AWS Config Rules in single yaml file to save time and effort in multi account architecture

Subhas Patil
3 min read · Sep 11, 2021


AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

An AWS resource is an entity you can work with in AWS, such as an Amazon Elastic Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC).

How Config Works

When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource.

AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder.

Config Rules

AWS Config rules represent your desired configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started. While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.

The Problem Statement

Now that you know what Config is and how it works, let us address the extra effort required when there are multiple AWS accounts.

Managed rules are predefined by AWS, and you can simply select them in the console and apply them. But what if there are multiple AWS accounts and these accounts are not under an AWS Organization?

In that case you have to select the same set of rules in the console of each AWS account and apply them separately. This approach takes time, and it is easy to miss a rule in one of the accounts, so the accounts drift apart.

The Solution

AWS provides a way to define all the rules in a single template file and deploy that file as one unit.
A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account and a Region, or across an organization in AWS Organizations. Here we use it for the case where the accounts are not under an Organization, so the pack is deployed once per account.

Let’s look at the way to achieve this.

Prerequisites

Before you deploy your conformance pack, turn on AWS Config recording in every account and Region where the pack will be deployed. A conformance pack cannot be deployed into an account whose configuration recorder is not running.

Steps

  1. Create a YAML file with the following template. A conformance pack template uses CloudFormation syntax, so Description belongs under Properties of the rule resource (it is a property of AWS::Config::ConfigRule, not a resource-level key):

    Resources:
      Userdefinedname:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: ""
          Description: ""
          Source:
            Owner: AWS
            SourceIdentifier: ""

Userdefinedname: the logical name of the resource, which you choose for identification. It must be alphanumeric (no underscores or hyphens), and each rule in the file needs a different one.
Description: a description of the rule.
ConfigRuleName: the user-defined rule name. AWS Config appends a suffix to it when the pack is deployed, so it does not collide with rules of the same name created outside the pack.
SourceIdentifier: the unique identifier AWS assigns to each managed rule, for example S3_BUCKET_PUBLIC_READ_PROHIBITED. Add one resource block per managed rule you want in the pack.

URL for managed rules: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

2. Save the file in a centralized S3 bucket and grant read access to this bucket to all the AWS accounts where the Config rules have to be deployed. Note that a conformance pack reads its template from a bucket in the same Region as the pack, so keep the bucket in the Region you deploy to (or copy the file into a bucket in each Region).

S3 bucket policy (the statement shown in the original is wrapped here in a complete policy document):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowReadsFromOtherAccount",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::acct-id-1:root",
              "arn:aws:iam::acct-id-2:root",
              "arn:aws:iam::acct-id-3:root"
            ]
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET_NAME/configrules.yaml"
        }
      ]
    }

Replace acct-id-1, acct-id-2 and acct-id-3 with the 12-digit IDs of the target accounts. A principal of the form arn:aws:iam::ACCOUNT:root delegates to the whole account: any IAM user or role in that account whose own identity policy allows s3:GetObject can then read the file. That is fine for a read-only template, but be strict about who can write to the bucket, because whoever edits configrules.yaml decides what gets checked in every account. Keep the policy limited to s3:GetObject on this one object, and consider enabling versioning on the bucket so changes to the template are auditable.

3. It's time to deploy the template file.

  • Go to the AWS Config console and then to Conformance packs
  • Select "Deploy conformance pack"
  • Select Upload template -> Amazon S3 bucket -> provide the S3 URI of the uploaded YAML file (e.g. s3://config-bucket/configrules.yaml)
  • Provide a conformance pack name -> Next -> Deploy

Repeat the same steps in each of the other AWS accounts, pointing at the same S3 URI. Once the pack status shows as completed, the Conformance packs page lists the compliance of every rule in the pack.

Conclusion

Now you have a central Config rules file that can be deployed to any AWS account. This saves the time and effort of searching for rules and applying them individually in multiple accounts, and it keeps the set of rules identical across the accounts.


Written by Subhas Patil

Devops Engineer - Prodt Consulting Services, AWS Certified Solutions Architect | Terraform Certified
