This solution deploys AWS Config in all existing and future AWS Organization member accounts.
This solution is intended for deployment from the security tooling account. Deploying from a different account will necessitate minor template adjustments.
Enable AWS Config (config.amazonaws.com) and AWS Config Multi-Account Setup (config-multiaccountsetup.amazonaws.com) as a Trusted Service in Organizations.
./../scripts/enable_trusted_access_for_config.shRegister the security tooling account as a delegated administrator for AWS Config and AWS Config Multi-Account Setup.
./../scripts/enable_delegated_admin_for_config.sh 222222222222Deploy aws-config-org-deployment.yaml CloudFormation template in the security tooling account. This template deploys all required resources via nested stacks and stacksets. It deploys:
aws-config-org-bucket-kms-key.yamlin the current account and region via nested stackaws-config-org-bucket.yamlin the log archive account, current region via stacksetaws-config-org-sns.yamlin every provided region of the security tooling accountaws-config-org.yamlin every provided region of every organization member account via stackset and organization management account via stacksetaws-config-org-aggregator.yamlin the current account and region via nested stackaws-config-org-conforms-pack-delivery-bucket.yamlin the log archive account, current region via stackset
Step 3a: Create IAM Roles Required for Deploying CloudFormation StackSets with Self-Managed Permissions
In order to deploy CloudFormation StackSets with self-managed permissions, we need to create admin and execution IAM roles.
You can deploy them using cloudformation/stackset-roles solution from this project. See Readme for more details.
Upload all necessary templates to the S3 bucket used for storing CloudFormation templates.
aws s3 cp . s3://BUCKETNAME \
--recursive \
--exclude "*" \
--include "aws-config-org*" \
--exclude "*deployment.yaml"aws cloudformation deploy \
--template-file aws-config-org-deployment.yaml \
--stack-name aws-config-org-deployment \
--capabilities "CAPABILITY_NAMED_IAM" \
--parameter-overrides \
pArtifactBucketName="BUCKETNAME" \
pDeployTargetOrgUnitId=r-abcd \
pStackSetAdminRoleName="AWSCloudFormationStackSetAdministrationRole" \
pStackExecutionRoleName="AWSCloudFormationStackSetExecutionRole" \
pEnabledRegions="us-east-1,us-west-2" \
pOrgID=o-abc123def4 \
pConfigBucketKeyAlias=aws-config-org-bucket-key \
pSecurityToolingAccountId=222222222222 \
pLogArchiveAccountId=333333333333 \
pManagementAccountId=111111111111 \
pBucketNameSuffix=a1b2c3d4e5fg6h7i \
pWorkloadIdTag=aws-config-org \
pEnvironmentIdTag=prod \
pOwnerNameTag=secopsaws-config-org-bucket-kms-key.yamldeploys:${pConfigBucketKeyAlias}- KMS Key
aws-config-org-bucket.yamldeploys:aws-config-history-${pBucketNameSuffix}- S3 bucketaws-config-history-${pBucketNameSuffix}-access-logs- S3 bucket
aws-config-org-sns.yamldeploys:aws-config-org-stream-${AWS::Region}- SNS Topic
aws-config-org.yamldeploys:AWSServiceRoleForConfig- IAM Service-Linked Roledefault- AWS Config Configuration Recorderdefault- AWS Config Delivery Channel
aws-config-org-aggregator.yamldeploys:AWSConfigAggregatorRole- IAM Roleaws-config-org-aggregator- AWS Config Aggregator
aws-config-org-conforms-pack-delivery-bucket.yamldeploys:awsconfigconforms-pack-delivery-${pBucketNameSuffix}- S3 bucket
aws-config-org-deployment.yamldeploys:rConfigBucketKMSKeyStack- Stack foraws-config-org-bucket-kms-key.yamlaws-config-org-bucket- StackSet foraws-config-org-bucket.yamlaws-config-org-sns-topics- StackSet foraws-config-org-sns.yamlaws-config-org-recorders- StackSet foraws-config-org.yamlaws-config-org-mgmt-recorder- StackSet foraws-config-org.yamlrConfigAggregatorStack- Stack foraws-config-org-aggregator.yaml