Deploy AWS Config Rule from Org
If you have AWS Organizations configured, you can deploy Config Rules from a single location out to all the accounts in the same Org. This works for both AWS Managed Rules and your own Custom Rules.
References:
Details:
- Max 150 rules
- All necessary permissions and roles must be pre-configured
Advantages:
- Deploy from central location
- Prevents member accounts from editing the rules
Setup
Setup Root Account
- Configure Aggregator
- Configure S3 Logging Bucket for Config*
- Configure SNS Topic*
- Configure Lambda Role
  - Your usual Lambda Role permissions
  - Ability to AssumeRole into the Recorder Role in all accounts (the role name can be extracted from "executionRoleArn" of the Event object)
- Configure Lambda Function
  - Allow this function to be invoked by all accounts in this Org
Setup All Accounts
- Configure Recorder Role
  - Use the same name across all accounts
  - Needs the necessary permissions to
    - write to Config
    - write to the S3 Logging Bucket in the Root Account*
    - write to the SNS Topic in the Root Account*
    - read/edit whatever resources it needs for your rule to do what you want
  - Trust the Lambda Role in the Root Account to AssumeRole
- Turn on Recording
*The S3 bucket and SNS topic do not have to be in the Root Account; just put them somewhere common to all accounts.
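As an added example (not code from the original post), here is the shape of a custom rule Lambda that follows the setup above: it pulls the member account's Recorder Role from "executionRoleArn", assumes it from the Root Account's Lambda Role, and writes the result back to Config in that account. The rule logic (a required-tag check), the role name, account ID and event values are constructed placeholders.

```python
import json
# Constructed sample event in the shape AWS Config hands a custom rule Lambda; IDs are placeholders.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-bucket",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Environment": "prod"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTag": "Owner"}),
    "resultToken": "placeholder-token",
    "executionRoleArn": "arn:aws:iam::111111111111:role/ConfigRecorderRole",
}

def parse_event(event):
    """Unpack the nested JSON strings Config embeds; executionRoleArn names the member account's Recorder Role."""
    return {
        "item": json.loads(event["invokingEvent"])["configurationItem"],
        "params": json.loads(event.get("ruleParameters") or "{}"),
        "execution_role_arn": event["executionRoleArn"],
        "result_token": event["resultToken"],
    }

def evaluate(item, params):
    """Rule logic (constructed for this example): the resource must carry the tag named in ruleParameters."""
    required = params.get("requiredTag")
    if not required:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if required in (item.get("tags") or {}) else "NON_COMPLIANT"

def build_evaluation(item, compliance):
    # One PutEvaluations entry built from the configuration item and the verdict
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "OrderingTimestamp": item["configurationItemCaptureTime"]}

def config_client_for(execution_role_arn):
    """Assume the Recorder Role in the member account (it trusts this Lambda's role), then use Config there."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=execution_role_arn, RoleSessionName="org-config-rule")["Credentials"]
    return boto3.client("config", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])

def lambda_handler(event, context):
    parsed = parse_event(event)
    evaluation = build_evaluation(parsed["item"], evaluate(parsed["item"], parsed["params"]))
    config_client_for(parsed["execution_role_arn"]).put_evaluations(
        Evaluations=[evaluation], ResultToken=parsed["result_token"])
    return evaluation
```

If the AssumeRole call fails, the Recorder Role's trust policy in that member account is the first thing to check, since it must name the Root Account's Lambda Role.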