How do I set up and use AWS Config in multiple AWS accounts?


I want to set up and use AWS Config in multiple AWS Regions and AWS accounts.

Short description

Use the AWS Systems Manager AWSSupport-SetupConfig runbook to create an AWS Identity and Access Management (IAM) service-linked role, a configuration recorder powered by AWS Config, and a delivery channel with an Amazon Simple Storage Service (Amazon S3) bucket where AWS Config sends configuration snapshots and configuration history files. 

This runbook can also create authorizations for data aggregation to collect AWS Config configuration and compliance data from multiple AWS Regions and accounts. For more information, see Multi-account multi-Region data aggregation.

Resolution

Prerequisites

Before you start the runbook, make sure that your IAM entity (user or role) has the required permissions. For more information, see Required IAM permissions in AWSSupport-SetupConfig.

For multi-Region setup and multi-account setup, the AWS-SystemsManager-AutomationExecutionRole role is required to run automations. For more information, see Running automations in multiple AWS Regions and accounts.

Run the AWSSupport-SetupConfig runbook

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Documents.
  3. In the search bar, enter "AWSSupport-SetupConfig".
  4. Select the AWSSupport-SetupConfig document, and then choose Execute automation.
  5. For Input parameters, enter the following:
    AutomationAssumeRole: Enter the ARN of the IAM role that allows Automation to perform actions for you. If a role isn't specified, then Automation won't start.
    AggregatorAccountId (optional): The AWS account ID in which AWS Config data is aggregated. This ID is used to authorize the source accounts.
    AggregatorAccountRegion (optional): The Region where an aggregator is added to aggregate AWS Config configuration and compliance data from multiple accounts and Regions. This Region is used to authorize the source accounts.
    IncludeGlobalResourcesRegion: To avoid recording global resource data in each Region, specify one Region to record global resource data from.
    Partition: The partition that you want to collect AWS Config configuration and compliance data from.
    S3BucketName: The Amazon S3 bucket name for the AWS Config delivery channel. The name provided is appended with '-[AWS Account ID]'. The default name is "aws-config-delivery-channel".
  6. Choose Execute. The runbook performs these steps:
    CreateServiceLinkedRole: Creates a service-linked IAM role for AWS Config if one doesn't already exist.
    CreateRecorder: Creates a configuration recorder if one doesn't already exist.
    CreateBucket: Creates an Amazon S3 bucket used by the delivery channel if one doesn't already exist.
    CreateDeliveryChannel: Creates a delivery channel with the runbook resources.
    StartRecorder: Starts the configuration recorder.
    PutAggregationAuthorization: If you specified values for the AggregatorAccountId and AggregatorAccountRegion parameters, authorizations for multi-account and multi-Region data aggregation are configured.
  7. After the runbook completes, open the Amazon S3 console. Confirm that the S3 bucket was created by the delivery channel. Also, confirm the AWS Config setup for the AWS accounts or Regions.
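The console steps above can also be driven from code, which is how most teams roll this out to many accounts. The following is an added example, not code from the article or from AWS: it builds the `start_automation_execution` request for the AWSSupport-SetupConfig runbook (the SSM API wants every parameter value wrapped in a list, and `TargetLocations` with the AWS-SystemsManager-AutomationExecutionRole role does the multi-account, multi-Region fan-out), and then checks the AWS Config API responses for one account and Region the way step 7 asks you to: recorder present and recording, delivery channel pointing at the bucket the runbook names (the S3BucketName input with `-<account ID>` appended), and an aggregation authorization for the aggregator account and Region. The account IDs, role ARN, Region names and the sample API responses are constructed placeholders; boto3 is assumed to be installed only for the live variant.

```python
"""Start AWSSupport-SetupConfig across accounts/Regions and verify the result.

Added example for this article (not AWS's code). Account IDs, role ARN,
Regions and the sample responses are constructed placeholders.
"""
from __future__ import annotations

AUTOMATION_ROLE = "AWS-SystemsManager-AutomationExecutionRole"  # role named in the prerequisites
RUNBOOK = "AWSSupport-SetupConfig"


def expected_bucket_name(prefix: str, account_id: str) -> str:
    """The runbook appends '-<AWS account ID>' to the S3BucketName input."""
    return f"{prefix}-{account_id}"


def build_automation_request(*, assume_role_arn, target_accounts, target_regions,
                             global_resources_region, partition="aws",
                             bucket_prefix="aws-config-delivery-channel",
                             aggregator_account_id=None, aggregator_region=None):
    """Return kwargs for boto3 ssm.start_automation_execution(**request)."""
    if (aggregator_account_id is None) != (aggregator_region is None):
        # PutAggregationAuthorization only runs when both inputs are given.
        raise ValueError("AggregatorAccountId and AggregatorAccountRegion must be set together")
    params = {
        "AutomationAssumeRole": [assume_role_arn],
        "IncludeGlobalResourcesRegion": [global_resources_region],  # record global resources once
        "Partition": [partition],
        "S3BucketName": [bucket_prefix],
    }
    if aggregator_account_id is not None:
        params["AggregatorAccountId"] = [aggregator_account_id]
        params["AggregatorAccountRegion"] = [aggregator_region]
    return {
        "DocumentName": RUNBOOK,
        "Parameters": params,
        # Each target account must already contain the execution role.
        "TargetLocations": [{
            "Accounts": list(target_accounts),
            "Regions": list(target_regions),
            "ExecutionRoleName": AUTOMATION_ROLE,
        }],
    }


def verify_config_setup(recorder_status, delivery_channels, aggregation_auths,
                        expected_bucket, aggregator_account_id=None, aggregator_region=None):
    """Inspect describe_* responses from the AWS Config API for one account/Region.
    Returns a list of findings; an empty list means the setup looks complete."""
    findings = []
    recorders = recorder_status.get("ConfigurationRecordersStatus", [])
    if not recorders:
        findings.append("no configuration recorder")
    for rec in recorders:
        if not rec.get("recording"):
            findings.append(f"recorder {rec.get('name')} is not recording")
        if rec.get("lastStatus") == "Failure":
            findings.append(f"recorder {rec.get('name')} last delivery failed: {rec.get('lastErrorMessage')}")
    channels = delivery_channels.get("DeliveryChannels", [])
    if not channels:
        findings.append("no delivery channel")
    for ch in channels:
        if ch.get("s3BucketName") != expected_bucket:
            findings.append(f"delivery channel {ch.get('name')} uses bucket "
                            f"{ch.get('s3BucketName')}, expected {expected_bucket}")
    if aggregator_account_id is not None:
        authorized = any(a.get("AuthorizedAccountId") == aggregator_account_id
                         and a.get("AuthorizedAwsRegion") == aggregator_region
                         for a in aggregation_auths.get("AggregationAuthorizations", []))
        if not authorized:
            findings.append(f"no aggregation authorization for {aggregator_account_id}/{aggregator_region}")
    return findings


def check_live(session, account_id, region, bucket_prefix="aws-config-delivery-channel",
               aggregator_account_id=None, aggregator_region=None):
    """Live variant: 'session' is a boto3.Session with credentials in the target account."""
    cfg = session.client("config", region_name=region)  # boto3 assumed installed here
    return verify_config_setup(cfg.describe_configuration_recorder_status(),
                               cfg.describe_delivery_channels(),
                               cfg.describe_aggregation_authorizations(),
                               expected_bucket_name(bucket_prefix, account_id),
                               aggregator_account_id, aggregator_region)


# Constructed sample responses shaped like the AWS Config API output.
SAMPLE_RECORDER_OK = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": True, "lastStatus": "Success"}]}
SAMPLE_RECORDER_STOPPED = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": False, "lastStatus": "Pending"}]}
SAMPLE_CHANNELS = {"DeliveryChannels": [
    {"name": "default", "s3BucketName": "aws-config-delivery-channel-444455556666"}]}
SAMPLE_AUTHS = {"AggregationAuthorizations": [
    {"AuthorizedAccountId": "111122223333", "AuthorizedAwsRegion": "us-east-1"}]}

if __name__ == "__main__":
    req = build_automation_request(
        assume_role_arn="arn:aws:iam::111122223333:role/ExampleAutomationRole",
        target_accounts=["444455556666"], target_regions=["us-east-1", "eu-west-1"],
        global_resources_region="us-east-1",
        aggregator_account_id="111122223333", aggregator_region="us-east-1")
    print(req)  # pass to boto3.client("ssm").start_automation_execution(**req)
    print(verify_config_setup(SAMPLE_RECORDER_STOPPED, SAMPLE_CHANNELS, {"AggregationAuthorizations": []},
                              "other-bucket-444455556666", "111122223333", "us-east-1"))
```

Run `verify_config_setup` (or `check_live`) once per target account and Region after the automation finishes; a non-empty findings list is the signal to look at the automation execution's step output for that target rather than assuming the recorder is delivering.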

Related information

Systems Manager Automation runbook reference

Run an automation

Setting up Automation