How do I use the AWSSupport-SetupConfig runbook to use AWS Config in multiple AWS accounts?

Short description

You can use the AWS Systems Manager AWSSupport-SetupConfig runbook. This runbook sends configuration snapshots and history files from multiple AWS Regions and accounts to an Amazon Simple Storage Service (Amazon S3) bucket. The AWS ConfigAWSSupport-SetupConfig runbook is configured with AWS Systems Manager.

The AWS Config AWSSupport-SetupConfig runbook creates these resources:

• An AWS Identity and Access Management (IAM) service-linked role.
• A configuration recorder powered with AWS Config.
• A delivery channel with an Amazon S3 bucket.

This runbook can also create authorizations for data aggregation to collect AWS Config configuration and compliance data from multiple AWS Regions and accounts. For more information, see Multi-account multi-region data aggregation.

Resolution

Prerequisites

Before you start the runbook, make sure that your IAM entity (user or role) has the required permissions. For more information, see Required IAM permissions in AWSSupport-SetupConfig.

Note: For multi-Region setup and multi-account setup, the AWS-SystemsManager-AutomationExecutionRole role is required to run automations. For more information, see Running automations in multiple AWS Regions and accounts.

Run the AWSSupport-SetupConfig runbook

1.    Open the Systems Manager console.

2.    In the navigation pane, choose Documents.

3.    In the search bar, enter "AWSSupport-SetupConfig".

4.    Select the AWSSupport-SetupConfig document, and then choose Execute automation.

5.    For Input parameters enter these variables:

• AutomationAssumeRole (required): Enter the ARN of the IAM role that allows Automation to perform actions for you. If a role isn't specified, then Automation won't start.
• AggregatorAccountId (optional): The AWS Account ID that AWS Config data is aggregated. This ID is used to authorize the source accounts.
• AggregatorAccountRegion (optional): The Region where an aggregator is added to aggregate AWS Config configuration and compliance data from multiple accounts and Regions. This Region is used to authorize the source accounts.
• IncludeGlobalResourcesRegion (required): To avoid recording global resource data in each Region, specify one Region to record global resource data from.
• Partition (required): The partition that you want to collect AWS Config configuration and compliance data from.
• S3BucketName (required): The Amazon S3 bucket name for the AWS Config delivery channel. The name provided is appended with '-[AWS Account ID]'. The default name is "aws-config-delivery-channel".

6.    Choose Execute. The runbook performs these steps:

• CreateServiceLinkedRole: Creates a service-linked IAM role for AWS Config if one doesn't already exist.
• CreateRecorder: Creates a configuration recorder if one doesn't already exist.
• CreateBucket: Creates an Amazon S3 bucket used by the delivery channel if one doesn't already exist.
• CreateDeliveryChannel: Creates a delivery channel with the runbook resources.
• StartRecorder: Starts the configuration recorder.
• PutAggregationAuthorization: If you specified values for the AggregatorAccountId and AggregatorAccountRegion parameters, authorizations for multi-account and multi-Region data aggregation are configured.

7.    After the runbook completes, open the Amazon S3 console. Check that the S3 bucket was created by the delivery channel, and check the AWS Config setup for the AWS accounts or Regions.

Note: To help you troubleshoot, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the Systems Manager provided predefined runbooks. These runbooks are prefixed with "AWSSupport-" or "AWSPremiumSupport-".

Related information

Run an automation

Setting up Automation