Central repository for AWS Config

Good day,

It seems that you need data aggregation if you are working with multiple accounts. See these links:

• https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
• https://medium.com/@bachlmayr/enterprise-governance-with-aws-aggregator-and-conformance-packs-29b80370d34a
• https://www.contino.io/insights/aws-config-aggregator-compliance
• https://cloudaffaire.com/single-and-multi-account-aws-config-aggregator-setup/

Hello!

A couple important points to remember:

• For Config to send files to S3, it needs access as the Service Principal (What you see as config.amazonaws.com).

• Since the condition there is for SourceAccount, you need something to limit this to your Organizational Accounts. However, as AWS states - this service won't work with organization ID or organization units based conditions.

If you remove the AWS:SourceAccount condition, then this will work for all accounts (including accounts you don't own), which could mean that any account could possibly use Config as a confused deputy. Another option would be (if you have limited accounts), to add these accounts to the Bucket Policy. This would have drawbacks as you would need to maintain and manage a larger bucket policy (could be prone to misconfiguration and bucket policy size limits as well).

Some other options include using aggregators with organizations to do aggregation across Config in your AWS Organization: https://docs.aws.amazon.com/config/latest/developerguide/setup-aggregator-console.html.