Enable AWS Config

0

Hi AWS, while disabling the unapproved regions in our AWS accounts we noticed that a couple of regions are enabled by default. After research I figured out that Regions introduced before March 20, 2019 are enabled by default. AWS originally enabled all new AWS Regions by default, which means you can begin creating and managing resources in these Regions immediately.

You cannot enable or disable a Region that is enabled by default. You can control only the regions listed below, which can be enabled or disabled; the other regions are enabled by default, as mentioned.

  • Asia Pacific (Mumbai) -> ap-south-1
  • Asia Pacific (Osaka) -> ap-northeast-3
  • Asia Pacific (Seoul) -> ap-northeast-2
  • Asia Pacific (Singapore) -> ap-southeast-1
  • Asia Pacific (Sydney) -> ap-southeast-2
  • Asia Pacific (Tokyo) -> ap-northeast-1
  • Canada (Central) -> ca-central-1
  • Europe (Frankfurt) -> eu-central-1
  • Europe (Ireland) -> eu-west-1
  • Europe (London) -> eu-west-2
  • Europe (Paris) -> eu-west-3
  • Europe (Stockholm) -> eu-north-1
  • South America (São Paulo) -> sa-east-1

Now there is a requirement that we need to turn on the config recorder in order to enable AWS Config in those enabled regions. What would be the best option, AWS Lambda or a CloudFormation Stack, as we need to do this in multiple AWS accounts?
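As an added example (not part of the original post), the recorder-enabling logic that a Lambda function or a one-off script would run: list the regions the account can actually use (those with "opt-in-not-required", i.e. enabled by default, plus any that were opted in), then create and start a recorder and delivery channel only where none exists. It assumes a boto3 Session is passed in by the caller, and the role ARN and bucket name are placeholders; AWS calls go through injected clients so the logic can be exercised with fakes.

```python
"""Enable the AWS Config recorder in every region that is enabled for the account.

Added example, not code from the original post. Assumes the caller supplies a
boto3.Session; role_arn and bucket are placeholders for a Config service role
and the delivery bucket, which must exist before this runs.
"""


def enabled_regions(describe_regions_response):
    """Return region names that are usable in this account.

    ec2:DescribeRegions(AllRegions=True) reports OptInStatus as
    'opt-in-not-required' (regions enabled by default), 'opted-in' or
    'not-opted-in'; only the first two can host a Config recorder.
    """
    return sorted(
        r["RegionName"]
        for r in describe_regions_response["Regions"]
        if r.get("OptInStatus") in ("opt-in-not-required", "opted-in")
    )


def ensure_recorder(config, role_arn, bucket, name="default"):
    """Create and start a recorder plus delivery channel if the region has none.

    `config` is a boto3 'config' client for one region (or a fake in tests).
    Returns True when a recorder was created, False when one already existed.
    """
    existing = config.describe_configuration_recorders().get("ConfigurationRecorders", [])
    if existing:
        return False  # idempotent: leave an existing recorder untouched
    config.put_configuration_recorder(
        ConfigurationRecorder={
            "name": name,
            "roleARN": role_arn,
            # Record all supported types; global resources (e.g. IAM) only need
            # to be recorded in one region, so leave that off here.
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False},
        }
    )
    config.put_delivery_channel(DeliveryChannel={"name": name, "s3BucketName": bucket})
    config.start_configuration_recorder(ConfigurationRecorderName=name)
    return True


def enable_everywhere(session, role_arn, bucket):
    """Walk every enabled region of the session's account; returns regions fixed."""
    ec2 = session.client("ec2", region_name="us-east-1")
    created = []
    for region in enabled_regions(ec2.describe_regions(AllRegions=True)):
        if ensure_recorder(session.client("config", region_name=region), role_arn, bucket):
            created.append(region)
    return created
```

To cover several accounts, run this under a role assumed in each member account (for example from a single Lambda iterating over the Organization's account list) rather than deploying one function per account.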

1 Answer
0

Explore the options of using AWS Control Tower, Service Control Policies (SCPs), AWS Service Catalog, and AWS Config Aggregators to meet your requirements for enabling AWS Config in multiple AWS accounts and regions.

Option 1: AWS Control Tower

AWS Control Tower provides a way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It uses AWS Organizations to manage multiple accounts.

Set Up AWS Control Tower:

  • Sign in to the AWS Management Console.
  • Navigate to the AWS Control Tower console.
  • Follow the setup wizard to set up your Control Tower landing zone.

Deny Region Access Using Control Tower:

  • In the Control Tower console, navigate to the Guardrails section.
  • Select the Deny Access to AWS Regions guardrail.
  • Apply this guardrail to the organizational units (OUs) where you want to restrict region access.

Enable AWS Config Using Control Tower:

  • Use the Enable AWS Config guardrail to ensure AWS Config is enabled in all the necessary regions.
  • Apply this guardrail to your OUs to ensure AWS Config is enabled and continuously monitored.

Option 2: Service Control Policies (SCPs)

SCPs can help you enforce policies across your AWS Organization to control which AWS services and actions can be accessed.

Create SCP to Deny Region Access:

  • Sign in to the AWS Management Console.
  • Navigate to the AWS Organizations console.
  • Create an SCP to deny access to specific regions. Here is an example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

Attach this SCP to the relevant OUs or accounts.

Option 3: AWS Config via Service Catalog

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.

Create a Portfolio in AWS Service Catalog:

  • Sign in to the AWS Management Console.
  • Navigate to the AWS Service Catalog console.
  • Create a new portfolio and add a product for enabling AWS Config using a CloudFormation template similar to the one provided earlier.

Distribute the Portfolio:

  • Share the portfolio with the accounts or OUs that need to enable AWS Config.
  • Users in these accounts can launch the product to enable AWS Config as per the predefined configuration.

Option 4: AWS Config Aggregator

AWS Config Aggregator allows you to aggregate AWS Config data from multiple accounts and regions into a single account.

Enable AWS Config in Individual Accounts:

Use one of the methods above (Control Tower, SCP, or Service Catalog) to enable AWS Config in each account and region.

Create a Config Aggregator:

  • Sign in to the AWS Management Console.
  • Navigate to the AWS Config console in the aggregator account.
  • Create an aggregator by selecting the accounts and regions you want to aggregate data from.
  • Configure the necessary IAM roles and permissions to allow AWS Config data to be aggregated from other accounts.

By leveraging AWS Control Tower, SCPs, AWS Service Catalog, and AWS Config Aggregator, you can create a robust, compliant, and scalable setup for enabling and managing AWS Config across multiple accounts and regions.

AWS
answered 2 months ago
