Explore the options of using AWS Control Tower, Service Control Policies (SCPs), AWS Service Catalog, and AWS Config Aggregators to meet your requirements for enabling AWS Config in multiple AWS accounts and regions.
Option 1: AWS Control Tower
AWS Control Tower provides a way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It uses AWS Organizations to manage multiple accounts.
Set Up AWS Control Tower:
- Sign in to the AWS Management Console.
- Navigate to the AWS Control Tower console.
- Follow the setup wizard to set up your Control Tower landing zone.
Deny Region Access Using Control Tower:
- In the Control Tower console, navigate to the Guardrails section.
- Select the Deny Access to AWS Regions guardrail.
- Apply this guardrail to the organizational units (OUs) where you want to restrict region access.
Enable AWS Config Using Control Tower:
- Use the Enable AWS Config guardrail to ensure AWS Config is enabled in all the necessary regions.
- Apply this guardrail to your OUs to ensure AWS Config is enabled and continuously monitored.
Option 2: Service Control Policies (SCPs)
SCPs can help you enforce policies across your AWS Organization to control which AWS services and actions can be accessed.
Create SCP to Deny Region Access:
- Sign in to the AWS Management Console.
- Navigate to the AWS Organizations console.
- Create an SCP to deny access to specific regions. Here is an example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```
Attach this SCP to the relevant OUs or accounts.
Option 3: AWS Config via Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
Create a Portfolio in AWS Service Catalog:
- Sign in to the AWS Management Console.
- Navigate to the AWS Service Catalog console.
- Create a new portfolio and add a product for enabling AWS Config using a CloudFormation template similar to the one provided earlier.
Distribute the Portfolio:
- Share the portfolio with the accounts or OUs that need to enable AWS Config.
- Users in these accounts can launch the product to enable AWS Config as per the predefined configuration.
Option 4: AWS Config Aggregator
AWS Config Aggregator allows you to aggregate AWS Config data from multiple accounts and regions into a single account.
Enable AWS Config in Individual Accounts:
Use one of the methods above (Control Tower, SCP, or Service Catalog) to enable AWS Config in each account and region.
Create a Config Aggregator:
- Sign in to the AWS Management Console.
- Navigate to the AWS Config console in the aggregator account.
- Create an aggregator by selecting the accounts and regions you want to aggregate data from.
- Configure the necessary IAM roles and permissions to allow AWS Config data to be aggregated from other accounts.
By leveraging AWS Control Tower, SCPs, AWS Service Catalog, and AWS Config Aggregator, you can create a robust, compliant, and scalable setup for enabling and managing AWS Config across multiple accounts and regions.
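A way to sanity-check a region-deny SCP before attaching it to an OU is to evaluate it locally against a handful of representative API requests. The following Python script is an added example, not code from the answer or from AWS: it copies the answer's SCP, places beside it a variant in the shape of the region-deny SCP found in the AWS documentation (a NotAction carve-out for global services and an aws:PrincipalARN exemption for one break-glass role; the service list, the role name and the account id are assumptions made for this example), and runs both over constructed request contexts with a minimal evaluator that models only the condition operators these two policies use.

```python
import fnmatch

APPROVED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

# The SCP from the answer above, copied so it can be evaluated locally.
DENY_REGIONS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnapprovedRegions",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
    }],
}

# Variant in the shape of the documented AWS region-deny SCP: global services are
# carved out with NotAction and one break-glass role is exempted via
# aws:PrincipalARN. Service list and role name are assumptions for this example.
DENY_REGIONS_WITH_EXEMPTIONS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnapprovedRegionsExceptGlobal",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*",
                      "cloudfront:*", "support:*", "budgets:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/BreakGlassRole"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_applies(statement, action):
    # IAM-style '*' wildcards, case-insensitive action names; NotAction means
    # "every action except the listed ones".
    action = action.lower()
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(statement["Action"]))
    return not any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(statement["NotAction"]))


# Only the operators used by the two policies are modelled.
_OPERATORS = {
    "StringNotEquals": lambda ctx, vals: ctx not in vals,
    "ArnNotLike": lambda ctx, vals: not any(fnmatch.fnmatchcase(ctx, v) for v in vals),
}


def _condition_holds(condition, context):
    # Operators and keys are ANDed; values under one key are alternatives.
    # Every key must be present: absent-key semantics are not modelled here.
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key not in context:
                raise ValueError(f"request context lacks condition key {key}")
            if not _OPERATORS[operator](context[key], _as_list(values)):
                return False
    return True


def denying_statement(policy, request):
    """Sid of the first Deny statement that applies to the request, else None.
    Resource matching is skipped because both policies use Resource "*"."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not _action_applies(statement, request["action"]):
            continue
        if _condition_holds(statement.get("Condition", {}), request["context"]):
            return statement.get("Sid")
    return None


def _request(name, action, region, role="Developer"):
    # Constructed request context; the account id is a placeholder value.
    return {"name": name, "action": action, "context": {
        "aws:RequestedRegion": region,
        "aws:PrincipalARN": f"arn:aws:iam::111122223333:role/{role}",
    }}


SAMPLE_REQUESTS = [
    _request("ec2 in approved region", "ec2:RunInstances", "us-east-1"),
    _request("ec2 in unapproved region", "ec2:RunInstances", "eu-central-1"),
    _request("iam call with unapproved region value", "iam:CreateUser", "eu-central-1"),
    _request("break-glass role in unapproved region", "s3:CreateBucket", "eu-central-1", "BreakGlassRole"),
    _request("mixed-case action in unapproved region", "S3:ListAllMyBuckets", "ap-southeast-1"),
]


def evaluate(policy, requests=SAMPLE_REQUESTS):
    """Map each sample request name to the Sid that denies it, or None."""
    return {r["name"]: denying_statement(policy, r) for r in requests}
```

Running `evaluate()` on each policy shows the difference between the two: the answer's SCP denies every request outside the approved list, including the IAM call and the break-glass role, while the variant leaves those two alone and still denies the EC2 and S3 calls. A `None` result only means no SCP statement denies the call; the identity still needs an explicit IAM allow, since an SCP never grants anything.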
Hi Praveen Muppala, I deployed the exact same SCP, but the region codes I mentioned above are still enabled by default, as an SCP does not disable regions that are "Enabled by default". Please follow the link for your reference: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html