Central repository for AWS Config

0

Hi,

I am try to create a central repository in my Audit account and send all Config files to this bucket. I figure out how to do via these instructions Granting AWS Config access to the Amazon S3 Bucket (https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html#granting-access-in-another-account), but I am trying to use the organization policy to avoid creating one entry for each account. Can someone explain it to me? I did not figure it out!

2 Answers
0
  • Thank you for the links. These articles helped a bit, but they are not working as it states...

0

Hello!

A couple important points to remember:

  • For Config to send files to S3, it needs access as the Service Principal (What you see as config.amazonaws.com).

  • Since the condition there is for SourceAccount, you need something to limit this to your Organizational Accounts. However, as AWS states - this service won't work with organization ID or organization units based conditions.

If you remove the AWS:SourceAccount condition, then this will work for all accounts (including accounts you don't own), which could mean that any account could possibly use Config as a confused deputy. Another option would be (if you have limited accounts), to add these accounts to the Bucket Policy. This would have drawbacks as you would need to maintain and manage a larger bucket policy (could be prone to misconfiguration and bucket policy size limits as well).

Some other options include using aggregators with organizations to do aggregation across Config in your AWS Organization: https://docs.aws.amazon.com/config/latest/developerguide/setup-aggregator-console.html.

jsonc
answered 2 years ago
  • I was able to enable Config in two accounts and register the Audit account to be the Delegate Administrator. I create one aggregator and the other Config was sending information to it. The only think it is missing is the central bucket repository. I seems I can not do it based on bucket policies, but via IAM role policy as AWS says: "If you plan to set up AWS Config in many accounts from the same organization to deliver configuration items to a single Amazon S3 bucket, we recommend using IAM roles instead of service-linked roles so you can use AWS Organizations conditions keys such as AWS:PrincipalOrgID. " https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html#granting-access-in-another-account

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions