Forem: Diego Trujillo

Managing your GoDaddy domain with Route53

Diego Trujillo — Thu, 06 Jun 2024 21:13:42 +0000

This post explains how to use AWS Route53 to manage your external domain, such as GoDaddy. Simply follow these steps:

Select your domain in GoDaddy

Verify the domain you own. The domain name is important, for example: my-daddy-o.org

Create your Hosted Zone in Route53

Log in to the AWS Console and navigate to the Route53 service console. Then, go to the "Hosted Zone" section and click on "Create hosted zone".

Type your Domain name here (my-daddy-o.org) and select "Public" type.

After setting up your Hosted Zone, review the records and double-check the default NS and SOA records, especially the "NS" type record.

Update your Nameservers on GoDaddy

Go to your GoDaddy domain, navigate to the "DNS" section, update the "Nameservers," and then click "Change".

In the new window, enter the values from your "NS" record in Route53. Be careful to not include the last dot. For example: ns-777.awsdns-11.com. → ns-777.awsdns-11.com

Verify your domain

You can verify the complete application of your Name Server change by checking its propagation. This may take some time (minutes to hours). Use whatsmydns to check for correct propagation.

Validate a record

As an additional step, you need to create a new record on Route53 to validate its functionality.

In my case, I created an S3 Bucket to test a simple website. After configuring the bucket as a static website, I created a new record pointing to the website endpoint.

For this, I created a new record "www.my-daddy-o.org". Please verify that the URL resolves to your bucket.

Implementing AWS Config for your Organization with CloudFormation

Diego Trujillo — Tue, 04 Jun 2024 05:33:07 +0000

Objective

This lab is centered on deploying AWS Config within your AWS Organization for the first time. It's advisable to familiarize yourself with essential concepts of AWS Config, AWS CloudFormation, and how they integrate with AWS Organizations if you are new to them. In case you're interested I have published a concise summary of AWS Config in a separate post.

I was motivated to develop this lab since I was testing some AWS Organization features and started creating multiple accounts. Subsequently, I recognized that deploying basic AWS Security Services across all accounts would be the most secure approach.

Solution Structure

With that in mind, there are numerous options available for AWS Config. In this lab, we will utilize the following setup and components:

(Pre-requisite) An AWS Organization must be already set up.
We'll use AWS CloudFormation StackSets to automatically enable AWS Config on every member account. It should be noted that as per the AWS Documentation, the StackSet will not be deployed to the Management Account.
As we plan to integrate AWS Config and AWS CloudFormation with AWS Organizations, we will assign the role of Delegated Administrator to one member account, thereby avoiding using the Management Account.
We will create a single S3 Bucket within the Delegated Admin account to centralize AWS Config Log files from all member accounts.
We will deploy a CloudFormation Stack to set up the Config StackSet and the centralized S3 Bucket.
Once AWS Config is enabled across all accounts, we will begin establishing Organization Config Rules within the Delegated Admin account.
Finally, a Config Aggregator will be set up in the Delegated Admin account to consolidate compliance data from all accounts and create reports.

Accounts Structure

Steps

Below are the sequential steps for deploying our AWS Config solution. The complete source code is available in the GitHub Repository.

Assign a Delegated Administrator for AWS Config and CloudFormation.
Establish AWS Config Recorders using CloudFormation StackSets.
Implement Organization Config Rules across all accounts.
Set up an AWS Aggregator for cross-account reporting.

Step 1. Assign a Delegated Administrator for AWS Config and CloudFormation.

As mentioned in AWS Documentation, run the following commands from the Management Account for enabling AWS Config and AWS CloudFormation for your Organization, and assigning a Delegated Admin.

Enable service access as a delegated administrator for your organization to aggregate AWS Config data across your organization:

aws organizations enable-aws-service-access --service-principal=config.amazonaws.com

Enable service access as a delegated administrator for your organization to deploy and manage AWS Config rules and conformance packs across your organization:

aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com

Enable service access as delegated administrator for your organization to create and manage stack sets across your organization:

aws organizations enable-aws-service-access --service-principal=member.org.stacksets.cloudformation.amazonaws.com

To check if the enable service access is complete, enter the following command and press Enter to execute the command:

aws organizations list-aws-service-access-for-organization

You should see output similar to the following:

{
    "EnabledServicePrincipals": [
        {
            "ServicePrincipal": "config-multiaccountsetup.amazonaws.com",
            "DateEnabled": "2024-05-23T18:09:52.878000+00:00"
        },
        {
            "ServicePrincipal": "config.amazonaws.com",
            "DateEnabled": "2024-05-24T16:27:31.462000+00:00"
        },
        {
            "ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com",
            "DateEnabled": "2024-05-24T16:56:08.933000+00:00"
        }
    ]
}

Next, enter the following commands to register a member account as a Delegated Admin for Config and CloudFormation:

aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id MemberAccountID
aws organizations register-delegated-administrator --service-principal=config.amazonaws.com --account-id MemberAccountID
aws organizations register-delegated-administrator --service-principal=member.org.stacksets.cloudformation.amazonaws.com --account-id MemberAccountID

To check if the registration of the delegated administrator is complete, enter the following commands:

aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
aws organizations list-delegated-administrators --service-principal=config.amazonaws.com
aws organizations list-delegated-administrators --service-principal=member.org.stacksets.cloudformation.amazonaws.com

You should see output similar to the following:

{
    "DelegatedAdministrators": [
        {
            "Id": "MemberAccountID",
            "Arn": "arn:aws:organizations::MemberAccountID:account/o-c7esubdi38/MemberAccountID",
            "Email": "name@amazon.com",
            "Name": "name",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1604867734.48,
            "DelegationEnabledDate": 1607020986.801
        }
    ]
}

You can validate the following IAM Roles created on your AWS Member Accounts:

AWSServiceRoleForConfig
AWSServiceRoleForConfigMultiAccountSetup
AWSServiceRoleForCloudFormationStackSetsOrgMember

Step 2. Establish AWS Config Recorders using CloudFormation StackSets.

Before setting up Config Rules, it is necessary to begin recording resource changes, which requires the creation of a Configuration Recorder in each member account of our Organization.

There are various methods to activate AWS Config across multiple accounts; however, in this lab, we will utilize AWS CloudFormation StackSets to centrally manage Config Recorders from the Delegated Admin Account. We will also employ a Service-managed StackSet to automatically generate the required IAM Roles, prefixed with "stacksets-exec."

AWS offers various CloudFormation templates for AWS Config; however, we will utilize the template named EnableAWSConfigForOrganizations.yml.

You can review the entire file to see all the functionalities the template supports. In this lab, we will concentrate on the following resources:

Configuration Recorder to record all resource types (or to filter the resource types you prefer)
Delivery Channel to send Config History and Config Snapshot files to S3, and optionally to SNS

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes
      RoleARN:
        Fn::Sub:
          "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref AWS::NoValue
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties: !If
        - DisableSnapshots
        - !Ref AWS::NoValue
        - DeliveryFrequency: !FindInMap
            - Settings
            - FrequencyMap
            - !Ref Frequency
      S3BucketName: !If
        - CreateBucket
        - !Ref ConfigBucket
        - !Ref S3BucketName
      S3KeyPrefix: !If
        - UsePrefix
        - !Ref S3KeyPrefix
        - !Ref AWS::NoValue
      SnsTopicARN: !If
        - UseSNS
        - !If
          - CreateTopic
          - !Ref ConfigTopic
          - !Ref TopicArn
        - !Ref AWS::NoValue

I have developed a CloudFormation template that implements our StackSet for enabling AWS Config on all accounts, thereby automating its creation via the AWS CLI. The template includes the following functionalities:

Creation of a new S3 Bucket exclusively for centralized AWS Config logging.
Implementation of the StackSet across all our organization accounts, with the Delivery Channel set up to relay logs to the centralized S3 Bucket.

Please review the entire template and make any necessary modifications as needed.

AWSTemplateFormatVersion: 2010-09-09
Description:
  This CloudFormation Stack creates a StackSet that deploys the "EnableAWSConfigForOrganizations.yml" template to an Organization, in addition to a S3 Bucket for centralized logging.
  The StackSet will deploy a Stack containing the Config componentes to each member account.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Parameters
        Parameters:
          - ConfigRegions
          - TagName
          - TagUnit
          - TagEnvironment
      - Label:
          default: Centralized Bucket Parameters
        Parameters:
          - OrganizationId
          - CentralizedBucketName
      - Label:
          default: Cfn StackSet Resource Parameters
        Parameters:
          - StackSetOuId
          - StackSetAutoDeployment
          - StackSetManagedExecution
          - StackSetCallAsAccount
      - Label:
          default: Config StackSet Template Parameters
        Parameters:
          - StSeParAllSupported
          - StSeParIncludeGlobalResourceTypes
          - StSeParResourceTypes
          - StSeParServiceLinkedRoleRegion
          - StSeParDeliveryChannelName
          - StSeParS3KeyPrefix
          - StSeParFrequency
          - StSeParSNS
          - StSeParTopicArn
          - StSeParNotificationEmail
Parameters:
  ConfigRegions:
    Type: List<String>
    Default: us-east-1
    Description: Specifies list of Regions to be configured as Deployment Target.
  TagName:
    Type: String
    Description: Specifies the prefix for the 'Name' tag for stack resources.
  TagUnit:
    Type: String
    Description: Specifies the value for the 'Unit' tag for stack resources.
  TagEnvironment:
    Type: String
    Description: Specifies the value for the 'Environment' tag for stack resources.
  OrganizationId:
    Type: String
    Default: <OrgId>
    Description: Organization Id, for restricting access to centralized logging bucket.
  CentralizedBucketName:
    Type: String
    Default: <CentrBucket>
    Description: Name for Centralized Logging Bucket in Administration Account.
  StackSetOuId:
    Type: String
    Default: <OuId>
    Description: ID of Organization Unit to be configured as Deployment Target.
  StackSetAutoDeployment:
    Type: String
    Default: true
    Description: Specifies whether to enable Auto Deployment. This feature
      automatically deploys StackSets to AWS Organizations accounts that are
      added to a target.
    AllowedValues:
      - true
      - false
  StackSetManagedExecution:
    Type: String
    Default: false
    Description: Describes whether StackSets performs non-conflicting operations
      concurrently and queues conflicting operations.
    AllowedValues:
      - true
      - false
  StackSetCallAsAccount:
    Type: String
    Default: DELEGATED_ADMIN
    Description:
      Specifies whether you are acting as an account administrator in the
      organization's management account or as a delegated administrator in a
      member account.
    AllowedValues:
      - SELF
      - DELEGATED_ADMIN
  StSeParAllSupported:
    Type: String
    Default: true
    Description:
      StackSet Parameter "AllSupported" - Indicates whether to record all
      supported resource types.
    AllowedValues:
      - true
      - false
  StSeParIncludeGlobalResourceTypes:
    Type: String
    Default: false
    Description:
      StackSet Parameter "IncludeGlobalResourceTypes" - Indicates whether
      AWS Config records all supported global resource types.
    AllowedValues:
      - true
      - false
  StSeParResourceTypes:
    Type: List<String>
    Description:
      StackSet Parameter "ResourceTypes" - A list of valid AWS resource
      types to include in this recording group, such as AWS::EC2::Instance or
      AWS::CloudTrail::Trail.
    Default: <All>
  StSeParServiceLinkedRoleRegion:
    Type: String
    Description:
      StackSet Parameter "ResourceTypes" - A region such as us-east-1. If
      specified, the Config service-linked role will only be created if the
      stack is deployed to this region.
    Default: <DeployToAnyRegion>
  StSeParDeliveryChannelName:
    Type: String
    Default: <Generated>
    Description:
      StackSet Parameter "DeliveryChannelName" - The name of the delivery
      channel.
  StSeParS3KeyPrefix:
    Type: String
    Default: <Prefix>
    Description:
      StackSet Parameter "S3KeyPrefix" - Prefix for the specified Amazon
      S3 bucket.
  StSeParFrequency:
    Type: String
    Default: 24hours
    Description: StackSet Parameter "Frequency" - The frequency with which AWS
      Config delivers configuration snapshots.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
  StSeParSNS:
    Type: String
    Default: true
    Description:
      StackSet Parameter "TopicArn" - Describes wether AWS Config sends
      SNS notifications.
    AllowedValues:
      - true
      - false
  StSeParTopicArn:
    Type: String
    Default: <New Topic>
    Description:
      StackSet Parameter "TopicArn" - The Amazon Resource Name (ARN) of
      the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config
      delivers notifications to.
  StSeParNotificationEmail:
    Type: String
    Default: <None>
    Description: StackSet Parameter "NotificationEmail" - address for AWS Config
      notifications (for new topics).
Resources:
  CentralizedBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref CentralizedBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Name
          Value: !Sub
            - "${tag}-${bucket}"
            - tag: !Ref TagName
              bucket: !Ref CentralizedBucketName
        - Key: Unit
          Value: !Ref TagUnit
        - Key: Environment
          Value: !Ref TagEnvironment
  CentralizedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CentralizedBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${CentralizedBucket}
            Condition:
              StringEquals:
                aws:SourceOrgID: !Ref OrganizationId
          - Sid: AWSConfigBucketExistenceCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:ListBucket
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${CentralizedBucket}
            Condition:
              StringEquals:
                aws:SourceOrgID: !Ref OrganizationId
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${CentralizedBucket}/${StSeParS3KeyPrefix}/AWSLogs/*
            Condition:
              StringEquals:
                aws:SourceOrgID: !Ref OrganizationId
  ConfigStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: ConfigStackSet
      Description: StackSet for deploying AWS Config to an Organization Unit
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_IAM
      ManagedExecution:
        Active: !Ref StackSetManagedExecution
      OperationPreferences:
        FailureToleranceCount: 0
        MaxConcurrentCount: 1
        RegionConcurrencyType: SEQUENTIAL
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref StackSetOuId
          Regions: !Ref ConfigRegions
      CallAs: !Ref StackSetCallAsAccount
      AutoDeployment:
        Enabled: !Ref StackSetAutoDeployment
        RetainStacksOnAccountRemoval: true
      Parameters:
        - ParameterKey: AllSupported
          ParameterValue: !Ref StSeParAllSupported
        - ParameterKey: IncludeGlobalResourceTypes
          ParameterValue: !Ref StSeParIncludeGlobalResourceTypes
        - ParameterKey: ResourceTypes
          ParameterValue: !Join
            - ","
            - !Ref StSeParResourceTypes
        - ParameterKey: ServiceLinkedRoleRegion
          ParameterValue: !Ref StSeParServiceLinkedRoleRegion
        - ParameterKey: DeliveryChannelName
          ParameterValue: !Ref StSeParDeliveryChannelName
        - ParameterKey: S3BucketName
          ParameterValue: !Ref CentralizedBucket
        - ParameterKey: S3KeyPrefix
          ParameterValue: !Ref StSeParS3KeyPrefix
        - ParameterKey: Frequency
          ParameterValue: !Ref StSeParFrequency
        - ParameterKey: SNS
          ParameterValue: !Ref StSeParSNS
        - ParameterKey: TopicArn
          ParameterValue: !Ref StSeParTopicArn
        - ParameterKey: NotificationEmail
          ParameterValue: !Ref StSeParNotificationEmail
      TemplateURL: https://cloudformation-stackset-sample-templates-us-east-1.s3.us-east-1.amazonaws.com/EnableAWSConfigForOrganizations.yml
      Tags:
        - Key: Name
          Value: !Sub
            - "${tag}-StackSet"
            - tag: !Ref TagName
        - Key: Unit
          Value: !Ref TagUnit
        - Key: Environment
          Value: !Ref TagEnvironment

Upload the template to an S3 Bucket, and then execute the following command, replacing the necessary values.

aws cloudformation create-stack --stack-name Config-StackSetConfigRecorder \ 
--template-url https://xxxxxxxx-templates.s3.amazonaws.com/2-StackSetConfigOrg.yml \ 
--parameters \
      ParameterKey=ConfigRegions,ParameterValue=us-east-1 \
      ParameterKey=TagName,ParameterValue=Config-StackSetConfigRecorder \
      ParameterKey=TagUnit,ParameterValue=Security \
      ParameterKey=TagEnvironment,ParameterValue=Prod \
      ParameterKey=OrganizationId,ParameterValue=o-xxxxxxx \
      ParameterKey=CentralizedBucketName,ParameterValue=centralized-aaa-bbb-c \
      ParameterKey=StackSetOuId,ParameterValue=r-xxxx \
      ParameterKey=StackSetAutoDeployment,ParameterValue=true \
      ParameterKey=StackSetManagedExecution,ParameterValue=false \
      ParameterKey=StackSetCallAsAccount,ParameterValue=DELEGATED_ADMIN \
      ParameterKey=StSeParAllSupported,ParameterValue=true \
      ParameterKey=StSeParIncludeGlobalResourceTypes,ParameterValue=false \
      ParameterKey=StSeParResourceTypes,ParameterValue="<All>" \
      ParameterKey=StSeParServiceLinkedRoleRegion,ParameterValue="<DeployToAnyRegion>" \
      ParameterKey=StSeParDeliveryChannelName,ParameterValue="<Generated>" \
      ParameterKey=StSeParS3KeyPrefix,ParameterValue=o-xxxxxxx \
      ParameterKey=StSeParFrequency,ParameterValue=24hours \
      ParameterKey=StSeParSNS,ParameterValue=false \
      ParameterKey=StSeParTopicArn,ParameterValue="<New Topic>" \
      ParameterKey=StSeParNotificationEmail,ParameterValue="<None>"

Following the successful creation of the Stack, you may proceed to verify the establishment of the following resources:

CloudFormation Stack in Delegated Admin account

S3 Bucket in Delegated Admin account

CloudFormation StackSet in Delegated Admin account

CloudFormation Stacks in Member Accounts

IAM Role for Service-managed StackSet in Member Accounts

AWS Config enabled in Member Accounts

Step 3. Implement Organization Config Rules across all accounts.

Next, we will deploy a few Organization Config Rules. You can explore all the available Managed Rules or create your Custom Rules. For this lab, we will use the ACCESS_KEYS_ROTATED and REQUIRED_TAGS rules to fit my use case.

It should be noted that Organization Config Rules are automatically deployed to the Management Account. However, during Step 2, when the StackSet was deployed to activate Config, it did not include the Management Account. Therefore, if you wish to set up Config for the Management Account, you must first manually activate Config and then establish the necessary Service-Linked accounts using these commands:

aws iam create-service-linked-role --aws-service-name config.amazonaws.com
aws iam create-service-linked-role --aws-service-name config-multiaccountsetup.amazonaws.com

For simplicity, we will not deploy Config Rules to the Management Account. Therefore, we will include an additional parameter "ExcludedAccounts" with the Management account ID as its value to prevent the creation of Config Rules in that account.

Please review the following template and make any necessary modifications as needed.

AWSTemplateFormatVersion: 2010-09-09
Description: This CloudFormation Stack creates a StackSet that deploys a group of Organization Config Rules.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Organization Config Rules Parameters
        Parameters:
          - OrgRulePrefixName
Parameters:
  OrgRulePrefixName:
    Type: String
    Default: <OrgRulePrefix>
    Description: Prefix for the name of the Organization Config Rules.
  OrgRuleExcludedAccounts:
    Type: List<String>
    Default: <OrgRuleExcludedAccounts>
    Description: List of excluded accounts for the Organization Config Rules.
Resources:
  ConfigOrgRuleRequiredTags:
    Type: AWS::Config::OrganizationConfigRule
    Properties:
      OrganizationConfigRuleName: !Sub
        - "${prefix}-requiredtags"
        - prefix: !Ref OrgRulePrefixName
      ExcludedAccounts: !Ref OrgRuleExcludedAccounts
      OrganizationManagedRuleMetadata:
        RuleIdentifier: REQUIRED_TAGS
        Description: Checks if your resources have the standard tags.
        InputParameters: !Sub '{"tag1Key":"Name", "tag2Key":"Unit", "tag2Value":"Management,Security,Applications", "tag3Key":"Environment", "tag3Value": "Prod,Dev,Test,Sandbox"}'
  ConfigOrgRuleAccessKeysRotated:
    Type: AWS::Config::OrganizationConfigRule
    Properties:
      OrganizationConfigRuleName: !Sub
        - "${prefix}-accesskeysrotation"
        - prefix: !Ref OrgRulePrefixName
      ExcludedAccounts: !Ref OrgRuleExcludedAccounts
      OrganizationManagedRuleMetadata:
        RuleIdentifier: ACCESS_KEYS_ROTATED
        Description: Checks if active IAM access keys are rotated within 90 days.
        InputParameters: !Sub '{"maxAccessKeyAge": "90"}'
        MaximumExecutionFrequency: TwentyFour_Hours

Upload the new template to S3 and run the following command for creating the stack.

aws cloudformation create-stack --stack-name Config-OrgConfigRules \ 
--template-url https://xxxxxxxx-templates.s3.amazonaws.com/3-StackSetConfigRules.yml \ 
--parameters \
      ParameterKey=TagName,ParameterValue=Config-StackSetConfigRecorder \
      ParameterKey=TagUnit,ParameterValue=Security \
      ParameterKey=TagEnvironment,ParameterValue=Prod \
      ParameterKey=OrgRulePrefixName,ParameterValue="compliance" \
      ParameterKey=OrgRuleExcludedAccounts,ParameterValue="XXXXXXXXXXXXX"

After successfully creating the Stack, you can confirm the establishment of the Config Rules in the Member Accounts:

List Organization Config Rules using the CLI

aws configservice describe-organization-config-rules

List Organization Config Rules using the Console

Step 4. Set up an AWS Aggregator for cross-account reporting.

Now that we've implemented some Config Rules, it's necessary to have a straightforward method to monitor compliance across all accounts, which is why we are proceeding to establish our Config Aggregator.

We will create a final stack to deploy the Config Aggregator, along with a new IAM Role that the Aggregator needs to gather data from all accounts within an organization.

Please review the following template and make any necessary modifications as needed.

AWSTemplateFormatVersion: 2010-09-09
Description: This CloudFormation Stack creates a StackSet that deploys the
  "EnableAWSConfig.yml" template to an Organization
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Parameters
        Parameters:
          - ConfigRegions
          - TagName
          - TagUnit
          - TagEnvironment
      - Label:
          default: Aggregator Parameters
        Parameters:
          - ConfigAggRoleName
          - ConfigAggName
Parameters:
  ConfigRegions:
    Type: List<String>
    Default: us-east-1
    Description: Specifies list of Regions to be configured as Deployment Target.
  TagName:
    Type: String
    Description: Specifies the prefix for the 'Name' tag for stack resources.
  TagUnit:
    Type: String
    Description: Specifies the value for the 'Unit' tag for stack resources.
  TagEnvironment:
    Type: String
    Description: Specifies the value for the 'Environment' tag for stack resources.
  ConfigAggRoleName:
    Type: String
    Default: <AggregatorRoleName>
    Description: Name for Config Aggregator IAM Role.
  ConfigAggName:
    Type: String
    Default: <AggregatorName>
    Description: Name for Config Aggregator.
Resources:
  ConfigAggregatorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ConfigAggRoleName
      Description: Role for organizational AWS Config aggregator
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
      Tags:
        - Key: Name
          Value: !Sub
            - "${tag}-${rolename}"
            - tag: !Ref TagName
              rolename: !Ref ConfigAggRoleName
        - Key: Unit
          Value: !Ref TagUnit
        - Key: Environment
          Value: !Ref TagEnvironment
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Ref ConfigAggName
      OrganizationAggregationSource:
        AllAwsRegions: false
        AwsRegions: !Ref ConfigRegions
        RoleArn: !GetAtt ConfigAggregatorRole.Arn
      Tags:
        - Key: Name
          Value: !Sub
            - "${tag}-${agg}"
            - tag: !Ref TagName
              agg: !Ref ConfigAggName
        - Key: Unit
          Value: !Ref TagUnit
        - Key: Environment
          Value: !Ref TagEnvironment

Upload the new template to S3 and run the following command to create the stack.

aws cloudformation create-stack --stack-name Config-OrgConfigAggregator \ 
--template-url https://xxxxxxxx-templates.s3.amazonaws.com/4-StackSetConfigAgg.yml \ 
--capabilities CAPABILITY_NAMED_IAM \ 
--parameters \
    ParameterKey=ConfigRegions,ParameterValue=us-east-1 \
    ParameterKey=TagName,ParameterValue=Config-StackSetConfigRecorder \
    ParameterKey=TagUnit,ParameterValue=Security \
    ParameterKey=TagEnvironment,ParameterValue=Prod \
    ParameterKey=ConfigAggRoleName,ParameterValue="ConfigAggregatorRole" \
    ParameterKey=ConfigAggName,ParameterValue="aggregator"

Once the command is executed successfully, an 'OK' status will appear on the aggregator page. However, the aggregator dashboard may take a while to reflect the data from all accounts.

You can execute a query in the Console utilizing data from all accounts and examine all the available fields. To view data from all S3 buckets, run the following query.

SELECT
  resourceId,
  resourceName,
  resourceCreationTime,
  accountId
WHERE
  resourceType = 'AWS::S3::Bucket'

Cleanup

This lab outlined enabling AWS Config using the AWS CLI to easily replicate each setting. It's important to remember to clean up all CloudFormation stacks and any IAM Role created by AWS.

Further steps

If you're interested in further exploring AWS Config features and enhancing your setup, consider these suggestions:

Implement Conformance Packs to utilize a single template that establishes Config Rules across all accounts, avoiding the constraints of Organization Config Rules that necessitate individual rule definition.
Extend the scope of AWS Config to a multi-region setting within AWS Organizations.
Introduce server-side encryption for the Centralized S3 Bucket using KMS, which will entail adding IAM Policies to numerous IAM Roles.
Experiment with AWS Control Tower, a service that simplifies many of the manual configurations associated with AWS Config.
Implement SNS Notifications for the Config Delivery channel to centralize all messages into one account.

Additional resources

Overview of AWS Config: Concepts and Components

Diego Trujillo — Wed, 29 May 2024 21:53:17 +0000

AWS Config is a fully managed service that provides you with resource inventory, configuration history, and configuration change notifications for security and governance.

AWS Config is an auditing service that keeps track of changes made to your AWS resources and allows you to monitor configuration data over time for detecting potential security and operational issues.

This post focuses on some introductory concepts for AWS Config that are not always kept in mind when inspecting the AWS Console for Config, which performs many operations under the surface for us, but in case you want to use another way for setting up your AWS Config these concepts will be very important.

1. AWS Config

AWS Config is a fully managed service that provides you with resource inventory, configuration history, and configuration change notifications for security and governance.

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

AWS Config tracks changes made to these supported AWS resources and records their changes as configuration items (CIs), which are JSON files delivered to an Amazon Simple Storage Service (Amazon S3) bucket. These files are accessed through AWS Config APIs and optionally sent through Amazon Simple Notification Service (Amazon SNS).

2. Configuration Items (CI)

A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.

AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording. You can select AWS Config to create a configuration item at the recording frequency that you set: Continuous recording which records configuration changes continuously whenever a change occurs, and Daily recording which creates a configuration item (CI) representing the most recent state of your resources over the last 24-hour period (only if it’s different from the previous CI recorded).

Here is an example of a Configuration Item for a Resource Group:

{
    "relatedEvents": [],
    "relationships": [
        {
            "resourceId": "vpc-XXXXXXXXXXXX",
            "resourceType": "AWS::EC2::VPC",
            "name": "Is contained in Vpc"
        }
    ],
    "configuration": {
        "description": "default VPC security group",
        "groupName": "default",
        "ipPermissions": [
            {
                "ipProtocol": "-1",
                "ipv6Ranges": [],
                "prefixListIds": [],
                "userIdGroupPairs": [
                    {
                        "groupId": "sg-YYYYYYYYYYYY",
                        "userId": "0000000000"
                    }
                ],
                "ipv4Ranges": [],
                "ipRanges": []
            }
        ],
        "ownerId": "0000000000",
        "groupId": "sg-YYYYYYYYYYYY",
        "ipPermissionsEgress": [
            {
                "ipProtocol": "-1",
                "ipv6Ranges": [],
                "prefixListIds": [],
                "userIdGroupPairs": [],
                "ipv4Ranges": [
                    {
                        "cidrIp": "0.0.0.0/0"
                    }
                ],
                "ipRanges": [
                    "0.0.0.0/0"
                ]
            }
        ],
        "tags": [],
        "vpcId": "vpc-XXXXXXXXXXXX"
    },
    "supplementaryConfiguration": {},
    "tags": {},
    "configurationItemVersion": "1.3",
    "configurationItemCaptureTime": "YYYY-MM-DDTHH:MM:SS.000Z",
    "configurationStateId": 0000000000,
    "awsAccountId": "0000000000",
    "configurationItemStatus": "ResourceDiscovered",
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-YYYYYYYYYYYY",
    "resourceName": "default",
    "ARN": "arn:aws:ec2:us-east-1:0000000000:security-group/sg-YYYYYYYYYYYY",
    "awsRegion": "us-east-1",
    "availabilityZone": "Not Applicable",
    "configurationStateMd5Hash": ""
}

3. Configuration History

A configuration history is a collection of the configuration items for a specific resource type over any time period. Each file includes resources of only one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config does not send a file.

Configuration History Files are useful when you’re looking for the historical configuration state for a specific resource type.
AWS Config delivers configuration history files automatically after enabling the Configuration Recorder and Delivery Channel to an Amazon S3 bucket that you specify. AWS Config sends a configuration history file every six hours, and each file contains details about the resources that changed in that six-hour period.

You can select a given resource in the AWS Config console and navigate to all previous configuration items for that resource using the timeline.

Here is an example of a Configuration History File, with a name in the format {accountId}_Config_{region}_ConfigHistory_{resourceType}_{time}:

{ // Configuration File for AWS::S3::Bucket Resource Type
    "fileVersion": "1.0",
    "configurationItems": [
        { 
            // CI S3 Bucket "A"
        },
        { 
            // CI S3 Bucket "B"
        },
        // Additional S3 Buckets
    ]
}

4. Configuration Snapshot

A configuration snapshot is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a point-in-time capture of the resources that are being recorded and their configurations.

Configuration Snapshot Files are useful when you’re looking for the current configuration state for all supported resources in an account.

By default Configuration Snapshots are not automatically enabled just by enabling the Configuration Recorder and Delivery Channel, you must configure the Delivery Channel with a specific snapshot delivery frequency of 1, 3, 6, 12, or 24 hours. You can have the configuration snapshots delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify.

Here is an example of a Configuration History File, with a name in the format {accountId}_Config_{region}_ConfigSnapshot_{time}:

{
    "fileVersion": "1.0",
    "configSnapshotId": "677bc092-27a0-4831-9c08-012eed635738",
    "configurationItems": [
        { 
            // CI CloudFormation Stack "A"
        },
        { 
            // CI S3 Bucket "B"
        },
        { 
            // CI S3 Bucket "C"
        },
        { 
            // CI SNS Topic "D"
        },
        // Additional Resources
    ]
}

5. Configuration Recorder

The configuration recorder stores the configurations of the supported resources in your account as configuration items. You must first create and then start the configuration recorder before you can start recording. You can stop and restart the configuration recorder at any time.

By default, the configuration recorder records all supported resources in the region where AWS Config is running. You can create a customized configuration recorder that records only the resource types that you specify.

If you use the AWS Management Console or the CLI to turn on the service, AWS Config automatically creates and starts a configuration recorder for you.

6. Delivery Channel

As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates.

Before you can create a delivery channel, you must create a configuration recorder. You can have only one delivery channel per AWS Region per AWS account, and the delivery channel is required to use AWS Config.

7. Delivery of CIs to Amazon S3

As mentioned above AWS Config sends Configuration History Files every six hours to S3, after enabling the configuration recorder.
In the case of Configuration Snapshots, they are sent when a user manually performs the DeliverConfigSnapshot API call or the API is invoked according to a periodic setting for the snapshot every 1, 3, 6, 12, or 24 hours, according to the Delivery Channel setting.
Snapshots and History files use the same format to be stored in S3 and are sent to the same Bucket in two different folders ConfigHistory _and _ConfigSnapshot.

8. Config Notifications and Amazon SNS
AWS Config uses the Amazon SNS topic that you optionally specify in the Delivery Channel.
AWS Config sends notifications for the following events:

Configuration item change for a resource.
Configuration history for a resource was delivered for your account.
Configuration snapshot for recorded resources was started and delivered for your account.
Compliance state of your resources and whether they are compliant with your rules.
Evaluation started for a rule against your resources.
AWS Config failed to deliver the notification to your account.

9. Config Rules

An AWS Config rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. If a resource does not comply with the rule, AWS Config flags the resource and the rule as noncompliant.
There are two types of rules: AWS Config Managed Rules (predefined) and AWS Config Custom Rules (created using Lambda Functions or using Guard language).
When creating a Config Rule you can choose the trigger type to specify how often your AWS Config rules evaluate your resources: Resources can be evaluated when there are configuration changes, on a periodic schedule, or both.

10. AWS Config for AWS Organizations

AWS Config helps you centrally manage your Config Rules and data visualization (CIs, queries, reports, etc.) for all your Member accounts using different features of AWS Config

For using AWS Config services with AWS Organizations you'll need to use the
EnableAWSServiceAccess action (using the API, CLI or Console), which enables the integration and allows AWS Config to create a Service-Linked Role in all accounts in your organization. This allows the AWS Config service to perform operations on your behalf in your organization and its accounts.

AWS Documentation indicates to enable the principals config.amazonaws.com (for AWS Config) and config-multiaccountsetup.amazonaws.com (for managing multi-account AWS Config Rules).

Delegated Administrator for AWS Config
AWS Organizations allows you to delegate tasks or responsibilities to member accounts. The designated member account then becomes delegated administrators, meaning that they can perform a specific activity or manage a specific AWS service across accounts, on behalf of the organization.

AWS Config is one of the AWS services operating across accounts and supporting delegation in AWS Organizations. The Delegated Administrator supports using Aggregators for multi-account, multi-region resource data aggregation.

If you are using an organization management account and intend to use a delegated administrator for organizational deployment, be aware that AWS Config won't automatically create the service-linked role (SLR). You must manually create the service-linked role (SLR) separately using IAM, or using the EnableAWSServiceAccess API as mentioned above.

11. Organizational Rules

AWS Config supports Organizational Rules, which allows you to manage AWS Config rules across all AWS accounts within an organization. You can:

Centrally create, update, and delete AWS Config rules across all accounts in your organization.
Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created.
Use the APIs from the management account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules are not modifiable by your organization’s member accounts.

Remember that Organizational Rules can only be created using the API or CLI. This operation is not supported in the AWS Config console. In addition, when configuring Organizational Rules, each one can only include one AWS Config Rule, so in case you want to use many Config Rules for your Organization Accounts you will have to manage many separate Organizational Rules.

12. Conformance Packs

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.
Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can also use AWS Systems Manager documents (SSM documents) to store your conformance pack templates on AWS and directly deploy conformance packs using SSM document names. You can deploy the template by using the AWS Config console or the AWS CLI.

13. Aggregators

An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:

Multiple accounts and multiple AWS Regions.
Single account and multiple AWS Regions.
An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled. Use an aggregator to view the resource configuration and compliance data recorded in AWS Config. An aggregator uses an Amazon S3 bucket to store aggregated data. It periodically retrieves configuration snapshots from the source accounts and stores them in the designated S3 bucket.

When setting up an Aggregator, you must use the Management Account or a registered Delegated Administrator.