AWS Cloud Operations & Migrations Blog

AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack

Many of the customers I work with would like to be able to apply AWS Control Tower’s detective guardrails to an existing AWS account before moving them to Control Tower governance. Now that you can launch AWS Control Tower in an existing AWS Organization, customers want to evaluate their existing accounts for compliance with AWS Control Tower detective guardrails. We also just announced the ability to enroll an account to Control Tower governance. As a best practice, it is good to check how Control Tower guardrails impact your account before extending Control Tower governance to that account.

In this blog, I show how to use an AWS Config Conformance Pack to apply Control Tower guardrails to your existing accounts. You can then evaluate the compliance of the resources in that account before enrolling in AWS Control Tower. I show you how to modify the conformance pack to apply a subset of the detective guardrails to your unmanaged accounts. Finally, I show how to use the conformance pack to manage resources in accounts that exist in regions where AWS Control Tower is not deployed.

Background

Once you turn on AWS Control Tower in an existing AWS Organization, new Organization Units (OU) that are created via Control Tower automatically receive all mandatory Control Tower guardrails. However, accounts that are not created from a net new organizational OU via Control Tower remain unmanaged by Control Tower.

The accounts that you launched before deploying AWS Control Tower, remain outside AWS Control Towers’ governance. These accounts must be enrolled in the AWS Control Tower explicitly. See the blog on how to do so here.

Enrolling an account into AWS Control Tower deploys baselines and additional guardrails to enable continuous governance on your existing AWS accounts. However, you must perform proper due diligence before enrolling in an account. Refer to Things to Consider section below for additional information.

Here’s a quick review of some terms used in this post:

  • AWS Config Conformance Packs is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.
  • The unregistered OU is an organizational unit that is created directly on AWS Organizations and AWS Control Tower does not manage this OU.
  • The unenrolled account is an existing AWS account created before deploying AWS Control Tower.
  • The registered OU is an organizational unit that is created from Control Tower service.
  • An AWS Account Factory account is an AWS account provisioned using account factory in AWS Control Tower.

Things to Consider

Enrolling an existing AWS account into AWS Control Tower involves moving an account from an unregistered OU or from root of the Organization into a registered OU. Before you decide to enroll the account under AWS Control Tower governance, it’s important to understand the resources running in the account. The Conformance Pack evaluates the impact of applying AWS Control Tower guardrails to the resources in the account.

Prerequisites

Follow this blog post to enable AWS Config in the Region where the majority of your account resources are located. When you get to the step labeled “Deploying your first conformance pack,” move to the steps below.

Deploy the AWS Control Tower Guardrails Conformance Pack

  • Download the AWS Control Tower Guardrails conformance pack to your local machine.
  • Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/
  • Navigate to the Conformance packs page and choose Deploy conformance pack.
  • On the Specify template page, either choose a sample template or use an existing template.
    • Choose Template is ready, specify the template source as Upload a template file. If your template is more than 50 KB, upload it to the S3 bucket and select that S3 bucket location. For example: s3://bucketname/prefix.
    • Choose Next.
  • On the Specify conformance pack details page, type the name for your conformance pack. The conformance pack name must be a unique name with a maximum of 256 alphanumeric characters. The name can contain hyphens but cannot contain spaces.
  • Select the “Create an S3 bucket” and make sure that the name starts with awsconfigconforms. Include the account number to ensure that the bucket name is unique, for example: awsconfigconforms-012345678901.
  • Choose Next.
  • On the Review and deploy page, review all of the information. You can edit the template details and conformance pack details by choosing Edit.
  • Choose Deploy conformance pack. AWS Config displays the conformance pack on the conformance pack page with the appropriate status. If your conformance pack deployment fails, check your permissions, verify that you did the prerequisite steps, and try again. Or you can contact AWS Config support.

Check the status of the resources in your account in the AWS Config Dashboard

  • Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/
  • In the AWS Management Console menu, verify that the Region selector is set to a Region that supports AWS Config rules. For the list of supported Regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.
  • In the navigation pane, choose Rules. The Rules page shows your rules and the compliance status for each.
  • Choose a rule from the list.
  • In the navigation pane, choose Resource. The Resources page shows your resources and the compliance status for each.

You can see the status of your resources against each of the AWS Control Tower guardrails (rules). You have an idea of how many non-compliant resources you have in each Region in each of your existing accounts. Now you must decide how you want to move forward. Remember that non-compliant resources in your account show in the AWS Control Tower dashboard once you enroll the account. You may decide to wait until you have a chance to remediate all of the non-compliant resources. Or, you could choose to enroll the account with the understanding that you have non-compliant resources in the AWS Control Tower dashboard.

Creating your own guardrails conformance pack

The AWS Control Tower detective guardrails conformance pack contains all of the AWS Config Rules based guardrails from AWS Control Tower. You may choose to only investigate the resources in your accounts for the guardrails that you plan to apply to the governed OU in AWS Control Tower. In that case, the guardrails conformance pack is easy to modify to meet that need. Notice from the template snippet below, that a conformance pack is just a CloudFormation template Resource block with the config rules defined. Notice that all of the guardrails are AWS Config managed rules. So, to choose which rules to use, simply remove the commented #Resource block for each rule that you don’t need.

Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
  CheckForEc2VolumesInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEc2VolumesInUs
      Description: eDisallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances
      InputParameters:
        deleteOnTermination: None
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume

If I just want to remove the first rule, CheckForEbsOptimizedInstance, the snippet looks like this:

Resources:

  CheckForEc2VolumesInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEc2VolumesInUs
      Description: eDisallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances
      InputParameters:
        deleteOnTermination: None
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume

Save this new template with a different file name, and deploy this custom conformance pack using the same steps I used to deploy the original.

Using your own guardrails conformance pack to govern resources in regions where AWS Control Tower is not deployed

Now that you have your own version(s) of conformance pack(s), you can govern resources in other AWS regions where Control Tower is not currently supported. The accounts are located in OUs managed by AWS Control Tower, however, the workloads run within AWS regions that don’t have AWS Control Tower support today. AWS Control Tower implements a Service Control Policy (SCP) based guardrail that does not allow accounts to change or create the AWS Config recorder. Temporarily detach the SCP from the OU that contains the account. Make the necessary changes to AWS Config and deploy the conformance pack and then reattach the SCP.

Here are the detailed steps:

  • Sign in to the AWS Management Console for the Organizations master account and open the AWS Organizations console at https://console.aws.amazon.com/organizations/
  • Select the Policies tab
  • Select the policies with names like “aws-guardrails-XXXXX” and in the right side of the page check which OU the policy is attached to. Click Detach.
  • Sign in to the AWS Management Console into the account that you will apply the conformance pack against and open the AWS Config console at https://console.aws.amazon.com/config/
  • Download the AWS Control Tower Detective Guardrails conformance pack and follow the steps in the previous section labeled “Deploy the AWS Control Tower Guardrails Conformance Pack”
  • Repeat the steps for each Region you would like to deploy the conformance pack, using the S3 bucket that you created for the first launch of a conformance pack.
  • Once all of the regions have been deployed, sign in to the AWS Management Console for the Organizations master account and open the AWS Organizations console at https://console.aws.amazon.com/organizations/
  • Select Organize Accounts. Select the OU that hosts the account you just used. Select Service Control Policies. Select the policy that you detached previously. On the right side, select the Organization Units. Click Attach.

When the Region becomes available in AWS Control Tower, you remove the conformance packs that you have deployed and update the account to use the new AWS Control Tower Region.

Cleanup steps

Cleaning up AWS Config conformance packs are as easy as just using the AWS Config console, selecting the conformance pack, and select Delete from the Actions button.

Conclusion

In this post, I have shown how to deploy AWS Control Tower detective guardrails into your existing unenrolled accounts before enrolling them into AWS Control Tower. I have shown you how to modify the conformance pack to reflect the guardrails that you want to use to manage the accounts. Finally, I have shown you how to use the pack to manage resources in your accounts in regions not currently supported by AWS Control Tower.

About the author

Bryan Miller is a Sr. Specialist for AWS Control Tower and AWS Service Catalog. Bryan enjoys helping customers build automated solutions to accelerate their cloud journey.