AWS Cloud Operations & Migrations Blog

Managing AWS Organizations accounts using AWS Config and AWS CloudFormation StackSets

AWS Organizations enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. Organizations includes consolidated billing and account management capabilities that enable you to better meet your business’s budgetary, security, and compliance needs. As an administrator of an organization, you can create member accounts in your organization and invite existing accounts to join the organization.

AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

With AWS Config, you can review changes in configurations and relationships between AWS resources and dive into detailed resource configuration histories. You can also determine your overall compliance against the configurations specified in your internal guidelines. AWS Config simplifies compliance auditing, security analysis, change management, and operational troubleshooting.

By combining Organizations with AWS Config and AWS CloudFormation StackSets, you can manage hundreds or thousands of member accounts efficiently. In this post, we walk you through the creation of organizational units, IAM role provisioning, CloudFormation StackSets configuration, and AWS Config rule deployment.

Create organizational units

For this post, create a simple organization with two organizational units: Production Team and Development Team.

  1. Create your organization
  2. Create the organizational units

When you finish, your Development and Production Teams are displayed on the Organize Accounts tab.

For this post, enforce AWS Config rules on the Development Team, and put at least one member account under the Development Team. Member accounts can have multiple AWS resources across multiple AWS Regions. You don’t have to enable all features mode to create simple organizational units like the ones discussed in this section.

Create a CloudFormation StackSet

A StackSet is a container for CloudFormation stacks that lets you provision stacks across AWS accounts and Regions with a single CloudFormation template.

An administrator account in Organizations can provision a CloudFormation stack to member accounts as target accounts in multiple Regions, as shown in the following diagram.

The administrator account must have an AWSCloudFormationStackSetsAdministrationRole IAM role and the target member accounts must have a corresponding AWSCloudFormationStackSetsExecutionRole. The following diagram shows one administrator account managing multiple target member accounts.

You can create these roles using the following guidance to ensure implementation of least privilege principles.

Provision the IAM roles for the accounts

Now, create the stacks and provision IAM roles for the Administrator and Target accounts. To provision the Administrator account:

  1. Log in from the Administrator account.
  2. In the AWS CloudFormation console, choose Create Stack.
  3. Complete the Specify template step using the template for this role. Refer to the guidance cited above to ensure that the role implements least privilege principles.
  4. Name the stack AWSCloudFormationStackSetsAdministrationRoleStack and choose Next.
  5. Complete the wizard and choose Create stack.

The stack details page now shows the status CREATE_IN_PROGRESS. Wait until the status reads CREATE_COMPLETE, then provision the target accounts.

To provision the target accounts:

  1. Log in with the Target (Member) account.
  2. In the CloudFormation console, choose Create Stack.
  3. Complete the Specify template step using the template for this role. Refer to the guidance cited above to ensure that the role implements least privilege principles.
  4. Name the stack AWSCloudFormationStackSetsExecutionRoleStack.
  5. For Parameters/AdministratorAccountId, provide the AWS account ID of the Administrator account and choose Next.
  6. Complete the wizard and choose Create stack.

The stack details page shows the status CREATE_IN_PROGRESS. When the status reads CREATE_COMPLETE, follow the steps outlined in the next section.

Configure CloudFormation StackSets for AWS Config

AWS CloudFormation StackSets helps enable AWS Config on all member accounts under organizational units in a single execution. If you have hundreds or thousands of member accounts, this capability simplifies AWS Config enablement across an organization.

  1. In the CloudFormation console, choose StackSets.
  2. On the Create StackSet page, go to the Choose a template section.
  3. For Select a sample template, select Enable AWS Config.

In a single operation, this StackSet enables AWS Config, sets up an S3 bucket, and creates the SNS topic required to send notifications in each target member account and AWS Region.

Configure StackSet details

  1. In the AWS CloudFormation console, choose Specify StackSet details.
  2. Confirm the Enable AWS Config StackSet details and choose Next.
  3. Enter a StackSet name. For this example, use the name EnableAWSConfigDEV-OU.
  4. Enter or modify the default parameters for this StackSet as follows:
    1. To monitor global resources like IAM resources, set IncludeGlobalResourceTypes to true.
    2. For ResourceTypes, accept the default value to include all resources.
    3. Set the NotificationEmail to either your email address or a distribution list. This email notifies recipients of non-compliance events.
    4. Leave the TopicARN parameter set to the default, so the StackSet operation creates a new SNS topic. Alternatively, specify your preferred SNS topic ARN.
    5. Set DeliveryChannelName for AWS Config snapshots.
    6. Set Frequency to 24 hours. The options are one hour, three hours, six hours, 12 hours, and 24 hours. This setting specifies how often AWS Config delivers configuration snapshots to the S3 bucket. By choosing the 24 hours option, you make sure that AWS Config backs up the latest configuration state of all your account resources daily.
    7. To monitor all AWS resources, set AllSupported to true. To only monitor specific resources, like EC2 Instances or AWS CloudTrail, set AllSupported to false and put the names of the resources under ResourceTypes.
  5. After configuring all of the cited parameters, choose Next.

Configure StackSet options

  1. Choose Configure StackSet options. Enter the following values and choose Next.
  • For IAM admin role name, enter AWSCloudFormationStackSetsAdministrationRole.
  • For IAM execution role name, enter AWSCloudFormationStackSetsExecutionRole.

You provisioned these roles earlier, with the first two small stacks that you deployed.

  1. For Organizational units, enter the Organization ID value, which you can retrieve from the AWS Organizations console: select the desired organization and copy the text under the ID label, as shown in the following screenshot.

Configure deployment options

  1. Choose Set deployment locations, Deploy stacks in organizational units.
  2. For Organization numbers, enter the Organization ID.
  3. Scroll down to Specify regions and Deployment options.
  4. For this post, deploy the StackSet to enable AWS Config in all AWS Regions. In a production environment, you can choose specific AWS Regions to optimize cost, because AWS Config provisions S3 buckets and SNS topics for each account in each of those Regions.

The Maximum concurrent accounts setting specifies the number of accounts per Region to which you can deploy stacks in parallel.

The Failure tolerance setting specifies the number of accounts per Region for which stacks can fail before CloudFormation stops the operation in that Region. If CloudFormation stops the operation in one Region, it does not continue in other Regions.

  1. For this post, enter 10 for both settings and choose Next.
  2. To review the StackSet configuration, select the check box acknowledging that the stack might create IAM resources: I acknowledge that AWS CloudFormation might create IAM resources.
  3. Choose Submit.

Because StackSets provisions all required resources in all member accounts in all specified Regions, this process takes some time. When StackSets finishes provisioning, AWS Config is enabled in each account and Region, along with the required resources (S3 buckets and SNS topics).

To see your StackSet execution progress:

  1. In the CloudFormation console, choose StackSet details.
  2. To review execution details, select EnableAWSConfigDEV-OU.

Deploy AWS Config rules on all member accounts under organization units

AWS CloudFormation StackSets can also be used to deploy the AWS Config rules to all member accounts under organizational units in a single execution. If you have hundreds or thousands of member accounts, this capability simplifies AWS Config rules deployment across your organization.

Here are three rules as examples:

  • S3 Bucket Public Read Prohibited: Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).
  • Restricted SSH: Checks whether security groups that are in use disallow unlimited incoming SSH traffic.
  • EC2 instance type whitelist: Checks whether your EC2 instances are of the specified instance types.
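To make concrete what each of these three rules looks at, here is an added example, not code from the post or from the managed rules themselves: a simplified local evaluator that runs over constructed stand-ins shaped like AWS Config configuration items. The real rules evaluate live AWS Config data with AWS's own logic, so treat this as an approximation of the checks, not a reimplementation.

```python
# Added example, not from the post: a simplified local mirror of what the
# three managed rules described above check. Inputs are constructed stand-ins
# shaped like AWS Config configuration items, not data from a real account.
ALLOWED_INSTANCE_TYPES = {"t2.small", "m4.large"}  # the post's example allowlist
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def s3_bucket_public_read_prohibited(bucket):
    """Block Public Access settings first, then the bucket policy, then the ACL."""
    bpa = bucket.get("publicAccessBlock", {})
    if all(bpa.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                "BlockPublicPolicy", "RestrictPublicBuckets")):
        return "COMPLIANT"  # all four settings on: public access cannot apply
    for stmt in bucket.get("policy", {}).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        anonymous = stmt.get("Principal") in ("*", {"AWS": "*"})
        if stmt.get("Effect") == "Allow" and anonymous and actions & {"s3:*", "s3:Get*", "s3:GetObject"}:
            return "NON_COMPLIANT"
    for grant in bucket.get("aclGrants", []):
        if grant["grantee"] == ALL_USERS and grant["permission"] in ("READ", "FULL_CONTROL"):
            return "NON_COMPLIANT"
    return "COMPLIANT"

def restricted_ssh(security_group):
    """NON_COMPLIANT if any ingress rule reaches TCP/22 from 0.0.0.0/0 or ::/0."""
    for perm in security_group.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        low, high = perm.get("fromPort") or 0, perm.get("toPort") or 65535
        reaches_22 = proto == "-1" or (proto == "tcp" and low <= 22 <= high)
        sources = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
        sources |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if reaches_22 and sources & {"0.0.0.0/0", "::/0"}:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def desired_instance_type(instance, allowed=ALLOWED_INSTANCE_TYPES):
    return "COMPLIANT" if instance.get("instanceType") in allowed else "NON_COMPLIANT"

SAMPLES = {  # constructed stand-ins, not real resources
    "open-sg": (restricted_ssh, {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22,
                "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}),
    "public-bucket": (s3_bucket_public_read_prohibited,
                      {"aclGrants": [{"grantee": ALL_USERS, "permission": "READ"}]}),
    "locked-bucket": (s3_bucket_public_read_prohibited, {"publicAccessBlock": dict.fromkeys(
        ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"), True)}),
    "m5.xlarge": (desired_instance_type, {"instanceType": "m5.xlarge"}),
}
def evaluate_samples():
    return {name: check(item) for name, (check, item) in SAMPLES.items()}
```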

To deploy the AWS Config rules in production, follow the same procedure that you used when deploying the StackSet that enabled AWS Config. For this post, use the templates for the three rules specified in the cited URLs. Note that some AWS Config managed rules are not available in all Regions; refer to the list of AWS Config Managed Rules for details.

S3 Bucket Public Read Prohibited

Follow the StackSet creation steps outlined earlier in this post. Use the S3 Bucket Public Read Prohibited rule template URL and apply the same deployment options (Organization ID, all Regions, and the same concurrency and failure tolerance settings as before, with 10 accounts). Use the same Administration and Execution IAM roles and choose Submit.

Restricted SSH rule

Follow the StackSet creation steps outlined earlier in this post. Use the Restricted SSH rule template URL and apply the same deployment options (Organization ID, all Regions, and the same concurrency and failure tolerance settings as before, with 10 accounts). Use the same Administration and Execution IAM roles and choose Submit.

EC2 instance type whitelist rule

Follow the StackSet creation steps outlined earlier in this post. Use the EC2 instance type whitelist template URL. Specify the EC2 instance types (multiple values separated by commas, for example t2.small, m4.large). Apply the same deployment options (Organization ID, all Regions, and the same concurrency and failure tolerance settings as before, with 10 accounts). Use the same Administration and Execution IAM roles and choose Submit.
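The three sections above deploy one StackSet per rule. As an added example, not one of the post's linked sample templates, the following CloudFormation template deploys all three managed rules from a single StackSet; it assumes AWS Config was already enabled in every target account and Region by the EnableAWSConfigDEV-OU StackSet, and the rule names and the AllowedInstanceTypes parameter name are my own choices.

```yaml
# Added example (not one of the post's linked sample templates): deploy the
# three managed rules from this post in one StackSet. Assumes AWS Config was
# already enabled by the EnableAWSConfigDEV-OU StackSet in every target
# account and Region; the rule names and parameter name are my own choices.
AWSTemplateFormatVersion: "2010-09-09"
Description: Three AWS Config managed rules for the Development Team OU
Parameters:
  AllowedInstanceTypes:
    Type: String
    Default: "t2.small,m4.large"
    Description: Comma-separated EC2 instance types permitted by the whitelist rule
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  RestrictedSsh:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
  DesiredInstanceType:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: desired-instance-type
      InputParameters:
        instanceType: !Ref AllowedInstanceTypes
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: DESIRED_INSTANCE_TYPE
```

Deploy it with the same StackSet options as before (Organization ID, Regions, 10 for concurrency and failure tolerance, and the Administration and Execution roles); rule creation fails in any account and Region where the AWS Config configuration recorder is not yet running, which the failure tolerance setting will surface.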

AWS rule execution on organization unit accounts in all Regions

After you create the three AWS Config rules, AWS Config runs against all resources under the Development Team, on all accounts and Regions. AWS Config runs the rules during S3 bucket creation for the S3 Bucket Public Read Prohibited rule, during security group creation for the Restricted SSH rule and during EC2 Instance creation for the EC2 instance type whitelist rule.

The administrator can re-evaluate the rules on-demand using the AWS Config Console.

View AWS Config execution results in a single dashboard

AWS Config supports aggregated views to show the results of rules execution over organization unit accounts on all AWS Regions.

  1. In the AWS Config console, choose Aggregated view, Aggregators.
  2. Choose Add aggregator, Allow AWS Config to replicate data from source account(s) into an aggregator account.
  3. To integrate AWS Config with Organizations, create a new IAM role, such as aws-config-aggregator-role.
  4. Enter a name for the aggregator, such as DevelopmentTeamOUAggregator.
  5. Add applicable AWS Regions to the aggregator and choose Save.

The aggregator takes some time to gather all applicable AWS Resources on all Member accounts and all AWS Regions. After the aggregator finishes this task, you can view all the AWS Config Rule execution results in the Aggregated View dashboard.

After you complete this exercise, note the following:

  • StackSets creates S3 buckets for each account in each Region that you choose.
  • AWS Config creates S3 buckets for each service event that you choose, even if there are no violations.
  • You incur charges for S3 buckets, SNS topics, and AWS Config rules for as long as they are in use.

After CloudFormation StackSets enables AWS Config and provisions AWS Config rules, you can follow the same steps described in this post to:

  • Add new AWS Config rules
  • Enable or disable AWS resources
  • Enable AWS Config and deploy AWS Config rules to new member accounts when they join the organization units

Summary

In this post, we walked you through the creation of AWS organizational units, IAM role provisioning for stacks, CloudFormation StackSets configuration, and AWS Config rule deployment. We hope that this walkthrough provided helpful guidance. Visit our documentation to get started with AWS Config and AWS CloudFormation.

About the Authors

Sigit Priyanggoro is a Sr Partner Solutions Architect for the Global System Integrator team. He works with partners and customers on AWS technologies in Management Tools, Telecom, and Mobile. In his spare time, he plays in a band as a guitarist and backup drummer. You can reach him via @sigitp on Dev.To.

Carlos Santiago is a Sr. Technical Account Manager with more than 23 years of experience in Windows systems management. He is passionate towards helping customers move from legacy management systems to the cloud.

Terry Chapman is a Sr. Technical Account Manager with a focus on Contact Centers and Amazon Connect. He actively works with large Enterprise accounts with a focus on operations of customers environments in the AWS Cloud.

Luis Colon is a Senior Developer Advocate for the AWS CloudFormation team. He works with customers and internal development teams to focus on and improve the developer experience for CloudFormation users. In his spare time, he mixes progressive trance music. You can reach him via @luiscolon1 on Twitter.