AWS Management & Governance Blog

Introducing AWS Config Multi-Account, Multi-Region support for Advanced Query

I’m excited to introduce our latest feature addition: multi-account, multi-Region support for AWS Config Advanced Query. Advanced Query, launched last year, lets you query the configuration properties of your AWS resources for audit, compliance, or operational troubleshooting using simple SQL-like queries. With this release, you can run Advanced Query against a configuration aggregator, so a single query spans every account and Region the aggregator covers. This gives you one place, the central account that owns the aggregator, from which to query your entire AWS footprint and get relevant information about your resources.

In this blog post, I walk you through how to use this new feature.

Prerequisites

To take advantage of multi-account, multi-Region query support, you must:

  • Ensure that AWS Config recording is turned on in all accounts and Regions.
  • Ensure that you have a Configuration Aggregator that aggregates the data across accounts and Regions.

Ensure AWS Config Recording is On

If this is your first time accessing AWS Config, please follow the steps in Setting Up AWS Config with the Console. Otherwise, consult your AWS Config settings and ensure that recording is on. This must be done for each account and Region with resources that you would like to formulate queries for: a resource in an account or Region where recording is off is simply absent from the aggregator, so an empty result set there is not evidence that no such resource exists. You can use CloudFormation StackSets to programmatically enable AWS Config recording across multiple accounts and Regions.

Create an Aggregator

If you have not set up an aggregator before, please follow the steps in the Setting Up An Aggregator Using the Console documentation. Remember to configure the aggregator in the central account, where you will run multi-account and multi-Region advanced queries. If the aggregator lists source accounts explicitly rather than using AWS Organizations, each source account must also authorize the aggregator account and Region, or its data is not collected.

Making a Multi-Account, Multi-Region Query

To make a multi-account and multi-Region query, navigate to AWS Config > Resources > Advanced query. This redirects you to the new console, where you can open the SQL query editor. You may either formulate your own query at this point or, to become familiar with common use cases, select from a list of sample SQL queries authored by AWS. The resource type schema in GitHub lists all the properties that can be queried with Advanced Query.

We have provided ~60 sample queries for common scenarios in inventory and compliance management. You can search for specific queries by name, description, creator, or tag.

A simple example

Let’s begin with a simple use case to get our feet wet. Let’s suppose I want to get a list of all active DynamoDB tables in my AWS organization. Assuming I already have an aggregator in my account, aggregating AWS Config data from all accounts and Regions in my organization, I select a sample query called Active DynamoDB tables, which takes me to the Query editor screen.

Here I select the Query scope to either run this query in this account and Region or pick an aggregator. Since I want to run this query across accounts and Regions, I pick an aggregator from the drop-down in the Query scope section. I modify the sample query to include the accountId and awsRegion properties, so that the owning account and Region are populated in my query results.

Finally, I click the Run button.

As can be seen, the query returns all active DynamoDB tables across my organization.

A more advanced example

Now suppose I want to identify volumes that aren’t attached to any EC2 instances. These can be important from a cost management perspective, as costs are incurred for these unused volumes. I select the Unused EBS sample query and run it on my aggregator.

The results show all unused and unattached EBS volumes across my organization, along with account numbers and Region.

The same query can be made using the AWS CLI with the following command. Each row comes back as a JSON string, and large result sets are paginated (100 rows per page by default), so check the response for a NextToken and pass it back to fetch the remaining rows:

aws configservice --region us-east-1 select-aggregate-resource-config --expression "SELECT resourceId, accountId, awsRegion, resourceType, configuration.volumeType, configuration.size, resourceCreationTime, tags, configuration.encrypted, configuration.availabilityZone, configuration.state.value WHERE resourceType = 'AWS::EC2::Volume' AND configuration.state.value <> 'in-use'" --configuration-aggregator-name DevAggregator
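The same query driven from the SDK, as an added example that is not code from the original post. It assumes the DevAggregator aggregator from the CLI command above, credentials allowed to call config:SelectAggregateResourceConfig, and a boto3 config client; the expression itself is written for this example rather than taken from AWS's samples, and, going one step beyond the cost check above, asks a security question instead: which EBS volumes are unencrypted in every account and Region the aggregator covers. The block follows NextToken across pages, parses the JSON rows, groups findings by owning account, and flattens them to CSV; FakeConfigClient is a constructed stand-in with two sample pages so the paging logic can be exercised offline.

```python
"""Run an AWS Config advanced query against a configuration aggregator (boto3).

Added example, not code from the original post. Assumes an aggregator named
DevAggregator in the central account and credentials that may call
config:SelectAggregateResourceConfig. The expression is constructed for this
example, not one of AWS's sample queries.
"""
import csv
import io
import json

# Advanced query is a restricted SQL dialect: SELECT <properties> WHERE <filter>.
# accountId and awsRegion are selected so each finding can be routed to the
# account that owns the volume.
UNENCRYPTED_VOLUMES = (
    "SELECT resourceId, accountId, awsRegion, configuration.volumeType, "
    "configuration.size, configuration.encrypted "
    "WHERE resourceType = 'AWS::EC2::Volume' "
    "AND configuration.encrypted = false"
)


def run_aggregate_query(client, expression, aggregator_name, page_size=100):
    """Return every row matching `expression`, following NextToken to the end.

    `client` is a boto3 'config' client, or anything exposing the same
    select_aggregate_resource_config(**kwargs) method. The API returns each row
    as a JSON string inside Results, so rows are parsed into dicts here.
    """
    kwargs = {
        "Expression": expression,
        "ConfigurationAggregatorName": aggregator_name,
        "Limit": page_size,  # rows per page; the API caps this at 100
    }
    rows = []
    while True:
        resp = client.select_aggregate_resource_config(**kwargs)
        rows.extend(json.loads(r) for r in resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:  # the last page carries no NextToken
            return rows
        kwargs["NextToken"] = token


def _dig(row, dotted):
    """Look up a dotted property path such as configuration.size in a row dict."""
    for part in dotted.split("."):
        row = row.get(part) if isinstance(row, dict) else None
    return row


def findings_by_account(rows):
    """Count rows per (accountId, awsRegion) so results can be handed to owners."""
    counts = {}
    for row in rows:
        key = (row["accountId"], row["awsRegion"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def rows_to_csv(rows, fields):
    """Flatten rows to CSV text, the same shape as the console's CSV export."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        writer.writerow([_dig(row, f) for f in fields])
    return buf.getvalue()


def _row(vol, account, region, vtype, size):
    """Build one constructed result row in the JSON-string form the API returns."""
    return json.dumps({"resourceId": vol, "accountId": account, "awsRegion": region,
                       "configuration": {"volumeType": vtype, "size": size,
                                         "encrypted": False}})


class FakeConfigClient:
    """Constructed stand-in for the boto3 client: two pages of sample results
    (account numbers and volume IDs are made up) for exercising paging offline."""
    _pages = [
        {"Results": [_row("vol-0a1", "111111111111", "us-east-1", "gp3", 8)],
         "NextToken": "page-2"},
        {"Results": [_row("vol-0b2", "222222222222", "eu-west-1", "gp2", 100),
                     _row("vol-0c3", "222222222222", "eu-west-1", "gp3", 20)]},
    ]

    def __init__(self):
        self.calls = []  # every kwargs dict the caller passed, for inspection

    def select_aggregate_resource_config(self, **kwargs):
        self.calls.append(kwargs)
        return self._pages[1 if kwargs.get("NextToken") else 0]


def main(aggregator_name="DevAggregator", region="us-east-1"):
    import boto3  # imported here so the pure functions above run without the SDK
    client = boto3.client("config", region_name=region)
    rows = run_aggregate_query(client, UNENCRYPTED_VOLUMES, aggregator_name)
    for (account, reg), n in sorted(findings_by_account(rows).items()):
        print(f"{account} {reg}: {n} unencrypted volume(s)")
    print(rows_to_csv(rows, ["accountId", "awsRegion", "resourceId",
                             "configuration.volumeType", "configuration.size"]))


if __name__ == "__main__":
    main()
```

Passing the client in, rather than constructing it inside run_aggregate_query, is what lets the paging and parsing be tested against FakeConfigClient without AWS credentials; in production, main() builds the real client in the Region where the aggregator lives.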

As can be seen in the examples, multi-account and multi-Region querying can quickly identify resources across accounts and Regions that meet specific criteria.

Exporting Query Results

Now that you have the query results, you can even export them in a JSON or CSV format for offline analysis and sharing with other teams.

Conclusion

Multi-account and multi-Region support for Advanced Query provides you with a powerful and convenient option to query your AWS footprint centrally. You no longer need to describe individual resources in each account and Region to fetch the information you are looking for. Instead, you can use this new capability in AWS Config, at no additional cost.

About the Author

Hsin-Mao Wu is an engineer on AWS Config based in Seattle, Washington. He has a dog named Arabella.