AWS Cloud Operations & Migrations Blog

Moving from a single account AWS Config deployment to an Organization wide deployment

As customers become more mature in the cloud, they will start to investigate how they can utilize additional AWS services in order to meet their goals. In many cases the initial phase will involve some research and testing of the service before deploying it across their cloud environment. For customers that may need to maintain compliance with one or multiple compliance standards such as NIST or PCI, they may start to experiment with AWS Config.

AWS Config is a service that lets you evaluate the configuration state of your resources against your desired configurations and reports on the current status of each resource. For example, if your Amazon S3 buckets need to be encrypted at all times you can use Config to evaluate those resources and flag them as non-compliant if any of them are not currently encrypted.

In order to use AWS Config, you must enable the configuration recorder which will track your resource configurations, and establish a delivery channel which is used to update the configuration state records. By design, AWS config is enabled per region per account, and you will need to enable it in every region that you want to use it in. That said, you can use Quick Setup, a capability of AWS Systems Manager, to enable AWS Config throughout your AWS Organizations organization with just a few clicks.

Quick Setup simplifies and automates setting up services across your AWS accounts and regions without writing a single line of code. If you have previously enabled AWS Config in your individual AWS accounts, and you would like to setup an organization-wide AWS Config using Quick Setup, you must remove the existing configuration recorder and delivery channel before transitioning to organization-wide deployment with Quick Setup.

In this post, we demonstrate how to move from single account AWS Config to an organization-wide deployment. You will learn how to remove the configuration recorder and delivery channel from all the single accounts in order to transition to an organization-wide deployment.

Solution overview

The solution is deployed using a AWS CloudFormation stack. The stack is deployed in a management (central) account with the following components:

  • CloudFormation Custom Resource – The CloudFormation stack includes a custom resource implementation. A custom resource provides a way to write custom provisioning logic that is run by CloudFormation. The custom provisioning logic is backed by a Lambda function that is automatically invoked when a stack operation is performed. (e.g. create, update and delete).
  • AWS Lambda-backed custom resource – The CloudFormation stack deploys a Lambda function which is used to trigger a Systems Manager automation document across regions/accounts. The AWS Lambda Function is invoked by the CloudFormation custom resource upon stack creation.
  • Systems Manager Automation document (runbooks)  – AWS Systems Manager automation documents (runbooks) defines automated actions to perform on your AWS resources. One of those actions is aws:executeScript which we use here to make an API calls to perform the following:
    1. Store Config recorder configuration and status in Parameter Store before deletion.
    2. Delete AWS Config.

The following diagram shows the architecture:

The diagram shows the components used by the solution including a CloudFormation, lambda function, dead letter queue, and System Manager Automation document. Details are described in the section below.

Figure 1: Automate deletion of configuration recorder and delivery channel across accounts

As the CloudFormation stack is deployed, the following sequence of steps takes place as shown in the preceding diagram

  1. CloudFormation Custom Resource asynchronously invokes the AWS Lambda Function.
  2. In turn, the AWS Lambda function will trigger a multi-accounts / multi-Regions System Manager Automation Document (Runbook).
  3. The System Manager Automation Document assumes (AWSConfigDeletion-ExecutionRole) IAM role created in the target accounts. (You can deploy this IAM role to all of your target accounts via AWS CloudFormation StackSets)
  4. The execution role will invoke an automation document in the target accounts/regions.
  5. The automation document will then uses aws:executeScript to make an API call to store AWS Config configuration in Parameter store and then delete AWS config.

Prerequisites

The following prerequisites need to be completed to deploy this solution.

  • This solution uses a management (central) account within AWS Organizations to orchestrate the deployment. You must have administrative credentials to this account. this is the account referred to as “Management account” in Figure 1.
  • This solution uses AWS CloudFormation StackSets to make it easy to deploy AWS IAM resources from a central accounts to targets accounts. When you deploy a stack set, the accounts must have the required permissions for StackSets operations to orchestrate the deployment of your CloudFormation template. You can either use self-managed or service-managed permissions.

Configure Stack Set

  • You need to configure the required permissions for StackSet in both the Management Account and the targets accounts. Link to Pre-requisities

Deploy AWS Config execution Role (AWSConfigDeletion-ExecutionRole) in the Target accounts:

This template creates an IAM Role in the specified accounts, this IAM role is assumed by the Automation document and has the required permission to remove AWS config rules and settings.

In the Management /Central Account:

  • Download the IAM template file AWSConfigDeletion-ExecutionRole.yaml
  • Navigate to the CloudFormation StackSets console.
  • Choose Create StackSet.
  • From the dropdown list, choose with new resources (standard).
  • On the Create StackSet page, select Upload a template file, select Choose file, upload the downloaded template “AWSConfigDeletion-ExecutionRole.yaml”, and then choose Next.
  • In the Specify StackSet details page:
    • For Stack name, enter a name for the stack.
    • For ManagementAccountNumber , enter the AWS Management or Central Account ID.
Figure 2. Specify the StackSet Details

Figure 2. Specify the StackSet Details

  • Choose Next.
  • Under the Account Section, enter your AWS account IDs. Alternatively, you can choose to deploy to specific organizational units within your AWS Organizations.
  • Under the Specify region section, Select the preferred region.
Figure 3. Set the deployment regions and accounts

Figure 3. Set the deployment regions and accounts

  • Choose Next.
  • Step through the remaining pages.
  • On the final page, select the acknowledgement that IAM resources can be created.
Figure 4. Ensure that you have selected the acknowledgement box and proceed

Figure 4. Ensure that you have selected the acknowledgement box and proceed

Deploy the solution

In the Management /Central Account:

  • Download the Solution Template file. AWSConfigDeletion-Automation-Multiaccounts.yaml
  • Navigate to the AWS CloudFormation console, choose Create stack.
  • From the dropdown list, choose with new resources (standard).
  • On the Create stack page, select Upload the downloaded template file titled “AWSConfigDeletion-Automation-Multiaccounts.yaml”, and then choose Next.
Figure 5. Stack name and parameters

Figure 5.  Stack name and parameters

  • Choose Next
  • Step through the remaining page
Figure 6. Set the options for your stack

Figure 6.  Set the options for your stack

  • On the last page, check the resource creation acknowledgement checkbox.
Figure 7. Select the acknowledgement box before creating the stack.

Figure 7.  Select the acknowledgement box before creating the stack.

Cleaning up

To avoid incurring recurring charges, we recommend that you clean up the environment when it is no longer necessary.

To delete the resources created in steps 1-2 of this post, go to the AWS CloudFormation console in the management account. From the left navigation pane, choose StackSets, and then choose the StackSet you created. From Actions, choose Delete StackSet.
For more information, see Deleting a StackSets on the AWS CloudFormation console in the AWS CloudFormation User Guide.

To delete the resources created in step 3 of this post, go to the AWS CloudFormation console in the management account. Choose the stack you created, and then choose Delete.
For more information, see Deleting a stack on the AWS CloudFormation console in the AWS CloudFormation User Guide.

Conclusion

In this post, we shared a solution that provides an implementation of a custom automation to remove any delivery channels or configuration recorders that are deployed across an AWS environment. This removes some complexity for customers looking implement a standardized compliance framework across all of their AWS accounts and regions. By using this solution, we were able to automate the process of removing the recorder and delivery channel from singular accounts, which would otherwise need to be done manually before deploying AWS Config at the organizational level. If you want to learn more about AWS Config, read about the best practices for AWS Config and AWS Config Conformance Packs.

About the authors:

Craig Edwards

Craig Edwards is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. When he is not building cloud solutions, he enjoys being a Father and electric vehicles.

Erik Weber

Erik Weber is a World-wide Specialist Solutions Architect for AWS Cloud Operations services. He specializes in AWS Systems Manager, AWS Config, AWS CloudTrail, and AWS Audit Manager. Outside of work, Erik has a passion for hiking, cooking, and biking.

Khaled Mohamed

Khaled is a Solution Architect with the AWS Public Sector team in Toronto, Canada. His role is to help AWS partners and customers to successfully build secure, high-performing, resilient infrastructure and accelerate cloud adoption on AWS. In his spare time, Khaled enjoys building and exploring new solutions, and technologies.