This Guidance shows you how to implement the Resource Inventory Management capability. The Resource Inventory Management capability enables the collection, visibility, tracking, configuration validation, and service mapping of cloud resources. By tracking and monitoring your cloud resources, you can find opportunities for cost optimization, efficient allocation of resources, and increased governance.
Architecture Diagram
Step 1
Create an Amazon Simple Storage Service (Amazon S3) bucket that will hold the AWS resource configuration snapshots and history.
Step 2
Optionally, create an AWS Key Management Service (AWS KMS) key in the Security Tooling organizational unit (OU) account. This key will be used to encrypt the configuration history and snapshot files using server-side encryption with an AWS KMS customer managed key (SSE-KMS); its key policy must allow the AWS Config service principal (config.amazonaws.com) to call kms:GenerateDataKey and kms:Decrypt, or delivery will fail. If you do not use an AWS KMS key, AWS Config data is encrypted at rest with Amazon S3 managed keys (SSE-S3, AES-256).
Step 3
Deploy an AWS Config configuration recorder and delivery channel to all operating Regions (Regions that are not blocked by service control policies [SCPs]) in all member accounts. Configure the delivery channel to send resource configuration information to the S3 bucket in the Log Archive account for audit and retention purposes. Record global resource types (such as IAM) in only one Region per account so that they are not recorded, and billed, once per Region.
Step 4
Deploy an AWS Config configuration recorder and delivery channel to all available Regions in the Management account. Configure the delivery channel to send management account resource configuration information to the same S3 bucket in the Log Archive account.
Step 5
Delegate AWS Config administration to the Security Tooling OU account to allow for AWS Config administration outside of the management account.
Step 6
Deploy an AWS Config multi-account, multi-Region data aggregator in the Security Tooling OU account to aggregate account and Region data for the organization. This will provide visibility to organization resources and AWS Config configuration compliance.
Step 7
Deploy AWS Config rules to organization accounts to evaluate resource compliance. You can deploy rules as organization Config rules, as conformance packs, or through automation such as AWS CloudFormation StackSets.
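The artifacts that Steps 1 through 7 describe can be expressed as plain data before anything is deployed. The following is an added example, not code from this Guidance or its sample repository: it builds the Log Archive bucket policy (Step 1), the recorder and delivery channel settings for a member account (Steps 2 to 4), and the organization aggregator settings (Step 6) in exactly the dict shapes that boto3's s3.put_bucket_policy, config.put_configuration_recorder, config.put_delivery_channel and config.put_configuration_aggregator accept, and it includes a check for the mistake that matters most here: a bucket policy that lets the AWS Config service principal write without an AWS:SourceAccount (or AWS:SourceOrgID) condition, which would allow Config in any AWS account to deliver into your bucket. Bucket names, account IDs, role ARNs and the key ARN below are hypothetical placeholders.

```python
"""Build AWS Config deployment artifacts for an organization as plain dicts.

Added example for the steps above; account IDs, bucket and role names are
hypothetical. The dicts match the boto3 parameter shapes named in the
function docstrings, so they can be passed to those calls unchanged.
"""

CONFIG_SERVICE = "config.amazonaws.com"


def config_delivery_bucket_policy(bucket, source_accounts, prefix=None):
    """Bucket policy for the Log Archive bucket (s3.put_bucket_policy, Policy=json.dumps(...)).

    Every statement carries an AWS:SourceAccount condition so only AWS Config
    acting for *your* accounts can use the bucket; PutObject is further split
    per account so each account can only write under its own AWSLogs/<id>/Config/
    prefix, and bucket-owner-full-control keeps the Log Archive account in
    control of every delivered object.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    accounts = sorted(source_accounts)
    scoped = {"StringEquals": {"AWS:SourceAccount": accounts}}
    statements = [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:GetBucketAcl",
         "Resource": bucket_arn, "Condition": scoped},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
         "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:ListBucket",
         "Resource": bucket_arn, "Condition": scoped},
    ]
    for acct in accounts:
        statements.append({
            "Sid": f"AWSConfigBucketDelivery{acct}", "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/{key_prefix}AWSLogs/{acct}/Config/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                           "AWS:SourceAccount": acct}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_config_bucket_policy(policy):
    """Return Sids of Allow statements for config.amazonaws.com that lack a
    source-scoping condition (AWS:SourceAccount or AWS:SourceOrgID).
    Condition keys are matched case-insensitively, as IAM does."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or CONFIG_SERVICE not in services:
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourceaccount", "aws:sourceorgid"}:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def recorder_and_channel(role_arn, bucket, prefix=None, kms_key_arn=None, record_global=True):
    """Return (ConfigurationRecorder, DeliveryChannel) for
    config.put_configuration_recorder / config.put_delivery_channel.
    Set record_global=True in exactly one Region per account; global resource
    types (IAM and similar) would otherwise be recorded in every Region."""
    recorder = {
        "name": "default",
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": True,
                           "includeGlobalResourceTypes": record_global},
    }
    channel = {
        "name": "default",
        "s3BucketName": bucket,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"},
    }
    if prefix:
        channel["s3KeyPrefix"] = prefix
    if kms_key_arn:  # Step 2: SSE-KMS with the Security Tooling key, otherwise SSE-S3
        channel["s3KmsKeyArn"] = kms_key_arn
    return recorder, channel


def organization_aggregator(name, aggregator_role_arn):
    """Parameters for config.put_configuration_aggregator in the delegated
    Security Tooling account (Steps 5 and 6): every account, every Region."""
    return {
        "ConfigurationAggregatorName": name,
        "OrganizationAggregationSource": {"RoleArn": aggregator_role_arn,
                                         "AllAwsRegions": True},
    }
```

The bucket policy is applied once in the Log Archive account and regenerated whenever an account joins or leaves the organization; the recorder and channel are applied in every operating Region of every member account (Step 3) and the management account (Step 4), with record_global set to True in one Region only.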
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
Additional Considerations
Maintaining a healthy cloud environment starts with effective resource inventory management. Resource inventory management can enhance your disaster recovery preparedness and sustainability initiatives. Visibility into the location and configuration of resources helps you maintain an efficient and reliable cloud infrastructure for your business or projects.
Establishing resource inventory management contributes to a secure cloud environment by detecting unauthorized or non-compliant configurations, which allows for automated or manual responses to findings. Monitoring your resource inventory helps keep services configured and performing as intended, and the recorded configuration history supports access tracking and incident investigation. Proper resource management aids in cost optimization by identifying underutilized or unused resources, helping you get the most value out of your cloud investments. Additionally, maintaining a comprehensive inventory enables swift disaster recovery, resulting in minimal impact to business continuity during disruptions.
Implementation Resources
A detailed implementation guide is provided for experimenting with this Guidance in your own AWS account. It walks through each stage, including deployment, usage, and cleanup.
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
Related Content
- Stakeholders: Central IT (primary), Security, Operations, Finance
- Supporting Capabilities: Identity Management and Access Control, Tagging
- For additional information on this capability, read the whitepaper.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.