Enterprise Governance with AWS Aggregator and Conformance Packs

Why Do You Need Enterprise Governance?

Every organisation wants to enable their teams to get new features out quickly to improve the digital customer experience. In large organisations there are typically inconsistent maturity levels between teams. Some teams might already use automated compliance validations, whereas other teams might not know how to manage it.

How Does it Work?

The Config Aggregator collects configuration and compliance data from multiple accounts and regions for the following use cases:

  • Multiple accounts and multiple regions
  • Single account and multiple regions
  • All accounts within an AWS Organizations
source: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
source: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

Step By Step Instructions

These are the detailed steps that are required to get an aggregated view for all accounts and regions within an AWS Organization:

aws cloudformation create-stack-set --stack-set-name config-recorder-org --template-body file://enableConfig-in-org.yml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false
aws cloudformation create-stack-instances --stack-set-name config-recorder-org --deployment-targets OrganizationalUnitIds="ou-enen-r6ziod3r" --regions "us-east-1" "us-east-2" "ap-southeast-2"  "us-west-1" "us-west-2"
  • aws configservice describe-configuration-recorders:
    This will give us the Recorder name if it already exists in our account and we can delete it with:
    aws configservice delete-configuration-recorder — configuration-recorder-name default
  • aws configservice describe-delivery-channels:
    If we receive the name of a delivery channel as a response we can delete it with:
    aws configservice delete-delivery-channel — delivery-channel-name default
  • Control Tower Detective Guardrails
  • Best Practices for PCI-DSS
  • Best Practices for DynamoDB
  • Best Practices for S3
aws configservice put-organization-conformance-pack --organization-conformance-pack-name="S3ConformancePackOrg" --template-body="file://conformance-pack-s3-org.yml" --delivery-s3-bucket=awsconfigconforms-yourname


AWS Config Aggregator helps us to get a single pane governance & compliance view across the enterprise landscape. By using Conformance Packs we can manage groups of rules. Sending the rule evaluation outcomes from all source accounts to a central S3 bucket enables us to get consolidated log files. AWS Config is a really powerful service that helps us to govern the entire enterprise AWS landscape.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Gerald Bachlmayr

Gerald Bachlmayr

Principal Cloud Architect at Cuscal Payments