Enterprise Governance with AWS Aggregator and Conformance Packs

In my previous blog “Governance & Compliance Automation With AWS Config” we looked into the core concepts of AWS Config, how to set up compliance rules and automatically remediate them. In this write-up we will explore how AWS Config Aggregator can be used in an enterprise environment spanning all accounts and multiple regions.

Why Do You Need Enterprise Governance?

Every organisation wants to enable their teams to get new features out quickly to improve the digital customer experience. In large organisations there are typically inconsistent maturity levels between teams. Some teams might already use automated compliance validations, whereas other teams might not know how to manage it.

An organisation needs a safety net that prevents it from being exposed to data leaks and other vulnerabilities. AWS Aggregator helps you to get a consolidated compliance view across all your AWS accounts and regions.

How Does it Work?

The Config Aggregator collects configuration and compliance data from multiple accounts and regions for the following use cases:

• Multiple accounts and multiple regions
• Single account and multiple regions
• All accounts within an AWS Organizations

Aggregator provides a combined view in your aggregator account in your region of choice.

source: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

The aggregator account can be the master account as part of AWS Organizations or a different account. Using the master account is easier because you are automatically authorised to aggregate logs from all the accounts that are part of your AWS Organization. If you use a different account as the aggregator account, you need to list all the source accounts. Each source account will then receive an Authorization Request for every region. Each of those requests needs to be accepted. We will proceed with an Organization setup and therefore we don’t need to do that.

We need to enable recording across the Organization, set up an Aggregator in the aggregator account (i.e. master account) and deploy some compliance rules. There is a little bit more to it and we will explore that now.

Step By Step Instructions

These are the detailed steps that are required to get an aggregated view for all accounts and regions within an AWS Organization:

Create a S3 Bucket for Centralised Logging

We create a new S3 bucket in the aggregator account. This bucket will later be used by all source accounts to store the Config log files. Because we are going to use Conformance Packs later on, the name of the delivery S3 bucket must start with “awsconfigconforms”.

Enable Config Recorder And Define a Delivery Channel

This step is similar to the single account setup that I described in the previous blog post. The main difference here is that we need to deploy the Recorder and Delivery Channel as a StackSet to our Organization. We create a StackSet by deploying our CloudFormation template with the following command:

aws cloudformation create-stack-set --stack-set-name config-recorder-org --template-body file://enableConfig-in-org.yml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false

After the StackSet is created we need to create our AWS resources within all accounts and specified regions in our Organization with the following command:

aws cloudformation create-stack-instances --stack-set-name config-recorder-org --deployment-targets OrganizationalUnitIds="ou-enen-r6ziod3r" --regions "us-east-1" "us-east-2" "ap-southeast-2"  "us-west-1" "us-west-2"

There can only be one Recorder and one Delivery Channel in each account. If there are issues the following commands will help to find out more:

• aws configservice describe-configuration-recorders:
  This will give us the Recorder name if it already exists in our account and we can delete it with:
  aws configservice delete-configuration-recorder — configuration-recorder-name default
• aws configservice describe-delivery-channels:
  If we receive the name of a delivery channel as a response we can delete it with:
  aws configservice delete-delivery-channel — delivery-channel-name default

Replace the word “default” if the recorder or delivery channel has a different name.

Setup of an Aggregator

Before setting up the Aggregator we need to make sure that all features in our Organization are enabled. We define the Aggregator and the IAM role in a CloudFormation template:

Please note, there is a separate IAM service role for Config deployments to our Organization called AWSConfigRoleForOrganizations.

Since we only need one Aggregator we deploy the template as a CloudFormation Stack — not as a StackSet. Optionally we can send SNS notifications to a topic. If we do that then the SNS topic must have policies that grant access permissions to AWS Config.

Defining the S3 Bucket Policy

As a first step we created a S3 bucket in the aggregator account that can be used by the source accounts. We now need to setup the S3 bucket policy to make sure the source accounts can write to the bucket:

Please refer to the documentation for a complete S3 bucket policy example. Once we have setup the Aggregator and the bucket policy we can see which accounts are being monitored:

Deployment of Conformance Pack

Recently AWS released a new Config feature called Conformance Packs. They allow us to bundle Config Rules and deploy them across our Organization. Let’s have a look how this works: We can either write our own Conformance Packs in YAML format or we can use any of the pre-canned sample templates, for example:

• Control Tower Detective Guardrails
• Best Practices for PCI-DSS
• Best Practices for DynamoDB
• Best Practices for S3

In this example we will deploy the one for S3 best practices with the following command:

aws configservice put-organization-conformance-pack --organization-conformance-pack-name="S3ConformancePackOrg" --template-body="file://conformance-pack-s3-org.yml" --delivery-s3-bucket=awsconfigconforms-yourname

Once the conformance pack is deployed we can see the included rules under “Conformance Packs” in the Config console:”

Aggregated View

Now that all the rules are up and running we can get a consolidated view in the Aggregator. We can see an aggregated inventory and consolidated view of our compliance status and the top non-compliant rules:

The “Rules” view within the Aggregator gives us a per-rule view and helps us to identify resources that do not comply with the rule. We can filter the view by compliant/non-compliant, region and Account ID.

Summary

AWS Config Aggregator helps us to get a single pane governance & compliance view across the enterprise landscape. By using Conformance Packs we can manage groups of rules. Sending the rule evaluation outcomes from all source accounts to a central S3 bucket enables us to get consolidated log files. AWS Config is a really powerful service that helps us to govern the entire enterprise AWS landscape.