diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index ab758ef4..aabebe3e 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -59,13 +59,76 @@ module.config.data.template_file.splunk_configrules We will centralize the AWS Config setup to send all Config events to the organization's logging account (see [main](README.md)). This involves: -* delegation from the org management account to the logging account of the config service -* other things +* Delegation from the org management account to the security account of the config service (each organization sectools account i.e. ent-ew-sectools : 282958839025) +* Deploying organization managed AWS Config Rules and configurations in the configuration of to the delegated AWS Config Adminstrative Account (also to be the sectools account in the associated organization). These rules will be inherited by all member accounts in the organization +* AWS Config Aggregator will be deployed to the sectools account and will aggregate AWS Config data from all member accounts in the organization. + - *Config Data will be accessible in the individual accounts as well in the aggregated account view* + +``` script +# Proposed Resources +## Infrastructure +aws_config_configuration_aggregator.organization - "inf-Config-Organizations-Aggregator" +aws_config_configuration_recorder.inf_config_recorder +aws_config_delivery_channel.inf_config_tools +aws_config_configuration_recorder_status.inf_config_tools + +#IAM +aws_iam_role.config_role + +##Configuration Recorder +aws_iam_role_policy_attachment.read_only_policy_attach +aws_iam_role_policy_attachment.config_policy_attach + +##Config Org +aws_iam_policy.config_org_policy +aws_iam_role_policy_attachmen.config_org_policy_attach + +##S3 +aws_s3_bucket_policy.config_s3_iam_policy + +#S3 Bucket +aws_s3_bucket.config_ois_tools + + +## Organization Managed Rules +aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS] +aws_config_organization_managed_rule - [CLOUDTRAIL_ENABLED] +aws_config_organization_managed_rule - [CLOUDTRAIL_S3_DATAEVENTS_ENABLED] +aws_config_organization_managed_rule - 
[CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED] +aws_config_organization_managed_rule - [IAM_ROOT_ACCESS_KEY_CHECK] +aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_READ_PROHIBITED] +aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_WRITE_PROHIBITED] +aws_config_organization_managed_rule - [S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS] +aws_config_organization_managed_rule - [S3_BUCKET_LOGGING_ENABLED] +aws_config_organization_managed_rule - [INCOMING_SSH_DISABLED] +aws_config_organization_managed_rule - [VPC_DEFAULT_SECURITY_GROUP_CLOSED] +``` + +# Considerations +* Need to remove configuration recorders and Config Delivery Channels in each account and each region as they will no longer be leveraged in this configuration +* Should only include Global Config resource types in one region per organizational structure, this will pull in a vast amount of data and should not be included across all regions (will incur large data costs unnecessarily) + +``` script +- include_global_resource_types = true +``` + # Links +* [AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/) + +* [Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/) + +* [aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html) + +* [multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master ยท aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf) + +* [terraform-modules/aws-inf-setup: AWS 
Infrastructure Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup) + # CHANGELOG * 1.0.0 -- 2023-09-21 - initial +* 1.0.1 -- 2023-10-10 + - Addressing reviewer comments
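Review bot: the first bullet under "# Considerations" ("Need to remove configuration recorders and Config Delivery Channels in each account and each region as they will no longer be leveraged") contradicts the design described in the same hunk, where the aggregator "will aggregate AWS Config data from all member accounts" and "Config Data will be accessible in the individual accounts as well". An aggregator and organization managed rules only have data to work with if recording is enabled in each member account, so removing the member recorders and delivery channels would leave the organization rules with nothing to evaluate and empty the aggregated view; please reword this to say that member recording stays enabled (or is driven by the inf module) and that only duplicate recorders created outside this setup are removed. Same hunk, the intro context still says events go "to the organization's logging account" while the new bullets delegate Config to the "security account"/"sectools account" (ent-ew-sectools : 282958839025); pick one term and fix the README reference to match. Smaller items: "Adminstrative" and the garbled phrase "in the configuration of to the delegated" in the second bullet; `aws_iam_role_policy_attachmen.config_org_policy_attach` is missing the trailing "t" and will not match a real resource address; `aws_s3_bucket.config_ois_tools` breaks the `inf_config_*` naming used by the neighbouring resources; the `- include_global_resource_types = true` snippet reads as a removal marker inside a fence tagged `script`, so either drop the leading `-` and show the per-region recorder attribute it belongs to (the resource list only shows a single `aws_config_configuration_recorder`, so it is not clear how "one region per organizational structure" is achieved), or fence it as `hcl`; and the aws-samples link text carries the mojibake "ยท" where the repository separator should be.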