From fca34290f288e91e9c483a4b300f62cdfe6dc75c Mon Sep 17 00:00:00 2001 From: Kyle Marcel Martin Date: Thu, 21 Sep 2023 10:57:37 -0400 Subject: [PATCH 1/6] Modify Future Configuration and Links sections --- .../organizations/security/config.md | 35 +++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index ab758ef4..89c71fdd 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -59,10 +59,41 @@ module.config.data.template_file.splunk_configrules We will centralize the AWS Config setup to send all Config events to the organization's logging account (see [main](README.md)). This involves: -* delegation from the org management account to the logging account of the config service -* other things +* Delegation from the org management account to the logging account of the config service (each organization sectools account i.e. ent-ew-sectools : 282958839025) +* Deploying organization managed AWS Config Rules and configurations in the configuration of to the delegated AWS Config Adminstrative Account (also to be the sectools account in the associated organization). These rules will be inherited by all member accounts in the organization +* AWS Config Aggregator will be deployed to the sectools account and will aggregate AWS Config data from all member accounts in the organization + +``` script +# Proposed Resources +aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS] +aws_config_organization_managed_rule - [CLOUDTRAIL_ENABLED] +aws_config_organization_managed_rule - [CLOUDTRAIL_S3_DATAEVENTS_ENABLED] +aws_config_organization_managed_rule - [CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED] +aws_config_organization_managed_rule - [IAM_ROOT_ACCESS_KEY_CHECK] +aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_READ_PROHIBITED] +aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_WRITE_PROHIBITED] +aws_config_organization_managed_rule - [S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS] +aws_config_organization_managed_rule - [S3_BUCKET_LOGGING_ENABLED] +aws_config_organization_managed_rule - [INCOMING_SSH_DISABLED] +aws_config_organization_managed_rule - [VPC_DEFAULT_SECURITY_GROUP_CLOSED] +``` + +# Considerations +* Need to remove configuration recorders and Config Delivery Channels in each account and each region as they will no longer be leveraged in this configuration +* Should only include Global Config resource types in one 
region per organizational structure, this will pull in a vast amount of data and should not be included across all regions (will incur large data costs unnecessarily) + +``` script +- include_global_resource_types = true +``` + # Links +[AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/) +[Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/) +[aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html) +[multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master · aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf) +[terraform-modules/aws-inf-setup: AWS Infrastructure Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup) + # CHANGELOG From f100ec61518b573259c09a5ac14915040eef01b1 Mon Sep 17 00:00:00 2001 From: Kyle Marcel Martin Date: Mon, 2 Oct 2023 08:51:42 -0400 Subject: [PATCH 2/6] Update config.md --- aws/documentation/organizations/security/config.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index 89c71fdd..b563f141 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -65,6 +65,13 @@ This involves: ``` script # Proposed Resources +## Infrastructure +aws_config_configuration_aggregator - "OIS-Config-Organizations-Aggregator" +aws_config_configuration_recorder +aws_config_delivery_channel +aws_config_configuration_recorder_status + +## Organization Managed Rules aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS] aws_config_organization_managed_rule - [CLOUDTRAIL_ENABLED] aws_config_organization_managed_rule - [CLOUDTRAIL_S3_DATAEVENTS_ENABLED] From fe64477b1adf68f15fa0e119854349566dd85d29 Mon Sep 17 00:00:00 2001 From: Kyle Marcel Martin Date: Mon, 2 Oct 2023 08:52:34 -0400 Subject: [PATCH 3/6] Update config.md --- aws/documentation/organizations/security/config.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index b563f141..8646742f 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -96,9 +96,13 @@ aws_config_organization_managed_rule - [VPC_DEFAULT_SECURITY_GROUP_CLOSED] # Links [AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/) + [Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/) + [aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html) + [multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master · aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf) + [terraform-modules/aws-inf-setup: AWS Infrastructure Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup) From cdc2c883be46899cff9f01802666862f75dcf2a5 Mon Sep 17 00:00:00 2001 From: Kyle Marcel Martin Date: Tue, 3 Oct 2023 10:53:18 -0400 Subject: [PATCH 4/6] Update config.md --- aws/documentation/organizations/security/config.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index 8646742f..f6a0c87e 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -71,6 +71,10 @@ aws_config_configuration_recorder aws_config_delivery_channel aws_config_configuration_recorder_status +#S3 +resource "aws_s3_bucket" "config_ois_tools" { + bucket = "ois-inf-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" + ## Organization Managed Rules aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS] aws_config_organization_managed_rule - [CLOUDTRAIL_ENABLED] From 9cb8684bca4ceb12ffa5aea797a7045ea5e7d008 Mon Sep 17 00:00:00 2001 From: Kyle Marcel Martin Date: Tue, 10 Oct 2023 08:59:21 -0400 Subject: [PATCH 5/6] Update config.md --- .../organizations/security/config.md | 30 ++++++++++++++----- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index f6a0c87e..30b2d0d4 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -66,14 +66,28 @@ This involves: ``` script # Proposed Resources ## Infrastructure -aws_config_configuration_aggregator - "OIS-Config-Organizations-Aggregator" -aws_config_configuration_recorder -aws_config_delivery_channel -aws_config_configuration_recorder_status - -#S3 -resource "aws_s3_bucket" "config_ois_tools" { - bucket = "ois-inf-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" +aws_config_configuration_aggregator.organization - "OIS-Config-Organizations-Aggregator" +aws_config_configuration_recorder.ois_config_recorder +aws_config_delivery_channel.config_ois_tools +aws_config_configuration_recorder_status.config_ois_tools + +#IAM +aws_iam_role.config_role + +##Configuration Recorder +aws_iam_role_policy_attachment.read_only_policy_attach +aws_iam_role_policy_attachment.config_policy_attach + +##Config Org +aws_iam_policy.config_org_policy +aws_iam_role_policy_attachmen.config_org_policy_attach + +##S3 +aws_s3_bucket_policy.config_s3_iam_policy + +#S3 Bucket +aws_s3_bucket.config_ois_tools + ## Organization Managed Rules aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS] From 8880bd552c310fc571fbc714dfc9dc56b8c7ba31 Mon Sep 17 00:00:00 2001 From: Kyle Marcel Martin Date: Tue, 10 Oct 2023 10:42:43 -0400 Subject: [PATCH 6/6] Update to address comments. --- .../organizations/security/config.md | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/aws/documentation/organizations/security/config.md b/aws/documentation/organizations/security/config.md index 30b2d0d4..aabebe3e 100644 --- a/aws/documentation/organizations/security/config.md +++ b/aws/documentation/organizations/security/config.md 
@@ -59,17 +59,18 @@ module.config.data.template_file.splunk_configrules We will centralize the AWS Config setup to send all Config events to the organization's logging account (see [main](README.md)). This involves: -* Delegation from the org management account to the logging account of the config service (each organization sectools account i.e. ent-ew-sectools : 282958839025) +* Delegation from the org management account to the security account of the config service (each organization sectools account i.e. ent-ew-sectools : 282958839025) * Deploying organization managed AWS Config Rules and configurations in the configuration of to the delegated AWS Config Adminstrative Account (also to be the sectools account in the associated organization). These rules will be inherited by all member accounts in the organization -* AWS Config Aggregator will be deployed to the sectools account and will aggregate AWS Config data from all member accounts in the organization +* AWS Config Aggregator will be deployed to the sectools account and will aggregate AWS Config data from all member accounts in the organization. + - *Config Data will be accessible in the individual accounts as well in the aggregated account view* ``` script # Proposed Resources ## Infrastructure -aws_config_configuration_aggregator.organization - "OIS-Config-Organizations-Aggregator" -aws_config_configuration_recorder.ois_config_recorder -aws_config_delivery_channel.config_ois_tools -aws_config_configuration_recorder_status.config_ois_tools +aws_config_configuration_aggregator.organization - "inf-Config-Organizations-Aggregator" +aws_config_configuration_recorder.inf_config_recorder +aws_config_delivery_channel.inf_config_tools +aws_config_configuration_recorder_status.inf_config_tools #IAM aws_iam_role.config_role 
@@ -113,19 +114,21 @@ aws_config_organization_managed_rule - [VPC_DEFAULT_SECURITY_GROUP_CLOSED] # Links -[AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/) +* [AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/) -[Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/) +* [Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/) -[aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html) +* [aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html) -[multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master · aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf) +* [multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master · aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf) -[terraform-modules/aws-inf-setup: AWS Infrastructure 
Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup) +* [terraform-modules/aws-inf-setup: AWS Infrastructure Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup) # CHANGELOG * 1.0.0 -- 2023-09-21 - initial +* 1.0.1 -- 2023-10-10 + - Addressing reviewer comments
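Review bot: in PATCH 1/6 (hunk @@ -59,10 +59,41 @@) the Considerations bullet that removes configuration recorders and delivery channels "in each account and each region" conflicts with the bullet above it that has organization managed rules "inherited by all member accounts": organization rules only evaluate resources in member accounts where AWS Config is actually recording, and a recorder cannot run without a delivery channel, so both must stay in every member account and region; what can be centralized is the S3 bucket they deliver to, the rule definitions and the aggregator. Three smaller points in the same hunk: `Adminstrative` should be `Administrative`, the phrase `configurations in the configuration of to the delegated` needs rewording, and the `- include_global_resource_types = true` snippet should name the one region that keeps it enabled instead of leaving the leading `-` ambiguous between a bullet and a removed line.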
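Review bot: in PATCH 2/6 (hunk @@ -65,6 +65,13 @@) the new `## Infrastructure` and `## Organization Managed Rules` lines sit inside the ``` script fence opened at `# Proposed Resources`, so they render as literal text rather than headings; either close the fence and use real headings or keep them as comments consistently. The hunk also lists `aws_config_configuration_recorder` and `aws_config_delivery_channel` a few lines after the Considerations section says recorders and delivery channels are removed from each account; state explicitly that these are the delegated administrator (sectools) account's own recorder and channel so the two statements do not read as a contradiction.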
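Review bot: in PATCH 4/6 (hunk @@ -71,6 +71,10 @@) the added `resource "aws_s3_bucket" "config_ois_tools" {` block is never closed (no `}`), and it drops raw HCL into what is otherwise a plain list of resource addresses inside the ``` script fence. Either list it like its neighbours (`aws_s3_bucket.config_ois_tools`, which is what PATCH 5/6 later does) or move the HCL into its own fenced block with the closing brace; the `#S3` marker also does not match the `## Infrastructure` heading style used a few lines above.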
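Review bot: in PATCH 5/6 (hunk @@ -66,14 +66,28 @@) the resource address `aws_iam_role_policy_attachmen.config_org_policy_attach` is missing the trailing `t` of `aws_iam_role_policy_attachment`, so it names a resource type that does not exist. Two smaller points: `#IAM`, `##Configuration Recorder`, `##Config Org` and `##S3` have no space after the hashes while `## Infrastructure` does, and the pairing of `read_only_policy_attach` with `config_policy_attach` on `aws_iam_role.config_role` should say which policies those are; if the read-only one is a general read-only policy, it is broader than the Config-specific managed policy the recorder role needs, and documenting that choice (or dropping it) keeps the role at least privilege.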
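Review bot: in PATCH 6/6 (first hunk, @@ -59,17 +59,18 @@) the first bullet now delegates Config to the `security account`, but the unchanged intro line just above still says Config events are sent to `the organization's logging account`; one of the two needs to change so the document names a single target. The hunk also leaves `Adminstrative` and `configurations in the configuration of to the delegated` untouched in the context lines, which is the natural place to fix them while the neighbouring bullets are being rewritten, and the new sub-bullet `- *Config Data will be accessible ...*` is indented under a `*` item, so check that it renders as a nested list item rather than a literal dash.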
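Review bot: in PATCH 6/6 (second hunk, @@ -113,19 +114,21 @@) the new CHANGELOG entry `* 1.0.1 -- 2023-10-10` / `- Addressing reviewer comments` does not say what changed, while this patch series shows concrete changes (resource prefix `OIS` renamed to `inf`, delegation target changed from logging to security account, links turned into a bulleted list); listing those lets a reader of the doc see the rename without consulting git history. The entry also uses a different layout from the `* 1.0.0 -- 2023-09-21 - initial` line above it (description on a sub-line versus inline); pick one form for both.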