Modify Future Configuration and Links sections #215

Open
wants to merge 6 commits into
base: master
67 changes: 65 additions & 2 deletions aws/documentation/organizations/security/config.md
Expand Up @@ -59,13 +59,76 @@ module.config.data.template_file.splunk_configrules
We will centralize the AWS Config setup to send all Config events to the organization's logging account (see [main](README.md)).
This involves:

* delegation from the org management account to the logging account of the config service
* other things
* Delegation from the org management account to the security account of the config service (each organization sectools account i.e. ent-ew-sectools : 282958839025)
* Deploying organization managed AWS Config Rules and configurations in the configuration of to the delegated AWS Config Adminstrative Account (also to be the sectools account in the associated organization). These rules will be inherited by all member accounts in the organization
* AWS Config Aggregator will be deployed to the sectools account and will aggregate AWS Config data from all member accounts in the organization.
- *Config Data will be accessible in the individual accounts as well in the aggregated account view*

``` script
# Proposed Resources
## Infrastructure
aws_config_configuration_aggregator.organization - "inf-Config-Organizations-Aggregator"
aws_config_configuration_recorder.inf_config_recorder
aws_config_delivery_channel.inf_config_tools
aws_config_configuration_recorder_status.inf_config_tools

#IAM
aws_iam_role.config_role

##Configuration Recorder
aws_iam_role_policy_attachment.read_only_policy_attach
aws_iam_role_policy_attachment.config_policy_attach

##Config Org
aws_iam_policy.config_org_policy
aws_iam_role_policy_attachmen.config_org_policy_attach

##S3
aws_s3_bucket_policy.config_s3_iam_policy

#S3 Bucket
aws_s3_bucket.config_ois_tools


## Organization Managed Rules
aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS]
aws_config_organization_managed_rule - [CLOUDTRAIL_ENABLED]
aws_config_organization_managed_rule - [CLOUDTRAIL_S3_DATAEVENTS_ENABLED]
aws_config_organization_managed_rule - [CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED]
aws_config_organization_managed_rule - [IAM_ROOT_ACCESS_KEY_CHECK]
aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_READ_PROHIBITED]
aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_WRITE_PROHIBITED]
aws_config_organization_managed_rule - [S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS]
aws_config_organization_managed_rule - [S3_BUCKET_LOGGING_ENABLED]
aws_config_organization_managed_rule - [INCOMING_SSH_DISABLED]
aws_config_organization_managed_rule - [VPC_DEFAULT_SECURITY_GROUP_CLOSED]
```

# Considerations
* Need to remove configuration recorders and Config Delivery Channels in each account and each region as they will no longer be leveraged in this configuration
* Should only include Global Config resource types in one region per organizational structure, this will pull in a vast amount of data and should not be included across all regions (will incur large data costs unnecessarily)
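Review bot: The first Considerations bullet says configuration recorders and delivery channels should be removed from each account and region because they "will no longer be leveraged", but the rest of this region depends on them: organization managed rules are evaluated by the recorder running in each member account, the organization aggregator only collects data that member accounts have already recorded, and the italic note promises that "Config Data will be accessible in the individual accounts as well". Suggest rewording the bullet to name what actually becomes redundant (per-account aggregators or per-account copies of the rule definitions) or stating explicitly that recorders and delivery channels stay enabled. Two smaller points in the same region: the intro still says Config events go to "the organization's logging account" while the bullets below delegate Config and place the aggregator in the security/sectools account, so one of the two should be updated; and in the Proposed Resources block `aws_iam_role_policy_attachmen.config_org_policy_attach` is missing the trailing `t` of `aws_iam_role_policy_attachment`, "Adminstrative" should be "Administrative", and "in the configuration of to the delegated" has a stray word.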
Comment on lines +108 to +109
What will this mean for each account/region? Look over the config module used as part of the baseline ("git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//config?ref=tf-upgrade").

Does this mean we will not be able to look at Config on a per-account basis?


``` script
- include_global_resource_types = true
```


# Links
* [AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/)

* [Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/)

* [aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html)

* [multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master · aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf)

* [terraform-modules/aws-inf-setup: AWS Infrastructure Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup)


# CHANGELOG

* 1.0.0 -- 2023-09-21
- initial
* 1.0.1 -- 2023-10-10
- Addressing reviewer comments
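Review bot: The fenced block above the Links section shows only `- include_global_resource_types = true`, with no sentence saying which file the line comes from or whether the leading `-` means "remove this". Since the preceding Considerations bullet says global resource types should be recorded in one region only, suggest a lead-in such as "Remove this setting from the baseline config module in every region except the designated one" and naming the module (the reviewer comment above references the `aws-inf-setup//config` module). Also, `script` on both fences is unlikely to be recognized as a language by the renderer; `hcl` for the setting and `text` for the resource list would be more accurate. The 1.0.1 CHANGELOG entry "Addressing reviewer comments" would be more useful if it listed what changed (the move of the delegated admin to the sectools account, the added Considerations and Links).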