Modify Future Configuration and Links sections

aws/documentation/organizations/security/config.md

@@ -59,10 +59,70 @@ module.config.data.template_file.splunk_configrules
 We will centralize the AWS Config setup to send all Config events to the organization's logging account (see [main](README.md)).
 This involves:
 
-* delegation from the org management account to the logging account of the config service
-* other things
+* Delegation from the org management account to the logging account of the config service (each organization sectools account i.e. ent-ew-sectools : 282958839025)
+* Deploying organization  managed AWS Config Rules and configurations in the configuration of to the delegated AWS Config Adminstrative Account (also to be the sectools account in the associated organization). These rules will be inherited by all member accounts in the organization
+* AWS Config Aggregator will be deployed to the sectools account and will aggregate AWS Config data from all member accounts in the organization
+
+``` script
+# Proposed Resources 
+## Infrastructure
+aws_config_configuration_aggregator.organization - "OIS-Config-Organizations-Aggregator"
+aws_config_configuration_recorder.ois_config_recorder
+aws_config_delivery_channel.config_ois_tools
+aws_config_configuration_recorder_status.config_ois_tools
+
+#IAM
+aws_iam_role.config_role
+
+##Configuration Recorder
+aws_iam_role_policy_attachment.read_only_policy_attach
+aws_iam_role_policy_attachment.config_policy_attach
+
+##Config Org
+aws_iam_policy.config_org_policy
+aws_iam_role_policy_attachmen.config_org_policy_attach
+
+##S3
+aws_s3_bucket_policy.config_s3_iam_policy
+
+#S3 Bucket
+aws_s3_bucket.config_ois_tools
+
+
+## Organization Managed Rules
+aws_config_organization_managed_rule - [ACCOUNT_PART_OF_ORGANIZATIONS]
+aws_config_organization_managed_rule - [CLOUDTRAIL_ENABLED]
+aws_config_organization_managed_rule - [CLOUDTRAIL_S3_DATAEVENTS_ENABLED]
+aws_config_organization_managed_rule - [CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED]
+aws_config_organization_managed_rule - [IAM_ROOT_ACCESS_KEY_CHECK]
+aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_READ_PROHIBITED]
+aws_config_organization_managed_rule - [S3_BUCKET_PUBLIC_WRITE_PROHIBITED]
+aws_config_organization_managed_rule - [S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS]
+aws_config_organization_managed_rule - [S3_BUCKET_LOGGING_ENABLED]
+aws_config_organization_managed_rule - [INCOMING_SSH_DISABLED]
+aws_config_organization_managed_rule - [VPC_DEFAULT_SECURITY_GROUP_CLOSED]
+```
+
+# Considerations
+* Need to remove configuration recorders and Config Delivery Channels in each account and each region as they will no longer be leveraged in this configuration
+* Should only include Global Config resource types in one region per organizational structure, this will pull in a vast amount of data and should not be included across all regions (will incur large data costs unnecessarily)
+
+``` script 
+-  include_global_resource_types = true
+```
+
 
 # Links
+[AWS Organizations, AWS Config, and Terraform | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/aws-organizations-aws-config-and-terraform/)
+
+[Moving from a single account AWS Config deployment to an Organization wide deployment | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/moving-from-a-single-account-aws-config-deployment-to-an-organization-wide-deployment/)
+
+[aws_config_organization_managed_rule | Resources | hashicorp/aws | Terraform | Terraform Registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_organization_managed_rule.html)
+
+[multi-region-org-config-rules-terraform/administrator_account/config/config.tf at master · aws-samples/multi-region-org-config-rules-terraform](https://github.com/aws-samples/multi-region-org-config-rules-terraform/blob/master/administrator_account/config/config.tf)
+
+[terraform-modules/aws-inf-setup: AWS Infrastructure Setup](https://github.e.it.census.gov/terraform-modules/aws-inf-setup)
+
 
 # CHANGELOG