Consolidating Config Guardrails with Aggregators

October 22nd, 2018

In Quick and Dirty: Building an S3 guardrail with Config we highlighted one of the big problems with Config: you need to set it up in each region of each account. Your best bet to make that manageable is to use infrastructure as code tools like CloudFormation to replicate your settings across environments. We have a lot more to say on scaling out baseline security and operations settings, but for this post I want to highlight how to aggregate Config into a unified dashboard.

Earlier this year AWS came out with Config Aggregators. This allows you to centralize Config data and rules into a single view. You still need to configure Config separately in each account and region, but aggregators can provide a unified view of your resources and rule compliance. If you haven’t worked much with Config remember that it is a change management tool, tracking configuration state over time, and Rules is merely one feature to find compliant and non-compliant resources. With an aggregator you also get to view the full configuration state of the monitored resources over time.

Set up your first aggregator

Setting up an aggregator is easy. First, pick which account and region you want to use as your dashboard. You probably don’t want to set up your enterprise-wide aggregator in a developer’s playground account.

Then it's as simple as going to Config -> Aggregated view -> Add aggregator:

You have two options:

  • Add individual account IDs to add accounts one by one.
  • Add my organization to add all accounts in your organization.

For each, you need to understand the next steps to make it work. Ideally you enable this for your entire organization and all regions (and check the box to add future regions).

  • For individually added accounts, you need to log into Config in each of those accounts and authorize the connection (the aggregator account and region appear there as a pending authorization request). Here's an AWS-provided screenshot of what that looks like:
  • For aggregation to work across an Organization, you need to turn on all features in AWS Organizations and ensure you authorize (and create, if needed) the new IAM role that Config uses to manage the data aggregation:

Assuming everything works, this will replicate all your Config data from the other accounts and regions into a single dashboard view. The local accounts still need to have Config configured and will still have access to their own data, but this does allow you to keep an eye on everything centrally.

Practically speaking, if you have more than a handful of accounts you should implement this with automation. Either infrastructure as code or programmatic automation (like our Ops) can wire all of this together over the API. Even if you use automation tools like ours, we still recommend Config for its change management capabilities, but you may or may not want to aggregate everything depending on how you manage your environment operationally.
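As an added example (not code from the post or from any AWS or D-OPS product), here is how both patterns above wire together over the Config API with boto3: the aggregator-side call for an organization or for an explicit list of accounts, and the source-side authorization that each individually added account must grant. The account IDs, region and role ARN are constructed placeholders; the role is assumed to already trust config.amazonaws.com and carry the AWSConfigRoleForOrganizations managed policy.

```python
"""Wire up an AWS Config aggregator over the API (added example, boto3)."""
from typing import Iterable, Optional

# Constructed placeholder values; replace with your dashboard account details.
AGGREGATOR_ACCOUNT = "111111111111"
AGGREGATOR_REGION = "us-east-1"
ORG_ROLE_ARN = "arn:aws:iam::111111111111:role/AWSConfigRoleForOrganizations"


def org_aggregator_params(name: str, role_arn: str = ORG_ROLE_ARN) -> dict:
    """Parameters for an organization-wide aggregator. AllAwsRegions=True
    also covers regions AWS adds later (the 'future regions' checkbox)."""
    return {
        "ConfigurationAggregatorName": name,
        "OrganizationAggregationSource": {"RoleArn": role_arn, "AllAwsRegions": True},
    }


def account_aggregator_params(name: str, account_ids: Iterable[str],
                              regions: Optional[Iterable[str]] = None) -> dict:
    """Parameters for an aggregator over explicit account IDs. The API takes
    either an explicit region list or AllAwsRegions, never both."""
    source = {"AccountIds": sorted(set(account_ids))}
    if regions:
        source["AwsRegions"] = list(regions)
    else:
        source["AllAwsRegions"] = True
    return {"ConfigurationAggregatorName": name, "AccountAggregationSources": [source]}


def create_aggregator(config_client, params: dict) -> str:
    """Run with credentials for the dashboard account; returns the aggregator ARN."""
    resp = config_client.put_configuration_aggregator(**params)
    return resp["ConfigurationAggregator"]["ConfigurationAggregatorArn"]


def authorize_from_source(config_client, aggregator_account: str = AGGREGATOR_ACCOUNT,
                          aggregator_region: str = AGGREGATOR_REGION) -> str:
    """Run with credentials for a *source* account: this is the 'authorize the
    connection' step for individually added accounts. Organization-sourced
    aggregators do not need it; the IAM role covers them."""
    resp = config_client.put_aggregation_authorization(
        AuthorizedAccountId=aggregator_account, AuthorizedAwsRegion=aggregator_region)
    return resp["AggregationAuthorization"]["AggregationAuthorizationArn"]


if __name__ == "__main__":
    import boto3  # imported here so the module loads without AWS credentials
    client = boto3.client("config", region_name=AGGREGATOR_REGION)
    print(create_aggregator(client, org_aggregator_params("enterprise-dashboard")))
```

Source-account authorizations are per aggregator account and region, so if you ever move the dashboard you must re-run the authorization step everywhere.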

Config aggregation is a great enhancement and relatively simple to set up — the trick is to pick your strategy and ensure all your IAM is set up properly, and then remember to authorize each request on both sides. If you are worried about wiring in your entire organization, keep in mind this only pulls data when Config itself is set up in each account. We’d like to give you definitive strategic advice but this one really does depend a lot on how you use (or plan to use) Config and either pattern is completely viable.

About the Author:

With twenty years of experience in information security, physical security, and risk management, Rich is one of the foremost experts on cloud security, having driven development of the Cloud Security Alliance’s V4 Guidance and the associated CCSK training curriculum. In addition to his role at D-OPS, Rich currently serves as Analyst & CEO of Securosis.