Repository files navigation

NOTE: This repo contains only the documentation for the private BoltsOps Pro repo code.Original file:https://github.com/boltopspro/enable-aws-config/blob/master/README.mdThe docs are publish so they are available for interested customers.For access to the source code, you must be a paying BoltOps Pro subscriber.If are interested, you can contact us atcontact@boltops.com orhttps://www.boltops.com

This blueprint can be used to enable AWS Config in a single region or multiple regions. The same infrastructure code is used in both cases. This template is useful for compliance requirements.

AWS also provides a CloudFormation StackSet example template that enables AWS Config in every region. That template creates an S3 Bucket in every region. This can be a little messy if you're only enabling AWS Config for compliance reasons and don't really use the other AWS regions. It can be preferable to only have one s3 bucket in a single region to store AWS Config results. This blueprint provides the flexibility to either use an existing S3 Bucket or create new S3 Buckets in multiple regions.

• The blueprint can be deployed a single CloudFormation stack.
• Or can be deployed via Stack Sets to multiple regions and multiple accounts.

Related Blueprints:

• boltopspro/aws-config-aggregator
• boltopspro/aws-config-bucket
• boltopspro/enable-aws-cloudtrail
• boltopspro/enable-aws-config
• boltopspro/enable-aws-guardduty

1. Add blueprint to Gemfile
2. Configure: configs/enable-aws-config values
3. Deploy

Add the blueprint to your lono project'sGemfile.

gem"enable-aws-config",git:"git@github.com:boltopspro/enable-aws-config.git"

First you want to configure theconfigs/enable-aws-configconfig files. You can uselono seed to configure starter values quickly.

LONO_ENV=development lono seed enable-aws-config

For additional environments:

LONO_ENV=production  lono seed enable-aws-config

The generated files inconfig/enable-aws-config folder look something like this:

configs/enable-aws-config/├── params│   ├── development.txt│   └── production.txt└── variables    ├── development.rb    └── production.rb

With this blueprint, you can enable AWS Config on an individual account and region basis like with thelono cfn deploy command. Example:

LONO_ENV=development lono cfn deploy enable-aws-config --sureLONO_ENV=production  lono cfn deploy enable-aws-config --sure

However, it is common to use StackSets to enable AWS Config in multiple regions and accounts.

To deploy the stack to multiple accounts, we can uselono sets, which is essentially CloudFormation Stack Sets.

If you want to use a single s3 bucket to be shared, instead of lots of regions, first deploy theboltopspro/aws-config-bucket blueprint to create a S3 Bucket that will be shared.

lono cfn deploy aws-config-bucket

You can use that bucket to configure theBucketName param:

configs/enable-aws-config/development.txt

# Parameter Group: S3 BucketBucketName=<%= stack_output("aws-config-bucket.ConfigBucket") %> # using lookup_output helper, but can also just use the bucket name

Configure theconfigs/accounts andconfigs/regions files (with your own values):

configs/accounts/development.txt

111111111111222222222222

configs/regions/development.txt

us-east-1us-west-2

Then you can deploy the template to multiple accounts and regions.

lono sets deploy enable-aws-config --sure # only creates the StackSetlono sets instances sync enable-aws-config --sure # deploys StackSet instances - actual stacks

Deploying Stack Sets take a while as CloudFormation loops through each region one at a time. Note, using the "operation preferences" to increase the parallelism usually results in CloudFormation Rate Limit Errors and it failing. So, it is recommended running StackSets one stack at a time. Generally, StackSets are a nice feature and are helpful, but they can take a long time. Recommend using them only for simple templates.

The output looks something like this:

$ lono sets instances sync enable-aws-config --sure=> Running create_stack_instances on:  accounts: 111111111111,222222222222  regions: us-east-1,us-west-2Stack Instance statuses... (takes a while)You can check on the StackSetsole Operations Tab for the operation status.Here is also the cli command to check:    aws cloudformation describe-stack-set-operation --stack-set-name enable-aws-guardduty --operation-id 92089e7a-e9f5-49c2-bef1-0ad883cdd4c12020-03-29 11:18:38PM Stack Instance: account 111111111111 region us-west-2 status OUTDATED reason User initiated operation2020-03-29 11:18:38PM Stack Instance: account 222222222222 region us-west-2 status OUTDATED reason User initiated operation2020-03-29 11:18:38PM Stack Instance: account 111111111111 region us-east-1 status OUTDATED reason User initiated operation2020-03-29 11:18:38PM Stack Instance: account 222222222222 region us-east-1 status OUTDATED reason User initiated operationStack Set Operation Status: SUCCEEDEDTime took to complete stack set operation: 44sStack Set Operation Summary:account 111111111111 region us-east-1 status SUCCEEDEDaccount 222222222222 region us-east-1 status SUCCEEDEDaccount 111111111111 region us-west-2 status SUCCEEDEDaccount 222222222222 region us-west-2 status SUCCEEDED$

If you see aResourceStatusReason:Insufficient error. That means the S3 bucket you have provided does allow permission for AWS Config to deliver logs to it. Here's an example of the error:

OUTDATED reason ResourceLogicalId:ConfigDeliveryChannel, ResourceType:AWS::Config::DeliveryChannel, ResourceStatusReason:Insufficient delivery policy to s3 bucket: aws-config-bucket-configbucket-lr7n5zsxk0yz, unable to write to bucket, provided s3 key prefix is 'null'. (Service: AmazonConfig; Status Code: 400; Error Code: InsufficientDeliveryPolicyException; Request ID: 6d139e0d-3736-4556-867b-f65611a7fda9).

And example screenshot:

You might have deployed theboltopspro/aws-config-bucket blueprint without adjusting the@accounts, which adds the permission to the S3 Bucket and allows AWS Config from other accounts to deliver logs to the S3 bucket. Please double check that.

You can check the S3 Bucket Permissions / Policy to see if there is ans3:PutObject allowance for all the accounts you're enabling AWS Config in.

Here's a useful loop to help determine that AWS Config is enabled on all Regions:

REGIONS=$(aws ec2 describe-regions | jq -r '.Regions[].RegionName')for i in $REGIONS ; do echo $i ; aws configservice describe-configuration-recorder-status --region $i ; done

Here's an example checking just 2 regions:

$ for i in $REGIONS ; do echo $i ; aws configservice describe-configuration-recorder-status --region $i ; doneus-west-2{    "ConfigurationRecordersStatus": [        {            "name": "StackSet-enable-aws-config-177ce307-47c2-41ff-88e1-516bf1e50dde-ConfigRecorder-1QY1HTHZBV65E",            "lastStartTime": 1580683128.282,            "recording": true,            "lastStatus": "SUCCESS",            "lastStatusChangeTime": 1585496343.32        }    ]}us-east-1{    "ConfigurationRecordersStatus": []}$

We can see that us-west-2 has AWS Config enabled and us-east-1 does not.

Note: Theeu-north-1 region does currently support StackSets. You can deploy the same code withlono cfn deploy separately to that region to enable AWS Config.