Operating AWS Config
Enable AWS Config across all regions in all accounts
For customers running multiple AWS accounts, we recommend implementing AWS Config across your entire organization. Because AWS Config is a region-specific service, you'll need to enable it in each region where you want to track resource configuration changes and compliance evaluations. You can do so in three ways:
- Using CloudFormation StackSets: CloudFormation StackSets provide pre-built templates for enabling AWS Config across multiple regions and accounts simultaneously, deploy the configuration recorder across your organization, and maintain consistent settings across all accounts. To deploy AWS Config across your organization using CloudFormation, please follow this blog.
- Using AWS Systems Manager Quick Setup: AWS Systems Manager Quick Setup offers a streamlined way to enable the AWS Config recorder across your entire organization. To deploy AWS Config across your organization using Systems Manager Quick Setup, please follow this blog.
- AWS Control Tower: AWS Control Tower helps you set up and securely manage multiple AWS accounts from a central location. When enabled, Control Tower automatically activates AWS Config across all enrolled accounts. To get started with AWS Control Tower, please refer to the AWS Control Tower Getting Started public documentation.
AWS Config recorder settings
When configuring AWS Config recorder settings, an important best practice is to enable tracking for all resource types. The additional benefit of enabling all resources is that the resource types of new AWS services are included automatically as they become available for Config tracking, so your configuration management stays current without manual intervention. For global resources, such as IAM, it's important to enable recording in only one region (AWS Config should be enabled in the customer's home or main region). This configuration serves two purposes: it prevents duplicate configuration items and helps avoid unnecessary costs. If you enable global resource recording in multiple regions, you'll encounter redundant configuration tracking and incur additional expenses for monitoring the same global resources multiple times. For example, when tracking IAM users, roles, and policies, you should designate a primary region (such as us-east-1) for global resource recording and disable this feature in all other regions.
Delivery Method Best Practices
When implementing AWS configuration management, establishing proper delivery methods for configuration items is crucial. A recommended best practice is to designate a centralized Amazon S3 bucket within a central account, which could be either a logging account or another specifically designated account. This centralization allows for better organization and management of configuration item logs. To maintain clear organization within the bucket, it's advisable to implement a structured prefix system that clearly identifies the source account and region for each configuration item. Please also implement security best practices for the S3 bucket such as: enabling encryption in transit and at rest, disabling public access, and maintaining strict access controls. These security measures ensure compliance with data protection standards and minimize security risks.
You can also configure AWS Config to automatically stream configuration changes and compliance status updates to a designated SNS topic. For enterprise environments with multiple AWS accounts, you can establish a central SNS topic to consolidate these notifications. This centralized approach enables IT and Security teams to efficiently monitor and respond to configuration changes across the organization. To do so, please follow this documentation.
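The recorder settings and delivery method described in the two sections above, combined into one CloudFormation template of the kind you would deploy to every region of every account with StackSets. This is an added example, not AWS's own template or the one in the linked blog; the HomeRegion default, the CentralLogBucket and CentralSnsTopicArn parameters, and the prefix layout are assumptions, and the template assumes the AWS Config service-linked role already exists in each account and that the central bucket policy and SNS topic policy already grant config.amazonaws.com write access from member accounts.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not AWS's own template): AWS Config recorder and delivery
  channel for deployment to every region of every account via StackSets.

Parameters:
  HomeRegion:
    Type: String
    Default: us-east-1          # assumption: the one region that records global resources
  CentralLogBucket:
    Type: String                # assumption: existing bucket in the central logging account
  CentralSnsTopicArn:
    Type: String                # assumption: existing central SNS topic ARN

Conditions:
  # Global resources (IAM users, roles, policies) are recorded only in the home region
  IsHomeRegion: !Equals [!Ref "AWS::Region", !Ref HomeRegion]

Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      # Assumption: the Config service-linked role already exists in this account
      RoleARN: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
      RecordingGroup:
        AllSupported: true      # record every supported type; new types are picked up automatically
        IncludeGlobalResourceTypes: !If [IsHomeRegion, true, false]

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn: ConfigRecorder   # the Config API rejects a delivery channel when no recorder exists
    Properties:
      Name: default
      S3BucketName: !Ref CentralLogBucket
      # Prefix that identifies the source account and region of each configuration item
      S3KeyPrefix: !Sub "config/${AWS::AccountId}/${AWS::Region}"
      SnsTopicARN: !Ref CentralSnsTopicArn
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours
```

Because the condition is evaluated per stack instance, a single StackSet deployment yields one region with global resource recording on and every other region with it off, which is the duplicate-item and cost-avoidance behaviour the recorder section calls for.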
Delegated Admin for AWS Config
A delegated administrator for AWS Config is a designated member account within an AWS organization that receives permissions to manage configuration settings across the entire organization. This administrator can deploy and manage AWS Config rules, handle conformance packs, and aggregate configuration data from multiple accounts. They have visibility into resource configurations and compliance status across the organization, enabling centralized management and monitoring. To use delegated admin for AWS Config operations and aggregation please follow this blog.
Using a delegated administrator for AWS Config is a best practice because it protects the management account by limiting its use to only essential organizational tasks while delegating AWS Config specific administrative duties to designated member accounts. This approach follows the principle of least privilege, reduces security risks, and provides better operational control by centralizing Config management in designated accounts.