Component: aws-config
This component is responsible for configuring AWS Config.
AWS Config service enables you to track changes to your AWS resources over time. It continuously monitors and records configuration changes to your AWS resources and provides you with a detailed view of the relationships between those resources. With AWS Config, you can assess, audit, and evaluate the configurations of your AWS resources for compliance, security, and governance purposes.
Some of the key features of AWS Config include:
- Configuration history: AWS Config maintains a detailed history of changes to your AWS resources, allowing you to see when changes were made, who made them, and what the changes were.
- Configuration snapshots: AWS Config can take periodic snapshots of your AWS resources configurations, giving you a point-in-time view of their configuration.
- Compliance monitoring: AWS Config provides a range of pre-built rules and checks to monitor your resources for compliance with best practices and industry standards.
- Relationship mapping: AWS Config can map the relationships between your AWS resources, enabling you to see how changes to one resource can impact others.
- Notifications and alerts: AWS Config can send notifications and alerts when changes are made to your AWS resources that could impact their compliance or security posture.
Overall, AWS Config provides you with a powerful toolset to help you monitor and manage the configurations of your AWS resources, ensuring that they remain compliant, secure, and properly configured over time.
Prerequisites
As part of CIS AWS Foundations 1.20, this component assumes that a designated support IAM role with the following permissions has been deployed to every account in the organization:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSupport",
"Effect": "Allow",
"Action": [
"support:*"
],
"Resource": "*"
},
{
"Sid": "AllowTrustedAdvisor",
"Effect": "Allow",
"Action": "trustedadvisor:Describe*",
"Resource": "*"
}
]
}
Before deploying this AWS Config component config-bucket and cloudtrail-bucket should be deployed first.
Usage
Stack Level: Regional
NOTE: Since AWS Config is regional AWS service, this component needs to be deployed to all regions.
At the AWS Organizational level, the Components designate an account to be the central collection account and a single region to be the central collection region so that compliance information can be aggregated into a central location.
Logs are typically written to the audit account and AWS Config deployed into to the security account.
Here's an example snippet for how to use this component:
components:
terraform:
aws-config:
vars:
enabled: true
account_map_tenant: core
az_abbreviation_type: fixed
# In each AWS account, an IAM role should be created in the main region.
# If the main region is set to us-east-1, the value of the var.create_iam_role variable should be true.
# For all other regions, the value of var.create_iam_role should be false.
create_iam_role: false
central_resource_collector_account: core-security
global_resource_collector_region: us-east-1
config_bucket_env: ue1
config_bucket_stage: audit
config_bucket_tenant: core
conformance_packs:
- name: Operational-Best-Practices-for-CIS-AWS-v1.4-Level2
conformance_pack: https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml
parameter_overrides:
AccessKeysRotatedParamMaxAccessKeyAge: '45'
- name: Operational-Best-Practices-for-HIPAA-Security.yaml
conformance_pack: https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml
parameter_overrides:
...
(etc)
managed_rules:
access-keys-rotated:
identifier: ACCESS_KEYS_ROTATED
description: "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
input_parameters:
maxAccessKeyAge: "30"
enabled: true
tags: {}
Deployment
Apply to your central region security account
atmos terraform plan aws-config-{central-region} --stack core-{central-region}-security -var=create_iam_role=true
For example when central region is us-east-1:
atmos terraform plan aws-config-ue1 --stack core-ue1-security -var=create_iam_role=true
Apply aws-config to all stacks in all stages.
atmos terraform plan aws-config-{each region} --stack {each region}-{each stage}
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 4.0 |
| awsutils | >= 0.16.0 |
Providers
| Name | Version |
|---|---|
| aws | >= 4.0 |
Modules
| Name | Source | Version |
|---|---|---|
| account_map | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| aws_config | cloudposse/config/aws | 1.1.0 |
| aws_config_label | cloudposse/label/null | 0.25.0 |
| aws_team_roles | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| config_bucket | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| conformance_pack | cloudposse/config/aws//modules/conformance-pack | 1.1.0 |
| global_collector_region | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| iam_roles | ../account-map/modules/iam-roles | n/a |
| this | cloudposse/label/null | 0.25.0 |
| utils | cloudposse/utils/aws | 1.3.0 |
Resources
| Name | Type |
|---|---|
| aws_caller_identity.this | data source |
| aws_partition.this | data source |
| aws_region.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_map_tenant | (Optional) The tenant where the account_map component required by remote-state is deployed. | string | "" | no |
| additional_tag_map | Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration. | map(string) | {} | no |
| attributes | ID element. Additional attributes (e.g. workers or cluster) to add to id,in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiterand treated as a single ID element. | list(string) | [] | no |
| az_abbreviation_type | AZ abbreviation type, fixed or short | string | "fixed" | no |
| central_resource_collector_account | The name of the account that is the centralized aggregation account. | string | n/a | yes |
| config_bucket_env | The environment of the AWS Config S3 Bucket | string | n/a | yes |
| config_bucket_stage | The stage of the AWS Config S3 Bucket | string | n/a | yes |
| config_bucket_tenant | (Optional) The tenant of the AWS Config S3 Bucket | string | "" | no |
| conformance_packs | List of conformance packs. Each conformance pack is a map with the following keys: name, conformance_pack, parameter_overrides. For example: conformance_packs = [ { name = "Operational-Best-Practices-for-CIS-AWS-v1.4-Level1" conformance_pack = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml" parameter_overrides = { "AccessKeysRotatedParamMaxAccessKeyAge" = "45" } }, { name = "Operational-Best-Practices-for-CIS-AWS-v1.4-Level2" conformance_pack = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml" parameter_overrides = { "IamPasswordPolicyParamMaxPasswordAge" = "45" } } ] Complete list of AWS Conformance Packs managed by AWSLabs can be found here: https://github.com/awslabs/aws-config-rules/tree/master/aws-config-conformance-packs | | [] | no |
| context | Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value.Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. | any | | no |
| create_iam_role | Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config | bool | false | no |
| delegated_accounts | The account IDs of other accounts that will send their AWS Configuration or Security Hub data to this account | set(string) | null | no |
| delimiter | Delimiter to be used between ID elements. Defaults to - (hyphen). Set to "" to use no delimiter at all. | string | null | no |
| descriptor_formats | Describe additional descriptors to be output in the descriptors output map.Map of maps. Keys are names of descriptors. Values are maps of the form {<br/> format = string<br/> labels = list(string)<br/>}(Type is any so the map values can later be enhanced to provide additional options.)format is a Terraform format string to be passed to the format() function.labels is a list of labels, in order, to pass to format() function.Label values will be normalized before being passed to format() so they will beidentical to how they appear in id.Default is {} (descriptors output will be empty). | any | {} | no |
| enabled | Set to false to prevent the module from creating any resources | bool | null | no |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string | null | no |
| global_environment | Global environment name | string | "gbl" | no |
| global_resource_collector_region | The region that collects AWS Config data for global resources such as IAM | string | n/a | yes |
| iam_role_arn | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. This is only used if create_iam_role is false. If you want to use an existing IAM Role, set the variable to the ARN of the existing role and set create_iam_role to false.See the AWS Docs for further information: http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | string | null | no |
| iam_roles_environment_name | The name of the environment where the IAM roles are provisioned | string | "gbl" | no |
| id_length_limit | Limit id to this many characters (minimum 6).Set to 0 for unlimited length.Set to null for keep the existing setting, which defaults to 0.Does not affect id_full. | number | null | no |
| label_key_case | Controls the letter case of the tags keys (label names) for tags generated by this module.Does not affect keys of tags passed in via the tags input.Possible values: lower, title, upper.Default value: title. | string | null | no |
| label_order | The order in which the labels (ID elements) appear in the id.Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | list(string) | null | no |
| label_value_case | Controls the letter case of ID elements (labels) as included in id,set as tag values, and output by this module individually. Does not affect values of tags passed in via the tags input.Possible values: lower, title, upper and none (no transformation).Set this to title and set delimiter to "" to yield Pascal Case IDs.Default value: lower. | string | null | no |
| labels_as_tags | Set of labels (ID elements) to include as tags in the tags output.Default is to include all labels. Tags with empty values will not be included in the tags output.Set to [] to suppress all generated tags.Notes: The value of the name tag, if included, will be the id, not the name.Unlike other null-label inputs, the initial setting of labels_as_tags cannot bechanged in later chained modules. Attempts to change it will be silently ignored. | set(string) | | no |
| managed_rules | A list of AWS Managed Rules that should be enabled on the account. See the following for a list of possible rules to enable: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html Example: | | {} | no |
| name | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag.The "name" tag is set to the full id string. There is no tag with the value of the name input. | string | null | no |
| namespace | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | string | null | no |
| privileged | True if the default provider already has access to the backend | bool | false | no |
| regex_replace_chars | Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. | string | null | no |
| region | AWS Region | string | n/a | yes |
| root_account_stage | The stage name for the Organization root (master) account | string | "root" | no |
| stage | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | string | null | no |
| tags | Additional tags (e.g. {'BusinessUnit': 'XYZ'}).Neither the tag keys nor the tag values will be modified by this module. | map(string) | {} | no |
| tenant | ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for | string | null | no |
Outputs
| Name | Description |
|---|---|
| aws_config_configuration_recorder_id | The ID of the AWS Config Recorder |
| aws_config_iam_role | The ARN of the IAM Role used for AWS Config |
| storage_bucket_arn | Storage Config bucket ARN |
| storage_bucket_id | Storage Config bucket ID |