AWS is getting serious about simplifying management for organizations with multiple AWS accounts, a structure that is recommended for organizations taking their cloud operations to the enterprise level. Until now, change management and compliance in a multi-account structure were difficult to implement, even with most third-party solutions. I was excited when I was afforded the opportunity to participate in a study for this feature, and am even more so now that it is generally available.
Many sophisticated AWS customers will already be familiar with AWS Config, but here’s a recap: Config provides current and historical views of AWS resource configurations, allowing an administrator to quickly see how infrastructure has evolved over time. Taken a step further, Config Rules provide a definition of allowed and denied configurations and the ability to take corrective action if resources are created or changed in a way that breaks standards or regulatory compliance. For example, if a user opens a security group to make it too permissive, Config Rules can change it back. The AWS community has been instrumental in open-sourcing its own checks and actions, making it easy for new Config users to begin actively enforcing their infrastructure configurations.
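The security group case above, as an added example that is not from the original post or from AWS: the evaluation half of a custom Config rule, run against a constructed configuration item. The field names (`ipPermissions`, `ipv4Ranges`, `cidrIp`, `ipv6Ranges`, `cidrIpv6`) are the assumed shape of a recorded `AWS::EC2::SecurityGroup` item, and the allow-list of public ports is a policy assumption; the corrective action is not shown.

```python
ALLOWED_PUBLIC_PORTS = {443}            # assumption: only HTTPS may be world-reachable
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def open_ranges(perm):
    """World-open CIDRs on one ingress permission (field names are assumed)."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c in OPEN_CIDRS]

def exposed_ports(perm):
    """Ports outside the allow-list, as text; None when the permission is acceptable."""
    if perm.get("ipProtocol") not in ("tcp", "udp"):
        return "all"                    # "-1" (every protocol), ICMP, and so on
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return "all"
    if all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
        return None
    return str(lo) if lo == hi else f"{lo}-{hi}"

def evaluate(item):
    """Return the ComplianceType and Annotation a rule would report for this item."""
    if (item.get("resourceType") != "AWS::EC2::SecurityGroup"
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "out of scope"}
    findings = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        ranges, ports = open_ranges(perm), exposed_ports(perm)
        if ranges and ports:
            findings.append(f"{perm.get('ipProtocol')}/{ports} from {','.join(ranges)}")
    if findings:                        # annotation trimmed to 256 characters
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": "; ".join(findings)[:256]}
    return {"ComplianceType": "COMPLIANT", "Annotation": "no unexpected public ingress"}

SAMPLE_ITEM = {  # constructed sample, not captured from a real account
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-EXAMPLE",
    "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ITEM))
```

In a deployed rule, the returned dictionary would feed the evaluation the Lambda function reports back to Config for the resource.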
Until now, using Config/Config Rules across multiple accounts meant deploying the rules and Lambda functions in each of the accounts individually. Now, configuration can be managed in a single account, with insight into other accounts managed by AWS. What’s more, administrators and security officers can view compliance across all their accounts from a single dashboard, no third-party tools or custom-built interfaces required.
DevOps and infrastructure as code can help orchestrate and standardize infrastructure management, but Config and active monitoring are the only way to really ensure compliance. JHC believes that ensuring compliance is critical even in non-regulated industries (but we’re happy to share our experience helping organizations meet FISMA Mod/High, NIST, HIPAA, and other regulatory frameworks). Let us know what management challenges or regulations your organization is working on. We specialize in helping organizations get their Cloud. Simplified.
Blog post for cross-account AWS config: https://aws.amazon.com/blogs/aws/aws-config-update-aggregate-compliance-data-across-accounts-regions/