
STEP 2 : Enable AWS Config based data collection (Optional)(Preview)

This step is optional.

This step enables AWS Config and sets up an aggregator, which lets you assess, audit and evaluate the configurations of your AWS resources. Using the AWS Config APIs, Cloudneeti can then pull resource configuration metadata at scale. This optional onboarding configuration is used by default for accounts with a large number of resources.

Data collection and processing use AWS Config to meet large-scale requirements for the AWS services listed in the Appendix.

Workstation readiness

  • Install AWS Command Line Interface: to install the AWS CLI, follow the link. The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services.

  • Download config deployment scripts: download the files for deploying AWS Config and related resources for Config based data collection from the git link.

  • Install the serverless npm module: Serverless Framework is a CLI tool to manage AWS deployments. Execute the command below to install it:

        npm install -g serverless

  • Install jq for the bash terminal: download the latest stable version of jq from here and install it on the workstation.

2.1 Provision resources for config based data collection

Note

  • This script will delete any default config recorders and delivery channels present in entered regions of the AWS Account.

  • Cloudneeti recommends following AWS Config best practices.

  • AWS Config aggregation data is subject to delay. For details, please follow link

Steps

  1. Open any terminal which has AWS CLI configured
  2. On terminal navigate to folder location where you cloned the repository aws-config-onboarding
  3. Type aws configure and enter

    a. The account access key id and secret access key generated as described in the Appendix (Generate AWS account access key id and secret).

    b. Default region name(eg. us-east-1).

    c. Default output format as "json" only.

  4. To enable Config and Aggregator execute below command

        bash deploy-config.sh -a <AWS-account-id> -e <Cloudneeti-environment-prefix> -n <Config-aggregator-name> -p <primary-aggregator-region> -s <list of regions(secondary) where config is to be enabled>
    
    • (-a) Account Id: 12-digit AWS account Id of the account where you want to deploy the AWS Config setup

    • (-e) Environment prefix: Enter any suitable prefix for your deployment

    • (-n) Config Aggregator Name: Suitable name for the config aggregator

    • (-p) Config Aggregator region (primary): Programmatic name of the region where the primary Config recorder and the aggregator are to be created (eg: us-east-1). It must be a region in which AWS Config is supported.

    • (-s) Region list (secondary): Comma separated list (with no spaces) of the regions where the secondary Config recorders are to be enabled (eg: us-east-1,us-east-2). Pass "all" to enable Config in all other available regions, or "na" if you do not want to enable Config in any other region.


  5. Verify script executed successfully

  1. CloudFormation stack deployed in all selected regions (primary and secondary).

  2. S3 bucket created for Config data collection.

  3. Config service role created (config-role-).

  4. Config recording is on in the primary region and in every secondary region where Config was enabled.

  5. Aggregator is set up in the primary region.

2.3 Verify Aggregation is completed

After setup, AWS Config starts aggregating data from the specified regions into the aggregator. It might take a few minutes for data collection from all source regions to complete.

Once completed, AWS account onboarding at Cloudneeti can be initiated.

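The two verification steps above (recorders on in every enabled region, aggregation finished in the primary region) can be checked from the AWS CLI output rather than by reading console screenshots. The script below is an added example, not part of the Cloudneeti onboarding repository: it reads the JSON printed by `aws configservice describe-configuration-recorder-status` and `aws configservice describe-configuration-aggregator-sources-status` (the field names follow the AWS CLI documentation) and reports anything that is not healthy. The file name check_config.py and the sample documents are assumptions; the samples are constructed, not captured from a real account.

```python
#!/usr/bin/env python3
"""Offline checks for the JSON that the AWS CLI prints after deploy-config.sh.

Pipe `aws configservice ...` output (the page sets the CLI output format to
json) into this script; it never calls AWS itself. The sample documents at
the bottom are constructed for illustration, not captured from an account.
"""
import json
import sys


def recorder_issues(status_doc, region):
    """Findings for `aws configservice describe-configuration-recorder-status`.

    Healthy: a recorder with recording=true and lastStatus=SUCCESS. PENDING is
    normal shortly after enabling; FAILURE usually means the bucket or role.
    """
    issues = []
    recorders = status_doc.get("ConfigurationRecordersStatus", [])
    if not recorders:
        return [f"{region}: no configuration recorder present"]
    for rec in recorders:
        name = rec.get("name", "<unnamed>")
        if not rec.get("recording", False):
            issues.append(f"{region}: recorder {name} is not recording")
        status = rec.get("lastStatus", "")
        if status == "PENDING":
            issues.append(f"{region}: recorder {name} has not delivered yet (PENDING)")
        elif status != "SUCCESS":
            detail = rec.get("lastErrorMessage") or rec.get("lastErrorCode") or "no detail"
            issues.append(f"{region}: recorder {name} lastStatus={status} ({detail})")
    return issues


def aggregation_issues(sources_doc, account_id, expected_regions):
    """Findings for `describe-configuration-aggregator-sources-status`.

    The primary region and every -s region should appear with
    LastUpdateStatus=SUCCEEDED; OUTDATED means stale data, FAILED carries
    LastErrorCode/LastErrorMessage. Any source that is not the onboarded
    account is reported too.
    """
    issues = []
    seen = set()
    for src in sources_doc.get("AggregatedSourceStatusList", []):
        region = src.get("AwsRegion", "<unknown-region>")
        seen.add(region)
        if src.get("SourceId") != account_id:
            issues.append(f"{region}: unexpected source account {src.get('SourceId')}")
        status = src.get("LastUpdateStatus")
        if status != "SUCCEEDED":
            detail = src.get("LastErrorMessage") or src.get("LastErrorCode") or "no detail"
            issues.append(f"{region}: aggregation {status} ({detail})")
    for region in sorted(set(expected_regions) - seen):
        issues.append(f"{region}: not aggregated yet (no source status reported)")
    return issues


# Constructed sample CLI outputs (shape follows the AWS CLI, values invented).
SAMPLE_RECORDER_OK = {
    "ConfigurationRecordersStatus": [
        {"name": "default", "recording": True, "lastStatus": "SUCCESS"}
    ]
}
SAMPLE_RECORDER_FAILED = {
    "ConfigurationRecordersStatus": [
        {"name": "default", "recording": True, "lastStatus": "FAILURE",
         "lastErrorCode": "NoSuchBucket",
         "lastErrorMessage": "The specified bucket does not exist"}
    ]
}
SAMPLE_SOURCES = {
    "AggregatedSourceStatusList": [
        {"SourceId": "123456789012", "AwsRegion": "us-east-1", "LastUpdateStatus": "SUCCEEDED"},
        {"SourceId": "123456789012", "AwsRegion": "us-east-2", "LastUpdateStatus": "OUTDATED"},
    ]
}

USAGE = ("usage: ... describe-configuration-recorder-status | check_config.py recorder <region>\n"
         "       ... describe-configuration-aggregator-sources-status --configuration-aggregator-name <n>"
         " | check_config.py sources <account-id> <region,region,...>")


def main(argv):
    """Read one CLI document from stdin; exit 1 if any finding is reported."""
    if len(argv) >= 2 and argv[0] == "recorder":
        issues = recorder_issues(json.load(sys.stdin), argv[1])
    elif len(argv) >= 3 and argv[0] == "sources":
        issues = aggregation_issues(json.load(sys.stdin), argv[1], argv[2].split(","))
    else:
        print(USAGE, file=sys.stderr)
        return 2
    for line in issues:
        print(line)
    return 1 if issues else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run the recorder check once per region passed with -p and -s (with `--region` on the aws command), and the sources check once against the primary region, passing the same account id given to deploy-config.sh and the full list of enabled regions; a non-zero exit means onboarding at Cloudneeti should wait. OUTDATED or missing regions right after deployment are the delay noted above, not an error, so re-run after a few minutes before investigating.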

Appendix

Services supported by AWS Config enabled data collection

  • Data collection and processing use AWS Config to support large-scale requirements for the following AWS services:

    • AWS::EC2::Instance

    • AWS::EC2::Volume

    • AWS::EC2::SecurityGroup

    • AWS::S3::Bucket

Generate AWS account access key id and secret

  1. Click your name located on the top right navigation pane

  2. Select My Security Credentials

  3. Access key id is under the section Access keys for CLI, SDK, & API access


  4. If the access key secret is not available for this id, create a new access key by clicking the Create access key button. The secret is shown only once, at creation time, so store it securely.

Decommission AWS Config

1. Disable AWS Config Based Data Collection

  1. Navigate to Cloud Account (2) from Configurations (1)

  2. Select Update Cloud Account (3) in Configure Accounts (2)

  3. Disable AWS Config Based Data Collection (1) and Save (2)

2. Delete deployment bucket

Delete the Config deployment bucket using the AWS console. Search for the deployment bucket whose name contains config-bucket and which carries the tags below:

  • ServiceName: config-bucket

  • Description: Bucket for config data collection

3. Execute decommission script

  1. Open bash terminal

  2. Download files from git link

  3. Go to config onboarding downloaded directory

    cd aws-config-onboarding
    
  4. Decommission config resources in AWS account

    bash decommission-config.sh -a <AWS-account-id> -e <environment-prefix> -p <primary-aggregator-region>
    

    (-a)Account Id: 12-digit AWS account Id of the account where you want to delete the AWS Config setup

    (-e)Environment prefix: Enter any suitable prefix for your deployment

    (-p) Config Aggregator region(primary): Programmatic name of the region where the primary config with an aggregator is to be decommissioned(eg:us-east-1)