Do you want to understand governance across all of your AWS accounts? Are you struggling to get visibility into the compliance of your AWS resources? Join us in this session as we explore the new multi-account, multi-region data aggregation capability in AWS Config, which enables centralized governance and monitoring of compliance status across your AWS infrastructure. You learn how to use this exciting new capability to centrally monitor your compliance status across accounts, across regions, within your AWS Organization.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sid Gupta
Sr. Product Manager, AWS Config
April 4, 2018
Monitor Cross-Account and Cross-Region
Compliance Status with AWS Config

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to Expect from the Session
• About AWS management tools
• About AWS Config
• Multi-account, multi-region data aggregation feature
• Demo
• Q&A

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Management Tools
Define provisioning of resources
 AWS CloudFormation
 AWS Service Catalog
Discover and gain visibility
 AWS CloudTrail
 AWS Config, AWS Config rules
Manage your compute environment
 Amazon EC2 Systems Manager
Monitor, Report, and Respond to changes
 Amazon CloudWatch

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Configuration auditor
• Monitors configuration changes over time
• Evaluates the configuration against policies defined using
AWS Config rules
• Alerts you if the configuration is noncompliant with your
policies
AWS Config
Changing resources
AWS Config
AWS Config rules
History, snapshot
Notifications
API access
Normalized

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Common Use Cases
• Auditing configuration changes over time
• Detecting misconfigurations
• Verifying compliance (with internal and regulatory
requirements)
• Change management (third-party CMDB integration)
5

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Continuous Assessment Using AWS Config
Rules
• 45+ pre-built rules provided by AWS
• Custom rules (e.g., CIS benchmarks)
• GitHub repo: Community sourced rules
• Alerts sent via Amazon SNS and CloudWatch Events

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config Dashboard

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Problem Statement
I have 200+ accounts in my enterprise where I have
provisioned AWS Config rules. How can I get an enterprise-
wide view of their compliance status?

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why is this challenging?
• AWS Config rules are deployed into each account and each region
• Custom tools are needed to aggregate compliance data
• This increases operational and management overhead
• If new accounts get added or removed, I need to update scripts
accordingly

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New Feature: Multi-Account, Multi-Region Data
Aggregation
 Central dashboard that provides an aggregated view
 Multi-account, multi-region
 Integrates with AWS Organizations
 Available at no additional charge

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New Concepts
Aggregator – A new resource type in AWS Config that identifies the sources (accounts and regions)
of the compliance data to be aggregated
Aggregator account – An AWS account that owns one or more aggregators
Source account – An AWS account that has compliance data to be aggregated
Authorization – An action that authorizes the aggregator account to collect AWS Config data from a
source account
Aggregated view – A dashboard that shows compliance status for an aggregator

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-Account, Multi-Region Data Aggregation Feature in AWS Config

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Getting Started
Step 1 - Enable AWS Config / Config rules in your source
accounts
Step 2 - Create an aggregator in the aggregator account
Step 3 - Authorize the aggregator account / region to collect
your AWS Config data.
Step 4 - View the aggregated dashboard in the aggregator
account

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
Provision Config rules across multiple accounts

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Video will be embedded here

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
Aggregate data from individual source accounts

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Video will be embedded here

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How can you enable these features across many accounts
programmatically?
 Use AWS CloudFormation templates
 Use StackSets to deploy across multiple accounts and regions

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Organizations Integration
• You can aggregate compliance data from all accounts in
your organization
• Aggregator can only be created in the master account
• All features must be enabled in your organization
• Authorization step is not needed in the member accounts
• Aggregator automatically gets updated when accounts join
or leave the organization

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
Aggregate data from AWS Organizations

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Video will be embedded here

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer Testimonial
“With the launch of AWS Config’s multi-account, multi-region data
aggregation feature, we now have a centralized view of compliance state
for all AWS resources. This greatly simplifies our management across
multiple AWS accounts. This feature also allows us to optimize our AWS
spend by quickly identifying and removing noncompliant or unneeded
resources.”
- Bradley Segobiano, Software Engineer at Genesys PureCloud

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer Testimonial
“AWS Config’s multi-account, multi-region data aggregation feature
eliminates the problem of configuration drift across 50+ AWS accounts and
multiple regions. It increases our team’s productivity by allowing us to
remediate misconfigurations in real time and at scale. This improves our
security as well as environment parity.”
- Blayze Stefaniak, Lead Cloud Engineer at UPMC Enterprises

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key Takeways: Multi-Account, Multi-Region Data
Aggregation Aggregates AWS Config rule compliance data
 Supports single-account, multi-region aggregation
 Supports multi-account, multi-region aggregation
 Integrates with AWS Organizations
 Available at no additional charge
 Available in these regions: US East (N. Virginia), US East (Ohio), US
West (Oregon), US West (San Francisco), EU (Ireland), EU (Frankfurt),
Asia Pacific (Tokyo), Asia Pacific (Sydney), and Asia Pacific (Singapore)

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the session survey in
the summit mobile app.

26. Submit Session Feedback
1. Tap the Schedule icon. 2. Select the session
you attended.
3. Tap Session
Evaluation to submit your
feedback.

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!