AWS Cloud Operations Blog
View AWS Config rules across multiple accounts and Regions using AWS Systems Manager Explorer
AWS Systems Manager Explorer is a customizable operations dashboard that displays an aggregated view of operations data from across your AWS accounts and AWS Regions. Explorer provides context into how operational issues are distributed, trend over time, and vary by category. In this blog post, I explain how Explorer gathers the compliance status of AWS Config rules and resources in your AWS account. If you are using AWS Organizations, Explorer aggregates the status from across all Regions and accounts in your organization.
AWS Config is used to assess, audit, and evaluate the configuration of your AWS resources. You can use a set of AWS Config managed rules for common compliance scenarios or you can create your own rules for custom scenarios. When an AWS resource is found to be noncompliant, you can specify a remediation action through an AWS Systems Manager Automation document and optionally send an alert through an Amazon Simple Notification Service (Amazon SNS) topic.
Prerequisites
To aggregate AWS Config rules and resource compliance into Explorer, use the AWS Config console, AWS CLI, or the AWS Config SDKs to set up the service. The blog post AWS Config Rules – Dynamic Compliance Checking for Cloud Resources provides details on creating rules and Config.
Follow the steps in the Quick Setup section of the Manage instances using AWS Systems Manager Quick Setup across organizations in AWS Organizations blog post. When you use this method, Explorer uses default settings for AWS Identity and Access Management roles and AWS Systems Manager OpsData sources.
AWS Config rules
In the AWS Config console, you find rules that you defined for your current account and Region.
Figure 1: List of AWS Config rules
AWS Config resource inventory
AWS Config provides an inventory of the resources it has recorded. As described in the AWS Config documentation on viewing AWS Resource configurations and history, the inventory allows you to understand the compliance status of your AWS resources based on type of resource, tag, or compliance status. Figure 2 shows a list of noncompliant resources.
Figure 2: Noncompliant resources
If you want to perform ad hoc queries against the current configuration state of your resources, see the query your resource configuration state using the advanced query feature of AWS Config blog post.
Viewing AWS Config compliance status
Before you can view AWS Config compliance status, you must enable the flow of information from AWS Config into Explorer by using the Explorer OpsData sources. OpsData sources are connectors built and maintained by AWS that gather data from AWS services, converts it into OpsData items, and displays them in Explorer widgets.
To enable the AWS Config data source, sign in to the AWS Systems Manager console, choose Dashboard actions, and then choose Configure dashboard.
Figure 3: Explorer page of AWS Systems Manager console
When you choose an OpsData source, you see a list of its associated widgets, which you can add or remove from the Explorer dashboard. For information about customizing the display, see customizing the display and using filters in the AWS Systems Manager user guide.
On the Configure OpsData sources and widgets page, confirm that AWS Config Compliance is set to Enabled. Confirm that Added is displayed for the AWS Config Compliance Summary widget.
Figure 4: Enable AWS Config data source and widgets
Because you have added the AWS Config widget, you can see a summary of AWS Config rules, resources, and conformance packs. Figure 5 shows the summary of rules and resources in my AWS account.
Figure 5: Explorer widget for AWS Config
Viewing OpsData for AWS Config rules
The widget allows you to drill down and explore the data from AWS Config. Choose the Rule name links to view the compliant and noncompliant details. Figure 6 shows the list of noncompliant AWS Config rules and their compliance status. If you are viewing Explorer for a single account, there is a link to the AWS Config console. As explained in the AWS documentation for exporting OpsData rom Systems Manager Explorer, you can use the Export Table button to send a CSV file to an SNS topic.
Figure 6: List of AWS Config rules
When you choose the rule name, the AWS Config console opens so you can view the compliance status of the monitored resources for the selected rule.
Figure 7: AWS Config rules
Viewing OpsData for AWS Config resources
On the Explorer widget, when you choose the links next to the AWS Config resources, you see a list of compliant and noncompliant resources. If you are viewing the resources from a single account, there is link to the AWS Config console where you can view details of the resource.
Figure 8: List of AWS resources
You can use the Export Table button to export the list of AWS Config resources to an Amazon Simple Storage Service (Amazon S3) bucket and send a CSV file to an SNS topic.
Figure 9 shows the Export data as CSV page where you choose the S3 bucket where the CSV file will be stored, the SNS topic that receives the CSV file, and an optional message. After you choose Export, an AWS Systems Manager Automation task starts and, in a few minutes, subscribers to the SNS topic will receive a message. When you export the CSV file, an AWS Identity and Access Management (IAM) role with the permissions required to access the S3 bucket and SNS topic is created.
Figure 9: Export AWS Config resources as a CSV file
When you choose the link for a resource, the AWS Config console opens so you can view the resource configuration details.
Figure 10: AWS Config resource
Conclusion
In this blog post, I showed how you can view aggregated AWS Config rule and resource compliance across multiple accounts and Regions in AWS Systems Manager Explorer dashboards. From the Explorer widget, you can view lists of AWS Config elements, export the details to CSV, and distribute them through an SNS topic.
For information about other Explorer OpsData sources, see the multi-account AWS Trusted Advisor summaries now available in AWS Systems Manager Explorer and use AWS Systems Manager Explorer to optimize your compute resources across your organizations in AWS Organizations blog posts.
About the author
Michael Heyd is a Solutions Architect with Amazon Web Services and is based in Vancouver, Canada. Michael works with enterprise AWS customers to transform their business through innovative use of cloud technologies. Outside work he enjoys board games and biking.