Managing AWS Config Rules Across All Accounts in Your Organization
AWS Config allows you to manage AWS Config rules across all AWS accounts within an organization. You can:
-
Centrally create, update, and delete AWS Config rules across all accounts in your organization.
-
Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created.
-
Use the APIs from the management account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules are not modifiable by your organization’s member accounts.
For deployments across different regions
The API call to deploy rules and conformance packs across accounts is region specific.
At the organization level, you need to change the context of your API call to a
different region if you want to deploy rules in other regions. For example, to deploy a
rule in US East (N. Virginia), change the region to US East (N. Virginia) and then call
PutOrganizationConfigRule.
For accounts within an organzation
If a new account joins an organization, the rule or conformance pack is deployed to that account. When an account leaves an organization, the rule or conformance pack is removed.
If you deploy an organizational rule or conformance pack in an organization administrator account, and then establish a delegated administrator and deploy an organizational rule or conformance pack in the delegated administrator account, you won't be able to see the organizational rule or conformance pack in the organization administrator account from the delegated administrator account or see the organizational rule or conformance pack in the delegated administrator account from organization administrator account. The DescribeOrganizationConfigRules and DescribeOrganizationConformancePacks APIs can only see and interact with the organization-related resource that were deployed from within the account calling those APIs.
Retry mechanism for new accounts added to an organization
Deployment of existing organizational rules and conformance packs will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.
Ensure AWS Config recording is on before you use the following APIs to manage AWS Config rules across all AWS accounts within an organization:
-
PutOrganizationConfigRule, adds or updates organization config rule for your entire organization evaluating whether your AWS resources comply with your desired configurations.
-
DescribeOrganizationConfigRules, returns a list of organization config rules.
-
GetOrganizationConfigRuleDetailedStatus, returns detailed status for each member account within an organization for a given organization config rule.
-
GetOrganizationCustomRulePolicy, returns the policy definition containing the logic for your organization config custom policy rule.
-
DescribeOrganizationConfigRuleStatuses, provides organization config rule deployment status for an organization.
-
DeleteOrganizationConfigRule, deletes the specified organization config rule and all of its evaluation results from all member accounts in that organization.
Region Support
Deploying AWS Config Rules across member accounts in an AWS Organization is supported in the following Regions.
| Region name | Region | Endpoint | Protocol |
|---|---|---|---|
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
