Managing Conformance Packs Across all Accounts in Your Organization
Use AWS Config to manage conformance packs across all AWS accounts within an organization. You can do the following:
-
Centrally deploy, update, and delete conformance packs across member accounts in an organization in AWS Organizations.
-
Deploy a common set of AWS Config rules and remediation actions across all accounts and specify accounts where AWS Config rules and remediation actions should not be created.
-
Use the APIs from the master account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules and remediation actions are not modifiable by your organization’s member accounts.
For deployments across different regions
The API call to deploy rules and conformance packs across accounts is region specific.
At the organization level, you need to change the context of your API call to a different
region if you want to deploy rules in other regions. For example, to deploy a rule
in US East (N. Virginia), change the region to US East (N. Virginia) and then call
PutOrganizationConfigRule.
For accounts within an organzation
If a new account joins an organization, the rule is deployed to that account. When an account leaves an organization, the rule is removed.
Retry mechanism for new accounts added to an organization
Deployment of existing organizational AWS Config Rules and organizational conformance packs will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.
Ensure AWS Config recording is on before you use the following APIs to manage conformance pack rules across all AWS accounts within an organization:
-
DeleteOrganizationConformancePack, deletes the specified organization conformance pack and all of the config rules and remediation actions from all member accounts in that organization.
-
DescribeOrganizationConformancePacks, returns a list of organization conformance packs.
-
DescribeOrganizationConformancePackStatuses, provides organization conformance pack deployment status for an organization.
-
GetOrganizationConformancePackDetailedStatus, returns detailed status for each member account within an organization for a given organization conformance pack.
-
PutOrganizationConformancePack, deploys conformance packs across member accounts in an AWS Organization.
Region Support
Deploying conformance packs across member accounts in an AWS Organization is supported in the following Regions.
| Region name | Region | Endpoint | Protocol |
|---|---|---|---|
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
