Deployment: Dashboard account - Cloud Intelligence Dashboards on AWS


Deployment Instructions

The infrastructure needed to collect and process the data is defined in AWS CloudFormation. The dashboard resources are defined in a template file that can be installed using the CID-CMD tool.

Installation on dedicated Dashboard account

The installation process consists of three steps:

  1. On the Dashboard account, deploy data pipeline resources for the dashboard using a CloudFormation stack.

  2. On the Log Archive account, configure the S3 replication rule that copies AWS Config files from the Log Archive bucket to the Dashboard bucket using a CloudFormation stack.

  3. On the Dashboard account, deploy Quicksight resources for the dashboard and the necessary Athena views using the CID-CMD command line tool.

Figure: CRCD Dashboard: deployment steps on Dashboard account
Note

The S3 replication rule configured at step 2 is valid only for new AWS Config files delivered to the Log Archive bucket, i.e. it will not replicate files that previously existed on the Log Archive bucket.

Deployment Steps

Note

Ensure you are in the region where both your Log Archive bucket and Amazon QuickSight are deployed.

Step 1 [in Dashboard account]

  1. Log into the AWS Management Console for your Dashboard account.

  2. Ensure you are in the same region as the Log Archive bucket.

  3. Click the Launch Stack button below to open the stack template in your CloudFormation console. This stack will create the data pipeline resources for the dashboard.

    Launch Stack button

  4. Specify the following parameters:

    • Log Archive account ID Enter the AWS account ID of the Log Archive account. Notice this is not the account where you are currently logged in (Required).

    • Log Archive bucket Enter the name of the Amazon S3 bucket that collects AWS Config data (Required).

    • ARN of the KMS key that encrypts the Log Archive bucket If you encrypt the Log Archive bucket with a KMS key, copy the key’s ARN here.

      • If a KMS key ARN is passed here, the CloudFormation template will create a new KMS key and use it to encrypt the Dashboard bucket.

    • Dashboard account ID Enter the AWS account ID where you are currently logged in (Required).

    • Dashboard bucket Enter the name of the Amazon S3 bucket that will collect AWS Config data. The CloudFormation template will create this bucket on the Dashboard account (Required).

    • ARN of the KMS key that encrypts the Dashboard bucket Leave empty. This parameter is ignored in this deployment mode.

    • Configure S3 event notification Leave at the default value. This parameter is ignored in this deployment mode.

    • Configure cross-account replication Leave at the default value. This parameter is ignored in this deployment mode.

    • Leave all other parameters at their default value.

  5. Run the CloudFormation template.

  6. Note down the output values of the CloudFormation template.

  7. If you encrypt the Log Archive bucket with a KMS key, the template will create a KMS key to encrypt the Dashboard bucket. Note down its ARN from the output value DashboardBucketKmsKeyArn. You will use it at the next step.

Step 2 [in Log Archive account]

  1. Log into the AWS Management Console for your Log Archive account.

  2. Click the Launch Stack button below to open the stack template in your CloudFormation console. This stack will create the data pipeline resources for the dashboard.

Launch Stack button

  3. Specify the following parameters:

    • Log Archive account ID Enter the AWS account ID where you are currently logged in (Required).

    • Log Archive bucket Enter the name of the Amazon S3 bucket that collects AWS Config data (Required).

    • ARN of the KMS key that encrypts the Log Archive bucket If you encrypt the Log Archive bucket with a KMS key, copy the key’s ARN here.

    • Dashboard account ID Insert the ID of the Dashboard account that you specified in this field at Step 1 (Required).

    • Dashboard bucket Insert the bucket name that you specified in this field at Step 1 (Required).

    • ARN of the KMS key that encrypts the Dashboard bucket This parameter is used only at this step of the Dashboard account deployment. If you encrypt the Log Archive bucket with a KMS key, insert the ARN of the KMS key created in Step 1 (it’s DashboardBucketKmsKeyArn on the CloudFormation Outputs).

    • Configure S3 event notification Leave at the default value. This parameter is ignored in this deployment mode.

    • Configure cross-account replication (Required)

      • Select yes to configure S3 replication from the Log Archive bucket to the Dashboard bucket.

      • Select no if you have already configured S3 replication rules on the Log Archive bucket. You will have to set up S3 replication manually (see below).

      • The S3 replication configuration is performed by an ad-hoc Lambda function (Configure bucket replication in the diagram above) that will be called by the CloudFormation template automatically.

        Note

        If you select yes, and you have existing S3 replication configurations, the Configure bucket replication function will return an error and the entire stack will fail. In this case you must select no and run the stack again.

    • Leave all other parameters at their default value.

  4. Run the CloudFormation template.

  5. Note down the output values of the CloudFormation template.

Manual setup of S3 replication

  1. Log into the Log Archive account and open the Amazon S3 console.

  2. You can replicate AWS Config files from the centralized Log Archive bucket to the Dashboard bucket through an Amazon S3 Replication configuration; follow these instructions.

  3. Specify the IAM role created by the CloudFormation template at Step 2, as reported in the output value ReplicationRoleArn of the template.

If your Log Archive bucket is SSE-KMS encrypted, the replication role already has the necessary permissions; no additional steps are needed.
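As an added example (not code from the CRCD project, its CloudFormation templates or the CID-CMD tool), the following Python builds the S3 replication configuration the manual step above asks for, in the shape the S3 PutBucketReplication API expects, and checks the settings that cross-account SSE-KMS replication depends on: the ReplicationRoleArn role, ownership handed to the Dashboard account, SSE-KMS objects selected for replication, and replicas re-encrypted with DashboardBucketKmsKeyArn. Function names, rule ID and all account IDs, bucket names and ARNs are constructed placeholders.

```python
def build_replication_configuration(role_arn, dashboard_bucket, dashboard_account_id,
                                    dashboard_kms_key_arn=None):
    """Return a ReplicationConfiguration for the Log Archive bucket.

    role_arn              -> ReplicationRoleArn from the Step 2 stack outputs
    dashboard_bucket      -> Dashboard bucket created in Step 1
    dashboard_account_id  -> Dashboard account, which must own the replicas
    dashboard_kms_key_arn -> DashboardBucketKmsKeyArn, or None without SSE-KMS
    """
    destination = {
        "Bucket": f"arn:aws:s3:::{dashboard_bucket}",
        "Account": dashboard_account_id,
        # Hand object ownership to the Dashboard account (cross-account replication).
        "AccessControlTranslation": {"Owner": "Destination"},
    }
    rule = {
        "ID": "crcd-config-to-dashboard",  # constructed rule name
        "Priority": 1,
        "Status": "Enabled",
        "Filter": {"Prefix": ""},  # every new AWS Config object in the bucket
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": destination,
    }
    if dashboard_kms_key_arn:
        # SSE-KMS objects are replicated only when selected here, and the
        # replicas must be re-encrypted with the Dashboard bucket key.
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
        destination["EncryptionConfiguration"] = {"ReplicaKmsKeyID": dashboard_kms_key_arn}
    return {"Role": role_arn, "Rules": [rule]}


def check_replication_configuration(config, source_bucket_is_sse_kms):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    if not config.get("Role", "").startswith("arn:aws:iam::"):
        findings.append("Role must be the ReplicationRoleArn IAM role ARN")
    for rule in config.get("Rules", []):
        rid, dest = rule.get("ID"), rule.get("Destination", {})
        if rule.get("Status") != "Enabled":
            findings.append(f"{rid}: rule is not Enabled")
        if "AccessControlTranslation" in dest and "Account" not in dest:
            findings.append(f"{rid}: Account is required with AccessControlTranslation")
        sse = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        if source_bucket_is_sse_kms and sse.get("Status") != "Enabled":
            findings.append(f"{rid}: SSE-KMS objects will be skipped (SseKmsEncryptedObjects not Enabled)")
        if sse.get("Status") == "Enabled" and "ReplicaKmsKeyID" not in dest.get("EncryptionConfiguration", {}):
            findings.append(f"{rid}: ReplicaKmsKeyID (DashboardBucketKmsKeyArn) is missing")
    return findings
```

The returned dictionary is the `ReplicationConfiguration` argument of boto3's `s3.put_bucket_replication`, applied on the Log Archive bucket with that account's credentials.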

Note

The S3 replication rule configured at step 2 is valid only for new AWS Config files delivered to the Log Archive bucket, i.e. it will not replicate files that previously existed on the Log Archive bucket.

Step 3 [in Dashboard account]

Log back into the AWS Management Console for your Dashboard account.

Note

At this step you will specify the tags to be used to display resources in the Inventory management part of the dashboard. Use the tags that classify workloads and resources in your organization.

  1. Navigate to the AWS Management Console and open AWS CloudShell. Ensure you are in the correct region.

  2. Install the latest pip package of the CID-CMD tool:

    pip3 install --upgrade cid-cmd

  3. Deploy the dashboard by running the following command (replace the parameters accordingly):

    • --tag1 The name of the first tag you use to categorize workloads.

    • --tag2 The name of the second tag you use to categorize workloads.

    • --tag3 The name of the third tag you use to categorize workloads.

    • --tag4 The name of the fourth tag you use to categorize workloads.

    • Notice that tag parameters are case-sensitive and cannot be empty. If you do not use a tag, pass a short default value, e.g. --tag4 'NA'.

    • Leave all other parameters at their default value.

      cid-cmd deploy \
        --resources 'https://raw.githubusercontent.com/aws-samples/config-resource-compliance-dashboard/refs/heads/main/dashboard_template/cid-crcd.yaml' \
        --dashboard-id 'cid-crcd' \
        --athena-database 'cid_crcd_database' \
        --athena-workgroup 'crcd-dashboard' \
        --tag1 'REPLACE_WITH_CUSTOM_TAG_1' \
        --tag2 'REPLACE_WITH_CUSTOM_TAG_2' \
        --tag3 'REPLACE_WITH_CUSTOM_TAG_3' \
        --tag4 'REPLACE_WITH_CUSTOM_TAG_4'

  4. The CID-CMD tool will prompt you to select a datasource: [quicksight-datasource-id] Please choose DataSource (Select the first one if not sure):.

    • If you have installed other CID/CUDOS dashboards, select the existing datasource CID-CMD-Athena.

    • Otherwise select CID-CMD-Athena <CREATE NEW DATASOURCE>.

  5. When prompted [quicksight-datasource-role] Please choose a QuickSight role., select CidCmdQuickSightDataSourceRole <ADD NEW ROLE> or CidCmdQuickSightDataSourceRole (the second option is shown as the default if you already have other CID/CUDOS dashboards).

  6. In certain cases the installer will show an updated IAM policy JSON document and prompt ? [confirm-policy-AthenaAccess] Please confirm:. Select yes.

  7. When prompted [timezone] Please select timezone for datasets scheduled refresh.: select the time zone for the dataset scheduled refresh in your region (it is already preselected).

  8. When prompted [share-with-account] Share this dashboard with everyone in the account?: select the option that works for you.

Configure dataset refresh schedule (optional)

By default, the datasets for the CRCD dashboard are refreshed once a day. You can optionally configure the Refresh Schedule in QuickSight with a different frequency:

  1. Navigate to QuickSight and then Datasets.

  2. All the datasets for this dashboard have the prefix config_.

  3. Click on a dataset, and then open the Refresh tab.

  4. Click on ADD NEW SCHEDULE, select Full refresh, and choose the desired frequency.

Visualize the dashboard

  1. Navigate to QuickSight and then Dashboards.

  2. Ensure you are in the correct region.

  3. Click on the AWS Config Resource Compliance Dashboard (CRCD) dashboard.