
I am currently trying to enable AWS Config notifications on multiple accounts. I have enabled monitoring on each individual account with its own S3 bucket and SNS topic, but it would make more sense to have one centralized bucket and topic. I am trying to implement this with little success. I have created an S3 bucket and target ARN, but when I try to apply the changes I get an error of "insufficient delivery policy".

Note I am doing this through the AWS console and not with code.

  • If you _were_ getting that error while using code (like I am), I would say check out this thread https://github.com/aws/aws-sdk-js/issues/850 which mentions how it can take time for newly created IAM policies to propagate, maybe 10 or 15 seconds. (In these instances, you can at the very least create a crude polling function to check when it's available first) – D.Tate Mar 25 '18 at 16:24
  • 1
    AWS Config has a sub-par user experience, it is just ridiculous. 8 years later and it has improved none at all. Such cr*p. – advance512 Feb 22 '23 at 14:04

1 Answer


To do this, you need two pieces:

  1. The Identity and Access Management (IAM) role being used must have permissions to deliver data to the common S3 bucket and SNS topic. You'll need to go to the IAM Management Console and edit the role being used by Config in each account, updating the S3 bucket/SNS topic names in "PutObject", "GetBucketACL" and "sns:Publish".

  2. You also need to allow the S3 bucket and SNS topic to receive data from this new role. See:
     a. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_accounts_bucket_policy.html
     b. http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage_UseCases_Sns.html
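The two pieces above, as an added example that is not part of the original answer: a small Python generator for the three policy documents (the Config role's identity policy for one member account, the central bucket policy, and the central SNS topic policy) for a list of member accounts, plus a pre-flight check that reports which of the two S3 grants the answer names are missing for a given account's role. The bucket name, topic ARN, role name, account IDs and the `AWSLogs/<account>/Config/*` key prefix are all assumptions chosen for the example; substitute your own. Each account's role is only allowed to write under its own prefix, so a compromised member account cannot overwrite another account's configuration history.

```python
import json

# Constructed sample inputs (assumptions, not values from the original post).
CENTRAL_BUCKET = "example-central-config-bucket"
CENTRAL_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:config-central"
CONFIG_ROLE_NAME = "config-role"  # assumes the same role name exists in every member account
MEMBER_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]


def role_arn(account_id, role_name=CONFIG_ROLE_NAME):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def config_role_policy(account_id, bucket=CENTRAL_BUCKET, topic_arn=CENTRAL_TOPIC_ARN):
    """Piece 1: identity policy for the Config role in ONE member account.
    Exactly the three actions the answer names: s3:PutObject (scoped to the account's
    own prefix, an assumed layout), s3:GetBucketAcl on the bucket, sns:Publish on the topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PutConfigObjects", "Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/Config/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            {"Sid": "CheckBucketAcl", "Effect": "Allow", "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "PublishConfigNotifications", "Effect": "Allow", "Action": "sns:Publish",
             "Resource": topic_arn},
        ],
    }


def central_bucket_policy(accounts, bucket=CENTRAL_BUCKET, role_name=CONFIG_ROLE_NAME):
    """Piece 2a: resource policy on the central bucket trusting each account's Config role.
    One shared GetBucketAcl statement, then one per-account PutObject statement confined
    to that account's prefix (least privilege across accounts)."""
    principals = [role_arn(a, role_name) for a in accounts]
    statements = [
        {"Sid": "ConfigBucketAclCheck", "Effect": "Allow", "Principal": {"AWS": principals},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    for account in accounts:
        statements.append({
            "Sid": f"ConfigWrite{account}", "Effect": "Allow",
            "Principal": {"AWS": role_arn(account, role_name)},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account}/Config/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def central_topic_policy(accounts, topic_arn=CENTRAL_TOPIC_ARN, role_name=CONFIG_ROLE_NAME):
    """Piece 2b: access policy on the central SNS topic letting each Config role publish."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ConfigPublish", "Effect": "Allow",
        "Principal": {"AWS": [role_arn(a, role_name) for a in accounts]},
        "Action": "sns:Publish", "Resource": topic_arn}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def missing_bucket_grants(policy, account_id, bucket=CENTRAL_BUCKET, role_name=CONFIG_ROLE_NAME):
    """Pre-flight check: which of the two S3 grants the answer requires are absent for this
    account's role in the given bucket policy. Empty list means the role is fully granted;
    a non-empty list is a delivery-policy gap to close before applying the Config change."""
    needed = {
        "s3:GetBucketAcl": f"arn:aws:s3:::{bucket}",
        "s3:PutObject": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/Config/*",
    }
    arn = role_arn(account_id, role_name)
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if arn not in principals:
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        for action, resource in needed.items():
            if action in actions and resource in resources:
                found.add(action)
    return sorted(set(needed) - found)


if __name__ == "__main__":
    bucket_policy = central_bucket_policy(MEMBER_ACCOUNTS)
    print(json.dumps(bucket_policy, indent=2))
    print(json.dumps(central_topic_policy(MEMBER_ACCOUNTS), indent=2))
    for acct in MEMBER_ACCOUNTS:
        print(acct, "missing:", missing_bucket_grants(bucket_policy, acct))
```

Run it once per member account to get that account's role policy, and once in the central account to get the bucket and topic policies; re-run `missing_bucket_grants` against the bucket policy you actually attached before retrying the Config change. Note that this matches statements literally (exact ARNs, no wildcard expansion), so a policy that grants the same access through `*` patterns will be reported as missing even though it would work.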