
Can anyone help me sort out my queries on AWS Config?

Firstly, when I launch Control Tower, I see two Config aggregators, one in the management account and the other in the archive account. What is the difference between these two? If there is no difference, won't it result in unnecessary costs? If there is a difference, may I know what the differences are and which one is the main Config one?

I believe I am correct in my understanding that controls implemented by preventive guardrails, though implemented through AWS Config, have nothing to do with AWS Config. I mean, do the non-compliance findings shown by CT and the AWS Config aggregator differ?

Let's say I want to apply CIS/NIST conformance packs; where should I apply them? Is it under the aggregator of the management account or of the archive account? I also see an option of frameworks under CT guardrails. What difference does it make if I apply NIST as controls on Control Tower rather than on the AWS Config aggregator?

1 Answer


Difference between the two Config aggregators in Control Tower:

Control Tower sets up two AWS Config aggregators for you: one in the management account and one in the log archive account. The primary difference between these two aggregators is their scope and purpose.

Management account aggregator: This aggregator is responsible for aggregating configuration and compliance data from all AWS accounts within the organization. This allows you to view the compliance status and configuration changes across your entire organization from a single place.

Log archive account aggregator: This aggregator is focused on aggregating AWS Config data related to the log archive account. The primary purpose of this account is to store and centralize logs and audit trails for security and compliance purposes.

While it might seem redundant, having these two aggregators set up separately allows for better organization, control, and visibility of your AWS resources and their compliance status.

Guardrails and AWS Config:

Preventive guardrails in Control Tower are implemented using AWS Config rules. While the rules are managed by AWS Config, the guardrails themselves are specific to Control Tower. Non-compliance information shown by Control Tower might differ from the information in AWS Config, as Control Tower provides a higher-level view of your multi-account environment and its compliance status.

Applying CIS/NIST conformance packs:

To apply CIS or NIST conformance packs, you should do so in the management account's AWS Config aggregator. This will ensure that the conformance packs are applied across all the accounts in your organization. Control Tower guardrails are meant to enforce best practices, whereas conformance packs are a predefined set of AWS Config rules and remediation actions tailored to meet specific compliance standards like CIS or NIST.

Regarding frameworks under Control Tower guardrails, they are pre-built guardrail sets designed for specific compliance needs. If you choose to apply a NIST framework as a guardrail, it will provide similar benefits as applying NIST conformance packs in AWS Config. However, the difference lies in the implementation: Control Tower guardrails are designed to work seamlessly with your Control Tower multi-account environment, whereas conformance packs in AWS Config will need to be managed and applied directly within AWS Config.

Wenbing Li
A special thanks for picking up my queries. Just a couple more on your comments. Firstly, on the differences between the aggregators: if the AWS aggregator in the archive account tracks only its own account, is that aggregator still required to meet its own purpose? Also, if I need to consolidate all Config logs (of all accounts) into a central bucket, do I need to find a way to send the management aggregator logs as well as the archive aggregator logs to the centralized bucket? Lastly, on conformance packs, what is the best practice to apply NIST: is it through CT or Config? – nischeruku Apr 03 '23 at 17:39
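To illustrate the answer's advice to deploy conformance packs from the management account so they reach every account in the organization, here is an added CloudFormation example (not code from the original answer or from AWS Control Tower) that creates an organization conformance pack from one of the AWS-published sample pack templates. The template S3 URI, the delivery bucket name and the excluded account id are placeholders you must replace.

```yaml
# Added example, not from the original answer.
# Deploy this stack in the Control Tower management account (or the account
# registered as the Config delegated administrator); AWS Config then rolls the
# pack out to all member accounts that have a Config recorder.
AWSTemplateFormatVersion: "2010-09-09"
Description: Organization-wide NIST CSF conformance pack (management account)

Resources:
  NistCsfOrgConformancePack:
    Type: AWS::Config::OrganizationConformancePack
    Properties:
      OrganizationConformancePackName: nist-csf-operational-best-practices
      # Placeholder: upload the AWS sample pack
      # "Operational-Best-Practices-for-NIST-CSF.yaml" (from the public
      # awslabs/aws-config-rules repository) to a bucket you own, then point here.
      TemplateS3Uri: s3://YOUR-TEMPLATE-BUCKET/Operational-Best-Practices-for-NIST-CSF.yaml
      # Optional delivery bucket for pack artifacts. For organization
      # conformance packs the bucket name must begin with "awsconfigconforms".
      DeliveryS3Bucket: awsconfigconforms-YOUR-ORG-SUFFIX   # placeholder
      # Optional: accounts to skip, e.g. one without a Config recorder yet.
      ExcludedAccounts:
        - "111111111111"   # placeholder account id
```

Once the stack is created, `aws configservice get-organization-conformance-pack-detailed-status --organization-conformance-pack-name nist-csf-operational-best-practices` reports the per-account rollout status, which is the check to run if a member account shows no NIST rules in its Config console.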