Deployment: AWS Config account
Deployment Instructions
The infrastructure needed to collect and process the data is defined in AWS CloudFormation. The dashboard resources are defined in a template file that can be installed using the CID-CMD
Deployment on standalone account
Follow the same installation instructions for the AWS Config account.
Deployment on AWS Config account
The installation process consists of two steps:
-
Data pipeline resources for the dashboard, via CloudFormation stack.
-
Quick Sight resources for the dashboard and the necessary Athena views, using the CID-CMD
command line tool.
Deployment Steps
Note
Ensure you are in the Region where both your AWS Config Logs bucket and Amazon Quick Sight are deployed.
Step 1
-
Log into the AWS Management Console for your AWS Config account.
-
Click the Launch Stack button below to open the stack template in your CloudFormation console. This Stack will create the data pipeline resources for the dashboard.
-
Specify the following parameters:
-
AWS Config account IDEnter the AWS account ID where you are currently logged in (Required). -
AWS Config Logs bucketEnter the name of the Amazon S3 bucket that collects AWS Config data (Required). -
ARN of the KMS key that encrypts the AWS Config Logs bucketLeave empty if the bucket is not encrypted with a KMS key. If you encrypt the bucket with a KMS key, copy the key’s ARN here.-
CloudFormation will create an IAM policy that grants Amazon Quick Sight permissions to use the key for decrypt operations.
-
You may prefer managing key permissions on the key policy, rather than IAM. In this case, leave the parameter empty. You’ll have to manually grant key permissions in the key policy (more details below).
-
-
Dashboard account IDEnter the same value as theAWS Config account ID(Required). -
Dashboard bucketEnter the same value as theAWS Config Logs bucket(Required). -
ARN of the KMS key that encrypts the Dashboard bucketLeave empty, this parameter is ignored in this deployment mode. -
Configure S3 event notificationThis will configure S3 event notifications to trigger the Partitioner Lambda function, which creates the corresponding partition on Amazon Athena when a new AWS Config file is delivered to the AWS Config Logs bucket (Required).-
Select
yesto configure S3 event notifications. -
Select
noif you have already configured event notifications on the AWS Config Logs bucket. You’ll have to manually configure S3 event notifications (more details below). -
The S3 event notification configuration is performed by an ad-hoc Lambda function (called
crcd-support-configure-s3-event-notification) that will be called by the CloudFormation template automatically.Note
The
crcd-support-configure-s3-event-notificationfunction will return an error (and the entire stack will fail) if you have already configured event notifications on the AWS Config Logs bucket. In this case you must selectnoand run the stack again.
-
-
Configure cross-account replicationLeave at the default value. This parameter is ignored in this deployment mode. -
Is the AWS Organization Data Collection Module of CID Data Collection installed?This is the recommended way to extend the dashboard with account names and organization metadata, make sure the setup of CID Data Collection is complete prior to deploy the dashboard (Required). We recommend to install the dashboard and the CID Data collection module in the same account and Region.-
Select
yesto confirm the AWS Organization Data Collection Module of CID Data Collection is installed. -
Select
nootherwise.
-
-
CID data collection bucketEnter the name of the destination bucket created by the CID Data Collection module. By default, it is the string 'cid-data-' concatenated with the Data Collection account number, e.g. 'cid-data-1234567890'. You can find the exact name on the KeyBucketof the outputs section of the CID Data Collection stack. An ad-hoc Lambda function (calledcrcd-support-configure-account-names) will access the data and prepare your organizational taxonomy for the later steps of deployment. -
Leave all other parameters at their default value.
-
-
Run the CloudFormation template.
-
Note down the output values of the CloudFormation template.
Manual setup of KMS key permissions
Note
Skip this section if you do not utilize a KMS key to encrypt your Dashboard bucket, or if you specified the key ARN in the CloudFormation parameter ARN of the KMS key that encrypts the Dashboard bucket in Step 1.
Follow these steps to edit the key policy and grant the Quick Sight role permissions to use the key for decrypt operations.
-
Ensure you are logged into the AWS Management Console on the AWS Config account and Region where you created the KMS key that encrypts the AWS Config Logs bucket.
-
Open the AWS Key Management Service console and click on the KMS key.
-
Add the following statement to the key policy:
{ "Sid": "CRCD Dashboard allow Quick Sight Role access", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_ID:role/QUICKSIGHT_DATASOURCE_ROLE" }, "Action": [ "kms:Decrypt" ], "Resource": "*" }
Where:
-
ACCOUNT_IDis the AWS account ID where you installed the dashboard. -
QUICKSIGHT_DATASOURCE_ROLEis the value of the outputQuick SightDataSourceRolefrom the CloudFormation template.
Manual setup of S3 event notification
Note
Skip this section if you selected yes in CloudFormation parameter Configure S3 event notification in Step 1.
If you selected no, you must configure the AWS Config Logs S3 bucket event notification to trigger the Lambda Partitioner function when objects are added to the bucket. CloudFormation has already deployed the necessary permissions for the Lambda function to access the AWS Config Logs bucket. You can find the ARN of the Lambda Partitioner function in the output values of the CloudFormation template.
We recommend that you configure your event notification to an SNS topic in these cases:
-
If your bucket already publishes events notifications to an SNS topic, subscribe the Lambda Partitioner function to the topic.
-
If your bucket sends event notifications to another Lambda function, change the notification to an SNS topic and subscribe both the existing function and the Lambda Partitioner function to that SNS topic.
The S3 event notifications for this dashboard must meet the following requirements:
-
All object create events.
-
All prefixes.
This may be a challenge depending on your current S3 event notification setup, as Amazon S3 cannot have overlapping prefixes in two rules for the same event type.
Follow these instructions to add a notification configuration to your bucket using an Amazon SNS topic. Also, ensure that the AWS Config Logs bucket is granted permissions to publish event notification messages to your SNS topic.
Step 2
Remain logged into the AWS Management Console for your AWS Config account.
Note
At this step you will specify the tags to be used to display resources in the Resource inventory management part of the dashboard. Use the tags that classify workloads and resources in your organization. Use the Athena query in the dashboard’s FAQ to see the tags that are used across your organization.
-
Navigate to the AWS Management Console and open AWS CloudShell
. Ensure to be in the correct Region. -
Install the latest pip package of the CID-CMD
tool: pip3 install --upgrade cid-cmd
-
Deploy the dashboard by running the following command (replace the parameters accordingly):
-
--tag1The name of the first tag you use to categorize resources. -
--tag2The name of the second tag you use to categorize resources. -
--tag3The name of the third tag you use to categorize resources. -
--tag4The name of the fourth tag you use to categorize resources. -
Notice that tag parameters are case sensitive and cannot be empty. If you do not use a tag, pass a short default value, e.g.
--tag4 'NA'. -
Leave all other parameters at their default value.
-
cid-cmd deploy \ --resources 'https://raw.githubusercontent.com/aws-samples/config-resource-compliance-dashboard/refs/heads/main/dashboard_template/cid-crcd.yaml' \ --dashboard-id 'cid-crcd' \ --athena-database 'cid_crcd_database' \ --athena-workgroup 'crcd-dashboard' \ --tag1 'REPLACE_WITH_CUSTOM_TAG_1' \ --tag2 'REPLACE_WITH_CUSTOM_TAG_2' \ --tag3 'REPLACE_WITH_CUSTOM_TAG_3' \ --tag4 'REPLACE_WITH_CUSTOM_TAG_4'
-
The CID-CMD tool will prompt you to select a datasource:
[quicksight-datasource-id] Please choose DataSource (Select the first one if not sure):.-
If you have installed other CID/CUDOS dashboards, select the existing datasource
CID-CMD-Athena. -
Otherwise select
CID-CMD-Athena <CREATE NEW DATASOURCE>.
-
-
When prompted
[quicksight-datasource-role] Please choose a Quick Sight role. It must have access to Athena:selectCidCmdQuickSightDataSourceRole <ADD NEW ROLE>orCidCmdQuickSightDataSourceRole(the second option will appear by default if you have other CID/CUDOS dashboards). -
In certain cases the installer will show an updated IAM policy JSON code and prompt
? [confirm-policy-AthenaAccess] Please confirm:. Selectyes. -
When prompted
[timezone] Please select timezone for datasets scheduled refresh.:select the time zone for dataset scheduled refresh in your Region (it is already preselected). -
When prompted
Select taxonomy fields to add as dashboard filters and group by fieldsselect the organization metadata extracted previously.-
You will see
accountid(Accound ID),account_name(Account Name) andregion(Region). Do not add these since they are already part of the dashboard. -
You will see other fields such as
organization_unit(the OU where the account belongs) and one or more fields calledou_tag_<tag name>- for exampleou_tag_application,ou_tag_owner,ou_tag_costcenter. These are the tags added to your OUs and accounts in AWS Organizations on the payer account. -
Add and order fields according to your needs.
-
Select
Looks goodwhen done.
-
-
When prompted
[share-with-account] Share this dashboard with everyone in the account?:select the option that works for you.
Visualize the dashboard
-
Navigate to Quick Sight and then
Dashboards. -
Ensure you are in the correct Region.
-
Click on the AWS Config Resource Compliance Dashboard (CRCD) dashboard.