AWS Config for accounts compliance over accounts distributed to teams inside organizations

AWS Config service assists organizations to audit, evaluate, and assess the configurations of various AWS resources. It permits continuous recording and monitoring of the present configurations to facilitate an evaluation against desired configurations. As such, it is an essential service for enterprises allocating multiple AWS accounts to different teams. Keeping track and control of the accounts can be challenging since they serve different purposes with diverse compliance requirements. By using AWS Config, a company can address compliance challenges to conform with the required governance guidelines. 

‍

Non-compliance challenges 

Lacking a continuous compliance approach causes challenges such as failure to scale, inability to conduct proper assessments, exhausting compliance events, and insufficient feedback.

1. Failure to scale: Business can achieve instantaneous changes with rapid changes and scaling in a cloud environment. However, a manual compliance method can prevent easy adaptability to large and rapid scaling.
   ‍
2. Improper assessments: Changes occur regularly in a cloud-based infrastructure. The changes might cause policy violations especially if they go unnoticed. Also, using APIs to deploy changes causes extreme assessment difficulties where there lacks an automated and systematic compliance approach.
   ‍
3. Exhausting compliance events: Organizations lacking a continuous compliance method end up consuming valuable resources and time during external and internal audits when demonstrating compliance.
   ‍
4. Insufficient feedback: Product teams rely on accurate feedback to ensure proper change management to end products. At the heart of such feedback is continuous compliance as a manual approach performs partial compliance on separate events during the release lifecycle. 
   

AWS Config as a solution 

AWS Config consists of a managed service used to track AWS changes and resource inventory in a distributed environment. The Config Rules provides the assurance that both new and existing AWS resources conforms to an organization’s usage practices and security policies. Furthermore, AWS Config provides full visibility of the resources related to the distributed AWS accounts, including association with other resources, the configurations made different accounts, and how they have changed with time. For companies with distributed AWS accounts to various teams, they can use AWS Config for compliance through the following ways:

1. Compliance as Code 

An enterprise can use AWS Config to automate rule or policy enforcement. By using a relevant framework, Config Rules functionality enables the implementation of Compliance as Code. Most Config Rules enable a company to report on the specific controls described in the chosen framework. The controls may include encryption, controlled resource access, usage, and sharing. Config Rules enables continuous compliance as most are out-of-the-box from AWS, thus allowing simple customization. They also clearly indicate the pass or fail state of a resource with respect to a particular compliance requirement.  

2. Clear reporting 

Distributing multiple AWS accounts to different organizational teams may hinder correct and accurate reporting in regards to the compliance state. Monitoring the compliance needs using AWS Config provides an organized and customized ledger of deployment changes with a focus on how the resources meet compliance. A programmatic log generates useful data used as a reference during compliance audits. Besides, most companies are shifting to microservices based on CI/CD (Continuous Integration and Continuous Deployment). AWS Config leaves a vital trail of the continuous actions, further supporting accurate reporting on internal processes at each CI/CD process.

3. Automating problem mitigations 

AWS Config provides enterprises with the ability to automate mitigations to noncompliant resources. One can use an API or console to add rules for fixing noncompliant resources automatically. The functionality exists within documents in AWS Systems Manager Automation. Config Rules reference from instructions found in the documents designed to provide guidelines for various actions depending on the state of AWS resources. 

4. Config Rules

AWS Config Rules represent the desired settings or configurations for an AWS resource or account. Accounts violating the rules causes AWS Config to flag down the AWS accounts as noncompliant, and proceeds to notify through the Amazon SNS (Simple Notification Service). The Config Rules can either be managed or customized. In the former, AWS Config provides predefined but customizable rules to assist an organization get started on a continuous compliance process. There are many rules with new ones added regularly to cover emerging practices, technologies, and security requirements. On the other hand, organizational teams can create their own custom Config rules. The rules are specific to compliance needs governing services and resources in the distributed accounts. Custom rules enable the teams to address compliance shortcomings in their AWS accounts and workloads, thus ensuring an ongoing compliance.