A Terraform configuration example that you can use to set up centralized AWS Config recording for multiple accounts in your organization:
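# Configure the AWS provider.
#
# Static credentials are deliberately NOT set here. A long-lived access key and
# secret written into a .tf file ends up in version control history, CI logs and
# plan/state output. Let the provider resolve credentials through its standard
# chain instead: the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment
# variables, a named profile (AWS_PROFILE), or an instance/role credential.
provider "aws" {
  # Replace with the AWS region where you want to create the AWS Config resources
  region = "us-east-1"
}

# Define the list of AWS accounts to be managed by AWS Config
variable "aws_accounts" {
  description = "AWS account IDs whose configuration should be recorded and delivered to the centralized bucket."
  type        = list(string)
  default = [
    "123456789012",
    "234567890123",
    "345678901234",
  ]
}

# Create a configuration recorder for each AWS account in the list.
#
# NOTE(review): AWS allows exactly one configuration recorder per account and
# region, and a recorder can only use a role in its *own* account. With the
# single provider configured above, every `count` instance would be created in
# the same account, so more than one element in var.aws_accounts cannot apply
# as written. Each member account needs its own provider (alias + assume_role),
# and `config_recorder_role` must exist in that account; alternatively, record
# per account and aggregate centrally with an AWS Config aggregator.
resource "aws_config_configuration_recorder" "accounts" {
  count = length(var.aws_accounts)

  name     = "account${count.index + 1}_recorder"
  role_arn = "arn:aws:iam::${var.aws_accounts[count.index]}:role/config_recorder_role"
}

# Deliver each account's configuration snapshots to the centralized bucket.
resource "aws_config_delivery_channel" "accounts" {
  count = length(var.aws_accounts)

  name = "account${count.index + 1}_delivery_channel"

  # Deliver to the central bucket created below; the original per-account
  # "accountN-config-bucket" names are never created by this configuration.
  s3_bucket_name = aws_s3_bucket.config_bucket.id
  # Region is hard-coded to match the provider region above; keep them in sync.
  sns_topic_arn = "arn:aws:sns:us-east-1:${var.aws_accounts[count.index]}:account${count.index + 1}-config-topic"

  # The AWS provider calls this block `snapshot_delivery_properties`.
  snapshot_delivery_properties {
    delivery_frequency = "Six_Hours"
  }

  # AWS rejects a delivery channel until a configuration recorder exists in
  # the account, so order the creation explicitly.
  depends_on = [aws_config_configuration_recorder.accounts]
}

# Create an S3 bucket to store the AWS Config snapshots
resource "aws_s3_bucket" "config_bucket" {
  # Replace with the desired name for the S3 bucket (bucket names are globally unique).
  # Configuration history describes your whole estate; pair this bucket with a
  # public-access block, default encryption, and a bucket policy that only lets
  # the config.amazonaws.com service principal write to it.
  bucket = "centralized-config-bucket"
}

# Create an IAM role that AWS Config can assume to access the S3 bucket
#
# NOTE(review): nothing above references this role — the recorder uses a
# `config_recorder_role` ARN in each managed account. For a single-account
# deployment point the recorder at `aws_iam_role.config_role.arn` instead.
resource "aws_iam_role" "config_role" {
  name = "config_role"

  # Trust policy: only the AWS Config service principal may assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# Attach a policy to the IAM role that allows AWS Config to access the S3 bucket
resource "aws_iam_policy" "config_policy" {
  name = "config_policy"

  # Scope the S3 permissions to the central bucket only; do not widen the
  # Resource to "*".
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::central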