I finally got AWS Config working properly at work, huzzah!
After much trial and error, and a couple of support tickets, I finally succeeded in getting a working Terraform definition for deploying AWS Config. It turns out the documentation for AWS Config is missing some key instructions if you elect to create your own IAM role instead of using the default service-linked role. Ironically, the docs recommend that you don't use the service-linked role because it can create a potential security risk, but they fail to provide complete instructions for creating your own IAM role. Here are the two items that were not in the documentation and that gave me trouble.
For our use case, we have many AWS accounts and we want to send all of our AWS Config findings to one central location. AWS Config has an aggregation feature that can be set up to collect information from all accounts. The docs tell you that you need to attach the AWS_ConfigRole policy to your IAM role, but we kept seeing errors from the aggregator stating it could not read organization details. It turns out you also need to attach the AWSConfigRoleForOrganizations policy to the IAM role in order for the aggregator to process Config data from the other accounts.
Unlike some of the other AWS detective control services, AWS Config does not have an option to enable it automatically at the organization level. This means you have to set it up in each account, and in every region, individually. The frustrating part is that the documentation is not very clear about this requirement, and it is very tedious to perform this setup on every account. Thankfully, we have Terraform (or another infrastructure automation tool) to handle this for us. To make this more manageable in the future, we have added it to our account base template, so it is set up automatically whenever we create a new AWS account.
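As an added example (my own Terraform, not the author's definition from this post), here is a minimal per-account, per-region Config module that attaches both managed policies the post describes to a customer-managed role, plus the organization aggregator that is created once in the central account. The role name, bucket variable, module name and provider aliases are assumptions chosen for illustration; the two policy ARNs are the AWS-managed policies named in the post.

```hcl
# --- modules/aws-config/main.tf (assumed path) ---
# Instantiated once per account and per region; the provider is passed in.

variable "config_bucket_name" {
  description = "Central S3 bucket that receives Config snapshots (assumed name)"
  type        = string
}

# Customer-managed role instead of the service-linked role.
resource "aws_iam_role" "config" {
  name = "config-recorder-role" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Policy the docs do mention: lets the recorder describe resources.
resource "aws_iam_role_policy_attachment" "config_role" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Policy the docs omit: required for the aggregator to read organization details.
resource "aws_iam_role_policy_attachment" "config_orgs" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true # record IAM etc. from this region only
  }
}

resource "aws_config_delivery_channel" "this" {
  name           = "default"
  s3_bucket_name = var.config_bucket_name
  depends_on     = [aws_config_configuration_recorder.this]
}

# The recorder must exist and have a delivery channel before it can be started.
resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}

# --- root module of the account template (assumed layout) ---
# Config is regional, so the module is called once per region with a provider alias.

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

module "config_us_east_1" {
  source             = "./modules/aws-config"
  config_bucket_name = "org-config-logs-bucket" # assumed bucket name
  providers          = { aws = aws.us_east_1 }
}

module "config_eu_west_1" {
  source             = "./modules/aws-config"
  config_bucket_name = "org-config-logs-bucket" # assumed bucket name
  providers          = { aws = aws.eu_west_1 }
}

# --- central (aggregator) account only ---
# Reuses the same role, which is why AWSConfigRoleForOrganizations must be attached to it.
resource "aws_config_configuration_aggregator" "org" {
  name = "organization-aggregator" # assumed name
  organization_aggregation_source {
    all_regions = true
    role_arn    = module.config_us_east_1.config_role_arn # assumed module output
  }
}
```

The aggregator block belongs only in the central account's configuration; the per-region module is what goes into every account's base template. The central bucket also needs its own bucket policy granting the `config.amazonaws.com` service principal `s3:GetBucketAcl` and `s3:PutObject`, otherwise the delivery channel creation fails even with a correct role.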