AMS multi-account landing zone utilizes the AWS Config aggregator service to create a centralized view of compliance across all your accounts. This means you can see the compliance status of all AWS Config Rules across your AMS multi-account landing zone environment under the AWS Config aggregator in your security account.
The following is a sample of the AWS Config aggregator showcasing central compliance status of AWS Config Rules across accounts.
For more information, see the AWS documentation for Config Aggregator.
How does AMS use AWS Config rules?
AMS creates AWS Config Rules to give visibility into the configuration of your AWS resources against conditions specified in the rules. If a rule is non-compliant, you can request a change and the AMS Ops team will work with you to take corrective action.
In that case, you see the following changes appear in your AMS accounts:
AWS Config Rules under AWS Config > Rules
Custom Config rules with their Lambda functions exist in your account
Config Aggregator in Security account and Config Authorization in all accounts (Multi-Account Landing Zone only)
The following is a sample of AWS Config Rules and their compliance evaluation results is shown below:
To learn more about AWS Config, see:
-
AWS Config: What Is Config?
AWS Config Rules: Evaluating Resources with Rules
AWS Config Rules: Dynamic Compliance Checking: AWS Config Rules – Dynamic Compliance Checking for Cloud Resources
AWS Config Aggregator: Multi-Account Multi-Region Data Aggregation
