What is this?
This capability deletes the AWS Config Recorder on selected accounts.
Why is this important?
AWS ControlTower deploys an AWS Config Recorder in every account that it manages. This enables a central inventory of cloud resources and their configuration. It also supports a number of controls and guardrails deployed alongside AWS ControlTower. However, in sandbox accounts where cloud resources may have a short life cycle, AWS Config maintains configuration item records that are wasted. Because of that, we have seen sandbox accounts where AWS Config costs come first. The new capability will allow SPA to reduce costs significantly across sandbox accounts.
How to implement it?
The solution presented by AWS consists of: 1) detaching the SCP that prevents management of AWS Config, 2) deleting the AWS Config Recorder in the target account, 3) attaching the SCP again. ref
The deletion of an AWS Config Recorder is supported in the AWS CLI (ref) and in boto3 (ref), so it should be possible to automate it as part of the preparation process.
The new capability could be split in two parts:
- SPA takes care of the SCP detach and re-attach operations on the SCP selected explicitly in settings
- Deletion of the AWS Config Recorder can be set via the buildspec used for preparation tasks, and with tags set at OU level and at account level in settings
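The three-step procedure above (detach SCP, delete recorder, re-attach SCP), as an added example that is not SPA project code. It assumes the caller supplies boto3 `organizations` and `config` clients (the `config` client on credentials for the target account); the SCP is re-attached in a `finally` block so the guardrail gap stays as short as possible even when deletion fails.

```python
"""Delete a sandbox account's AWS Config recorder while an SCP is detached.

Added example (not from the SPA project). The functions take any objects
exposing the boto3 method names used here, so they can be exercised with
in-memory stand-ins; the __main__ block shows a real run with boto3.
"""
from contextlib import contextmanager


@contextmanager
def scp_detached(org_client, policy_id, target_id):
    """Detach an SCP from an OU or account and re-attach it on exit.

    Re-attachment happens in ``finally`` so an exception in the body never
    leaves the account without the AWS Config management guardrail.
    """
    org_client.detach_policy(PolicyId=policy_id, TargetId=target_id)
    try:
        yield
    finally:
        org_client.attach_policy(PolicyId=policy_id, TargetId=target_id)


def delete_config_recorders(config_client):
    """Stop and delete every configuration recorder visible to the client.

    AWS Config allows one recorder per account and region, so the returned
    list of deleted names is normally one entry, or empty if none exists.
    Stopping first is defensive: it halts recording before the delete call.
    """
    response = config_client.describe_configuration_recorders()
    deleted = []
    for recorder in response.get("ConfigurationRecorders", []):
        name = recorder["name"]
        config_client.stop_configuration_recorder(ConfigurationRecorderName=name)
        config_client.delete_configuration_recorder(ConfigurationRecorderName=name)
        deleted.append(name)
    return deleted


def clean_sandbox_account(org_client, config_client, policy_id, target_id):
    """Detach the SCP, delete the recorder(s), re-attach the SCP."""
    with scp_detached(org_client, policy_id, target_id):
        return delete_config_recorders(config_client)


if __name__ == "__main__":  # real run: needs boto3 and AWS credentials
    import sys
    import boto3
    scp_id, account = sys.argv[1], sys.argv[2]  # hypothetical CLI arguments
    print(clean_sandbox_account(boto3.client("organizations"),
                                boto3.client("config"), scp_id, account))
```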
Definition of Done:
- document the procedure for management of the AWS Config recorder in workbooks/manage-aws-config.md
- add a feature file to describe the architecture and expected behaviour: features/scp-management.feature
- provide a script fixtures/scripts/delete-aws-config-recorder.sh
- add the new configuration option with_scp_avoidance in section features of the settings file
- add test settings fixtures/settings/settings_with_scp_avoidance.yaml
- add test tests/test_cdk_configuration.py
- pass make tests
- pass make lint