Setting Up Aggregate AWS Config Collection in CloudCheckr
AWS allows you to combine AWS Config log files from multiple AWS accounts into a single S3 bucket. Using CloudCheckr’s Multi-Account View, you can view the details and changes from these Config logs. CloudCheckr will also automatically funnel the data down from the Multi-Account View into the general accounts, if they have been added to CloudCheckr.
NOTE: You must use a multi-account view in CloudCheckr to process aggregated AWS Config logs.
To configure your CloudCheckr Multi-Account View to retrieve the log files from your AWS aggregated S3 bucket, follow these steps:
1 – Load (or create) the Multi-Account View you would like to configure from your list of Multi-Account Views.
2 – In the left-hand menu of reports, select Security > AWS Config > Aggregated S3 Buckets > Configure
3 – Within the “Name of the S3 Bucket storing the Aggregate AWS Config data” text box enter the exact name of the S3 bucket where your aggregate AWS Config logs are being stored.
4 – Enter the Access Key and Secret Key from an IAM user that has permissions to access the S3 bucket storing the aggregate AWS Confg logs.
NOTE: The IAM user must exist in the same AWS account as the S3 aggregated bucket.
NOTE: For instructions on creating a Read Only Access Key and Secret Key, please see here: https://support.cloudcheckr.com/getting-started-with-cloudcheckr/adding-credentials-in-cloudcheckr/creating-an-aws-user-group-and-policy/
These are the IAM permissions needed for CloudCheckr to verify and process the AWS Config data from the aggregate S3 bucket:
"iam:GetUser", "s3:ListBuckets", "s3:ListObjects," "s3:GetObject"
5 – Click the Update button.
That’s it! CloudCheckr will now begin downloading the Trail data from that AWS Config bucket. Once that’s finished you can use the AWS Config reports within this Multi-Account View to explore the data.