AWS New Account Config

We’re getting ready to deploy our first production workload in AWS, and our AWS account team recommended we enable a bunch of auditing on our accounts in each region. That is a lot of clicking for 9 regions across three accounts.

This script will configure AWS CloudTrail and AWS Config Service in all regions, configure the logging bucket, and establish a reasonable password policy. Amazon is about to release 3 (or four) more regions in Ohio, England, Korea and India. As these regions spin up you’ll need to enable auditing trails there, even if you never plan to use the region.

The script can also be used with –status to make sure all your logging is enabled.

./new_account_config.sh --status mydomain 49nnnnnnnnn
Using mydomain as my bucket suffix and 49nnnnnnnnn as my AWS Account Number
                        Cloud Trail Status
Region      Trail Name      Bucket      GlobalEvents?       Logging On?
eu-west-1   Default     logs-mydomain       False       True
ap-southeast-1  Default     logs-mydomain       False       True
ap-southeast-2  Default     logs-mydomain       False       True
eu-central-1    Default     logs-mydomain       False       True
ap-northeast-1  Default     logs-mydomain       False       True
us-east-1   logs-mydomain   arn:aws:cloudtrail:us-east-1:496486987401:trail/Default         True
sa-east-1   Default     logs-mydomain       False       True
us-west-1   Default     logs-mydomain       False       True
us-west-2   Default     logs-mydomain       False       True

                    AWS Config Service Status
Region      Recorder Name       Bucket          Last Status?        Recording?
eu-west-1   Default-eu-west-1   logs-mydomain       SUCCESS         True
ap-southeast-1  Default-ap-southeast-1  logs-mydomain       SUCCESS         True
ap-southeast-2  Default-ap-southeast-2  logs-mydomain       SUCCESS         True
eu-central-1    Default-eu-central-1    logs-mydomain       SUCCESS         True
ap-northeast-1  Default-ap-northeast-1  logs-mydomain       SUCCESS         True
us-east-1   Default-us-east-1   logs-mydomain       SUCCESS         True
sa-east-1   Default-sa-east-1   logs-mydomain       SUCCESS         True
us-west-1   Default-us-west-1   logs-mydomain       SUCCESS         True
us-west-2   Default-us-west-2   logs-mydomain       SUCCESS         True

-------------------------------------------
|        GetAccountPasswordPolicy         |
+-----------------------------------------+
||            PasswordPolicy             ||
|+------------------------------+--------+|
||  AllowUsersToChangePassword  |  True  ||
||  ExpirePasswords             |  True  ||
||  HardExpiry                  |  False ||
||  MaxPasswordAge              |  180   ||
||  MinimumPasswordLength       |  8     ||
||  RequireLowercaseCharacters  |  True  ||
||  RequireNumbers              |  True  ||
||  RequireSymbols              |  True  ||
||  RequireUppercaseCharacters  |  True  ||
|+------------------------------+--------+|

This is a work in progress and as I delve deeper into account best practices I will be adding to this.