AWS New Account Config

We’re getting ready to deploy our first production workload in AWS, and our AWS account team recommended we enable a bunch of auditing on our accounts in each region. That is a lot of clicking for 9 regions across three accounts.

This script will configure AWS CloudTrail and AWS Config Service in all regions, configure the logging bucket, and establish a reasonable password policy. Amazon is about to release 3 (or four) more regions in Ohio, England, Korea and India. As these regions spin up you’ll need to enable auditing trails there, even if you never plan to use the region.

The script can also be used with –status to make sure all your logging is enabled.

./ --status mydomain 49nnnnnnnnn
Using mydomain as my bucket suffix and 49nnnnnnnnn as my AWS Account Number
						Cloud Trail Status
Region 		Trail Name 		Bucket 		GlobalEvents?		Logging On?
eu-west-1 	Default 	logs-mydomain 		False 		True
ap-southeast-1 	Default 	logs-mydomain 		False 		True
ap-southeast-2 	Default 	logs-mydomain 		False 		True
eu-central-1 	Default 	logs-mydomain 		False 		True
ap-northeast-1 	Default 	logs-mydomain 		False 		True
us-east-1 	logs-mydomain 	arn:aws:cloudtrail:us-east-1:496486987401:trail/Default 		True
sa-east-1 	Default 	logs-mydomain 		False 		True
us-west-1 	Default 	logs-mydomain 		False 		True
us-west-2 	Default 	logs-mydomain 		False 		True

					AWS Config Service Status
Region 		Recorder Name 		Bucket 			Last Status?		Recording?
eu-west-1 	Default-eu-west-1 	logs-mydomain 		SUCCESS 		True
ap-southeast-1 	Default-ap-southeast-1 	logs-mydomain 		SUCCESS 		True
ap-southeast-2 	Default-ap-southeast-2 	logs-mydomain 		SUCCESS 		True
eu-central-1 	Default-eu-central-1 	logs-mydomain 		SUCCESS 		True
ap-northeast-1 	Default-ap-northeast-1 	logs-mydomain 		SUCCESS 		True
us-east-1 	Default-us-east-1 	logs-mydomain 		SUCCESS 		True
sa-east-1 	Default-sa-east-1 	logs-mydomain 		SUCCESS 		True
us-west-1 	Default-us-west-1 	logs-mydomain 		SUCCESS 		True
us-west-2 	Default-us-west-2 	logs-mydomain 		SUCCESS 		True

|        GetAccountPasswordPolicy         |
||            PasswordPolicy             ||
||  AllowUsersToChangePassword  |  True  ||
||  ExpirePasswords             |  True  ||
||  HardExpiry                  |  False ||
||  MaxPasswordAge              |  180   ||
||  MinimumPasswordLength       |  8     ||
||  RequireLowercaseCharacters  |  True  ||
||  RequireNumbers              |  True  ||
||  RequireSymbols              |  True  ||
||  RequireUppercaseCharacters  |  True  ||

This is a work in progress and as I delve deeper into account best practices I will be adding to this.