Single And Multi Account AWS Config Aggregator Setup
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to get all the resources deployed in your AWS landscape.
https://cloudaffaire.com/how-to-get-all-resources-deployed-in-aws/
AWS Config Aggregator collects configuration and compliance data from multiple accounts and regions into a centralized location. A config aggregator can be deployed in three ways: single account with multiple regions, multiple accounts with multiple regions, and at the AWS Organization level. In this blog post, we will first set up a single-account, multi-region config aggregator and then update that aggregator to include a second account for a multi-account, multi-region config aggregator setup.
We will use the AWS CLI for this demo to walk through the entire config aggregator setup from start to finish for accounts that are not part of an AWS Organization, though a CloudFormation stack set for the config aggregator using the AWS Organization feature is more suitable for this job.
Single And Multi Account AWS Config Aggregator Setup:
Prerequisites:
- AWS CLI installed and configured with proper access in multiple AWS accounts. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
I have set up the AWS CLI as shown below.
```
cat .aws/config
[profile member1]
region = ap-south-1
output = json

[profile member2]
region = ap-south-1
output = json

cat .aws/credentials
[member1]
aws_access_key_id = <Account_A_Access_Key>
aws_secret_access_key = <Account_A_Secret_Key>

[member2]
aws_access_key_id = <Account_B_Access_Key>
aws_secret_access_key = <Account_B_Secret_Key>
```
Step 1: Create S3 bucket in both the accounts to store config data.
```bash
#############################
## For Account A (member1) ##
#############################

## Create the S3 bucket
aws s3api create-bucket \
  --bucket config-recording-s3-bucket-member1 \
  --region ap-south-1 \
  --profile member1 \
  --create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for config
cat <<EOF > config_bucket_policy_member1.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": ["config.amazonaws.com"]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member1"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": ["config.amazonaws.com"]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member1"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": ["config.amazonaws.com"]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member1/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
EOF

## Create a S3 bucket policy for Config
aws s3api put-bucket-policy \
  --bucket config-recording-s3-bucket-member1 \
  --profile member1 \
  --policy file://config_bucket_policy_member1.json

#############################
## For Account B (member2) ##
#############################

## Create the S3 bucket
aws s3api create-bucket \
  --bucket config-recording-s3-bucket-member2 \
  --region ap-south-1 \
  --profile member2 \
  --create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for config
cat <<EOF > config_bucket_policy_member2.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": ["config.amazonaws.com"]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member2"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": ["config.amazonaws.com"]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member2"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": ["config.amazonaws.com"]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member2/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
EOF

## Create a S3 bucket policy for Config
aws s3api put-bucket-policy \
  --bucket config-recording-s3-bucket-member2 \
  --profile member2 \
  --policy file://config_bucket_policy_member2.json
```
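The Step 1 bucket policy grants the `config.amazonaws.com` service principal access without restricting which account's Config service may use it; AWS's guidance for the Config delivery bucket adds an `AWS:SourceAccount` condition to these statements. The following is an added example, not code from the original post: a Python check that reports service-principal statements lacking that scope and rebuilds the Step 1 policy with it. The function names and the account ID `111111111111` are constructed for illustration.

```python
# Added example (not from the original post): flag bucket-policy statements that
# grant the AWS Config service principal access without a source-account scope.
import json

CONFIG_SERVICE = "config.amazonaws.com"
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition keys are case-insensitive
POSITIVE_OPERATORS = {"stringequals", "stringlike", "arnequals", "arnlike"}


def _as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_source_scoped(statement):
    """True when a positive condition operator pins aws:SourceAccount or aws:SourceArn."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in POSITIVE_OPERATORS and any(k.lower() in SCOPING_KEYS for k in keys):
            return True
    return False


def unscoped_service_grants(policy, service=CONFIG_SERVICE):
    """Return the Sid (or index) of each Allow statement for `service` lacking a source scope."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        principal = statement.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if statement.get("Effect") == "Allow" and service in services and not _is_source_scoped(statement):
            findings.append(statement.get("Sid") or f"statement[{index}]")
    return findings


def step1_policy(bucket, source_account=None):
    """Rebuild the Step 1 policy; optionally add AWS:SourceAccount to every statement."""
    arn = f"arn:aws:s3:::{bucket}"
    rows = [
        ("AWSConfigBucketPermissionsCheck", "s3:GetBucketAcl", arn, {}),
        ("AWSConfigBucketExistenceCheck", "s3:ListBucket", arn, {}),
        ("AWSConfigBucketDelivery", "s3:PutObject", f"{arn}/*",
         {"s3:x-amz-acl": "bucket-owner-full-control"}),
    ]
    statements = []
    for sid, action, resource, equals in rows:
        statement = {"Sid": sid, "Effect": "Allow",
                     "Principal": {"Service": [CONFIG_SERVICE]},
                     "Action": action, "Resource": resource}
        conditions = dict(equals)
        if source_account:
            conditions["AWS:SourceAccount"] = source_account
        if conditions:
            statement["Condition"] = {"StringEquals": conditions}
        statements.append(statement)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    bucket = "config-recording-s3-bucket-member1"
    print("as posted:", unscoped_service_grants(step1_policy(bucket)))
    hardened = step1_policy(bucket, source_account="111111111111")  # constructed account ID
    print("scoped:   ", unscoped_service_grants(hardened))
    print(json.dumps(hardened, indent=2))
```

The printed JSON can be saved as the policy file and applied with the same `put-bucket-policy` command, after replacing the constructed account ID with the real one.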
Step 2: Create IAM role for AWS Config service in both the accounts.
```bash
## Create assume role policy definition
cat <<'EOF' > config_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

#############################
## For Account A (member1) ##
#############################

## Create IAM role
aws iam create-role \
  --role-name config_iam_role \
  --profile member1 \
  --assume-role-policy-document file://config_assume_role_policy.json

## Create IAM policy definition for config to access S3
cat <<EOF > config_iam_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::config-recording-s3-bucket-member1/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member1"
    }
  ]
}
EOF

## Update the IAM role with the above IAM policy
aws iam put-role-policy \
  --role-name config_iam_role \
  --policy-name config_iam_policy \
  --profile member1 \
  --policy-document file://config_iam_policy.json

## Add AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
  --role-name config_iam_role \
  --profile member1 \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

#############################
## For Account B (member2) ##
#############################

## Create IAM role
aws iam create-role \
  --role-name config_iam_role \
  --profile member2 \
  --assume-role-policy-document file://config_assume_role_policy.json

## Create IAM policy definition for config to access S3
cat <<EOF > config_iam_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::config-recording-s3-bucket-member2/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::config-recording-s3-bucket-member2"
    }
  ]
}
EOF

## Update the IAM role with the above IAM policy
aws iam put-role-policy \
  --role-name config_iam_role \
  --policy-name config_iam_policy \
  --profile member2 \
  --policy-document file://config_iam_policy.json

## Add AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
  --role-name config_iam_role \
  --profile member2 \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```
Step 3: Enable AWS Config service in both the accounts for two regions.
```bash
## Create recording group configuration
cat <<'EOF' > config_recording_group.json
{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": ["AWS::EC2::VPC"]
}
EOF

#############################
## For Account A (member1) ##
#############################

## Enable AWS Config in ap-south-1 region of account A
MEMBER1_ACCOUNT_ID=$(aws sts get-caller-identity --profile member1 | jq -r .Account) &&
MEMBER1_IAM_ROLE_ARN=arn:aws:iam::$MEMBER1_ACCOUNT_ID:role/config_iam_role &&
aws configservice put-configuration-recorder \
  --configuration-recorder name=config_member1_ap_south_1,roleARN=$MEMBER1_IAM_ROLE_ARN \
  --profile member1 \
  --region ap-south-1 \
  --recording-group file://config_recording_group.json

## Enable AWS Config in us-east-1 region of account A
aws configservice put-configuration-recorder \
  --configuration-recorder name=config_member1_us_east_1,roleARN=$MEMBER1_IAM_ROLE_ARN \
  --profile member1 \
  --region us-east-1 \
  --recording-group file://config_recording_group.json

#############################
## For Account B (member2) ##
#############################

## Enable AWS Config in ap-south-1 region of Account B
MEMBER2_ACCOUNT_ID=$(aws sts get-caller-identity --profile member2 | jq -r .Account) &&
MEMBER2_IAM_ROLE_ARN=arn:aws:iam::$MEMBER2_ACCOUNT_ID:role/config_iam_role &&
aws configservice put-configuration-recorder \
  --configuration-recorder name=config_member2_ap_south_1,roleARN=$MEMBER2_IAM_ROLE_ARN \
  --profile member2 \
  --region ap-south-1 \
  --recording-group file://config_recording_group.json

## Enable AWS Config in us-east-1 region of Account B
aws configservice put-configuration-recorder \
  --configuration-recorder name=config_member2_us_east_1,roleARN=$MEMBER2_IAM_ROLE_ARN \
  --profile member2 \
  --region us-east-1 \
  --recording-group file://config_recording_group.json
```
Step 4: Create Config rule in both the accounts and regions.
```bash
## Create config rule definition file
cat <<'EOF' > config_rule.json
{
  "ConfigRuleName": "myconfigrule",
  "Description": "Checks if VPC has specific tags",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::VPC"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"owner\",\"tag1Value\":\"debjeet\"}"
}
EOF

#############################
## For Account A (member1) ##
#############################

## Create the config rule in ap-south-1 of account A
aws configservice put-config-rule \
  --profile member1 \
  --region ap-south-1 \
  --config-rule file://config_rule.json

## Create the config rule in us-east-1 of account A
aws configservice put-config-rule \
  --profile member1 \
  --region us-east-1 \
  --config-rule file://config_rule.json

#############################
## For Account B (member2) ##
#############################

## Create the config rule in ap-south-1 of Account B
aws configservice put-config-rule \
  --profile member2 \
  --region ap-south-1 \
  --config-rule file://config_rule.json

## Create the config rule in us-east-1 of Account B
aws configservice put-config-rule \
  --profile member2 \
  --region us-east-1 \
  --config-rule file://config_rule.json
```
Step 5: Create Config delivery channel for both the accounts and regions.
```bash
## Create Config delivery channel object

#############################
## For Account A (member1) ##
#############################

## Create config delivery channel object configuration file
cat << EOF > config_delivery_channel_member1_ap_south_1.json
{
  "name": "config_member1_ap_south_1",
  "s3BucketName": "config-recording-s3-bucket-member1",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}
EOF

cat << EOF > config_delivery_channel_member1_us_east_1.json
{
  "name": "config_member1_us_east_1",
  "s3BucketName": "config-recording-s3-bucket-member1",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}
EOF

## Create config delivery channel in ap-south-1 for account A
aws configservice put-delivery-channel \
  --profile member1 \
  --region ap-south-1 \
  --delivery-channel file://config_delivery_channel_member1_ap_south_1.json

## Create config delivery channel in us-east-1 for account A
aws configservice put-delivery-channel \
  --profile member1 \
  --region us-east-1 \
  --delivery-channel file://config_delivery_channel_member1_us_east_1.json

#############################
## For Account B (member2) ##
#############################

## Create config delivery channel object configuration file
cat << EOF > config_delivery_channel_member2_ap_south_1.json
{
  "name": "config_member2_ap_south_1",
  "s3BucketName": "config-recording-s3-bucket-member2",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}
EOF

cat << EOF > config_delivery_channel_member2_us_east_1.json
{
  "name": "config_member2_us_east_1",
  "s3BucketName": "config-recording-s3-bucket-member2",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}
EOF

## Create config delivery channel in ap-south-1 for Account B
aws configservice put-delivery-channel \
  --profile member2 \
  --region ap-south-1 \
  --delivery-channel file://config_delivery_channel_member2_ap_south_1.json

## Create config delivery channel in us-east-1 for Account B
aws configservice put-delivery-channel \
  --profile member2 \
  --region us-east-1 \
  --delivery-channel file://config_delivery_channel_member2_us_east_1.json
```
Step 6: Start Config recordings in both the accounts and regions.
```bash
## Start config recordings

#############################
## For Account A (member1) ##
#############################

## Starts recording for ap-south-1 region in account A
aws configservice start-configuration-recorder \
  --profile member1 \
  --region ap-south-1 \
  --configuration-recorder-name config_member1_ap_south_1

## Starts recording for us-east-1 region in account A
aws configservice start-configuration-recorder \
  --profile member1 \
  --region us-east-1 \
  --configuration-recorder-name config_member1_us_east_1

#############################
## For Account B (member2) ##
#############################

## Starts recording for ap-south-1 region in Account B
aws configservice start-configuration-recorder \
  --profile member2 \
  --region ap-south-1 \
  --configuration-recorder-name config_member2_ap_south_1

## Starts recording for us-east-1 region in Account B
aws configservice start-configuration-recorder \
  --profile member2 \
  --region us-east-1 \
  --configuration-recorder-name config_member2_us_east_1
```
Step 7: Create the 1st Account (Single Account Multi Region) Config Aggregator in Account A’s ap-south-1 region.
```bash
## Create config aggregator definition
cat <<EOF > config_aggregator.json
[
  {
    "AccountIds": ["$MEMBER1_ACCOUNT_ID"],
    "AllAwsRegions": false,
    "AwsRegions": ["ap-south-1","us-east-1"]
  }
]
EOF

## Create the config aggregator in ap-south-1 region of Account A
aws configservice put-configuration-aggregator \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1 \
  --account-aggregation-sources file://config_aggregator.json
```
Step 8: Add authorization to config aggregator for Account A.
```bash
## Add authorization for both the regions in account A
aws configservice put-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member1 \
  --region ap-south-1 &&
aws configservice put-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member1 \
  --region us-east-1
```
Step 9: Add a second account (Multi Account Multi Region) to config aggregator.
```bash
## Add account B in config aggregator

## Update config aggregator definition
cat <<EOF > config_aggregator.json
[
  {
    "AccountIds": ["$MEMBER1_ACCOUNT_ID","$MEMBER2_ACCOUNT_ID"],
    "AllAwsRegions": false,
    "AwsRegions": ["ap-south-1","us-east-1"]
  }
]
EOF

## Update the config aggregator to add Account B
aws configservice put-configuration-aggregator \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1 \
  --account-aggregation-sources file://config_aggregator.json
```
Step 10: Add authorization for both the regions of Account B
```bash
## Add authorization for both the regions for account B
aws configservice put-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member2 \
  --region ap-south-1 &&
aws configservice put-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member2 \
  --region us-east-1
```
Note: It will take some time for the aggregator to complete the collection. Wait for some time and then check.
```bash
## Get status information for sources within an aggregator
aws configservice describe-configuration-aggregator-sources-status \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1
```
You can also check from the console.
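An aggregator only gives a complete compliance picture if every expected account and region pair reports successfully. The following added example (not from the original post) parses the JSON printed by `describe-configuration-aggregator-sources-status` and lists every expected pair that is missing or not `SUCCEEDED`. The sample status document, its account IDs and its error code are constructed, and `coverage_gaps` is a hypothetical helper name.

```python
# Added example (not from the original post): compare aggregator source status
# against the account/region matrix the aggregator is supposed to cover.
import json
import sys
from itertools import product

# Constructed sample shaped like the output of
# `aws configservice describe-configuration-aggregator-sources-status`.
SAMPLE_STATUS = json.dumps({"AggregatedSourceStatusList": [
    {"SourceId": "111111111111", "SourceType": "ACCOUNT",
     "AwsRegion": "ap-south-1", "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "111111111111", "SourceType": "ACCOUNT",
     "AwsRegion": "us-east-1", "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "222222222222", "SourceType": "ACCOUNT",
     "AwsRegion": "ap-south-1", "LastUpdateStatus": "FAILED",
     "LastErrorCode": "AccessDenied",          # constructed value
     "LastErrorMessage": "constructed message"},
    # 222222222222 / us-east-1 is deliberately absent from the sample.
]})


def coverage_gaps(status_json, accounts, regions):
    """Return {(account, region): reason} for each expected source that is
    missing from the status list or whose last update did not succeed."""
    reported = {}
    for source in json.loads(status_json).get("AggregatedSourceStatusList", []):
        reported[(source.get("SourceId"), source.get("AwsRegion"))] = source

    gaps = {}
    for key in product(accounts, regions):
        source = reported.get(key)
        if source is None:
            gaps[key] = "no status entry returned"
        elif source.get("LastUpdateStatus") != "SUCCEEDED":
            detail = source.get("LastErrorCode") or "no error code"
            gaps[key] = f"{source.get('LastUpdateStatus')}: {detail}"
    return gaps


if __name__ == "__main__":
    # Expected matrix from Step 9: both accounts, both regions (constructed IDs).
    gaps = coverage_gaps(SAMPLE_STATUS,
                         ["111111111111", "222222222222"],
                         ["ap-south-1", "us-east-1"])
    for (account, region), reason in sorted(gaps.items()):
        print(f"GAP {account} {region}: {reason}")
    sys.exit(1 if gaps else 0)
```

To use it on a real aggregator, save the CLI output to a file and pass its contents as `status_json` along with the real account IDs.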
Step 11: Get details on config aggregator.
```bash
## Get Config Aggregator Details

## Get details on config aggregator
aws configservice describe-configuration-aggregators \
  --profile member1 \
  --region ap-south-1

## Get status information for sources within an aggregator
aws configservice describe-configuration-aggregator-sources-status \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1

## Get pending aggregation details
aws configservice describe-pending-aggregation-requests \
  --profile member1 \
  --region ap-south-1

## Get compliance summary
aws configservice get-aggregate-config-rule-compliance-summary \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1

## Get all discovered resource count
aws configservice get-aggregate-discovered-resource-counts \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1

## Get compliance details for a config rule
aws configservice get-aggregate-compliance-details-by-config-rule \
  --configuration-aggregator-name myconfigaggregator \
  --config-rule-name myconfigrule \
  --account-id $MEMBER1_ACCOUNT_ID \
  --aws-region ap-south-1 \
  --compliance-type NON_COMPLIANT \
  --profile member1 \
  --region ap-south-1
```
We have successfully created a multi-account, multi-region config aggregator.
Next, we will delete all the resources created in this demo.
Step 12: Clean Up.
```bash
## Cleanup

## Delete authorization for aggregator
aws configservice delete-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member1 \
  --region ap-south-1 &&
aws configservice delete-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member1 \
  --region us-east-1 &&
aws configservice delete-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member2 \
  --region ap-south-1 &&
aws configservice delete-aggregation-authorization \
  --authorized-account-id $MEMBER1_ACCOUNT_ID \
  --authorized-aws-region ap-south-1 \
  --profile member2 \
  --region us-east-1

## Delete the config aggregator
aws configservice delete-configuration-aggregator \
  --configuration-aggregator-name myconfigaggregator \
  --profile member1 \
  --region ap-south-1

## Stop config recordings
aws configservice stop-configuration-recorder \
  --profile member1 \
  --region ap-south-1 \
  --configuration-recorder-name config_member1_ap_south_1 &&
aws configservice stop-configuration-recorder \
  --profile member1 \
  --region us-east-1 \
  --configuration-recorder-name config_member1_us_east_1 &&
aws configservice stop-configuration-recorder \
  --profile member2 \
  --region ap-south-1 \
  --configuration-recorder-name config_member2_ap_south_1 &&
aws configservice stop-configuration-recorder \
  --profile member2 \
  --region us-east-1 \
  --configuration-recorder-name config_member2_us_east_1

## Delete config rules
aws configservice delete-config-rule \
  --config-rule-name myconfigrule \
  --profile member1 \
  --region ap-south-1 &&
aws configservice delete-config-rule \
  --config-rule-name myconfigrule \
  --profile member1 \
  --region us-east-1 &&
aws configservice delete-config-rule \
  --config-rule-name myconfigrule \
  --profile member2 \
  --region ap-south-1 &&
aws configservice delete-config-rule \
  --config-rule-name myconfigrule \
  --profile member2 \
  --region us-east-1

## Delete config delivery channels
aws configservice delete-delivery-channel \
  --delivery-channel-name config_member1_ap_south_1 \
  --profile member1 \
  --region ap-south-1 &&
aws configservice delete-delivery-channel \
  --delivery-channel-name config_member1_us_east_1 \
  --profile member1 \
  --region us-east-1 &&
aws configservice delete-delivery-channel \
  --delivery-channel-name config_member2_ap_south_1 \
  --profile member2 \
  --region ap-south-1 &&
aws configservice delete-delivery-channel \
  --delivery-channel-name config_member2_us_east_1 \
  --profile member2 \
  --region us-east-1

## Delete config service
aws configservice delete-configuration-recorder \
  --configuration-recorder-name config_member1_ap_south_1 \
  --profile member1 \
  --region ap-south-1 &&
aws configservice delete-configuration-recorder \
  --configuration-recorder-name config_member1_us_east_1 \
  --profile member1 \
  --region us-east-1 &&
aws configservice delete-configuration-recorder \
  --configuration-recorder-name config_member2_ap_south_1 \
  --profile member2 \
  --region ap-south-1 &&
aws configservice delete-configuration-recorder \
  --configuration-recorder-name config_member2_us_east_1 \
  --profile member2 \
  --region us-east-1

## Delete the S3 bucket with objects (configuration items)
aws s3 rb \
  s3://config-recording-s3-bucket-member1 --force \
  --profile member1 &&
aws s3 rb \
  s3://config-recording-s3-bucket-member2 --force \
  --profile member2

## Delete IAM Role & Policy
aws iam detach-role-policy \
  --profile member1 \
  --role-name config_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole &&
aws iam delete-role-policy \
  --profile member1 \
  --role-name config_iam_role \
  --policy-name config_iam_policy &&
aws iam delete-role \
  --profile member1 \
  --role-name config_iam_role &&
aws iam detach-role-policy \
  --profile member2 \
  --role-name config_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole &&
aws iam delete-role-policy \
  --profile member2 \
  --role-name config_iam_role \
  --policy-name config_iam_policy &&
aws iam delete-role \
  --profile member2 \
  --role-name config_iam_role
```
Hope you have enjoyed this article. To know more about AWS Config, please refer below official documentation