Creating an AWS Config individual-account aggregator with the AWS CLI
I set up an AWS Config aggregator with the AWS CLI. There are two kinds of Config aggregator, the individual-account aggregator and the organization aggregator; this post covers the individual-account aggregator (the kind that can also be used outside an AWS Organizations environment).
How to set up an organization aggregator with the AWS CLI is covered in a separate blog post.
Setting up an individual-account aggregator with the AWS CLI
Using the AWS CLI, the individual-account aggregator is set up in the following order.
- Create the individual-account aggregator
- Accept the invitation in the invited AWS account
- Add AWS accounts to aggregate to the aggregator
Create the individual-account aggregator
The aggregator is created with the put-configuration-aggregator command.
- put-configuration-aggregator — AWS CLI 1.32.77 Command Reference
- put-configuration-aggregator — AWS CLI 2.15.35 Command Reference
In this post it is enabled in the Tokyo region with the following settings.
- Individual-account aggregator
- Source accounts: the account that creates the aggregator, 111122223333, and the invited account 444455556666
- Source regions: all regions, including future AWS regions
aws configservice put-configuration-aggregator \
    --configuration-aggregator-name test-aggregator \
    --account-aggregation-sources '[{"AccountIds":["111122223333","444455556666"],"AllAwsRegions":true}]'
Example output.
$ aws configservice put-configuration-aggregator \
>     --configuration-aggregator-name test-aggregator \
>     --account-aggregation-sources '[{"AccountIds":["111122223333","444455556666"],"AllAwsRegions":true}]'
{
    "ConfigurationAggregator": {
        "ConfigurationAggregatorName": "test-aggregator",
        "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-hdg7jddo",
        "AccountAggregationSources": [
            {
                "AccountIds": [
                    "111122223333",
                    "444455556666"
                ],
                "AllAwsRegions": true
            }
        ],
        "CreationTime": "2024-04-04T00:41:46.900000+00:00",
        "LastUpdatedTime": "2024-04-04T00:47:04.231000+00:00"
    }
}
The aggregators that have been created can be checked with the describe-configuration-aggregators command.
$ aws configservice describe-configuration-aggregators
{
    "ConfigurationAggregators": [
        {
            "ConfigurationAggregatorName": "test-aggregator",
            "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-hdg7jddo",
            "AccountAggregationSources": [
                {
                    "AccountIds": [
                        "111122223333",
                        "444455556666"
                    ],
                    "AllAwsRegions": true
                }
            ],
            "CreationTime": "2024-04-04T00:41:46.900000+00:00",
            "LastUpdatedTime": "2024-04-04T00:47:04.233000+00:00"
        }
    ]
}
Accept the invitation in the invited AWS account
In the account that was invited when the aggregator was created, accept the invitation. No acceptance is needed inside the account that created the aggregator, so this step applies only to the invited account.
Pending invitations can be checked with the describe-pending-aggregation-requests command. The following example checks the invitation in the Tokyo region.
$ aws configservice describe-pending-aggregation-requests --region ap-northeast-1
{
    "PendingAggregationRequests": [
        {
            "RequesterAccountId": "111122223333",
            "RequesterAwsRegion": "ap-northeast-1"
        }
    ]
}
In the management console the invitation can be seen under the aggregator's Authorizations settings.
Because invitations are issued per region, acceptance must also be performed in every region. Acceptance is done with the put-aggregation-authorization command. The authorized-aws-region option specifies the region in which the aggregator was created.
aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
| while read region; do
    echo "### Put aggregation authorization in ${region}"
    aws configservice put-aggregation-authorization \
        --authorized-account-id 111122223333 \
        --authorized-aws-region ap-northeast-1 \
        --region ${region}
done
Example output.
$ aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
> | while read region; do
>     echo "### Put aggregation authorization in ${region}"
>     aws configservice put-aggregation-authorization \
>         --authorized-account-id 111122223333 \
>         --authorized-aws-region ap-northeast-1 \
>         --region ${region}
> done
### Put aggregation authorization in ap-south-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ap-south-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:18:50.047000+00:00"
    }
}
### Put aggregation authorization in eu-north-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:eu-north-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:18:51.913000+00:00"
    }
}
### Put aggregation authorization in eu-west-3
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:eu-west-3:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:18:53.839000+00:00"
    }
}
### Put aggregation authorization in eu-west-2
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:eu-west-2:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:18:55.977000+00:00"
    }
}
### Put aggregation authorization in eu-west-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:eu-west-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:18:57.872000+00:00"
    }
}
### Put aggregation authorization in ap-northeast-3
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ap-northeast-3:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:18:59.085000+00:00"
    }
}
### Put aggregation authorization in ap-northeast-2
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ap-northeast-2:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:00.147000+00:00"
    }
}
### Put aggregation authorization in ap-northeast-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ap-northeast-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:01.293000+00:00"
    }
}
### Put aggregation authorization in ca-central-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ca-central-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:03.150000+00:00"
    }
}
### Put aggregation authorization in sa-east-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:sa-east-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:05.398000+00:00"
    }
}
### Put aggregation authorization in ap-southeast-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ap-southeast-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:06.820000+00:00"
    }
}
### Put aggregation authorization in ap-southeast-2
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:ap-southeast-2:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:08.358000+00:00"
    }
}
### Put aggregation authorization in eu-central-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:eu-central-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:10.295000+00:00"
    }
}
### Put aggregation authorization in us-east-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:us-east-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:11.984000+00:00"
    }
}
### Put aggregation authorization in us-east-2
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:us-east-2:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:13.566000+00:00"
    }
}
### Put aggregation authorization in us-west-1
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:us-west-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:15.175000+00:00"
    }
}
### Put aggregation authorization in us-west-2
{
    "AggregationAuthorization": {
        "AggregationAuthorizationArn": "arn:aws:config:us-west-2:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1",
        "CreationTime": "2024-04-04T01:19:16.745000+00:00"
    }
}
After running this, there are no pending invitations left. Let's check the invitation in the Tokyo region.
$ aws configservice describe-pending-aggregation-requests --region ap-northeast-1
{
    "PendingAggregationRequests": []
}
In the management console the status also shows as Authorized.
The authorization settings can be checked with the describe-aggregation-authorizations command.
aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
| while read region; do
    echo "### Describe aggregation authorizations in ${region}"
    aws configservice describe-aggregation-authorizations \
        --query 'AggregationAuthorizations[*].{AuthorizedAccountId:AuthorizedAccountId,AuthorizedAwsRegion:AuthorizedAwsRegion}' \
        --region ${region}
done
Example output.
$ aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
> | while read region; do
>     echo "### Describe aggregation authorizations in ${region}"
>     aws configservice describe-aggregation-authorizations \
>         --query 'AggregationAuthorizations[*].{AuthorizedAccountId:AuthorizedAccountId,AuthorizedAwsRegion:AuthorizedAwsRegion}' \
>         --region ${region}
> done
### Describe aggregation authorizations in ap-south-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in eu-north-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in eu-west-3
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in eu-west-2
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in eu-west-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in ap-northeast-3
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in ap-northeast-2
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in ap-northeast-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in ca-central-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in sa-east-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in ap-southeast-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in ap-southeast-2
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in eu-central-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in us-east-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in us-east-2
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in us-west-1
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
### Describe aggregation authorizations in us-west-2
[
    {
        "AuthorizedAccountId": "111122223333",
        "AuthorizedAwsRegion": "ap-northeast-1"
    }
]
That completes accepting the invitations.
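The per-region acceptance loop above, followed by the describe-aggregation-authorizations check, can be folded into one script that also verifies the result. This is an added example, not code from the original post: it accepts the invitation in every region and then checks, per region, that the expected account/region pair is authorized and that no other account appears in the list (any other entry would mean a further account is allowed to pull this account's Config data). The account IDs and region are the post's values; list_regions, verify_region_json and the JSON samples at the bottom are constructed for this example, and REGIONS is an assumed environment override so the checks can run without credentials.

```shell
#!/bin/sh
# Added example (not from the original post): accept the invitation in every
# region, then verify per region that exactly the expected aggregator
# account/region pair is authorized and nothing else.

AGGREGATOR_ACCOUNT=111122223333   # account that owns the aggregator (from the post)
AGGREGATOR_REGION=ap-northeast-1  # region in which the aggregator was created

# Region list: use REGIONS (space-separated) when set, otherwise ask EC2 as the post does.
list_regions() {
    if [ -n "${REGIONS:-}" ]; then
        printf '%s\n' $REGIONS
    else
        aws --output text ec2 describe-regions --query "Regions[].[RegionName]"
    fi
}

# Accept the invitation in one region (the post's put-aggregation-authorization call).
authorize_region() {
    aws configservice put-aggregation-authorization \
        --authorized-account-id "$AGGREGATOR_ACCOUNT" \
        --authorized-aws-region "$AGGREGATOR_REGION" \
        --region "$1"
}

# Read describe-aggregation-authorizations JSON from stdin and print every
# "<account> <region>" pair it contains, one per line.
authorized_pairs() {
    tr -d ' \t\n' \
      | grep -o '"AuthorizedAccountId":"[0-9]*","AuthorizedAwsRegion":"[^"]*"' \
      | sed 's/"AuthorizedAccountId":"\([0-9]*\)","AuthorizedAwsRegion":"\([^"]*\)"/\1 \2/'
}

# Verify one region from JSON on stdin: the expected pair must be present and
# no other pair may exist. Prints a one-line result and returns 1 on failure.
verify_region_json() {
    region=$1
    pairs=$(authorized_pairs)
    expected="$AGGREGATOR_ACCOUNT $AGGREGATOR_REGION"
    found=0
    extra=""
    old_ifs=$IFS
    IFS='
'
    for pair in $pairs; do
        if [ "$pair" = "$expected" ]; then found=1; else extra="$extra $pair"; fi
    done
    IFS=$old_ifs
    if [ "$found" -eq 0 ]; then echo "missing: $region"; return 1; fi
    if [ -n "$extra" ]; then echo "unexpected in $region:$extra"; return 1; fi
    echo "ok: $region"
}

# Accept in all regions, then verify each one. Non-zero exit if any region failed.
authorize_and_verify_all() {
    status=0
    for region in $(list_regions); do
        echo "### Put aggregation authorization in ${region}"
        authorize_region "$region" >/dev/null || status=1
        aws configservice describe-aggregation-authorizations --region "$region" \
            | verify_region_json "$region" || status=1
    done
    return $status
}

# Constructed sample output (same shape as the post's output) for offline checks.
SAMPLE_OK='{
    "AggregationAuthorizations": [
        {
            "AggregationAuthorizationArn": "arn:aws:config:ap-south-1:444455556666:aggregation-authorization/111122223333/ap-northeast-1",
            "AuthorizedAccountId": "111122223333",
            "AuthorizedAwsRegion": "ap-northeast-1",
            "CreationTime": "2024-04-04T01:18:50.047000+00:00"
        }
    ]
}'
# Constructed sample: a second, unknown account (placeholder ID) is also authorized.
SAMPLE_EXTRA='{
    "AggregationAuthorizations": [
        { "AuthorizedAccountId": "111122223333", "AuthorizedAwsRegion": "ap-northeast-1" },
        { "AuthorizedAccountId": "999999999999", "AuthorizedAwsRegion": "us-east-1" }
    ]
}'

# Usage with credentials:  authorize_and_verify_all
# Offline check of the verifier: printf '%s' "$SAMPLE_OK" | verify_region_json ap-south-1  -> "ok: ap-south-1"
```

The verification is deliberately stricter than the post's listing: it fails not only when the expected authorization is missing but also when an additional account is authorized, which is the case an auditor cares about.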
Add AWS accounts to aggregate to the aggregator
Next, let's add an account to the existing aggregator. To change the settings, use the put-configuration-aggregator command, just as when creating the aggregator.
In the account-aggregation-sources option, which specifies the aggregator's source accounts, specify the additional account 777788889999. Note that the existing accounts must also be included in this list, not only the new one.
aws configservice put-configuration-aggregator \
    --configuration-aggregator-name test-aggregator \
    --account-aggregation-sources '[{"AccountIds":["111122223333","444455556666","777788889999"],"AllAwsRegions":true}]'
Example output.
$ aws configservice put-configuration-aggregator \
>     --configuration-aggregator-name test-aggregator \
>     --account-aggregation-sources '[{"AccountIds":["111122223333","444455556666","777788889999"],"AllAwsRegions":true}]'
{
    "ConfigurationAggregator": {
        "ConfigurationAggregatorName": "test-aggregator",
        "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-hdg7jddo",
        "AccountAggregationSources": [
            {
                "AccountIds": [
                    "111122223333",
                    "444455556666",
                    "777788889999"
                ],
                "AllAwsRegions": true
            }
        ],
        "CreationTime": "2024-04-04T00:41:46.900000+00:00",
        "LastUpdatedTime": "2024-04-04T02:25:13.045000+00:00"
    }
}
Afterwards, carry out the steps in "Accept the invitation in the invited AWS account" in the newly added account.
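Both the creation step and the add-account step pass the same account-aggregation-sources JSON, and the add step is where the existing accounts are easily dropped by mistake. The following is an added example, not code from the original post: it validates the account IDs, builds the JSON value in the exact shape the post uses, and for an update reads the IDs currently configured on the aggregator from describe-configuration-aggregators output and merges the new ones in, so nothing already aggregated is lost. The aggregator name and account IDs are the post's; is_account_id, build_sources, merged_sources, update_aggregator and the embedded sample JSON are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build the value for
# --account-aggregation-sources and merge new account IDs into the list the
# aggregator already has, so an update never silently drops existing accounts.

# Return 0 when $1 is a 12-digit AWS account ID.
is_account_id() {
    case "$1" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 12 ]
}

# Read describe-configuration-aggregators JSON from stdin and print the
# account IDs found inside the AccountIds arrays, one per line.
current_account_ids() {
    sed -n '/"AccountIds"/,/]/p' | grep -o '"[0-9]\{12\}"' | tr -d '"'
}

# Build '[{"AccountIds":[...],"AllAwsRegions":true}]' from the given IDs.
# Duplicates are dropped; an invalid or missing ID aborts with status 1.
build_sources() {
    ids=""
    for id in "$@"; do
        is_account_id "$id" || { echo "invalid account id: $id" >&2; return 1; }
        case " $ids " in
            *" $id "*) ;;             # already in the list
            *) ids="$ids $id" ;;
        esac
    done
    ids="${ids# }"
    [ -n "$ids" ] || { echo "no account ids given" >&2; return 1; }
    quoted=$(printf '"%s",' $ids)    # word splitting on $ids is intended
    printf '[{"AccountIds":[%s],"AllAwsRegions":true}]' "${quoted%,}"
}

# Existing IDs (describe output on stdin) plus the new IDs given as arguments.
merged_sources() {
    existing=$(current_account_ids)
    build_sources $existing "$@"
}

# Real update: fetch the aggregator, merge, and put it back.
# Usage: update_aggregator test-aggregator 777788889999
update_aggregator() {
    name=$1; shift
    sources=$(aws configservice describe-configuration-aggregators \
                  --configuration-aggregator-names "$name" | merged_sources "$@") || return 1
    aws configservice put-configuration-aggregator \
        --configuration-aggregator-name "$name" \
        --account-aggregation-sources "$sources"
}

# Constructed sample of describe-configuration-aggregators output (the post's shape).
SAMPLE_DESCRIBE='{
    "ConfigurationAggregators": [
        {
            "ConfigurationAggregatorName": "test-aggregator",
            "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-hdg7jddo",
            "AccountAggregationSources": [
                {
                    "AccountIds": [
                        "111122223333",
                        "444455556666"
                    ],
                    "AllAwsRegions": true
                }
            ]
        }
    ]
}'

# Offline demonstration: the merged value for adding 777788889999.
demo_merged() {
    printf '%s\n' "$SAMPLE_DESCRIBE" | merged_sources 777788889999
}
```

Passing the merged value to put-configuration-aggregator reproduces the post's second command exactly; running merged_sources with an account that is already present simply returns the unchanged list.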
(Reference) Deleting aggregator authorizations
While testing aggregator settings you may want to delete accepted invitations or pending invitations. Here are example commands for that.
First, the command that deletes the accepted (authorized) state in all regions.
aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
| while read region; do
    echo "### Delete aggregation authorization in ${region}"
    aws configservice delete-aggregation-authorization \
        --authorized-account-id 111122223333 \
        --authorized-aws-region ap-northeast-1 \
        --region ${region}
done
Example output.
$ aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
> | while read region; do
>     echo "### Delete aggregation authorization in ${region}"
>     aws configservice delete-aggregation-authorization \
>         --authorized-account-id 111122223333 \
>         --authorized-aws-region ap-northeast-1 \
>         --region ${region}
> done
### Delete aggregation authorization in ap-south-1
### Delete aggregation authorization in eu-north-1
### Delete aggregation authorization in eu-west-3
### Delete aggregation authorization in eu-west-2
### Delete aggregation authorization in eu-west-1
### Delete aggregation authorization in ap-northeast-3
### Delete aggregation authorization in ap-northeast-2
### Delete aggregation authorization in ap-northeast-1
### Delete aggregation authorization in ca-central-1
### Delete aggregation authorization in sa-east-1
### Delete aggregation authorization in ap-southeast-1
### Delete aggregation authorization in ap-southeast-2
### Delete aggregation authorization in eu-central-1
### Delete aggregation authorization in us-east-1
### Delete aggregation authorization in us-east-2
### Delete aggregation authorization in us-west-1
### Delete aggregation authorization in us-west-2
The command for listing authorizations (repeated from above). It can be used to confirm that the authorizations have been deleted.
aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
| while read region; do
    echo "### Describe aggregation authorizations in ${region}"
    aws configservice describe-aggregation-authorizations \
        --query 'AggregationAuthorizations[*].{AuthorizedAccountId:AuthorizedAccountId,AuthorizedAwsRegion:AuthorizedAwsRegion}' \
        --region ${region}
done
Example output after deleting the authorizations. You can confirm that there are no authorizations left.
$ aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
> | while read region; do
>     echo "### Describe aggregation authorizations in ${region}"
>     aws configservice describe-aggregation-authorizations \
>         --query 'AggregationAuthorizations[*].{AuthorizedAccountId:AuthorizedAccountId,AuthorizedAwsRegion:AuthorizedAwsRegion}' \
>         --region ${region}
> done
### Describe aggregation authorizations in ap-south-1
[]
### Describe aggregation authorizations in eu-north-1
[]
### Describe aggregation authorizations in eu-west-3
[]
### Describe aggregation authorizations in eu-west-2
[]
### Describe aggregation authorizations in eu-west-1
[]
### Describe aggregation authorizations in ap-northeast-3
[]
### Describe aggregation authorizations in ap-northeast-2
[]
### Describe aggregation authorizations in ap-northeast-1
[]
### Describe aggregation authorizations in ca-central-1
[]
### Describe aggregation authorizations in sa-east-1
[]
### Describe aggregation authorizations in ap-southeast-1
[]
### Describe aggregation authorizations in ap-southeast-2
[]
### Describe aggregation authorizations in eu-central-1
[]
### Describe aggregation authorizations in us-east-1
[]
### Describe aggregation authorizations in us-east-2
[]
### Describe aggregation authorizations in us-west-1
[]
### Describe aggregation authorizations in us-west-2
[]
Next, the command that deletes pending invitations in all regions. The requester-account-id and requester-aws-region options specify the account and region in which the aggregator is configured.
aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
| while read region; do
    echo "### Delete pending aggregation request in ${region}"
    aws configservice delete-pending-aggregation-request \
        --requester-account-id 111122223333 \
        --requester-aws-region ap-northeast-1 \
        --region ${region}
done
Example output.
$ aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
> | while read region; do
>     echo "### Delete pending aggregation request in ${region}"
>     aws configservice delete-pending-aggregation-request \
>         --requester-account-id 111122223333 \
>         --requester-aws-region ap-northeast-1 \
>         --region ${region}
> done
### Delete pending aggregation request in ap-south-1
### Delete pending aggregation request in eu-north-1
### Delete pending aggregation request in eu-west-3
### Delete pending aggregation request in eu-west-2
### Delete pending aggregation request in eu-west-1
### Delete pending aggregation request in ap-northeast-3
### Delete pending aggregation request in ap-northeast-2
### Delete pending aggregation request in ap-northeast-1
### Delete pending aggregation request in ca-central-1
### Delete pending aggregation request in sa-east-1
### Delete pending aggregation request in ap-southeast-1
### Delete pending aggregation request in ap-southeast-2
### Delete pending aggregation request in eu-central-1
### Delete pending aggregation request in us-east-1
### Delete pending aggregation request in us-east-2
### Delete pending aggregation request in us-west-1
### Delete pending aggregation request in us-west-2
The command for listing pending invitations. It can be used to confirm the state after deletion.
aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
| while read region; do
    echo "### Describe pending aggregation requests in ${region}"
    aws configservice describe-pending-aggregation-requests --region ${region}
done
Example output. You can confirm that there are no pending invitations.
$ aws --output text ec2 describe-regions --query "Regions[].[RegionName]" \
> | while read region; do
>     echo "### Describe pending aggregation requests in ${region}"
>     aws configservice describe-pending-aggregation-requests --region ${region}
> done
### Describe pending aggregation requests in ap-south-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in eu-north-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in eu-west-3
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in eu-west-2
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in eu-west-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in ap-northeast-3
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in ap-northeast-2
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in ap-northeast-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in ca-central-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in sa-east-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in ap-southeast-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in ap-southeast-2
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in eu-central-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in us-east-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in us-east-2
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in us-west-1
{
    "PendingAggregationRequests": []
}
### Describe pending aggregation requests in us-west-2
{
    "PendingAggregationRequests": []
}
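The two cleanup loops above fire the delete commands blindly in every region. The following added example (not code from the original post) first inspects each region with the two describe commands, classifies what is there for the requester account/region pair as authorized, pending or none, and only then issues the matching delete command, with a DRY_RUN=1 mode that prints the command instead of executing it. The account ID and region are the post's; run, classify_region, cleanup_region, cleanup_all_regions, the REGIONS override and the sample JSON are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): per-region cleanup that looks
# before it deletes. A pending invitation is removed with
# delete-pending-aggregation-request, an accepted one with
# delete-aggregation-authorization; regions with neither are left alone.

REQUESTER_ACCOUNT=111122223333   # account holding the aggregator (from the post)
REQUESTER_REGION=ap-northeast-1  # region of the aggregator

# Run a mutating command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "dry-run: $*"; else "$@"; fi
}

# $1 = describe-aggregation-authorizations JSON
# $2 = describe-pending-aggregation-requests JSON
# Prints one of: authorized, pending, none (for the requester account/region).
classify_region() {
    auth_c=$(printf '%s' "$1" | tr -d ' \t\n')
    pend_c=$(printf '%s' "$2" | tr -d ' \t\n')
    case "$auth_c" in
        *"\"AuthorizedAccountId\":\"$REQUESTER_ACCOUNT\",\"AuthorizedAwsRegion\":\"$REQUESTER_REGION\""*)
            echo authorized; return 0 ;;
    esac
    case "$pend_c" in
        *"\"RequesterAccountId\":\"$REQUESTER_ACCOUNT\",\"RequesterAwsRegion\":\"$REQUESTER_REGION\""*)
            echo pending; return 0 ;;
    esac
    echo none
}

# Inspect one region and delete whatever exists there for the requester pair.
cleanup_region() {
    region=$1
    auth=$(aws configservice describe-aggregation-authorizations --region "$region")
    pend=$(aws configservice describe-pending-aggregation-requests --region "$region")
    case "$(classify_region "$auth" "$pend")" in
        authorized)
            echo "### Delete aggregation authorization in ${region}"
            run aws configservice delete-aggregation-authorization \
                --authorized-account-id "$REQUESTER_ACCOUNT" \
                --authorized-aws-region "$REQUESTER_REGION" \
                --region "$region" ;;
        pending)
            echo "### Delete pending aggregation request in ${region}"
            run aws configservice delete-pending-aggregation-request \
                --requester-account-id "$REQUESTER_ACCOUNT" \
                --requester-aws-region "$REQUESTER_REGION" \
                --region "$region" ;;
        *)
            echo "### Nothing to delete in ${region}" ;;
    esac
}

# Clean up every region, as the post does. REGIONS (space-separated) overrides the EC2 lookup.
cleanup_all_regions() {
    regions=${REGIONS:-$(aws --output text ec2 describe-regions --query "Regions[].[RegionName]")}
    for region in $regions; do
        cleanup_region "$region"
    done
}

# Constructed samples (same shape as the post's output) for offline checks.
SAMPLE_AUTH='{ "AggregationAuthorizations": [ { "AuthorizedAccountId": "111122223333", "AuthorizedAwsRegion": "ap-northeast-1" } ] }'
SAMPLE_NO_AUTH='{ "AggregationAuthorizations": [] }'
SAMPLE_PEND='{ "PendingAggregationRequests": [ { "RequesterAccountId": "111122223333", "RequesterAwsRegion": "ap-northeast-1" } ] }'
SAMPLE_NO_PEND='{ "PendingAggregationRequests": [] }'

# Usage with credentials:  DRY_RUN=1 cleanup_all_regions   (then without DRY_RUN to apply)
```

Because the classification is based on what the region reports rather than on what the script expects, re-running the script after a partial run is harmless: regions already cleaned simply print "Nothing to delete".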
In closing
I had occasion to look into how to create and modify an AWS Config individual-account aggregator with the AWS CLI, so I wrote it up as a blog post that doubles as a note to myself. I confirmed that everything from creating the aggregator to accepting the invitations can be done with the AWS CLI.
I hope this post is useful to someone.