AWS Config — Resource inventory + compliance rules
Status: Active since 2026-04-18 in all 4 accounts. Delegated admin: log-archive. Purpose: SOC 2 CC7.1 (Infrastructure Management), HIPAA §164.308(a)(1)(ii)(D), CMS EDE Phase 3 configuration change tracking.
Summary
AWS Config records a continuous, point-in-time snapshot of every resource in every account and evaluates them against rules. Snapshots are delivered to a central S3 bucket in log-archive. A Config aggregator consolidates all 4 accounts' resource inventory into a single queryable index.
Per-account recorders
Each account runs a recorder + delivery channel in us-east-1:
| Account | Role | Recorder | Status |
|---|---|---|---|
| askflorencehealth (778477254880) | AskFlorenceConfigRole | default (allSupported + global) | RECORDING, SUCCESS |
| askflorence-prod (039624954211) | AskFlorenceConfigRole | default (allSupported + global) | RECORDING, SUCCESS |
| askflorence-staging (549136075525) | AskFlorenceConfigRole | default (allSupported + global) | RECORDING, SUCCESS |
| askflorence-log-archive (754660694122) | AskFlorenceConfigRole | default (allSupported + global) | RECORDING, PENDING (~5 min after enable) |
All snapshots land in s3://askflorence-org-config-754660694122/AWSLogs/<account>/Config/us-east-1/ with 24-hour delivery frequency. Bucket has versioning, KMS encryption via askflorence-org-logs CMK, public access blocked, deny-non-SSL policy.
Role design
Each account has a customer-managed AskFlorenceConfigRole (chosen over the service-linked role AWSServiceRoleForConfig because the service-linked version hit InvalidRoleException during recorder provisioning — likely IAM propagation timing). The role has:
- AWS-managed AWS_ConfigRole policy (standard Config permissions).
- Inline ConfigS3KMSAccess — explicit allow on S3 bucket + KMS CMK.
- Trust policy: config.amazonaws.com.
Config aggregator
In log-archive (754660694122): askflorence-org-aggregator (arn:aws:config:us-east-1:754660694122:config-aggregator/config-aggregator-51lvmf9z).
- Source: organization-wide (all current + future accounts).
- Region: us-east-1 only (matches region-lock SCP).
- Role: AskFlorenceConfigAggregatorRole with the AWSConfigRoleForOrganizations managed policy.
Query across all accounts from the aggregator console:
```sh
# Example: all S3 buckets in the org
aws configservice select-aggregate-resource-config \
  --configuration-aggregator-name askflorence-org-aggregator \
  --expression "SELECT accountId, resourceId, resourceName, awsRegion WHERE resourceType = 'AWS::S3::Bucket'"
```
Conformance packs (future)
Not yet applied. Planned additions:
- Phase 8 (prod launch): AWS Operational Best Practices for HIPAA Security conformance pack on prod.
- Phase 8: AWS Operational Best Practices for CIS 1.4 on staging.
Conformance packs are deployed via the delegated admin (log-archive) using PutConformancePack or via Organizations cross-account deployment.
SCP protection
ScpBaseline denies:
- config:DeleteConfigurationRecorder
- config:DeleteDeliveryChannel
- config:StopConfigurationRecorder
Member accounts can't silence Config.
Costs
Config charges per configuration item recorded + per rule evaluation. Pre-launch estimate: $3–8/mo across 4 accounts. Scales with resource count; will grow when Phase 4-8 resources land.
Runbook
- aws configservice describe-configuration-recorder-status — confirm recording = true, lastStatus = SUCCESS.
- aws configservice describe-delivery-channels — confirm S3 destination.
- From log-archive: aws configservice describe-configuration-aggregators — confirm aggregator active.
- Recommended monthly: aws configservice select-aggregate-resource-config query to verify every account's resources show up.
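The per-account checks in the runbook, scripted as an added example (not the org's own tooling): it evaluates the parsed output of the two describe calls against the settings documented on this page (bucket name, 24-hour delivery, recorder SUCCESS) and returns findings, so it can run offline on captured JSON or live through boto3.

```python
# Added example: evaluate describe-configuration-recorder-status and
# describe-delivery-channels output for one account. Expected values come
# from this page; "TwentyFour_Hours" is Config's identifier for 24-hour delivery.
import json

EXPECTED_BUCKET = "askflorence-org-config-754660694122"
EXPECTED_FREQUENCY = "TwentyFour_Hours"


def evaluate_account(recorder_status: dict, delivery_channels: dict) -> list[str]:
    """Return findings for one account (empty list = healthy per the runbook)."""
    findings = []
    recorders = recorder_status.get("ConfigurationRecordersStatus", [])
    if not recorders:
        findings.append("no configuration recorder present")
    for rec in recorders:                      # runbook: recording = true, lastStatus = SUCCESS
        name = rec.get("name", "?")
        if not rec.get("recording"):
            findings.append(f"recorder {name}: recording is false")
        if rec.get("lastStatus") != "SUCCESS":
            findings.append(f"recorder {name}: lastStatus={rec.get('lastStatus')}")
    channels = delivery_channels.get("DeliveryChannels", [])
    if not channels:
        findings.append("no delivery channel present")
    for ch in channels:                        # runbook: confirm S3 destination (and cadence)
        name = ch.get("name", "?")
        if ch.get("s3BucketName") != EXPECTED_BUCKET:
            findings.append(f"channel {name}: s3BucketName={ch.get('s3BucketName')}")
        freq = ch.get("configSnapshotDeliveryProperties", {}).get("deliveryFrequency")
        if freq != EXPECTED_FREQUENCY:
            findings.append(f"channel {name}: deliveryFrequency={freq}")
    return findings


def check_live_account(session) -> list[str]:
    """Same check against a boto3 session holding that account's credentials."""
    cfg = session.client("config", region_name="us-east-1")
    return evaluate_account(cfg.describe_configuration_recorder_status(),
                            cfg.describe_delivery_channels())


# Constructed samples: a healthy account and the just-enabled log-archive recorder (PENDING).
HEALTHY = json.loads('{"ConfigurationRecordersStatus": [{"name": "default", "recording": true, "lastStatus": "SUCCESS"}]}')
PENDING = json.loads('{"ConfigurationRecordersStatus": [{"name": "default", "recording": true, "lastStatus": "PENDING"}]}')
CHANNEL = json.loads('{"DeliveryChannels": [{"name": "default", "s3BucketName": "askflorence-org-config-754660694122", '
                     '"configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}]}')

if __name__ == "__main__":
    for label, status in (("prod", HEALTHY), ("log-archive", PENDING)):
        print(label, evaluate_account(status, CHANNEL) or "OK")
```

A recorder reported as PENDING right after enablement (as log-archive is in the table above) shows up as a finding until its first successful delivery.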