|
1 | | -# Cost Optimization Conformance |
| 1 | +# Optimizing AWS Resource Costs using AWS Config |
| 2 | + |
| 3 | +This repository contains code to deploy the Cost Optimization Conformance Pack solution across an AWS Organization that utilises Control Tower. It includes an example collection of three custom rules containing best practice cost optimization logic. These will monitor and evaluate your resources to identify their cost optimization compliance posture and consolidate the results back to a single ‘delegated administrator’ account for simplified management. The following rules are included: |
| 4 | + |
| 5 | +Rule 1: Check for EBS gp2 volumes Remediation: Convert them to gp3 volumes |
| 6 | +Rule 2: Check for EBS volumes not attached to an EC2 instance |
| 7 | +Rule 3: Check for S3 buckets that do not have a lifecycle configuration policy |
| 8 | + |
| 9 | +For this solution the following will be deployed: |
| 10 | + |
| 11 | +- **AWS Config Organization Conformance Pack** - a collection of AWS Config custom rules that will be used to evaluate resources against best practice cost optimization logic. |
| 12 | + - This Organization Conformance Pack will deploy individual Cost Optimization Conformance Packs into each member account. |
| 13 | +- **AWS CloudFormation StackSet** - a collection of CloudFormation stacks deployed into all the member accounts in the AWS Organization. These stacks will deploy the following: |
| 14 | + - **AWS Lambda Function** - The AWS Config custom rules invoke a Lambda function that contains the logic to evaluate whether the specified resource is either Compliant or Noncompliant with cost optimization best practice rules defined above. |
| 15 | + - **IAM Roles** - Two custom IAM roles will be deployed. One that will enable the Lambda function to be invoked and the second which will be used by AWS Systems Manager (SSM) to carry out remediation actions as defined in the SSM document. |
| 16 | +- **AWS Systems Manager Automation Document** - This will deployed into the audit account only and used by the member accounts. |
2 | 17 |
|
3 | | -This repository contains code to deploy the Cost Optimization Organization Conformance pack into an AWS Organization. |
4 | 18 |
|
5 | 19 | ## Pre-requisites |
6 | 20 |
|
7 | | -To use this solution, the following components must be already deployed within an AWS account. |
| 21 | +To use this solution you will need the following: |
| 22 | + |
| 23 | +- AWS Organizations utilising AWS Control Tower |
| 24 | +- Permission to access both your organizations management account and the audit account you are delegating administrative rights to for deployment of the Cost Optimization Conformance Pack solution. |
| 25 | +- Trusted access for StackSets with AWS Organizations enabled. |
| 26 | +- AWS Console access to AWS Config in the member accounts where the solution is being deployed |
| 27 | + |
| 28 | +## Walkthrough |
| 29 | + |
| 30 | +In this solution walkthrough you will complete the following steps: |
| 31 | + |
| 32 | +- Establish a trust relationship between AWS Organizations and the service principals for AWS Config and AWS CloudFormation StackSets |
| 33 | +- Grant *delegated administrator* permissions for the AWS Config and AWS CloudFormation services to the audit account |
| 34 | +- Deploy the Cost Optimization Conformance Pack |
| 35 | +- Using CloudFormation, you will deploy the conformance pack, Lambda function, IAM roles and Systems Manager document included in the solution |
| 36 | +- Test the solution |
| 37 | + |
| 38 | +## Deployment |
| 39 | + |
| 40 | +For the purposes of this deployment walkthrough, our management account ID will be 111111111111 and the audit account from which we will deploy the solution will have an account ID of 222222222222 |
| 41 | + |
| 42 | +**Establish a trust relationship between AWS Organizations and the service principals for AWS Config and AWS CloudFormation** |
| 43 | + |
| 44 | +1. Run the following commands using the AWS CLI or an AWS CloudShell session |
| 45 | + - `aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com` |
| 46 | + - `aws organizations enable-aws-service-access --service-principal=member.org.stacksets.cloudformation.amazonaws.com` |
| 47 | +2. Validate they have been successful by running the command `aws organizations list-aws-service-access-for-organization` where they will be listed as service principals |
| 48 | + |
| 49 | +**Setup a delegated administrator account for AWS Config and AWS CloudFormation** |
| 50 | + |
| 51 | +1. Run the following CLI commands replacing the account-id with the ID of your audit account: |
| 52 | + - `aws organizations register-delegated-administrator --account-id 222222222222 --service-principal config-multiaccountsetup.amazonaws.com` |
| 53 | + - `aws organizations register-delegated-administrator --account-id 222222222222 --service-principal config.amazonaws.com` |
| 54 | + - `aws organizations register-delegated-administrator --service-principal=member.org.stacksets.cloudformation.amazonaws.com --account-id=222222222222` |
| 55 | +2. Validate they have been successful by running the following commands where you should see the listed delegated admininstrators: |
| 56 | + - `aws organizations list-delegated-administrators --service-principal=config.amazonaws.com` |
| 57 | + - `aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com` |
| 58 | + - `aws organizations list-delegated-administrators --service-principal=member.org.stacksets.cloudformation.amazonaws.com` |
| 59 | + |
| 60 | +**Deploy the Cost Optimization Conformance Pack** |
| 61 | + |
| 62 | +1. Download `template.yaml` from the latest release. |
| 63 | +2. Using AWS CLI or an AWS CloudShell sesssion, create a new CloudFormation stack with the following command that refers to the `template.yaml` file: |
| 64 | + - `aws cloudformation deploy --template-file template.yaml --stack-name CostOptimizationConfPack --parameter-overrides DeployingInDelegatedAdminAccount=True --capabilities CAPABILITY_IAM ` |
| 65 | +3. You can verify the resources have deployed successfully by navigating to CloudFormation in the AWS Console and selecting Stacks from the menu. |
| 66 | + |
| 67 | + |
| 68 | +## Testing |
| 69 | + |
| 70 | +The Cost Optimization Conformation Pack should now be deployed across the Organization and you can view the compliance status of the rules by navigating to the AWS Config dashboard and selecting Conformance packs from the menu. |
| 71 | +The rules will automatically evaluate resources in your accounts that match the criteria however, if you do not have any that match you can [create an Amazon EBS volume](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html) and set the `Volume Type` as `gp2`. |
| 72 | + |
| 73 | +Once the EBS volume has been created, follow the steps below in the AWS Console to re-evaluate resources in the account: |
| 74 | + |
| 75 | +1. Navigate to the AWS Config dashboard. |
| 76 | +2. Select ‘Conformance packs’. |
| 77 | +3. Select the conformance pack with **CostOptimization** in the name. |
| 78 | +4. A list of Rules will appear |
| 79 | +5. Select the rule with **CostOpt-Ebs** in the name to view the rule dashboard. |
| 80 | +6. Select the Actions menu. |
| 81 | +7. Select Re-evaluate to trigger the rule to assess the resources in the account. |
| 82 | + |
| 83 | +After the evaluation has completed the **Noncompliant** EBS volume will display |
| 84 | + |
| 85 | +To invoke the remediation rule follow the steps below in the AWS Console: |
| 86 | + |
| 87 | +1. From the AWS Config rule dashboard scroll down to **Resources in scope**. |
| 88 | +2. Select the radio button for the EC2 Volume that is listed as **Noncompliant**. |
| 89 | +3. Select the Remediate button. |
| 90 | + |
| 91 | +Once the remediation rule has been triggered Action executed successfully should then appear under the Status column. |
| 92 | +You can also validate the change in volume type has completed successfully by looking at the volumes listed in the Elastic Block Store under the EC2 service. |
| 93 | + |
| 94 | +## Clean Up |
| 95 | + |
| 96 | +All the resources deployed for the Cost Optimization Conformance Pack solution can be removed by deleting the CloudFormation stack either through the AWS Console, or using the CLI command below: |
| 97 | + |
| 98 | +To delete the Cost Optimization Conformance Pack solution (CLI) |
8 | 99 |
|
9 | | -- AWS Organizations. |
10 | | -- AWS Config deployed in same region in all member accounts of the AWS Organization. |
11 | | -- Delegated AWS Config account within AWS Organizations. |
12 | | -- Delegated AWS CloudFormation Stackets account within AWS Organizations. |
| 100 | +1. Using AWS CLI or an AWS CloudShell session run the `aws cloudformation delete-stack --stack-name CostOptimizationConfPack` command. |
13 | 101 |
|
14 | | -## Deployment Guide |
15 | 102 |
|
16 | | -Download `template.yaml` from the latest release. |
| 103 | +## Further Reading |
17 | 104 |
|
18 | | -Create a new CloudFormation stack using this `template.yaml` file. |
| 105 | +You can find out more about [AWS Config custom Lambda rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs.html) and [AWS Systems Manager documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html) to expand the functionality of the solution further. |
0 commit comments