Skip to content
This repository has been archived by the owner. It is now read-only.


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


AWS account concierge allows you to specify the desired configuration of your account in a relatively straight forward YML config file and it will configure your account to match.

The goal of the tool is to enable you to take a newly created AWS account and have it configured ready for use in one simple step.


The concierge can take care of the following details for you:

  • Ensure the root account has an MFA associated with it
  • Configure the account alias
  • Configure managed policies
  • Configure the account password policy
  • Configure sns topics and subscribers to them
  • Configure roles including
    • trust policy
    • attached policies
    • inline policies
  • Configure groups including
    • name
    • attached policies
    • inline policies
    • group members
  • Configure S3 buckets including
    • bucket policies
    • prefixes
  • Configure cloudtrails
  • Alarms including
    • configuring metric filters
    • alarm action topics
    • regions they are configured in.

Policy files have a primative templating function, concierge will figure out your AWS account number from the API keys that you supply when running concierge and replace instances of ACCOUNTNUMBER with the real thing. Similiarly BUCKETNAME for s3 bucket policies.

Development Status

Currently under active development, I'd consider it at the alpha stage now and be happy to run it on clean accounts where mistakes have a very low cost to fix. If running in production, please check that things are configured as you expect.

Getting Started

  1. edit the account config.yml as appropriate, example-full-config.yml isn't a bad place to start.

  2. bundle install

  3. Assume a privileged role in your account or fill in your environment with privileged API keys and run the concierge tool passing it the path to your config file in the manner that best suits your environment:

    • aws-vault exec <rolename> -- bundle exec ./concierge.rb <path to your yaml file> for aws-vault users
    • eval $(aws --profile <privilegedprofile> keyring show | sed -e 's/^/export /g') && bundle exec ./concierge <path to your yaml file> for aws keyring users
    • set the AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN using whatever method you wish and run bundle exec ./concierge <path to your yaml file>


Andrew Humphrey


This software is provider to you under the terms of the Apache 2.0 licence, see the LICENCE.txt file for details, but for clarity. This software is

Copyright 2016 Andrew Humphrey

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contributor Code of Conduct

See the CODE_OF_CONDUCT.txt file


For bug fixes, documentation changes, and small features:

  1. Fork it ( )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

For larger new features: Do everything as above, but first also make contact with the project maintainers to be sure your change fits with the project direction and you won't be wasting effort going in the wrong direction


Opensource AWS account management tool



Code of conduct





No releases published


No packages published