Home
Currently we have many different teams using separate AWS accounts. So how do we make sure these teams are using AWS resources in a way that is compliant with our organisation's policies? AWS Config provides this, but custom rules and the Lambda functions behind them have to be deployed to every account. Watchmen solves this by centralising the Lambda functions used by AWS Config rules in a single AWS account, so that they can be managed easily and efficiently using automation.
Essentially, we deploy the Watchmen stack to a dedicated AWS account. Each of our other AWS accounts (Citizens) then deploys a Citizen stack, which provides Watchmen with a role that allows it to deploy and manage Config rules in that account. These Config rules point at Lambda functions in the Watchmen account. When a Config rule is triggered, the Lambda runs in the Watchmen account but assumes a second role in the Citizen account, so that it evaluates, and reports on, resources in that Citizen account rather than in the Watchmen account.
Watchmen is an AWS CloudFormation stack comprising:
- Lambda functions written in Python that process AWS resources and determine whether they are compliant or non-compliant based on the logic of each rule.
- Monitoring stack using CloudWatch to monitor the Lambda functions.
- Elasticsearch stack to ingest the logs from the Lambda functions so they can be easily visualised and searched.
- Reporting stack using CloudWatch Events and additional Lambda functions to report on the status of each Citizen's Config rules.
- Citizen Update stack using an SNS topic and an additional Lambda function to manage the AWS Config rules in each Citizen account.
- Other stuff that makes everything work (IAM roles, policies, Lambda permissions, etc.).
To enable monitoring of a Citizen AWS account, we deploy a stack comprising:
- IAM roles that allow Watchmen to deploy Config rules and to query AWS Config for the compliance status of resources in that account.
- Config rules that show in AWS Config whether resources are compliant or non-compliant.
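The following is an added example of the cross-account flow described above (Config rule in the Citizen account, Lambda in the Watchmen account, evaluation reported back through an assumed Citizen role). It is not code from the Watchmen project; the role name `WatchmenConfigRole`, the `requiredTagKey` rule parameter, the sample event and the tag-check rule logic are all assumptions made for illustration. The rule logic is kept separate from the AWS clients so it can be exercised offline.

```python
"""Cross-account AWS Config custom-rule evaluator in the Watchmen/Citizen shape.
Added example, not Watchmen's own code. Assumptions: the Citizen stack creates a
role named WatchmenConfigRole, and the rule takes a 'requiredTagKey' parameter."""
import json
from typing import Any, Callable, Dict

CITIZEN_ROLE_NAME = "WatchmenConfigRole"  # assumption: role created by the Citizen stack

# Constructed sample of the event AWS Config delivers to a custom-rule Lambda,
# trimmed to the fields this example uses.
SAMPLE_EVENT: Dict[str, Any] = {
    "accountId": "111122223333",            # Citizen account that owns the rule
    "resultToken": "example-result-token",
    "ruleParameters": json.dumps({"requiredTagKey": "Owner"}),
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemCaptureTime": "2019-01-01T00:00:00.000Z",
            "tags": {"Name": "web-1"},      # no Owner tag -> NON_COMPLIANT
        },
    }),
}


def citizen_role_arn(account_id: str) -> str:
    """ARN of the role Watchmen assumes inside a Citizen account."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"bad AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{CITIZEN_ROLE_NAME}"


def evaluate(item: Dict[str, Any], params: Dict[str, Any]) -> str:
    """Rule logic (illustrative): the resource must carry the required tag key."""
    required = params.get("requiredTagKey")
    if not required:
        raise ValueError("rule parameter requiredTagKey is missing")
    return "COMPLIANT" if required in (item.get("tags") or {}) else "NON_COMPLIANT"


def assume_citizen_role(sts: Any, account_id: str) -> Dict[str, str]:
    """STS AssumeRole into the Citizen account; returns boto3 client kwargs."""
    resp = sts.assume_role(RoleArn=citizen_role_arn(account_id),
                           RoleSessionName="watchmen-config-rule")
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def handle(event: Dict[str, Any], sts: Any,
           config_client_for: Callable[[Dict[str, str]], Any]) -> Dict[str, Any]:
    """Evaluate one resource and report the result to AWS Config in the Citizen account."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    # Every read or write of Config state goes through the assumed Citizen role,
    # so the evaluation lands in the Citizen account's Config, not Watchmen's.
    config = config_client_for(assume_citizen_role(sts, event["accountId"]))

    if invoking["messageType"] == "OversizedConfigurationItemChangeNotification":
        # Config omits the item when it is too large; fetch it through the Citizen
        # role (this is the "query AWS Config" permission the Citizen stack grants).
        summary = invoking["configurationItemSummary"]
        history = config.get_resource_config_history(
            resourceType=summary["resourceType"],
            resourceId=summary["resourceId"], limit=1)
        item = history["configurationItems"][0]
    elif invoking["messageType"] == "ConfigurationItemChangeNotification":
        item = invoking["configurationItem"]
    else:
        raise ValueError(f"unsupported messageType {invoking['messageType']!r}")

    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate(item, params),
        "Annotation": f"requires tag {params['requiredTagKey']}"[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point in the Watchmen account: real boto3 clients, imported lazily."""
    import boto3  # lazy so the rule logic above can be tested without boto3
    return handle(event, boto3.client("sts"),
                  lambda creds: boto3.client("config", **creds))
```

Two checks worth making when wiring this up for real: the handler trusts `event["accountId"]` to choose which Citizen role to assume, so the Lambda's resource policy should only allow invocation by `config.amazonaws.com` from the expected Citizen accounts (an `aws:SourceAccount` condition), and the Citizen role's trust policy should name the Watchmen Lambda execution role rather than the whole Watchmen account.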
Watchmen relies on AWS Config. For more information on how it works, refer to: https://aws.amazon.com/config