icon-zcspm.svg
ZCSPM

Enabling AWS Config Based Data Collection

If your Amazon Web Services (AWS) cloud deployment has a lot of resources, Zscaler recommends enabling the AWS Config based metadata collection. ZCSPM will be able to access large configuration metadata more effectively using the AWS Config APIs.

Create an AWS IAM Role for ZCSPM before you enable AWS Config based metadata collection.

Enabling AWS Config Based Metadata Collection using AWS Console

    1. Log in to the AWS Console.
    2. Go to Services > Config.
    3. Click Get started.
    4. Select the Record all resources supported in this region option, then check the Include global resources (e.g., AWS IAM resources) check box.
    5. Select the Use an existing AWS Config service-linked role option.
    6. Select Create a bucket, then enter the S3 bucket name.
    7. Click Next. You don't need to make any changes on the Rules page. Click Next.
    8. Click Confirm.

    Close

  • You must select a primary region to set up the aggregator.

    1. Go to Services > Config.
    2. From the left pane, click Aggregators.
    3. Click Create aggregator.
    4. Check the Allow AWS Config to replicate data from source account(s) into an aggregator account. check box.
    5. Enter the Aggregator name.
    6. Select Add individual account IDs.
    7. Click Add AWS account IDs, then enter the AWS account IDs.
    8. Under Regions, click Select all regions. Then, check the Include future AWS regions check box.

    After you are done setting up, AWS Config will start aggregating configuration metadata from the primary and secondary regions into the aggregator. It might take a few minutes for the metadata collection to finish.

    Zscaler recommends you wait until the metadata collection finishes before onboarding the AWS account on to ZCSPM.

    Close
    1. Log in into ZCSPM as a License Admin.
    2. Click Activate License.
    3. Select AWS and click Continue.
    4. Enter the Cloud Account Name, the AWS Account Id, and the AWS Role Name.

    You must enter the same role name which you chose when you created the role. See Creating an AWS role above.

    1. Turn on the AWS Config Based Data Collection toggle button.
    2. Enter the AWS Config Aggregator Name.
    3. Select an AWS Config Aggregator Region from the drop-down menu.
    4. Click Add Account.

    View how to onboard an AWS config-enabled account on ZCSPM

    Close

Enabling AWS Config Based Metadata Collection using AWS CLI

    1. Ensure AWS CLI is installed.
    2. Download the AWS Config deployment script files from ZCSPM Github.
    3. Install the serverless npm module using the following command:
    npm install -g serverless
    1. Install JQ on your bash terminal.
    2. On the AWS CLI, go to the folder location where you have cloned the repository from ZCSPM Github.
    3. Enter the following command:
    aws configure
    1. Enter the AWS Access Key ID and AWS Secret Access Key. To generate them:
      1. Click your Account name on the top-right corner, then click My Security Credentials.
      2. In the AWS IAM credentials section, you can view the access keys under Access keys for CLI, SDK, & API access.
    2. Enter the default region name, (e.g., us-east-1).
    3. Enter the default output format as JSON.
    1. Enable AWS Config and set up the aggregator, run the following command:
    bash deploy-config.sh -a <AWS-account-id> -e <cloudneeti-environment-prefix> -n <Config-aggregator-name> -p <primary-aggregator-region> -s <list of secondary regions>
    • (-a) AWS Account ID: 12-digit AWS Account ID of the account where you want to enable AWS Config.
    • (-e) Environment Prefix: Enter any suitable prefix for your deployment.
    • (-n) Config Aggregator Name: Suitable name for the AWS Config aggregator.
    • (-p) Config Aggregator Region (primary)
    • (-s) Region List (secondary)

    When you run the AWS Config deployment script and you have already set up AWS Config, the configuration will be changed for the chosen regions.

    Close

  • Verify that the following AWS resources are created in your AWS console:

    • Cloudformation stack is deployed in the primary and secondary regions.

    • AWS S3 Bucket is set up.

    • AWS Config service role is created.
    • AWS Config recording is on in the primary and secondary regions.
    • Aggregator is set up in the primary region.

    Once you are done setting up, AWS Config will start aggregating configuration metadata from the primary and secondary regions into the aggregator. It might take a few minutes for the metadata collection to finish. Once completed, onboard the AWS account on ZCSPM.

    Close

Decommissioning AWS Config

    1. Go to Cloud Account > Configurations.
    2. Select Update Cloud Account, then click Configure Accounts.
    3. Disable AWS Config Based Data Collection using the toggle button, then click Save.
    Close

  • You need to delete the AWS Config deployment bucket. Search config-bucket on the AWS Console and delete the appropriate deployment bucket.

    Close
    1. Download the decommission script files from ZCSPM Git.
    2. On the AWS Console, go to the AWS Config onboarding downloaded directory using the following command:
    cd aws-config-onboarding
    1. Decommission AWS Config resources in AWS account using the following command:
    bash decommission-config.sh -a <AWS-account-id> -e <environment-prefix> -p <primary-aggregator-region>
    • (-a)AWS Account ID: 12-digit AWS Account ID of the account where you want to enable AWS Config.
    • (-e) Environment Prefix: Enter any suitable prefix for your deployment.
    • (-p) Config aggregator region (primary)
    Close
Related Articles
Onboarding an AWS AccountEnabling AWS Config Based Data CollectionGranting Access to KMS Keys on AWSGranting Access to AWS BackupEnabling AWS Inspector Agent for OS Baseline and Vulnerability ConfigurationsConfiguring the ZCSPM Agent for the Amazon Elastic Kubernetes ServiceVerifying the Cloud Account Health Status for AWSOffboarding an AWS Account