Is it possible to auto enable AWS Config on addition of a new account to organisation?


AWS has auto-join/auto-enable recording of new resources and accounts in Security Hub, which I am happily using. I wanted to enable the same kind of setting for AWS Config, which currently requires manual setup for every new account in my organisation. However, I failed to find anything similar to the aforementioned Security Hub feature in Config.

Am I missing it or is it currently not available out-of-box?



karan shah

@Ido Van Orell I do not think there is a native feature in AWS Config, but what you can leverage for this is CloudFormation StackSets.

Create a CloudFormation template that enables AWS Config. Deploy it as a StackSet with automatic deployment enabled. This should ensure that when a new account joins your org, AWS Config is enabled.

If you are using AWS Control Tower by any chance, you also get an event when an account is vended, which you can run automation on the back of.

    {
      "detail-type": ["AWS Service Event via CloudTrail"],
      "source": ["aws.controltower"],
      "detail": {
        "eventName": ["CreateManagedAccount"],
        "serviceEventDetails": {
          "createManagedAccountStatus": { "state": ["SUCCEEDED"] }
        }
      }
    }

Use AWS Config Aggregator's integration with AWS Organisations to get a single-pane-of-glass view across all accounts and regions of the org where Config is enabled. Refer to this.
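As an added worked example for the StackSet approach described in the answer above (this is not the answerer's template, and it is not taken from AWS documentation): a minimal CloudFormation template that turns on AWS Config in whatever member account and region a stack instance lands in. It assumes a central S3 bucket, passed in as the hypothetical `LogBucketName` parameter, already exists in a logging account and already has a bucket policy allowing `config.amazonaws.com` to write to it; the file name `enable-config.yaml`, the stack set name and the OU ids in the usage note are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Enable AWS Config in whichever account and region this StackSet instance
  lands in. Added example for this thread, not the answerer's own template.
  Assumes a central log bucket (LogBucketName) already exists and already
  carries a bucket policy allowing config.amazonaws.com to write to it.

Parameters:
  LogBucketName:
    Type: String
    Description: Existing central S3 bucket for Config snapshots and history (assumed to exist).
  IncludeGlobalResources:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "false"
    Description: >-
      Set to "true" in exactly one region per account; otherwise global
      resources such as IAM users and roles are recorded once per region.

Conditions:
  RecordGlobal: !Equals [!Ref IncludeGlobalResources, "true"]

Resources:
  # Config needs its service-linked role to read resource configuration.
  # Creating it fails if the role already exists, so this template is meant
  # for fresh accounts, which is exactly what StackSet automatic deployment
  # targets.
  ConfigServiceLinkedRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: config.amazonaws.com

  # The recorder is what actually turns Config on; CloudFormation starts it
  # once the resource is created.
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    DependsOn: ConfigServiceLinkedRole
    Properties:
      Name: default
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: !If [RecordGlobal, true, false]

  # A delivery channel can only be created after a recorder exists, and the
  # recorder cannot run without one, hence the explicit ordering.
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn: ConfigRecorder
    Properties:
      Name: default
      S3BucketName: !Ref LogBucketName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours
```

To get the "new account joins, Config appears" behaviour, the stack set has to use the service-managed permission model with auto-deployment turned on, which in turn requires trusted access between CloudFormation StackSets and AWS Organizations to be enabled in the management account first. From the management (or delegated administrator) account: `aws cloudformation create-stack-set --stack-set-name enable-aws-config --template-body file://enable-config.yaml --parameters ParameterKey=LogBucketName,ParameterValue=<bucket> --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false --capabilities CAPABILITY_IAM`, then `aws cloudformation create-stack-instances --stack-set-name enable-aws-config --deployment-targets OrganizationalUnitIds=<ou-id> --regions <home-region> --parameter-overrides ParameterKey=IncludeGlobalResources,ParameterValue=true`, and a second `create-stack-instances` call for the remaining regions without the override. Accounts later added to those OUs get the stack automatically; accounts already in them, and accounts that already had Config (and therefore the service-linked role) before the stack set existed, need a one-off deployment or a template variant that does not create the role.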