To support a scalable and secure multi-account AWS Config integration with Observe, AWS recommends delivering all Config data to a centralized S3 bucket. This setup simplifies observability and security management by consolidating logs from all accounts into a single location.
This article outlines how to configure an S3 bucket policy that allows multiple AWS accounts to deliver AWS Config data to a shared bucket monitored by Observe.
Prerequisites
- A central S3 bucket (e.g., observe-central-config-bucket) in the designated log archive or security tooling account.
- AWS Config enabled in all source accounts, configured to deliver to the shared bucket.
- The Observe AWS Collection deployed and configured to subscribe to this shared bucket.
- A list of the source account IDs that will write to the bucket.
Example: S3 Bucket Policy for Shared AWS Config Collection
Update the following example:
- Replace 111111111111 and 222222222222 with the source AWS account IDs.
- Replace observe-central-config-bucket with your S3 bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::observe-central-config-bucket"
    },
    {
      "Sid": "AWSConfigWriteAccessAccount1",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::observe-central-config-bucket/AWSLogs/111111111111/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "AWSConfigWriteAccessAccount2",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::observe-central-config-bucket/AWSLogs/222222222222/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Repeat the s3:PutObject statement, with its own Sid and account-scoped Resource, for each AWS account sending Config data.
Updated Bucket Policy to Allow Observe to Read
Assuming:
- Your Observe collection uses an IAM role such as arn:aws:iam::333333333333:role/observe-collection-role.
- Your bucket is observe-central-config-bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::observe-central-config-bucket"
    },
    {
      "Sid": "AWSConfigWriteAccessAccount1",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::observe-central-config-bucket/AWSLogs/111111111111/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "AWSConfigWriteAccessAccount2",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::observe-central-config-bucket/AWSLogs/222222222222/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "ObserveReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::333333333333:role/observe-collection-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::observe-central-config-bucket",
        "arn:aws:s3:::observe-central-config-bucket/AWSLogs/*/Config/*"
      ]
    }
  ]
}
Security Tip
- Grant the Observe role read access only: no s3:PutObject and no s3:DeleteObject.
- Scope access to the specific prefix (AWSLogs/…/Config/) so Observe cannot accidentally read unrelated bucket contents.
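To make the "repeat the PutObject block per account" step and the Security Tip checkable, the following added example (not part of the Observe article or its tooling) generates the bucket policy above for any list of source accounts and lints the result against the two tips: the Observe role must have only s3:GetObject and s3:ListBucket, and every object resource must be scoped to the AWSLogs/<account>/Config/ prefix. The account IDs, bucket name and role ARN are the article's placeholders; the regex and the finding strings are this example's own.

```python
import json
import re

BUCKET = "observe-central-config-bucket"              # placeholder bucket name from the article
SOURCE_ACCOUNTS = ["111111111111", "222222222222"]    # placeholder source account IDs from the article
OBSERVE_ROLE = "arn:aws:iam::333333333333:role/observe-collection-role"
# Object ARNs allowed for both writers and the reader: a single account or a wildcard, Config prefix only.
CONFIG_PREFIX = re.compile(r"^arn:aws:s3:::[^/]+/AWSLogs/(\d{12}|\*)/Config/\*$")

def build_policy(bucket, accounts, observe_role):
    """Emit the article's bucket policy with one s3:PutObject statement per source account."""
    arn = f"arn:aws:s3:::{bucket}"
    statements = [{"Sid": "AWSConfigPermissionsCheck", "Effect": "Allow",
                   "Principal": {"Service": "config.amazonaws.com"},
                   "Action": "s3:GetBucketAcl", "Resource": arn}]
    for i, acct in enumerate(accounts, start=1):
        statements.append({"Sid": f"AWSConfigWriteAccessAccount{i}", "Effect": "Allow",
                           "Principal": {"Service": "config.amazonaws.com"},
                           "Action": "s3:PutObject",
                           "Resource": f"{arn}/AWSLogs/{acct}/Config/*",
                           "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}})
    statements.append({"Sid": "ObserveReadAccess", "Effect": "Allow",
                       "Principal": {"AWS": observe_role},
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": [arn, f"{arn}/AWSLogs/*/Config/*"]})
    return {"Version": "2012-10-17", "Statement": statements}

def lint_policy(policy, bucket):
    """Apply the Security Tip rules; returns a list of findings (empty list means the policy passes)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for st in policy["Statement"]:
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        resources = [st["Resource"]] if isinstance(st["Resource"], str) else st["Resource"]
        if "AWS" in st["Principal"]:  # an IAM principal (the Observe role) may only read
            for a in actions:
                if a not in ("s3:GetObject", "s3:ListBucket"):
                    findings.append(f"{st['Sid']}: non-read action {a}")
        for r in resources:  # bucket-level ARN is fine; object ARNs must stay under the Config prefix
            if r != bucket_arn and not CONFIG_PREFIX.match(r):
                findings.append(f"{st['Sid']}: resource not scoped to AWSLogs/.../Config/: {r}")
        if "s3:PutObject" in actions and not st.get("Condition"):
            findings.append(f"{st['Sid']}: PutObject without bucket-owner-full-control condition")
    return findings

if __name__ == "__main__":
    policy = build_policy(BUCKET, SOURCE_ACCOUNTS, OBSERVE_ROLE)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy, BUCKET))
```

Run it against the policy you intend to apply (parsed from JSON) before calling PutBucketPolicy; a non-empty findings list means one of the statements drifted from the prefix-scoped, read-only shape described above.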