AWS Config - baseline for enabling access logging and S3 buckets in member accounts

Hi,

To achieve this kind of automation, you can use a combination of AWS services (Primarily, Config rule, Lambda Function, and CFn Stacksets).

Flow could look like this:

1. Create a Config rule that checks whether S3 Access Logging is enabled on S3 buckets [1]. If not, it triggers a remediation action.
2. Create a Lambda function for remediation action to enable S3 Access logging. You can, alternatively, use SSM Automation for remediation action [2].
3. Create a Cloudformation Stackset to deploy them (Config rule & Lambda) across all accounts in your Organizations [3].

Note: You would also need to configure appropriate IAM roles and permissions for the resources.

For aggregating logs to a central S3 buckets in log archive account, you would need to add replication rules to your existing buckets, and configure the destination bucket(s) in the central logging account. It depends on a lot of factors on how you want your logging design to be, including, replication of all buckets or just a few, whether they will all be replicated to one bucket or different, and so on. You can accordingly design and create automation for the same. If you need further insights on this, please share your specific requirements on this.

References:
[1] https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html
[2] https://aws.amazon.com/blogs/mt/aws-config-auto-remediation-s3-compliance/
[3] https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html

Thanks,
Atul