Setting Up an Aggregator Using the Amazon Command Line Interface - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting Up an Aggregator Using the Amazon Command Line Interface

You can create, view, update, and delete Amazon Config aggregator data using the Amazon Command Line Interface (Amazon CLI).

The Amazon CLI is a unified tool to manage your Amazon services. With just one tool to download and configure, you can control multiple Amazon services from the command line and use scripts to automate them. For more information about the Amazon CLI and for instructions on installing the Amazon CLI tools, see the Amazon Command Line Interface User Guide.

If necessary, enter aws configure to configure the Amazon CLI to use an Amazon Region where Amazon Config aggregators are available.

Add an Aggregator Using Individual Accounts

  1. Open a command prompt or a terminal window.

  2. Enter the following command to create an aggregator named MyAggregator.

    aws configservice put-configuration-aggregator --configuration-aggregator-name MyAggregator --account-aggregation-sources "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]"

    For account-aggregation-sources, enter one of the following.

    • A comma-separated list of Amazon account IDs for which you want to aggregate data. Wrap the account IDs in square brackets, and be sure to escape quotation marks (for example, "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]").

    • You can also upload a JSON file of comma-separated Amazon account IDs. Upload the file using the following syntax: --account-aggregation-sources MyFilePath/MyFile.json

      The JSON file must be in the following format:

    [
        {
            "AccountIds": [
                "AccountID1",
                "AccountID2",
                "AccountID3"
            ],
            "AllAwsRegions": true
        }
    ]

  3. Press Enter to execute the command.

    You should see output similar to the following:

    {
        "ConfigurationAggregator": {
            "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "MyAggregator",
            "AccountAggregationSources": [
                {
                    "AllAwsRegions": true,
                    "AccountIds": [
                        "AccountID1",
                        "AccountID2",
                        "AccountID3"
                    ]
                }
            ],
            "LastUpdatedTime": 1517942461.442
        }
    }

Add an Aggregator Using Amazon Organizations

Before you begin this procedure, you must be signed in to the management account or a registered delegated administrator, and all features must be enabled in your organization.

Note

Ensure that the management account registers a delegated administrator with both of the following Amazon Config service principal names (config.amazonaws.com and config-multiaccountsetup.amazonaws.com) before the delegated administrator creates an aggregator. To register a delegated administrator, see Register a Delegated Administrator.

  1. Open a command prompt or a terminal window.

  2. If you have not created an IAM role for your Amazon Config aggregator, enter the following command:

    aws iam create-role --role-name OrgConfigRole --assume-role-policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" --description "Role for organizational AWS Config aggregator"
    Note

    Copy the Amazon Resource Name (ARN) from this IAM role for use when you create your Amazon Config aggregator. You can find the ARN on the response object.

  3. If you have not attached a policy to your IAM role, attach the AWSConfigRoleForOrganizations managed policy or enter the following command:

    aws iam create-policy --policy-name OrgConfigPolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["organizations:ListAccounts","organizations:DescribeOrganization","organizations:ListAWSServiceAccessForOrganization","organizations:ListDelegatedAdministrators"],"Resource":"*"}]}'
  4. Enter the following command to create an aggregator named MyAggregator.

    aws configservice put-configuration-aggregator --configuration-aggregator-name MyAggregator --organization-aggregation-source "{\"RoleArn\": \"Complete-Arn\",\"AllAwsRegions\": true}"
  5. Press Enter to execute the command.

    You should see output similar to the following:

    {
        "ConfigurationAggregator": {
            "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "MyAggregator",
            "OrganizationAggregationSource": {
                "AllAwsRegions": true,
                "RoleArn": "arn:aws-cn:iam::account-of-role-to-assume:role/name-of-role"
            },
            "LastUpdatedTime": 1517942461.442
        }
    }
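The two aggregation-source shapes used in the procedures above (a list of account IDs, or an organization role ARN) are easy to get wrong when the JSON is built by a script, and a malformed value is only reported after the API call. The following POSIX sh functions, added here as an example that is not part of the Amazon Config documentation, build the inline JSON for both shapes and reject malformed account IDs or role ARNs before the CLI is invoked; the account IDs and role name in the comments are constructed placeholders.

```shell
#!/bin/sh
# An account ID is exactly 12 decimal digits; nothing else is accepted.
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# Individual accounts: JSON for --account-aggregation-sources.
# Usage: build_account_sources true 111122223333 444455556666
build_account_sources() {
  all_regions="$1"; shift
  ids=""
  for id in "$@"; do
    valid_account_id "$id" || { echo "invalid account ID: $id" >&2; return 1; }
    ids="${ids:+$ids,}\"$id\""
  done
  [ -n "$ids" ] || { echo "no account IDs given" >&2; return 1; }
  printf '[{"AccountIds":[%s],"AllAwsRegions":%s}]' "$ids" "$all_regions"
}

# Organizations: JSON for --organization-aggregation-source. Only an IAM role
# ARN in the aws or aws-cn partition with a valid account field is accepted.
# Usage: build_org_source true arn:aws-cn:iam::111122223333:role/OrgConfigRole
build_org_source() {
  all_regions="$1"; role_arn="$2"
  acct="${role_arn#arn:aws:iam::}"; acct="${acct#arn:aws-cn:iam::}"; acct="${acct%%:*}"
  case "$role_arn" in
    arn:aws:iam::*:role/*|arn:aws-cn:iam::*:role/*) valid_account_id "$acct" ;;
    *) false ;;
  esac || { echo "not an IAM role ARN: $role_arn" >&2; return 1; }
  printf '{"RoleArn":"%s","AllAwsRegions":%s}' "$role_arn" "$all_regions"
}

# Live wrappers: the validated JSON is passed inline, as in the commands above.
create_account_aggregator() {
  name="$1"; shift
  src="$(build_account_sources true "$@")" || return 1
  aws configservice put-configuration-aggregator \
    --configuration-aggregator-name "$name" --account-aggregation-sources "$src"
}
create_org_aggregator() {
  src="$(build_org_source true "$2")" || return 1
  aws configservice put-configuration-aggregator \
    --configuration-aggregator-name "$1" --organization-aggregation-source "$src"
}
```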

Register a Delegated Administrator

Delegated administrators are accounts within a given Amazon Organization that are granted additional administrative privileges for a specified Amazon service.

  1. Log in with management account credentials.

  2. Open a command prompt or a terminal window.

  3. Enter the following command to enable service access as a delegated administrator for your organization to deploy and manage Amazon Config rules and conformance packs across your organization:

    aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
  4. Enter the following command to enable service access as a delegated administrator for your organization to aggregate Amazon Config data across your organization:

    aws organizations enable-aws-service-access --service-principal=config.amazonaws.com
  5. To check whether service access has been enabled, enter the following command and press Enter to execute the command.

    aws organizations list-aws-service-access-for-organization

    You should see output similar to the following:

    {
        "EnabledServicePrincipals": [
            {
                "ServicePrincipal": [
                    "config.amazonaws.com",
                    "config-multiaccountsetup.amazonaws.com"
                ],
                "DateEnabled": 1607020860.881
            }
        ]
    }

  6. Next, enter the following command to register a member account as a delegated administrator for Amazon Config.

    aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id MemberAccountID

    and

    aws organizations register-delegated-administrator --service-principal=config.amazonaws.com --account-id MemberAccountID
  7. To check whether the delegated administrator registration is complete, enter the following commands from the management account and press Enter to execute each command.

    aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com

    and

    aws organizations list-delegated-administrators --service-principal=config.amazonaws.com

    You should see output similar to the following:

    {
        "DelegatedAdministrators": [
            {
                "Id": "MemberAccountID",
                "Arn": "arn:aws:organizations::MemberAccountID:account/o-c7esubdi38/MemberAccountID",
                "Email": "name@amazon.com",
                "Name": "name",
                "Status": "ACTIVE",
                "JoinedMethod": "INVITED",
                "JoinedTimestamp": 1604867734.48,
                "DelegationEnabledDate": 1607020986.801
            }
        ]
    }
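The note earlier on this page requires the same member account to be registered for both service principals; the two list-delegated-administrators outputs above are what that check reads. The following POSIX sh functions, added here as an example that is not part of the Amazon Config documentation, run that check over both outputs and report which registration is still missing. The SAMPLE_* responses and the account ID 111122223333 are constructed stand-ins for live CLI output.

```shell
#!/bin/sh
# Constructed stand-ins for the two list-delegated-administrators responses;
# check_delegation_live below substitutes real output.
SAMPLE_MULTIACCOUNT='{ "DelegatedAdministrators": [ { "Id": "111122223333",
  "Name": "security", "Status": "ACTIVE", "DelegationEnabledDate": 1607020986.801 } ] }'
SAMPLE_CONFIG='{ "DelegatedAdministrators": [] }'

# Succeed only if an entry for this account ID carries Status ACTIVE. grep is
# used instead of jq so the check runs on any POSIX shell; [^}]* keeps both
# fields inside one administrator object, whichever order they appear in.
has_active_admin() {
  printf '%s' "$1" | tr -d '\n' | grep -q \
    -e "\"Id\": *\"$2\"[^}]*\"Status\": *\"ACTIVE\"" \
    -e "\"Status\": *\"ACTIVE\"[^}]*\"Id\": *\"$2\""
}

# Check both principals and name each one still missing, so the management
# account knows which register-delegated-administrator call remains.
check_delegation() {
  account="$1"; multi_json="$2"; config_json="$3"; rc=0
  has_active_admin "$multi_json" "$account" ||
    { echo "$account: not delegated for config-multiaccountsetup.amazonaws.com" >&2; rc=1; }
  has_active_admin "$config_json" "$account" ||
    { echo "$account: not delegated for config.amazonaws.com" >&2; rc=1; }
  return $rc
}

# Live version: run from the management account with the CLI configured.
check_delegation_live() {
  check_delegation "$1" \
    "$(aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com)" \
    "$(aws organizations list-delegated-administrators --service-principal=config.amazonaws.com)"
}
```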

View an Aggregator

  1. Enter the following command:

    aws configservice describe-configuration-aggregators
  2. Depending on your aggregation source, you should see output similar to the following:

    For individual accounts

    {
        "ConfigurationAggregators": [
            {
                "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
                "CreationTime": 1517942461.442,
                "ConfigurationAggregatorName": "MyAggregator",
                "AccountAggregationSources": [
                    {
                        "AllAwsRegions": true,
                        "AccountIds": [
                            "AccountID1",
                            "AccountID2",
                            "AccountID3"
                        ]
                    }
                ],
                "LastUpdatedTime": 1517942461.455
            }
        ]
    }

    OR

    For an organization

    {
        "ConfigurationAggregator": {
            "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "MyAggregator",
            "OrganizationAggregationSource": {
                "AllAwsRegions": true,
                "RoleArn": "arn:aws-cn:iam::account-of-role-to-assume:role/name-of-role"
            },
            "LastUpdatedTime": 1517942461.442
        }
    }

Edit an Aggregator

  1. You can use the put-configuration-aggregator command to update or edit a configuration aggregator.

    Enter the following command to add a new account ID to MyAggregator:

    aws configservice put-configuration-aggregator --configuration-aggregator-name MyAggregator --account-aggregation-sources "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\",\"AccountID4\"],\"AllAwsRegions\": true}]"

  2. Depending on your aggregation source, you should see output similar to the following:

    For individual accounts

    {
        "ConfigurationAggregator": {
            "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-xz2upuu6",
            "CreationTime": 1517952090.769,
            "ConfigurationAggregatorName": "MyAggregator",
            "AccountAggregationSources": [
                {
                    "AllAwsRegions": true,
                    "AccountIds": [
                        "AccountID1",
                        "AccountID2",
                        "AccountID3",
                        "AccountID4"
                    ]
                }
            ],
            "LastUpdatedTime": 1517952566.445
        }
    }

    OR

    For an organization

    {
        "ConfigurationAggregator": {
            "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "MyAggregator",
            "OrganizationAggregationSource": {
                "AllAwsRegions": true,
                "RoleArn": "arn:aws-cn:iam::account-of-role-to-assume:role/name-of-role"
            },
            "LastUpdatedTime": 1517942461.442
        }
    }

Delete an Aggregator

To delete a configuration aggregator using the Amazon CLI

  • Enter the following command:

    aws configservice delete-configuration-aggregator --configuration-aggregator-name MyAggregator

    If successful, the command executes with no additional output.
