Multi-Account Multi-Region Data Aggregation
An aggregator is an Amazon Config resource type that collects Amazon Config configuration and compliance data from the following:
- Multiple accounts and multiple Amazon Regions.
- Single account and multiple Amazon Regions.
- An organization in Amazon Organizations and all the accounts in that organization which have Amazon Config enabled.
Use an aggregator to view the resource configuration and compliance data recorded in Amazon Config. The following image displays how an aggregator collects Amazon Config data from multiple accounts and Regions.
Use Cases
- Compliance Monitoring: You can aggregate compliance data to assess the overall compliance posture of your organization, or across accounts and Regions.
- Change Tracking: You can track changes to resources over time across your organization, or across accounts and Regions.
- Resource Relationships: You can analyze resource dependencies and relationships across your organization, or across accounts and Regions.
Note
Aggregators provide a read-only view into the source accounts and Regions that the aggregator is authorized to view by replicating data from the source accounts into the aggregator account. Aggregators do not provide mutating access into a source account or Region. For example, you cannot deploy rules through an aggregator or push snapshot files to a source account or Region through an aggregator.
Using aggregators does not incur any additional costs.
Terminology
A source account is the Amazon Web Services account from which you want to aggregate Amazon Config resource configuration and compliance data. A source account can be an individual account or an organization in Amazon Organizations. You can provide source accounts individually or you can retrieve them through Amazon Organizations.
A source region is the Amazon Region from which you want to aggregate Amazon Config configuration and compliance data.
An aggregator account is an account where you create an aggregator.
Authorization refers to the permissions you grant to an aggregator account and region to collect your Amazon Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of Amazon Organizations.
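Because an authorization lets the named aggregator account and Region replicate a source account's configuration data, it is worth reviewing which grants exist. The following is an added example, not code from the Amazon Config documentation: it works offline on constructed samples shaped like the DescribeConfigurationAggregators and DescribeAggregationAuthorizations responses, and the account IDs, aggregator names, role name and approved list are assumptions.

```python
"""Audit aggregation authorizations against an approved aggregator list."""

# Constructed sample shaped like a DescribeConfigurationAggregators response.
AGGREGATORS = {"ConfigurationAggregators": [
    {"ConfigurationAggregatorName": "security-individual",
     "AccountAggregationSources": [
         {"AccountIds": ["111111111111", "222222222222"],
          "AllAwsRegions": False, "AwsRegions": ["us-east-1", "eu-west-1"]}]},
    {"ConfigurationAggregatorName": "security-org",
     "OrganizationAggregationSource": {
         "RoleArn": "arn:aws:iam::999999999999:role/ExampleAggregatorRole",
         "AllAwsRegions": True}},
]}

# Constructed sample shaped like a DescribeAggregationAuthorizations response,
# as it would be read in source account 111111111111.
AUTHORIZATIONS = {"AggregationAuthorizations": [
    {"AuthorizedAccountId": "999999999999", "AuthorizedAwsRegion": "us-east-1"},
    {"AuthorizedAccountId": "333333333333", "AuthorizedAwsRegion": "us-west-2"},
]}

# Assumption: the aggregator accounts and Regions your organization approved.
APPROVED_AGGREGATORS = {("999999999999", "us-east-1")}


def accounts_needing_authorization(aggregators):
    """Map aggregator name -> source accounts that must grant authorization.

    Organization-based aggregators need none; individually listed accounts do.
    """
    needed = {}
    for agg in aggregators["ConfigurationAggregators"]:
        ids = set()
        if "OrganizationAggregationSource" not in agg:
            for src in agg.get("AccountAggregationSources", []):
                ids.update(src["AccountIds"])
        needed[agg["ConfigurationAggregatorName"]] = sorted(ids)
    return needed


def unexpected_grants(authorizations, approved):
    """Return (account, region) grants that are not on the approved list."""
    granted = {(a["AuthorizedAccountId"], a["AuthorizedAwsRegion"])
               for a in authorizations["AggregationAuthorizations"]}
    return sorted(granted - approved)


if __name__ == "__main__":
    print(accounts_needing_authorization(AGGREGATORS))
    print(unexpected_grants(AUTHORIZATIONS, APPROVED_AGGREGATORS))
```
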
Region Support
Currently, multi-account multi-region data aggregation is supported in the following Regions:
Region Name | Region | Endpoint | Protocol |
---|---|---|---|
US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
Africa (Cape Town) | af-south-1 | config.af-south-1.amazonaws.com | HTTPS |
Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
Asia Pacific (Hyderabad) | ap-south-2 | config.ap-south-2.amazonaws.com | HTTPS |
Asia Pacific (Jakarta) | ap-southeast-3 | config.ap-southeast-3.amazonaws.com | HTTPS |
Asia Pacific (Melbourne) | ap-southeast-4 | config.ap-southeast-4.amazonaws.com | HTTPS |
Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
Asia Pacific (Osaka) | ap-northeast-3 | config.ap-northeast-3.amazonaws.com | HTTPS |
Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
Canada West (Calgary) | ca-west-1 | config.ca-west-1.amazonaws.com | HTTPS |
China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com.cn | HTTPS |
China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com.cn | HTTPS |
Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
Europe (Milan) | eu-south-1 | config.eu-south-1.amazonaws.com | HTTPS |
Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
Europe (Spain) | eu-south-2 | config.eu-south-2.amazonaws.com | HTTPS |
Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
Europe (Zurich) | eu-central-2 | config.eu-central-2.amazonaws.com | HTTPS |
Israel (Tel Aviv) | il-central-1 | config.il-central-1.amazonaws.com | HTTPS |
Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
Middle East (UAE) | me-central-1 | config.me-central-1.amazonaws.com | HTTPS |
South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |