Multi-Account Multi-Region Data Aggregation - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Multi-Account Multi-Region Data Aggregation

An aggregator is an Amazon Config resource type that collects Amazon Config configuration and compliance data from the following:

  • Multiple accounts and multiple Amazon Regions.

  • Single account and multiple Amazon Regions.

  • An organization in Amazon Organizations and all the accounts in that organization which have Amazon Config enabled.

Use an aggregator to view the resource configuration and compliance data recorded in Amazon Config. An aggregator uses an Amazon S3 bucket to store aggregated data. It periodically retrieves configuration snapshots from the source accounts and stores them in the designated S3 bucket. The following image displays how an aggregator collects Amazon Config data from multiple accounts and Regions.

The image depicts the Amazon Config data aggregation process. It involves collecting data from multiple source accounts and Amazon Regions, aggregating resource configuration information and compliance data, and presenting an aggregated view to help with management.

Use Cases

  • Compliance Monitoring: You can aggregate compliance data to assess the overall compliance postures of your organization, or across accounts and Regions.

  • Change Tracking: You can track changes to resources over time across your organization, or across accounts and Regions.

  • Resource Relationships: You can analyze resource dependencies and relationships across your organization, or across accounts and Regions.

Note

Aggregators provide a read-only view into the source accounts and Regions that the aggregator is authorized to view by replicating data from the source accounts into the aggregator account. Aggregators do not provide mutating access into a source account or Region. For example, this means that you cannot deploy rules through an aggregator or push snapshot files to a source account or Region through an aggregator.

Using aggregators does not incur any additional costs.

Terminology

A source account is the Amazon Web Services account from which you want to aggregate Amazon Config resource configuration and compliance data. A source account can be an individual account or an organization in Amazon Organizations. You can provide source accounts individually or you can retrieve them through Amazon Organizations.

A source region is the Amazon Region from which you want to aggregate Amazon Config configuration and compliance data.

An aggregator account is an account where you create an aggregator.

Authorization refers to the permissions you grant to an aggregator account and Region to collect your Amazon Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of Amazon Organizations.

How to Aggregate Data

To aggregate your Amazon Config data from source accounts and Regions, start with:

  1. Adding an aggregator to aggregate Amazon Config configuration and compliance data from multiple accounts and Regions. For more information, see Setting Up an Aggregator Using the Console and Setting Up an Aggregator Using the Amazon Command Line Interface.

  2. Authorizing aggregator accounts to collect Amazon Config configuration and compliance data. For more information, see Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data Using the Console and Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data Using the Amazon Command Line Interface.

    Note

    There are two types of aggregators: Individual accounts aggregator and Organization aggregator.

    For the individual accounts aggregator, authorization is required for all included source account Regions, including external account Regions or Organization member account Regions.

    For the organization aggregator, authorization is not required for Organization member account Regions since authorization is integrated with the Organizations service.

  3. Monitoring compliance data for rules and accounts in the aggregated view. For more information, see Viewing Compliance and Inventory Data in the Aggregator Dashboard.
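The three steps above, typed into the AWS CLI, as an added example that is not part of the original documentation. The account IDs, aggregator name and Regions are constructed placeholders; the commands are the `aws configservice` subcommands for the individual accounts aggregator, and the status query in the last function is what you would run before consulting the troubleshooting section.

```shell
#!/bin/sh
# Added example, not from the Amazon Config documentation. Account IDs,
# aggregator name and Regions are constructed placeholders.
set -eu

AGGREGATOR_NAME="security-aggregator"   # placeholder aggregator name
AGGREGATOR_ACCOUNT="111111111111"       # placeholder aggregator account ID
AGGREGATOR_REGION="cn-north-1"          # Region the aggregator is created in

# Build the --account-aggregation-sources JSON for an individual accounts
# aggregator. Arguments: "acct1 acct2 ..." "region1 region2 ..."
build_account_sources() {
  ids=""; for a in $1; do ids="${ids:+$ids,}\"$a\""; done
  regions=""; for r in $2; do regions="${regions:+$regions,}\"$r\""; done
  printf '[{"AccountIds":[%s],"AwsRegions":[%s]}]' "$ids" "$regions"
}

# Step 2, run in EACH source account, once per source Region: authorize the
# aggregator account and Region to collect Config data. This is read-only
# access; it grants nothing that can change the source account.
authorize_from_source() {   # $1 = source Region being authorized
  aws configservice put-aggregation-authorization \
    --region "$1" \
    --authorized-account-id "$AGGREGATOR_ACCOUNT" \
    --authorized-aws-region "$AGGREGATOR_REGION"
}

# Step 1, run in the aggregator account: create the individual accounts
# aggregator over the given source accounts and Regions.
create_aggregator() {       # $1 = source account IDs, $2 = source Regions
  aws configservice put-configuration-aggregator \
    --region "$AGGREGATOR_REGION" \
    --configuration-aggregator-name "$AGGREGATOR_NAME" \
    --account-aggregation-sources "$(build_account_sources "$1" "$2")"
}

# Step 3 / troubleshooting: list every source whose last collection did not
# succeed, with its error code, before consulting the troubleshooting tables.
failed_sources() {
  aws configservice describe-configuration-aggregator-sources-status \
    --region "$AGGREGATOR_REGION" \
    --configuration-aggregator-name "$AGGREGATOR_NAME" \
    --query "AggregatedSourceStatusList[?LastUpdateStatus!='SUCCEEDED'].[SourceId,AwsRegion,LastUpdateStatus,LastErrorCode]" \
    --output text
}
# Example run with the placeholders (in the source account, then the aggregator account):
#   authorize_from_source cn-north-1; authorize_from_source cn-northwest-1
#   create_aggregator "222222222222 333333333333" "cn-north-1 cn-northwest-1"
#   failed_sources
```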

Region Support

Currently, multi-account multi-region data aggregation is supported in the following Regions:

| Region Name | Region | Endpoint | Protocol |
| --- | --- | --- | --- |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
| Africa (Cape Town) | af-south-1 | config.af-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Hyderabad) | ap-south-2 | config.ap-south-2.amazonaws.com | HTTPS |
| Asia Pacific (Jakarta) | ap-southeast-3 | config.ap-southeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Melbourne) | ap-southeast-4 | config.ap-southeast-4.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Osaka) | ap-northeast-3 | config.ap-northeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Canada West (Calgary) | ca-west-1 | config.ca-west-1.amazonaws.com | HTTPS |
| China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com.cn | HTTPS |
| China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com.cn | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Milan) | eu-south-1 | config.eu-south-1.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Spain) | eu-south-2 | config.eu-south-2.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Europe (Zurich) | eu-central-2 | config.eu-central-2.amazonaws.com | HTTPS |
| Israel (Tel Aviv) | il-central-1 | config.il-central-1.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
| Middle East (UAE) | me-central-1 | config.me-central-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |

Troubleshooting for Multi-Account Multi-Region Data Aggregation

Amazon Config might not aggregate data from source accounts for one of the following reasons:

| If this happens | Do this |
| --- | --- |
| Amazon Config is not enabled in the source account for accounts within an Organization. | Enable Amazon Config in the source account and authorize the aggregator account to collect data. |
| Authorization is not granted to an aggregator account. | Sign in to the source account and grant authorization to the aggregator account to collect Amazon Config data. |
| There might be a temporary issue that is preventing data aggregation. | Data aggregation is subject to delays. Wait for a few minutes. |

Amazon Config might not aggregate data from an organization for one of the following reasons:

| If this happens | Do this |
| --- | --- |
| Amazon Config is unable to access your organization details due to an invalid IAM role. | Create an IAM role or select a valid IAM role from the IAM role list. Note: If the IAM role is invalid for more than 24 hours, Amazon Config deletes data for the entire organization. |
| Amazon Config service access is disabled in your organization. | You can enable integration between Amazon Config and Amazon Organizations through the EnableAWSServiceAccess API. If you choose Add my organization in the console, Amazon Config automatically enables the integration between Amazon Config and Amazon Organizations. |
| Amazon Config is unable to access your organization details because all features are not enabled in your organization. | Enable all features in the Amazon Organizations console. |
| Organizational changes such as adding an account, removing an account, enabling service access, and disabling service access are not updated in the Middle East (Bahrain) and Asia Pacific (Hong Kong) Regions immediately. | Organizational changes are subject to a 2-hour delay. Wait for 2 hours to see all organization changes. |