Multi-Account Multi-Region Data Aggregation - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Multi-Account Multi-Region Data Aggregation

An aggregator is an Amazon Config resource type that collects Amazon Config configuration and compliance data from the following:

  • Multiple accounts and multiple Amazon Regions.

  • Single account and multiple Amazon Regions.

  • An organization in Amazon Organizations and all the accounts in that organization which have Amazon Config enabled.

Use an aggregator to view the resource configuration and compliance data recorded in Amazon Config. The following image displays how an aggregator collects Amazon Config data from multiple accounts and Regions.

The image depicts the Amazon Config data aggregation proces. It invovles collecting data from multiple source accounts and Amazon Regions, aggregating resource configuration information and compliance data, and presenting an aggregated view to help with management.

Use Cases

  • Compliance Monitoring: You can aggregate compliance data to assess the overall compliance postures of your organization, or across accounts and Regions.

  • Change Tracking: You can track changes to resources over time across your organization, or across accounts and Regions.

  • Resource Relationships: You can analyze resource dependencies and relationships across your organization, or across accounts and Regions.

Note

Aggregators provide a read-only view into the source accounts and Regions that the aggregator is authorized to view by replicating data from the source accounts into the aggregator account. Aggregators do not provide mutating access into a source account or region. For example, this means that you cannot deploy rules through an aggregator or push snapshot files to a source account or region through an aggregator.

Using aggregators does not incur any additional costs.

Terminology

A source account is the Amazon Web Services account from which you want to aggregate Amazon Config resource configuration and compliance data. A source account can be an individual account or an organization in Amazon Organizations. You can provide source accounts individually or you can retrieve them through Amazon Organizations.

A source region is the Amazon Region from which you want to aggregate Amazon Config configuration and compliance data.

An aggregator account is an account where you create an aggregator.

Authorization refers to the permissions you grant to an aggregator account and region to collect your Amazon Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of Amazon Organizations.

Region Support

Currently, multi-account multi-region data aggregation is supported in the following Regions:

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 config.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 config.us-west-2.amazonaws.com HTTPS
Africa (Cape Town) af-south-1 config.af-south-1.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 config.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Hyderabad) ap-south-2 config.ap-south-2.amazonaws.com HTTPS
Asia Pacific (Jakarta) ap-southeast-3 config.ap-southeast-3.amazonaws.com HTTPS
Asia Pacific (Melbourne) ap-southeast-4 config.ap-southeast-4.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 config.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Osaka) ap-northeast-3 config.ap-northeast-3.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 config.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 config.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 config.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 config.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 config.ca-central-1.amazonaws.com HTTPS
Canada West (Calgary) ca-west-1 config.ca-west-1.amazonaws.com HTTPS
China (Beijing) cn-north-1 config.cn-north-1.amazonaws.com.cn HTTPS
China (Ningxia) cn-northwest-1 config.cn-northwest-1.amazonaws.com.cn HTTPS
Europe (Frankfurt) eu-central-1 config.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 config.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 config.eu-west-2.amazonaws.com HTTPS
Europe (Milan) eu-south-1 config.eu-south-1.amazonaws.com HTTPS
Europe (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
Europe (Spain) eu-south-2 config.eu-south-2.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 config.eu-north-1.amazonaws.com HTTPS
Europe (Zurich) eu-central-2 config.eu-central-2.amazonaws.com HTTPS
Israel (Tel Aviv) il-central-1 config.il-central-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 config.me-south-1.amazonaws.com HTTPS
Middle East (UAE) me-central-1 config.me-central-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 config.sa-east-1.amazonaws.com HTTPS