Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data
Authorization refers to the permission you grant to an aggregator account and Region to collect your Amazon Config configuration and compliance data. Because an authorization lets another account read the configuration and compliance state of this account, grant it only to the specific aggregator account and Region pairs you intend. Authorization is not required when an organization aggregator collects from source accounts that are members of your Amazon Organizations organization. You can use the Amazon Config console or the Amazon CLI to authorize aggregator accounts.
Considerations
There are two types of aggregators: individual account aggregator and organization aggregator.
For an individual account aggregator, authorization is required for every source account and Region that you want to include. This applies to external accounts and Regions and to Organization member accounts and Regions alike; the aggregator receives no data from a source account and Region until that source account has authorized it.
For an organization aggregator, authorization is not required for Organization member accounts and Regions, because authorization is integrated with the Amazon Organizations service.
Aggregators do not automatically enable Amazon Config on your behalf
Amazon Config must be enabled in the source account and Region for either type of aggregator; otherwise no Amazon Config data is generated in that source account and Region for the aggregator to collect.
Adding Authorization
- Adding Authorization (Console)
You can add authorization to grant permission to aggregator accounts and Regions to collect Amazon Config configuration and compliance data.
- Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/home.
- Navigate to the Authorizations page and choose Add authorization.
- For Aggregator account, type the 12-digit account ID of the aggregator account. Verify the ID against a trusted record before you confirm; an authorization granted to the wrong account exposes this account's configuration and compliance data to it.
- For Aggregator region, choose the Amazon Web Services Region where the aggregator account is allowed to collect Amazon Config configuration and compliance data.
- Choose Add authorization to confirm your selection.
Amazon Config displays the aggregator account, Region, and authorization status.
You can also add authorizations to aggregator accounts and Regions programmatically using Amazon CloudFormation sample templates. For more information, see AWS::Config::AggregationAuthorization in the Amazon CloudFormation User Guide.
- Authorizing a Pending Request (Console)
If you have a pending authorization request from an existing aggregator account, you will see the request status on the Authorizations page. You can authorize a pending request from this page.
- Choose the aggregator account that you want to authorize, and then choose Authorize.
A confirmation message is displayed to confirm that you want to grant the aggregator account permission to collect Amazon Config data from this account.
- Choose Authorize again to confirm that you want to grant permission to the aggregator account.
The authorization status changes from Requesting for authorization to Authorized.
Authorization approval period
Authorization approval is required to add source accounts to an individual account aggregator. A pending authorization approval request remains available for 7 days after an individual account aggregator adds a source account.
- Adding Authorization (Amazon CLI)
- Open a command prompt or a terminal window.
- Enter the following command, replacing AccountID with the 12-digit aggregator account ID and Region with the aggregator Region:
aws configservice put-aggregation-authorization --authorized-account-id AccountID --authorized-aws-region Region
- You should see output similar to the following:
{
    "AggregationAuthorization": {
        "AuthorizedAccountId": "AccountID",
        "AggregationAuthorizationArn": "arn:aws:config:Region:AccountID:aggregation-authorization/AccountID/Region",
        "CreationTime": 1518116709.993,
        "AuthorizedAwsRegion": "Region"
    }
}
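Whether an authorization was added in the console or with the CLI, the security-relevant follow-up is the same: confirm that the only aggregator account and Region pairs authorized in a source account are the ones you intended, since each one lets that account read this account's configuration and compliance data. The following script is an added example, not part of the Amazon Config documentation or any Amazon tool. It audits the JSON that `aws configservice describe-aggregation-authorizations` prints in a source account against an allowlist of expected pairs. The allowlist, the account IDs, the Regions and the timestamps below are constructed for illustration; the JSON shape follows the put-aggregation-authorization output shown above.

```python
import json
import re

# Constructed sample of `aws configservice describe-aggregation-authorizations`
# output from a source account (account IDs, Regions and times are made up).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "AggregationAuthorizations": [
        {
            "AggregationAuthorizationArn": "arn:aws-cn:config:cn-north-1:111122223333:"
                                           "aggregation-authorization/444455556666/cn-north-1",
            "AuthorizedAccountId": "444455556666",
            "AuthorizedAwsRegion": "cn-north-1",
            "CreationTime": 1518116709.993,
        },
        {
            # Second entry authorizes a different account: not on the allowlist below.
            "AggregationAuthorizationArn": "arn:aws-cn:config:cn-north-1:111122223333:"
                                           "aggregation-authorization/777788889999/cn-northwest-1",
            "AuthorizedAccountId": "777788889999",
            "AuthorizedAwsRegion": "cn-northwest-1",
            "CreationTime": 1518200000.0,
        },
    ]
})

# Assumed allowlist: the (aggregator account, aggregator Region) pairs this
# source account is supposed to authorize. Anything else is a finding.
EXPECTED_AUTHORIZATIONS = {
    ("444455556666", "cn-north-1"),
    ("444455556666", "cn-northwest-1"),
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Partition : source Region : source account : aggregator account / aggregator Region
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):config:([a-z0-9-]+):(\d{12}):"
    r"aggregation-authorization/(\d{12})/([a-z0-9-]+)$"
)


def parse_authorizations(describe_json):
    """Return the (aggregator account, aggregator Region) pairs in the output.

    Each entry is cross-checked against its own ARN so that a malformed or
    tampered record is rejected rather than silently audited.
    """
    entries = json.loads(describe_json).get("AggregationAuthorizations", [])
    pairs = []
    for entry in entries:
        account = entry["AuthorizedAccountId"]
        region = entry["AuthorizedAwsRegion"]
        match = ARN_RE.match(entry["AggregationAuthorizationArn"])
        if (not ACCOUNT_ID_RE.match(account) or match is None
                or match.group(4) != account or match.group(5) != region):
            raise ValueError(f"malformed authorization entry: {entry}")
        pairs.append((account, region))
    return pairs


def audit_authorizations(describe_json, expected):
    """Compare present authorizations with the allowlist.

    'unexpected' pairs should be revoked with delete-aggregation-authorization;
    'missing' pairs explain why an expected aggregator sees no data from here.
    """
    present = set(parse_authorizations(describe_json))
    return {
        "unexpected": sorted(present - set(expected)),
        "missing": sorted(set(expected) - present),
    }


if __name__ == "__main__":
    print(json.dumps(audit_authorizations(SAMPLE_DESCRIBE_OUTPUT,
                                          EXPECTED_AUTHORIZATIONS), indent=2))
```

To run it against a real source account, replace SAMPLE_DESCRIBE_OUTPUT with the output of `aws configservice describe-aggregation-authorizations` executed in each Region of that account, since authorizations are stored per Region. An unexpected pair is revoked with `aws configservice delete-aggregation-authorization --authorized-account-id AccountID --authorized-aws-region Region`; a missing pair is added with the put-aggregation-authorization command shown above.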