Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data Using the Amazon Command Line Interface - Amazon Config

You can authorize aggregator accounts to collect Amazon Config data from source accounts and delete aggregator accounts using the Amazon Command Line Interface (Amazon CLI). To use the Amazon Management Console, see Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data Using the Console.

The Amazon CLI is a unified tool to manage your Amazon services. With just one tool to download and configure, you can control multiple Amazon services from the command line and use scripts to automate them. For more information about the Amazon CLI and for instructions on installing the Amazon CLI tools, see the Amazon Command Line Interface User Guide.

If necessary, type aws configure to configure the Amazon CLI to use an Amazon Region where Amazon Config conformance packs are available.

Considerations

There are two types of aggregators: individual account aggregators and organization aggregators.

For an individual account aggregator, authorization is required for all source accounts and Regions that you want to include, including both external accounts and Regions and Organization member accounts and Regions.

For an organization aggregator, authorization is not required for Organization member accounts and Regions, because authorization is integrated with the Amazon Organizations service.

Aggregators do not automatically enable Amazon Config on your behalf.

Amazon Config needs to be enabled in the source account and Region for either type of aggregator, in order for Amazon Config data to be generated in the source account and Region.

Add Authorization for Aggregator Accounts and Regions

  1. Open a command prompt or a terminal window.

  2. Enter the following command:

    aws configservice put-aggregation-authorization --authorized-account-id AccountID --authorized-aws-region Region

  3. You should see output similar to the following:

    {
        "AggregationAuthorization": {
            "AuthorizedAccountId": "AccountID",
            "AggregationAuthorizationArn": "arn:aws:config:Region:AccountID:aggregation-authorization/AccountID/Region",
            "CreationTime": 1518116709.993,
            "AuthorizedAwsRegion": "Region"
        }
    }

Delete an Authorization Account

Enter the following command:

aws configservice delete-aggregation-authorization --authorized-account-id AccountID --authorized-aws-region Region

If successful, the command executes with no additional output.
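The add and delete procedures above are one command per account and Region pair, and every authorization you keep lets another account read this account's configuration and compliance data. The following helper, an added example that is not part of this guide or the Amazon CLI, builds the put or delete commands for a list of Regions after validating the inputs, and audits the authorizations an account currently holds against an allowlist. The audit input is a constructed sample in the shape of the output shown above; the key name AggregationAuthorizations for the list form is assumed.

```python
import json
import re
import shlex

ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # e.g. us-east-1, cn-north-1


def authorization_commands(account_id, regions, delete=False):
    """Return one 'aws configservice ...' command line per Region.

    Inputs are validated first so that a typo cannot authorize the wrong
    account, and shell-quoted so the lines are safe to paste or script.
    """
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    verb = "delete-aggregation-authorization" if delete else "put-aggregation-authorization"
    commands = []
    for region in regions:
        if not REGION_RE.match(region):
            raise ValueError(f"not a Region name: {region!r}")
        commands.append(
            f"aws configservice {verb} --authorized-account-id {shlex.quote(account_id)} "
            f"--authorized-aws-region {shlex.quote(region)}"
        )
    return commands


def unexpected_authorizations(describe_output, allowed_account_ids):
    """Return (account, Region) pairs authorized to accounts not on the allowlist.

    describe_output is the JSON text returned by
    'aws configservice describe-aggregation-authorizations' (list key assumed).
    """
    data = json.loads(describe_output)
    return [
        (auth["AuthorizedAccountId"], auth["AuthorizedAwsRegion"])
        for auth in data.get("AggregationAuthorizations", [])
        if auth["AuthorizedAccountId"] not in allowed_account_ids
    ]


# Constructed sample: one expected aggregator account and one that is not.
SAMPLE_DESCRIBE = json.dumps({"AggregationAuthorizations": [
    {"AuthorizedAccountId": "111111111111", "AuthorizedAwsRegion": "us-east-1",
     "AggregationAuthorizationArn": "arn:aws:config:us-east-1:222222222222:aggregation-authorization/111111111111/us-east-1",
     "CreationTime": 1518116709.993},
    {"AuthorizedAccountId": "999999999999", "AuthorizedAwsRegion": "eu-west-1",
     "AggregationAuthorizationArn": "arn:aws:config:eu-west-1:222222222222:aggregation-authorization/999999999999/eu-west-1",
     "CreationTime": 1518116800.0},
]})

if __name__ == "__main__":
    for cmd in authorization_commands("111111111111", ["us-east-1", "eu-west-1"]):
        print(cmd)
    print(unexpected_authorizations(SAMPLE_DESCRIBE, {"111111111111"}))
```

Run the audit periodically in each source account; any pair it reports is an authorization to delete with the command above unless it is a known aggregator.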