Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data Using the Amazon Command Line Interface
You can authorize aggregator accounts to collect Amazon Config data from source accounts and delete aggregator accounts using the Amazon Command Line Interface (Amazon CLI). To use the Amazon Management Console, see Authorizing Aggregator Accounts to Collect Amazon Config Configuration and Compliance Data Using the Console.
The Amazon CLI is a unified tool to manage your Amazon services. With just one tool to download and configure, you can control multiple Amazon services from the command line and use scripts to automate them. For more information about the Amazon CLI and for instructions on installing the Amazon CLI tools, see the following in the Amazon Command Line Interface User Guide.
If necessary, type aws configure
to configure the Amazon CLI to use an Amazon
Region where Amazon Config conformance packs are available.
Topics
Considerations
There are two types of aggregators: Individual account aggregator and Organization aggregator
For an individual account aggregator, authorization is required for all source accounts and Regions that you want to include, including both external accounts and Regions and Organization member accounts and Regions.
For an organization aggregator, authorization is not required for Organization member account regions since authorization is integrated with the Amazon Organizations service.
Aggregators do not automatically enable Amazon Config on your behalf
Amazon Config needs to be enabled in the source account and Region for either type of aggregator, in order for Amazon Config data to be generated in the source account and Region.
Add Authorization for Aggregator Accounts and Regions
-
Open a command prompt or a terminal window.
-
Enter the following command:
aws configservice put-aggregation-authorization --authorized-account-id
AccountID
--authorized-aws-regionRegion
-
You should see output similar to the following:
{ "AggregationAuthorization": { "AuthorizedAccountId": "
AccountID
", "AggregationAuthorizationArn": "arn:aws:config:Region
:AccountID
:aggregation-authorization/AccountID
/Region
", "CreationTime": 1518116709.993, "AuthorizedAwsRegion": "Region
" } }
Delete an Authorization Account
Enter the following command:
aws configservice delete-aggregation-authorization --authorized-account-id
AccountID
--authorized-aws-regionRegion
If successful, the command executes with no additional output.