# Multi-Account Multi-Region Data Aggregation for AWS Config
<a name="aggregate-data"></a>

An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:
+ Multiple accounts and multiple AWS Regions.
+ Single account and multiple AWS Regions.
+ An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled.

Use an aggregator to view the resource configuration and compliance data recorded in AWS Config. The following image displays how an aggregator collects AWS Config data from multiple accounts and Regions.

![\[The image depicts the AWS Config data aggregation process. It involves collecting data from multiple source accounts and AWS Regions, aggregating resource configuration information and compliance data, and presenting an aggregated view to help with management.\]](http://docs.aws.amazon.com/config/latest/developerguide/images/Aggregate_Data_Landing_Page_Diagram.png)


## Use Cases
<a name="aggregation-use-cases"></a>
+ **Compliance Monitoring**: You can aggregate compliance data to assess the overall compliance postures of your organization, or across accounts and Regions.
+ **Change Tracking**: You can track changes to resources over time across your organization, or across accounts and Regions.
+ **Resource Relationships**: You can analyze resource dependencies and relationships across your organization, or across accounts and Regions.

**Note**  
Aggregators provide a *read-only view* into the source accounts and Regions that the aggregator is authorized to view by replicating data from the source accounts into the aggregator account. Aggregators do not provide mutating access into a source account or region. For example, this means that you cannot deploy rules through an aggregator or push snapshot files to a source account or region through an aggregator.  
Using aggregators does not incur any additional costs.

## Terminology
<a name="aggregation-terminology"></a>

A *source account* is the AWS account from which you want to aggregate AWS Config resource configuration and compliance data. A source account can be an individual account or an organization in AWS Organizations. You can provide source accounts individually or you can retrieve them through AWS Organizations.

A *source region* is the AWS Region from which you want to aggregate AWS Config configuration and compliance data.

An *aggregator account* is an account where you create an aggregator.

*Authorization* refers to the permissions you grant to an aggregator account and region to collect your AWS Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of AWS Organizations.

A *service-linked aggregator* is linked to a specific AWS service. The configuration and compliance data in scope are set by the linked service.

## Region Support
<a name="aggregation-regions"></a>

Currently, multi-account multi-region data aggregation is supported in the following Regions:

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html)

# Viewing Compliance and Inventory Data in the Aggregator Dashboard for AWS Config
<a name="viewing-the-aggregate-dashboard"></a>

The dashboard on the **Aggregators** page displays the configuration data of your aggregated AWS resources. It provides an overview of your rules, conformance packs, and their compliance states.

The dashboard provides the total resource count of AWS resources. The resource types and source accounts are ranked by the highest number of resources. It also provides a count of compliant and noncompliant rules and conformance packs. The noncompliant rules are ranked by highest number of noncompliant resources. The noncompliant conformance packs and source accounts are ranked by the highest number of noncompliant rules.

After you set up an aggregator, AWS Config starts aggregating data from the specified source accounts into it. It might take a few minutes for the compliance status of rules to display.

## Using the Aggregator Dashboard
<a name="use-aggregated-view"></a>

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Aggregators** page. You can view:
   + Your rules and their compliance states.
   + Your conformance packs and their compliance states.
   + Your AWS resources and their configuration data.

1. Choose an aggregator from the dashboard. Filter through your aggregators by aggregator name. You can view the following widgets:
   + **Resource inventory**

     View the top 10 resource types from the selected aggregator, in descending order by the resource count. Choose the total number of resources for the selected aggregator, displayed in parentheses after **Resource inventory**, to go to the aggregated **Resources** page, where you can view all the resources for an aggregator. Alternatively, choose a resource type in the widget to go to the aggregated **Resources** page, filtered using the specified resource type.
   + **Accounts by resource count**

     View the top five accounts from the selected aggregator, in descending order by the resource count. Choose an account in the widget to go to the **Resources** page, filtered using the specified account.
   + **Noncompliant rules**

     View the top five noncompliant rules from the selected Aggregator, in descending order by the number of noncompliant resources. Choose a rule in the widget to go to the details page for the specified rule. Choose **View all noncompliant rules** to go to the aggregated **Rules** page, where you can view all the rules for an aggregator.
   + **Accounts by noncompliant rules**

     View the top five accounts from the selected aggregator, in descending order by the number of noncompliant rules. Choose an account in the widget to go to the aggregated **Rules** page, where you can view all the rules for an aggregator filtered using the specified account.
   + **Accounts by noncompliant conformance packs**

     View the top five accounts from the selected aggregator, in descending order by the number of noncompliant conformance packs. Choose an account in the widget to go to the aggregated **Conformance Pack** page, where you can view all conformance packs for an aggregator filtered using the specified account.

1. In the left navigation pane, choose one of the following options from the dropdown menu:
   + **Compliance dashboard**

     View automated compliance dashboards by using the widgets that summarize insights about resource compliance within your aggregator. You can see data such as the top 10 resource types by noncompliant resources, and top 10 account level conformance packs by noncompliant rules. For information about these graphs and charts, see [Compliance dashboards](https://docs.aws.amazon.com/config/latest/developerguide/viewing-the-aggregate-dashboard.html#aggregate-compliance-dashboard).
   + **Conformance packs**

     View all conformance packs that are created and linked to the different AWS accounts within your aggregator. The **Conformance Pack** page displays a table that lists the name, Region, account ID, and compliance status of each conformance pack. From this page, you can choose a conformance pack and **View details** for more information about its rules and resources and their compliance status.
   + **Rules**

     View all rules that are created and linked to the different AWS accounts within your aggregator. The **Rules** page displays a table that lists the name, compliance status, Region, and account of each rule. From this page, you can choose a rule and **View details** for information, such as its aggregator, Region, account ID, and resources in scope.
   + **Inventory dashboard**

     View automated inventory dashboards by using the widgets that summarize insights about resource configuration data within your aggregator. You can see data such as the top 10 resource types by resource count, and the top 10 accounts by resource count. For information about these graphs and charts, see [Inventory dashboards](https://docs.aws.amazon.com/config/latest/developerguide/viewing-the-aggregate-dashboard.html#aggregate-resource-dashboard).
   + **Resources**

     View all resources that are recorded and linked to the different AWS accounts within your aggregator. From the **Resource** page, choose a resource and **View details** to view its details, the rules associated with it, and the current resource configuration. You can also see information about the resource, such as its aggregator, Region, account ID, resource name, resource type, and resource ID.
   + **Authorizations**

     View and manage all accounts currently authorized or pending authorization. From the **Authorizations** page, choose **Add authorization** to provide access to another account. Choose **Delete authorization** to revoke access from an account ID.

**Note**  
**Troubleshooting**  
You might see the **Data collection from all source accounts and regions is incomplete** message displayed in the aggregated view for the following reasons:  
+ The transfer of noncompliant AWS Config rules and configuration data of AWS resources is in progress.
+ AWS Config can't find rules to match the filter that you applied. Select the appropriate account or Region, and try again.

You might see this message display in the aggregated view: **Data collection from your organization is incomplete. You can view the below data only for 24 hours.** It displays for the following reasons:  
+ AWS Config can't access your organization details because of an IAM role that is not valid. If the IAM role remains not valid for more than 24 hours, AWS Config deletes the data for the entire organization.
+ AWS Config service access is disabled in your organization.

## Compliance Dashboard
<a name="aggregate-compliance-dashboard"></a>

View automated compliance dashboards by using widgets that summarize insights about resource compliance within your aggregator. This dashboard displays only rules with compliance results.

**Note**  
**Limitations**  
The insights in the compliance dashboard are provided by the Advanced Queries feature of AWS Config, and this feature does not support nested structures or unpacking nested arrays. This means that the compliance dashboard displays the overall compliance of a resource and not the compliance status for each specific rule which reports on a resource.  
For example, if you check the configuration item (CI) for the resource type `AWS::Config::ResourceCompliance`, the dashboard will display the compliance results for all the rules that report on that resource. If there are 10 rules that report on the resource, 9 of them are `COMPLIANT`, and only 1 is `NON_COMPLIANT`, the overall compliance of that resource will be `NON_COMPLIANT`.

**Compliance Summary By Resources**  
Displays a pie chart comparing the number of compliant resources to noncompliant resources from the selected aggregator. Hover over the chart to see the exact number and percentage of compliant and noncompliant resources.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator, and the Regions where the selected aggregator is configured to collect data.

**Top 10 resource types by noncompliant resources**  
Displays a horizontal bar graph comparing up to 10 resource types from the selected aggregator in descending order by the number of noncompliant resources. Hover over the graph to see the exact number of noncompliant resources for each resource type.  
The data displayed is dependent on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data.

**Top 10 accounts by noncompliant resources**  
Displays a horizontal bar graph comparing up to 10 accounts from the selected aggregator in descending order by the number of noncompliant resources. Hover over the graph to see the exact number of noncompliant resources for each account.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator, and the Regions where the selected aggregator is configured to collect data.

**Top 10 regions by noncompliant resources**  
Displays a horizontal bar graph comparing up to 10 Regions where the selected aggregator collects data in descending order by the number of noncompliant resources. Hover over the graph to see the exact number of noncompliant resources for each Region.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator.

**Top 10 account level conformance packs by noncompliant rules**  
Displays a horizontal bar graph comparing up to 10 account level conformance packs from the selected aggregator in descending order by the number of noncompliant rules. Hover over the graph to see the percentage of compliant and noncompliant rules for each account level conformance pack.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator, and the Regions where the selected aggregator is configured to collect data.

**Top 10 organization level conformance packs by noncompliant rules**  
Displays a horizontal bar graph comparing up to 10 organizational level conformance packs from the selected aggregator in descending order by the number of noncompliant rules. Hover over the graph to see the percentage of compliant and noncompliant rules in each organizational level conformance pack.  
The data displayed is dependent on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data.

**Top 10 accounts by noncompliant rules across conformance packs**  
Displays a horizontal bar graph comparing up to 10 accounts from the selected aggregator in descending order by the number of noncompliant rules across all your conformance packs. Hover over the graph to see the exact number of noncompliant rules in each account.  
The data displayed is dependent on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data.

## Inventory Dashboard
<a name="aggregate-resource-dashboard"></a>

View automated inventory dashboards by using widgets that summarize insights about resource configuration data within your aggregator.

**Top 10 resource types by resource count**  
Displays a horizontal bar graph comparing up to 10 resource types from the selected aggregator in descending order by resource count. Hover over the graph to see the exact number of resources for each resource type.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator, and the Regions where the selected aggregator is configured to collect data.

**Resource count by region**  
Displays a horizontal bar graph comparing up to 10 Regions where the selected aggregator collects data in descending order by resource count. Hover over the graph to see the exact number of resources for each Region.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator.

**Top 10 accounts by resource count**  
Displays a horizontal bar graph comparing up to 10 accounts from the selected aggregator in descending order by resource count. Hover over the graph to see the exact number of resources for each account.  
The data displayed is dependent on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data.

**Resource count by Amazon EC2 service resource types**  
Displays a horizontal bar graph comparing Amazon EC2 resource types from the selected aggregator in descending order by resource count. Hover over the graph to see the exact number of resources for each Amazon EC2 resource type.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator, and the Regions where the selected aggregator is configured to collect data. To use this chart, you must configure the recorder to record Amazon EC2 resource types. For more information, see [Selecting Which Resources AWS Config Records](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

**Top 10 EC2 instance types used**  
Displays a horizontal bar graph comparing up to 10 Amazon EC2 instance types from the selected aggregator in descending order by usage. Hover over the graph to see usage for each EC2 instance type.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data. To use this chart, you must configure the recorder to record the EC2 instance resource type. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

**EBS Volume counts by volume type and size**  
Displays a vertical bar graph comparing EBS volumes from the selected aggregator by resource count. Hover over the graph to see the count and size breakdown for each type of EBS volume.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data. To use this chart, you must configure the recorder to record the EC2 volume resource type. For more information, see [Selecting Which Resources AWS Config Records](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

**Number of EC2 instances that are running vs. stopped by type**  
Displays a horizontal bar graph comparing EC2 instance types from the selected aggregator that are running to EC2 instances that are stopped by instance type. Hover over the graph to see the exact number of stopped and running EC2 instances for each type.  
The data displayed depends on the settings of the configuration recorder for each account in the selected aggregator and the Regions where the selected aggregator is configured to collect data. To use this chart, you must configure the recorder to record the EC2 instance resource type. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

# Creating Aggregators for AWS Config
<a name="aggregated-create"></a>

You can use the AWS Config console or the AWS CLI to create your aggregators. In the AWS Config console, choose **Add individual account IDs** or **Add my organization** to specify where you want to aggregate data from. For the AWS CLI there are two different procedures, one for each source type.

------
#### [ Creating Aggregators (Console) ]

On the **Aggregator** page, you can create an aggregator by specifying the source account IDs or organization and regions from where you want to aggregate data.

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Aggregators** page and choose **Create aggregator**.

1. **Allow data replication** gives AWS Config permission to replicate data from the source accounts into an aggregator account.

   Choose **Allow AWS Config to replicate data from source account(s) into an aggregator account. You must select this checkbox to continue to add an aggregator**.

1. For **Aggregator name**, type the name for your aggregator.

   The aggregator name must be a unique name with a maximum of 64 alphanumeric characters. The name can contain hyphens and underscores.

1. For **Select source accounts**, either choose **Add individual account IDs** or **Add my organization** from where you want to aggregate data.
**Note**  
Authorization is required when using **Add individual account IDs** to select source accounts.
   + If you choose **Add individual account IDs**, you can add individual account IDs for an aggregator account.

     1. Choose **Add source accounts** to add account IDs.

     1. Choose **Add AWS account IDs** to manually add comma-separated AWS account IDs. If you want to aggregate data from the current account, type the account ID of the account.

        OR

        Choose **Upload a file** to upload a file (.txt or .csv) of comma-separated AWS account IDs.

     1. Choose **Add source accounts** to confirm your selection.
   + If you choose **Add my organization**, you can add all accounts in your organization to an aggregator account.
**Note**  
You must be signed in to the management account or a registered delegated administrator, and all features must be enabled in your organization. If the caller is a management account, AWS Config calls the `EnableAwsServiceAccess` API to [enable integration](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) between AWS Config and AWS Organizations. If the caller is a registered delegated administrator, AWS Config calls the `ListDelegatedAdministrators` API to verify whether the caller is a valid delegated administrator.  
Ensure that the management account registers a delegated administrator for the AWS Config service principal name (`config.amazonaws.com`) before the delegated administrator creates an aggregator. To register a delegated administrator, see [Registering a Delegated Administrator for AWS Config](aggregated-register-delegated-administrator.md).

     You must assign an IAM role to allow AWS Config to call read-only APIs for your organization.

     1. Choose **Choose a role from your account** to select an existing IAM role.
**Note**  
In the IAM console, attach the `AWSConfigRoleForOrganizations` managed policy to your IAM role. Attaching this policy allows AWS Config to call AWS Organizations `DescribeOrganization`, `ListAWSServiceAccessForOrganization`, and `ListAccounts` APIs. By default `config.amazonaws.com` is automatically specified as a trusted entity.

     1. Or, choose **Create a role** and type a name for your IAM role name to create IAM role.

1. For **Regions**, choose the regions for which you want to aggregate data.
   + Select one region or multiple regions or all the AWS Regions.
   + Select **Include future AWS Regions** to aggregate data from all future AWS Regions where multi-account multi-region data aggregation is enabled.

1. Choose **Save**. AWS Config displays the aggregator.

------
#### [ Creating Aggregators using Individual Accounts (AWS CLI) ]

1. Open a command prompt or a terminal window.

1. Enter the following command to create an aggregator named **MyAggregator**.

   ```
   aws configservice put-configuration-aggregator --configuration-aggregator-name MyAggregator --account-aggregation-sources "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]"
   ```

   For `account-aggregation-sources`, enter one of the following.
   + A comma-separated list of AWS account IDs for which you want to aggregate data. Wrap the account IDs in square brackets, and be sure to escape quotation marks (for example, `"[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]"`).
   + You can also upload a JSON file of comma-separated AWS account IDs. Upload the file using the following syntax: `--account-aggregation-sources MyFilePath/MyFile.json`

     The JSON file must be in the following format:

   ```
   [
       {
           "AccountIds": [
               "AccountID1",
               "AccountID2",
               "AccountID3"
           ],
           "AllAwsRegions": true
       }
   ]
   ```

1. Press Enter to execute the command.

   You should see output similar to the following:

   ```
   {
       "ConfigurationAggregator": {
           "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
           "CreationTime": 1517942461.442,
           "ConfigurationAggregatorName": "MyAggregator",
           "AccountAggregationSources": [
               {
                   "AllAwsRegions": true,
                   "AccountIds": [
                       "AccountID1",
                       "AccountID2",
                       "AccountID3"
                   ]
               }
           ],
           "LastUpdatedTime": 1517942461.442
       }
   }
   ```
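The following is an added example, not code from the AWS documentation. It builds and validates the `--account-aggregation-sources` value for the command above from a comma-separated account ID list (the .txt/.csv form the page describes), renders it as a shell-safe argument with `shlex.quote` instead of the page's backslash escaping, and reads the response back to confirm every requested account is covered. The account IDs and the response are constructed sample data; the `AwsRegions` field is the API's alternative to `AllAwsRegions` and is not shown on the page.

```python
import json
import re
import shlex

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits


def parse_account_ids(text):
    """Parse the comma-separated account ID list the console and CLI accept.

    Whitespace, newlines and blank entries are tolerated; duplicates are
    dropped while preserving order; anything that is not a 12-digit ID raises
    ValueError instead of being passed on to the API unchecked.
    """
    seen = []
    for raw in text.replace("\n", ",").split(","):
        account_id = raw.strip()
        if not account_id:
            continue
        if not ACCOUNT_ID_RE.match(account_id):
            raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
        if account_id not in seen:
            seen.append(account_id)
    if not seen:
        raise ValueError("no account IDs supplied")
    return seen


def build_account_aggregation_sources(account_ids, aws_regions=None):
    """Return the AccountAggregationSources list in the format the page shows.

    With no region list, AllAwsRegions is set to true as in the documented
    command; otherwise an explicit AwsRegions list (a field of the same API
    structure, assumed here) is used instead, since the two are alternatives.
    """
    source = {"AccountIds": list(account_ids)}
    if aws_regions:
        source["AwsRegions"] = list(aws_regions)
    else:
        source["AllAwsRegions"] = True
    return [source]


def to_cli_argument(sources):
    """Render the sources as one shell-safe argument.

    The page shows the JSON with every quote backslash-escaped inside double
    quotes; shlex.quote yields an equivalent single-quoted form that needs no
    manual escaping.
    """
    return shlex.quote(json.dumps(sources, separators=(",", ":")))


def covered_accounts(response):
    """Extract the account IDs from a put-configuration-aggregator response."""
    aggregator = response["ConfigurationAggregator"]
    ids = []
    for src in aggregator.get("AccountAggregationSources", []):
        ids.extend(src.get("AccountIds", []))
    return ids


def missing_accounts(expected_ids, response):
    """Accounts that were requested but are absent from the created aggregator."""
    present = set(covered_accounts(response))
    return [a for a in expected_ids if a not in present]


# Constructed sample input: the kind of .txt/.csv content the page describes.
SAMPLE_FILE = "111111111111, 222222222222,\n333333333333, 222222222222\n"

# Constructed response shaped like the page's sample output, with the
# placeholder account IDs replaced; one requested account is left out.
SAMPLE_RESPONSE = {
    "ConfigurationAggregator": {
        "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/EXAMPLE",
        "ConfigurationAggregatorName": "MyAggregator",
        "AccountAggregationSources": [
            {"AllAwsRegions": True, "AccountIds": ["111111111111", "222222222222"]}
        ],
    }
}

if __name__ == "__main__":
    ids = parse_account_ids(SAMPLE_FILE)
    sources = build_account_aggregation_sources(ids)
    print("aws configservice put-configuration-aggregator "
          "--configuration-aggregator-name MyAggregator "
          "--account-aggregation-sources", to_cli_argument(sources))
    print("not covered by the aggregator:", missing_accounts(ids, SAMPLE_RESPONSE))
```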

------
#### [ Creating Aggregators using AWS Organizations (AWS CLI) ]

Before you begin this procedure, you must be signed in to the management account or a registered delegated administrator and all the features must be enabled in your organization. 

**Note**  
Ensure that the management account registers a delegated administrator with both of the following AWS Config service principal names (`config.amazonaws.com` and `config-multiaccountsetup.amazonaws.com`) before the delegated administrator creates an aggregator. To register a delegated administrator, see [Registering a Delegated Administrator for AWS Config](aggregated-register-delegated-administrator.md).

1. Open a command prompt or a terminal window.

1. If you have not created an IAM role for your AWS Config aggregator, enter the following command:

   ```
   aws iam create-role --role-name OrgConfigRole --assume-role-policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" --description "Role for organizational AWS Config aggregator"
   ```
**Note**  
Copy the Amazon Resource Name (ARN) from this IAM role for use when you create your AWS Config aggregator. You can find the ARN on the response object.

1. If you have not attached a policy to your IAM role, attach the [AWSConfigRoleForOrganizations](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRoleForOrganizations.html) managed policy or enter the following command:

   ```
   aws iam create-policy --policy-name OrgConfigPolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["organizations:ListAccounts","organizations:DescribeOrganization","organizations:ListAWSServiceAccessForOrganization","organizations:ListDelegatedAdministrators"],"Resource":"*"}]}'
   ```

1. Enter the following command to create an aggregator named **MyAggregator**.

   ```
   aws configservice put-configuration-aggregator --configuration-aggregator-name MyAggregator --organization-aggregation-source "{\"RoleArn\": \"Complete-Arn\",\"AllAwsRegions\": true}"
   ```

1. Press Enter to execute the command.

   You should see output similar to the following:

   ```
   {
       "ConfigurationAggregator": {
           "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
           "CreationTime": 1517942461.442,
           "ConfigurationAggregatorName": "MyAggregator",
           "OrganizationAggregationSource": {
               "AllAwsRegions": true,
               "RoleArn": "arn:aws:iam::account-of-role-to-assume:role/name-of-role"
           },
           "LastUpdatedTime": 1517942461.442
       }
   }
   ```
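The role created in this procedure is assumed by AWS Config and should grant nothing beyond the read-only Organizations calls the page lists. The following added example (not AWS's code) lints a trust policy and a permissions policy against that scope before the role ARN is handed to `put-configuration-aggregator`; it uses the two documents from the commands above and a constructed over-broad pair (with a placeholder account ID) for contrast.

```python
import json

# Service principal the page's trust policy allows to assume the role.
AGGREGATOR_PRINCIPAL = "config.amazonaws.com"

# The four read-only Organizations actions the page's OrgConfigPolicy grants.
READ_ONLY_ORG_ACTIONS = {
    "organizations:ListAccounts",
    "organizations:DescribeOrganization",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:ListDelegatedAdministrators",
}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Findings for Allow statements that trust anything other than
    config.amazonaws.com or grant anything beyond sts:AssumeRole."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"trust policy principal is not a service map: {principal!r}")
            continue
        for kind in principal:
            if kind != "Service":
                findings.append(f"trust policy trusts a {kind} principal, not only a service")
        extra_services = set(_as_list(principal.get("Service"))) - {AGGREGATOR_PRINCIPAL}
        if extra_services:
            findings.append(f"trust policy also trusts {sorted(extra_services)}")
        extra_actions = set(_as_list(stmt.get("Action"))) - {"sts:AssumeRole"}
        if extra_actions:
            findings.append(f"trust policy grants {sorted(extra_actions)} beyond sts:AssumeRole")
    return findings


def check_permissions_policy(doc):
    """Findings for Allow statements granting anything beyond the four read-only
    Organizations calls; wildcards such as organizations:* are flagged too."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in READ_ONLY_ORG_ACTIONS:
                findings.append(f"permissions policy grants {action}, which the aggregator does not need")
    return findings


def role_is_least_privilege(trust_doc, permissions_doc):
    """True when both documents are scoped as the page's CLI procedure sets them up."""
    return not (check_trust_policy(trust_doc) or check_permissions_policy(permissions_doc))


# The trust and permissions documents from the page's create-role / create-policy commands.
PAGE_TRUST_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow",'
    '"Principal":{"Service":"config.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
)
PAGE_PERMISSIONS_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":'
    '["organizations:ListAccounts","organizations:DescribeOrganization",'
    '"organizations:ListAWSServiceAccessForOrganization",'
    '"organizations:ListDelegatedAdministrators"],"Resource":"*"}]}'
)

# Constructed over-broad variants (placeholder account ID) for comparison.
BROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["config.amazonaws.com", "ec2.amazonaws.com"],
                      "AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
}
BROAD_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "organizations:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, trust, perms in [
        ("page policies", PAGE_TRUST_POLICY, PAGE_PERMISSIONS_POLICY),
        ("over-broad policies", BROAD_TRUST_POLICY, BROAD_PERMISSIONS_POLICY),
    ]:
        print(name, "ok" if role_is_least_privilege(trust, perms) else "needs review")
        for finding in check_trust_policy(trust) + check_permissions_policy(perms):
            print("  -", finding)
```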

------

# Registering a Delegated Administrator for AWS Config
<a name="aggregated-register-delegated-administrator"></a>

Delegated administrators are accounts within a given AWS Organization that are granted additional administrative privileges for a specified AWS service. For more information, see [Delegated administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*. You must use the AWS CLI to register a delegated administrator.

**Registering a Delegated Administrator**

1. Log in with management account credentials.

1. Open a command prompt or a terminal window.

1. Enter the following command to enable service access as a delegated administrator for your organization to deploy and manage AWS Config rules and conformance packs across your organization:

   ```
   aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
   ```

1. Enter the following command to enable service access as a delegated administrator for your organization to aggregate AWS Config data across your organization:

   ```
   aws organizations enable-aws-service-access --service-principal=config.amazonaws.com
   ```

1. To check if the enable service access is complete, enter the following command and press Enter to execute the command.

   ```
   aws organizations list-aws-service-access-for-organization
   ```

   You should see output similar to the following:

   ```
   {
       "EnabledServicePrincipals": [
           {
               "ServicePrincipal": [
                   "config.amazonaws.com",
                   "config-multiaccountsetup.amazonaws.com"
               ],
               "DateEnabled": 1607020860.881
           }
       ]
   }
   ```

1. Next, enter the following command to register a member account as a delegated administrator for AWS Config.

   ```
   aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id MemberAccountID
   ```

   and

   ```
   aws organizations register-delegated-administrator --service-principal=config.amazonaws.com --account-id MemberAccountID
   ```

1. To check if the registration of delegated administrator is complete, enter the following command from the management account and press Enter to execute the command.

   ```
   aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
   ```

   and

   ```
   aws organizations list-delegated-administrators --service-principal=config.amazonaws.com
   ```

   You should see output similar to the following:

   ```
   {
       "DelegatedAdministrators": [
           {
               "Id": "MemberAccountID",
               "Arn": "arn:aws:organizations::ManagementAccountID:account/o-c7esubdi38/MemberAccountID",
               "Email": "name@amazon.com",
               "Name": "name",
               "Status": "ACTIVE",
               "JoinedMethod": "INVITED",
               "JoinedTimestamp": 1604867734.48,
               "DelegationEnabledDate": 1607020986.801
           }
       ]
   }
   ```

# Editing Aggregators for AWS Config
<a name="aggregated-edit"></a>

You can use the AWS Config console or the AWS CLI to edit your aggregators.

------
#### [ Editing Aggregators (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Aggregator** page, and choose the aggregator name.

1. Choose **Actions** and then choose **Edit**.

1. Use the sections on the **Edit aggregator** page to change the source accounts, IAM roles, or regions for the aggregator.
**Note**  
You cannot change source type from individual account(s) to organization and vice versa.

1. Choose **Save**.

------
#### [ Editing Aggregators (AWS CLI) ]

1. You can use the `put-configuration-aggregator` command to update or edit a configuration aggregator.

   Enter the following command to add a new account ID to **MyAggregator**:

   ```
   aws configservice put-configuration-aggregator --configuration-aggregator-name MyAggregator --account-aggregation-sources "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\",\"AccountID4\"],\"AllAwsRegions\": true}]"
   ```

1. Depending on the aggregator's source type, you should see output similar to the following:

   **For individual accounts**

   ```
   {
       "ConfigurationAggregator": {
           "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-xz2upuu6",
           "CreationTime": 1517952090.769,
           "ConfigurationAggregatorName": "MyAggregator",
           "AccountAggregationSources": [
               {
                   "AllAwsRegions": true,
                   "AccountIds": [
                       "AccountID1",
                       "AccountID2",
                       "AccountID3",
                       "AccountID4"
                   ]
               }
           ],
           "LastUpdatedTime": 1517952566.445
       }
   }
   ```

   OR

   **For an organization**

   ```
   {
       "ConfigurationAggregator": {
           "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
           "CreationTime": 1517942461.442,
           "ConfigurationAggregatorName": "MyAggregator",
           "OrganizationAggregationSource": {
                   "AllAwsRegions": true,
                   "RoleArn": "arn:aws:iam::account-of-role-to-assume:role/name-of-role"
            },
           "LastUpdatedTime": 1517942461.442
       }
   }
   ```
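Because `put-configuration-aggregator` replaces the whole source list, the safe way to add an account is to read the current sources first and pass the merged list back. The following is an added example, not part of the AWS Config documentation or the AWS CLI: it takes a `describe-configuration-aggregators` response, adds one account to the entry whose Region scope matches (or creates a new entry), and renders the complete `put-configuration-aggregator` command. The response, account IDs and aggregator ARN below are constructed placeholders.

```python
import json

# Constructed sample response, shaped like the output of
#   aws configservice describe-configuration-aggregators --configuration-aggregator-names MyAggregator
# Account IDs and the ARN suffix are placeholders.
CURRENT_STATE = json.loads("""
{"ConfigurationAggregators": [
  {"ConfigurationAggregatorName": "MyAggregator",
   "ConfigurationAggregatorArn": "arn:aws:config:us-east-1:999999999999:config-aggregator/config-aggregator-example",
   "AccountAggregationSources": [
     {"AccountIds": ["111111111111", "222222222222"], "AwsRegions": ["us-east-1", "eu-west-1"]},
     {"AccountIds": ["333333333333"], "AllAwsRegions": true}
   ]}
]}""")


def current_sources(describe_response, aggregator_name):
    """Extract the AccountAggregationSources list of one aggregator.

    Raises if the aggregator is absent, or if it is an organization aggregator
    (those carry OrganizationAggregationSource and have no account list to merge)."""
    for agg in describe_response.get("ConfigurationAggregators", []):
        if agg.get("ConfigurationAggregatorName") == aggregator_name:
            if "AccountAggregationSources" not in agg:
                raise ValueError(f"{aggregator_name} is an organization aggregator")
            return agg["AccountAggregationSources"]
    raise KeyError(f"aggregator {aggregator_name} not found")


def add_account(sources, account_id, all_regions=True, regions=None):
    """Return a NEW source list: every existing entry kept, account_id added.

    The account joins the first entry with the same Region scope (AllAwsRegions,
    or the identical AwsRegions set); otherwise a new entry is appended. The
    input list is not modified, and nothing is ever dropped."""
    new_sources = [dict(s, AccountIds=list(s["AccountIds"])) for s in sources]
    if any(account_id in s["AccountIds"] for s in new_sources):
        return new_sources  # already present; hand back an unchanged copy
    wanted = set(regions or [])
    for s in new_sources:
        if all_regions and s.get("AllAwsRegions"):
            s["AccountIds"].append(account_id)
            return new_sources
        if not all_regions and set(s.get("AwsRegions", [])) == wanted:
            s["AccountIds"].append(account_id)
            return new_sources
    entry = {"AccountIds": [account_id]}
    if all_regions:
        entry["AllAwsRegions"] = True
    else:
        entry["AwsRegions"] = sorted(wanted)
    new_sources.append(entry)
    return new_sources


def put_command(aggregator_name, sources):
    """Render the full put-configuration-aggregator command with the complete source list."""
    arg = json.dumps(sources, separators=(",", ":"))
    return (
        "aws configservice put-configuration-aggregator "
        f"--configuration-aggregator-name {aggregator_name} "
        f"--account-aggregation-sources '{arg}'"
    )


if __name__ == "__main__":
    sources = current_sources(CURRENT_STATE, "MyAggregator")
    print(put_command("MyAggregator", add_account(sources, "444444444444")))
```

The rendered command wraps the JSON in single quotes, which is the POSIX shell form; on a Windows command prompt use the escaped double-quote form shown in the step above instead. Compare the account list in the `put` response against the list you intended before moving on: a dropped account silently stops being aggregated without any error.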

------

# Deleting Aggregators for AWS Config
<a name="aggregated-delete"></a>

You can use the AWS Config console or the AWS CLI to delete your aggregators.

------
#### [ Deleting Aggregators (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Aggregator** page, and choose the aggregator name.

1. Choose **Actions** and then choose **Delete**.

   A warning message is displayed. Deleting an aggregator results in the loss of all aggregated data. You cannot recover this data but data in the source account(s) is not impacted.

1. Choose **Delete** to confirm your selection.

------
#### [ Deleting Aggregators (AWS CLI) ]

Enter the following command:

```
aws configservice delete-configuration-aggregator --configuration-aggregator-name MyAggregator
```

If successful, the command executes with no additional output.

------

# Authorizing Aggregator Accounts to Collect AWS Config Configuration and Compliance Data
<a name="aggregated-add-authorization"></a>

*Authorization* refers to the permissions you grant to an aggregator account and Region to collect your AWS Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of AWS Organizations. You can use the AWS Config console or the AWS CLI to authorize aggregator accounts.

**Topics**
+ [Considerations](#aggregated-add-authorization-considerations)
+ [Adding Authorization](#aggregated-add-authorization-procedure)

## Considerations
<a name="aggregated-add-authorization-considerations"></a>

**There are two types of aggregators: Individual account aggregator and Organization aggregator**

For an individual account aggregator, authorization is required for all source accounts and Regions that you want to include, including both external accounts and Regions and Organization member accounts and Regions.

For an organization aggregator, authorization is not required for Organization member accounts and Regions, because authorization is integrated with the AWS Organizations service.

**Aggregators do not automatically enable AWS Config on your behalf**

AWS Config needs to be enabled in the source account and Region for either type of aggregator, in order for AWS Config data to be generated in the source account and Region.

## Adding Authorization
<a name="aggregated-add-authorization-procedure"></a>

------
#### [ Adding Authorization (Console) ]

You can add authorization to grant permission to aggregator accounts and Regions to collect AWS Config configuration and compliance data.

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Authorizations** page and choose **Add authorization**.

1. For **Aggregator account**, type the 12-digit account ID of an aggregator account.

1. For **Aggregator region**, choose the AWS Regions where the aggregator account is allowed to collect AWS Config configuration and compliance data.

1. Choose **Add authorization** to confirm your selection.

   AWS Config displays the aggregator account, Region, and authorization status.
**Note**  
You can also add authorizations to aggregator accounts and Regions programmatically using CloudFormation sample templates. For more information, see [AWS::Config::AggregationAuthorization](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-aggregationauthorization.html) in the *CloudFormation User Guide*.

------
#### [ Authorizing a Pending Request (Console) ]

If you have a pending authorization request from an existing aggregator account you will see the request status on the **Authorizations** page. You can authorize a pending request from this page.

1. Choose the aggregator account that you want to authorize, and then choose **Authorize**.

   A confirmation message is displayed to confirm that you want to grant the aggregator account permission to collect AWS Config data from this account.

1. Choose **Authorize** again to confirm that you want to grant permission to the aggregator account.

   The authorization status changes from **Requesting for authorization** to **Authorized**.

**Authorization approval period**

Authorization approval is required to add source accounts to an individual account aggregator. A pending authorization approval request will be available for 7 days after an individual account aggregator adds a source account.

------
#### [ Adding Authorization (AWS CLI) ]

1. Open a command prompt or a terminal window.

1. Enter the following command:

   ```
   aws configservice put-aggregation-authorization --authorized-account-id AccountID --authorized-aws-region Region
   ```

1. You should see output similar to the following:

   ```
   {
       "AggregationAuthorization": {
           "AuthorizedAccountId": "AccountID",
           "AggregationAuthorizationArn": "arn:aws:config:Region:AccountID:aggregation-authorization/AccountID/Region",
           "CreationTime": 1518116709.993,
           "AuthorizedAwsRegion": "Region"
       }
   }
   ```
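For an individual account aggregator, each source account must hold an authorization for the aggregator account and Region, and the Considerations above say this applies to every source account and Region you want to include. The following added example (not part of the AWS Config documentation or the AWS CLI) reconciles the authorizations a source account already holds against the aggregator it should be feeding. It assumes, as the `AggregationAuthorizationArn` format above indicates, that an authorization is a regional resource created in the source account, so `describe-aggregation-authorizations` is run once per source Region and the `put` command is rendered with `--region` for each Region still missing. It also lists grants to accounts you did not expect, since every authorization is read access to this account's configuration and compliance data. The responses, account IDs and Region list are constructed placeholders.

```python
import json

AGGREGATOR_ACCOUNT = "999999999999"  # placeholder: account that owns the aggregator
AGGREGATOR_REGION = "us-east-1"      # placeholder: Region the aggregator was created in

# Source Regions in which AWS Config is enabled in this source account (assumed).
SOURCE_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]

# Constructed sample responses keyed by source Region, shaped like
#   aws configservice describe-aggregation-authorizations --region <source Region>
# run in the source account. us-east-1 already authorizes the aggregator,
# eu-west-1 authorizes a different (stale) account, ap-southeast-1 has nothing.
SAMPLE_AUTHORIZATIONS = {
    "us-east-1": json.loads("""{"AggregationAuthorizations": [
        {"AuthorizedAccountId": "999999999999", "AuthorizedAwsRegion": "us-east-1",
         "AggregationAuthorizationArn": "arn:aws:config:us-east-1:111111111111:aggregation-authorization/999999999999/us-east-1",
         "CreationTime": 1518116709.993}]}"""),
    "eu-west-1": json.loads("""{"AggregationAuthorizations": [
        {"AuthorizedAccountId": "888888888888", "AuthorizedAwsRegion": "us-east-1",
         "AggregationAuthorizationArn": "arn:aws:config:eu-west-1:111111111111:aggregation-authorization/888888888888/us-east-1",
         "CreationTime": 1518116709.993}]}"""),
    "ap-southeast-1": {"AggregationAuthorizations": []},
}


def authorized_pairs(response):
    """(aggregator account, aggregator Region) pairs granted by one describe response."""
    return {
        (a["AuthorizedAccountId"], a["AuthorizedAwsRegion"])
        for a in response.get("AggregationAuthorizations", [])
    }


def missing_authorizations(source_regions, auth_by_region, agg_account, agg_region):
    """Source Regions in which the aggregator is not yet authorized, in input order."""
    wanted = (agg_account, agg_region)
    return [
        r for r in source_regions
        if wanted not in authorized_pairs(auth_by_region.get(r, {}))
    ]


def unexpected_authorizations(source_regions, auth_by_region, allowed_accounts):
    """(source Region, account, aggregator Region) for grants to accounts not in allowed_accounts.

    Each one lets that account read this account's AWS Config data; review and
    remove stale grants with delete-aggregation-authorization."""
    found = []
    for r in source_regions:
        for acct, region in sorted(authorized_pairs(auth_by_region.get(r, {}))):
            if acct not in allowed_accounts:
                found.append((r, acct, region))
    return found


def put_commands(missing_regions, agg_account, agg_region):
    """One put-aggregation-authorization command per source Region still missing."""
    return [
        "aws configservice put-aggregation-authorization "
        f"--authorized-account-id {agg_account} --authorized-aws-region {agg_region} "
        f"--region {r}"
        for r in missing_regions
    ]


if __name__ == "__main__":
    gaps = missing_authorizations(SOURCE_REGIONS, SAMPLE_AUTHORIZATIONS,
                                  AGGREGATOR_ACCOUNT, AGGREGATOR_REGION)
    for cmd in put_commands(gaps, AGGREGATOR_ACCOUNT, AGGREGATOR_REGION):
        print(cmd)
    for item in unexpected_authorizations(SOURCE_REGIONS, SAMPLE_AUTHORIZATIONS, {AGGREGATOR_ACCOUNT}):
        print("unexpected grant:", item)
```

Run the commands it prints in the source account; the pending request on the aggregator side then moves from **Requesting for authorization** to **Authorized** as described above, provided AWS Config is actually enabled in that source Region (the aggregator does not enable it for you).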

------

# Deleting Authorization for Aggregator Accounts to Collect AWS Config Configuration and Compliance Data
<a name="aggregated-delete-authorization"></a>

*Authorization* refers to the permissions you grant to an aggregator account and Region to collect your AWS Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of AWS Organizations. You can use the AWS Config console or the AWS CLI to delete authorizations.

**Topics**
+ [Considerations](#aggregated-delete-authorization-considerations)
+ [Deleting Authorization](#aaggregated-delete-authorization-procedure)

## Considerations
<a name="aggregated-delete-authorization-considerations"></a>

**There are two types of aggregators: Individual account aggregator and Organization aggregator**

For an individual account aggregator, authorization is required for all source accounts and Regions that you want to include, including both external accounts and Regions and Organization member accounts and Regions.

For an organization aggregator, authorization is not required for Organization member accounts and Regions, because authorization is integrated with the AWS Organizations service.

**Aggregators do not automatically enable AWS Config on your behalf**

AWS Config needs to be enabled in the source account and Region for either type of aggregator, in order for AWS Config data to be generated in the source account and Region.

## Deleting Authorization
<a name="aaggregated-delete-authorization-procedure"></a>

------
#### [ Deleting Authorization (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Authorizations** page, choose the aggregator account whose authorization you want to delete, and then choose **Delete**.

   A warning message is displayed. When you delete this authorization, AWS Config data will no longer be shared with the aggregator account.

1. Choose **Delete** again to confirm your selection.

   The authorization is now deleted. The aggregator account itself, and the AWS Config data already recorded in your account, are not affected.

------
#### [ Deleting Authorization (AWS CLI) ]

Enter the following command:

```
aws configservice delete-aggregation-authorization --authorized-account-id AccountID --authorized-aws-region Region
```

If successful, the command executes with no additional output.

------

# Viewing Aggregators for AWS Config
<a name="aggregated-view"></a>

You can use the AWS Config console or the AWS CLI to view your aggregators.

------
#### [ Viewing Aggregators (Console) ]

To view your aggregators in the AWS Management Console, see [Aggregator Dashboard](https://docs.aws.amazon.com/config/latest/developerguide/viewing-the-aggregate-dashboard.html).

------
#### [ Viewing Aggregators (AWS CLI) ]

1. Enter the following command:

   ```
   aws configservice describe-configuration-aggregators
   ```

1. Depending on the aggregator's source type, you should see output similar to the following:

   **For individual accounts**

   ```
   {
       "ConfigurationAggregators": [
           {
               "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
               "CreationTime": 1517942461.442,
               "ConfigurationAggregatorName": "MyAggregator",
               "AccountAggregationSources": [
                   {
                       "AllAwsRegions": true,
                       "AccountIds": [
                           "AccountID1",
                           "AccountID2",
                           "AccountID3"
                       ]
                   }
               ],
               "LastUpdatedTime": 1517942461.455
           }
       ]
   }
   ```

   OR

   **For an organization**

   ```
   {
       "ConfigurationAggregators": [
           {
               "ConfigurationAggregatorArn": "arn:aws:config:Region:AccountID:config-aggregator/config-aggregator-floqpus3",
               "CreationTime": 1517942461.442,
               "ConfigurationAggregatorName": "MyAggregator",
               "OrganizationAggregationSource": {
                   "AllAwsRegions": true,
                   "RoleArn": "arn:aws:iam::account-of-role-to-assume:role/name-of-role"
               },
               "LastUpdatedTime": 1517942461.442
           }
       ]
   }
   ```

------

# Troubleshooting for Multi-Account Multi-Region Data Aggregation for AWS Config
<a name="aggregate-data-troubleshooting"></a>

AWS Config might not aggregate data from source accounts for one of the following reasons:


****  

| If this happens | Do this | 
| --- | --- | 
| AWS Config is not enabled in the source account and Region. | Enable AWS Config in the source account and Region. For an individual account aggregator, also authorize the aggregator account to collect data; aggregators do not enable AWS Config on your behalf. | 
| Authorization is not granted to an aggregator account. | Sign in to the source account and grant authorization to the aggregator account and Region to collect AWS Config data. | 
| There might be a temporary issue that is preventing data aggregation. | Data aggregation is subject to delays. Wait for a few minutes and check again. | 

AWS Config might not aggregate data from an organization for one of the following reasons:


****  

| If this happens | Do this | 
| --- | --- | 
| AWS Config is unable to access your organization details because the IAM role is invalid. | Create an IAM role or select a valid IAM role from the IAM role list. If the IAM role remains invalid for more than 7 days, AWS Config deletes the aggregated data for the entire organization. | 
| AWS Config service access is disabled in your organization. | You can enable integration between AWS Config and AWS Organizations through the EnableAWSServiceAccess API. If you choose **Add my organization** in the console, AWS Config automatically enables the integration between AWS Config and AWS Organizations. | 
| AWS Config is unable to access your organization details because your organization does not have all features enabled. | [Enable all features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the AWS Organizations console. | 
| Organizational changes such as adding an account, removing an account, enabling service access, and disabling service access are not reflected immediately in the Middle East (Bahrain) and Asia Pacific (Hong Kong) Regions. | Organizational changes in these Regions are subject to a 2 hour delay. Wait for 2 hours to see all organization changes. | 