Get a centralized view of resource inventory using AWS config aggregator

Introduction

The service that keeps track of resources and modifications made to resources linked to an AWS account is called AWS Config. To determine when and what resource the change was made into, this service may provide you with a comprehensive view of the resource configuration timeline. Additionally, it allows you to assess overall rule compliance. This makes operational troubleshooting, security analysis, change management, and compliance auditing easier. Challenge to the customer was config service is regional service. Check and manage the resource compliance region wise using config was time consuming task for the operation engineers. The solution for this challenge is config aggregator. In this blog we will take the overview of config aggregator.

Overview of config aggregator

To give you a consistent view of your organization’s compliance status, an aggregator is an AWS Config resource that gathers configuration rule and compliance data from several accounts and regions into a single account.

Using an aggregator, AWS Config can collect  resource configuration data from the following:

1. Multiple accounts and regions
2. All accounts in the Organization
3. Single account multiple region

The way an aggregator gathers AWS Configuration data from various accounts and regions is shown in the following figure.

Benefit of using config aggregator

1. An enterprise-level view of the configuration and compliance data in one location is easy to set up.
2. AWS Organizations are integrated. The aggregator will automatically update itself if a member account joins or leaves from an organization.
3. It is available to anyone who do not utilize AWS Organizations, even if utilizing it with AWS Organizations makes setup simpler.

Terminology in Config aggregator

1. Source account: – The AWS account from which you wish to compile AWS Config resource configuration and compliance information is known as the source account. In AWS Organizations, a source account can be either an individual account or an organization.
2. Aggregator account: – An account where an aggregator is created is known as an aggregator account.
3. Source Region: – The AWS region from which you compile AWS Config configuration and compliance data is known as the source region.

Getting started with config aggregator

1. Sign-in to AWS management console and open config service. From the left navigation pane, choose Aggregators, and then select Create aggregator.
2. In create aggregator page select Allow AWS Config to replicate data from source account(s) 
3. Give name to the aggregator.
4. In Select source accounts, section select Add my organization from where you want to aggregate data.

If you are not using organization, then select Add individual account ID.

5. Select “Create a role” under “Choose IAM role,” then type the name of the IAM role. AWS Config can contact AWS Organizations APIs because of to the AWSConfigRoleForOrganizations managed policy in this recently defined IAM role.

6. In Regions section, choose the regions for which you want to aggregate data. Then select create aggregator.

AWS Config begins collecting information from each member account in your company into an aggregator. The resource configuration and rule compliance status will appear on the aggregator page in config service. AWS Config may take several minutes for the same.

7. Select Resources under aggregator option. You will be able to view the multi account, multi region resources.
8. On the Advanced queries page, you can use sample queries to query data from aggregated configuration items.  Filter the query to check S3 bucket versioning.

9. Click the filter result and then select your aggregator in Query scope. Then select

10. You will be able to view the bucket with versioning disabled in all of your account within organization.

Cost for the aggregator

Config Aggregator does not come with any additional fees. The amount of configuration items that are recorded, the number of active AWS Config rule evaluations, and the number of compliance pack evaluations in your account are the only three factors that affect configuration cost. Aggregator is mainly a means of combining your results for a unified viewing experience.

About CloudThat