Multi-Account Multi-Region Data Aggregation - AWS Config

Multi-Account Multi-Region Data Aggregation

An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:

  • Multiple accounts and multiple regions.

  • Single account and multiple regions.

  • An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled.

Use an aggregator to view the resource configuration and compliance data recorded in AWS Config. The following image displays how an aggregator collects AWS Config data from multiple accounts and regions.

            An aggregator collects AWS Config data from multiple accounts and regions.

Aggregators provide a read-only view into the source accounts and regions that the aggregator is authorized to view by replicating data from the source accounts into the aggregator account. Aggregators do not provide mutating access into a source account or region. For example, this means that you cannot deploy rules through an aggregator or push snapshot files to a source account or region through an aggregator.

Using aggregators does not incur any additional costs.

For more information about concepts, see Multi-Account Multi-Region Data Aggregation section in the Concepts topic.

To collect your AWS Config data from source accounts and regions, start with:

  1. Adding an aggregator to aggregate AWS Config configuration and compliance data from multiple accounts and regions.

  2. Authorizing aggregator accounts to collect AWS Config configuration and compliance data.


    There are two types of aggregators: Individual accounts aggregator and Organization aggregator

    For the individual accounts aggregator, authorization is required for any included source account regions including external account regions or Organization member account regions.

    For the organization aggregator, authorization is not required for Organization member account regions since authorization is integrated with the Organizations service.

  3. Monitoring compliance data for rules and accounts in the aggregated view.

Region Support

Currently, multi-account multi-region data aggregation is supported in the following regions:

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 HTTPS
US East (N. Virginia) us-east-1 HTTPS
US West (N. California) us-west-1 HTTPS
US West (Oregon) us-west-2 HTTPS
Africa (Cape Town) af-south-1 HTTPS
Asia Pacific (Hong Kong) ap-east-1 HTTPS
Asia Pacific (Hyderabad) ap-south-2 HTTPS
Asia Pacific (Jakarta) ap-southeast-3 HTTPS
Asia Pacific (Melbourne) ap-southeast-4 HTTPS
Asia Pacific (Mumbai) ap-south-1 HTTPS
Asia Pacific (Osaka) ap-northeast-3 HTTPS
Asia Pacific (Seoul) ap-northeast-2 HTTPS
Asia Pacific (Singapore) ap-southeast-1 HTTPS
Asia Pacific (Sydney) ap-southeast-2 HTTPS
Asia Pacific (Tokyo) ap-northeast-1 HTTPS
Canada (Central) ca-central-1 HTTPS
Canada West (Calgary) ca-west-1 HTTPS
Europe (Frankfurt) eu-central-1 HTTPS
Europe (Ireland) eu-west-1 HTTPS
Europe (London) eu-west-2 HTTPS
Europe (Milan) eu-south-1 HTTPS
Europe (Paris) eu-west-3 HTTPS
Europe (Spain) eu-south-2 HTTPS
Europe (Stockholm) eu-north-1 HTTPS
Europe (Zurich) eu-central-2 HTTPS
Israel (Tel Aviv) il-central-1 HTTPS
Middle East (Bahrain) me-south-1 HTTPS
Middle East (UAE) me-central-1 HTTPS
South America (São Paulo) sa-east-1 HTTPS
AWS GovCloud (US-East) us-gov-east-1 HTTPS
AWS GovCloud (US-West) us-gov-west-1 HTTPS

Learn More