Authorizing Aggregator Accounts to Collect AWS Config Configuration and Compliance Data Using the Console - AWS Config

Authorizing Aggregator Accounts to Collect AWS Config Configuration and Compliance Data Using the Console

AWS Config allows you to authorize aggregator accounts to collect AWS Config configuration and compliance data.

On the Authorizations page, you can do the following:

  • Add Authorization to allow an aggregator account and region to collect AWS Config configuration and compliance data.

  • Authorize a pending request from an aggregator account to collect AWS Config configuration and compliance data.

  • Delete an authorization for an aggregator account.

Add Authorization for Aggregator Accounts and Regions

You can add authorization to grant permission to aggregator accounts and regions to collect AWS Config configuration and compliance data.

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Navigate to the Authorizations page and choose Add authorization.

    Note

    There are two types of aggregators: Individual accounts aggregator and Organization aggregator

    For the individual accounts aggregator, authorization is required for any included source account regions including external account regions or Organization member account regions.

    For the organization aggregator, authorization is not required for Organization member account regions since authorization is integrated with the Organizations service.

    Aggregators do not automatically enable AWS Config on your behalf

    AWS Config needs to be enabled in the source account region for either type of aggregator, in order for AWS Config data to be generated in the source account region.

  3. For Aggregator account, type the 12-digit account ID of an aggregator account.

  4. For Aggregator region, choose the AWS Regions where aggregator account is allowed to collect AWS Config configuration and compliance data.

  5. Choose Add authorization to confirm your selection.

    AWS Config displays an aggregator account, region, and authorization status.

    Note

    You can also add authorization to aggregator accounts and regions programatically using AWS CloudFormation sample template. For more information, see AWS::Config::AggregationAuthorization in the AWS CloudFormation user guide.

Authorize a Pending Request for an Aggregator Account

If you have a pending authorization request from an existing aggregator account you will see the request status on the Authorizations page. You can authorize a pending request from this page.

  1. For the aggregator account you want to authorize, choose Authorize in the Actions column.

    A confirmation message is displayed to confirm you grant permission to an aggregator account and region for collecting AWS Config data.

  2. Choose Authorize to grant this permission for an aggregator account and region.

    The authorization status changes from Requesting for authorization to Authorized.

Delete Authorization for an Existing Aggregator Account

  1. For the aggregator account you want to delete authorization, choose Delete in the Actions column.

    A warning message is displayed. When you delete this authorization, AWS Config data is not shared with an aggregator account.

    Note

    After authorization for an aggregator is deleted the data will remain in the aggregator account for up to 24 hours before being deleted.

  2. Choose Delete to confirm your selection.

    The aggregator account is deleted.

Learn More