Managing the configuration of AWS resources - AWS Prescriptive Guidance

Managing the configuration of AWS resources

The AWS Config service enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a detailed view of how your resources are configured, shows how they relate to one another, and tracks how these configurations change over time. It's similar to a configuration management database that continuously monitors and records your AWS resource configurations, making it easier to audit resource compliance, analyze security postures, and troubleshoot configuration changes across your AWS environment. This service helps you maintain security and governance by tracking resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.

Track resource configuration changes

AWS Control Tower enables AWS Config configuration recorders in all enrolled accounts to track resource configuration changes. For landing zone versions 3.0 and later, global resources (such as IAM users, groups, roles, and customer-managed policies) are recorded only in the home Region. For landing zone versions earlier than 3.0, these global resources are recorded in all enabled Regions. Each AWS Config recorder is set up with a delivery channel that sends all configuration changes to a centralized Amazon S3 bucket in the Log Archive account. This provides comprehensive tracking of resource configuration changes across the organization. For more information about how AWS Control Tower monitors resource changes with AWS Config, see Monitor resource changes with AWS Config in the AWS Control Tower documentation.

AWS Config configuration recorders are enabled by default by AWS Control Tower and set to continuous recording for all relevant AWS resource types in enrolled accounts. If you are concerned about the costs incurred by AWS Config, you might want to manage these costs. For information about a solution that you can deploy in your landing zone without causing AWS Control Tower drift, see the AWS blog post Customize AWS Config resource tracking in AWS Control Tower environment.

View configuration and compliance data

AWS Config aggregators provide a centralized way to view configuration and compliance data from multiple AWS accounts and Regions. They act as a central collector that consolidates AWS Config data across your organization and makes it easier to monitor resource configurations and compliance at scale. This capability is particularly valuable for enterprises that manage multiple AWS accounts, because it enables centralized auditing, governance, and compliance monitoring across their entire AWS footprint. AWS Control Tower creates two AWS Config aggregators to help manage and monitor your multi-account environment:

  • Organization-level aggregator (aws-controltower-ConfigAggregatorForOrganizations) is created in the management account of your AWS organization. Its primary purpose is to aggregate AWS Config data from all accounts in your organization, even if those accounts aren't enrolled in AWS Control Tower. AWS Config isn't enabled in the management account by default, so you can't see this aggregator in the AWS Config console. To view the aggregator in the management account, use the AWS CLI command:

    aws configservice describe-configuration-aggregators
  • Security aggregator (aws-controltower-GuardRailsComplianceAggregator) is created in the Audit account of your AWS Control Tower environment. Its primary purpose is to monitor compliance with AWS Control Tower guardrails. It aggregates the relevant AWS Config data from all accounts that are enrolled in AWS Control Tower.
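The following Python script is an added example that is not part of the AWS Prescriptive Guidance page and not code from AWS Control Tower. It covers both passages above: it reads the JSON that the AWS CLI prints for the configuration recorder, its status, the delivery channel and the aggregators, and reports where an account has drifted from what the page describes (a stopped recorder, global resources recorded outside the home Region on landing zone 3.0 and later, a delivery channel that no longer points at the Log Archive bucket, a missing aggregator). The two aggregator names are the ones the page gives; the recorder name, delivery channel name, bucket name, account IDs and role ARNs in the constructed sample output are assumptions, as is the landing-zone-version parameter, which only encodes the home-Region rule the page states.

```python
"""Drift checks for the AWS Config recorder, delivery channel and aggregator that
AWS Control Tower provisions. Added example, not code from the AWS page or from
Control Tower. Input is the JSON printed by `aws configservice
describe-configuration-recorders`, `describe-configuration-recorder-status`,
`describe-delivery-channels` and `describe-configuration-aggregators`. Sample
documents are constructed; recorder, channel and bucket names and account IDs
are assumptions. The aggregator names are the ones the page gives."""
import json

ORG_AGGREGATOR = "aws-controltower-ConfigAggregatorForOrganizations"   # management account
AUDIT_AGGREGATOR = "aws-controltower-GuardRailsComplianceAggregator"   # Audit account
EXPECTED_BUCKET = "aws-controltower-logs-111122223333-us-east-1"      # assumed Log Archive bucket

# Constructed sample CLI output for one enrolled account, captured in the home Region.
SAMPLE_RECORDERS = json.dumps({"ConfigurationRecorders": [{
    "name": "aws-controltower-BaselineConfigRecorder",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                       "resourceTypes": []}}]})
SAMPLE_STATUS = json.dumps({"ConfigurationRecordersStatus": [{
    "name": "aws-controltower-BaselineConfigRecorder",
    "recording": True, "lastStatus": "SUCCESS"}]})
SAMPLE_CHANNELS = json.dumps({"DeliveryChannels": [{
    "name": "aws-controltower-BaselineConfigDeliveryChannel",
    "s3BucketName": EXPECTED_BUCKET}]})
SAMPLE_AGGREGATORS = json.dumps({"ConfigurationAggregators": [{
    "ConfigurationAggregatorName": ORG_AGGREGATOR,
    "OrganizationAggregationSource": {
        "RoleArn": "arn:aws:iam::111122223333:role/service-role/aws-controltower-ConfigAggregatorRole",
        "AllAwsRegions": True}}]})


def check_recorder(recorders_json, status_json, home_region, landing_zone_version=3.0):
    """Recorder must exist, be recording, cover all types, and record global resources
    in the home Region only (landing zone 3.0+) or in every Region (earlier versions)."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    if not recorders:
        return ["no configuration recorder: changes in this Region are not tracked"]
    rec = recorders[0]
    name, group = rec["name"], rec.get("recordingGroup", {})
    findings = []
    if not group.get("allSupported"):
        findings.append(f"{name}: allSupported is false, some resource types are not recorded")
    global_types = bool(group.get("includeGlobalResourceTypes"))
    if landing_zone_version >= 3.0:
        if home_region and not global_types:
            findings.append(f"{name}: global resources not recorded in the home Region")
        if not home_region and global_types:
            findings.append(f"{name}: global resources recorded outside the home Region (duplicate items, extra cost)")
    elif not global_types:
        findings.append(f"{name}: global resources not recorded (landing zone < 3.0 records them in every Region)")
    status = {s["name"]: s for s in json.loads(status_json).get("ConfigurationRecordersStatus", [])}
    st = status.get(name, {})
    if not st.get("recording"):
        findings.append(f"{name}: recorder is stopped")
    if st.get("lastStatus") == "FAILURE":
        findings.append(f"{name}: last delivery attempt failed")
    return findings


def check_delivery_channel(channels_json, expected_bucket=EXPECTED_BUCKET):
    """Every delivery channel must point at the centralized Log Archive bucket."""
    channels = json.loads(channels_json).get("DeliveryChannels", [])
    if not channels:
        return ["no delivery channel: configuration changes are not delivered anywhere"]
    return [f"{c['name']}: delivers to {c.get('s3BucketName')!r}, expected {expected_bucket!r}"
            for c in channels if c.get("s3BucketName") != expected_bucket]


def check_aggregator(aggregators_json, expected_name):
    """The aggregator Control Tower created for this account must exist, and each of
    its sources (organization or account list) should cover all Regions."""
    aggs = {a["ConfigurationAggregatorName"]: a
            for a in json.loads(aggregators_json).get("ConfigurationAggregators", [])}
    agg = aggs.get(expected_name)
    if agg is None:
        return [f"aggregator {expected_name} not found (deleted, or wrong account)"]
    sources = list(agg.get("AccountAggregationSources", []))
    if agg.get("OrganizationAggregationSource"):
        sources.append(agg["OrganizationAggregationSource"])
    return [f"{expected_name}: a source is limited to {s.get('AwsRegions')}"
            for s in sources if not s.get("AllAwsRegions")]


def run_checks(recorders_json, status_json, channels_json, aggregators_json,
               expected_aggregator, home_region=True, landing_zone_version=3.0):
    """Return all findings for one account and Region; an empty list means no drift."""
    return (check_recorder(recorders_json, status_json, home_region, landing_zone_version)
            + check_delivery_channel(channels_json)
            + check_aggregator(aggregators_json, expected_aggregator))


if __name__ == "__main__":
    print(run_checks(SAMPLE_RECORDERS, SAMPLE_STATUS, SAMPLE_CHANNELS,
                     SAMPLE_AGGREGATORS, ORG_AGGREGATOR) or "no drift")
```

To run it against a real account, capture each command's output to a file with the AWS CLI and pass the file contents to `run_checks`, once per enabled Region; pass `ORG_AGGREGATOR` when the credentials belong to the management account and `AUDIT_AGGREGATOR` for the Audit account, and set `home_region=False` for Regions other than the landing zone's home Region so the global-resource rule is applied the way the page describes.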