Introduction
AWS Config is the service that tracks the resources in an AWS account and the changes made to them. It provides a configuration timeline for each resource, so you can determine when a change was made and which resource it affected. It also lets you assess overall rule compliance. This makes operational troubleshooting, security analysis, change management, and compliance auditing easier. The challenge for customers is that AWS Config is a regional service: checking and managing resource compliance region by region is a time-consuming task for operations engineers. The solution to this challenge is the Config aggregator. This blog gives an overview of the Config aggregator.
Overview of config aggregator
To give you a consistent view of your organization’s compliance status, an aggregator is an AWS Config resource that gathers configuration rule and compliance data from several accounts and regions into a single account.
Using an aggregator, AWS Config can collect resource configuration data from the following:
- Multiple accounts and regions
- All accounts in the Organization
- A single account and multiple regions
The way an aggregator gathers AWS Config data from various accounts and regions is shown in the following figure.
Benefits of using config aggregator
- An enterprise-level view of the configuration and compliance data in one location is easy to set up.
- It is integrated with AWS Organizations. The aggregator automatically updates itself when a member account joins or leaves the organization.
- It is also available to anyone who does not use AWS Organizations, although using it with AWS Organizations makes setup simpler.
Terminology in Config aggregator
- Source account: The AWS account from which you wish to compile AWS Config resource configuration and compliance information is known as the source account. A source account can be either an individual account or an organization in AWS Organizations.
- Aggregator account: An account where an aggregator is created is known as an aggregator account.
- Source region: The AWS region from which you compile AWS Config configuration and compliance data is known as the source region.
Getting started with config aggregator
- Sign in to the AWS Management Console and open the AWS Config service. From the left navigation pane, choose Aggregators, and then select Create aggregator.
- On the Create aggregator page, select Allow AWS Config to replicate data from source account(s).
- Give the aggregator a name.
- In the Select source accounts section, select Add my organization to aggregate data from your organization.
If you are not using an organization, select Add individual account ID instead.
- Select “Create a role” under “Choose IAM role,” then type the name of the IAM role. The AWSConfigRoleForOrganizations managed policy in this newly created IAM role allows AWS Config to call AWS Organizations APIs.
- In the Regions section, choose the regions for which you want to aggregate data. Then select Create aggregator.
AWS Config begins collecting information from each member account in your organization into the aggregator. The resource configuration and rule compliance status will appear on the aggregator page in the AWS Config service. This may take several minutes.
- Select Resources under the aggregator option. You will be able to view the multi-account, multi-region resources.
- On the Advanced queries page, you can use sample queries to query data from aggregated configuration items. Filter the queries to check S3 bucket versioning.
- Click the filter result and then select your aggregator in Query scope. Then select
- You will be able to view the buckets with versioning disabled in all of your accounts within the organization.
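The same versioning check can be run from a script instead of the console. The following is an added example, not part of the original post: it runs an advanced query against an aggregator through boto3 and groups every bucket whose versioning is not enabled by account and region. The aggregator name passed to `fetch_results`, the `_sample` helper and the sample rows are assumptions made for illustration, and the sample rows assume results come back as nested JSON strings.

```python
import json
from collections import defaultdict

# Selects every bucket (not only status = 'Off') so suspended versioning is caught too.
QUERY = ("SELECT resourceId, accountId, awsRegion, "
         "supplementaryConfiguration.BucketVersioningConfiguration.status "
         "WHERE resourceType = 'AWS::S3::Bucket'")

def fetch_results(aggregator_name, expression=QUERY):
    """Run the query against an aggregator (needs boto3 and AWS credentials)."""
    import boto3  # lazy import: the offline sample below runs without it
    client = boto3.client("config")
    results, token = [], None
    while True:
        kwargs = {"Expression": expression, "ConfigurationAggregatorName": aggregator_name}
        if token:
            kwargs["NextToken"] = token
        page = client.select_aggregate_resource_config(**kwargs)
        results.extend(page["Results"])
        token = page.get("NextToken")
        if not token:
            return results

def unversioned_buckets(results):
    """Group buckets whose versioning is not 'Enabled' by (account, region)."""
    findings = defaultdict(list)
    for raw in results:  # each result is a JSON document encoded as a string
        item = json.loads(raw)
        status = (item.get("supplementaryConfiguration", {})
                  .get("BucketVersioningConfiguration", {})
                  .get("status", "Unknown"))
        if status != "Enabled":
            key = (item["accountId"], item["awsRegion"])
            findings[key].append((item["resourceId"], status))
    return {key: sorted(rows) for key, rows in findings.items()}

# Constructed sample rows: account IDs and bucket names are made up (hypothetical helper).
def _sample(bucket, account, region, status=None):
    item = {"resourceId": bucket, "accountId": account, "awsRegion": region}
    if status:
        item["supplementaryConfiguration"] = {"BucketVersioningConfiguration": {"status": status}}
    return json.dumps(item)

SAMPLE = [_sample("app-logs", "111111111111", "us-east-1", "Off"),
          _sample("backups", "111111111111", "us-east-1", "Enabled"),
          _sample("legacy-data", "222222222222", "eu-west-1", "Suspended"),
          _sample("scratch", "222222222222", "eu-west-1")]

if __name__ == "__main__":
    print(unversioned_buckets(SAMPLE))
```

Against a live aggregator, call `unversioned_buckets(fetch_results("<your-aggregator-name>"))` from the aggregator account.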
Cost for the aggregator
Config aggregator does not come with any additional fees. The number of configuration items that are recorded, the number of active AWS Config rule evaluations, and the number of compliance pack evaluations in your account are the only three factors that affect AWS Config cost. The aggregator is mainly a means of combining your results for a unified viewing experience.
WRITTEN BY Mahek Tamboli