Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Multi-Account Multi-Region Data Aggregation On AWS Config

Home » AWS » Multi-Account Multi-Region Data Aggregation On AWS Config

Multi-Account Multi-Region Data Aggregation On AWS Config

Last updated on May 2, 2023

AWS Config is a service that tracks changes made to resources associated with an AWS account. This service can give you a detailed view of the resource configuration’s timeline so you can go back in time and identify when and what resource the change was made into. It also enables you to determine the overall compliance against the rules and configurations specified in your guidelines. This simplifies compliance auditing, security analysis, change management, and operational troubleshooting.

Some Use Cases For AWS Config:

  • Determining if CloudTrail is enabled on all regions.
  • Checking if security groups have SSH port open from non-authorized IP Addresses.
  • Determining how many resources exist in your account.
  • Identifying which EBS isn’t encrypted.
  • Checking whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers.
  • Checking whether ACM Certificates in your account are marked for expiration within a specified number of days. 
Tutorials dojo strip

The configuration rule is not limited to the examples above. AWS provides you with several predefined “rules” based on common use cases that you can enable for evaluation on your account. Additionally, AWS Config allows you to make your own custom rules for compliance. In a nutshell, this service is like the law enforcer of your AWS environment. It makes sure that resources on your account follow certain configuration rules and standards that you defined. Non-compliant resources can be remediated by using AWS Systems Manager Automation. Optionally, you can stream the changes and get notified via SNS so you can react in real-time whenever there is a compliance violation.

Without Multi-region Multi-account Data Aggregation

Collecting data from one or three AWS accounts is a walk in the park. You can easily set-up your AWS Config dashboard, go into each region and each account, and pull the data with a custom script or a third-party application then walk away from it. The next time you will look into your dashboard is when there is a violation in the config rule you set.

While this works well in small organizations, this can be a tedious ordeal for enterprise-level organizations. Imagine that you’re an I.T Administrator handling hundreds of AWS Accounts with resources in different regions, and you need to ensure that your company’s internal guidelines on all AWS resources are always met. Doing this with a custom script is possible, but don’t forget that it must also be updated whenever an employee leaves or a new one joins your organization. That entails a lot of work and is an extremely difficult task without an aggregator.

Multi-Account Multi-Region Data Aggregation On AWS Config

An aggregator is an AWS Config resource that collects information about config rules and compliance information from multiple accounts and regions into a single account so you can have a unified view of your organization’s compliance status.

With an aggregator, AWS Config can collect configuration data from the following:

  • Multiple accounts and multiple regions.
  • Single account and multiple regions.
  • An organization in AWS Organizations and all the accounts in that organization.

Benefits of using an aggregator with AWS Config

  • Easy set-up experience to get an enterprise-level view of the compliance and config data in one place.
  • Integrates with AWS Organizations. Whenever a member leaves or joins an organization, the aggregator will update itself automatically.
  • Although using it with AWS Organizations simplifies the set-up, it is also available for those who do not use AWS Organizations.

Getting Started with Multi-region Multi-account Data Aggregation:

Step 1. Go to Config Dashboard on the AWS Console. On the left-most pane, click “Aggregations”

multi-account_multi-region_data_aggregation_on_aws_config1

Step 2. Click “Add aggregator” 

multi-account_multi-region_data_aggregation_on_aws_config2

Step 3.  Check the box that says “Allow AWS Config to replicate data from source account(s)…”. This is required. You also need to provide an aggregator name. On the “Select source accounts” section, you can either add individual account ID’s or add an organization. Choose according to your needs.

multi-account_multi-region_data_aggregation_on_aws_config3

Step 4. Lastly, click all “AWS regions”. You can select specific regions from where you want to aggregate data. But if you want to allow AWS Config to update future AWS Regions for you then you need to click “AWS Regions”

Hit “Save”.

multi-account_multi-region_data_aggregation_on_aws_config4

After completing the creation of the aggregator, you can refresh the AWS Config Dashboard page. It will scan and populate configuration data from all the configured AWS accounts. After the scans, you will see the results of AWS Config on your Dashboard.

References:

https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
https://docs.aws.amazon.com/config/latest/developerguide/aws-config-landing-page.html

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Carlo Acebedo

Carlo is a cloud engineer and a content creator at Tutorials Dojo. He's also a member of the AWS Community builder and holds 5 AWS Certifications. Carlo specializes in building and automating solutions in the Amazon Web Services Cloud.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?