AWS Config now supports organization-wide resource data aggregation in a delegated administrator account

Posted on: Nov 24, 2020

AWS Config lets you assess, audit, and evaluate how your AWS resources are configured, and helps you determine your overall compliance against the configurations specified in your internal guidelines. You can use AWS Config aggregators to collect your configuration and compliance data from the following sources, and aggregate that data into a single account and AWS Region to get a centralized view of your resource inventory and compliance.

  1. Multiple accounts and multiple AWS Regions.
  2. A single account and multiple AWS Regions.
  3. An organization in AWS Organizations and all the accounts in the organization that have AWS Config enabled.

Starting today, in addition to the management account, you can use a delegated administrator account to aggregate data from all member accounts of an organization in AWS Organizations without any additional authorization. This capability provides more flexibility, as it enables different teams within an organization, such as auditing, security, and compliance, to use separate accounts and to aggregate organization-wide data in their respective administration accounts for centralized governance. This also enables the separation of duties within an organization and eliminates the need for those teams to gain access to the management account in order to reach the aggregated data.

You can get started by registering a member account of your organization as a delegated administrator account using the RegisterDelegatedAdministrator API. You can deploy AWS Config rules and conformance packs across your organization and use the AWS Config console or APIs to create an aggregator to collect data from all member accounts and aggregate the data into that delegated administrator account.
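The procedure above, end to end, as an added AWS CLI walkthrough (this is example code, not part of the announcement or of AWS's own documentation). It assumes hypothetical CLI profile names (`org-management`, `config-delegated-admin`), a placeholder member account id, and a role name of my choosing; the managed policy `AWSConfigRoleForOrganizations` attached to the aggregator role is an assumption about AWS's published policy. By default the script only prints the commands it would run, so the plan can be reviewed before it changes anything in the organization.

```shell
#!/bin/sh
# Added example, not from the AWS announcement or AWS documentation.
# Delegates AWS Config aggregation to a member account and creates an
# organization-wide aggregator there. Account ids, profile names, role and
# aggregator names below are hypothetical placeholders.
set -eu

# DRY_RUN=1 (default) prints each AWS CLI command instead of executing it;
# DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
MGMT_PROFILE="${MGMT_PROFILE:-org-management}"          # management account creds
DELEGATED_PROFILE="${DELEGATED_PROFILE:-config-delegated-admin}"  # member account creds

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# AWS account ids are exactly 12 decimal digits; reject anything else early.
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; esac ;;
    *) return 1 ;;
  esac
  return 0
}

# --- Steps run with management-account credentials --------------------------

# 1. Allow AWS Config to act on behalf of AWS Organizations (trusted access).
enable_config_trusted_access() {
  run aws --profile "$MGMT_PROFILE" organizations enable-aws-service-access \
      --service-principal config.amazonaws.com
}

# 2. Register the member account as delegated administrator for AWS Config
#    (the RegisterDelegatedAdministrator API named in the announcement).
register_delegated_admin() {
  acct="$1"
  valid_account_id "$acct" || { echo "invalid account id: $acct" >&2; return 1; }
  run aws --profile "$MGMT_PROFILE" organizations register-delegated-administrator \
      --account-id "$acct" --service-principal config.amazonaws.com
}

# Check which accounts are currently delegated for AWS Config.
list_config_delegated_admins() {
  run aws --profile "$MGMT_PROFILE" organizations list-delegated-administrators \
      --service-principal config.amazonaws.com
}

# --- Steps run with delegated-administrator-account credentials -------------

# 3. Create the IAM role the aggregator assumes to read the organization.
#    Only the AWS Config service principal may assume it (least privilege on
#    the trust side). Policy ARN is an assumption about AWS's managed policy.
create_aggregator_role() {
  role="$1"
  trust='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
  run aws --profile "$DELEGATED_PROFILE" iam create-role --role-name "$role" \
      --assume-role-policy-document "$trust"
  run aws --profile "$DELEGATED_PROFILE" iam attach-role-policy --role-name "$role" \
      --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
}

# 4. Create the organization aggregator in the delegated administrator account,
#    covering every member account and every Region.
create_org_aggregator() {
  name="$1"; role_arn="$2"
  run aws --profile "$DELEGATED_PROFILE" configservice put-configuration-aggregator \
      --configuration-aggregator-name "$name" \
      --organization-aggregation-source "RoleArn=$role_arn,AllAwsRegions=true"
}

# Walkthrough with placeholder values (hypothetical account id and names).
walkthrough() {
  sec_acct=222222222222            # placeholder: the security team's member account
  role=ConfigOrgAggregatorRole
  enable_config_trusted_access
  register_delegated_admin "$sec_acct"
  list_config_delegated_admins
  create_aggregator_role "$role"
  create_org_aggregator security-org-aggregator "arn:aws:iam::${sec_acct}:role/${role}"
}

walkthrough
```

Run as-is to see the planned commands; run with `DRY_RUN=0` and real profile names to apply them. Steps 1 and 2 need management-account credentials, steps 3 and 4 credentials in the delegated account, which is exactly the separation of duties the announcement describes: the security team never needs the management account once delegation is done.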

The delegated administrator support in aggregators is available at no additional cost to AWS Config customers in all commercial AWS Regions where AWS Config aggregators are supported. For more information about AWS Config and the aggregators feature, see the AWS Config webpage and the AWS Config Developer Guide.