AWS Control Tower 3.0 creates two Config Aggregators - why?


I created a new organization using AWS Control Tower (version 3.0). It seems that it has created two aggregators:

  • An accounts aggregator under the audit account named control aws-controltower-GuardrailsComplianceAggregator. This aggregator is defined to collect from specific accounts (all member accounts, excluding the management account), and from all regions. However, at least in my case, the authorizations given from these accounts to aggregation seem messed up - each account was only set up to authorize aggregation from 5 regions, and the aggregator indeed identifies the aggregation from some accounts and regions as failed as a result. FYI, I currently created my control tower landing zone on a single region, not sure why this setup happened.
  • An organization aggregator in the management account named aws-controltower-ConfigAggregatorForOrganizations. This organization aggregator automatically collects from all accounts and regions in the organization, and it is working well.

Any idea why both aggregators were defined? I know that until a recent version of the landing zone, there was no support for organization aggregators. But now that it has been added, why keep the account-specific aggregator in the audit account (that seems to be misconfigured anyway)?

On the flip side, given that the best practice is to use the audit account for, well, auditing - why is the organization aggregator defined on the management account and not the audit account? Doesn't that mean that to enjoy its aggregation I need to login to the management account?


asked 4 months ago58 views