- You aren't charged for Config aggregators. There are two set up by Control Tower, one in the management account and one in the audit account. Each one gives that account a view of compliance with detective controls across your multi-account environment. Remember, aggregators simply give you a read-only view of the resources; they aren't recording any resource changes. Refer to How AWS Control Tower Works.
- Preventive controls are implemented by Service Control Policies (SCPs), not Config. Detective controls are implemented with AWS Config rules. You will see the compliance status of a detective control both in AWS Config and Control Tower. Config rules implemented by Control Tower will be prefixed with `AWSControlTower_` in the Config console.
- You use an AWS Config conformance pack to evaluate how your accounts may be affected by some AWS Control Tower controls BEFORE you enable the control. To determine how enrollment into AWS Control Tower may affect your accounts, see Extend AWS Control Tower governance using AWS Config conformance packs. The frameworks you see in Control Tower are groups of controls aligned to that particular framework.
- asked 2 years ago
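
The read-only aggregator view described in the answer above can be queried for non-compliant Control Tower detective controls per account. This is an added example, not code from the original answer or from AWS; the aggregator name, rule names and account IDs are constructed placeholders, and `StubConfigClient` is a hypothetical stand-in for `boto3.client("config")` so the block runs offline.

```python
from collections import defaultdict

CT_PREFIX = "AWSControlTower_"  # rule-name prefix mentioned in the answer


def control_tower_noncompliance(config_client, aggregator_name):
    """Return {account_id: sorted [(region, rule), ...]} for NON_COMPLIANT
    Control Tower-managed Config rules seen through one aggregator."""
    findings = defaultdict(set)
    kwargs = {
        "ConfigurationAggregatorName": aggregator_name,
        "Filters": {"ComplianceType": "NON_COMPLIANT"},
    }
    while True:
        # Read-only call: the aggregator reports status, it records nothing.
        page = config_client.describe_aggregate_compliance_by_config_rules(**kwargs)
        for item in page.get("AggregateComplianceByConfigRules", []):
            name = item["ConfigRuleName"]
            if name.startswith(CT_PREFIX):  # skip rules you created yourself
                findings[item["AccountId"]].add((item["AwsRegion"], name))
        token = page.get("NextToken")
        if not token:  # last page reached
            break
        kwargs["NextToken"] = token
    return {acct: sorted(rules) for acct, rules in findings.items()}


def _row(rule, account, region):
    # Constructed sample row shaped like the API response items.
    return {"ConfigRuleName": rule, "AccountId": account, "AwsRegion": region,
            "Compliance": {"ComplianceType": "NON_COMPLIANT"}}


class StubConfigClient:
    """Hypothetical offline stand-in that serves two constructed pages."""
    PAGES = {
        None: {"AggregateComplianceByConfigRules": [
            _row("AWSControlTower_EXAMPLE_RULE_A", "111111111111", "us-east-1"),
            _row("my-custom-rule", "111111111111", "us-east-1")],
            "NextToken": "page2"},
        "page2": {"AggregateComplianceByConfigRules": [
            _row("AWSControlTower_EXAMPLE_RULE_B", "222222222222", "eu-west-1")]},
    }

    def __init__(self):
        self.calls = []

    def describe_aggregate_compliance_by_config_rules(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.PAGES[kwargs.get("NextToken")]
```

With real credentials in the management or audit account, pass `boto3.client("config")` and the name of the aggregator in that account in place of the stub.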