AWS Config - BatchGetAggregateResourceConfig API

0

Hello all,

I hope you can help. I am querying my AWS Config Aggregator deployment information for AWS::IAM::Policy via the BatchGetAggregateResourceConfig API. Whereas this is working technically, all my results are populated in the section "Unprocessed Resource Identifiers". Could you please help me understand what this means, and is there anything I can do to get them populated in the "BaseConfigurationItems" section of the payload with the extra values?

Kind Regards

Craig

1 Answer
0

Hello Craig.

The "Unprocessed Resource Identifiers" property in the response body returned when calling the "BatchGetAggregateResourceConfig"[1] API operation contains a list of resource identifiers that were not processed with the current scope, meaning that the current configuration items in place for the AWS resources present in your AWS Config Aggregator do not match the values that were included for the below key-names in the "ResourceIdentifiers" request parameter:

  • ResourceId
  • ResourceType
  • SourceAccountId
  • SourceRegion

When calling the "BatchGetAggregateResourceConfig" API operation, you would commonly specify the following values for the below key-names in the "ResourceIdentifiers":

  • ResourceId: The resource identifier of the AWS Resource, for example, the Unique Identifier of a managed IAM policy[2].

  • ResourceType: The AWS resource type, such as "AWS::IAM::Policy".

  • SourceAccountId: The source AWS Account ID where the AWS resource is located and where the data is being aggregated from. This is commonly an external AWS Account, or it can either be the Organization Management Account, or an AWS Account that is a member of an AWS Organization.

  • SourceRegion: The source region where the data is aggregated and this is generally the AWS region where the AWS Config recorder is enabled in the source AWS Account.

For example, if you use the AWS CLI tools to call the "BatchGetAggregateResourceConfig" API operation (see below example) and specify "us-east-1" as the value for the key-name "SourceRegion", but the AWS Account that is provided as the value for the "SourceAccountId" only has the AWS Config recorder enabled in the "eu-west-1" region, then the response output contained the results in the "Unprocessed Resource Identifiers" property.

aws configservice batch-get-aggregate-resource-config --configuration-aggregator-name <aggregator_name> --resource-identifiers ResourceType=AWS::IAM::Policy,SourceAccountId=<member_AWS_Account>,SourceRegion=us-east-1,ResourceId=<Unique_ID_of_managedpolicy>

If including the value "eu-west-1" for the key-name "SourceRegion", which is where the AWS Config recorder is enabled for the AWS Account included as the value for the key-name "SourceAccountId", the response body contained the results in the "BaseConfigurationItems" element.

In case of the resource-type "AWS::IAM::Policy", to have the results be returned in the "BaseConfigurationItems", you would need to review the values included for the key-names "SourceAccountId" and "SourceRegion" in the request parameter "ResourceIdentifiers" and confirm the following:

  • Ensure that the value for "SourceAccountId" key-name is the AWS Account where the Resource Identifier is located in, as well as ensuring that the value for key-name "SourceRegion", is the AWS region where the Config recorder is enabled for the AWS Account set as the key-name "SourceAccountId".

References:

[1] BatchGetAggregateResourceConfig - Response Elements - https://docs.aws.amazon.com/config/latest/APIReference/API_BatchGetAggregateResourceConfig.html#API_BatchGetAggregateResourceConfig_ResponseElements

[2] IAM identifiers - Understanding unique ID prefixes - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes

I sincerely hope the above helps.

AWS
SUPPORT ENGINEER
answered 2 months ago
EXPERT
reviewed a month ago
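
An added example (not part of the original answer and not AWS's own code): it compares the "UnprocessedResourceIdentifiers" from a response with the identifiers the aggregator itself reports through ListAggregateDiscoveredResources, and shows which key-name differs, as in the us-east-1 versus eu-west-1 case above. The account ID, policy IDs and function names are constructed for illustration.

```python
FIELDS = ("ResourceId", "ResourceType", "SourceAccountId", "SourceRegion")

def diagnose(unprocessed, discovered):
    """For each unprocessed identifier, find the aggregator's own record of the
    same resource (matched on ResourceType + ResourceId) and list the keys that differ."""
    by_resource = {}
    for d in discovered:
        by_resource.setdefault((d["ResourceType"], d["ResourceId"]), []).append(d)
    report = []
    for u in unprocessed:
        candidates = by_resource.get((u["ResourceType"], u["ResourceId"]), [])
        if not candidates:
            # The aggregator has no record of this resource under any account or region.
            report.append({"requested": u, "mismatched": None, "corrected": None})
            continue
        # Pick the discovered record that differs from the request in the fewest keys.
        best = min(candidates, key=lambda d: sum(d[k] != u[k] for k in FIELDS))
        report.append({"requested": u,
                       "mismatched": [k for k in FIELDS if best[k] != u[k]],
                       "corrected": {k: best[k] for k in FIELDS}})
    return report

def fetch_discovered(aggregator_name, resource_type="AWS::IAM::Policy"):
    """Live lookup (needs boto3 and credentials); not used by the sample data below."""
    import boto3
    pages = boto3.client("config").get_paginator(
        "list_aggregate_discovered_resources").paginate(
        ConfigurationAggregatorName=aggregator_name, ResourceType=resource_type)
    return [rid for page in pages for rid in page["ResourceIdentifiers"]]

# Constructed sample: the request used us-east-1, the recorder runs in eu-west-1.
UNPROCESSED = [
    {"ResourceType": "AWS::IAM::Policy", "ResourceId": "ANPAEXAMPLEPOLICY0001",
     "SourceAccountId": "111111111111", "SourceRegion": "us-east-1"},
    {"ResourceType": "AWS::IAM::Policy", "ResourceId": "ANPAEXAMPLEPOLICY0002",
     "SourceAccountId": "111111111111", "SourceRegion": "us-east-1"},
]
DISCOVERED = [
    {"ResourceType": "AWS::IAM::Policy", "ResourceId": "ANPAEXAMPLEPOLICY0001",
     "SourceAccountId": "111111111111", "SourceRegion": "eu-west-1",
     "ResourceName": "example-policy"},
]

if __name__ == "__main__":
    for row in diagnose(UNPROCESSED, DISCOVERED):
        print(row["requested"]["ResourceId"], row["mismatched"], row["corrected"])
```

Resending the request with the "corrected" identifiers targets the account and region under which the aggregator recorded the resource; a "mismatched" value of None means the aggregator has not discovered that resource at all.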
