3 個答案
- 最新
- 最多得票
- 最多評論
2
Hi There
#1: Where are you looking for the aggregator? If you try to see it in the Config service console, you wont be able to as AWS config is not enabled in the management account. You can use the cli to view it:
[cloudshell-user@ip-1#-##-##-## ~]$ aws configservice describe-configuration-aggregators
{
"ConfigurationAggregators": [
{
"ConfigurationAggregatorName": "aws-controltower-ConfigAggregatorForOrganizations",
"ConfigurationAggregatorArn": "arn:aws:config:us-east-1:1234567890:config-aggregator/config-aggregator-9hebwzc6",
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::1234567890:role/service-role/AWSControlTowerConfigAggregatorRoleForOrganizations",
"AllAwsRegions": true
},
"CreationTime": "2023-06-28T12:50:26.429000+00:00",
"LastUpdatedTime": "2023-06-28T12:50:26.659000+00:00"
}
]
}
#2: Please take a look at these 2 blog posts for steps to deploy conformance packs across your org using a delegated admin account
0
Hi Matt.
Using cli, I was able to see aggregator. So, if AWS Config is not enabled in the management account, how does an aggregator appear by cli?
Thanks.
已回答 7 個月前
0
Hi,
If you have default Control tower set up, then config aggregator will be set up in an Audit account and not Management account. Hope this will help.
已回答 2 個月前
相關內容
AWS 官方已更新 1 年前- AWS 官方已更新 2 年前
- AWS 官方已更新 3 年前
The aggregator does not require the full config service to be enabled. The aggregator is only there to monitor for accounts not managed by CT.
The AWS Control Tower management account creates an organization-level aggregator, which assists in detecting external AWS Config rules, so that AWS Control Tower does not need to gain access to unmanaged accounts. The AWS Control Tower console shows you how many externally created AWS Config rules you have for a given account, and links you to the AWS Config console, where you can view details about those external rules.