Config configuration aggregator should be using all regions for source
The configuration aggregator should be configured with all_regions for the source.
This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
Impact
Sources that aren’t covered by the aggregator are not included in the configuration
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Set the aggregator to cover all regions
Resources:
  GoodExample:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - "123456789012"  # required by CloudFormation; placeholder account ID
          AllAwsRegions: true
      ConfigurationAggregatorName: "GoodAccountLevelAggregation"

Resources:
  GoodExample:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      OrganizationAggregationSource:
        # RoleArn is required by CloudFormation; this value is a placeholder
        RoleArn: "arn:aws:iam::123456789012:role/ExampleAggregatorRole"
        AllAwsRegions: true
      ConfigurationAggregatorName: "GoodAccountLevelAggregation"
Set the aggregator to cover all regions
resource "aws_config_configuration_aggregator" "good_example" {
  name = "example"

  account_aggregation_source {
    account_ids = ["123456789012"]
    all_regions = true
  }
}
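To check aggregators that are already deployed, the following added example (not part of the original page or of the scanner's own code) applies the same rule to JSON in the shape returned by `aws configservice describe-configuration-aggregators`. The sample data, account ID, role name and function name are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by
# `aws configservice describe-configuration-aggregators` (not real output).
SAMPLE = json.loads("""
{
  "ConfigurationAggregators": [
    {"ConfigurationAggregatorName": "all-regions-account",
     "AccountAggregationSources": [
       {"AccountIds": ["123456789012"], "AllAwsRegions": true}]},
    {"ConfigurationAggregatorName": "two-regions-account",
     "AccountAggregationSources": [
       {"AccountIds": ["123456789012"], "AllAwsRegions": false,
        "AwsRegions": ["us-east-1", "eu-west-1"]}]},
    {"ConfigurationAggregatorName": "org-missing-flag",
     "OrganizationAggregationSource": {
       "RoleArn": "arn:aws:iam::123456789012:role/placeholder",
       "AwsRegions": ["us-east-1"]}}
  ]
}
""")


def find_partial_aggregators(response):
    """Return (name, reason) for each source that does not cover all regions."""
    findings = []
    for agg in response.get("ConfigurationAggregators", []):
        name = agg.get("ConfigurationAggregatorName", "<unnamed>")
        # An aggregator has account-level sources or one organization source.
        sources = list(agg.get("AccountAggregationSources") or [])
        org = agg.get("OrganizationAggregationSource")
        if org:
            sources.append(org)
        for src in sources:
            # A missing AllAwsRegions key is treated the same as false.
            if src.get("AllAwsRegions") is not True:
                regions = ", ".join(src.get("AwsRegions") or []) or "none listed"
                findings.append((name, f"limited to regions: {regions}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_partial_aggregators(SAMPLE):
        print(f"FAIL {name}: {reason}")
```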