AWS Config Aggregate Authorization

This page shows how to write Terraform and CloudFormation for AWS Config Aggregate Authorization and write them securely.

aws_config_aggregate_authorization (Terraform)

The Aggregate Authorization in AWS Config can be configured in Terraform with the resource name aws_config_aggregate_authorization. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

config.tf#L25
resource "aws_config_aggregate_authorization" "eu-west-2" {
  account_id = aws_organizations_account.organisation-security.id
  region     = "eu-west-2"
}


authorization.tf#L1
resource "aws_config_aggregate_authorization" "config_aggregation" {
  account_id = var.source_account_number
  region     = data.aws_region.current.name
}

main.tf#L7
resource "aws_config_aggregate_authorization" "this" {
  account_id = var.account_id
  region     = var.region
  tags       = var.tags
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • account_id required - string
  • arn optional computed - string
  • id optional computed - string
  • region required - string
  • tags optional - map from string to string

Explanation in Terraform Registry

Manages an AWS Config Aggregate Authorization
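Because an aggregate authorization lets the account named in account_id, operating in the named region, read this account's entire AWS Config inventory, it is worth periodically checking that only the intended aggregator holds one. The following is an added example (not code from the page or from the Terraform provider): it audits the list of authorizations against an allowlist of (account_id, region) pairs and reports both unexpected and missing entries. The allowlist, account numbers and response data are constructed; the response is shaped like the result of boto3's `describe_aggregation_authorizations()`, trimmed to the fields the check uses.

```python
"""Audit AWS Config aggregation authorizations against an allowlist."""

# Constructed allowlist: the only aggregator (account_id, region) that
# should be authorized to collect this account's Config data.
EXPECTED = {("111111111111", "eu-west-2")}

# Constructed sample, shaped like a DescribeAggregationAuthorizations
# response. The second entry is a hypothetical stray authorization.
SAMPLE_RESPONSE = {
    "AggregationAuthorizations": [
        {
            "AggregationAuthorizationArn": "arn:aws:config:eu-west-2:222222222222:"
                                           "aggregation-authorization/111111111111/eu-west-2",
            "AuthorizedAccountId": "111111111111",
            "AuthorizedAwsRegion": "eu-west-2",
        },
        {
            "AggregationAuthorizationArn": "arn:aws:config:eu-west-2:222222222222:"
                                           "aggregation-authorization/999999999999/us-east-1",
            "AuthorizedAccountId": "999999999999",
            "AuthorizedAwsRegion": "us-east-1",
        },
    ]
}


def audit_authorizations(response, expected):
    """Return (unexpected, missing).

    unexpected: (account, region) pairs that are authorized but not allowlisted.
    missing:    allowlisted pairs with no authorization in place.
    """
    present = {
        (a["AuthorizedAccountId"], a["AuthorizedAwsRegion"])
        for a in response.get("AggregationAuthorizations", [])
    }
    unexpected = sorted(present - set(expected))
    missing = sorted(set(expected) - present)
    return unexpected, missing


def main():
    # In a live account the response would come from
    # boto3.client("config").describe_aggregation_authorizations().
    unexpected, missing = audit_authorizations(SAMPLE_RESPONSE, EXPECTED)
    for acct, region in unexpected:
        print(f"UNEXPECTED: {acct} in {region} may aggregate this account's Config data")
    for acct, region in missing:
        print(f"MISSING: no authorization for {acct} in {region}")


if __name__ == "__main__":
    main()
```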

Tips: Best Practices for The Other AWS Config Resources

Beyond the aggregate authorization itself, AWS Config has other resources that should be configured for security reasons; aws_config_configuration_aggregator is one of them. Please check the examples of those resources and the precautions below.

aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

It is better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all Regions into a single aggregator, which reduces the risk posed by unmonitored configurations.

Review your AWS Config settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check your .tf files for them.

AWS::Config::AggregationAuthorization (CloudFormation)

The AggregationAuthorization in Config can be configured in CloudFormation with the resource name AWS::Config::AggregationAuthorization. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

config-aggregation.yml#L27
    Type: AWS::Config::AggregationAuthorization
    OrganizationBinding: !Ref ConfigEnableBinding
    Properties:
      AuthorizedAccountId: Fn::EnumTargetAccounts ConfigAdminBinding '${account}'
      AuthorizedAwsRegion: !Ref primaryGovCloudRegion

allow-central-config.yml#L2
    Type: "AWS::Config::AggregationAuthorization"
    Properties:
      AuthorizedAccountId: !Ref MasterAccount
      AuthorizedAwsRegion: eu-west-1
aggregation-authorizations.yml#L17
    Type: AWS::Config::AggregationAuthorization
    Properties:
      AuthorizedAccountId: !Ref ComplianceAccount
      AuthorizedAwsRegion: !Ref AggregatorRegion
config-recorder-accounts.yml#L149
    Type: AWS::Config::AggregationAuthorization
    Properties:
      AuthorizedAccountId: !Ref AggregatorAccountId
      AuthorizedAwsRegion: !Ref AggregationRegion
  AggregationAuthorizationAccAggrAccountR2:
    Type: AWS::Config::AggregationAuthorization
AWSControlTowerBP-BASELINE-CONFIG.yml#L100
    Type: "AWS::Config::AggregationAuthorization"
    Properties:
      AuthorizedAccountId: !Ref SecurityAccountId
      AuthorizedAwsRegion: us-west-2
  AuthorizerIad:
    Type: "AWS::Config::AggregationAuthorization"
ConfigAggregationAuthorizationSpecification.json#L3
    "AWS::Config::AggregationAuthorization": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-aggregationauthorization.html",
      "Properties": {
        "AuthorizedAccountId": {
          "Required": true,
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-aggregationauthorization.html#cfn-config-aggregationauthorization-authorizedaccountid"
        }
      }
    }

Parameters

  • AuthorizedAccountId required - string
  • AuthorizedAwsRegion required - string
  • Tags optional - list of Tag

Explanation in CloudFormation Registry

An object that represents the authorizations granted to aggregator accounts and regions.

Frequently asked questions

What is AWS Config Aggregate Authorization?

AWS Config Aggregate Authorization is a resource of AWS Config on Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Aggregate Authorization?

For Terraform, the ministryofjustice/aws-root-account, aws-samples/multi-region-org-config-rules-terraform and niveklabs/aws source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the org-formation/org-formation-us-gov-cloud-reference, Hack23/cia and o2346/tagging-discipline source code examples are useful. See the CloudFormation Example section for further details.