AWS Config Aggregate Authorization
This page shows how to write Terraform and CloudFormation for AWS Config Aggregate Authorization and write them securely.
aws_config_aggregate_authorization (Terraform)
The Aggregate Authorization in AWS Config can be configured in Terraform with the resource name aws_config_aggregate_authorization. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_config_aggregate_authorization" "eu-west-2" {
  account_id = aws_organizations_account.organisation-security.id
  region     = "eu-west-2"
}

resource "aws_config_aggregate_authorization" "config_aggregation" {
  account_id = var.source_account_number
  region     = data.aws_region.current.name
}

resource "aws_config_aggregate_authorization" "this" {
  account_id = var.account_id
  region     = var.region
  tags       = var.tags
}
Parameters
account_id - required - string - Account ID of the aggregator account being authorized to collect this account's Config data.
arn - optional, computed - string - ARN of the aggregate authorization.
id - optional, computed - string
region - required - string - Region of the aggregator being authorized to collect this account's Config data.
tags - optional - map from string to string
Explanation in Terraform Registry
Manages an AWS Config Aggregate Authorization
Tips: Best Practices for the Other AWS Config Resources
In addition to aws_config_aggregate_authorization, AWS Config has other resources that should be configured for security reasons. The following is an example of such a resource and the precautions to take with it.
aws_config_configuration_aggregator
Ensure AWS Config is enabled in all Regions
Enable AWS Config in every region, not only the ones you actively use. AWS Config can aggregate configuration data from all regions into a single aggregator, which reduces the risk that resources in an unmonitored region go unnoticed.
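As an added example (not code from this page or from the repositories it cites), the following Terraform wires the two halves together: the source account grants an aggregate authorization to a central security account, and the security account builds a configuration aggregator that reads from all regions, which is the pattern the tip above recommends. The account ID, region, provider aliases and resource names are assumptions; the provider credentials are assumed to come from the environment.

```hcl
# Added example: source account authorizes a security account's aggregator,
# security account aggregates the source account across every region.
# Account ID, region, aliases and names below are placeholders / assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "security_account_id" {
  description = "Account that hosts the Config aggregator (placeholder value)."
  type        = string
  default     = "111111111111"
}

variable "aggregator_region" {
  description = "Region in which the aggregator lives (assumption)."
  type        = string
  default     = "eu-west-2"
}

# Provider for the source (monitored) account; credentials from the environment.
provider "aws" {
  alias  = "source"
  region = var.aggregator_region
}

# Provider for the security account that owns the aggregator.
provider "aws" {
  alias  = "security"
  region = var.aggregator_region
}

data "aws_caller_identity" "source" {
  provider = aws.source
}

# Source account side: only the named security account, and only an aggregator
# in aggregator_region, may collect this account's Config data.
resource "aws_config_aggregate_authorization" "allow_security_account" {
  provider   = aws.source
  account_id = var.security_account_id
  region     = var.aggregator_region

  tags = {
    Purpose = "config-aggregation"
  }
}

# Security account side: aggregate the source account across all regions so
# that resources recorded in a rarely used region still show up centrally.
resource "aws_config_configuration_aggregator" "all_regions" {
  provider = aws.security
  name     = "security-all-regions"

  account_aggregation_source {
    account_ids = [data.aws_caller_identity.source.account_id]
    all_regions = true
  }

  # The authorization must exist before the aggregator can pull data.
  depends_on = [aws_config_aggregate_authorization.allow_security_account]
}

output "aggregate_authorization_arn" {
  value = aws_config_aggregate_authorization.allow_security_account.arn
}
```

Two points worth checking after apply: the authorization names exactly one account and one region, so a review of the source account's aggregate authorizations should show only the security account, and the aggregator only receives data from regions where the source account actually has a Config recorder running, which is why the tip above asks for Config to be enabled in all regions.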
AWS::Config::AggregationAuthorization (CloudFormation)
The AggregationAuthorization in Config can be configured in CloudFormation with the resource name AWS::Config::AggregationAuthorization. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Config::AggregationAuthorization
OrganizationBinding: !Ref ConfigEnableBinding
Properties:
  AuthorizedAccountId: Fn::EnumTargetAccounts ConfigAdminBinding '${account}'
  AuthorizedAwsRegion: !Ref primaryGovCloudRegion

Type: "AWS::Config::AggregationAuthorization"
Properties:
  AuthorizedAccountId:
    Ref: MasterAccount
  AuthorizedAwsRegion: eu-west-1

Type: AWS::Config::AggregationAuthorization
Properties:
  AuthorizedAccountId: !Ref ComplianceAccount
  AuthorizedAwsRegion: !Ref AggregatorRegion

Type: AWS::Config::AggregationAuthorization
Properties:
  AuthorizedAccountId: !Ref AggregatorAccountId
  AuthorizedAwsRegion: !Ref AggregationRegion

AggregationAuthorizationAccAggrAccountR2:
  Type: AWS::Config::AggregationAuthorization

Type: "AWS::Config::AggregationAuthorization"
Properties:
  AuthorizedAccountId: !Ref SecurityAccountId
  AuthorizedAwsRegion: us-west-2

AuthorizerIad:
  Type: "AWS::Config::AggregationAuthorization"
"AWS::Config::AggregationAuthorization": {
  "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-aggregationauthorization.html",
  "Properties": {
    "AuthorizedAccountId": {
      "Required": true,
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-aggregationauthorization.html#cfn-config-aggregationauthorization-authorizedaccountid"
    }
  }
}
Parameters
AuthorizedAccountId - required - String - The 12-digit account ID of the account authorized to aggregate data.
AuthorizedAwsRegion - required - String - The region authorized to collect aggregated data.
Tags - optional - List of Tag
Explanation in CloudFormation Registry
An object that represents the authorizations granted to aggregator accounts and regions.
Frequently asked questions
What is AWS Config Aggregate Authorization?
AWS Config Aggregate Authorization is a resource for Config of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Aggregate Authorization?
For Terraform, the ministryofjustice/aws-root-account, aws-samples/multi-region-org-config-rules-terraform and niveklabs/aws source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the org-formation/org-formation-us-gov-cloud-reference, Hack23/cia and o2346/tagging-discipline source code examples are useful. See the CloudFormation Example section for further details.