AWS::Config::ConfigurationAggregator - AWS CloudFormation
The details about the configuration aggregator, including information about source accounts, regions, and metadata of the aggregator.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
Properties
AccountAggregationSources
Provides a list of source accounts and regions to be aggregated.
Required: No
Type: Array of AccountAggregationSource
Minimum: 0
Maximum: 1
Update requires: No interruption
ConfigurationAggregatorName
The name of the aggregator.
Required: No
Type: String
Pattern: [\w\-]+
Minimum: 1
Maximum: 256
Update requires: Replacement
OrganizationAggregationSource
Provides an organization and list of regions to be aggregated.
Required: No
Type: OrganizationAggregationSource
Update requires: No interruption
Tags
An array of tag objects.
Required: No
Type: Array of Tag
Maximum: 50
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ConfigurationAggregatorName, such as myConfigurationAggregator.
For more information about using the Ref function, see Ref.
Fn::GetAtt
ConfigurationAggregatorArn
The Amazon Resource Name (ARN) of the aggregator.
Examples
- Configuration Aggregator With Multiple Accounts Multiple Regions
- Configuration Aggregator for an Organization
Configuration Aggregator With Multiple Accounts Multiple Regions
The following example creates a ConfigurationAggregator.
JSON
"ConfigurationAggregator": {
  "Type": "AWS::Config::ConfigurationAggregator",
  "Properties": {
    "AccountAggregationSources": [
      {
        "AccountIds": [
          "123456789012",
          "987654321012"
        ],
        "AwsRegions": [
          "us-west-2",
          "us-east-1"
        ],
        "AllAwsRegions": false
      }
    ],
    "ConfigurationAggregatorName": "MyConfigurationAggregator"
  }
}
YAML
ConfigurationAggregator:
  Type: 'AWS::Config::ConfigurationAggregator'
  Properties:
    AccountAggregationSources:
      - AccountIds:
          - '123456789012'
          - '987654321012'
        AwsRegions:
          - us-west-2
          - us-east-1
        AllAwsRegions: false
    ConfigurationAggregatorName: MyConfigurationAggregator
Configuration Aggregator for an Organization
The following example creates a ConfigurationAggregator for an organization.
Considerations
- The aggregator account must be the management account or a delegated administrator account in the organization
- AWS Config must be enabled with proper service access in the organization
- The role must have proper permissions to call AWS Organizations APIs
JSON
"ConfigurationAggregator": {
  "Type": "AWS::Config::ConfigurationAggregator",
  "Properties": {
    "OrganizationAggregationSource": {
      "RoleArn": { "Fn::GetAtt": [ "MyRole", "Arn" ] },
      "AwsRegions": [
        "us-west-2",
        "us-east-1"
      ],
      "AllAwsRegions": false
    },
    "ConfigurationAggregatorName": "MyConfigurationAggregator"
  }
},
"MyRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
    ],
    "Path": "/service-role/",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "config.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "OrganizationAccess",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
}
YAML
ConfigurationAggregator:
  Type: 'AWS::Config::ConfigurationAggregator'
  Properties:
    OrganizationAggregationSource:
      RoleArn: !GetAtt MyRole.Arn
      AwsRegions:
        - us-west-2
        - us-east-1
      AllAwsRegions: false
    ConfigurationAggregatorName: MyConfigurationAggregator
MyRole:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
    Path: "/service-role/"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - config.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Policies:
      - PolicyName: OrganizationAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - organizations:DescribeOrganization
                - organizations:ListAWSServiceAccessForOrganization
                - organizations:ListAccounts
              Resource: "*"
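The considerations above say the aggregator's role needs permission to call AWS Organizations APIs; the example grants exactly three read actions and trusts only config.amazonaws.com. The following added example (not AWS code) is a small pre-deployment check over a template's Resources map that enforces that shape together with the ConfigurationAggregatorName pattern from the property table; the resource names Agg and MyRole in the constructed sample are assumptions.

```python
# Added example, not AWS's code. Static checks limited to what this page states: the
# name pattern, and the role behind an OrganizationAggregationSource being trusted
# only by AWS Config and granted only the Organizations read actions in the example.
import re

NAME_RE = re.compile(r"^[\w\-]+$")        # Pattern from the property table (length 1-256)
CONFIG_SERVICE = "config.amazonaws.com"   # the only principal the page's trust policy allows
ORG_READ_ACTIONS = {"organizations:DescribeOrganization",
                    "organizations:ListAWSServiceAccessForOrganization",
                    "organizations:ListAccounts"}

def as_list(v):
    return v if isinstance(v, list) else [v]   # JSON uses a string, YAML a list

def check_org_role(props):
    """Findings for the IAM role: trust and inline policies must not exceed the example."""
    f = []
    for s in props["AssumeRolePolicyDocument"]["Statement"]:
        svc = set(as_list(s.get("Principal", {}).get("Service", [])))
        if s.get("Effect") == "Allow" and svc != {CONFIG_SERVICE}:
            f.append(f"trust policy: principal {sorted(svc)} is not {CONFIG_SERVICE}")
    for p in props.get("Policies", []):
        for s in p["PolicyDocument"]["Statement"]:
            extra = set(as_list(s.get("Action", []))) - ORG_READ_ACTIONS
            if s.get("Effect") == "Allow" and extra:
                f.append(f"{p['PolicyName']}: actions beyond Organizations reads {sorted(extra)}")
    return f

def check_resources(resources):
    """Run the checks over a template's Resources map; an empty list means clean."""
    f = []
    for r in resources.values():
        if r["Type"] != "AWS::Config::ConfigurationAggregator":
            continue
        name = r["Properties"].get("ConfigurationAggregatorName")
        if name is not None and not (1 <= len(name) <= 256 and NAME_RE.match(name)):
            f.append("ConfigurationAggregatorName: must match [\\w\\-]+, length 1-256")
        role = r["Properties"].get("OrganizationAggregationSource", {}).get("RoleArn")
        if isinstance(role, dict) and "Fn::GetAtt" in role:   # resolve GetAtt to the role resource
            f += check_org_role(resources[role["Fn::GetAtt"][0]]["Properties"])
    return f

# Constructed sample (assumed resource names): the organization example from this page
SAMPLE = {
    "Agg": {"Type": "AWS::Config::ConfigurationAggregator", "Properties": {
        "ConfigurationAggregatorName": "MyConfigurationAggregator",
        "OrganizationAggregationSource": {"RoleArn": {"Fn::GetAtt": ["MyRole", "Arn"]},
            "AwsRegions": ["us-west-2", "us-east-1"], "AllAwsRegions": False}}},
    "MyRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "OrganizationAccess", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(ORG_READ_ACTIONS), "Resource": "*"}]}}]}}}
```

Running check_resources(SAMPLE) on the page's example returns no findings; a role that trusts an extra service or grants organizations:* is reported.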