AWS Control Tower 3.0 creates two Config Aggregators - why?


I created a new organization using AWS Control Tower (version 3.0). It seems that it has created two aggregators:

  • An accounts aggregator under the audit account named control aws-controltower-GuardrailsComplianceAggregator. This aggregator is defined to collect from specific accounts (all member accounts, excluding the management account), and from all regions. However, at least in my case, the authorizations given from these accounts to aggregation seem messed up - each account was only set up to authorize aggregation from 5 regions, and the aggregator indeed identifies the aggregation from some accounts and regions as failed as a result. FYI, I currently created my control tower landing zone on a single region, not sure why this setup happened.
  • An organization aggregator in the management account named aws-controltower-ConfigAggregatorForOrganizations. This organization aggregator automatically collects from all accounts and regions in the organization, and it is working well.

Any idea why both aggregators were defined? I know that until a recent version of the landing zone, there was no support for organization aggregators. But now that it has been added, why keep the account-specific aggregator in the audit account (that seems to be misconfigured anyway)?

On the flip side, given that the best practice is to use the audit account for, well, auditing - why is the organization aggregator defined on the management account and not the audit account? Doesn't that mean that to enjoy its aggregation I need to log in to the management account?


asked 2 years ago, 1353 views
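The question mentions that the account-level aggregator reports some account/region sources as failed because each member account only authorized aggregation from a handful of regions. The quickest way to see exactly which sources are failing is the aggregator's per-source status (in the CLI: `aws configservice describe-configuration-aggregator-sources-status --configuration-aggregator-name <name>`, run in the account and region that owns the aggregator; the member-account side of the authorization is visible with `aws configservice describe-aggregation-authorizations`). The script below is an added example, not code from the thread or from AWS: it groups that status list by account and region so a failed authorization stands out. The sample response is constructed to resemble the situation described in the question; the account IDs, region lists and error code/message values in it are made up, and the `fetch_status_list` helper (which needs boto3 and credentials) is only there for running it against a real aggregator.

```python
"""Summarise AWS Config aggregator source status by account and region.

Added example for the re:Post thread above; not part of the original post.
Works offline on a constructed sample that mirrors the shape of the
AggregatedSourceStatusList field returned by AWS Config's
DescribeConfigurationAggregatorSourcesStatus API.
"""
from collections import defaultdict

# Constructed sample (placeholder account IDs, illustrative error values).
# Account 1111... authorized only one of the two regions the aggregator
# expects, which is the kind of mismatch the question describes.
SAMPLE_STATUS_LIST = [
    {"SourceId": "111111111111", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
     "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "111111111111", "SourceType": "ACCOUNT", "AwsRegion": "eu-west-1",
     "LastUpdateStatus": "FAILED", "LastErrorCode": "AuthorizationNotFound",
     "LastErrorMessage": "constructed: source account has not authorized this region"},
    {"SourceId": "222222222222", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
     "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "222222222222", "SourceType": "ACCOUNT", "AwsRegion": "eu-west-1",
     "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "222222222222", "SourceType": "ACCOUNT", "AwsRegion": "ap-southeast-1",
     "LastUpdateStatus": "OUTDATED"},
]


def summarize_sources(status_list):
    """Group sources by account: {account: {"ok": [...], "failed": {region: code}, "outdated": [...]}}."""
    summary = defaultdict(lambda: {"ok": [], "failed": {}, "outdated": []})
    for src in status_list:
        acct = summary[src["SourceId"]]
        region = src.get("AwsRegion", "-")
        status = src.get("LastUpdateStatus")
        if status == "SUCCEEDED":
            acct["ok"].append(region)
        elif status == "FAILED":
            acct["failed"][region] = src.get("LastErrorCode", "unknown")
        else:
            # OUTDATED, or no status yet: the aggregator has not collected recently
            acct["outdated"].append(region)
    return dict(summary)


def accounts_with_failures(status_list):
    """Sorted list of account IDs that have at least one failed region."""
    summary = summarize_sources(status_list)
    return sorted(acct for acct, s in summary.items() if s["failed"])


def format_report(status_list):
    """Human-readable report, one line per account."""
    lines = []
    for acct, s in sorted(summarize_sources(status_list).items()):
        failed = ", ".join(f"{r} ({code})" for r, code in sorted(s["failed"].items())) or "none"
        lines.append(
            f"{acct}: ok={len(s['ok'])} outdated={len(s['outdated'])} failed={failed}"
        )
    return "\n".join(lines)


def fetch_status_list(aggregator_name, region_name):
    """Live variant: read the real status list with boto3 (needs credentials).

    Uses the documented NextToken pagination of
    describe_configuration_aggregator_sources_status.
    """
    import boto3  # imported lazily so the offline part of the script needs no SDK

    client = boto3.client("config", region_name=region_name)
    sources, kwargs = [], {"ConfigurationAggregatorName": aggregator_name}
    while True:
        page = client.describe_configuration_aggregator_sources_status(**kwargs)
        sources.extend(page.get("AggregatedSourceStatusList", []))
        token = page.get("NextToken")
        if not token:
            return sources
        kwargs["NextToken"] = token


if __name__ == "__main__":
    print(format_report(SAMPLE_STATUS_LIST))
```

If an account shows up with failed regions here but the organization-level aggregator in the management account collects from it fine, that matches the question's observation: the organization aggregator does not depend on per-account aggregation authorizations, while the account-list aggregator does.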
1 Answer

The second aggregator is intended to catch accounts not managed by Control Tower and rules outside of Control Tower Guardrails.

The AWS Control Tower management account creates an organization-level aggregator, which assists in detecting external AWS Config rules, so that AWS Control Tower does not need to gain access to unmanaged accounts. The AWS Control Tower console shows you how many externally created AWS Config rules you have for a given account, and links you to the AWS Config console, where you can view details about those external rules.

answered a year ago
  • Hi, why is the aws-controltower-ConfigAggregatorForOrganization aggregator not created in the Audit account as well? Due to AWS best practices for the management account: use the management account only for tasks that require the management account.
