AWS Config Org Aggregator Not showing accounts or results from queries

0

Hi,

Trying to set up a Config Organization Aggregator but im not getting any results.! any idea what im missing?

We have an organization, with some security delegated to a security account (Not sure if thats whats breaking things).

When i create the aggregator in the root account is was returning an error that it couldn't connect to accounts using the default IAM so i let it create one which i can see in the root org has: AWSConfigRoleForOrganizations policy attached. This creates the aggregator But no accounts are listed from it and no results are shown from it.

As a side i tried using the security account and setting it there. But got an error saying that it isnt the root account or set up as a delegate for the service.

asked 10 months ago663 views
3 Answers
0
Accepted Answer

Hi!

So after a 3 days suddenly everything is populated! we only have 5 accounts so really wasnt expecting it to take that long! but it is now fully working.. So good note to wait a week if you aggregator builds and doesnt generate errors!

Would have been good to have tested if the aws cli gave some helpful feedback on it, while it was connecting..

Thanks for the support options

answered 10 months ago
0

Hello!

Here it is a troubleshooting documentation that can help you with this issue: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data-troubleshooting.html

For this specific case, we can consider a couple of the following checks:

  • First of all. Is AWS Config enabled in the source accounts within your organization?
  • Have you enable trusted access in the organization? [1][2]
  • Are "all features" enabled in the organization? [3]

References: [1] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access [2] https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html [3] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html

AWS
answered 10 months ago
  • Hi,

    sorry should have clarified those.

    All accounts are built via terraform and have config enabled (We use it for other things and this is all working) the org is built via:

    resource "aws_organizations_organization" "org" {
      feature_set = "ALL"
      aws_service_access_principals = [
        "sso.amazonaws.com",
        "cloudtrail.amazonaws.com",
        "guardduty.amazonaws.com",
        "securityhub.amazonaws.com",
        "config.amazonaws.com",
        "config-multiaccountsetup.amazonaws.com",
        "member.org.stacksets.cloudformation.amazonaws.com",
        "reporting.trustedadvisor.amazonaws.com",
        "access-analyzer.amazonaws.com"
      ]
    
      enabled_policy_types = [
        "SERVICE_CONTROL_POLICY"
      ]
    }
    

    which i think gives me a yes to configuring all 3 of those

  • Another useful check would be to determine if your organization is being governed by Control Tower. If this is the case; instead of using AWSConfigRoleForOrganizations, you must use AWSControlTowerConfigAggregatorRoleForOrganizations role.

    Besides that I will recommend to use this aws cli command for troubleshooting: https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-aggregator-sources-status.html

    Using the cli would be something like this:

    aws configservice describe-configuration-aggregator-sources-status --configuration-aggregator-name <YOUR-AGREGGATOR-NAME> ``
    

    If everything is working fine, Last Update Status field mus be shown in this way: "LastUpdateStatus": "SUCCEEDED"

    I would recommend to share the output of this command, to figure out, why your aggregator is not retrieving data.

0

Another useful check would be to determine if your organization is being governed by Control Tower. If this is the case; instead of using AWSConfigRoleForOrganizations, you must use AWSControlTowerConfigAggregatorRoleForOrganizations role.

Besides that I will recommend to use this aws cli command for troubleshooting: https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-aggregator-sources-status.html

Using the cli would be something like this:

aws configservice describe-configuration-aggregator-sources-status --configuration-aggregator-name <YOUR-AGREGGATOR-NAME>

If everything is working fine, Last Update Status field mus be shown in this way: "LastUpdateStatus": "SUCCEEDED"

I would recommend to share the output of this command, to figure out, why your aggregator is not retrieving data.

AWS
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions