AWS Config aggregator and AWS Config Rules


Hi All, can anyone help me in sorting out my queries on AWS Config?

  1. Firstly, when I am launching Control Tower, I see 2 Config aggregators, one in the management account and the other in the archive account. What is the difference between these two? If there is no difference, won't it result in unnecessary costs? If there is a difference, may I know what the differences are and which one is the main Config one?

  2. I believe I am correct in my understanding that controls implemented by preventive guardrails, though implemented through AWS Config, have nothing to do with AWS Config. I mean, do the non-compliance items shown by CT and by the AWS Config aggregator differ?

  3. Let's say I want to apply CIS/NIST conformance packs; where should I apply them? Is it under the aggregator of the management or the archive account? I also see an option of frameworks under CT guardrails. What difference does it make if I apply NIST as controls on Control Tower rather than on the AWS Config aggregator?

1 Answer

Hi There

  1. You aren't charged for Config aggregators. There are 2 set up by Control Tower, one in the management account and one in the audit account. Each one gives that account a view of compliance with detective controls across your multi-account environment. Remember, aggregators simply give you a read-only view of the resources; they aren't recording any resource changes. Refer to How AWS Control Tower Works.
  2. Preventive controls are implemented by Service Control Policies (SCPs), not Config. Detective controls are implemented with AWS Config rules. You will see the compliance status of a detective control both in AWS Config and in Control Tower. Config rules implemented by Control Tower will be prefixed with AWSControlTower_ in the Config console.
  3. You use an AWS Config conformance pack to evaluate how your accounts may be affected by some AWS Control Tower controls BEFORE you enable the control. To determine how enrollment into AWS Control Tower may affect your accounts, see Extend AWS Control Tower governance using AWS Config conformance packs. The Frameworks you see in Control Tower are groups of controls aligned to that particular framework.
AWS
answered a year ago
  • matt, I am afraid to say that my first question on why, or the difference between, the 2 aggregators still remains unanswered.

    On the second one, yes, I was supposed to write detective instead of preventive. My question is, if the AWS Config service exists, why is there a detective control concept exclusively for CT?

  • Control Tower uses the config aggregator in the management account to get a compliance view of your entire organization for the Control Tower dashboard.

    Compliance with detective controls is determined according to data retrieved from the AWS Config aggregator in the Audit account. It's used for alerts, etc.

    All of the detective controls you see in Control Tower are AWS Config rules under the hood.
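As an added example (not code from this thread or from AWS), the script below reads the aggregator's compliance view the way the answer and the follow-up comment describe it, and splits NON_COMPLIANT rules per account into Control Tower detective controls (the AWSControlTower_ prefix named in the answer) and other rules such as conformance-pack rules. The aggregator name, account IDs and rule names in the sample are assumptions; the boto3 call used is the real describe_aggregate_compliance_by_config_rules API.

```python
from collections import defaultdict

# Prefix Control Tower gives the Config rules behind its detective controls (from the answer above).
CT_PREFIX = "AWSControlTower_"


def summarise_non_compliant(results):
    """Group NON_COMPLIANT rules per account, split into Control Tower rules and everything else.

    `results` is a list in the shape of the AggregateComplianceByConfigRules items returned by
    ConfigService.describe_aggregate_compliance_by_config_rules.
    """
    summary = defaultdict(lambda: {"control_tower": [], "other": []})
    for item in results:
        if item.get("Compliance", {}).get("ComplianceType") != "NON_COMPLIANT":
            continue  # COMPLIANT / INSUFFICIENT_DATA are not findings
        name = item["ConfigRuleName"]
        bucket = "control_tower" if name.startswith(CT_PREFIX) else "other"
        summary[item["AccountId"]][bucket].append(name)
    return dict(summary)


def fetch_from_aggregator(aggregator_name, region="us-east-1"):
    """Read the aggregated view; run with credentials for the account that owns the aggregator
    (e.g. the Audit account). Aggregators are read-only, so this never changes any resource."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    client = boto3.client("config", region_name=region)
    paginator = client.get_paginator("describe_aggregate_compliance_by_config_rules")
    items = []
    for page in paginator.paginate(ConfigurationAggregatorName=aggregator_name):
        items.extend(page["AggregateComplianceByConfigRules"])
    return items


# Constructed sample in the API's response shape; account IDs are placeholders and the
# rule names are assumed examples following the Control Tower prefix convention.
SAMPLE_RESULTS = [
    {"ConfigRuleName": "AWSControlTower_AWS-GR_RESTRICTED_SSH", "AccountId": "111111111111",
     "AwsRegion": "us-east-1", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES", "AccountId": "111111111111",
     "AwsRegion": "us-east-1", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "cis-root-mfa-enabled-conformance-pack-abc123", "AccountId": "222222222222",
     "AwsRegion": "us-east-1", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "AWSControlTower_AWS-GR_RESTRICTED_SSH", "AccountId": "222222222222",
     "AwsRegion": "us-east-1", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
]

if __name__ == "__main__":
    for account, buckets in summarise_non_compliant(SAMPLE_RESULTS).items():
        print(account, buckets)
```

To run it against a real aggregator, replace SAMPLE_RESULTS with fetch_from_aggregator("<your-aggregator-name>") using Audit-account credentials.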
