Configuration aggregator to all regions disabled
Id: 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Observability
Description
Configuration Aggregators that do not collect data from all AWS Regions create cross-region blind spots, which can lead to incomplete compliance monitoring and limit forensic investigation during incidents.
For resources of type AWS::Config::ConfigurationAggregator, every entry in AccountAggregationSources and the OrganizationAggregationSource property must set the AllAwsRegions attribute to true. Resources that omit aggregation sources, omit the AllAwsRegions key, or set AllAwsRegions to false are flagged. The rule looks only at AllAwsRegions: an AwsRegions list next to it (as in the compliant examples below) does not change the result, and an AwsRegions list on its own is still a gap, because regions outside that list are not aggregated.
Secure configuration example (CloudFormation YAML):
# Reference shape for a compliant aggregator: both source types carry
# AllAwsRegions: true, which is the attribute this rule checks.
MyConfigAggregator:
  Type: AWS::Config::ConfigurationAggregator
  Properties:
    # Account-based source. The account ID is a placeholder; keep account
    # IDs quoted so an all-digit value is not parsed as an integer.
    AccountAggregationSources:
      - AccountIds:
          - "111111111111"
        AllAwsRegions: true
    # Organization-based source. NOTE(review): an aggregator is normally
    # written with either an account list or an organization source;
    # confirm the service accepts both on one resource before copying
    # this snippet as-is.
    OrganizationAggregationSource:
      # Role the aggregator uses to read the organization. Presumably it
      # must be assumable by AWS Config (config.amazonaws.com trust) -
      # verify in the target account; the rule does not check the ARN.
      RoleArn: arn:aws:iam::111111111111:role/ConfigAggregatorRole
      AllAwsRegions: true
Compliant Code Examples
# Compliant fixtures: every aggregation source sets AllAwsRegions: true.
# The AwsRegions lists are part of the fixture; the rule only inspects
# AllAwsRegions, so they do not affect the verdict.
# NOTE(review): both resources reuse the same ConfigurationAggregatorName;
# presumably they would collide if deployed together - fixture only.
Resources:
  ConfigurationAggregator9:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
          # Compliant: explicit true on the account source.
          AllAwsRegions: true
      ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator10:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        # NOTE(review): this ARN names the Organizations service-linked role
        # (aws-service-role/organizations.amazonaws.com/...). The aggregator
        # role is assumed by AWS Config, so a real deployment presumably
        # needs a dedicated role - verify; the rule does not check the ARN.
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
        # Compliant: explicit true on the organization source.
        AllAwsRegions: true
      ConfigurationAggregatorName: MyConfigurationAggregator
{
"Resources": {
"ConfigurationAggregator6": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": true
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator8": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": true
},
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}
}
}
Non-Compliant Code Examples
{
"Resources": {
"ConfigurationAggregator5": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
]
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator6": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator7": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
]
},
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator8": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
},
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}
}
}
# Non-compliant fixtures: each aggregation source either omits
# AllAwsRegions (aggregators 1 and 3) or sets it to false (2 and 4), so
# aggregation is limited to the listed AwsRegions and the rule flags it.
# NOTE(review): all four resources reuse the same ConfigurationAggregatorName;
# presumably they would collide if deployed together - fixture only.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  # NOTE(review): no resource in this template references OperatorEmail;
  # it is unused scaffolding in the fixture.
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  ConfigurationAggregator1:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        # Non-compliant: AllAwsRegions is omitted entirely.
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
      ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator2:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
          # Non-compliant: explicitly false.
          AllAwsRegions: false
      ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator3:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      # Non-compliant: AllAwsRegions is omitted from the organization source.
      OrganizationAggregationSource:
        # NOTE(review): this ARN names the Organizations service-linked role;
        # the aggregator role is assumed by AWS Config, so a dedicated role
        # is presumably what a real deployment needs - the rule ignores it.
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
      ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator4:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
        # Non-compliant: explicitly false.
        AllAwsRegions: false
      ConfigurationAggregatorName: MyConfigurationAggregator