---
title: Configuration aggregator to all regions disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Configuration aggregator to all regions disabled

## Metadata{% #metadata %}

**Id:** `ansible-aws-config-configuration-aggregator-to-all-regions-disabled` 

**Provider:** AWS

**Platform:** Ansible

**Severity:** Low

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/config_aggregator_module.html#parameter-organization_source)

### Description{% #description %}

AWS Config aggregators must collect configuration data from all AWS Regions to provide centralized, complete visibility of resource state. This ensures cross-region misconfigurations and compliance violations are detected.

For Ansible tasks using the `community.aws.config_aggregator` or `aws_config_aggregator` modules, set the `all_aws_regions` property to `true` under the relevant `account_sources` entries or the `organization_source` block. Resources that omit `all_aws_regions` or have it set to `false` are flagged, as they do not provide full regional coverage.

Secure examples for Ansible (account and organization sources):

```yaml
- name: Create AWS Config Aggregator (account sources)
  community.aws.config_aggregator:
    name: my-config-aggregator
    account_sources:
      - account_ids: ['123456789012']
        all_aws_regions: true

- name: Create AWS Config Aggregator (organization source)
  community.aws.config_aggregator:
    name: org-config-aggregator
    organization_source:
      role_arn: arn:aws:iam::111122223333:role/ConfigAggregatorRole
      all_aws_regions: true
```
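The check described in this section, sketched as an added Python example (not Datadog's rule code). It assumes the tasks were already loaded from YAML into Python dictionaries, so `yes`/`no` arrive as booleans; the function names and sample tasks are hypothetical, and `account_sources` is accepted both as a list of entries and as a single mapping, since both shapes appear on this page.

```python
# Added illustration; not Datadog's rule implementation. Function names are hypothetical.
MODULES = ("community.aws.config_aggregator", "aws_config_aggregator")
# String spellings Ansible accepts as boolean true (assumption: compared case-insensitively).
TRUTHY = {"yes", "true", "on", "1", "y", "t"}


def is_true(value):
    """Treat a parsed YAML value the way Ansible treats a boolean option."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY


def find_partial_region_coverage(tasks):
    """Return (task name, source path) for every source lacking all_aws_regions: true."""
    findings = []
    for task in tasks:
        for module in MODULES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            for key in ("account_sources", "organization_source"):
                if key not in params:
                    continue
                block = params[key]
                # Normalize: a list of entries or a single mapping.
                entries = block if isinstance(block, list) else [block]
                for i, entry in enumerate(entries):
                    path = f"{key}[{i}]" if isinstance(block, list) else key
                    if not isinstance(entry, dict) or not is_true(entry.get("all_aws_regions")):
                        findings.append((task.get("name", "<unnamed>"), path))
    return findings


# Constructed sample: tasks as a YAML 1.1 loader would return them.
SAMPLE_TASKS = [
    {"name": "compliant", "community.aws.config_aggregator": {
        "name": "agg-a",
        "account_sources": [{"account_ids": ["123456789012"], "all_aws_regions": True}]}},
    {"name": "explicit no", "community.aws.config_aggregator": {
        "name": "agg-b",
        "account_sources": {"account_ids": ["123456789012"], "all_aws_regions": False},
        "organization_source": {"all_aws_regions": "yes"}}},
    {"name": "omitted", "aws_config_aggregator": {
        "name": "agg-c",
        "organization_source": {"role_arn": "arn:aws:iam::111122223333:role/ConfigAggregatorRole"}}},
]

if __name__ == "__main__":
    for name, path in find_partial_region_coverage(SAMPLE_TASKS):
        print(f"{name}: {path} does not set all_aws_regions to true")
```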

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create cross-account aggregator
  community.aws.config_aggregator:
    name: test_config_rule
    state: present
    account_sources:
      account_ids:
      - 1234567890
      - 0123456789
      - 9012345678
      all_aws_regions: yes
    organization_source:
      all_aws_regions: yes
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Create cross-account aggregator
  community.aws.config_aggregator:
    name: test_config_rule
    state: present
    account_sources:
      account_ids:
      - 1234567890
      - 0123456789
      - 9012345678
      all_aws_regions: no
    organization_source:
      all_aws_regions: yes
- name: Create cross-account aggregator2
  community.aws.config_aggregator:
    name: test_config_rule
    state: present
    account_sources:
      account_ids:
      - 1234567890
      - 0123456789
      - 9012345678
      all_aws_regions: yes
    organization_source:
      all_aws_regions: no
```
