Configuration aggregator to all regions disabled
Id: a2fdf451-89dd-451e-af92-bf6c0f4bab96
Cloud Provider: AWS
Platform: Ansible
Severity: Low
Category: Observability
Description
AWS Config aggregators must collect configuration data from all AWS Regions to provide centralized, complete visibility of resource state. This ensures cross-region misconfigurations and compliance violations are detected.
For Ansible tasks using the community.aws.config_aggregator or aws_config_aggregator modules, set the all_aws_regions property to true under the relevant account_sources entries or the organization_source block. Resources that omit all_aws_regions or have it set to false are flagged, as they do not provide full regional coverage.
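The check above, as an added lint example (not Datadog's or KICS's own checker): it walks parsed playbook tasks and reports each account_sources entry or organization_source block where all_aws_regions is missing or false. Tasks are given as already-parsed YAML (Python dicts, as PyYAML would produce them) so it runs offline, and the sample tasks are constructed to mirror the examples on this page.

```python
# Added lint check for this rule; not Datadog's or KICS's own checker.
# Tasks arrive already parsed (dicts, as PyYAML yields them); samples are constructed.

MODULE_NAMES = {"community.aws.config_aggregator", "aws_config_aggregator"}
TRUE_VALUES = {True, "true", "yes", "on"}  # YAML 1.1 booleans Ansible accepts


def all_regions_enabled(block):
    """True only when the block explicitly sets all_aws_regions to a true value."""
    if not isinstance(block, dict):
        return False
    value = block.get("all_aws_regions", False)  # omitted key counts as false
    if isinstance(value, str):
        value = value.strip().lower()
    return value in TRUE_VALUES


def find_aggregator_findings(tasks):
    """Return '<task>: <location>' for every source lacking all-region coverage."""
    findings = []
    for task in tasks:
        module = next((k for k in task if k in MODULE_NAMES), None)
        if module is None:
            continue  # not an aggregator task
        params = task[module] or {}
        task_name = task.get("name", "<unnamed>")
        sources = params.get("account_sources")
        if isinstance(sources, dict):  # tolerate a single mapping instead of a list
            sources = [sources]
        for idx, entry in enumerate(sources or []):
            if not all_regions_enabled(entry):
                findings.append(f"{task_name}: account_sources[{idx}]")
        org = params.get("organization_source")
        if org is not None and not all_regions_enabled(org):
            findings.append(f"{task_name}: organization_source")
    return findings


SAMPLE_TASKS = [  # constructed to mirror the page's compliant/non-compliant cases
    {"name": "compliant", "community.aws.config_aggregator": {
        "account_sources": [{"account_ids": ["1234567890"], "all_aws_regions": True}],
        "organization_source": {"all_aws_regions": True}}},
    {"name": "accounts-off", "community.aws.config_aggregator": {
        "account_sources": [{"account_ids": ["1234567890"], "all_aws_regions": "no"}],
        "organization_source": {"all_aws_regions": "yes"}}},
    {"name": "org-off", "aws_config_aggregator": {
        "account_sources": [{"account_ids": ["1234567890"]}],  # key omitted: flagged
        "organization_source": {"all_aws_regions": False}}},
    {"name": "unrelated", "debug": {"msg": "skipped"}},
]
```

Running `find_aggregator_findings(SAMPLE_TASKS)` reports the two non-compliant tasks and ignores the compliant and unrelated ones.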
Secure examples for Ansible (account and organization sources):
- name: Create AWS Config Aggregator (account sources)
  community.aws.config_aggregator:
    name: my-config-aggregator
    account_sources:
      - account_ids: ['123456789012']
        all_aws_regions: true
- name: Create AWS Config Aggregator (organization source)
  community.aws.config_aggregator:
    name: org-config-aggregator
    organization_source:
      role_arn: arn:aws:iam::111122223333:role/ConfigAggregatorRole
      all_aws_regions: true
Compliant Code Examples
- name: Create cross-account aggregator
  community.aws.config_aggregator:
    name: test_config_rule
    state: present
    account_sources:
      - account_ids:
          - '1234567890'
          - '0123456789'
          - '9012345678'
        all_aws_regions: yes
    organization_source:
      all_aws_regions: yes
Non-Compliant Code Examples
- name: Create cross-account aggregator
  community.aws.config_aggregator:
    name: test_config_rule
    state: present
    account_sources:
      - account_ids:
          - '1234567890'
          - '0123456789'
          - '9012345678'
        all_aws_regions: no
    organization_source:
      all_aws_regions: yes
- name: Create cross-account aggregator2
  community.aws.config_aggregator:
    name: test_config_rule
    state: present
    account_sources:
      - account_ids:
          - '1234567890'
          - '0123456789'
          - '9012345678'
        all_aws_regions: yes
    organization_source:
      all_aws_regions: no