--- title: Configuration aggregator to all regions disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Configuration aggregator to all regions disabled --- # Configuration aggregator to all regions disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-config-configuration-aggregator-to-all-regions-disabled` **Provider:** AWS **Platform:** CloudFormation **Severity:** Low **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html) ### Description{% #description %} Configuration Aggregators that do not collect data from all AWS Regions create cross-region blind spots, which can lead to incomplete compliance monitoring and limit forensic investigation during incidents. For resources of type `AWS::Config::ConfigurationAggregator`, each entry in `AccountAggregationSources` and the `OrganizationAggregationSource` property must include the `AllAwsRegions` attribute set to `true`. Resources that omit aggregation sources, omit the `AllAwsRegions` key, or set `AllAwsRegions` to `false` will be flagged. Secure configuration example (CloudFormation YAML): ```yaml MyConfigAggregator: Type: AWS::Config::ConfigurationAggregator Properties: AccountAggregationSources: - AccountIds: ["111111111111"] AllAwsRegions: true OrganizationAggregationSource: RoleArn: arn:aws:iam::111111111111:role/ConfigAggregatorRole AllAwsRegions: true ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Resources: ConfigurationAggregator9: Type: 'AWS::Config::ConfigurationAggregator' Properties: AccountAggregationSources: - AccountIds: - '123456789012' - '987654321012' AwsRegions: - us-west-2 - us-east-1 AllAwsRegions: true ConfigurationAggregatorName: MyConfigurationAggregator ConfigurationAggregator10: Type: 'AWS::Config::ConfigurationAggregator' Properties: OrganizationAggregationSource: RoleArn: >- arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations AwsRegions: - us-west-2 - us-east-1 AllAwsRegions: true ConfigurationAggregatorName: MyConfigurationAggregator ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: Description: "Email address to notify when new logs are published." Type: String Resources: ConfigurationAggregator1: Type: 'AWS::Config::ConfigurationAggregator' Properties: AccountAggregationSources: - AccountIds: - '123456789012' - '987654321012' AwsRegions: - us-west-2 - us-east-1 ConfigurationAggregatorName: MyConfigurationAggregator ConfigurationAggregator2: Type: 'AWS::Config::ConfigurationAggregator' Properties: AccountAggregationSources: - AccountIds: - '123456789012' - '987654321012' AwsRegions: - us-west-2 - us-east-1 AllAwsRegions: false ConfigurationAggregatorName: MyConfigurationAggregator ConfigurationAggregator3: Type: 'AWS::Config::ConfigurationAggregator' Properties: OrganizationAggregationSource: RoleArn: >- arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations AwsRegions: - us-west-2 - us-east-1 ConfigurationAggregatorName: MyConfigurationAggregator ConfigurationAggregator4: Type: 'AWS::Config::ConfigurationAggregator' Properties: OrganizationAggregationSource: RoleArn: >- arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations AwsRegions: - us-west-2 - us-east-1 AllAwsRegions: false ConfigurationAggregatorName: MyConfigurationAggregator ```