---
title: Configuration aggregator to all regions disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Configuration aggregator to all regions
  disabled
---

# Configuration aggregator to all regions disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `terraform-aws-config-configuration-aggregator-to-all-regions-disabled` 

**Cloud Provider:** AWS

**Platform:** Terraform

**Severity:** Low

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions)

### Description{% #description %}

This check ensures that the `all_regions` attribute is set to `true` in AWS Config configuration aggregators, either within `account_aggregation_source` or `organization_aggregation_source` blocks. If `all_regions = false` or specific regions are listed, AWS Config will not aggregate configuration data from all regions, potentially leaving gaps in compliance visibility and risk detection for resources deployed outside the specified regions. Without full regional aggregation, there is an increased risk that misconfigurations or security issues in unmonitored regions go undetected, undermining centralized auditing and governance across an AWS environment.

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_config_configuration_aggregator" "negative1" {
  name = "example"

  account_aggregation_source {
    all_regions = true

  }
}

resource "aws_config_configuration_aggregator" "negative2" {
  depends_on = [aws_iam_role_policy_attachment.organization]

  name = "example" # Required

  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.organization.arn
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "aws_config_configuration_aggregator" "positive1" {
  name = "example"

  account_aggregation_source {
    account_ids = ["123456789012"]
    regions     = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"]
  }
}

resource "aws_config_configuration_aggregator" "positive2" {
  depends_on = [aws_iam_role_policy_attachment.organization]

  name = "example" # Required

  organization_aggregation_source {
    all_regions = false
    role_arn    = aws_iam_role.organization.arn
  }
}
```