Updated on 2025-04-15 GMT+08:00

Overview

Functions

A resource aggregator enables you to aggregate resource configurations and compliance data from multiple accounts or an organization for centralized data query.

You can only view aggregated resources and their compliance data instead of modifying resource data. For example, you cannot use a resource aggregator to deploy rules or access snapshots from a source account.

You can only use aggregators to query or view resource data from source accounts. If you need to modify or delete resources, go to related service consoles.

Constraints

The resource aggregator is subjective to the following constraints:

  • Up to 30 account-level aggregators can be created in an account.
  • An account-level aggregator can aggregate data from up to 30 source accounts.
  • You can add, update, and delete up to 1,000 source accounts every 7 days for an account-level aggregator.
  • Up to 1 organization-level aggregator can be created in an account.
  • You can only create one organization-level aggregator within 24 hours. If you create and then delete an organization-level aggregator, you cannot create one within 24 hours.
  • To aggregate resource configuration data from source accounts, the resource recorder in each source account must be enabled.
  • Organization-level aggregator will only aggregate data from member accounts that are in the normal state.

More source account constraints are as follows:

  • If the resource recorder in a source account has not been enabled, neither resource nor conformance data can be aggregated.
  • If only some resources are selected for the resource recorder in a source account, only the selected resources and conformance data will be aggregated.
  • If the resource recorder in a source account is enabled and then disabled, data aggregated from the source account will be deleted.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

Setting Up An Aggregator

To collect resource data from source accounts, perform the following operations:

  1. Create an aggregator. For more details, see Creating a Resource Aggregator.
  2. Enable the resource recorder from every source account. For more details, see Configuring the Resource Recorder.
  3. Authorize the aggregator account to collect resource configurations and compliance data from source accounts. For more details, see Authorizing an Aggregator Account.
  4. View resource configurations and compliance data aggregated. For more details, see Viewing Aggregated Rules and Viewing Aggregated Resources.

Basic Concepts

Source Account

A source account is an account from which Config aggregates resource configurations and compliance data. A source account can be an account or an organization.

Aggregator

An aggregator is a kind of Config resource allowing you to collect resource configuration and compliance data from multiple resource accounts.

Aggregator Account

An aggregator account is an account used to create an aggregator.

Authorization

Authorization is the process of granting an aggregator the permission to collect resource configurations and conformance data from source accounts. An organization-level aggregator, however, does not need authorization to collect data from member accounts.