
AWS Config Aggregator Source Status

Risk Level: Medium (should be achieved)
Rule ID: Config-006

Ensure that AWS Config Aggregator is configured and its sources are successfully collecting configuration and compliance data from all accounts and regions within your AWS cloud environment. An aggregator is an AWS Config resource type that collects configuration and compliance data from multiple source accounts and regions, or from an organization in AWS Organizations. The DescribeConfigurationAggregatorSourcesStatus API returns status information for each source within an aggregator, including the LastUpdateStatus which can be SUCCEEDED, FAILED, or OUTDATED. A source with a FAILED or OUTDATED status indicates that the aggregator is not receiving up-to-date data from that source, potentially due to authorization issues, disabled AWS Config in the source account, or network connectivity problems.

This rule can help you work with the AWS Well-Architected Framework.

Security, Operational excellence

Monitoring the health of AWS Config Aggregator sources is critical for maintaining a complete and accurate view of your multi-account, multi-region cloud environment. When aggregator sources report a FAILED or OUTDATED status, the centralized compliance and configuration data becomes incomplete, which can lead to blind spots in your security posture, missed compliance violations, and inaccurate reporting during audits. Ensuring that all aggregator sources are successfully collecting data allows your operations and security teams to rely on the aggregated view for compliance monitoring, change tracking, and resource relationship analysis across your entire AWS organization.


Audit

To determine if AWS Config Aggregator sources are successfully collecting data, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

  3. In the main navigation panel, under AWS Config, choose Aggregators.

  4. If no configuration aggregators are listed, the Amazon Config multi-account, multi-region data aggregation is not enabled in the selected AWS region. If one or more aggregators are listed, click on the name (link) of the configuration aggregator that you want to examine.

  5. On the aggregator details page, review the Source accounts tab to check the status of each source. If the Last update status column displays FAILED or OUTDATED for any source account or region, the selected AWS Config Aggregator is not successfully collecting data from all sources.

  6. Repeat steps no. 4 and 5 for each configuration aggregator available in the selected region.

  7. Change the AWS cloud region from the navigation bar and repeat steps no. 3 – 6 for each AWS region.

Using AWS CLI

  1. Run describe-configuration-aggregators command (OSX/Linux/UNIX) to list the names of all Amazon Config configuration aggregators available in the selected AWS region:

    aws configservice describe-configuration-aggregators \
    	--region us-east-1 \
    	--query "ConfigurationAggregators[*].ConfigurationAggregatorName"
    
  2. The command output should return the requested aggregator names:

    [
    	"cc-org-aggregator"
    ]
    

    If the describe-configuration-aggregators command output returns an empty array (i.e. []), the Amazon Config multi-account, multi-region data aggregation is not enabled in the selected AWS region.

  3. Run describe-configuration-aggregator-sources-status command (OSX/Linux/UNIX) using the name of the configuration aggregator returned at the previous step, to return the status of each aggregation source:

    aws configservice describe-configuration-aggregator-sources-status \
    	--region us-east-1 \
    	--configuration-aggregator-name cc-org-aggregator
    
  4. The command output should return the status details for each aggregation source:

    {
    	"AggregatedSourceStatusList": [
    		{
    			"SourceId": "123456789012",
    			"SourceType": "ACCOUNT",
    			"AwsRegion": "us-east-1",
    			"LastUpdateStatus": "SUCCEEDED",
    			"LastUpdateTime": "2026-03-10T14:30:00.000000+00:00"
    		},
    		{
    			"SourceId": "123412341234",
    			"SourceType": "ACCOUNT",
    			"AwsRegion": "us-east-1",
    			"LastUpdateStatus": "FAILED",
    			"LastUpdateTime": "2026-03-09T10:15:00.000000+00:00",
    			"LastErrorCode": "AccessDeniedException",
    			"LastErrorMessage": "Access denied when trying to aggregate data from source account."
    		},
    		{
    			"SourceId": "567856785678",
    			"SourceType": "ACCOUNT",
    			"AwsRegion": "eu-west-1",
    			"LastUpdateStatus": "OUTDATED",
    			"LastUpdateTime": "2026-03-08T08:00:00.000000+00:00"
    		}
    	]
    }
    

    Check the "LastUpdateStatus" property value for each source returned by the describe-configuration-aggregator-sources-status command output. If any source has the "LastUpdateStatus" value set to "FAILED" or "OUTDATED", as shown in the output example above, the selected AWS Config Aggregator is not successfully collecting data from all accounts and regions.

  5. Repeat steps no. 3 and 4 for each configuration aggregator available in the selected region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 for each AWS region.
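The decision logic behind the CLI audit above (steps 1 to 6) and behind the post-remediation verification in the next section, as an added example that is not part of the original page: it parses the JSON that describe-configuration-aggregators and describe-configuration-aggregator-sources-status return and produces one finding per aggregator, treating an empty aggregator list as "aggregation not enabled" and any FAILED or OUTDATED source as non-compliant. Only the standard library is needed; the sample input is constructed to mirror the output shown above, and the live_findings wrapper is an assumption about how a practitioner would wire the check to a real account with boto3 (it is never called on import).

```python
import json

# LastUpdateStatus values that mean the aggregator is not receiving fresh
# data from a source (the two values the rule above treats as failures).
UNHEALTHY_STATUSES = {"FAILED", "OUTDATED"}


def unhealthy_sources(status_response):
    """Entries of a describe-configuration-aggregator-sources-status response
    whose LastUpdateStatus is FAILED or OUTDATED."""
    return [
        src for src in status_response.get("AggregatedSourceStatusList", [])
        if src.get("LastUpdateStatus") in UNHEALTHY_STATUSES
    ]


def evaluate_region(region, aggregators_response, status_by_aggregator):
    """Apply the Config-006 decision logic to one region.

    aggregators_response  parsed describe-configuration-aggregators output
    status_by_aggregator  {aggregator name: parsed sources-status output}
    Returns one finding per aggregator, or a single non-compliant finding
    when the region has no aggregator at all (aggregation not enabled).
    """
    names = [
        agg["ConfigurationAggregatorName"]
        for agg in aggregators_response.get("ConfigurationAggregators", [])
    ]
    if not names:
        return [{"region": region, "aggregator": None, "compliant": False,
                 "failing": [],
                 "reason": "multi-account, multi-region aggregation not enabled"}]
    findings = []
    for name in names:
        failing = unhealthy_sources(status_by_aggregator.get(name, {}))
        findings.append({
            "region": region,
            "aggregator": name,
            "compliant": not failing,
            "failing": [
                {"SourceId": src["SourceId"],
                 "AwsRegion": src.get("AwsRegion"),
                 "LastUpdateStatus": src["LastUpdateStatus"],
                 # Present only on FAILED sources; the error code points at
                 # the remediation path (AccessDeniedException -> missing
                 # aggregation authorization in the source account).
                 "LastErrorCode": src.get("LastErrorCode")}
                for src in failing
            ],
            "reason": None,
        })
    return findings


# Constructed sample input mirroring the CLI output shown above; it was not
# captured from a real account.
SAMPLE_AGGREGATORS = json.loads("""
{"ConfigurationAggregators": [{"ConfigurationAggregatorName": "cc-org-aggregator"}]}
""")

SAMPLE_STATUS = json.loads("""
{"AggregatedSourceStatusList": [
  {"SourceId": "123456789012", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
   "LastUpdateStatus": "SUCCEEDED", "LastUpdateTime": "2026-03-10T14:30:00+00:00"},
  {"SourceId": "123412341234", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
   "LastUpdateStatus": "FAILED", "LastUpdateTime": "2026-03-09T10:15:00+00:00",
   "LastErrorCode": "AccessDeniedException",
   "LastErrorMessage": "Access denied when trying to aggregate data from source account."},
  {"SourceId": "567856785678", "SourceType": "ACCOUNT", "AwsRegion": "eu-west-1",
   "LastUpdateStatus": "OUTDATED", "LastUpdateTime": "2026-03-08T08:00:00+00:00"}
]}
""")


def live_findings(region):
    """Optional live check (assumption: boto3 is installed and credentials are
    configured). Pages through the sources-status results with NextToken,
    which a single CLI call as shown above does not do for you."""
    import boto3  # imported here so the offline functions need no boto3

    client = boto3.client("config", region_name=region)
    aggregators = client.describe_configuration_aggregators()
    status_by_aggregator = {}
    for agg in aggregators.get("ConfigurationAggregators", []):
        name = agg["ConfigurationAggregatorName"]
        entries, kwargs = [], {"ConfigurationAggregatorName": name}
        while True:
            page = client.describe_configuration_aggregator_sources_status(**kwargs)
            entries.extend(page.get("AggregatedSourceStatusList", []))
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
        status_by_aggregator[name] = {"AggregatedSourceStatusList": entries}
    return evaluate_region(region, aggregators, status_by_aggregator)


if __name__ == "__main__":
    for finding in evaluate_region("us-east-1", SAMPLE_AGGREGATORS,
                                   {"cc-org-aggregator": SAMPLE_STATUS}):
        print(json.dumps(finding, indent=2))
```

Run the same evaluate_region call after remediation: once every source reports SUCCEEDED the aggregator's finding flips to compliant, which is the condition the empty-list output in step 8 of the CLI remediation expresses.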

Remediation / Resolution

To ensure that AWS Config Aggregator sources are successfully collecting configuration and compliance data, perform the following operations:

Note: Aggregator source failures are typically caused by missing authorization in source accounts, AWS Config not being enabled in the source account or region, or IAM permission issues. The remediation steps below cover the most common scenarios. Ensure that AWS Config is enabled in all source accounts and regions before proceeding (see the Config-001 rule for enabling AWS Config).

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "AWS Config Configuration Aggregator with Organization Aggregation Source",
    	"Resources": {
    		"ConfigurationAggregator": {
    			"Type": "AWS::Config::ConfigurationAggregator",
    			"Properties": {
    				"ConfigurationAggregatorName": "cc-org-aggregator",
    				"OrganizationAggregationSource": {
    					"RoleArn": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    					"AllAwsRegions": true
    				}
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: AWS Config Configuration Aggregator with Organization Aggregation Source
    Resources:
      ConfigurationAggregator:
        Type: AWS::Config::ConfigurationAggregator
        Properties:
          ConfigurationAggregatorName: cc-org-aggregator
          OrganizationAggregationSource:
            RoleArn: arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
            AllAwsRegions: true
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 5.0"
    		}
    	}
    	required_version = ">= 1.0.0"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_config_configuration_aggregator" "cc_org_aggregator" {
    	name = "cc-org-aggregator"
    
    	organization_aggregation_source {
    		all_regions = true
    		role_arn    = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
    	}
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

  3. In the main navigation panel, under AWS Config, choose Aggregators.

  4. Click on the name (link) of the configuration aggregator that has sources with FAILED or OUTDATED status (see Audit section part I to identify the right resource).

  5. On the aggregator details page, review the Source accounts tab to identify which source accounts or regions are reporting failures.

  6. For each failing source, verify and resolve the underlying issue:

    1. Authorization issues: If the source account has not authorized the aggregator account, navigate to the source account's Amazon Config console. Choose Authorizations from the main navigation panel, choose Add authorization, and provide the aggregator account ID and region to grant the necessary permissions.
    2. AWS Config not enabled: If AWS Config is not enabled in the source account or region, navigate to the source account's Amazon Config console and enable the service (see the Config-001 rule for detailed instructions).
    3. IAM role issues: If the aggregator uses an organization aggregation source, verify that the IAM role specified for the aggregator has the required permissions. Choose Edit on the aggregator page and update the IAM role if necessary.

  7. After resolving the underlying issues, return to the aggregator details page and monitor the Source accounts tab. The Last update status for all sources should change to SUCCEEDED within a few minutes.

  8. Repeat steps no. 4 – 7 for each non-compliant configuration aggregator in the selected region.

  9. Change the AWS cloud region from the navigation bar and repeat steps no. 3 – 8 for each AWS region.

Using AWS CLI

  1. Run describe-configuration-aggregator-sources-status command (OSX/Linux/UNIX) to identify the failing sources for the non-compliant aggregator (see Audit section part II to identify the right resource):

    aws configservice describe-configuration-aggregator-sources-status \
    	--region us-east-1 \
    	--configuration-aggregator-name cc-org-aggregator \
    	--update-status FAILED OUTDATED
    
  2. The command output should return only the sources with FAILED or OUTDATED status:

    {
    	"AggregatedSourceStatusList": [
    		{
    			"SourceId": "123412341234",
    			"SourceType": "ACCOUNT",
    			"AwsRegion": "us-east-1",
    			"LastUpdateStatus": "FAILED",
    			"LastUpdateTime": "2026-03-09T10:15:00.000000+00:00",
    			"LastErrorCode": "AccessDeniedException",
    			"LastErrorMessage": "Access denied when trying to aggregate data from source account."
    		}
    	]
    }
    
  3. To resolve authorization issues for individual account aggregation, run put-aggregation-authorization command (OSX/Linux/UNIX) from the failing source account to authorize the aggregator account to collect configuration and compliance data:

    aws configservice put-aggregation-authorization \
    	--region us-east-1 \
    	--authorized-account-id 123456789012 \
    	--authorized-aws-region us-east-1
    
  4. The command output should return the information available for the new aggregation authorization:

    {
    	"AggregationAuthorization": {
    		"AuthorizedAccountId": "123456789012",
    		"AggregationAuthorizationArn": "arn:aws:config:us-east-1:123412341234:aggregation-authorization/123456789012/us-east-1",
    		"CreationTime": "2026-03-11T12:00:00.000000+00:00",
    		"AuthorizedAwsRegion": "us-east-1"
    	}
    }
    
  5. To update an organization-based aggregator or reconfigure the aggregator with the correct settings, run put-configuration-aggregator command (OSX/Linux/UNIX) to recreate or update the configuration aggregator:

    aws configservice put-configuration-aggregator \
    	--region us-east-1 \
    	--configuration-aggregator-name cc-org-aggregator \
    	--organization-aggregation-source "RoleArn=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig,AllAwsRegions=true"
    
  6. The command output should return the information available for the updated configuration aggregator:

    {
    	"ConfigurationAggregator": {
    		"ConfigurationAggregatorArn": "arn:aws:config:us-east-1:123456789012:config-aggregator/config-aggregator-abcdabcd",
    		"CreationTime": "2026-01-15T09:30:00.000000+00:00",
    		"ConfigurationAggregatorName": "cc-org-aggregator",
    		"OrganizationAggregationSource": {
    			"AllAwsRegions": true,
    			"RoleArn": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
    		},
    		"LastUpdatedTime": "2026-03-11T12:05:00.000000+00:00"
    	}
    }
    
  7. Run describe-configuration-aggregator-sources-status command (OSX/Linux/UNIX) again to verify that all aggregation sources now report a SUCCEEDED status:

    aws configservice describe-configuration-aggregator-sources-status \
    	--region us-east-1 \
    	--configuration-aggregator-name cc-org-aggregator \
    	--update-status FAILED OUTDATED
    
  8. The command output should return an empty list, confirming that all sources are successfully collecting data:

    {
    	"AggregatedSourceStatusList": []
    }
    
  9. Repeat steps no. 1 – 8 for each non-compliant configuration aggregator.

  10. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 9 for each AWS region.

Publication date Mar 12, 2026