I set up an AWS Config aggregator in our security account to centralize compliance monitoring across all linked accounts. Everything looked good in the console, but the aggregator kept showing zero resources despite having thousands of EC2 instances across linked accounts. After an hour of debugging, I realized we forgot one critical step: authorizing the aggregator account in each member account. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
Your AWS Config aggregator is configured and deployed, but it’s not collecting resources from member accounts:
- Aggregator shows “0 resources” even though accounts have EC2 instances, RDS databases, etc.
- Some accounts appear in the aggregator but have zero resources
- Aggregator source status shows “Not authorized” or “Not aggregating”
- Resources appear only from your own account
Why Does This Happen?
- Member accounts haven't authorized the aggregator: For account-based (non-org) aggregators, each member account must explicitly authorize the aggregator account, naming the aggregator's home region. Without that authorization, the aggregator can't read the account's configuration and compliance data.
- AWS Config service access not enabled for the organization: For org-based aggregators, trusted access for the Config service principal (config.amazonaws.com) must be enabled at the organization level first, and the aggregator must live in the management account or in an account registered as the delegated administrator for Config.
- AWS Config recorder not running in member accounts: AWS Config must be set up and actively recording in each member account. If the recorder is disabled or was never created, there's nothing to aggregate.
- Aggregator source regions don't match recorder regions: If you configure the aggregator to collect from us-east-1 but Config is only recording in eu-west-1, you'll see no data.
- Member account not added as a source: If you're using account-based (non-org) sources, you must explicitly add each member account ID to the aggregator configuration; accounts that aren't listed never show up, not even as "Not authorized".
The Fix
Option 1: Organization-Based Aggregator (Recommended)
If using AWS Organizations, use org-based aggregation. First, enable trusted access for AWS Config in the management account. The service principal is config.amazonaws.com (config-multiaccountsetup.amazonaws.com is a different principal, used for organization Config rules and conformance packs, and does not enable aggregation). If the aggregator is going to live in a dedicated security account rather than the management account, also register that account as the delegated administrator for Config (aws organizations register-delegated-administrator --account-id <security-account-id> --service-principal config.amazonaws.com), or the put-configuration-aggregator call below will be rejected.
# Enable Config access for the organization
aws organizations enable-aws-service-access \
--service-principal config.amazonaws.com
# Verify it's enabled
aws organizations list-aws-service-access-enabled-for-organization \
--query 'EnabledServicePrincipals[?ServicePrincipal==`config.amazonaws.com`]'
Next, create or update the aggregator to use organization sources:
# Create an org-based aggregator in the management account or the Config
# delegated-administrator account. Note the parameter: organization sources use
# --organization-aggregation-source (a single object), not
# --account-aggregation-sources. RoleArn is an IAM role in this account that
# trusts config.amazonaws.com and has the AWSConfigRoleForOrganizations managed
# policy attached; it is not the recorder's service-linked role.
aws configservice put-configuration-aggregator \
  --configuration-aggregator-name org-aggregator \
  --organization-aggregation-source '{
    "AllAwsRegions": true,
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSConfigRoleForOrganizations"
  }'
Then, ensure AWS Config is enabled and recording in every member account, in every region the aggregator collects from. Use AWS Control Tower (if available) or CloudFormation StackSets to deploy Config across accounts; an org-based aggregator does not turn recorders on for you.
Option 2: Account-Based Aggregator (Manual Authorization)
If not using Organizations, manually authorize each account. In the aggregator account (security account):
# Create an account-based aggregator
aws configservice put-configuration-aggregator \
--configuration-aggregator-name manual-aggregator \
--account-aggregation-sources '[
{
"AccountIds": ["111111111111", "222222222222", "333333333333"],
"AllAwsRegions": true
}
]'
Then, in each member account, authorize the aggregator:
# In member account 111111111111. The authorized region is the region in which
# the aggregator itself was created, not the regions being collected from.
aws configservice put-aggregation-authorization \
  --authorized-account-id 123456789012 \
  --authorized-aws-region us-east-1
# Only if you also run an aggregator in another region, authorize that one too
aws configservice put-aggregation-authorization \
  --authorized-account-id 123456789012 \
  --authorized-aws-region eu-west-1
Verify authorization in the member account:
aws configservice describe-aggregation-authorizations \
  --query 'AggregationAuthorizations[*].[AuthorizedAccountId,AuthorizedAwsRegion]' \
  --output table
Step 3: Enable AWS Config Recorder in Member Accounts
Ensure Config is running in each member account:
# In a member account, check whether a recorder exists (field names are lowerCamelCase here)
aws configservice describe-configuration-recorders \
  --query 'ConfigurationRecorders[*].{Name:name,RoleARN:roleARN,AllSupported:recordingGroup.allSupported}'
# ...and whether it is actually recording (status lives in a separate call)
aws configservice describe-configuration-recorder-status \
  --query 'ConfigurationRecordersStatus[*].{Name:name,Recording:recording,LastStatus:lastStatus,LastError:lastErrorCode}'
# If no recorder exists, create one. The service-linked role must already exist
# (aws iam create-service-linked-role --aws-service-name config.amazonaws.com).
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::111111111111:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=true
# A recorder will not start without a delivery channel; my-config-bucket is a
# placeholder for a bucket whose policy allows config.amazonaws.com to write
aws configservice put-delivery-channel \
  --delivery-channel name=default,s3BucketName=my-config-bucket
# Start the recorder
aws configservice start-configuration-recorder \
  --configuration-recorder-name default
Step 4: Check Aggregator Status
From the aggregator account, verify sources are authorized and collecting:
# Describe the aggregator
aws configservice describe-configuration-aggregators \
  --configuration-aggregator-names org-aggregator \
  --query 'ConfigurationAggregators[0]'
# Per-source status by account and region. LastUpdateStatus is SUCCEEDED,
# FAILED or OUTDATED; a missing authorization or recorder shows up here as a
# FAILED row with an error code and message.
aws configservice describe-configuration-aggregator-sources-status \
  --configuration-aggregator-name org-aggregator \
  --query 'AggregatedSourceStatusList[*].[SourceId,AwsRegion,LastUpdateStatus,LastErrorCode,LastErrorMessage]' \
  --output table
# Resource counts per source account; zero for an account means nothing is arriving from it
aws configservice get-aggregate-discovered-resource-counts \
  --configuration-aggregator-name org-aggregator \
  --group-by-key ACCOUNT_ID
# List a few aggregated EC2 instances to confirm data is flowing
aws configservice list-aggregate-discovered-resources \
  --configuration-aggregator-name org-aggregator \
  --resource-type AWS::EC2::Instance \
  --query 'ResourceIdentifiers[0:5]'
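Reading that status table by eye works for three accounts but not for three hundred. As an added example (not code from the original post and not from AWS), here is a stdlib-only Python script that turns the JSON from describe-configuration-aggregator-sources-status into a per-account checklist: which expected account/region pairs are healthy, which are failing and why, and which never appear at all (the "not added as a source" case). It assumes the aggregator lives in account 123456789012 in us-east-1; the embedded sample payload is constructed, with made-up account IDs and error codes, although the field names and the SUCCEEDED/FAILED/OUTDATED values are the real API's. Pass a file containing real CLI output as the first argument to run it against your aggregator.

```python
"""Triage an AWS Config aggregator's per-source status into a remediation checklist.

Added example for this post, not code from the original page or from AWS.
Input: JSON printed by `aws configservice describe-configuration-aggregator-sources-status`
(argv[1]); without an argument the constructed sample below is used, so it runs offline.
"""
import json
import sys
from collections import defaultdict

AGGREGATOR_ACCOUNT = "123456789012"  # assumed aggregator (security) account
AGGREGATOR_REGION = "us-east-1"      # assumed home region of the aggregator

# Constructed sample in the shape of the real API response. Field names and the
# SUCCEEDED/FAILED/OUTDATED values are the API's; account IDs, error codes and
# messages are invented for illustration.
SAMPLE_STATUS = {
    "AggregatedSourceStatusList": [
        {"SourceId": "111111111111", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
         "LastUpdateStatus": "SUCCEEDED", "LastUpdateTime": 1700000000.0},
        {"SourceId": "111111111111", "SourceType": "ACCOUNT", "AwsRegion": "eu-west-1",
         "LastUpdateStatus": "FAILED", "LastErrorCode": "NoRecorder",
         "LastErrorMessage": "no configuration recorder in region"},
        {"SourceId": "222222222222", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
         "LastUpdateStatus": "FAILED", "LastErrorCode": "AccessDenied",
         "LastErrorMessage": "aggregator account not authorized"},
        {"SourceId": "333333333333", "SourceType": "ACCOUNT", "AwsRegion": "us-east-1",
         "LastUpdateStatus": "OUTDATED"},
    ]
}


def triage(status, expected_accounts, expected_regions):
    """Classify every expected (account, region) pair.

    healthy: last collection SUCCEEDED
    failing: FAILED or OUTDATED, with the error code and message if present
    absent:  no status row at all, i.e. the account was never added as a source
             or the aggregator has nothing to collect in that region
    """
    seen = {(s["SourceId"], s["AwsRegion"]): s
            for s in status.get("AggregatedSourceStatusList", [])}
    report = {"healthy": [], "failing": [], "absent": []}
    for acct in sorted(expected_accounts):
        for region in sorted(expected_regions):
            entry = seen.get((acct, region))
            if entry is None:
                report["absent"].append((acct, region))
            elif entry.get("LastUpdateStatus") == "SUCCEEDED":
                report["healthy"].append((acct, region))
            else:
                code = entry.get("LastErrorCode", entry.get("LastUpdateStatus", "?"))
                report["failing"].append((acct, region, code, entry.get("LastErrorMessage", "")))
    return report


def remediation_plan(report, aggregator_account, aggregator_region):
    """Map each problem account to the commands to run inside that member account."""
    plan = defaultdict(list)
    for acct, region in report["absent"]:
        plan[acct].append(f"# {region}: no source status; confirm {acct} is in the "
                          f"aggregator's sources and a recorder exists in {region}")
    for acct, region, code, msg in report["failing"]:
        plan[acct].append(f"# {region}: {code} {msg}".rstrip())
        plan[acct].append(f"aws configservice describe-configuration-recorder-status --region {region}")
    # One authorization per account. It names the aggregator's home region, not
    # the member's regions, and re-running an existing authorization is harmless.
    for acct in plan:
        plan[acct].append("aws configservice put-aggregation-authorization "
                          f"--authorized-account-id {aggregator_account} "
                          f"--authorized-aws-region {aggregator_region}")
    return dict(plan)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            status = json.load(fh)
    else:
        status = SAMPLE_STATUS
    report = triage(status,
                    expected_accounts={"111111111111", "222222222222", "333333333333"},
                    expected_regions={"us-east-1", "eu-west-1"})
    print(f"healthy={len(report['healthy'])} failing={len(report['failing'])} "
          f"absent={len(report['absent'])}")
    for acct, cmds in remediation_plan(report, AGGREGATOR_ACCOUNT, AGGREGATOR_REGION).items():
        print(f"\n# run in account {acct}")
        print("\n".join(cmds))


if __name__ == "__main__":
    main(sys.argv)
```

The expected account and region sets are deliberately an input rather than derived from the status output: the whole point of the "absent" bucket is to catch accounts the aggregator has never heard of, which the status call cannot tell you about on its own. For an org-based aggregator, feed it the account list from aws organizations list-accounts.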
How to Run This
- In the management account, enable Config service access: aws organizations enable-aws-service-access --service-principal config.amazonaws.com
- Create an org-based aggregator in the management account, or in the security/audit account after registering it as the Config delegated administrator
- Ensure the AWS Config recorder (and its delivery channel) is running in all member accounts, in every region the aggregator collects from
- If using account-based sources, run put-aggregation-authorization in each member account, naming the aggregator's account and home region
- Wait 5–10 minutes for resources to appear in the aggregator
- Run describe-configuration-aggregators and describe-configuration-aggregator-sources-status to verify status
Is This Safe?
Largely, yes. None of these commands delete or modify existing resources, and an aggregator only reads configuration and compliance data. Two things still deserve a second look. put-aggregation-authorization is a cross-account grant: it lets the named account pull every configuration item the member account records, so check the account ID before running it and remove stale grants with delete-aggregation-authorization. And turning on a recorder (with its delivery channel) starts writing configuration items to S3 and billing per item recorded, which is new activity in an account that had none.
Key Takeaway
Config aggregators require either an aggregation authorization from each member account (account-based) or organization-level trusted access plus a management or delegated-administrator account to host the aggregator (org-based). In both cases the member accounts must have a running Config recorder in every region the aggregator collects from; otherwise the aggregator has nothing to show, no matter how it is authorized.