AWS Config Configuration & Compliance Data Collection: Permissions and Requirements

Additional Permissions for Aggregating AWS Config Data from Multiple Regions and Accounts

Question

You are configuring an aggregator in the AWS Config console to collect AWS Config configuration and compliance data.

The data must be captured from resources deployed in multiple regions and belonging to multiple accounts.

Some of these accounts are members of an AWS Organization. What additional permission is required to capture this data?

Answers

A. Allow data replication to replicate data from the AWS Config configuration recorder to the aggregator account.

B. Allow data replication to replicate data from the source account to the management account in an Organization, which will push the data to the aggregator.

C. Allow data replication to replicate data from one region to another region where an aggregator is deployed.

D. Allow data replication to replicate data from source accounts to the aggregator account.

Correct Answer: D.

Explanations

An aggregator is an AWS Config resource that collects configuration and compliance data from multiple accounts and regions into a single aggregator account and region. Its source can be a list of individual account IDs or all member accounts of an AWS Organization.

When you add an aggregator in the console, you must select the Allow data replication check box. This grants AWS Config permission to replicate data from the source accounts into the aggregator account, and the console will not create the aggregator until it is selected. Depending on the source type, two further conditions apply in practice: each individually listed source account must add an aggregation authorization naming the aggregator account ID and region, and an Organization source requires an IAM role that AWS Config can assume to enumerate the member accounts (the managed policy AWSConfigRoleForOrganizations), with the aggregator created in the management account or a delegated administrator account and AWS Config enabled as a trusted service in AWS Organizations.

Option A is incorrect. The configuration recorder runs in each source account and region; nothing is replicated from a recorder to the aggregator, and the replication permission is granted for the source account as a whole.

Option B is incorrect. Data is not routed through the Organization's management account; AWS Config replicates from each source account directly, and an Organization source uses the management (or delegated administrator) account only to discover member accounts.

Option C is incorrect. There is no region-to-region replication permission; the aggregator itself selects the source regions (or all regions) it collects from.

For more information on configuring AWS Config Aggregator, refer to the following URL,

https://docs.aws.amazon.com/config/latest/developerguide/setup-aggregator-console.html

Each answer in detail:

A. Allow data replication to replicate data from the AWS Config configuration recorder to the aggregator account. Incorrect. The configuration recorder is a per-account, per-region component that records resource configuration in the source account; it is not something that is replicated on its own. The replication permission is granted for the whole source account, and the recorder merely has to be enabled there so that there is data to aggregate.

B. Allow data replication to replicate data from the source account to the management account in an Organization, which will push the data to the aggregator. Incorrect. The management account is not a staging point for the data. When the source is an AWS Organization, the aggregator uses an IAM role to list the Organization's accounts and then replicates from each member account directly into the aggregator account. The aggregator must be created in the management account or a delegated administrator account, but no data is pushed through the management account.

C. Allow data replication to replicate data from one region to another region where an aggregator is deployed. Incorrect. The aggregator is created in one region and chooses which source regions to collect from (a list of regions or all regions). There is no separate region-to-region replication step that needs its own permission.

D. Allow data replication to replicate data from source accounts to the aggregator account. Correct. This is the Allow data replication acknowledgement the console requires, and it is what lets AWS Config copy configuration and compliance data from every source account and region into the aggregator account. For accounts listed individually it is complemented by an aggregation authorization created in each source account; for accounts that are members of the Organization, the aggregator instead uses an IAM role to discover them through AWS Organizations.
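A worked example of the permissions described above, as added code that is not part of the original page or of AWS's own documentation: a small Python planner that emits the exact parameters of the two AWS Config API calls the setup needs (PutAggregationAuthorization in each individually listed source account, PutConfigurationAggregator in the aggregator account), enforces the constraints the API applies, and hands the calls to a caller-supplied client factory. The factory (one boto3 Config client per account, with cross-account credentials obtained however the caller chooses) is assumed and not created here; the account IDs, aggregator name and role name in the demo are made up.

```python
"""Plan, and optionally apply, an AWS Config aggregator spanning accounts and regions.

Added example, not code from the AWS documentation or the AWS Config service.
It produces the parameters for the two API calls the setup needs:

  * PutAggregationAuthorization  -> run in EACH individually listed source
    account, naming the aggregator account and region it authorizes
  * PutConfigurationAggregator   -> run once, in the aggregator account/region

Account IDs, aggregator name and role name used below are made-up assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Managed policy attached to the role an Organization source assumes.
CONFIG_ORG_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"

# Trust policy for that role: AWS Config must be allowed to assume it.
ORG_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


@dataclass
class AggregatorSpec:
    name: str
    aggregator_account: str
    aggregator_region: str
    individual_accounts: list = field(default_factory=list)  # source accounts listed by ID
    org_role_arn: Optional[str] = None  # set this to use the whole Organization as the source
    regions: Optional[list] = None      # None -> AllAwsRegions


def _check_account_id(account_id: str) -> None:
    if not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")


def _region_block(regions: Optional[list]) -> dict:
    """AllAwsRegions and AwsRegions are mutually exclusive in the API: emit only one."""
    return {"AllAwsRegions": True} if regions is None else {"AwsRegions": list(regions)}


def aggregation_authorizations(spec: AggregatorSpec) -> list:
    """(source_account, params) for each PutAggregationAuthorization call.

    These run in the *source* accounts. An Organization source needs none:
    membership discovered through Organizations replaces per-account consent.
    """
    _check_account_id(spec.aggregator_account)
    for acct in spec.individual_accounts:
        _check_account_id(acct)
    return [
        (acct, {"AuthorizedAccountId": spec.aggregator_account,
                "AuthorizedAwsRegion": spec.aggregator_region})
        for acct in spec.individual_accounts
    ]


def configuration_aggregator(spec: AggregatorSpec) -> dict:
    """Params for PutConfigurationAggregator, run in the aggregator account.

    The console offers either a list of account IDs or the Organization as the
    source; this planner mirrors that choice and refuses a spec that sets both.
    """
    if bool(spec.individual_accounts) == bool(spec.org_role_arn):
        raise ValueError("specify exactly one source: individual_accounts or org_role_arn")
    params: dict = {"ConfigurationAggregatorName": spec.name}
    if spec.org_role_arn:
        # Preconditions (not checkable offline): aggregator created in the
        # management or delegated administrator account, AWS Config enabled as a
        # trusted service in Organizations, and the role trusting
        # config.amazonaws.com with CONFIG_ORG_POLICY_ARN attached.
        params["OrganizationAggregationSource"] = {
            "RoleArn": spec.org_role_arn, **_region_block(spec.regions)}
    else:
        params["AccountAggregationSources"] = [
            {"AccountIds": list(spec.individual_accounts), **_region_block(spec.regions)}]
    return params


def apply(spec: AggregatorSpec, client_for: Callable[[str, str], Any]) -> list:
    """Issue the calls. client_for(account_id, region) returns a boto3-style AWS
    Config client for that account (assumption: the caller obtains the
    cross-account credentials, e.g. by assuming a role in each source account).
    Assumption: authorizations are issued from the aggregator's region; the
    authorization names the aggregator account and region, not the source region.
    Returns the issued calls as (account, region, api, params)."""
    issued = []
    for acct, params in aggregation_authorizations(spec):
        client_for(acct, spec.aggregator_region).put_aggregation_authorization(**params)
        issued.append((acct, spec.aggregator_region, "PutAggregationAuthorization", params))
    params = configuration_aggregator(spec)
    client_for(spec.aggregator_account, spec.aggregator_region).put_configuration_aggregator(**params)
    issued.append((spec.aggregator_account, spec.aggregator_region,
                   "PutConfigurationAggregator", params))
    return issued


if __name__ == "__main__":
    demo = AggregatorSpec(name="security-aggregator", aggregator_account="111111111111",
                          aggregator_region="us-east-1",
                          individual_accounts=["222222222222", "333333333333"])
    for acct, p in aggregation_authorizations(demo):
        print(f"in account {acct}: PutAggregationAuthorization {p}")
    print(f"in account {demo.aggregator_account}: PutConfigurationAggregator {configuration_aggregator(demo)}")
```

The console's Allow data replication check box has no counterpart parameter in the API: issuing PutConfigurationAggregator from the aggregator account is the consent, and the per-account PutAggregationAuthorization (or the Organization role) is what makes the source accounts' data reachable.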