A global engineering firm has created multiple accounts across multiple regions for global project teams.
Some of these accounts are part of AWS Organizations.
The compliance officer is looking for configuration and compliance data for resources launched across these accounts.
This compliance data should be aggregated in a single region. Which of the following steps can be performed by the SysOps administrator to complete this task?
A. B. C. D.
Correct Answer: C.
To aggregate compliance data from multiple accounts & multiple regions into a single account, Multi-Account Multi-Region Data Aggregation can be used.
For this, an Aggregator needs to be created in a region where aggregated AWS Config configuration and compliance data are required.
Aggregator collects compliance data from multiple source accounts and from multiple regions.
Source accounts that are part of AWS Organizations are not required to provide any authorization.
Source accounts that are not part of AWS Organizations require authorization which permits Aggregator to collect AWS Config configuration and compliance data.
Option A is incorrect as Aggregator needs to be created in a region where all aggregated compliance data is required, not in all source regions.
Option B is incorrect as Aggregator needs to be created in a region where all aggregated compliance data is required, not in all source regions.
Also, authorization is required only for accounts that are not part of AWS Organizations.
Option D is incorrect as Authorization is required only for accounts that are not part of AWS Organizations.
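The rule explained above (one aggregator in the destination region, authorization only from source accounts outside AWS Organizations) is worked through below as an added example, not code from the original page. It only builds the keyword arguments for the boto3 `config` client calls `put_configuration_aggregator` and `put_aggregation_authorization` and calls no AWS API; the helper names, aggregator names, account IDs and role ARN are constructed placeholders, and issuing one authorization per source region is an assumption.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceAccount:
    account_id: str
    in_organization: bool

def plan_aggregation(agg_account, agg_region, sources, source_regions, org_role_arn):
    """Build boto3 'config' client kwargs for one aggregator region (no AWS calls)."""
    for acct in [agg_account] + [s.account_id for s in sources]:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit account id: {acct!r}")
    regions = sorted(set(source_regions))
    standalone = sorted({s.account_id for s in sources if not s.in_organization})
    aggregators = []  # put_configuration_aggregator kwargs, run only in agg_region
    if any(s.in_organization for s in sources):
        # Organization members are covered by the organization source: no
        # per-account authorization is planned for them.
        aggregators.append({
            "ConfigurationAggregatorName": "org-aggregator",  # hypothetical name
            "OrganizationAggregationSource": {
                "RoleArn": org_role_arn, "AwsRegions": regions},
        })
    if standalone:
        aggregators.append({
            "ConfigurationAggregatorName": "standalone-aggregator",  # hypothetical
            "AccountAggregationSources": [
                {"AccountIds": standalone, "AwsRegions": regions}],
        })
    # put_aggregation_authorization kwargs, to be run inside each standalone
    # source account (assumption: once per source region); it names the
    # aggregator account and region that may collect the data.
    authorizations = [
        {"run_in_account": acct, "run_in_region": region,
         "kwargs": {"AuthorizedAccountId": agg_account,
                    "AuthorizedAwsRegion": agg_region}}
        for acct in standalone for region in regions]
    return {"aggregator_region": agg_region, "aggregators": aggregators,
            "authorizations": authorizations}

# Constructed sample: two organization members and one standalone account.
SAMPLE = plan_aggregation(
    "111111111111", "us-east-1",
    [SourceAccount("222222222222", True), SourceAccount("333333333333", True),
     SourceAccount("444444444444", False)],
    ["eu-west-1", "ap-southeast-2"],
    "arn:aws:iam::111111111111:role/PLACEHOLDER-org-aggregator-role")
```

Reviewing the returned plan before applying it shows at a glance whether any organization member was wrongly queued for a manual authorization, or a standalone account was left without one.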
For more information on Multi-Account Multi-Region Data Aggregation with AWS Config, refer to the following URL:
https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#multi-account-multi-region-data-aggregation
To aggregate configuration and compliance data for resources launched across multiple AWS accounts, a SysOps Administrator can use AWS Config to collect, store, and analyze resource configuration data. The compliance data can be aggregated in a single region using an AWS Config aggregator. An AWS Config aggregator is a resource that you can use to consolidate AWS Config data from multiple source accounts and regions into a single account and region.
To configure an AWS Config aggregator, the SysOps Administrator needs to perform the following steps:
Choose a region for the aggregator: The SysOps Administrator needs to choose a region where all compliance data needs to be aggregated.
Create an aggregator: The SysOps Administrator needs to create an aggregator in the chosen region.
Authorize source accounts: The SysOps Administrator needs to provide authorization to the source accounts that will provide the compliance data. The authorization can be given by creating an IAM role in the source accounts and specifying the aggregator account as the trusted entity.
Specify rules: The SysOps Administrator needs to specify the rules that the aggregator will use to evaluate the compliance data.
Now, looking at the answer options, we can see that option A suggests creating an aggregator in each source region and providing authorization from each source account that is not part of AWS Organizations. This option is incorrect because it suggests creating an aggregator in each source region, which defeats the purpose of aggregating the compliance data in a single region.
Option B suggests creating an aggregator in each source region and providing authorization from each source account that is part of AWS Organizations. This option is also incorrect because it suggests creating an aggregator in each source region, which is not required to aggregate the compliance data in a single region.
Option C suggests creating an aggregator in a region where all compliance data needs to be aggregated and providing authorization from each source account that is not part of AWS Organizations. This option is partially correct. It suggests creating an aggregator in a single region, but it does not consider the source accounts that are part of AWS Organizations.
Option D suggests creating an aggregator in a region where all compliance data needs to be aggregated and providing authorization from each source account that is part of AWS Organizations. This option is the correct answer. It suggests creating an aggregator in a single region and providing authorization to all the source accounts, including those that are part of AWS Organizations.
Therefore, the correct answer is D: Create an aggregator in a region where all compliance data needs to be aggregated and provide authorization from each source account that is part of AWS Organizations.