March 28, 2025

AWS Config Aggregator & Automated Compliance Reports


In my previous articles (parts 1 and 2), we explored the fundamentals of AWS Config and its role in maintaining compliance across AWS environments. Now we will go a step further: set up data aggregation with AWS Config Aggregator and automate compliance reporting with a simple yet effective Python script. This article shows how to use AWS Config with the boto3 library to identify non-compliant resources across multiple AWS regions. Automating this process can streamline security audits, reduce manual intervention, and ensure a proactive compliance posture.

The script discussed here interacts with AWS Config Aggregator to fetch non-compliant resources and generates detailed reports with resource links. With minimal setup, you can implement this solution to monitor your AWS environment and request necessary actions based on the findings.

AWS Config Aggregator

If you have resources spread across multiple AWS regions – or even multiple accounts – manually checking each one for compliance can be time-consuming and inefficient. Fortunately, AWS Config Aggregator simplifies this by collecting configuration data from all regions and accounts into a single, centralized view.

Let's take a quick look at how to configure and use an aggregator when you use multiple AWS regions in a single account:

Prerequisites

  • AWS Config recorder is enabled in all necessary AWS regions

Instructions

First, go to the Aggregators page and click on the Create aggregator button to create your aggregator.

On the next page, check the box to enable data aggregation, enter a name for your aggregator, and use your account ID as the source (since the aggregator will be in the same account). Select all the regions where you have AWS Config Recorder enabled – in my case, that’s us-east-1, us-east-2, and us-west-1. Finally, click Create aggregator to complete the setup.

Now, if you open the aggregator page, you will see the Incomplete authorization status. To fix it, you should configure the Authorization in each AWS region where you have the Config Recorder to allow the aggregator to scrape the data.

Go to the Authorizations page in Aggregators and click Add authorization.

Set the AWS Account ID and Region where your aggregator was created and click on Add authorization to allow the aggregator to scrape the data from this region.

Now, on the Aggregator page, you should see OK in the Authorization status column.
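The same console steps can be scripted with boto3, which keeps the setup repeatable as the list of regions grows. This is an added example, not code from the article or its repository; the function name, the client_for factory and the FakeConfig stub (with its constructed account ID and status) are assumptions made for illustration.

```python
def create_single_account_aggregator(client_for, name, account_id,
                                     home_region, source_regions):
    """Create an aggregator and authorize it in every source region.

    client_for(region) returns an AWS Config client for that region,
    e.g. lambda r: boto3.client("config", region_name=r).
    """
    home = client_for(home_region)
    # Step 1: create the aggregator with this account and the regions
    # that run a Config recorder as its source.
    home.put_configuration_aggregator(
        ConfigurationAggregatorName=name,
        AccountAggregationSources=[{
            "AccountIds": [account_id],
            "AllAwsRegions": False,
            "AwsRegions": list(source_regions),
        }],
    )
    # Step 2: in each source region, authorize the aggregator's account
    # and home region (the console's "Add authorization").
    for region in source_regions:
        client_for(region).put_aggregation_authorization(
            AuthorizedAccountId=account_id,
            AuthorizedAwsRegion=home_region,
        )
    # Step 3: read back each source region's last update status
    # (SUCCEEDED, FAILED or OUTDATED).
    status = home.describe_configuration_aggregator_sources_status(
        ConfigurationAggregatorName=name)
    return {s["AwsRegion"]: s["LastUpdateStatus"]
            for s in status.get("AggregatedSourceStatusList", [])}


class FakeConfig:
    """Constructed stand-in for a regional boto3 Config client; logs calls."""
    calls = []

    def __init__(self, region):
        self.region = region

    def __getattr__(self, api):
        def call(**kwargs):
            FakeConfig.calls.append((self.region, api, kwargs))
            return {"AggregatedSourceStatusList": [
                {"AwsRegion": "us-east-2", "LastUpdateStatus": "SUCCEEDED"}]}
        return call
```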

Once the Aggregator is configured and authorized, you can choose it on the Aggregators page and see the resource inventory, compliance status, and Top 5 noncompliant rules.


Alternatively, you can use Advanced queries to query the necessary data across multiple regions. In Query scope, choose the aggregator that you created and write the query. For example, to get a list of instance types in each region:

SELECT
  configuration.instanceType,
  awsRegion,
  COUNT(*)
WHERE
  resourceType = 'AWS::EC2::Instance'
GROUP BY
  configuration.instanceType,
  awsRegion
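The same query can be run through the aggregator from Python with boto3's select_aggregate_resource_config, which returns each row as a JSON string. This is an added example, not part of the original article or its repository; run_aggregate_query, instance_counts and the FakeConfig stub with its constructed result rows are illustrative.

```python
import json

# The query from the article.
QUERY = """SELECT configuration.instanceType, awsRegion, COUNT(*)
WHERE resourceType = 'AWS::EC2::Instance'
GROUP BY configuration.instanceType, awsRegion"""


def run_aggregate_query(config_client, aggregator_name, expression):
    """Run an advanced query through the aggregator; return parsed rows."""
    rows = []
    kwargs = {"Expression": expression,
              "ConfigurationAggregatorName": aggregator_name}
    while True:
        page = config_client.select_aggregate_resource_config(**kwargs)
        # Results is a list of JSON strings (one per row), not dicts.
        rows.extend(json.loads(item) for item in page.get("Results", []))
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]


def instance_counts(rows):
    """Flatten rows to {(region, instance_type): count}."""
    return {(r["awsRegion"], r["configuration"]["instanceType"]): r["COUNT(*)"]
            for r in rows}


class FakeConfig:
    """Constructed stand-in for boto3.client("config"); serves two pages."""
    PAGES = {
        None: {"NextToken": "p2", "Results": [
            '{"COUNT(*)":3,"configuration":{"instanceType":"t3.micro"},"awsRegion":"us-east-1"}',
            '{"COUNT(*)":1,"configuration":{"instanceType":"m5.large"},"awsRegion":"us-east-2"}']},
        "p2": {"Results": [
            '{"COUNT(*)":2,"configuration":{"instanceType":"t3.micro"},"awsRegion":"us-west-1"}']},
    }

    def select_aggregate_resource_config(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    # With real credentials, pass boto3.client("config") instead of the stub.
    rows = run_aggregate_query(FakeConfig(), "MyAggregator", QUERY)
    for key, count in sorted(instance_counts(rows).items()):
        print(*key, count)
```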


To delete the aggregator, go to the Aggregators page, choose the necessary aggregator, and click Delete in the Actions menu.

For more details on AWS Config Aggregators, check out the official AWS documentation: AWS Config Aggregator Overview.

Creating Custom Compliance Reports with AWS CLI/boto3

My solution is heavily based on the following sample: AWS Config Reporting for Non-Compliant Resources. This script automates reporting for resources that have remained non-compliant over a specified period. I made some tweaks to suit my needs better, like adding severity levels, tracking remediation tasks, and including links to Jira tickets.

Prerequisites

  • Python 3
  • AWS CLI configured
  • AWS Config recorder enabled
  • AWS Config rules configured
  • AWS Config Aggregator configured

How to Use the Script

  1. Clone the repository with source code - https://github.com/deadsen/aws-config-reporter.git
  2. Open the terminal in the cloned repository
  3. Install dependencies with pip install -r requirements.txt
  4. Ensure that your AWS CLI profile and credentials are configured
  5. Run the script with the following command:
python3 main.py --aggregator-name MyAggregator

Where MyAggregator is the name of the AWS Config Aggregator you use.

  6. After running, the script generates a CSV file in the ./reports folder. You can open it in Excel or Google Sheets to review the data.
Report generated ./reports/Non_compliant_resources-2025-01-10.csv
['Non_compliant_resources-2025-01-10.csv']


The report will look like this:

With a few manual adjustments, it transforms into this:
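One way to fetch non-compliant resources from the aggregator and render them as CSV with console links, using the aggregate compliance APIs. This is an added example, not the code of the aws-config-reporter repository; the function names, the console URL layout in LINK and the FakeConfig stub with its constructed findings are assumptions.

```python
import csv
import io
from datetime import datetime, timezone
from urllib.parse import quote

# Assumption: console URL layout for a resource's AWS Config page.
LINK = ("https://{r}.console.aws.amazon.com/config/home?region={r}"
        "#/resources/details?resourceId={i}&resourceType={t}")

def pages(call, key, **kwargs):
    """Yield items from every page of a NextToken-paginated Config call."""
    page = call(**kwargs)
    yield from page.get(key, [])
    while token := page.get("NextToken"):
        page = call(NextToken=token, **kwargs)
        yield from page.get(key, [])

def build_report(cfg, aggregator):
    """Return CSV text: one line per non-compliant (rule, resource) pair."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["rule", "account", "region", "type", "id", "recorded", "link"])
    scope = {"ConfigurationAggregatorName": aggregator}
    for rule in pages(cfg.describe_aggregate_compliance_by_config_rules,
                      "AggregateComplianceByConfigRules",
                      Filters={"ComplianceType": "NON_COMPLIANT"}, **scope):
        name, acct, reg = rule["ConfigRuleName"], rule["AccountId"], rule["AwsRegion"]
        for ev in pages(cfg.get_aggregate_compliance_details_by_config_rule,
                        "AggregateEvaluationResults", ComplianceType="NON_COMPLIANT",
                        ConfigRuleName=name, AccountId=acct, AwsRegion=reg, **scope):
            res = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            rtype, rid = res["ResourceType"], res["ResourceId"]
            link = LINK.format(r=reg, i=quote(rid, safe=""), t=quote(rtype, safe=""))
            writer.writerow([name, acct, reg, rtype, rid,
                             ev["ResultRecordedTime"].isoformat(), link])
    return out.getvalue()

class FakeConfig:  # constructed stand-in for boto3.client("config")
    def describe_aggregate_compliance_by_config_rules(self, **kw):
        return {"AggregateComplianceByConfigRules": [{
            "ConfigRuleName": "s3-bucket-ssl-requests-only",
            "AccountId": "111122223333", "AwsRegion": "us-east-2"}]}
    def get_aggregate_compliance_details_by_config_rule(self, **kw):
        page = {"AggregateEvaluationResults": [{
            "ResultRecordedTime": datetime(2025, 1, 10, tzinfo=timezone.utc),
            "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ResourceType": "AWS::S3::Bucket",
                "ResourceId": "bucket-b" if "NextToken" in kw else "bucket-a"}}}]}
        return page if "NextToken" in kw else {**page, "NextToken": "p2"}
```

Calling build_report(boto3.client("config"), "MyAggregator") with real credentials returns the CSV text, which can then be written to a file under ./reports.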

Summary

With AWS Config and a bit of Python, you can automate compliance monitoring and reporting. This script helps you stay on top of non-compliant resources and take action faster. The script is also customizable, so you can tweak it to match your organization's needs.

The next level of automation may be configuring automated remediation, for example creating Jira tasks with predefined text based on the rules. This gives you the full potential to have completely automated compliance checks and reports. Automating these checks saves time, improves security, and makes audits way less stressful.

References

  • Automate AWS Config reporting for noncompliant resources that have been non-compliant for a period of time
  • AWS Config Aggregator Overview
Arsen Yushchenko
System Engineer
Software development company
