In my previous articles (parts 1 and 2), we explored the fundamentals of AWS Config and its role in maintaining compliance across AWS environments. Now we will take a step further: set up data aggregation with an AWS Config Aggregator and automate the compliance reporting process with a simple yet effective Python script. This article shows how to use AWS Config together with the boto3 library to identify non-compliant resources across multiple AWS regions. Automating this process streamlines security audits, reduces manual intervention, and supports a proactive compliance posture.
The script discussed here interacts with AWS Config Aggregator to fetch non-compliant resources and generates detailed reports with resource links. With minimal setup, you can implement this solution to monitor your AWS environment and request necessary actions based on the findings.
If you have resources spread across multiple AWS regions – or even multiple accounts – manually checking each one for compliance can be time-consuming and inefficient. Fortunately, AWS Config Aggregator simplifies this by collecting configuration data from all regions and accounts into a single, centralized view.
Let's take a quick look at how to configure and use an aggregator when you use multiple AWS regions in a single account:
First, go to the Aggregators page and click on the Create aggregator button to create your aggregator.
On the next page, check the box to enable data aggregation, enter a name for your aggregator, and use your account ID as the source (since the aggregator will be in the same account). Select all the regions where you have AWS Config Recorder enabled – in my case, that’s us-east-1, us-east-2, and us-west-1. Finally, click Create aggregator to complete the setup.
Now, if you open the aggregator page, you will see the Incomplete authorization status. To fix it, configure an authorization in each AWS region where you have a Config Recorder, so that the aggregator is allowed to collect data from that region.
Go to the Authorizations page in Aggregators and click Add authorization.
Set the AWS Account ID and Region where your aggregator was created, then click Add authorization to allow the aggregator to collect data from this region.
Now, on the Aggregator page, you should see OK in the Authorization status column.
Once the Aggregator is configured and authorized, you can choose it on the Aggregators page and see the resource inventory, compliance status, and Top 5 noncompliant rules.
Alternatively, you can use Advanced queries to query the necessary data across multiple regions. In the Query scope, choose the aggregator you created and write the query; for example, I need to get a list of instance types (with their counts) in each region:

```sql
SELECT
  configuration.instanceType,
  awsRegion,
  COUNT(*)
WHERE
  resourceType = 'AWS::EC2::Instance'
GROUP BY
  configuration.instanceType,
  awsRegion
```
To delete the aggregator, go to the Aggregators page, choose the aggregator, and click Delete in the Actions dropdown.
For more details on AWS Config Aggregators, check out the official AWS documentation: AWS Config Aggregator Overview.
My solution is heavily based on the following AWS sample: AWS Config Reporting for Non-Compliant Resources. That script automates reporting for resources that have remained non-compliant over a specified period. I made some tweaks to suit my needs better, such as adding severity levels, tracking remediation tasks, and including links to Jira tickets.

Run it with:

```bash
python3 main.py --aggregator-name MyAggregator
```

Where MyAggregator is the name of the AWS Config aggregator you use. The script prints the path of the generated report:

```text
Report generated ./reports/Non_compliant_resources-2025-01-10.csv
['Non_compliant_resources-2025-01-10.csv']
```
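The page does not reproduce the script itself, so here is an added example (my own code, not the author's script or the AWS sample) of the core logic: walk the aggregator's NON_COMPLIANT rule evaluations with the real boto3 Config client calls, attach a severity per rule, keep only findings that have been non-compliant for at least a given number of days, and write a dated CSV. The rule names in the severity map, the console URL pattern, the CSV columns and the fake responses used to exercise it are assumptions; boto3 is imported lazily inside `main()` so the report logic can run without AWS credentials.

```python
"""Added example: report NON_COMPLIANT resources seen through an AWS Config aggregator.
Rule names in SEVERITY_BY_RULE, the console URL pattern and the CSV layout are
assumptions; the two Config API calls are real boto3 client methods."""
import argparse
import csv
from datetime import date, datetime, timezone
from pathlib import Path

# Hypothetical severity map keyed by Config rule name (constructed example values).
SEVERITY_BY_RULE = {
    "s3-bucket-public-read-prohibited": "HIGH",
    "ec2-instance-no-public-ip": "MEDIUM",
}


def console_link(region, resource_type, resource_id):
    """Assumed AWS Config console URL pattern for a resource's detail page."""
    return (f"https://{region}.console.aws.amazon.com/config/home?region={region}"
            f"#/resources/details?resourceId={resource_id}&resourceType={resource_type}")


def _paged(call, key, **kwargs):
    """Follow NextToken until the Config API stops returning one."""
    token = None
    while True:
        if token:
            kwargs["NextToken"] = token
        response = call(**kwargs)
        yield from response.get(key, [])
        token = response.get("NextToken")
        if not token:
            return


def collect_rows(client, aggregator_name, min_age_days=0, now=None):
    """One dict per non-compliant resource; findings newer than min_age_days are skipped."""
    now = now or datetime.now(timezone.utc)
    rows = []
    rules = _paged(client.describe_aggregate_compliance_by_config_rules,
                   "AggregateComplianceByConfigRules",
                   ConfigurationAggregatorName=aggregator_name,
                   Filters={"ComplianceType": "NON_COMPLIANT"})
    for rule in rules:
        results = _paged(client.get_aggregate_compliance_details_by_config_rule,
                         "AggregateEvaluationResults",
                         ConfigurationAggregatorName=aggregator_name,
                         ConfigRuleName=rule["ConfigRuleName"],
                         AccountId=rule["AccountId"], AwsRegion=rule["AwsRegion"],
                         ComplianceType="NON_COMPLIANT")
        for result in results:
            ident = result["EvaluationResultIdentifier"]
            qualifier = ident["EvaluationResultQualifier"]
            # OrderingTimestamp is when the evaluated configuration was recorded,
            # so "now - OrderingTimestamp" approximates how long the finding has existed.
            age_days = (now - ident["OrderingTimestamp"]).days
            if age_days < min_age_days:
                continue
            rows.append({
                "account_id": rule["AccountId"],
                "region": rule["AwsRegion"],
                "rule": rule["ConfigRuleName"],
                "severity": SEVERITY_BY_RULE.get(rule["ConfigRuleName"], "LOW"),
                "resource_type": qualifier["ResourceType"],
                "resource_id": qualifier["ResourceId"],
                "non_compliant_days": age_days,
                "link": console_link(rule["AwsRegion"], qualifier["ResourceType"],
                                     qualifier["ResourceId"]),
                "jira_ticket": "",  # filled in by hand, or by a later automation step
            })
    return rows


def write_report(rows, out_dir="./reports", today=None):
    """Write rows to <out_dir>/Non_compliant_resources-YYYY-MM-DD.csv and return the path."""
    today = today or date.today()
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    path = out / f"Non_compliant_resources-{today.isoformat()}.csv"
    fields = ["account_id", "region", "rule", "severity", "resource_type",
              "resource_id", "non_compliant_days", "link", "jira_ticket"]
    with path.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(rows)
    return path


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--aggregator-name", required=True)
    parser.add_argument("--min-age-days", type=int, default=0)
    args = parser.parse_args()
    import boto3  # imported here so the report logic above is usable without AWS access
    client = boto3.client("config")  # region/profile come from your AWS CLI configuration
    rows = collect_rows(client, args.aggregator_name, args.min_age_days)
    print("Report generated", write_report(rows))


if __name__ == "__main__":
    main()
```

The client must be created in the region where the aggregator lives; the aggregator then returns findings for every authorized source region, which is why `region` and `account_id` are taken from each rule entry rather than from the client. Filtering on `--min-age-days` is what turns a noisy daily dump into a list of findings that nobody has remediated.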
The report will look like this:
With a few manual adjustments, it transforms into this:
With AWS Config and a bit of Python, you can automate compliance monitoring and reporting. This script helps you stay on top of non-compliant resources and take action faster. It is also customizable, so you can tweak it to match your organization's needs.
The next level of automation may be configuring automated remediation, for example creating Jira tasks with predefined text based on the rules. That gives you the full potential of completely automated compliance checks and reports. Automating these checks saves time, improves security, and makes audits far less stressful.