Why using the Root account for AWS config?

[Martinagsr]

Hello,

Is it a reason why the root account is used for the AWS Config Aggregator in the SEA?

Why isn't in the operation account?

Thank you

[Brian969]

Hi,

• When the ASEA code for config aggregators was written, AWS platform ONLY supported it in the root account. Allowing the aggregator account to be "designated" is a new feature we do not yet support.
• I would have placed the aggregator in the security/audit account along with all the other central security tooling/services, can you provide some feedback on why you think it should be operations account?
• If you believe this is important, we are tracking roadmap/enhancements using GitHub Issues - can you open an Issue "Enable moving config Aggregator to Securty and/or Ops account" and +1 it.

[Martinagsr]

Hi,

I agree for security account if oprational team don't ask to have access to inventory advanced requests of AWS Config. Security team can access tools in operation account, but operational team should not access security account.

Yes I will open an issue

Thank you

[Brian969]

v1.5.0 enables deploying an aggregator in any of the central-services accounts, shipping this week.