aggregate-all-regions
Explanation
The configuration aggregator should be configured with all_regions for the source.
This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
Possible Impact
Sources that aren't covered by the aggregator are not include in the configuration
Suggested Resolution
Set the aggregator to cover all regions
Insecure Example
The following example will fail the aws-config-aggregate-all-regions check.
resource "aws_config_configuration_aggregator" "bad_example" {
name = "example"
account_aggregation_source {
account_ids = ["123456789012"]
regions = ["us-west-2", "eu-west-1"]
}
}
Secure Example
The following example will pass the aws-config-aggregate-all-regions check.
resource "aws_config_configuration_aggregator" "good_example" {
name = "example"
account_aggregation_source {
account_ids = ["123456789012"]
all_regions = true
}
}