
Amazon Control Tower Aggregator

Amazon Control Tower Aggregator by Amazon Web Services (AWS) integrates with AWS Control Tower to synchronize EC2 instance data across the AWS accounts and regions that Control Tower governs, reading from the organization-wide AWS Config aggregator in the Audit account. You can bring this instance data from Amazon Control Tower into Brinqa to gain a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Amazon Control Tower and how to obtain that information from Amazon. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Amazon Control Tower Aggregator from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Amazon Control Tower with Brinqa:

  • Access key ID: The AWS Access Key ID for an IAM user in the Control Tower Audit Account with permissions to call config:SelectAggregateResourceConfig.

  • Secret access key: The AWS Secret Access Key associated with the Access Key ID above.

  • Region: The home region of the Audit Account where the Config Aggregator is deployed (e.g., us-east-1). This specifies where the aws-controltower-GuardrailsComplianceAggregator resides, not a filter on which regions to pull data from. The connector retrieves data from all regions governed by AWS Control Tower.

The connector authenticates with static AWS IAM credentials (Access Key ID + Secret Access Key). These are wrapped in an AwsBasicCredentials instance and supplied to the AWS Config SDK client through a StaticCredentialsProvider; every subsequent SelectAggregateResourceConfig call is signed with them. Because the key pair is long-lived, keep it only in the Brinqa credential store, scope the IAM user to the single read action described in the next section, and rotate the key on your organization's schedule.

Create an IAM user for Control Tower access

For the Amazon Control Tower Aggregator connector to query the Config Aggregator and retrieve EC2 instance data, you must provide specific AWS credentials and permissions. To create an IAM user, follow these steps:

  1. Log in to the AWS Management Console of the Control Tower Audit account as an administrator.

  2. Navigate to the Identity and Access Management (IAM) dashboard.

  3. From the navigation pane under Access management, click Users, and then click Create user.

  4. Provide a User name, leave the Provide user access to AWS Management Console option unchecked, and then click Next.

  5. Click the Attach policies directly option and then click Create policy.

  6. Click the JSON tab and paste the following minimum required policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "config:SelectAggregateResourceConfig"
          ],
          "Resource": "*"
        }
      ]
    }
  7. Click Next, provide a name for the policy, and then click Create policy.

  8. Back on the Add permissions page, search for and select the policy you just created, and then click Next.

  9. Click Create user.

Obtain access keys

After you have created an IAM user, generate the access keys that are required for the connector. To do so, follow these steps:

  1. Navigate to the IAM dashboard.

  2. From the navigation pane under Access management, click Users.

  3. Choose the IAM user you created in the earlier steps.

  4. Click the Security credentials tab and then click Create access key.

  5. Select the Application running outside AWS use case and then click Next.

  6. Provide a description and then click Create access key.

    The access key ID and secret access key display. The secret access key is shown only once and cannot be retrieved again, so copy the key and save it to a secure location.

note

If you do not have the permissions to create access keys, contact your AWS administrator. For additional information, see AWS documentation.
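The two procedures above (create the IAM user, then obtain its access key) scripted end to end, as an added example that is not Brinqa's or AWS's own code: it creates the user without a login profile (so no console access), attaches a customer-managed policy containing only config:SelectAggregateResourceConfig, issues one access key, and then proves the key works by making the same call the connector makes against the aggregator named on this page. The user and policy names are assumptions; boto3 is imported only for a real run in the Audit account, and the DryRunIam client is a constructed stand-in for running the script offline.

```python
"""Provision the least-privilege IAM user for the Amazon Control Tower Aggregator connector.

Added example, not Brinqa's or AWS's code. boto3 is imported only for a real run; the
DryRunIam client below is a constructed stand-in so the script can be exercised offline.
"""
import json
import sys

REQUIRED_ACTION = "config:SelectAggregateResourceConfig"  # the only permission the page requires
AGGREGATOR_NAME = "aws-controltower-GuardrailsComplianceAggregator"  # aggregator name from the page
USER_NAME = "brinqa-control-tower-aggregator"          # assumed; choose your own
POLICY_NAME = "BrinqaControlTowerAggregatorReadOnly"   # assumed; choose your own


def policy_document() -> dict:
    """The minimum policy from the page: one Allow for the query action and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": [REQUIRED_ACTION], "Resource": "*"}],
    }


def is_least_privilege(doc: dict) -> bool:
    """True when every Allow statement grants exactly REQUIRED_ACTION (catches config:* drift)."""
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow" and set(actions) != {REQUIRED_ACTION}:
            return False
    return True


def provision_connector_user(iam, user_name=USER_NAME, policy_name=POLICY_NAME) -> dict:
    """Create the user (no login profile, so no console access), create the customer-managed
    policy, attach it, and issue one access key. Returns the key pair; AWS shows the secret
    only once, so hand it straight to the Brinqa credential store."""
    doc = policy_document()
    if not is_least_privilege(doc):
        raise ValueError("refusing to attach a policy broader than the connector needs")
    iam.create_user(UserName=user_name)
    policy_arn = iam.create_policy(PolicyName=policy_name,
                                   PolicyDocument=json.dumps(doc))["Policy"]["Arn"]
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"policy_arn": policy_arn, "access_key_id": key["AccessKeyId"],
            "secret_access_key": key["SecretAccessKey"]}


def verify_connector_access(config_client, aggregator_name=AGGREGATOR_NAME) -> bool:
    """Smoke-test the key with the exact call the connector makes; Limit=1 keeps it cheap."""
    resp = config_client.select_aggregate_resource_config(
        Expression="SELECT resourceId WHERE resourceType = 'AWS::EC2::Instance'",
        ConfigurationAggregatorName=aggregator_name,
        Limit=1,
    )
    return "Results" in resp


class DryRunIam:
    """Constructed offline stand-in for the boto3 IAM client: records calls, returns fake IDs."""

    def __init__(self):
        self.calls = []

    def create_user(self, **kw):
        self.calls.append(("create_user", kw))
        return {"User": {"UserName": kw["UserName"]}}

    def create_policy(self, **kw):
        self.calls.append(("create_policy", kw))
        return {"Policy": {"Arn": f"arn:aws:iam::123456789012:policy/{kw['PolicyName']}"}}

    def attach_user_policy(self, **kw):
        self.calls.append(("attach_user_policy", kw))
        return {}

    def create_access_key(self, **kw):
        self.calls.append(("create_access_key", kw))
        return {"AccessKey": {"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "dry-run-secret"}}


if __name__ == "__main__":
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    home_region = positional[0] if positional else "us-east-1"  # where the aggregator lives
    if "--dry-run" in sys.argv:
        iam = DryRunIam()
        creds = provision_connector_user(iam)
        print("dry run, would call:", [name for name, _ in iam.calls])
    else:
        import boto3  # real run: needs an admin session in the Audit account

        creds = provision_connector_user(boto3.client("iam"))
        # Check with the new key, not the admin session, so the result reflects the
        # connector's own permissions. New keys can take a few seconds to propagate.
        cfg = boto3.client("config", region_name=home_region,
                           aws_access_key_id=creds["access_key_id"],
                           aws_secret_access_key=creds["secret_access_key"])
        print("aggregator query with new key:", verify_connector_access(cfg))
    print("Access key ID:", creds["access_key_id"])
```

Run it with `--dry-run` to see the call sequence without touching AWS, or with the aggregator's home region as the first argument (for example `python provision.py us-east-1`) under an administrator session in the Audit account. If the verification call fails immediately after key creation with an invalid-token error, wait a few seconds and rerun only the check: IAM key propagation is not instantaneous.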

Additional settings

The Amazon Control Tower Aggregator connector contains additional options for specific configuration:

  • Page size: The maximum number of records to request per API call. The default is 100, which is also the maximum the AWS Config SelectAggregateResourceConfig API accepts per page; do not set it higher.
  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

Types of data to retrieve

The Amazon Control Tower Aggregator connector can retrieve the following types of data from the AWS Config API:

Table 1: Data retrieved from Amazon Control Tower Aggregator

Connector Object | Required | Maps to Data Model
Instance         | Yes      | Host
info

The Amazon Control Tower Aggregator connector does not currently support operation options for the types of data it retrieves.

This connector does not support date-based incremental sync. Each sync retrieves all EC2 instances across all enrolled accounts and governed regions.

For detailed steps on how to view the data retrieved from Amazon Control Tower Aggregator in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the section below to view the mappings between the source and the Brinqa data model attributes.

Instance

Table 2: Instance attribute mappings

Source Field Name | SDM Attribute
Configuration.architecture | ARCHITECTURE
Configuration.hypervisor | HYPERVISOR
Configuration.imageId | IMAGE_ID
Configuration.instanceType | INSTANCE_TYPE
Configuration.kernelId | KERNEL_ID
Configuration.keyName | KEY_NAME
Configuration.launchTime | FIRST_SEEN
Configuration.launchTime | LAUNCH_TIME
Configuration.monitoring.state | MONITORING
Configuration.networkInterfaces.macAddress | MAC_ADDRESSES
Configuration.networkInterfaces.ownerId | OWNER_IDS
Configuration.networkInterfaces.privateIpAddress | IP_ADDRESSES
Configuration.networkInterfaces.privateIpAddress | PRIVATE_IP_ADDRESSES
Configuration.placement.availabilityZone | AVAILABILITY_ZONE
Configuration.platformDetails | OPERATING_SYSTEM
Configuration.privateDnsName | HOSTNAMES
Configuration.privateDnsName | PRIVATE_DNS_NAMES
Configuration.publicDnsName | PUBLIC_DNS_NAMES
Configuration.publicIpAddress | IP_ADDRESSES
Configuration.publicIpAddress | PUBLIC_IP_ADDRESSES
Configuration.ramDiskId | RAM_DISK_ID
Configuration.rootDeviceName | ROOT_DEVICE_NAME
Configuration.rootDeviceType | ROOT_DEVICE_TYPE
Configuration.securityGroups.groupName | SECURITY_GROUPS
Configuration.state.name | PROVIDER_STATUS
Configuration.state.name | SOURCE_STATUS
Configuration.stateTransitionReason | STATE_TRANSITION_REASON
Configuration.subnetId | SUBNET_ID
Configuration.tags | NAME
Configuration.tags | TAGS
Configuration.virtualizationType | VIRTUALIZATION_TYPE
Configuration.vpcId | VPC_ID
Generated (set to "AWS") | CLOUD_PROVIDER
Generated (set to "Host" and "Virtual Machine") | CATEGORIES
Generated (computed from platformDetails, instanceType, and architecture) | DESCRIPTION
Generated (sync capture timestamp) | LAST_CAPTURED
Generated (sync capture timestamp) | LAST_SEEN
Instance.awsRegion | REGION
Instance.resourceId | INSTANCE_ID
Instance.resourceId | UID

APIs

The Amazon Control Tower Aggregator connector uses the AWS Config API. Specifically, it uses the following endpoints:

Table 3: Amazon Control Tower Aggregator API endpoints

Connector Object | API Endpoint
Instance         | POST SelectAggregateResourceConfig

Changelog

The Amazon Control Tower Aggregator connector has undergone the following changes:

note

This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.

Table 4: Amazon Control Tower Aggregator connector changelog

Version | Description                   | Date Published
3.0.20  | Initial Integration+ release. | March 26th, 2026
note

This changelog will be updated as new versions are released. For the latest connector updates, see Integration+ connector releases.