diff --git a/aws_sra_examples/solutions/config/config_org/lambda/src/app.py b/aws_sra_examples/solutions/config/config_org/lambda/src/app.py
index 65fef0a0f..f71af8439 100644
--- a/aws_sra_examples/solutions/config/config_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/config/config_org/lambda/src/app.py
@@ -509,7 +509,10 @@ def orchestrator(event: Dict[str, Any], context: Any) -> None:
         event: event data
         context: runtime information
     """
-    if event.get("RequestType"):
+    if event.get("Terraform"):
+        LOGGER.info("...calling terraform handler...")
+        process_event_cloudformation(event, context)
+    elif event.get("RequestType"):
         LOGGER.info("...calling helper...")
         helper(event, context)
     elif event.get("Records") and event["Records"][0]["EventSource"] == "aws:sns":
diff --git a/aws_sra_examples/terraform/common/main.tf b/aws_sra_examples/terraform/common/main.tf
index f6988e0f4..ad4dff5ba 100644
--- a/aws_sra_examples/terraform/common/main.tf
+++ b/aws_sra_examples/terraform/common/main.tf
@@ -123,7 +123,8 @@ resource "local_file" "config_file_creation" {
     enable_cloudtrail_org      = false
     enable_iam_password_policy = false
     enable_inspector           = false
-    
+    enable_config_org          = false
+
     ########################################################################
     # Guard Duty Settings
     ########################################################################
diff --git a/aws_sra_examples/terraform/common/variables.tf b/aws_sra_examples/terraform/common/variables.tf
index 2c23b10b7..65706f3f5 100644
--- a/aws_sra_examples/terraform/common/variables.tf
+++ b/aws_sra_examples/terraform/common/variables.tf
@@ -2,9 +2,15 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 ########################################################################
+variable "account_region" {
+  type = string
+  description = "Default Account Region to deploy in"
+  default     = "us-east-1"
+}
+
 variable "control_tower" {
   description = "AWS Control Tower landing zone deployed/in-use"
-  default     = "true"
+  default     = "false"
 }
 
 variable "governed_regions" {
diff --git a/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf b/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf
index 50e76c05e..5386c375e 100644
--- a/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf
+++ b/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf
@@ -289,7 +289,7 @@ resource "aws_lambda_function" "cloudtrail_org_lambda_function" {
   #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
   #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
   #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
-  
+
   description   = "Creates an Organization CloudTrail"
   function_name = var.cloudtrail_lambda_function_name
   role          = aws_iam_role.cloudtrail_lambda_role.arn
diff --git a/aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf b/aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf
index d0153a966..20ca17c8c 100644
--- a/aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf
+++ b/aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf
@@ -144,7 +144,7 @@ resource "aws_s3_bucket_policy" "org_trail_bucket_policy" {
 resource "aws_secretsmanager_secret" "org_trail_s3_bucket_secret" {
   #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
   #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
-  
+
   count = var.sra_secrets_key_alias_arn != "" ? 1 : 0
 
   name        = "sra/cloudtrail_org_s3_bucket"
diff --git a/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/data.tf b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/main.tf b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/main.tf
new file mode 100644
index 000000000..1f2b81c1f
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/main.tf
@@ -0,0 +1,36 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+resource "aws_iam_role" "r_config_aggregator_role" {
+  name = var.p_aggregator_role_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "config.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+  ]
+
+  tags = {
+    "${var.p_sra_solution_name_key}" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_config_configuration_aggregator" "r_organization_config_aggregator" {
+  name = var.p_aggregator_name
+
+  account_aggregation_source {
+    account_ids = [data.aws_caller_identity.current.account_id]
+    all_regions = true
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/providers.tf b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/providers.tf
new file mode 100644
index 000000000..226f1ca46
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/providers.tf
@@ -0,0 +1,13 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/variables.tf b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/variables.tf
new file mode 100644
index 000000000..d8bb029ba
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/variables.tf
@@ -0,0 +1,27 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_aggregator_name" {
+  type        = string
+  description = "Config Aggregator Name"
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_aggregator_role_name" {
+  type        = string
+  description = "Config Aggregator Role Name"
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_sra_solution_name" {
+  type        = string
+  description = "The SRA solution name. The default value is the folder name of the solution"
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_sra_solution_name_key" {
+  type        = string
+  description = "The key used for tagging resources with the SRA solution name."
+  default     = "sra-solution"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration/data.tf b/aws_sra_examples/terraform/solutions/config_org/configuration/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration/invoke.tf b/aws_sra_examples/terraform/solutions/config_org/configuration/invoke.tf
new file mode 100644
index 000000000..d82ae53af
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration/invoke.tf
@@ -0,0 +1,31 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+resource "aws_lambda_invocation" "new_lambda_invoke" {
+  function_name = aws_lambda_function.r_config_org_lambda_function.function_name
+
+  input = jsonencode({
+    "Terraform" : "true",
+    "RequestType" : "Create",
+    "ResourceType" : "Custom::LambdaCustomResource",
+    "ResourceProperties" : {
+      "ServiceToken" : "${aws_lambda_function.r_config_org_lambda_function.arn}",
+      "AUDIT_ACCOUNT" : "${var.p_audit_account_id}",
+      "CONFIGURATION_ROLE_NAME" : "${var.p_config_configuration_role_name}",
+      "CONTROL_TOWER_REGIONS_ONLY" : "${var.p_control_tower_regions_only}",
+      "ENABLED_REGIONS" : "${var.p_enabled_regions}",
+      "ALL_SUPPORTED" : "${var.p_all_supported}",
+      "INCLUDE_GLOBAL_RESOURCE_TYPES" : "${var.p_include_global_resource_types}",
+      "DELIVERY_CHANNEL_NAME" : "${var.p_delivery_channel_name}",
+      "FREQUENCY" : "${var.p_frequency}",
+      "RESOURCE_TYPES" : "${var.p_resource_types}",
+      "RECORDER_NAME" : "${var.p_recorder_name}",
+      "KMS_KEY_SECRET_NAME" : "${var.p_kms_key_arn_secret_name}",
+      "HOME_REGION" : "${var.p_home_region}",
+      "SNS_TOPIC_ARN_FANOUT" : "${aws_sns_topic.r_config_org_topic.arn}",
+      "PUBLISHING_DESTINATION_BUCKET_ARN" : "arn:aws:s3:::${var.p_publishing_destination_bucket_name}"
+    }
+  })
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration/main.tf b/aws_sra_examples/terraform/solutions/config_org/configuration/main.tf
new file mode 100644
index 000000000..ee2978eeb
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration/main.tf
@@ -0,0 +1,479 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+locals {
+  graviton_regions = [
+    "ap-northeast-1",
+    "ap-south-1",
+    "ap-southeast-1",
+    "ap-southeast-2",
+    "eu-central-1",
+    "eu-west-1",
+    "eu-west-2",
+    "us-east-1",
+    "us-east-2",
+    "us-west-2",
+  ]
+  account_id = data.aws_caller_identity.current.account_id
+  region     = data.aws_region.current.name
+  src_path   = "${path.root}/../../solutions/config/config_org/lambda/src/"
+
+  compliance_frequency_single_day = var.p_compliance_frequency == 1
+  create_dlq_alarm                = var.p_sra_alarm_email != ""
+  create_lambda_log_group         = var.p_create_lambda_log_group == "true"
+  is_all_supported                = var.p_all_supported == "true"
+  use_graviton                    = contains(local.graviton_regions, data.aws_region.current.name)
+  use_kms_key                     = var.p_lambda_log_group_kms_key != ""
+  not_global_region_us_east_1     = var.p_current_region != "us-east-1"
+}
+
+resource "aws_cloudwatch_log_group" "r_config_org_lambda_log_group" {
+  count             = local.create_lambda_log_group ? 1 : 0
+  name              = "/aws/lambda/${var.p_config_org_lambda_function_name}"
+  retention_in_days = var.p_lambda_log_group_retention
+  kms_key_id        = local.use_kms_key != "" ? var.p_lambda_log_group_kms_key : null
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+########################################################################
+# Lambda Policies Documents
+########################################################################
+resource "aws_iam_role" "r_config_org_lambda_role" {
+  name = var.p_config_org_lambda_role_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = "sts:AssumeRole",
+        Effect = "Allow",
+        Principal = {
+          Service = ["lambda.amazonaws.com"]
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "sra_config_org_policy_organizations" {
+  name        = "sra-config-org-policy-organizations"
+  description = "IAM policy for Macie Org Lambda Organizations"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "OrganizationsReadAccess"
+        Effect = "Allow"
+        Action = [
+          "organizations:DescribeAccount",
+          "organizations:ListAccounts"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "ssm_access" {
+  name        = "ssm-access"
+  description = "IAM policy for SSM access"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ssm:GetParameter",
+          "ssm:GetParameters"
+        ],
+        Resource = [
+          "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/sra*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "sra_config_org_policy_sns" {
+  name        = "sra-config-org-policy-sns"
+  description = "IAM policy for SNS access"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "SNSPublish"
+        Effect = "Allow"
+        Action = [
+          "sns:Publish",
+          "sns:PublishBatch"
+        ],
+        Resource = aws_sns_topic.r_config_org_topic.arn
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "sra_config_org_policy_iam" {
+  name        = "sra-config-org-policy-iam-lambda"
+  description = "IAM policy for IAM access"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "AssumeRole"
+        Effect = "Allow"
+        Action = ["sts:AssumeRole"]
+        Condition = {
+          StringEquals = {
+            "aws:PrincipalOrgId" = var.p_organization_id
+          }
+        },
+        Resource = [
+          "arn:aws:iam::*:role/${var.p_config_configuration_role_name}"
+        ]
+      },
+      {
+        Sid      = "AllowReadIamActions"
+        Effect   = "Allow"
+        Action   = ["iam:GetRole"]
+        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*"
+      },
+      {
+        Sid    = "AllowCreateServiceLinkedRole"
+        Effect = "Allow"
+        Action = ["iam:CreateServiceLinkedRole"]
+        Condition = {
+          StringLike = {
+            "iam:AWSServiceName" = "config.amazonaws.com"
+          }
+        },
+        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
+      },
+      {
+        Sid      = "AllowPolicyActions"
+        Effect   = "Allow"
+        Action   = ["iam:PutRolePolicy"]
+        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "sra_config_org_policy_logs" {
+  name        = "sra-config-org-policy-logs"
+  description = "IAM policy for logs access"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "CreateLogGroupAndEvents"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.p_config_org_lambda_function_name}:log-stream:*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "sra_config_org_policy_sqs" {
+  name        = "sra-config-org-policy-sqs"
+  description = "IAM policy for SQS access"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid      = "SQSSendMessage"
+        Effect   = "Allow"
+        Action   = ["sqs:SendMessage"],
+        Resource = aws_sqs_queue.r_config_org_dlq.arn
+      }
+    ]
+  })
+}
+
+########################################################################
+# Policy Attachment
+########################################################################
+resource "aws_iam_role_policy_attachment" "r_config_org_lambda_role_organizations" {
+  role       = aws_iam_role.r_config_org_lambda_role.name
+  policy_arn = aws_iam_policy.sra_config_org_policy_organizations.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_lambda_role_ssm_access" {
+  role       = aws_iam_role.r_config_org_lambda_role.name
+  policy_arn = aws_iam_policy.ssm_access.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_lambda_role_sns" {
+  role       = aws_iam_role.r_config_org_lambda_role.name
+  policy_arn = aws_iam_policy.sra_config_org_policy_sns.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_lambda_role_iam" {
+  role       = aws_iam_role.r_config_org_lambda_role.name
+  policy_arn = aws_iam_policy.sra_config_org_policy_iam.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_lambda_role_logs" {
+  role       = aws_iam_role.r_config_org_lambda_role.name
+  policy_arn = aws_iam_policy.sra_config_org_policy_logs.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_lambda_role_sqs" {
+  role       = aws_iam_role.r_config_org_lambda_role.name
+  policy_arn = aws_iam_policy.sra_config_org_policy_sqs.arn
+}
+
+########################################################################
+# Lambda Function
+########################################################################
+data "archive_file" "hash_check" {
+  type        = "zip"
+  source_dir  = local.src_path
+  output_path = "${path.module}/lambda/lambda_function.zip"
+  excludes    = ["lambda_function.zip, data.zip"]
+}
+
+resource "null_resource" "package_lambda" {
+  triggers = {
+    src_hash = "${data.archive_file.hash_check.output_sha}"
+  }
+
+  provisioner "local-exec" {
+    command = <<EOF
+    rm -rf ${path.module}/lambda/package && mkdir ${path.module}/lambda/package
+    python3 -m pip install -r ${local.src_path}requirements.txt -t ${path.module}/lambda/package
+    cp ${local.src_path}*.py ${path.module}/lambda/package/
+    cd ${path.module}/lambda/package
+    zip -r ../lambda_function.zip .
+    EOF
+  }
+}
+
+data "archive_file" "zipped_lambda" {
+  depends_on  = [null_resource.package_lambda]
+  type        = "zip"
+  source_dir  = "${path.module}/lambda/package"
+  output_path = "${path.module}/lambda/lambda_function.zip"
+  excludes    = ["lambda_function.zip, data.zip"]
+}
+
+resource "aws_lambda_function" "r_config_org_lambda_function" {
+  #checkov:skip=CKV_AWS_272: Ensure AWS Lambda function is configured to validate code-signing
+  #checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) 
+  #checkov:skip=CKV_AWS_173: Check encryption settings for Lambda environment variable
+  #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+  #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
+  #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
+
+  function_name = var.p_config_org_lambda_function_name
+  description   = "configure Config for the Organization"
+  role          = aws_iam_role.r_config_org_lambda_role.arn
+  handler       = "app.lambda_handler"
+  memory_size   = 512
+  runtime       = "python3.9"
+  timeout       = 900
+
+  source_code_hash = data.archive_file.zipped_lambda.output_base64sha256
+  filename         = data.archive_file.zipped_lambda.output_path
+
+  dead_letter_config {
+    target_arn = aws_sqs_queue.r_config_org_dlq.arn
+  }
+
+  environment {
+    variables = {
+      AUDIT_ACCOUNT                     = var.p_audit_account_id
+      LOG_LEVEL                         = var.p_lambda_log_level
+      AWS_PARTITION                     = data.aws_partition.current.partition
+      CONFIGURATION_ROLE_NAME           = var.p_config_configuration_role_name
+      CONTROL_TOWER_REGIONS_ONLY        = var.p_control_tower_regions_only
+      ENABLED_REGIONS                   = var.p_enabled_regions
+      ALL_SUPPORTED                     = var.p_all_supported
+      INCLUDE_GLOBAL_RESOURCE_TYPES     = var.p_include_global_resource_types
+      FREQUENCY                         = var.p_frequency
+      RESOURCE_TYPES                    = var.p_resource_types == "" ? null : var.p_resource_types
+      DELIVERY_S3_KEY_PREFIX            = var.p_delivery_s3_key_prefix
+      S3_BUCKET_NAME                    = "${var.p_config_org_delivery_bucket_prefix}-${var.p_log_archive_account_id}-${var.p_home_region}"
+      DELIVERY_CHANNEL_NAME             = var.p_delivery_channel_name
+      CONFIG_TOPIC_NAME                 = var.p_config_topic_name
+      RECORDER_NAME                     = var.p_recorder_name
+      KMS_KEY_SECRET_NAME               = var.p_kms_key_arn_secret_name
+      HOME_REGION                       = var.p_home_region
+      SNS_TOPIC_ARN_FANOUT              = aws_sns_topic.r_config_org_topic.arn
+      PUBLISHING_DESTINATION_BUCKET_ARN = "arn:${data.aws_partition.current.partition}:s3:::${var.p_publishing_destination_bucket_name}"
+    }
+  }
+}
+
+resource "aws_lambda_permission" "r_config_org_topic_lambda_permission" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.r_config_org_lambda_function.arn
+  principal     = "sns.amazonaws.com"
+  source_arn    = aws_sns_topic.r_config_org_topic.arn
+}
+
+resource "aws_sns_topic" "r_config_org_topic" {
+  display_name      = "${var.p_sra_solution_name}-configuration"
+  kms_master_key_id = "alias/aws/sns"
+  tags = {
+    "sra-solution" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_sns_topic_subscription" "r_config_org_topic_subscription" {
+  endpoint  = aws_lambda_function.r_config_org_lambda_function.arn
+  protocol  = "lambda"
+  topic_arn = aws_sns_topic.r_config_org_topic.arn
+}
+
+resource "aws_sqs_queue" "r_config_org_dlq" {
+  name                      = "${var.p_sra_solution_name}-dlq"
+  kms_master_key_id         = "alias/aws/sqs"
+  message_retention_seconds = 345600
+
+  lifecycle {
+    prevent_destroy       = false
+    create_before_destroy = true
+  }
+}
+
+resource "aws_sqs_queue_policy" "r_config_org_dlq_policy" {
+  queue_url = aws_sqs_queue.r_config_org_dlq.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "SQS:SendMessage",
+      Condition = {
+        ArnEquals = {
+          "aws:SourceArn" = aws_lambda_function.r_config_org_lambda_function.arn
+        }
+      },
+      Effect = "Allow",
+      Principal = {
+        Service = "events.amazonaws.com"
+      },
+      Resource = aws_sqs_queue.r_config_org_dlq.arn
+    }]
+  })
+}
+
+resource "aws_sns_topic" "r_config_org_dlq_alarm_topic" {
+  count             = var.p_sra_alarm_email != "" ? 1 : 0
+  display_name      = "${var.p_sra_solution_name}-dlq-alarm"
+  kms_master_key_id = "alias/aws/sns"
+  name              = "${var.p_sra_solution_name}-dlq-alarm"
+}
+
+resource "aws_sns_topic_subscription" "r_config_org_dlq_alarm_topic_subscription" {
+  count     = var.p_sra_alarm_email != "" ? 1 : 0
+  endpoint  = var.p_sra_alarm_email
+  protocol  = "email"
+  topic_arn = aws_sns_topic.r_config_org_dlq_alarm_topic[0].arn
+}
+
+resource "aws_cloudwatch_metric_alarm" "r_config_org_dlq_alarm" {
+  count                     = var.p_sra_alarm_email != "" ? 1 : 0
+  alarm_name                = "SRA DLQ alarm if the queue depth is 1"
+  comparison_operator       = "GreaterThanThreshold"
+  evaluation_periods        = 1
+  metric_name               = "ApproximateNumberOfMessagesVisible"
+  namespace                 = "AWS/SQS"
+  period                    = 300
+  statistic                 = "Sum"
+  threshold                 = 1
+  alarm_description         = "SRA DLQ alarm if the queue depth is 1"
+  alarm_actions             = [aws_sns_topic.r_config_org_dlq_alarm_topic[0].arn]
+  insufficient_data_actions = [aws_sns_topic.r_config_org_dlq_alarm_topic[0].arn]
+
+  dimensions = {
+    QueueName = aws_sqs_queue.r_config_org_dlq.name
+  }
+}
+
+resource "aws_cloudwatch_event_rule" "r_scheduled_compliance_rule" {
+  name                = "${var.p_control_tower_life_cycle_rule_name}-organization-compliance"
+  description         = "SRA Config Trigger for scheduled organization compliance"
+  schedule_expression = local.compliance_frequency_single_day ? "rate(${var.p_compliance_frequency} day)" : "rate(${var.p_compliance_frequency} days)"
+  state               = "ENABLED"
+}
+
+resource "aws_cloudwatch_event_target" "r_scheduled_compliance_rule_target" {
+  rule      = aws_cloudwatch_event_rule.r_scheduled_compliance_rule.name
+  target_id = var.p_config_org_lambda_function_name
+  arn       = aws_lambda_function.r_config_org_lambda_function.arn
+}
+
+resource "aws_lambda_permission" "r_permission_for_scheduled_compliance_rule_to_invoke_lambda" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.r_config_org_lambda_function.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.r_scheduled_compliance_rule.arn
+}
+
+resource "aws_iam_role" "r_cross_region_event_rule_role" {
+  count = local.not_global_region_us_east_1 ? 1 : 0
+
+  name = var.p_event_rule_role_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = "sts:AssumeRole",
+        Principal = {
+          Service = "events.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "sra-account-org-config-policy-events"
+    policy = jsonencode({
+      Version = "2012-10-17",
+      Statement = [
+        {
+          Effect   = "Allow",
+          Action   = "events:PutEvents",
+          Resource = "arn:${data.aws_partition.current.partition}:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:event-bus/default"
+        }
+      ]
+    })
+  }
+}
+
+resource "aws_cloudwatch_event_rule" "r_organizations_rule" {
+  name        = "${var.p_control_tower_life_cycle_rule_name}-org-update"
+  description = "SRA Config Trigger on Organizations update"
+  event_pattern = jsonencode({
+    source        = ["aws.organizations"],
+    "detail-type" = ["AWS Service Event via CloudTrail", "AWS API Call via CloudTrail"],
+    detail = {
+      eventSource = ["organizations.amazonaws.com"],
+      eventName   = ["AcceptHandshake", "CreateAccountResult"]
+    }
+  })
+  state = "ENABLED"
+}
+
+resource "aws_cloudwatch_event_target" "r_organizations_rule_target" {
+  rule      = aws_cloudwatch_event_rule.r_organizations_rule.name
+  target_id = var.p_config_org_lambda_function_name
+  arn       = aws_lambda_function.r_config_org_lambda_function.arn
+}
+
+resource "aws_lambda_permission" "r_permission_for_organizations_rule_to_invoke_lambda" {
+  statement_id  = "AllowExecutionFromOrganizations"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.r_config_org_lambda_function.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.r_organizations_rule.arn
+}
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration/providers.tf b/aws_sra_examples/terraform/solutions/config_org/configuration/providers.tf
new file mode 100644
index 000000000..30cfbfd12
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration/providers.tf
@@ -0,0 +1,14 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+      #configuration_aliases = [aws.main, aws.management, aws.log_archive]
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration/variables.tf b/aws_sra_examples/terraform/solutions/config_org/configuration/variables.tf
new file mode 100644
index 000000000..faed7eea2
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration/variables.tf
@@ -0,0 +1,181 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_sra_solution_name" {
+  description = "SRA Solution Name"
+  type        = string
+  default     = "sra-config-org"
+}
+
+variable "p_audit_account_id" {
+  description = "AWS Account ID of the Audit (Security Tooling) account."
+  type        = string
+}
+
+variable "p_log_archive_account_id" {
+  description = "AWS Account ID of the Log Archive account."
+  type        = string
+}
+
+variable "p_organization_id" {
+  description = "AWS Organizations ID"
+  type        = string
+}
+
+variable "p_home_region" {
+  description = "Name of the home region"
+  type        = string
+}
+
+variable "p_current_region" {
+  description = "Current Region"
+  type        = string
+}
+
+variable "p_sra_alarm_email" {
+  description = "(Optional) Email address for receiving DLQ alarms"
+  type        = string
+  default     = ""
+}
+
+variable "p_kms_key_arn" {
+  description = "Logging S3 bucket KMS Key ARN"
+  type        = string
+}
+
+variable "p_recorder_name" {
+  description = "Config delivery s3 bucket name"
+  type        = string
+  default     = "sra-ConfigRecorder"
+}
+
+variable "p_all_supported" {
+  description = "Indicates whether to record all supported resource types. If set to 'false', then the 'Resource Types' parameter must have a value."
+  type        = string
+  default     = "true"
+}
+
+variable "p_include_global_resource_types" {
+  description = "Indicates whether AWS Config records all supported global resource types."
+  type        = string
+  default     = "true"
+}
+
+variable "p_resource_types" {
+  description = "(Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is set to 'false', then this parameter becomes required."
+  type        = string
+  default     = ""
+}
+
+variable "p_frequency" {
+  description = "The frequency with which AWS Config delivers configuration snapshots. (One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours)"
+  type        = string
+  default     = "One_Hour"
+}
+
+variable "p_config_org_delivery_bucket_prefix" {
+  description = "Config Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-config-delivery-123456789012-us-east-1"
+  type        = string
+  default     = "sra-config-org-delivery"
+}
+
+variable "p_publishing_destination_bucket_name" {
+  description = "Config S3 bucket name"
+  type        = string
+}
+
+variable "p_delivery_s3_key_prefix" {
+  description = "Organization ID to use as the S3 Key prefix for storing the audit logs"
+  type        = string
+}
+
+variable "p_delivery_channel_name" {
+  description = "Config delivery channel name"
+  type        = string
+  default     = "sra-config-s3-delivery"
+}
+
+variable "p_config_topic_name" {
+  description = "Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to."
+  type        = string
+  default     = "sra-ConfigNotifications"
+}
+
+variable "p_kms_key_arn_secret_name" {
+  description = "Secrets Manager secret name"
+  type        = string
+  default     = "sra/config_org_delivery_key_arn"
+}
+
+variable "p_config_org_lambda_role_name" {
+  description = "Config configuration Lambda role name"
+  type        = string
+  default     = "sra-config-org-lambda"
+}
+
+variable "p_config_org_lambda_function_name" {
+  description = "Lambda function name"
+  type        = string
+  default     = "sra-config-org"
+}
+
+variable "p_config_configuration_role_name" {
+  description = "Config Configuration role to assume"
+  type        = string
+  default     = "sra-config-configuration"
+}
+
+variable "p_control_tower_regions_only" {
+  description = "Only enable in the Control Tower governed regions"
+  type        = string
+  default     = "true"
+}
+
+variable "p_enabled_regions" {
+  description = "(Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions."
+  type        = string
+  default     = ""
+}
+
+variable "p_create_lambda_log_group" {
+  description = "Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption."
+  type        = string
+  default     = "false"
+}
+
+variable "p_lambda_log_group_retention" {
+  description = "Specifies the number of days you want to retain log events"
+  type        = string
+  default     = 14
+}
+
+variable "p_lambda_log_group_kms_key" {
+  description = "(Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys."
+  type        = string
+  default     = ""
+}
+
+variable "p_lambda_log_level" {
+  description = "Lambda Function Logging Level"
+  type        = string
+  default     = "INFO"
+}
+
+variable "p_compliance_frequency" {
+  description = "Frequency (in days between 1 and 30, default is 7) to check organizational compliance"
+  type        = number
+  default     = 7
+}
+
+variable "p_control_tower_life_cycle_rule_name" {
+  description = "The name of the AWS Control Tower Life Cycle Rule."
+  type        = string
+  default     = "sra-config-org-trigger"
+}
+
+variable "p_event_rule_role_name" {
+  description = "Event rule role name for putting events on the home region event bus"
+  type        = string
+  default     = "sra-config-global-events"
+}
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration_role/data.tf b/aws_sra_examples/terraform/solutions/config_org/configuration_role/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration_role/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration_role/main.tf b/aws_sra_examples/terraform/solutions/config_org/configuration_role/main.tf
new file mode 100644
index 000000000..6e3448ad0
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration_role/main.tf
@@ -0,0 +1,147 @@
+resource "aws_iam_role" "r_config_recorder_role" {
+  name               = var.p_config_configuration_role_name
+  assume_role_policy = data.aws_iam_policy_document.r_config_recorder_assume_role_policy.json
+
+  tags = {
+    "${var.p_sra_solution_tag_key}" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_iam_policy" "r_config_org_policy_iam" {
+  name   = "sra-config-org-policy-iam"
+  policy = data.aws_iam_policy_document.r_config_org_policy_iam.json
+}
+
+resource "aws_iam_policy" "r_config_org_policy_config" {
+  name   = "sra-config-org-policy-config"
+  policy = data.aws_iam_policy_document.r_config_org_policy_config.json
+}
+
+resource "aws_iam_policy" "r_config_org_policy_secrets_manager" {
+  name   = "sra-config-org-policy-secrets-manager"
+  policy = data.aws_iam_policy_document.r_config_org_policy_secrets_manager.json
+}
+
+resource "aws_iam_policy" "r_config_org_policy_kms" {
+  name   = "sra-config-org-policy-kms"
+  policy = data.aws_iam_policy_document.r_config_org_policy_kms.json
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_attach_iam" {
+  role       = aws_iam_role.r_config_recorder_role.name
+  policy_arn = aws_iam_policy.r_config_org_policy_iam.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_attach_config" {
+  role       = aws_iam_role.r_config_recorder_role.name
+  policy_arn = aws_iam_policy.r_config_org_policy_config.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_attach_secrets_manager" {
+  role       = aws_iam_role.r_config_recorder_role.name
+  policy_arn = aws_iam_policy.r_config_org_policy_secrets_manager.arn
+}
+
+resource "aws_iam_role_policy_attachment" "r_config_org_attach_kms" {
+  role       = aws_iam_role.r_config_recorder_role.name
+  policy_arn = aws_iam_policy.r_config_org_policy_kms.arn
+}
+
+data "aws_iam_policy_document" "r_config_recorder_assume_role_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.p_management_account_id}:root"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:PrincipalArn"
+      values   = ["arn:aws:iam::${var.p_management_account_id}:role/${var.p_config_org_lambda_role_name}"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "r_config_org_policy_iam" {
+  statement {
+    sid       = "AllowReadIamActions"
+    effect    = "Allow"
+    actions   = ["iam:GetRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*"]
+  }
+
+  statement {
+    sid       = "AllowIamPassRole"
+    effect    = "Allow"
+    actions   = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"]
+  }
+
+  statement {
+    sid     = "AllowCreateServiceLinkedRole"
+    effect  = "Allow"
+    actions = ["iam:CreateServiceLinkedRole"]
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values   = ["config.amazonaws.com"]
+    }
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"]
+  }
+
+  statement {
+    sid       = "AllowDeleteServiceLinkRole"
+    effect    = "Allow"
+    actions   = ["iam:DeleteServiceLinkedRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"]
+  }
+}
+
+data "aws_iam_policy_document" "r_config_org_policy_config" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "config:DeleteDeliveryChannel",
+      "config:DescribeConfigurationRecorders",
+      "config:DescribeDeliveryChannels",
+      "config:StartConfigurationRecorder",
+      "config:PutDeliveryChannel",
+      "config:DeleteConfigurationRecorder",
+      "config:DescribeConfigurationRecorderStatus",
+      "config:PutConfigurationRecorder"
+    ]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "r_config_org_policy_secrets_manager" {
+  statement {
+    effect  = "Allow"
+    actions = ["secretsmanager:GetSecretValue"]
+    condition {
+      test     = "StringLike"
+      variable = "aws:PrincipalAccount"
+      values   = [var.p_audit_account_id]
+    }
+    resources = ["arn:aws:secretsmanager:${var.p_home_region}:${var.p_audit_account_id}:secret:${var.p_kms_key_arn_secret_name}*"]
+  }
+}
+
+data "aws_iam_policy_document" "r_config_org_policy_kms" {
+  statement {
+    effect  = "Allow"
+    actions = ["kms:Decrypt"]
+    condition {
+      test     = "StringLike"
+      variable = "aws:PrincipalAccount"
+      values   = [var.p_audit_account_id]
+    }
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "kms:ResourceAliases"
+      values   = ["alias/sra-secrets-key"]
+    }
+    resources = ["*"]
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration_role/providers.tf b/aws_sra_examples/terraform/solutions/config_org/configuration_role/providers.tf
new file mode 100644
index 000000000..30cfbfd12
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration_role/providers.tf
@@ -0,0 +1,14 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+      #configuration_aliases = [aws.main, aws.management, aws.log_archive]
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/configuration_role/variables.tf b/aws_sra_examples/terraform/solutions/config_org/configuration_role/variables.tf
new file mode 100644
index 000000000..0d0eec073
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/configuration_role/variables.tf
@@ -0,0 +1,48 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_sra_solution_name" {
+  description = "SRA Solution Name"
+  type        = string
+  default     = "sra-config-org"
+}
+
+variable "p_config_configuration_role_name" {
+  type        = string
+  description = "Config Configuration IAM Role Name"
+  default     = "sra-config-configuration"
+}
+
+variable "p_config_org_lambda_role_name" {
+  type        = string
+  description = "Lambda Role Name"
+  default     = "sra-config-org-lambda"
+}
+
+variable "p_management_account_id" {
+  type        = string
+  description = "Organization Management Account ID"
+}
+
+variable "p_sra_solution_tag_key" {
+  type        = string
+  description = "The SRA solution tag key applied to all resources created by the solution that support tagging."
+  default     = "sra-solution"
+}
+
+variable "p_audit_account_id" {
+  type        = string
+  description = "AWS Account ID of the Audit account."
+}
+
+variable "p_home_region" {
+  type        = string
+  description = "Name of the home region"
+}
+
+variable "p_kms_key_arn_secret_name" {
+  type        = string
+  description = "Secrets Manager secret name"
+  default     = "sra/config_org_delivery_key_arn"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/data.tf b/aws_sra_examples/terraform/solutions/config_org/data.tf
new file mode 100644
index 000000000..b9bcf7772
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/data.tf
@@ -0,0 +1,14 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {
+  provider = aws.main
+}
+data "aws_caller_identity" "current" {
+  provider = aws.main
+}
+data "aws_region" "current" {
+  provider = aws.main
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/data.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/main.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/main.tf
new file mode 100644
index 000000000..24af28fd9
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/main.tf
@@ -0,0 +1,134 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+resource "aws_kms_key" "r_config_delivery_key" {
+  description         = "SRA Config Delivery Key"
+  enable_key_rotation = true
+
+  policy = data.aws_iam_policy_document.r_config_delivery_key_policy.json
+
+  tags = {
+    "${var.p_sra_solution_name_key}" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_kms_alias" "r_config_delivery_key_alias" {
+  name          = "alias/${var.p_config_org_delivery_key_alias}"
+  target_key_id = aws_kms_key.r_config_delivery_key.key_id
+}
+
+resource "aws_secretsmanager_secret" "r_config_delivery_key_secret" {
+  #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
+  #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
+
+  name        = "sra/config_org_delivery_key_arn"
+  description = "Config Delivery KMS Key ARN"
+
+  tags = {
+    "sra-solution" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "r_config_delivery_key_secret_version" {
+  secret_id = aws_secretsmanager_secret.r_config_delivery_key_secret.id
+
+  secret_string = jsonencode({
+    ConfigDeliveryKeyArn = aws_kms_key.r_config_delivery_key.arn
+  })
+}
+
+resource "aws_secretsmanager_secret_policy" "r_config_delivery_key_secret_policy" {
+  secret_arn = aws_secretsmanager_secret.r_config_delivery_key_secret.arn
+  policy     = data.aws_iam_policy_document.r_config_delivery_key_secret_policy.json
+}
+
+data "aws_iam_policy_document" "r_config_delivery_key_policy" {
+  statement {
+    sid       = "EnableIAMUserPermissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  statement {
+    sid       = "AllowConfigToEncryptLogs"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey"]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+  }
+
+  statement {
+    sid     = "AllowAliasCreationDuringSetup"
+    effect  = "Allow"
+    actions = ["kms:CreateAlias"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = ["${data.aws_caller_identity.current.account_id}"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["cloudformation.${data.aws_region.current.name}.amazonaws.com"]
+    }
+  }
+
+  statement {
+    sid       = "AllowLogArchiveAndManagementAccountAccess"
+    effect    = "Allow"
+    actions   = ["kms:Decrypt"]
+    resources = ["*"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.p_log_archive_account_id}:root",
+        "arn:aws:iam::${var.p_management_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowAccountAccess"
+    effect = "Allow"
+    actions = [
+      "kms:DescribeKey",
+      "kms:Decrypt"
+    ]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "r_config_delivery_key_secret_policy" {
+  statement {
+    actions   = ["secretsmanager:GetSecretValue"]
+    effect    = "Allow"
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.p_management_account_id}:root"]
+    }
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "secretsmanager:VersionStage"
+      values   = ["AWSCURRENT"]
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/output.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/output.tf
new file mode 100644
index 000000000..f42edb6f7
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/output.tf
@@ -0,0 +1,4 @@
+output "config_delivery_kms_key_arn" {
+  description = "ARN of the KMS Key used for Config delivery encryption"
+  value       = aws_kms_key.r_config_delivery_key.arn
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/providers.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/providers.tf
new file mode 100644
index 000000000..226f1ca46
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/providers.tf
@@ -0,0 +1,13 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/variables.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/variables.tf
new file mode 100644
index 000000000..8c0529b4a
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_kms_key/variables.tf
@@ -0,0 +1,37 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_config_org_delivery_key_alias" {
+  type        = string
+  description = "Config Delivery KMS Key Alias"
+  default     = "sra-config-org-delivery-key"
+}
+
+variable "p_log_archive_account_id" {
+  type        = string
+  description = "AWS Account ID of the Log Archive account."
+}
+
+variable "p_management_account_id" {
+  type        = string
+  description = "Management Account ID"
+}
+
+variable "p_sras_secrets_key_alias_arn" {
+  type        = string
+  description = "(Optional) SRA Secrets Manager KMS Key Alias ARN"
+  default     = ""
+}
+
+variable "p_sra_solution_name" {
+  type        = string
+  description = "The SRA solution name. The default value is the folder name of the solution"
+  default     = "sra-config-org"
+}
+
+variable "p_sra_solution_name_key" {
+  type        = string
+  description = "The key used for tagging resources with the SRA solution name."
+  default     = "sra-solution"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/data.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/main.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/main.tf
new file mode 100644
index 000000000..c34b2b93c
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/main.tf
@@ -0,0 +1,116 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+resource "aws_s3_bucket" "r_config_delivery_s3_bucket" {
+  #checkov:skip=CKV2_AWS_61: Ensure that an S3 bucket has a lifecycle configuration
+  #checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled
+  #checkov:skip=CKV2_AWS_62: Ensure S3 buckets should have event notifications enabled
+  #checkov:skip=CKV_AWS_144: Ensure that S3 bucket has cross-region replication enabled
+  bucket = "${var.p_config_org_delivery_bucket_prefix}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
+
+  tags = {
+    "sra-solution" = var.p_sra_solution_name
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "r_config_delivery_s3_bucket" {
+  bucket = aws_s3_bucket.r_config_delivery_s3_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.p_config_org_delivery_kms_key_arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "r_config_delivery_s3_bucket" {
+  bucket = aws_s3_bucket.r_config_delivery_s3_bucket.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "r_config_delivery_s3_bucket" {
+  bucket = aws_s3_bucket.r_config_delivery_s3_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "r_config_delivery_s3_bucket" {
+  #checkov:skip=CKV2_AWS_65: Ensure access control lists for S3 buckets are disabled
+  bucket = aws_s3_bucket.r_config_delivery_s3_bucket.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_policy" "r_config_s3_bucket_policy" {
+  bucket = aws_s3_bucket.r_config_delivery_s3_bucket.id
+
+  policy = data.aws_iam_policy_document.r_config_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "r_config_s3_bucket_policy" {
+  statement {
+    sid    = "AllowSSLRequestsOnly"
+    effect = "Deny"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = ["s3:*"]
+    resources = [
+      "${aws_s3_bucket.r_config_delivery_s3_bucket.arn}",
+      "${aws_s3_bucket.r_config_delivery_s3_bucket.arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+
+  statement {
+    sid    = "AWSBucketPermissionsCheck"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+    actions   = ["s3:GetBucketAcl"]
+    resources = ["${aws_s3_bucket.r_config_delivery_s3_bucket.arn}"]
+  }
+
+  statement {
+    sid    = "AWSConfigBucketExistenceCheck"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+    actions   = ["s3:ListBucket"]
+    resources = ["${aws_s3_bucket.r_config_delivery_s3_bucket.arn}"]
+  }
+
+  statement {
+    sid    = "AWSBucketDeliveryForConfig"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.r_config_delivery_s3_bucket.arn}/${var.p_organization_id}/AWSLogs/*/*"]
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/output.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/output.tf
new file mode 100644
index 000000000..2016a2e9f
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/output.tf
@@ -0,0 +1,7 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+output "config_delivery_bucket_name" {
+  value = aws_s3_bucket.r_config_delivery_s3_bucket.id
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/providers.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/providers.tf
new file mode 100644
index 000000000..226f1ca46
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/providers.tf
@@ -0,0 +1,13 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/variables.tf b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/variables.tf
new file mode 100644
index 000000000..debcce3d0
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/delivery_s3_bucket/variables.tf
@@ -0,0 +1,31 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_config_org_delivery_bucket_prefix" {
+  type        = string
+  description = "Config Delivery S3 bucket prefix. The account and region will get added to the end."
+  default     = "sra-config-org-delivery"
+}
+
+variable "p_organization_id" {
+  type        = string
+  description = "SSM Parameter for AWS Organizations ID"
+}
+
+variable "p_config_org_delivery_kms_key_arn" {
+  type        = string
+  description = "KMS Key ARN to use for encrypting Config snapshots sent to S3"
+}
+
+variable "p_sra_solution_name" {
+  type        = string
+  description = "The SRA solution name. The default value is the folder name of the solution"
+  default     = "sra-config-org"
+}
+
+variable "p_s3_key_prefix" {
+  type        = string
+  description = "Organization ID to use as the S3 Key prefix for storing the audit logs"
+  default     = "/sra/control-tower/organization-id"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/global_events/data.tf b/aws_sra_examples/terraform/solutions/config_org/global_events/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/global_events/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/global_events/main.tf b/aws_sra_examples/terraform/solutions/config_org/global_events/main.tf
new file mode 100644
index 000000000..475f76a8e
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/global_events/main.tf
@@ -0,0 +1,30 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+resource "aws_cloudwatch_event_rule" "r_organizations_rule" {
+  name        = "${var.p_sra_solution_name}-forward-org-events"
+  description = "SRA Config Forward Organizations events to home region."
+
+  event_pattern = jsonencode({
+    source        = ["aws.organizations"],
+    "detail-type" = ["AWS Service Event via CloudTrail"],
+    detail = {
+      eventSource = ["organizations.amazonaws.com"],
+      eventName = [
+        "AcceptHandshake",
+        "CreateAccountResult"
+      ]
+    }
+  })
+
+  role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.p_event_rule_role_name}"
+  state    = "ENABLED"
+}
+
+resource "aws_cloudwatch_event_target" "r_organizations_rule_target" {
+  rule      = aws_cloudwatch_event_rule.r_organizations_rule.name
+  arn       = "arn:aws:events:${var.p_home_region}:${data.aws_caller_identity.current.account_id}:event-bus/default"
+  target_id = "${var.p_sra_solution_name}-org-events-to-home-region"
+  role_arn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.p_event_rule_role_name}"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/global_events/providers.tf b/aws_sra_examples/terraform/solutions/config_org/global_events/providers.tf
new file mode 100644
index 000000000..226f1ca46
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/global_events/providers.tf
@@ -0,0 +1,13 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/global_events/variables.tf b/aws_sra_examples/terraform/solutions/config_org/global_events/variables.tf
new file mode 100644
index 000000000..13b532f51
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/global_events/variables.tf
@@ -0,0 +1,21 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_event_rule_role_name" {
+  type        = string
+  description = "Event rule role name for putting events on the home region event bus"
+  default     = "sra-config-global-events"
+}
+
+variable "p_home_region" {
+  type        = string
+  description = "Name of the Control Tower home region"
+  default     = "us-east-1"
+}
+
+variable "p_sra_solution_name" {
+  type        = string
+  description = "The SRA solution name. The default value is the folder name of the solution."
+  default     = "sra-config-org"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/main.tf b/aws_sra_examples/terraform/solutions/config_org/main.tf
new file mode 100644
index 000000000..e38efd269
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/main.tf
@@ -0,0 +1,121 @@
+locals {
+  aws_partition  = data.aws_partition.current.partition
+  aws_account_id = data.aws_caller_identity.current.account_id
+  aws_region     = data.aws_region.current.name
+
+  c_not_global_region_us_east_1 = local.aws_region != "us-east-1"
+  c_register_delegated_admin    = var.p_register_delegated_admin_account == true
+  c_control_tower_regions       = var.p_control_tower_regions_only == true
+
+  is_audit_account = data.aws_caller_identity.current.account_id == var.p_audit_account_id
+  is_log_account   = data.aws_caller_identity.current.account_id == var.p_audit_account_id
+  is_home_region   = data.aws_region.current.name == var.p_home_region
+}
+
+module "m_config_sns_topic" {
+  depends_on = [module.m_configuration_role]
+  count      = local.is_audit_account ? 1 : 0
+  source     = "./sns"
+
+  p_configuration_email              = var.p_configuration_email
+  p_config_org_sns_key_alias         = var.p_config_org_sns_key_alias
+  p_config_topic_name                = var.p_config_topic_name
+  p_subscribe_to_configuration_topic = var.p_subscribe_to_configuration_topic
+}
+
+module "m_configuration_role" {
+  count = local.is_home_region ? 1 : 0
+
+  source = "./configuration_role"
+
+  providers = {
+    aws = aws.main
+  }
+
+  p_audit_account_id      = var.p_audit_account_id
+  p_management_account_id = var.p_management_account_id
+  p_home_region           = var.p_home_region
+}
+
+// delivery kms
+module "m_delivery_kms" {
+  count  = local.is_audit_account ? 1 : 0
+  source = "./delivery_kms_key"
+
+  providers = {
+    aws = aws.main
+  }
+
+  p_log_archive_account_id = var.p_log_archive_account_id
+  p_management_account_id  = var.p_management_account_id
+}
+
+// delivery bucket
+module "m_delivery_bucket" {
+  depends_on = [module.m_configuration_role, module.m_delivery_kms]
+  count      = local.is_audit_account && local.is_home_region ? 1 : 0
+  source     = "./delivery_s3_bucket"
+
+  providers = {
+    aws = aws.log_archive
+  }
+
+  p_organization_id                   = var.p_organization_id
+  p_config_org_delivery_bucket_prefix = var.p_config_org_delivery_bucket_prefix
+  p_config_org_delivery_kms_key_arn   = module.m_delivery_kms[0].config_delivery_kms_key_arn
+}
+
+// configuration
+module "m_configuration" {
+  depends_on = [module.m_configuration_role, module.m_delivery_bucket]
+  count      = local.is_audit_account && local.is_home_region ? 1 : 0
+  source     = "./configuration"
+
+  providers = {
+    aws = aws.management
+  }
+
+  p_publishing_destination_bucket_name = module.m_delivery_bucket[0].config_delivery_bucket_name
+  p_home_region                        = var.p_home_region
+  p_delivery_s3_key_prefix             = var.p_organization_id
+  p_kms_key_arn                        = module.m_delivery_kms[0].config_delivery_kms_key_arn
+  p_audit_account_id                   = var.p_audit_account_id
+  p_organization_id                    = var.p_organization_id
+  p_log_archive_account_id             = var.p_log_archive_account_id
+  p_current_region                     = data.aws_region.current.name
+}
+
+// global events
+module "m_global_events" {
+  count  = local.is_audit_account && local.is_home_region && local.c_not_global_region_us_east_1 ? 1 : 0
+  source = "./global_events"
+
+  providers = {
+    aws = aws.management
+  }
+
+  p_home_region       = var.p_home_region
+  p_sra_solution_name = var.p_sra_solution_name
+}
+
+// org-sns
+module "m_org_sns_kms_key" {
+  count = local.is_audit_account ? 1 : 0
+
+  source = "./sns"
+
+  providers = {
+    aws = aws.main
+  }
+}
+
+// config aggregator
+module "m_config_aggregator" {
+  count = local.is_audit_account && local.is_home_region ? 1 : 0
+
+  source = "./aggregator_org_configuration"
+
+  providers = {
+    aws = aws.main
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/data.tf b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/main.tf b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/main.tf
new file mode 100644
index 000000000..f7ecd0cfb
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/main.tf
@@ -0,0 +1,60 @@
+resource "aws_kms_key" "r_config_sns_key" {
+  description         = "SRA Config SNS Key"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.r_config_sns_key_policy.json
+  tags = {
+    "sra-solution" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_kms_alias" "r_config_sns_key_alias" {
+  name          = "alias/${var.p_config_org_sns_key_alias}"
+  target_key_id = aws_kms_key.r_config_sns_key.key_id
+}
+
+data "aws_iam_policy_document" "r_config_sns_key_policy" {
+  statement {
+    sid       = "Enable IAM User Permissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  statement {
+    sid       = "Allow Config to encrypt logs"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+  }
+
+  statement {
+    sid       = "Allow alias creation during setup"
+    effect    = "Allow"
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["cloudformation.${data.aws_region.current.name}.amazonaws.com"]
+    }
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+}
+
+#Add email policy
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/providers.tf b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/providers.tf
new file mode 100644
index 000000000..c5ab4eeb1
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/providers.tf
@@ -0,0 +1,17 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+      #configuration_aliases = [aws.main, aws.management, aws.log_archive]
+      tags = {
+        "sra-solution" = var.p_sra_solution_name
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/variables.tf b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/variables.tf
new file mode 100644
index 000000000..efac86273
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/org_sns-kms-key/variables.tf
@@ -0,0 +1,21 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_sra_solution_name" {
+  description = "SRA Solution Name"
+  type        = string
+  default     = "sra-config-org"
+}
+
+variable "p_config_org_sns_key_alias" {
+  default     = "sra-config-org-sns-key"
+  description = "(Optional) SRA Secrets Manager KMS Key Alias ARN"
+  type        = string
+}
+
+variable "p_sra_solution_name" {
+  default     = "sra-config-org"
+  description = "The SRA solution name. The default value is the folder name of the solution"
+  type        = string
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/providers.tf b/aws_sra_examples/terraform/solutions/config_org/providers.tf
new file mode 100644
index 000000000..f698760b7
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/providers.tf
@@ -0,0 +1,14 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      version               = ">= 5.1.0"
+      configuration_aliases = [aws.main, aws.management, aws.log_archive]
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/sns/data.tf b/aws_sra_examples/terraform/solutions/config_org/sns/data.tf
new file mode 100644
index 000000000..97f34e1ef
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/sns/data.tf
@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/sns/main.tf b/aws_sra_examples/terraform/solutions/config_org/sns/main.tf
new file mode 100644
index 000000000..d84e2e3f4
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/sns/main.tf
@@ -0,0 +1,36 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+resource "aws_sns_topic" "config_org_topic" {
+  name              = var.p_config_topic_name
+  display_name      = var.p_config_topic_name
+  kms_master_key_id = "arn:${data.aws_partition.current.partition}:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.p_config_org_sns_key_alias}"
+  tags = {
+    "sra-solution" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_sns_topic_policy" "sns_all_configuration_topic_policy" {
+  arn    = aws_sns_topic.config_org_topic.arn
+  policy = data.aws_iam_policy_document.sns_policy.json
+}
+
+data "aws_iam_policy_document" "sns_policy" {
+  statement {
+    actions   = ["sns:Publish"]
+    effect    = "Allow"
+    resources = [aws_sns_topic.config_org_topic.arn]
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "sns_all_configuration_email_notification" {
+  count     = var.p_subscribe_to_configuration_topic ? 1 : 0
+  topic_arn = aws_sns_topic.config_org_topic.arn
+  protocol  = "email"
+  endpoint  = var.p_configuration_email
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/sns/providers.tf b/aws_sra_examples/terraform/solutions/config_org/sns/providers.tf
new file mode 100644
index 000000000..30cfbfd12
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/sns/providers.tf
@@ -0,0 +1,14 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+      #configuration_aliases = [aws.main, aws.management, aws.log_archive]
+    }
+  }
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/sns/variables.tf b/aws_sra_examples/terraform/solutions/config_org/sns/variables.tf
new file mode 100644
index 000000000..e81ed2a9c
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/sns/variables.tf
@@ -0,0 +1,33 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_configuration_email" {
+  type        = string
+  description = "Email for receiving all AWS configuration events"
+  default     = ""
+}
+
+variable "p_config_org_sns_key_alias" {
+  type        = string
+  default     = "sra-config-org-sns-key"
+  description = "Config SNS KMS Key Alias"
+}
+
+variable "p_config_topic_name" {
+  type        = string
+  default     = "sra-ConfigNotifications"
+  description = "Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to."
+}
+
+variable "p_sra_solution_name" {
+  type        = string
+  default     = "sra-config-org"
+  description = "The SRA solution name. The default value is the folder name of the solution"
+}
+
+variable "p_subscribe_to_configuration_topic" {
+  type        = bool
+  default     = false
+  description = "Indicates whether ConfigurationEmail will be subscribed to the ConfigurationTopicName topic."
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/config_org/variables.tf b/aws_sra_examples/terraform/solutions/config_org/variables.tf
new file mode 100644
index 000000000..62539f465
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/config_org/variables.tf
@@ -0,0 +1,219 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_sra_solution_name" {
+  description = "SRA Solution Name"
+  type        = string
+  default     = "sra-config-org"
+}
+
+variable "p_config_org_sns_key_alias" {
+  description = "Config SNS KMS Key Alias"
+  type        = string
+  default     = "sra-config-org-sns-key"
+}
+
+variable "p_sra_alarm_email" {
+  description = "(Optional) SRA Alarm Email"
+  type        = string
+  default     = ""
+}
+
+variable "p_sra_solution_version" {
+  description = "SRA Solution Version"
+  type        = string
+  default     = "v1.0"
+}
+
+variable "p_management_account_id" {
+  description = "Management Account ID"
+  type        = string
+}
+
+variable "p_audit_account_id" {
+  description = "Audit Account ID"
+  type        = string
+}
+
+variable "p_log_archive_account_id" {
+  description = "Log Archive Account ID"
+  type        = string
+}
+
+variable "p_organization_id" {
+  description = "Organization ID"
+  type        = string
+}
+
+variable "p_root_organizational_unit_id" {
+  description = "Root Organizational Unit ID"
+  type        = string
+}
+
+variable "p_home_region" {
+  description = "Home Region"
+  type        = string
+}
+
+variable "p_customer_control_tower_regions" {
+  description = "Customer Regions"
+  type        = string
+  default     = "/sra/regions/customer-control-tower-regions"
+}
+
+variable "p_stack_set_admin_role" {
+  description = "Stack Set Role"
+  type        = string
+  default     = "sra-stackset"
+}
+
+variable "p_stack_execution_role" {
+  description = "Stack execution role"
+  type        = string
+  default     = "sra-execution"
+}
+
+variable "p_control_tower_regions_only" {
+  description = "Common Prerequisites Regions Only"
+  type        = bool
+  default     = true
+}
+
+variable "p_enabled_regions" {
+  description = "(Optional) Enabled Regions"
+  type        = string
+  default     = ""
+}
+
+variable "p_recorder_name" {
+  description = "Recorder Name"
+  type        = string
+  default     = "sra-ConfigRecorder"
+}
+
+variable "p_all_supported" {
+  description = "All Supported"
+  type        = bool
+  default     = true
+}
+
+variable "p_include_global_resource_types" {
+  description = "Include Global Resource Types"
+  type        = bool
+  default     = true
+}
+
+variable "p_resource_types" {
+  description = "(Optional) Resource Types"
+  type        = string
+  default     = ""
+}
+
+variable "p_delivery_channel_name" {
+  description = "Delivery Channel Name"
+  type        = string
+  default     = "sra-config-s3-delivery"
+}
+
+variable "p_config_org_delivery_bucket_prefix" {
+  description = "Config Delivery Bucket Prefix"
+  type        = string
+  default     = "sra-config-org-delivery"
+}
+
+variable "p_delivery_s3_key_prefix" {
+  description = "Delivery S3 Key Prefix"
+  type        = string
+  default     = "/sra/control-tower/organization-id"
+}
+
+variable "p_config_org_delivery_key_alias" {
+  description = "Config Delivery KMS Key Alias"
+  type        = string
+  default     = "sra-config-org-delivery-key"
+}
+
+variable "p_frequency" {
+  description = "Frequency"
+  type        = string
+  default     = "1hour"
+}
+
+variable "p_kms_key_arn_secret_name" {
+  description = "KMS Key Arn Secret Name"
+  type        = string
+  default     = "sra/config_org_delivery_key_arn"
+}
+
+variable "p_config_topic_name" {
+  description = "Config SNS Topic Name"
+  type        = string
+  default     = "sra-ConfigNotifications"
+}
+
+variable "p_subscribe_to_configuration_topic" {
+  description = "Subscribe to Configuration Topic"
+  type        = bool
+  default     = false
+}
+
+variable "p_configuration_email" {
+  description = "Configuration Email"
+  type        = string
+  default     = ""
+}
+
+variable "p_aggregator_name" {
+  description = "Config Aggregator Name"
+  type        = string
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_aggregator_role_name" {
+  description = "Config Aggregator Role Name"
+  type        = string
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_register_delegated_admin_account" {
+  description = "Register Delegated Admin Account"
+  type        = bool
+  default     = true
+}
+
+variable "p_create_lambda_log_group" {
+  description = "Create Lambda Log Group"
+  type        = bool
+  default     = false
+}
+
+variable "p_lambda_log_group_retention" {
+  description = "Lambda Log Group Retention"
+  type        = number
+  default     = 14
+}
+
+variable "p_lambda_log_group_kms_key" {
+  description = "(Optional) Lambda Logs KMS Key"
+  type        = string
+  default     = ""
+}
+
+variable "p_lambda_log_level" {
+  description = "Lambda Log Level"
+  type        = string
+  default     = "INFO"
+}
+
+variable "p_compliance_frequency" {
+  description = "Frequency to Check for Organizational Compliance"
+  type        = number
+  default     = 7
+}
+
+variable "p_control_tower_life_cycle_rule_name" {
+  description = "Lifecycle Rule Name"
+  type        = string
+  default     = "sra-config-org-trigger"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/kms_key/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/kms_key/main.tf
index 092a31f4a..41298020c 100644
--- a/aws_sra_examples/terraform/solutions/guard_duty/kms_key/main.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/kms_key/main.tf
@@ -93,7 +93,7 @@ resource "aws_kms_alias" "guardduty_delivery_key_alias" {
 
 resource "aws_secretsmanager_secret" "guardduty_delivery_key_secret" {
   #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
-  
+
   count       = var.create_secret ? 1 : 0
   name        = "sra/guardduty_org_delivery_key_arn"
   description = "GuardDuty Delivery KMS Key ARN"
diff --git a/aws_sra_examples/terraform/solutions/macie/delivery_kms_key/main.tf b/aws_sra_examples/terraform/solutions/macie/delivery_kms_key/main.tf
index ac610b2de..2bc61f8ce 100644
--- a/aws_sra_examples/terraform/solutions/macie/delivery_kms_key/main.tf
+++ b/aws_sra_examples/terraform/solutions/macie/delivery_kms_key/main.tf
@@ -93,7 +93,7 @@ resource "aws_kms_alias" "macie_delivery_key_alias" {
 resource "aws_secretsmanager_secret" "macie_delivery_key_secret" {
   #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
   #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
-  
+
   count       = var.secrets_key_alias_arn != "" ? 1 : 0
   name        = "sra/macie_org_delivery_key_arn"
   description = "Macie Delivery KMS Key ARN"
diff --git a/aws_sra_examples/terraform/solutions/main.tf b/aws_sra_examples/terraform/solutions/main.tf
index 91624bce6..7aaafdd77 100644
--- a/aws_sra_examples/terraform/solutions/main.tf
+++ b/aws_sra_examples/terraform/solutions/main.tf
@@ -195,3 +195,22 @@ module "iam_password_policy" {
   require_symbols                = var.iam_password_policy_require_symbols
   require_uppercase_characters   = var.iam_password_policy_require_uppercase_characters
 }
+
+module "config" {
+  count = var.enable_config_org ? 1 : 0
+
+  providers = {
+    aws.main        = aws.target_config
+    aws.management  = aws.management_config
+    aws.log_archive = aws.log_archive_config
+  }
+
+  source = "./config_org"
+
+  p_organization_id             = var.organization_id
+  p_log_archive_account_id      = local.log_archive_account_id
+  p_root_organizational_unit_id = var.root_organizational_unit_id
+  p_audit_account_id            = local.audit_account_id
+  p_home_region                 = var.home_region
+  p_management_account_id       = local.management_account_id
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/providers.tf b/aws_sra_examples/terraform/solutions/providers.tf
index deacd7c9d..456cbae2a 100644
--- a/aws_sra_examples/terraform/solutions/providers.tf
+++ b/aws_sra_examples/terraform/solutions/providers.tf
@@ -55,4 +55,53 @@ provider "aws" {
       Owner = "Security"
     }
   }
+}
+
+provider "aws" {
+  alias  = "management_config"
+  region = var.account_region
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${var.management_account_id}:role/sra-execution"
+    session_name = "Pipeline_Run"
+  }
+
+  default_tags {
+    tags = {
+      Owner        = "Security"
+      sra-solution = "sra-config-org"
+    }
+  }
+}
+
+provider "aws" {
+  alias  = "target_config"
+  region = var.account_region
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${var.account_id}:role/sra-execution"
+    session_name = "Pipeline_Run"
+  }
+  default_tags {
+    tags = {
+      Owner        = "Security"
+      sra-solution = "sra-config-org"
+    }
+  }
+}
+
+provider "aws" {
+  alias  = "log_archive_config"
+  region = var.account_region
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${var.log_archive_account_id}:role/sra-execution"
+    session_name = "Pipeline_Run"
+  }
+  default_tags {
+    tags = {
+      Owner        = "Security"
+      sra-solution = "sra-config-org"
+    }
+  }
 }
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/variables.tf b/aws_sra_examples/terraform/solutions/variables.tf
index c52aa8301..910708147 100644
--- a/aws_sra_examples/terraform/solutions/variables.tf
+++ b/aws_sra_examples/terraform/solutions/variables.tf
@@ -349,3 +349,11 @@ variable "disable_cloudtrail" {
   type        = bool
   default     = false
 }
+
+########################################################################
+# AWS Config Organization
+########################################################################
+variable "enable_config_org" {
+  description = "Enables the AWS Config Organization"
+  type        = bool
+}
\ No newline at end of file