3.5 Ensure AWS Config is enabled in all regions - 'Review defined S3 Bucket'

Information

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes each configuration item (an AWS resource), the relationships between configuration items, and any configuration changes to those resources. It is recommended that AWS Config be enabled in all regions.

Rationale:

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Impact:

It is recommended AWS Config be enabled in all regions.

Solution

To implement AWS Config configuration:
From Console:

Select the region you want to focus on in the top right of the console

Click Services

Click Config

Define which resources you want to record in the selected region

Choose to include global resources (IAM resources)

Specify an S3 bucket in the same account or in another managed AWS account

Create an SNS Topic from the same AWS account or another managed AWS account

From Command Line:

Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.

Run this command to set up the configuration recorder and its delivery channel:

aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole

Run this command to start the configuration recorder:

aws configservice start-configuration-recorder --configuration-recorder-name <value>
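The two commands above enable Config in one region, while the control asks that it be enabled in every region. The script below is an added example, not part of this audit or of the CIS benchmark: it turns the "is Config enabled here?" question into a pure function over the response shapes of `describe-configuration-recorders`, `describe-configuration-recorder-status` and `describe-delivery-channels`, exercised on constructed sample responses, plus an `audit_account()` wrapper that walks every enabled region. The wrapper assumes boto3 is installed and credentials are configured; the bucket, topic and role names reuse the placeholders from the command above.

```python
"""Added example (not Tenable's or CIS's code): audit AWS Config per region.

evaluate_region() is a pure function over dicts shaped like the responses of
`aws configservice describe-configuration-recorders`,
`describe-configuration-recorder-status` and `describe-delivery-channels`,
so the check can be tested offline. audit_account() applies it to every
enabled region and assumes boto3 plus configured credentials.
"""
from __future__ import annotations


def evaluate_region(recorders: dict, statuses: dict, channels: dict,
                    expect_global: bool = False) -> list[str]:
    """Return findings for one region; an empty list means the region passes."""
    findings: list[str] = []
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        # Nothing is recorded at all: the headline failure for this control.
        return ["no configuration recorder defined"]
    rec = recs[0]                      # AWS allows one recorder per region
    group = rec.get("recordingGroup", {})
    if not group.get("allSupported", False):
        findings.append("recorder does not record all supported resource types")
    if expect_global and not group.get("includeGlobalResourceTypes", False):
        findings.append("recorder does not include global (IAM) resource types")
    if not rec.get("roleARN"):
        findings.append("recorder has no IAM role")
    by_name = {s["name"]: s for s in statuses.get("ConfigurationRecordersStatus", [])}
    status = by_name.get(rec.get("name", ""))
    if status is None or not status.get("recording", False):
        findings.append("recorder exists but is not recording")
    elif status.get("lastStatus") == "Failure":
        findings.append("last delivery failed: " + status.get("lastErrorMessage", ""))
    chans = channels.get("DeliveryChannels", [])
    if not chans:
        findings.append("no delivery channel defined")
    elif not chans[0].get("s3BucketName"):
        findings.append("delivery channel has no S3 bucket")
    return findings


# Constructed sample responses (not captured from a real account).
PASS_RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                       "resourceTypes": []}}]}
PASS_STATUS = {"ConfigurationRecordersStatus": [{
    "name": "default", "recording": True, "lastStatus": "Success"}]}
PASS_CHANNELS = {"DeliveryChannels": [{
    "name": "default", "s3BucketName": "my-config-bucket",
    "snsTopicARN": "arn:aws:sns:us-east-1:012345678912:my-config-notice"}]}

# A region where the recorder was created but never started, records only
# one resource type, and has no delivery channel attached.
FAIL_RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance"]}}]}
FAIL_STATUS = {"ConfigurationRecordersStatus": [{
    "name": "default", "recording": False, "lastStatus": "Pending"}]}
FAIL_CHANNELS = {"DeliveryChannels": []}


def audit_account(global_region: str = "us-east-1") -> dict[str, list[str]]:
    """Run evaluate_region() against every enabled region (needs boto3 + creds)."""
    import boto3  # assumption: boto3 installed; imported lazily so the rest runs offline
    ec2 = boto3.client("ec2", region_name=global_region)
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    report: dict[str, list[str]] = {}
    for region in regions:
        cfg = boto3.client("config", region_name=region)
        report[region] = evaluate_region(
            cfg.describe_configuration_recorders(),
            cfg.describe_configuration_recorder_status(),
            cfg.describe_delivery_channels(),
            expect_global=(region == global_region),
        )
    return report


if __name__ == "__main__":
    for label, args in (("pass-region", (PASS_RECORDERS, PASS_STATUS, PASS_CHANNELS)),
                        ("fail-region", (FAIL_RECORDERS, FAIL_STATUS, FAIL_CHANNELS))):
        findings = evaluate_region(*args, expect_global=True)
        print(label, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

`expect_global` is a per-region flag because global resource types (IAM) only need to be recorded from one region; recording them everywhere duplicates configuration items. A recorder that exists but is not started, or that has no delivery channel, is the common way a region looks "configured" in the console while producing no history, which is why the function checks status and channel separately rather than only the recorder's existence.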

See Also

https://workbench.cisecurity.org/files/3416

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, CSCv7|1.4, CSCv7|11.2, CSCv7|16.1

Plugin: amazon_aws

Control ID: fd37d18b2f365b659321df0bd3cc10c97563969bcd9765f9aae1b54de6f13eec