4.3 Ensure AWS Config is enabled in all regions

Information

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes configuration items (AWS resources), the relationships between those items, and any configuration changes made to the resources. It is recommended that AWS Config be enabled in all regions. In environments using AWS Control Tower or Landing Zone Accelerator (LZA), AWS Config may be centrally managed and automatically enabled across regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Solution

To enable AWS Config recording:

From Console:

- Select the region you want to focus on in the top right of the console.
- Click Services.
- Click Config.
- If a Config Recorder is enabled in this region, navigate to the Settings page from the navigation menu on the left-hand side. If a Config Recorder is not yet enabled in this region, select "Get Started".
- Select "Record all resources supported in this region".
- Choose to include global resources (IAM resources).
- Specify an S3 bucket in the same account or in another managed AWS account.
- Create an SNS Topic from the same AWS account or another managed AWS account.

Note: In AWS Control Tower or Landing Zone Accelerator (LZA) environments, AWS Config setup and recording may be deployed and managed automatically. Configuration changes should be performed through the centralized governance framework rather than directly in individual accounts.

From Command Line:

- Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html.
- Run this command to create a new configuration recorder:

aws configservice put-configuration-recorder --configuration-recorder name=<config-recorder-name>,roleARN=arn:aws:iam::<account-id>:role/<iam-role> --recording-group allSupported=true,includeGlobalResourceTypes=true

- Create a delivery channel configuration file locally which specifies the channel attributes, populated from the prerequisites set up previously:

{
  "name": "<delivery-channel-name>",
  "s3BucketName": "<bucket-name>",
  "snsTopicARN": "arn:aws:sns:<region>:<account-id>:<sns-topic>",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

- Run this command to create a new delivery channel, referencing the JSON configuration file made in the previous step:

aws configservice put-delivery-channel --delivery-channel file://<delivery-channel-file>.json

- Start the configuration recorder by running the following command:

aws configservice start-configuration-recorder --configuration-recorder-name <config-recorder-name>
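The steps above create and start a recorder in one region; verifying the control across an account means checking every region for the same three conditions (a recorder exists, it records all supported plus global resource types, and it is actually recording without a failed last status). The following Python is an added example, not part of the CIS text or any Tenable or AWS tool. It evaluates the JSON returned by `describe-configuration-recorders` and `describe-configuration-recorder-status` (the same structures boto3 and the AWS CLI return) against a constructed sample of three regions; `collect_with_boto3` is an assumed helper that only needs boto3 and credentials if you call it against a live account, and the account ID and role name in the sample are placeholders.

```python
"""Per-region audit of the control "AWS Config is enabled in all regions".

Input is the output of `aws configservice describe-configuration-recorders`
(ConfigurationRecorders) and `describe-configuration-recorder-status`
(ConfigurationRecordersStatus) for each region.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class RegionFinding:
    region: str
    compliant: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_region(region: str,
                    recorders: List[Dict[str, Any]],
                    statuses: List[Dict[str, Any]]) -> RegionFinding:
    """Apply the control's conditions to one region's describe-* output."""
    if not recorders:
        return RegionFinding(region, False, ["no configuration recorder in this region"])
    # AWS Config permits a single recorder per region, so the first entry is the one.
    recorder = recorders[0]
    group = recorder.get("recordingGroup", {})
    reasons: List[str] = []
    if not group.get("allSupported", False):
        reasons.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes", False):
        reasons.append("recorder does not include global resource types (IAM)")
    status: Optional[Dict[str, Any]] = next(
        (s for s in statuses if s.get("name") == recorder.get("name")), None)
    if status is None or not status.get("recording", False):
        reasons.append("recorder exists but is not recording")
    elif status.get("lastStatus") == "Failure":
        reasons.append("last recording attempt failed: "
                       f"{status.get('lastErrorCode')} {status.get('lastErrorMessage')}")
    return RegionFinding(region, not reasons, reasons)


def evaluate_account(per_region: Dict[str, Dict[str, List[Dict[str, Any]]]]
                     ) -> List[RegionFinding]:
    """Evaluate every region and return one finding per region, sorted by name."""
    return [evaluate_region(r, d.get("recorders", []), d.get("statuses", []))
            for r, d in sorted(per_region.items())]


def collect_with_boto3(regions: List[str]) -> Dict[str, Dict[str, List[Dict[str, Any]]]]:
    """Assumed live collector: gathers the two API responses per region via boto3."""
    import boto3  # imported lazily so the offline sample below does not need it
    out: Dict[str, Dict[str, List[Dict[str, Any]]]] = {}
    for region in regions:
        cfg = boto3.client("config", region_name=region)
        out[region] = {
            "recorders": cfg.describe_configuration_recorders()["ConfigurationRecorders"],
            "statuses": cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
        }
    return out


# Constructed sample (not real account data): three regions in three states.
SAMPLE = {
    "us-east-1": {
        "recorders": [{"name": "default",
                       "roleARN": "arn:aws:iam::111122223333:role/config-role-placeholder",
                       "recordingGroup": {"allSupported": True,
                                          "includeGlobalResourceTypes": True}}],
        "statuses": [{"name": "default", "recording": True, "lastStatus": "Success"}],
    },
    "eu-west-1": {
        "recorders": [{"name": "default",
                       "recordingGroup": {"allSupported": True,
                                          "includeGlobalResourceTypes": False}}],
        "statuses": [{"name": "default", "recording": False}],
    },
    "ap-southeast-2": {"recorders": [], "statuses": []},
}

if __name__ == "__main__":
    for f in evaluate_account(SAMPLE):
        state = "PASS" if f.compliant else "FAIL"
        print(f"{f.region:15} {state}  {'; '.join(f.reasons)}")
```

The evaluator treats `includeGlobalResourceTypes` as required in every region, matching the console step above; accounts that deliberately record global (IAM) resources in only one region to avoid duplicate configuration items can relax that test to "true in at least one region" while keeping the recorder-present and recording checks strict everywhere. In Control Tower or LZA environments, run it read-only and route any failing region back through the governance framework rather than fixing it by hand.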

Impact

Enabling AWS Config in all regions provides comprehensive visibility into resource configurations, enhancing security and compliance monitoring. However, this may incur additional costs and require proper configuration management.

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

References: 800-53|CM-8, 800-53|CM-8(1), 800-53|PM-5, CCE|CCE-78917-2, CSCv7|1.4

Plugin: amazon_aws

Control ID: 5150bb3c8231fd7a2e133502292d547f019aeacf287add935431744ee00ab346