Ensure AWS Config is enabled in all regions
Severity: Medium
Resource Types: AWS::ConfigService::ConfigurationRecorder
Description
AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources.
The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
Remediation
To implement AWS Config configuration:
From Console
- Open the AWS Config console at Config.
- Select the Region to configure AWS Config in.
- On the Settings page, do the following:
- Under Resource types to record, select Record all resources supported in this region and Include global resources (e.g., AWS IAM resources).
- Under Amazon S3 bucket, specify the bucket to use or create a bucket and optionally include a prefix.
- Under Amazon SNS topic, select an Amazon SNS topic from your account or create one.
- Under AWS Config role, either choose Create AWS Config service-linked role or choose Choose a role from your account and then select the role to use.
- Choose Next.
- On the AWS Config rules page, choose Skip.
- Choose Confirm.
From Command Line
- Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
- Run this command to set up the configuration recorder
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
- Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>