Ensure AWS Config is enabled in all regions Rule
This rule ensures that AWS Config is enabled in all regions for compliance with Logging benchmarks.
| Rule | Ensure AWS Config is enabled in all regions |
| Framework | cis_v130 |
| Severity | ✔ Low |
Ensure AWS Config is enabled in all regions for CIS v1.3.0
The Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 contains recommendations for AWS account security. One of the recommendations is to ensure that AWS Config is enabled in all available regions of your AWS account. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Having AWS Config enabled is crucial for compliance monitoring, security analysis, change management, and operational troubleshooting.
Troubleshooting Steps
If you find that AWS Config is not enabled in all regions, below are the steps to troubleshoot and enable it:
- 1.Check AWS Config Dashboard: Log in to the AWS Management Console, navigate to the AWS Config console, and check if it’s enabled in all regions.
- 2.Audit with AWS CLI: Use the AWS CLI to list all the regions and verify the status of AWS Config in each region.
AWS CLI Commands
To verify AWS Config using AWS CLI, you can use the following command to list all regions:
aws ec2 describe-regions --query "Regions[].RegionName" --output text
Then, for each region returned from the above command, check if AWS Config is enabled:
aws configservice describe-configuration-recorders --region <region-name>
Replace
<region-name>Step by Step Guide for Remediation
Step 1: Enabling AWS Config
Follow these steps to enable AWS Config across all regions:
- 1.Open AWS Config Console: Navigate to the AWS Config service in the AWS Management Console.
- 2.Select Region: Select a region from the top right corner where AWS Config is not enabled.
- 3.Set Up AWS Config: Click on "Get started" if it’s your first time using AWS Config, or select "Settings" if AWS Config is already set up.
- 4.Resource types to record: Choose the resource types that you want AWS Config to record.
- 5.Amazon S3 bucket: Specify an S3 bucket for AWS Config to store configuration snapshots and history files.
- 6.AWS IAM Role: Create a role to give AWS Config the permission to check other AWS services.
- 7.Amazon SNS topic (optional): Set up an SNS topic to receive notifications about configuration changes.
- 8.Choose “Record All Resources”: Ensure you configure AWS Config to record all resources including global resources for comprehensive coverage.
- 9.Repeat for All Regions: Perform steps 2 to 8 for each region where AWS Config is not enabled.
Step 2: AWS CLI Command to Enable AWS Config
For enabling AWS Config via CLI, you can use the
put-configuration-recorderstart-configuration-recorderBelow is an example of how to configure and start the recorder in a region:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::<account-id>:role/<role-name>,recordingGroup=allSupported=true,includeGlobalResourceTypes=true --region <region-name> aws configservice start-configuration-recorder --configuration-recorder-name default --region <region-name>
Make sure to replace
<account-id><role-name><region-name>It is important to remember that this guide aims to be as concise as possible while still providing all necessary remediation steps. When implementing changes, always follow best practices such as backup strategies, change management protocols, and carry out actions in line with your organization’s compliance requirements.