
Ensure AWS Config is enabled in all regions Rule

This rule ensures that AWS Config is enabled in all regions for compliance with Logging benchmarks.

Rule: Ensure AWS Config is enabled in all regions
Framework: cis_v130
Severity: Low

Ensure AWS Config is enabled in all regions for CIS v1.3.0

The Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 contains recommendations for AWS account security. One of the recommendations is to ensure that AWS Config is enabled in all available regions of your AWS account. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.

Having AWS Config enabled is crucial for compliance monitoring, security analysis, change management, and operational troubleshooting.

Troubleshooting Steps

If you find that AWS Config is not enabled in all regions, below are the steps to troubleshoot and enable it:

  1. Check AWS Config Dashboard: Log in to the AWS Management Console, navigate to the AWS Config console, and check whether it is enabled in each region.
  2. Audit with AWS CLI: Use the AWS CLI to list all the regions and verify the status of AWS Config in each region.

AWS CLI Commands

To verify AWS Config using AWS CLI, you can use the following command to list all regions:

aws ec2 describe-regions --query "Regions[].RegionName" --output text

Then, for each region returned from the above command, check if AWS Config is enabled:

aws configservice describe-configuration-recorders --region <region-name>

Replace <region-name> with each of the region names obtained from the first command to check the AWS Config status in that particular region.

Step by Step Guide for Remediation

Step 1: Enabling AWS Config

Follow these steps to enable AWS Config across all regions:

  1. Open AWS Config Console: Navigate to the AWS Config service in the AWS Management Console.
  2. Select Region: Select a region from the top right corner where AWS Config is not enabled.
  3. Set Up AWS Config: Click on "Get started" if it's your first time using AWS Config, or select "Settings" if AWS Config is already set up.
  4. Resource types to record: Choose the resource types that you want AWS Config to record.
  5. Amazon S3 bucket: Specify an S3 bucket for AWS Config to store configuration snapshots and history files.
  6. AWS IAM Role: Create a role to give AWS Config the permission to check other AWS services.
  7. Amazon SNS topic (optional): Set up an SNS topic to receive notifications about configuration changes.
  8. Choose "Record All Resources": Ensure you configure AWS Config to record all resources including global resources for comprehensive coverage.
  9. Repeat for All Regions: Perform steps 2 to 8 for each region where AWS Config is not enabled.

Step 2: AWS CLI Command to Enable AWS Config

To enable AWS Config via the CLI, you can use the put-configuration-recorder and start-configuration-recorder commands.

Below is an example of how to configure and start the recorder in a region:

aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::<account-id>:role/<role-name> --recording-group allSupported=true,includeGlobalResourceTypes=true --region <region-name>

aws configservice start-configuration-recorder --configuration-recorder-name default --region <region-name>

Make sure to replace <account-id>, <role-name>, and <region-name> with your AWS account ID, the relevant IAM role, and the specific region.
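As an added example (not part of this page or of the AWS CLI itself), the following Python script drives the same Describe calls as the audit section above with boto3 and checks the settings the remediation steps configure: all supported resource types, global resource types, a delivery channel (S3 bucket), and a recorder that is actually recording. It assumes boto3 is installed and that the credentials have read-only ec2:DescribeRegions and config:Describe* permissions; the function and variable names are assumptions of this example.

```python
def evaluate_region(recorders, statuses, channels):
    """Return (compliant, reasons) for one region from the three Describe* responses."""
    if not recorders:
        return False, ["no configuration recorder in this region"]
    recorder = recorders[0]  # AWS Config allows one recorder per region
    group = recorder.get("recordingGroup", {})
    reasons = []
    if not group.get("allSupported"):
        reasons.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        reasons.append("global resource types (e.g. IAM) are not recorded")
    if not channels:  # the recorder cannot be started until a delivery channel exists
        reasons.append("no delivery channel (S3 bucket) configured")
    status = next((s for s in statuses if s.get("name") == recorder.get("name")), None)
    if status is None or not status.get("recording"):
        reasons.append("recorder is not recording")
    elif status.get("lastStatus") == "FAILURE":
        reasons.append("last recording or delivery attempt failed")
    return not reasons, reasons


def audit_all_regions(session=None):
    """Evaluate every enabled region; needs ec2:DescribeRegions and config:Describe*."""
    import boto3  # imported here so evaluate_region() stays usable without boto3

    session = session or boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    # describe_regions() returns only the regions enabled for this account
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    report = {}
    for region in regions:
        cfg = session.client("config", region_name=region)
        recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
        statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
        channels = cfg.describe_delivery_channels()["DeliveryChannels"]
        report[region] = evaluate_region(recorders, statuses, channels)
    return report


if __name__ == "__main__":
    for region, (ok, reasons) in sorted(audit_all_regions().items()):
        print(f"{region}: {'PASS' if ok else 'FAIL - ' + '; '.join(reasons)}")
```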

It is important to remember that this guide aims to be as concise as possible while still providing all necessary remediation steps. When implementing changes, always follow best practices such as backup strategies, change management protocols, and carry out actions in line with your organization’s compliance requirements.
