πŸ“ AWS Account Config is not enabled in all regions 🟒

  • Contextual name: πŸ“ Config is not enabled in all regions 🟒
  • ID: /ce/ca/aws/account/config-in-all-regions
  • Located in: πŸ“ AWS Account

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
dec-x-88fa51c81

Logic

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.

Rationale

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Impact

Enabling AWS Config in all regions provides comprehensive visibility into resource configurations, enhancing security and compliance monitoring. However, this may incur additional costs and require proper configuration management.

Audit

Process to evaluate AWS Config configuration per region:

From Console
  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
  2. On the top right of the console select target Region.

... see more

Remediation

To implement AWS Config configuration:

From Console

  1. Select the region you want to focus on in the top right of the console.
  2. Click Services.
  3. Click Config.
  4. If a Config recorder is enabled in this region, you should navigate to the Settings page from the navigation menu on the left hand side. If a Config recorder is not yet enabled in this region then you should select Get Started.
  5. Select Record all resources supported in this region.
  6. Choose to include global resources (IAM resources).
  7. Specify an S3 bucket in the same account or in another managed AWS account.
  8. Create an SNS Topic from the same AWS account or another managed AWS account.

From Command Line

  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
  2. Run this command to create a new configuration recorder:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true
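The audit process above is evaluated one region at a time in the console; the script below is an added example (not part of this policy page and not Cloudaware's own code) that applies the same per-region checks across every enabled region: a recorder exists, it records all supported resource types, it includes global resource types as step 6 of the remediation asks, and it is actively recording without a failed last status. The function and variable names, and the sample API responses, are assumptions constructed for the example; `evaluate_region()` works on the raw `DescribeConfigurationRecorders` and `DescribeConfigurationRecorderStatus` responses so it can be exercised offline, while `audit_account()` needs real credentials with `config:Describe*` and `ec2:DescribeRegions`.

```python
"""Check every enabled region for an AWS Config recorder that records all
supported resource types (including global ones) and is actively recording.
Added example, not from the policy page; evaluate_region() runs offline."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RegionFinding:
    region: str
    compliant: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_region(recorders: dict, statuses: dict, region: str) -> RegionFinding:
    """Apply the per-region audit checks to the two Config API responses.

    recorders: response of configservice DescribeConfigurationRecorders
    statuses:  response of configservice DescribeConfigurationRecorderStatus
    """
    reasons: list[str] = []
    recorder_list = recorders.get("ConfigurationRecorders", [])
    if not recorder_list:
        return RegionFinding(region, False, ["no configuration recorder in this region"])
    recorder = recorder_list[0]  # AWS allows at most one recorder per region
    group = recorder.get("recordingGroup", {})
    if not group.get("allSupported"):
        reasons.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        reasons.append("global resource types (IAM) are not included")
    status = next(
        (s for s in statuses.get("ConfigurationRecordersStatus", [])
         if s.get("name") == recorder.get("name")),
        None,
    )
    if status is None or not status.get("recording"):
        reasons.append("recorder exists but is not recording")
    elif str(status.get("lastStatus", "")).upper() == "FAILURE":
        reasons.append("last recording attempt failed: "
                       + str(status.get("lastErrorMessage", "")))
    return RegionFinding(region, not reasons, reasons)


def audit_account(session=None) -> list[RegionFinding]:
    """Evaluate every enabled region of the calling account (needs AWS credentials).
    boto3 is imported lazily so the offline evaluation above stays importable."""
    import boto3

    session = session or boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = sorted(r["RegionName"] for r in ec2.describe_regions()["Regions"])
    findings = []
    for region in regions:
        cfg = session.client("config", region_name=region)
        findings.append(evaluate_region(
            cfg.describe_configuration_recorders(),
            cfg.describe_configuration_recorder_status(),
            region,
        ))
    return findings


# Constructed sample responses (not captured from a real account) in the shape the
# two Describe* calls return: a compliant region, a region with no recorder, and a
# region whose recorder omits global resources and has been stopped.
SAMPLE = {
    "us-east-1": (
        {"ConfigurationRecorders": [{
            "name": "default",
            "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
        {"ConfigurationRecordersStatus": [{
            "name": "default", "recording": True, "lastStatus": "Success"}]},
    ),
    "eu-west-1": ({"ConfigurationRecorders": []}, {"ConfigurationRecordersStatus": []}),
    "ap-south-1": (
        {"ConfigurationRecorders": [{
            "name": "default",
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}]},
        {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
    ),
}


def audit_sample() -> list[RegionFinding]:
    """Run the evaluation over the constructed sample, in the order regions are listed."""
    return [evaluate_region(rec, st, region) for region, (rec, st) in SAMPLE.items()]


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.region}: {'PASS' if f.compliant else 'FAIL'} {'; '.join(f.reasons)}")
```

The global-resource check is applied per region to mirror the console steps on this page; if you instead follow the AWS recommendation of recording global resource types in a single region only, turn that line into an account-level check that at least one region includes them, otherwise every other region will be reported as a finding.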

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

Section → Sub Section | Sub Sections / Internal Rules / Policies / Flags
AWS Foundational Security Best Practices v1.0.0 → [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | 1
CIS AWS v1.2.0 → 2.5 Ensure AWS Config is enabled in all regions | 1
CIS AWS v1.3.0 → 3.5 Ensure AWS Config is enabled in all regions | 1
CIS AWS v1.4.0 → 3.5 Ensure AWS Config is enabled in all regions | 1
CIS AWS v1.5.0 → 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | 1
CIS AWS v2.0.0 → 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | 1
CIS AWS v3.0.0 → 3.3 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | 1
CIS AWS v4.0.0 → 3.3 Ensure AWS Config is enabled in all regions (Automated) | 1
CIS AWS v4.0.1 → 3.3 Ensure AWS Config is enabled in all regions (Automated) | 1
CIS AWS v5.0.0 → 3.3 Ensure AWS Config is enabled in all regions (Automated) | 1
Cloudaware Framework → System Configuration | 30
FedRAMP High Security Controls → AU-12 Audit Record Generation (L)(M)(H) | 265
FedRAMP High Security Controls → CM-3 Configuration Change Control (M)(H) | 425
FedRAMP High Security Controls → CM-6(1) Automated Management, Application, and Verification (M)(H) | 1
FedRAMP High Security Controls → CM-8 System Component Inventory (L)(M)(H) | 42
FedRAMP High Security Controls → CM-8(2) Automated Maintenance (H) | 1
FedRAMP High Security Controls → SI-4(20) Privileged Users (H) | 4851
FedRAMP Low Security Controls → AU-12 Audit Record Generation (L)(M)(H) | 65
FedRAMP Low Security Controls → CM-8 System Component Inventory (L)(M)(H) | 2
FedRAMP Moderate Security Controls → AU-12 Audit Record Generation (L)(M)(H) | 65
FedRAMP Moderate Security Controls → CM-3 Configuration Change Control (M)(H) | 219
FedRAMP Moderate Security Controls → CM-6(1) Automated Management, Application, and Verification (M)(H) | 1
FedRAMP Moderate Security Controls → CM-8 System Component Inventory (L)(M)(H) | 22
NIST CSF v2.0 → DE.CM-01: Networks and network services are monitored to find potentially adverse events | 115
NIST CSF v2.0 → DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 81
NIST CSF v2.0 → DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 134
NIST CSF v2.0 → ID.AM-01: Inventories of hardware managed by the organization are maintained | 4
NIST CSF v2.0 → ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained | 9
NIST CSF v2.0 → ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 28
NIST SP 800-53 Revision 5 → AU-12 Audit Record Generation | 44765
NIST SP 800-53 Revision 5 → CM-3 Configuration Change Control | 81725
NIST SP 800-53 Revision 5 → CM-6(1) Configuration Settings _ Automated Management, Application, and Verification | 1
NIST SP 800-53 Revision 5 → CM-8 System Component Inventory | 92
NIST SP 800-53 Revision 5 → CM-8(2) System Component Inventory _ Automated Maintenance | 1
PCI DSS v3.2.1 → 10.5.2 Protect audit trail files from unauthorized modifications. | 14
PCI DSS v3.2.1 → 11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files. | 11
PCI DSS v4.0.1 → 10.3.2 Audit log files are protected to prevent modifications by individuals. | 4
PCI DSS v4.0.1 → 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed. | 1
PCI DSS v4.0 → 10.3.2 Audit log files are protected to prevent modifications by individuals. | 24
PCI DSS v4.0 → 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed. | 1