🛡️ AWS Account Config is not enabled in all regions🟢

Contextual name: 🛡️ Config is not enabled in all regions🟢
ID: /ce/ca/aws/account/config-in-all-regions
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY, SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Account
- 🔌 AWS Config Recorder - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: AWS Config Enabled
Internal: dec-x-88fa51c8

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-88fa51c8	1

Description

Open File

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.

Rationale

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Impact

Enabling AWS Config in all regions provides comprehensive visibility into resource configurations, enhancing security and compliance monitoring. However, this may incur additional costs and require proper configuration management.

Audit

Process to evaluate AWS Config configuration per region:

From Console

Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

On the top right of the console select target Region.

... see more

Remediation

Open File

Remediation

To implement AWS Config configuration:

From Console

Select the region you want to focus on in the top right of the console.

Click Services.

Click Config.

If a Config recorder is enabled in this region, you should navigate to the Settings page from the navigation menu on the left hand side. If a Config recorder is not yet enabled in this region then you should select Get Started.

Select Record all resources supported in this region.

Choose to include global resources (IAM resources).

Specify an S3 bucket in the same account or in another managed AWS account.

Create an SNS Topic from the same AWS account or another managed AWS account.

From Command Line

Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.

Run this command to create a new configuration recorder:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Config.1] AWS Config should be enabled and use the service-linked role for resource recording			1	no data
💼 CIS AWS v1.2.0 → 💼 2.5 Ensure AWS Config is enabled in all regions			1	no data
💼 CIS AWS v1.3.0 → 💼 3.5 Ensure AWS Config is enabled in all regions			1	no data
💼 CIS AWS v1.4.0 → 💼 3.5 Ensure AWS Config is enabled in all regions			1	no data
💼 CIS AWS v1.5.0 → 💼 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated)			1	no data
💼 CIS AWS v2.0.0 → 💼 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated)			1	no data
💼 CIS AWS v3.0.0 → 💼 3.3 Ensure AWS Config is enabled in all regions - Level 2 (Automated)			1	no data
💼 CIS AWS v4.0.0 → 💼 3.3 Ensure AWS Config is enabled in all regions (Automated)			1	no data
💼 CIS AWS v4.0.1 → 💼 3.3 Ensure AWS Config is enabled in all regions (Automated)			1	no data
💼 CIS AWS v5.0.0 → 💼 3.3 Ensure AWS Config is enabled in all regions (Automated)			1	no data
💼 CIS AWS v6.0.0 → 💼 4.3 Ensure AWS Config is enabled in all regions (Automated)			1	no data
💼 Cloudaware Framework → 💼 System Configuration			45	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		65	no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		25	no data
💼 FedRAMP High Security Controls → 💼 CM-6(1) Automated Management, Application, and Verification (M)(H)			1	no data
💼 FedRAMP High Security Controls → 💼 CM-8 System Component Inventory (L)(M)(H)	4		5	no data
💼 FedRAMP High Security Controls → 💼 CM-8(2) Automated Maintenance (H)			1	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	51	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65	no data
💼 FedRAMP Low Security Controls → 💼 CM-8 System Component Inventory (L)(M)(H)			2	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		19	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-6(1) Automated Management, Application, and Verification (M)(H)			1	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-8 System Component Inventory (L)(M)(H)	2		5	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142	no data
💼 NIST CSF v2.0 → 💼 ID.AM-01: Inventories of hardware managed by the organization are maintained			4	no data
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained			9	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	65	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	25	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-6(1) Configuration Settings _ Automated Management, Application, and Verification			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-8 System Component Inventory	9		5	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-8(2) System Component Inventory _ Automated Maintenance			1	no data
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications.		1	4	no data
💼 PCI DSS v3.2.1 → 💼 11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files.	1		2	no data
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4	no data
💼 PCI DSS v4.0.1 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			1	no data
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.		2	4	no data
💼 PCI DSS v4.0 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			1	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Audit​

From Console​

Remediation​

Remediation​

From Console​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Audit

From Console

Remediation

Remediation

From Console

From Command Line

policy.yaml

Linked Framework Sections