πŸ“ AWS Account Config is not enabled in all regions 🟒

  • Contextual name: 📁 Config is not enabled in all regions 🟒
  • ID: /ce/ca/aws/account/config-in-all-regions
  • Located in: 📁 AWS Account

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-88fa51c81 | |

Logic

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (the AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.

Rationale

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Impact

Enabling AWS Config in all regions provides comprehensive visibility into resource configurations, enhancing security and compliance monitoring. However, this may incur additional costs and require proper configuration management.

Audit

Process to evaluate the AWS Config configuration per region:

From Console
  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
  2. In the top right of the console, select the target Region.


Remediation

To implement AWS Config configuration:

From Console

  1. Select the region you want to focus on in the top right of the console.
  2. Click Services.
  3. Click Config.
  4. If a Config recorder is enabled in this region, you should navigate to the Settings page from the navigation menu on the left hand side. If a Config recorder is not yet enabled in this region then you should select Get Started.
  5. Select Record all resources supported in this region.
  6. Choose to include global resources (IAM resources).
  7. Specify an S3 bucket in the same account or in another managed AWS account.
  8. Create an SNS Topic from the same AWS account or another managed AWS account.

From Command Line

  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
  2. Run this command to create a new configuration recorder:

     aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true
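To verify that the recorder created above actually exists and is recording in every region, the following added example (not part of this policy page or of AWS's tooling) applies the per-region audit to the JSON returned by `aws configservice describe-configuration-recorders` and `aws configservice describe-configuration-recorder-status`. The region names and responses are constructed sample data so the check runs offline; the "global resources recorded in at least one region" rule is this example's interpretation of the `includeGlobalResourceTypes=true` setting in the remediation command.

```python
# Added example: evaluates AWS Config recorder state per region using the
# JSON shape of describe-configuration-recorders and
# describe-configuration-recorder-status. Sample data below is constructed.

def evaluate_region(recorders, statuses):
    """Evaluate one region. Returns (compliant, reasons)."""
    reasons = []
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return False, ["no configuration recorder in this region"]
    rec = recs[0]  # AWS Config allows a single recorder per region
    if not rec.get("recordingGroup", {}).get("allSupported"):
        reasons.append("recorder does not record all supported resource types")
    status = next((s for s in statuses.get("ConfigurationRecordersStatus", [])
                   if s["name"] == rec["name"]), {})
    if not status.get("recording"):
        reasons.append("recorder exists but recording is stopped")
    if status.get("lastStatus", "").upper() == "FAILURE":
        reasons.append("last recorder status is FAILURE")
    return not reasons, reasons


def evaluate_account(per_region):
    """per_region maps region -> (recorders_json, status_json). Returns
    {region: reasons} for non-compliant regions, plus an 'account' finding
    if no region records global (IAM) resource types."""
    findings = {}
    global_covered = False
    for region, (recorders, statuses) in per_region.items():
        compliant, reasons = evaluate_region(recorders, statuses)
        if not compliant:
            findings[region] = reasons
        for rec in recorders.get("ConfigurationRecorders", []):
            if rec.get("recordingGroup", {}).get("includeGlobalResourceTypes"):
                global_covered = True
    if not global_covered:
        findings["account"] = ["no region includes global resource types (IAM)"]
    return findings


# Constructed sample responses mirroring the CLI's JSON output.
RECORDER_OK = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]}
STATUS_OK = {"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "Success"}]}
STATUS_STOPPED = {"ConfigurationRecordersStatus": [{"name": "default", "recording": False, "lastStatus": "Success"}]}
SAMPLE = {
    "us-east-1": (RECORDER_OK, STATUS_OK),
    "eu-west-1": (RECORDER_OK, STATUS_STOPPED),  # recorder created but stopped
    "ap-south-1": ({"ConfigurationRecorders": []}, {"ConfigurationRecordersStatus": []}),
}
```

Against a real account, build `per_region` by running the two `describe-*` commands with `--region` for each region listed by `aws ec2 describe-regions`; a region that only appears under `findings` because its recorder is stopped still needs `aws configservice start-configuration-recorder`, not a new recorder.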


policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags (counts)
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | 1
💼 CIS AWS v1.2.0 → 💼 2.5 Ensure AWS Config is enabled in all regions | 1
💼 CIS AWS v1.3.0 → 💼 3.5 Ensure AWS Config is enabled in all regions | 1
💼 CIS AWS v1.4.0 → 💼 3.5 Ensure AWS Config is enabled in all regions | 1
💼 CIS AWS v1.5.0 → 💼 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | 1
💼 CIS AWS v2.0.0 → 💼 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | 1
💼 CIS AWS v3.0.0 → 💼 3.3 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | 1
💼 CIS AWS v4.0.0 → 💼 3.3 Ensure AWS Config is enabled in all regions (Automated) | 1
💼 CIS AWS v4.0.1 → 💼 3.3 Ensure AWS Config is enabled in all regions (Automated) | 1
💼 CIS AWS v5.0.0 → 💼 3.3 Ensure AWS Config is enabled in all regions (Automated) | 1
💼 Cloudaware Framework → 💼 System Configuration | 24
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 247
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 421
💼 FedRAMP High Security Controls → 💼 CM-6(1) Automated Management, Application, and Verification (M)(H) | 1
💼 FedRAMP High Security Controls → 💼 CM-8 System Component Inventory (L)(M)(H) | 41
💼 FedRAMP High Security Controls → 💼 CM-8(2) Automated Maintenance (H) | 1
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H) | 4648
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 47
💼 FedRAMP Low Security Controls → 💼 CM-8 System Component Inventory (L)(M)(H) | 1
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 47
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 217
💼 FedRAMP Moderate Security Controls → 💼 CM-6(1) Automated Management, Application, and Verification (M)(H) | 1
💼 FedRAMP Moderate Security Controls → 💼 CM-8 System Component Inventory (L)(M)(H) | 21
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 83
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 59
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 89
💼 NIST CSF v2.0 → 💼 ID.AM-01: Inventories of hardware managed by the organization are maintained | 3
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained | 7
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 24
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation | 44547
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control | 81521
💼 NIST SP 800-53 Revision 5 → 💼 CM-6(1) Configuration Settings _ Automated Management, Application, and Verification | 1
💼 NIST SP 800-53 Revision 5 → 💼 CM-8 System Component Inventory | 91
💼 NIST SP 800-53 Revision 5 → 💼 CM-8(2) System Component Inventory _ Automated Maintenance | 1
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications. | 24
💼 PCI DSS v3.2.1 → 💼 11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files. | 11
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals. | 4
💼 PCI DSS v4.0.1 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed. | 1
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals. | 4
💼 PCI DSS v4.0 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed. | 1