Description
AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.
Rationale
The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
Impact
Enabling AWS Config in all regions provides comprehensive visibility into resource configurations, enhancing security and compliance monitoring. However, this may incur additional costs and require proper configuration management.
Audit
Process to evaluate AWS Config configuration per region:
From Console
1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
2. On the top right of the console, select the target Region.
3. If a Config recorder is enabled in this region, navigate to the Settings page from the navigation menu on the left-hand side. If a Config recorder is not yet enabled in this region, select Get Started.
4. Ensure "Record all resources supported in this region" is checked.
5. Ensure "Include global resources (e.g., AWS IAM resources)" is checked, unless it is enabled in another region (this is only required in one region).
6. Ensure the correct S3 bucket has been defined.
7. Ensure the correct SNS topic has been defined.
8. Repeat steps 2 to 7 for each region.
From Command Line
1. Run this command to show all AWS Config recorders and their properties:
   aws configservice describe-configuration-recorders
2. Evaluate the output to ensure that every recorder has a recordingGroup object which includes "allSupported": true. Additionally, ensure that at least one recorder has "includeGlobalResourceTypes": true.
   Note: there is one more parameter, "resourceTypes", in the recordingGroup object. It does not need to be checked: whenever "allSupported": true is set, AWS enforces that the resource types list is empty ("resourceTypes": []).
   Sample Output:
       {
           "ConfigurationRecorders": [
               {
                   "recordingGroup": {
                       "allSupported": true,
                       "resourceTypes": [],
                       "includeGlobalResourceTypes": true
                   },
                   "roleARN": "arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>",
                   "name": "default"
               }
           ]
       }
3. Run this command to show the status for all AWS Config recorders:
   aws configservice describe-configuration-recorder-status
4. In the output, find the recorders whose name key matches the recorders that were evaluated in step 2. Ensure that they include "recording": true and "lastStatus": "SUCCESS".
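As an added example (not part of the benchmark text or any AWS tooling), the following Python applies the command-line audit criteria above to the parsed JSON of the two commands, so the same checks can be run over every region's output; the sample inputs are constructed to resemble the CLI output, and the account id and role name are placeholders.

```python
from typing import Dict, List
# Added example (not the benchmark's code): applies the command-line audit
# criteria to the parsed JSON of describe-configuration-recorders and
# describe-configuration-recorder-status for one region.

def evaluate_region(recorders: Dict, statuses: Dict) -> List[str]:
    """Return audit findings for one region; an empty list means it passes."""
    findings = []
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no AWS Config recorder is defined in this region"]
    status_by_name = {s.get("name"): s
                      for s in statuses.get("ConfigurationRecordersStatus", [])}
    for rec in recs:
        name = rec.get("name", "<unnamed>")
        if not rec.get("recordingGroup", {}).get("allSupported", False):
            findings.append(f"{name}: allSupported is not true")
        st = status_by_name.get(name)
        if st is None:
            findings.append(f"{name}: no status entry returned")
            continue
        if not st.get("recording", False):
            findings.append(f"{name}: recording is not true")
        if st.get("lastStatus") != "SUCCESS":
            findings.append(f"{name}: lastStatus is {st.get('lastStatus')!r}")
    return findings

def global_resources_covered(recorders_by_region: Dict[str, Dict]) -> bool:
    """includeGlobalResourceTypes only needs to be true in one region."""
    return any(r.get("recordingGroup", {}).get("includeGlobalResourceTypes", False)
               for body in recorders_by_region.values()
               for r in body.get("ConfigurationRecorders", []))

# Constructed sample data shaped like the CLI output (placeholder account id).
GOOD_RECORDERS = {"ConfigurationRecorders": [{"name": "default",
    "roleARN": "arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>",
    "recordingGroup": {"allSupported": True, "resourceTypes": [],
                       "includeGlobalResourceTypes": True}}]}
GOOD_STATUS = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": True, "lastStatus": "SUCCESS"}]}
BAD_RECORDERS = {"ConfigurationRecorders": [{"name": "default", "recordingGroup":
    {"allSupported": False, "resourceTypes": ["AWS::EC2::Instance"],
     "includeGlobalResourceTypes": False}}]}
BAD_STATUS = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": False, "lastStatus": "FAILURE"}]}

if __name__ == "__main__":
    print("us-east-1:", evaluate_region(GOOD_RECORDERS, GOOD_STATUS) or "PASS")
    print("eu-west-1:", evaluate_region(BAD_RECORDERS, BAD_STATUS) or "PASS")
```

To use it against live data, pipe the two commands' output through json.loads for each region and pass the results to evaluate_region, collecting the recorder JSON per region for global_resources_covered.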