AWS-ConfigService-Config-Service-Enabled
Severity: High
Description: This control checks that AWS Config is enabled in all regions. AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.
Remediation Steps:
Perform the following to set up AWS Config:
1. Log in to the AWS Management Console at https://console.aws.amazon.com.
2. Open AWS Config under Services.
3. If presented, choose Get Started Now; otherwise, click Settings.
4. On the Settings page, click the Turn on button to enable Config.
5. For Resource types to record, specify the AWS resource types you want AWS Config to record:
   - All resources - AWS Config records all supported resources with the following options:
     - Record all resources supported in this region - AWS Config records configuration changes for every supported type of regional resource. When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.
     - Include global resources - AWS Config includes supported types of global resources with the resources that it records (for example, IAM resources). When AWS Config adds support for a new global resource type, AWS Config automatically starts recording resources of that type.
6. For Amazon S3 Bucket, choose the Amazon S3 bucket to which AWS Config sends configuration history and configuration snapshot files:
   - Create a new bucket - For Bucket Name, type a name for your Amazon S3 bucket.
   - Choose a bucket from your account - For Bucket Name, choose your preferred bucket.
   - Choose a bucket from another account - For Bucket Name, type the bucket name. If you choose a bucket from another account, that bucket must have policies that grant access permissions to AWS Config.
7. For Amazon SNS Topic, choose whether AWS Config streams information by selecting Stream configuration changes and notifications to an Amazon SNS topic. AWS Config sends notifications such as configuration history delivery, configuration snapshot delivery, and compliance.
8. If you chose to have AWS Config stream to an Amazon SNS topic, choose the target topic:
   - Create a new topic - For Topic Name, type a name for your SNS topic.
   - Choose a topic from your account - For Topic Name, select your preferred topic.
   - Choose a topic from another account - For Topic ARN, type the Amazon Resource Name (ARN) of the topic. If you choose a topic from another account, the topic must have policies that grant access permissions to AWS Config.
9. For AWS Config role, choose the IAM role that grants AWS Config permission to record configuration information and send this information to Amazon S3 and Amazon SNS:
   - Create a role - AWS Config creates a role that has the required permissions. For Role name, you can customize the name that AWS Config creates.
   - Choose a role from your account - For Role name, choose an IAM role in your account. AWS Config will attach the required policies.
     Note: Check the box if you want to use the IAM role as is. AWS Config will not attach policies to the role.
10. If you are setting up AWS Config in a region that supports rules, choose Next. Otherwise, choose Save.
11. AWS Config displays the Resource inventory page.
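As an added example, not part of this control page, the following Python evaluates the same control offline: for each region it checks that a recorder exists, records all supported and global resource types, is actually recording, and has a delivery channel. The API-shaped input, region names, account id, role ARN and bucket name are all constructed placeholders.

```python
"""Evaluate the page's control (AWS Config enabled and recording in every region) on
per-region API responses; the constructed sample below mirrors the response shape of
DescribeConfigurationRecorders/RecorderStatus/DeliveryChannels. Nothing calls AWS."""

def evaluate_region(recorders, statuses, channels):
    """Return the findings for one region; an empty list means the region passes."""
    if not recorders:
        return ["no configuration recorder (AWS Config never turned on)"]
    findings = []
    recorder = recorders[0]
    group = recorder.get("recordingGroup", {})
    if not group.get("allSupported"):
        findings.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        findings.append("recorder does not include global resources (e.g. IAM)")
    status = {s["name"]: s for s in statuses}.get(recorder["name"], {})
    if not status.get("recording"):
        findings.append("recorder exists but is not recording")
    elif status.get("lastStatus", "").upper() == "FAILURE":
        findings.append("last delivery attempt failed")
    if not channels:
        findings.append("no delivery channel (S3 bucket) configured")
    return findings

def evaluate_account(regions):
    """regions: {region: (recorders, statuses, channels)} -> {region: findings}."""
    return {name: evaluate_region(*data) for name, data in regions.items()}

# Constructed sample: a compliant region, a partially configured one, and one
# where Config was never enabled. Account id and bucket name are placeholders.
ROLE = "arn:aws:iam::111122223333:role/aws-config-role"
SAMPLE = {
    "us-east-1": (
        [{"name": "default", "roleARN": ROLE, "recordingGroup": {
            "allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []}}],
        [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
        [{"name": "default", "s3BucketName": "example-config-bucket"}],
    ),
    "eu-west-1": (
        [{"name": "default", "roleARN": ROLE, "recordingGroup": {
            "allSupported": False, "includeGlobalResourceTypes": False,
            "resourceTypes": ["AWS::EC2::Instance"]}}],
        [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}],
        [],
    ),
    "ap-southeast-2": ([], [], []),
}
if __name__ == "__main__":
    for region, findings in evaluate_account(SAMPLE).items():
        print(region, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```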
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #3.5