Profile Applicability:

Level 2

Description:

AWS Config is a managed service that continuously monitors and records AWS resource configurations. It tracks changes, compliance status, and relationships between resources across AWS accounts.

Why Enable AWS Config?

  • Monitors AWS resource changes in real time.

  • Tracks compliance with security policies.

  • Helps detect unauthorized changes to infrastructure.

  • Supports auditing & forensics in case of security incidents.

  • Ensures compliance with CIS, SOC 2, PCI-DSS, HIPAA, and ISO 27001.

Rationale:

  • Provides historical change tracking of AWS resources.

  • Improves security posture by tracking misconfigurations.

  • Enables continuous compliance monitoring.

  • Helps with post-incident forensic analysis.

Impact:

Pros:

  1. Helps detect misconfigurations & unauthorized changes.

  2. Supports auditing and regulatory compliance.

  3. Improves security monitoring and troubleshooting.

Cons:

  1. Incurs additional costs for AWS Config logs stored in S3.

  2. Requires proper configuration (SNS notifications, S3 logging).

Default Value:

AWS Config is NOT enabled by default in any region. It must be enabled manually for each AWS account and region.

Pre-Requisites:

IAM permissions required:

  • config:PutConfigurationRecorder

  • config:PutDeliveryChannel

  • config:StartConfigurationRecorder

  • s3:PutBucketPolicy

  • sns:CreateTopic

AWS CLI installed for automation.

Remediation:

Test Plan:

Using AWS Console

Step 1: Check AWS Config Status

  1. Log in to the AWS Management Console

  2. Navigate to AWS Config Console → AWS Config Dashboard

  3. Select each AWS Region

  4. If AWS Config is enabled, you will see:

    • Config Recorder = Enabled

    • Record All AWS Resources = Enabled

    • Include Global Resources = Enabled

    • S3 bucket & SNS Topic configured

  5. Repeat for all AWS Regions.

  • If AWS Config is enabled in all regions, no further action is needed.

  • If AWS Config is disabled in any region, follow the remediation steps.

Using AWS CLI

Step 1: Check AWS Config Recorders

aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[*]'

Expected Output (if AWS Config is enabled):

[
    {
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/service-role/AWSConfigRole",
        "recordingGroup": {
            "allSupported": true,
            "includeGlobalResourceTypes": true
        }
    }
]

If allSupported is false, AWS Config is not tracking all resources!

Step 2: Check AWS Config Recorder Status

aws configservice describe-configuration-recorder-status --query 'ConfigurationRecordersStatus[*]'

Expected Output (if AWS Config is running):

[
    {
        "name": "default",
        "recording": true,
        "lastStatus": "SUCCESS"
    }
]

If recording=false, AWS Config is not capturing changes!
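The two CLI checks above have to be repeated for every region and the output read by hand. The following script is an added example (not part of the benchmark or of AWS tooling) that applies the same expectations to the JSON those two commands return: a recorder must exist, record all supported and global resource types, have a role attached, and be recording with lastStatus SUCCESS. The sample outputs are constructed to show one compliant region and the three failure modes the text calls out; the account ID and role name are placeholders. The optional collect_region helper assumes boto3 and credentials are available and is not exercised by the sample.

```python
"""Evaluate AWS Config recorder and status output per region (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RegionResult:
    region: str
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def assess_region(region: str, recorders: list, statuses: list) -> RegionResult:
    """Apply the benchmark's expectations to one region's parsed CLI output.

    recorders: the list from describe-configuration-recorders
    statuses:  the list from describe-configuration-recorder-status
    """
    result = RegionResult(region)
    if not recorders:
        # No recorder at all: AWS Config has never been set up in this region.
        result.findings.append("no configuration recorder defined")
        return result
    status_by_name = {s["name"]: s for s in statuses}
    for rec in recorders:
        name = rec.get("name", "?")
        group = rec.get("recordingGroup", {})
        if not group.get("allSupported", False):
            result.findings.append(f"recorder {name}: allSupported is false")
        if not group.get("includeGlobalResourceTypes", False):
            result.findings.append(f"recorder {name}: global resource types not included")
        if not rec.get("roleARN"):
            result.findings.append(f"recorder {name}: no IAM role attached")
        st = status_by_name.get(name)
        if st is None:
            result.findings.append(f"recorder {name}: no status reported")
        elif not st.get("recording", False):
            result.findings.append(f"recorder {name}: recording is false")
        elif st.get("lastStatus") != "SUCCESS":
            result.findings.append(f"recorder {name}: lastStatus is {st.get('lastStatus')}")
    return result


def assess_account(outputs: Dict[str, Tuple[str, str]]) -> Dict[str, RegionResult]:
    """outputs maps region -> (recorders JSON text, statuses JSON text) as printed by the CLI."""
    return {region: assess_region(region, json.loads(recorders), json.loads(statuses))
            for region, (recorders, statuses) in outputs.items()}


def collect_region(region: str) -> RegionResult:
    """Fetch the same two results with boto3 (assumption: boto3 and credentials present)."""
    import boto3
    client = boto3.client("config", region_name=region)
    recorders = client.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = client.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    return assess_region(region, recorders, statuses)


# Constructed sample output; the account ID 123456789012 and role name are placeholders.
_ROLE = "arn:aws:iam::123456789012:role/service-role/AWSConfigRole"
SAMPLE_OUTPUT = {
    # Compliant: all resources, global types, recording, last delivery succeeded.
    "us-east-1": (
        '[{"name": "default", "roleARN": "%s", "recordingGroup": '
        '{"allSupported": true, "includeGlobalResourceTypes": true}}]' % _ROLE,
        '[{"name": "default", "recording": true, "lastStatus": "SUCCESS"}]',
    ),
    # Recorder limited to a resource-type list: allSupported and global tracking are off.
    "eu-west-1": (
        '[{"name": "default", "roleARN": "%s", "recordingGroup": {"allSupported": false, '
        '"includeGlobalResourceTypes": false, "resourceTypes": ["AWS::EC2::Instance"]}}]' % _ROLE,
        '[{"name": "default", "recording": true, "lastStatus": "SUCCESS"}]',
    ),
    # Recorder defined but stopped.
    "ap-southeast-1": (
        '[{"name": "default", "roleARN": "%s", "recordingGroup": '
        '{"allSupported": true, "includeGlobalResourceTypes": true}}]' % _ROLE,
        '[{"name": "default", "recording": false, "lastStatus": "FAILURE"}]',
    ),
    # AWS Config never enabled.
    "sa-east-1": ("[]", "[]"),
}

if __name__ == "__main__":
    for region, res in assess_account(SAMPLE_OUTPUT).items():
        state = "PASS" if res.compliant else "FAIL"
        print(f"{region}: {state}" + ("".join(f"\n    - {f}" for f in res.findings)))
```

Feeding the script from the CLI is a matter of capturing `aws configservice describe-configuration-recorders --region <r>` and the matching status command per region into the two strings; a single non-compliant region fails the control, which is why the result is kept per region rather than as one boolean.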


Implementation Steps:

Method 1: Enable AWS Config via AWS Console

Step 1: Enable AWS Config in Each Region

  1. Log in to the AWS Console

  2. Navigate to AWS Config Console

  3. Select a Region

  4. Click Get Started (if AWS Config is not enabled)

  5. Select "Record all resources supported in this region"

  6. Enable Global Resource Tracking (IAM, CloudFront, Route53)

  7. Select S3 Bucket & SNS Topic for logs

  8. Click Save changes

  • Repeat for all AWS Regions.

Method 2: Enable AWS Config via AWS CLI

Step 1: Enable AWS Config Recorder

aws configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/AWSConfigRole \
    --recording-group allSupported=true,includeGlobalResourceTypes=true

  • This command creates the configuration recorder in the region the CLI is targeting (the default region or the one given with --region); repeat it for every region in use.

Step 2: Set Up AWS Config Delivery Channel

Create a file named config-delivery.json with the following contents:

{
    "name": "default",
    "s3BucketName": "my-config-bucket",
    "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:MyTopic",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

aws configservice put-delivery-channel --delivery-channel file://config-delivery.json

  • This command sets up AWS Config logging to S3 & SNS. The S3 bucket and SNS topic must already exist, and their policies must allow the AWS Config service principal to write to them; otherwise the call is rejected.

Step 3: Start AWS Config Recorder

aws configservice start-configuration-recorder --configuration-recorder-name default

  • This command starts AWS Config monitoring.
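Steps 1 to 3 must be applied in every region and in that order, and re-running them should not disturb a region that is already configured. The script below is an added example, not the benchmark's own tooling or an AWS-provided script: it builds the same recorder and delivery-channel documents as the CLI steps, validates the delivery frequency against the values the API accepts, and applies the three calls only where the region still needs them. It assumes boto3 and credentials with the permissions listed under Pre-Requisites; the role ARN, bucket and topic are placeholders that must already exist with policies allowing the AWS Config service principal. FakeConfigClient is an in-memory stand-in for the boto3 client so the logic can be exercised offline.

```python
"""Idempotently enable AWS Config across regions (added example, uses boto3 lazily)."""
from typing import List, Optional

# Values accepted by configSnapshotDeliveryProperties.deliveryFrequency.
VALID_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}

# Placeholders: substitute the real role, bucket and topic for the account.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/AWSConfigRole"
EXAMPLE_BUCKET = "my-config-bucket"
EXAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:MyTopic"


def recorder_spec(role_arn: str, name: str = "default") -> dict:
    """Same shape as --configuration-recorder / --recording-group in Step 1."""
    if not role_arn.startswith("arn:aws:iam::"):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    }


def delivery_channel_spec(bucket: str, topic_arn: str,
                          frequency: str = "Twelve_Hours", name: str = "default") -> dict:
    """Same document as config-delivery.json in Step 2, validated before use."""
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"deliveryFrequency must be one of {sorted(VALID_FREQUENCIES)}")
    return {
        "name": name,
        "s3BucketName": bucket,
        "snsTopicARN": topic_arn,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency},
    }


def _recorder_is_complete(rec: dict) -> bool:
    group = rec.get("recordingGroup", {})
    return bool(group.get("allSupported")) and bool(group.get("includeGlobalResourceTypes"))


def enable_config_in_region(region: str, role_arn: str, bucket: str, topic_arn: str,
                            client: Optional[object] = None) -> List[str]:
    """Apply Steps 1-3 in one region, skipping what is already in place; returns actions taken."""
    if client is None:
        import boto3  # assumption: boto3 installed and credentials configured
        client = boto3.client("config", region_name=region)
    actions: List[str] = []
    wanted = recorder_spec(role_arn)

    # Step 1: create or widen the recorder unless one already records everything.
    existing = client.describe_configuration_recorders().get("ConfigurationRecorders", [])
    if not any(_recorder_is_complete(r) for r in existing):
        client.put_configuration_recorder(ConfigurationRecorder=wanted)
        actions.append("put_configuration_recorder")

    # Step 2: a region can hold only one delivery channel; create it if absent.
    channels = client.describe_delivery_channels().get("DeliveryChannels", [])
    if not channels:
        client.put_delivery_channel(DeliveryChannel=delivery_channel_spec(bucket, topic_arn))
        actions.append("put_delivery_channel")

    # Step 3: start recording unless the recorder is already running.
    status = client.describe_configuration_recorder_status().get("ConfigurationRecordersStatus", [])
    if not any(s.get("recording") for s in status):
        client.start_configuration_recorder(ConfigurationRecorderName=wanted["name"])
        actions.append("start_configuration_recorder")
    return actions


class FakeConfigClient:
    """In-memory stand-in for boto3's Config client (constructed for offline use only)."""

    def __init__(self) -> None:
        self.recorders: List[dict] = []
        self.channels: List[dict] = []
        self.recording = False

    def describe_configuration_recorders(self) -> dict:
        return {"ConfigurationRecorders": self.recorders}

    def describe_delivery_channels(self) -> dict:
        return {"DeliveryChannels": self.channels}

    def describe_configuration_recorder_status(self) -> dict:
        return {"ConfigurationRecordersStatus":
                [{"name": r["name"], "recording": self.recording} for r in self.recorders]}

    def put_configuration_recorder(self, ConfigurationRecorder: dict) -> None:
        self.recorders = [ConfigurationRecorder]

    def put_delivery_channel(self, DeliveryChannel: dict) -> None:
        self.channels = [DeliveryChannel]

    def start_configuration_recorder(self, ConfigurationRecorderName: str) -> None:
        self.recording = True


if __name__ == "__main__":
    fake = FakeConfigClient()
    print(enable_config_in_region("us-east-1", EXAMPLE_ROLE_ARN, EXAMPLE_BUCKET, EXAMPLE_TOPIC_ARN, client=fake))
    print(enable_config_in_region("us-east-1", EXAMPLE_ROLE_ARN, EXAMPLE_BUCKET, EXAMPLE_TOPIC_ARN, client=fake))
```

Against real regions, call enable_config_in_region once per region name (for example over the output of `aws ec2 describe-regions`); the returned action list doubles as a change record for the audit trail, and an empty list confirms the region was already compliant.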

Backout Plan:

If AWS Config causes issues:

  • Stop AWS Config Recorder:

    aws configservice stop-configuration-recorder --configuration-recorder-name default

  • Delete AWS Config Delivery Channel:

    aws configservice delete-delivery-channel --delivery-channel-name default

  • Delete AWS Config Recorder:

    aws configservice delete-configuration-recorder --configuration-recorder-name default

Ensure disabling AWS Config is justified before proceeding.

References: