Profile Applicability:
- Level 1
Description:
The AWS Config Recorder is responsible for recording configuration changes to AWS resources in your account. To track these changes securely and reliably, AWS Config requires the use of an IAM role that grants AWS Config the necessary permissions to record resource configurations. This role, known as the service-linked role, is automatically created by AWS when you enable AWS Config. Using the service-linked AWS Config role ensures that AWS Config can operate with the proper permissions and comply with security best practices, making it easier to manage access and resources in your AWS environment.
Rationale:
Using the service-linked AWS Config role ensures that AWS Config can securely track and record resource configuration changes across your AWS environment. This role is automatically created and managed by AWS, which reduces the chances of misconfiguration or unauthorized access. Without the service-linked role, AWS Config may not function properly, or it may lack the necessary permissions to record resource changes, leading to incomplete audit trails and potential compliance gaps.
Impact:
Pros:
Security: Ensures that AWS Config has the right level of permissions to track changes without unnecessary risks.
Operational Efficiency: By using a service-linked role, AWS Config operates without requiring manual configuration of permissions.
Compliance: Helps maintain full visibility into resource configurations for compliance audits.
Cons:
Dependency on Service-Linked Role: While the service-linked role is created and managed by AWS, reliance on it means you can't modify its permissions.
Limited Customization: The service-linked role is predefined, so it may not be fully customizable to meet very specific permission requirements.
Default Value:
By default, when you enable AWS Config, the service-linked AWS Config role is automatically created. If you are not using the service-linked role, AWS Config may not function as expected, or there might be gaps in the configuration history recorded by AWS Config.
Prerequisites:
AWS IAM Permissions:
config:DescribeConfigurationRecorder
iam:ListRoles
iam:AttachRolePolicy
AWS CLI or AWS Console access for configuring AWS Config and IAM roles.
AWS Config must be enabled in your account.
Remediation:
Test plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Config under Services.
In the AWS Config Dashboard, check if AWS Config Recorder is enabled.
Verify that the service-linked role is in use:
Under Settings, you should see the role name that AWS Config is using. It should be the AWSConfigRole (the service-linked role created by AWS).
If the service-linked role is not in use, enable it by selecting Use the default service-linked role option.
Save changes and ensure the configuration recorder is active with the proper permissions.
Using AWS CLI:
Run the following command to describe the configuration recorder and check if the service-linked role is used:
aws configservice describe-configuration-recorders --query "ConfigurationRecorders[*].roleARN"
The result should show the ARN of the service-linked role AWSServiceRoleForConfig
(e.g., arn:aws:iam::<account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig).
If the service-linked role is missing or incorrect, use the following command to set up the recorder with the service-linked role:
aws configservice put-configuration-recorder --configuration-recorder "name=default,roleARN=arn:aws:iam::<account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to AWS Config.
In the AWS Config Dashboard, ensure Configuration Recorder is enabled.
Under Settings, verify that the AWSConfigRole is listed as the role.
If not, click Edit and enable the service-linked role option.
Confirm the changes, and ensure that AWS Config is now correctly using the service-linked role.
Using AWS CLI:
To set up the configuration recorder with the service-linked role, use the following command:
aws configservice put-configuration-recorder --configuration-recorder "name=default,roleARN=arn:aws:iam::<account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
Verify that the role is being used:
aws configservice describe-configuration-recorders --query "ConfigurationRecorders[*].roleARN"
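The test plan and implementation steps above both reduce to one check: does every configuration recorder's roleARN point at the AWS Config service-linked role? The following Python script, added here as an example and not part of this benchmark, evaluates the JSON returned by describe-configuration-recorders (or boto3's describe_configuration_recorders) against that rule; the sample response and account ID 123456789012 are constructed, not captured from a real account.

```python
import re

# The AWS Config service-linked role is AWSServiceRoleForConfig under the
# /aws-service-role/config.amazonaws.com/ path; group 1 captures the account ID.
SLR_PATTERN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):role/aws-service-role/"
    r"config\.amazonaws\.com/AWSServiceRoleForConfig$"
)


def is_service_linked_role(role_arn, account_id=None):
    """True if role_arn is the Config service-linked role (for account_id, if given)."""
    m = SLR_PATTERN.match(role_arn or "")
    return bool(m) and (account_id is None or m.group(1) == account_id)


def evaluate_recorders(response, account_id=None):
    """Return {recorder name: 'PASS' | 'FAIL: ...'} for a
    describe_configuration_recorders() / describe-configuration-recorders result."""
    recorders = response.get("ConfigurationRecorders", [])
    if not recorders:
        return {"<none>": "FAIL: no configuration recorder defined"}
    findings = {}
    for rec in recorders:
        arn = rec.get("roleARN", "")
        if is_service_linked_role(arn, account_id):
            findings[rec["name"]] = "PASS"
        else:
            findings[rec["name"]] = f"FAIL: custom or missing role {arn!r}"
    return findings


# Constructed sample in the shape the API returns (not captured from a real account).
SAMPLE_RESPONSE = {
    "ConfigurationRecorders": [
        {"name": "default",
         "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/"
                    "config.amazonaws.com/AWSServiceRoleForConfig"},
        {"name": "legacy", "roleARN": "arn:aws:iam::123456789012:role/MyConfigRole"},
    ]
}

if __name__ == "__main__":
    try:
        import boto3  # optional: evaluate the live account instead of the sample
        response = boto3.client("config").describe_configuration_recorders()
    except Exception:  # no boto3, region or credentials: fall back to the sample
        response = SAMPLE_RESPONSE
    for name, result in evaluate_recorders(response).items():
        print(f"{name}: {result}")
```

If the service-linked role does not exist yet in the account, put-configuration-recorder will reject its ARN; `aws iam create-service-linked-role --aws-service-name config.amazonaws.com` creates it first.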
Backout Plan:
Using AWS Console:
If enabling the service-linked role causes issues with AWS Config (e.g., incorrect permissions or untracked resources):
Navigate to AWS Config → Settings → Edit and revert to using a custom role (if applicable).
Save changes and monitor AWS Config to ensure that data is correctly recorded and displayed.
Using AWS CLI:
If there are issues with the service-linked role, revert by changing the role configuration to a custom role (if applicable):
aws configservice put-configuration-recorder --configuration-recorder "name=default,roleARN=arn:aws:iam::<account-id>:role/<custom-role-name>"
Verify that AWS Config is using the correct role by running:
aws configservice describe-configuration-recorders --query "ConfigurationRecorders[*].roleARN"
Note:
Service-Linked Role Management: AWS automatically creates and manages the service-linked role for AWS Config. However, if you are using custom IAM roles, make sure that the role has the correct permissions to allow AWS Config to record resource configurations properly.
Automatic Role Creation: AWS automatically creates the service-linked role when you first enable AWS Config. If you have disabled or modified the role, it might require re-enabling through the console or CLI.