Profile Applicability
- Level 1
Description:
AWS Config is a service that provides an inventory of AWS resources, tracks resource configuration history, and monitors configuration changes. It is a regional service: a configuration recorder and its delivery channel exist (or do not) independently in every region, so enabling AWS Config in one region records nothing about resources deployed elsewhere.
Enabling AWS Config in all regions gives consistent visibility across the entire AWS environment, regardless of where resources are deployed, and ensures that every configuration change is tracked, recorded, and evaluated for compliance. Global resource types (for example IAM) are not region-scoped and should be recorded in one region only; recording them in several regions produces duplicate configuration items.
Rationale:
Enabling AWS Config across all regions provides:
Consistency in monitoring resources across all regions to ensure compliance.
Visibility into configuration changes for all AWS resources, helping to identify and address security and compliance issues quickly.
Historical data on resource configuration changes, which is crucial for audits and troubleshooting.
Without enabling AWS Config in all regions, some AWS resources may be left unmonitored, increasing the risk of compliance violations or misconfigurations going undetected.
Impact:
Failure to enable AWS Config in all regions can result in:
Potential non-compliance with security and regulatory standards.
Incomplete visibility into the configuration of AWS resources across different regions.
Difficulty in detecting configuration changes or troubleshooting issues in regions that are not being monitored.
Enabling AWS Config in all regions ensures comprehensive monitoring, reporting, and auditing capabilities for AWS resources across all regions.
Default Value:
AWS Config is not enabled by default. A configuration recorder and a delivery channel must be created, and the recorder started, separately in each region where you have AWS resources.
Pre-Requisites:
AWS CLI installed and configured
An IAM role that AWS Config can assume (the service-linked role AWSServiceRoleForConfig, or a role with the AWS_ConfigRole managed policy) and an S3 bucket to receive the delivery channel's snapshots and history
IAM permissions:
config:DescribeConfigurationRecorders
config:DescribeConfigurationRecorderStatus
config:DescribeDeliveryChannels
config:PutConfigurationRecorder
config:PutDeliveryChannel
config:StartConfigurationRecorder
ec2:DescribeRegions (to enumerate the regions enabled for the account)
iam:PassRole for the role given to the recorder
Remediation:
Test Plan:
Using AWS Console:
Go to the AWS Config Console. The console is region-scoped, so repeat the following checks in every region enabled for the account, switching regions with the region selector.
Under Settings, verify that a configuration recorder exists and that its status is Recording.
Confirm that the recorder is configured to record all supported resource types, and that global resource types are included in exactly one region.
Check that a delivery channel (S3 bucket) is configured and that the last delivery status is successful, so that resource configurations and changes are actually being logged.
Using AWS CLI:
Both commands are regional, so run them once per region (aws ec2 describe-regions --query "Regions[].RegionName" --output text lists the regions enabled for the account). A region passes only if a recorder exists, AllSupported is true and Recording is true:
aws configservice describe-configuration-recorders --region <region> --query "ConfigurationRecorders[*].{Name:name,AllSupported:recordingGroup.allSupported,GlobalResources:recordingGroup.includeGlobalResourceTypes}" --output table
aws configservice describe-configuration-recorder-status --region <region> --query "ConfigurationRecordersStatus[*].{Name:name,Recording:recording,LastStatus:lastStatus}" --output table
To enable AWS Config in a region where it is missing, create the recorder, create a delivery channel, and start the recorder. Set includeGlobalResourceTypes=true in one region only and false everywhere else:
aws configservice put-configuration-recorder --region <region> --configuration-recorder name=default,roleARN=<role-arn> --recording-group allSupported=true,includeGlobalResourceTypes=<true|false>
aws configservice put-delivery-channel --region <region> --delivery-channel name=default,s3BucketName=<bucket-name>
aws configservice start-configuration-recorder --region <region> --configuration-recorder-name default
Implementation Plan:
Using AWS Console:
Enable AWS Config in each region:
Go to the AWS Config Console and select the region in the region selector; the settings below apply only to the selected region.
Under Settings, create (or edit) the configuration recorder, select an IAM role for AWS Config, and choose an S3 bucket for the delivery channel.
Set the Recording Group to record all supported resource types. Include global resource types in one region only (conventionally us-east-1), since they are not region-scoped.
Start the recorder, then repeat for every other region enabled for the account.
Verify the status in all regions:
Switch to each region in turn and confirm under Settings that the recorder status is Recording. For a single cross-region view, an AWS Config aggregator can be created in one region to collect the recorder status and configuration items from all regions.
Using AWS CLI:
Enable AWS Config in each region (repeat per region; includeGlobalResourceTypes=true in one region only):
aws configservice put-configuration-recorder --region <region> --configuration-recorder name=default,roleARN=<role-arn> --recording-group allSupported=true,includeGlobalResourceTypes=<true|false>
aws configservice put-delivery-channel --region <region> --delivery-channel name=default,s3BucketName=<bucket-name>
aws configservice start-configuration-recorder --region <region> --configuration-recorder-name default
Check AWS Config status in each region (Recording must be true; LastStatus should be Success once the first delivery has completed):
aws configservice describe-configuration-recorder-status --region <region> --query "ConfigurationRecordersStatus[*].{Name:name,Recording:recording,LastStatus:lastStatus}" --output table
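The Test Plan and Implementation Plan above both amount to the same loop: enumerate every enabled region, inspect the recorder, its status and its delivery channel, and emit the enable commands where something is missing. The script below is an added example written for this page, not CIS or AWS code. Its decision logic works on the JSON shapes returned by DescribeConfigurationRecorders, DescribeConfigurationRecorderStatus and DescribeDeliveryChannels, so it is exercised here against constructed sample responses; the live boto3 calls are confined to run_audit(). The account ID 111122223333, the role ARN, the bucket name and the choice of us-east-1 as the region that records global resource types are assumptions.

```python
"""Multi-region AWS Config recorder audit (added example, not CIS or AWS code)."""
from dataclasses import dataclass, field


@dataclass
class RegionFinding:
    region: str
    recorder_name: str = "default"   # AWS allows exactly one recorder per region
    channel_name: str = None         # None when no delivery channel exists
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def evaluate_region(region, recorders, statuses, channels, global_region):
    """Check one region's recorder, recorder status and delivery channel.

    global_region is the single region expected to record global resource
    types; recording them in several regions produces duplicate items.
    """
    finding = RegionFinding(region)
    if not recorders:
        finding.issues.append("no configuration recorder")
        return finding
    recorder = recorders[0]
    finding.recorder_name = recorder.get("name", "default")
    group = recorder.get("recordingGroup", {})
    if not group.get("allSupported", False):
        finding.issues.append("recorder does not cover all supported resource types")
    has_global = group.get("includeGlobalResourceTypes", False)
    if region == global_region and not has_global:
        finding.issues.append("global resource types not recorded in designated region")
    if region != global_region and has_global:
        finding.issues.append("global resource types also recorded here (duplicate items)")
    if channels:
        finding.channel_name = channels[0].get("name")
    else:
        finding.issues.append("no delivery channel (recorder cannot be started)")
    status = next((s for s in statuses if s.get("name") == finding.recorder_name), None)
    if status is None or not status.get("recording", False):
        finding.issues.append("recorder exists but is not recording")
    elif status.get("lastStatus") == "Failure":
        finding.issues.append("last delivery failed: " + status.get("lastErrorMessage", ""))
    return finding


def remediation_commands(finding, role_arn, bucket, global_region):
    """aws CLI commands that bring a non-compliant region into line; safe to re-run."""
    if finding.compliant:
        return []
    r, name = finding.region, finding.recorder_name
    include_global = "true" if r == global_region else "false"
    cmds = [f"aws configservice put-configuration-recorder --region {r} "
            f"--configuration-recorder name={name},roleARN={role_arn} "
            f"--recording-group allSupported=true,includeGlobalResourceTypes={include_global}"]
    if finding.channel_name is None:   # only one delivery channel is allowed per region
        cmds.append(f"aws configservice put-delivery-channel --region {r} "
                    f"--delivery-channel name=default,s3BucketName={bucket}")
    cmds.append(f"aws configservice start-configuration-recorder --region {r} "
                f"--configuration-recorder-name {name}")
    return cmds


# Constructed sample responses (assumed account 111122223333; not from a real account).
ROLE = "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
SAMPLE = {
    "us-east-1": (  # fully configured and designated for global resource types
        [{"name": "default", "roleARN": ROLE,
          "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
        [{"name": "default", "recording": True, "lastStatus": "Success"}],
        [{"name": "default", "s3BucketName": "config-111122223333"}]),
    "eu-west-1": (  # recorder and channel exist but the recorder was never started
        [{"name": "default", "roleARN": ROLE,
          "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}],
        [{"name": "default", "recording": False, "lastStatus": "Pending"}],
        [{"name": "default", "s3BucketName": "config-111122223333"}]),
    "ap-southeast-2": ([], [], []),  # nothing configured at all
}


def demo(global_region="us-east-1"):
    """Evaluate the constructed sample; returns {region: RegionFinding}."""
    return {r: evaluate_region(r, *resp, global_region) for r, resp in SAMPLE.items()}


def run_audit(role_arn, bucket, global_region="us-east-1"):
    """Live audit over every region enabled for the account (needs boto3 and credentials)."""
    import boto3  # imported here so the decision logic above stays importable offline
    ec2 = boto3.client("ec2", region_name=global_region)
    findings = []
    for region in (r["RegionName"] for r in ec2.describe_regions()["Regions"]):
        cfg = boto3.client("config", region_name=region)
        f = evaluate_region(region,
                            cfg.describe_configuration_recorders()["ConfigurationRecorders"],
                            cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
                            cfg.describe_delivery_channels()["DeliveryChannels"],
                            global_region)
        findings.append(f)
        for cmd in remediation_commands(f, role_arn, bucket, global_region):
            print(cmd)  # printed for review rather than executed blindly
    return findings


if __name__ == "__main__":
    for region, f in demo().items():
        print(region, "OK" if f.compliant else f.issues)
```

Two design points: describe_regions() returns only the regions enabled for the account, so opt-in regions that have never been enabled (and therefore cannot hold resources) are not flagged; and the remediation reuses the existing recorder and delivery channel names, because AWS permits only one of each per region and a put with a different name would be rejected.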
Backout Plan:
Using AWS Console:
If enabling AWS Config across regions creates excessive cost or operational overhead (every recorded configuration item and rule evaluation is billed):
Go to the AWS Config Console, select the affected region, and stop the configuration recorder. Stop it rather than delete it: stopping preserves the configuration history already collected, while deleting the recorder discards it.
Alternatively, keep the recorder running but narrow its scope by editing the recording group to exclude non-critical resource types, or by setting those types to daily rather than continuous recording.
A stopped recorder leaves a gap in the configuration history for that region, and stopping or deleting a recorder is also a common defense evasion step for an attacker, so the StopConfigurationRecorder and DeleteConfigurationRecorder API calls should be alerted on from CloudTrail and any deliberate stop recorded as a change.
Using AWS CLI:
Temporarily stop recording in a specific region (existing history is retained):
aws configservice stop-configuration-recorder --region <region> --configuration-recorder-name <recorder-name>
Or keep recording but restrict the recorder to a subset of resource types (allSupported=false requires an explicit resourceTypes list, and includeGlobalResourceTypes must then be false as well):
aws configservice put-configuration-recorder --region <region> --configuration-recorder name=<recorder-name>,roleARN=<role-arn> --recording-group '{"allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup"]}'
Re-enable full monitoring once issues are resolved (if the scope was narrowed, first re-run put-configuration-recorder with allSupported=true):
aws configservice start-configuration-recorder --region <region> --configuration-recorder-name <recorder-name>