Profile Applicability
Level 1
Description:
AWS Config is a service that provides a detailed view of the configuration of AWS resources in your account. It continuously monitors and records your AWS resource configurations to assess compliance with internal practices, industry guidelines, and regulatory requirements.
Monitoring AWS Config configuration changes is crucial to ensure that changes to resources are tracked, documented, and validated, and to identify any configuration drift or non-compliance with security policies.
Rationale:
AWS Config enables organizations to:
Track resource configuration history
Monitor configuration changes over time
Audit changes for compliance or troubleshooting
Unmonitored changes can result in resources being misconfigured, drifting from baseline security configurations, or violating compliance requirements. Monitoring configuration changes ensures that any modifications to critical resources are reviewed and authorized.
Impact:
Failure to monitor AWS Config changes can lead to:
Unauthorized or accidental modifications of AWS resources
Violation of compliance standards (e.g., HIPAA, SOC 2, PCI DSS)
Lack of visibility into the security and configuration state of AWS resources
Monitoring changes to AWS Config provides continuous oversight and helps mitigate these risks.
Default Value:
AWS Config is not enabled by default. To monitor configuration changes, AWS Config must be set up, including the activation of configuration recording and rule monitoring.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
config:DescribeConfigurationRecorders
config:DescribeComplianceByConfigRule
config:DescribeConfigRules
AWS Config is configured per region, so it should be enabled in every AWS region the account uses; changes in a region without a configuration recorder are not captured
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Config Console.
Verify that Configuration Recorder is active and capturing changes for all relevant resources.
Ensure AWS Config Rules are set up to monitor compliance against security policies.
Review AWS Config History to validate that configuration changes are being recorded correctly.
Using AWS CLI:
aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table
To check the compliance status of recorded resources:
aws configservice describe-compliance-by-config-rule --query "ComplianceByConfigRules[?Compliance.ComplianceType!='COMPLIANT']" --output table
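The two CLI checks above only show how a recorder is defined in the current region; they do not show whether it is actually running, and they must be repeated per region. The following script is an added example (not part of the benchmark) that sweeps every enabled region, combining describe-configuration-recorders with describe-configuration-recorder-status, and reports a finding for each recorder that is missing, stopped, failing, or not recording all supported and global resource types. It assumes the AWS CLI is installed and configured; the sample recorder and status data at the bottom are constructed, not taken from a real account.

```python
import json
import subprocess

def aws_json(*args):
    """Run a read-only AWS CLI command and parse its JSON output (assumes the CLI is configured)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))

def evaluate_recorders(recorders, statuses):
    """Audit one region. Returns a list of findings; an empty list means the region passes.

    recorders: the 'ConfigurationRecorders' list from describe-configuration-recorders
    statuses:  the 'ConfigurationRecordersStatus' list from describe-configuration-recorder-status
    """
    if not recorders:
        return ["no configuration recorder defined"]
    status_by_name = {s["name"]: s for s in statuses}
    findings = []
    for rec in recorders:
        name = rec["name"]
        group = rec.get("recordingGroup", {})
        if not group.get("allSupported"):
            findings.append(f"{name}: recordingGroup.allSupported is not true")
        if not group.get("includeGlobalResourceTypes"):
            findings.append(f"{name}: global resource types (e.g. IAM) are not recorded")
        status = status_by_name.get(name, {})
        if not status.get("recording"):
            findings.append(f"{name}: recorder exists but is stopped")
        elif status.get("lastStatus") == "FAILURE":
            findings.append(f"{name}: last recording status is FAILURE")
    return findings

def audit_region(region):
    """Live check of one region using the same describe calls as the test plan."""
    recorders = aws_json("configservice", "describe-configuration-recorders", "--region", region)
    statuses = aws_json("configservice", "describe-configuration-recorder-status", "--region", region)
    return evaluate_recorders(recorders["ConfigurationRecorders"], statuses["ConfigurationRecordersStatus"])

# Constructed sample output (not from a real account): a recorder that is defined but stopped
# and that skips global resource types.
SAMPLE_RECORDERS = [{"name": "default", "roleARN": "arn:aws:iam::111122223333:role/config-role",
                     "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}]
SAMPLE_STATUS = [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}]

if __name__ == "__main__":
    # describe-regions returns only the regions enabled for the account
    for region in (r["RegionName"] for r in aws_json("ec2", "describe-regions")["Regions"]):
        for finding in audit_region(region) or ["OK"]:
            print(f"{region}: {finding}")
```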
Implementation Plan:
Using AWS Console:
Go to the AWS Config Console.
If not already enabled, click Get Started to enable the Configuration Recorder.
Select the resources and resource types that should be recorded (e.g., EC2 instances, S3 buckets, security groups).
Set up AWS Config Rules to monitor compliance for your AWS resources.
Review configuration history and ensure changes are being logged correctly.
Using AWS CLI:
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>
To enable AWS Config rules:
aws configservice put-config-rule --config-rule <rule-definition>
Backout Plan:
Using AWS Console:
If monitoring AWS Config changes causes excessive logging or performance issues:
Go to the AWS Config Console.
Disable configuration recording temporarily:
Navigate to Configuration Recorder, select Stop.
Adjust the scope of the resources being recorded to reduce the number of changes logged.
Alternatively, adjust the AWS Config Rules to reduce the number of tracked resources or exclude certain resource types.
Re-enable monitoring once issues are resolved:
Go back to the Configuration Recorder and click Start to resume recording.
Using AWS CLI:
If monitoring AWS Config changes causes performance issues:
Temporarily stop the configuration recorder:
aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>
To modify the scope of tracked resources:
Use the following command to update your resource recording settings:
aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<role-arn> --recording-group <new-recording-group>
Re-enable monitoring once issues are resolved:
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>