Profile Applicability:
Level 1
Description:
This control ensures that AWS Config is enabled in all AWS regions to record configuration changes and resource compliance across the entire environment. AWS Config continuously monitors and records AWS resource configurations and relationships, enabling security and compliance auditing, change management, and operational troubleshooting.
Rationale:
Enabling AWS Config in all regions ensures complete visibility into configuration changes across all AWS resources. Without AWS Config enabled globally, changes made in unmonitored regions could go undetected, introducing compliance and security gaps. Global enablement ensures consistent governance, rapid detection of unauthorized changes, and adherence to compliance frameworks such as ISO 27001, SOC 2, and HIPAA.
Impact:
- Positive Impact: Improves visibility and compliance posture by monitoring configuration changes across all regions.
- Negative Impact: Additional AWS cost. AWS Config bills per configuration item recorded (plus rule evaluations and S3 storage), so the cost scales with how often resources change; accounts with high churn, for example large autoscaling fleets, can see a noticeable bill rather than a slight one.
Default Value:
By default, AWS Config is not enabled in any region. It must be enabled in each region separately, either by hand or by deploying the same recorder and delivery channel to every region with a tool such as CloudFormation StackSets. AWS Organizations itself does not turn recording on, although an organization can be the source for a Config aggregator.
Pre-Requisite:
- IAM permissions required (to verify and to enable):
config:DescribeConfigurationRecorders
config:DescribeConfigurationRecorderStatus
config:DescribeDeliveryChannels
config:PutConfigurationRecorder
config:PutDeliveryChannel
config:StartConfigurationRecorder
- An IAM role that AWS Config can assume (the console uses the service-linked role AWSServiceRoleForConfig; if a custom role is used, the caller also needs iam:PassRole for it).
- An S3 bucket must exist to store AWS Config data, with a bucket policy that allows the config.amazonaws.com service principal to write to it; without that policy the recorder starts but every delivery fails.
- (Optional) An SNS topic can be created for configuration change notifications.
Remediation
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to AWS Config → Dashboard.
- Verify that AWS Config is enabled in the current region.
- Repeat this verification process for all regions by switching regions in the console.
- Ensure that:
- A Configuration Recorder exists, its status is Recording, and its last delivery status is Success.
- A Delivery Channel is configured to deliver logs to an S3 bucket.
- Recording is enabled for all resources supported in the region.
- Global resources (IAM users, groups, roles and policies) are recorded in at least one region; they are not tied to a region, so a per-region check alone cannot confirm this.
- If AWS Config is missing, stopped, or recording only a subset of resources in one or more regions, the account is non-compliant.
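The console walk-through above does not scale past a handful of regions. The script below is an added example (not part of the original page and not AWS tooling) that applies the same checks with boto3: evaluate_region() scores the three API responses the dashboard is built on, and evaluate_account() adds the global-resource check that no single region can answer. The SAMPLE dict is constructed data in the shape of real responses; the account ID, bucket name and regions in it are placeholders.

```python
"""Audit AWS Config recorders across regions (added example; not the page's
or AWS's own code).  evaluate_region() scores the three API responses the
console dashboard is built on; audit_account() fetches them with boto3.
The SAMPLE dict is constructed data in the shape of real responses."""
import json
import sys

def evaluate_region(recorders, status, channels):
    """Return findings for one region (empty list == compliant).
    Inputs are the responses of describe_configuration_recorders,
    describe_configuration_recorder_status and describe_delivery_channels."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no configuration recorder"]
    findings = []
    group = recs[0].get("recordingGroup", {})
    # The legacy allSupported flag and the newer recordingStrategy both mean
    # "record all resources supported in this region".
    all_supported = group.get("allSupported") or (
        group.get("recordingStrategy", {}).get("useOnly")
        == "ALL_SUPPORTED_RESOURCE_TYPES")
    if not all_supported:
        findings.append("recorder does not record all supported resource types")
    stat = status.get("ConfigurationRecordersStatus", [])
    if not stat or not stat[0].get("recording"):
        findings.append("recorder is not recording")
    elif stat[0].get("lastStatus") == "FAILURE":  # e.g. bucket policy denies Config
        findings.append("last delivery to the channel failed")
    chans = channels.get("DeliveryChannels", [])
    if not chans or not chans[0].get("s3BucketName"):
        findings.append("no delivery channel with an S3 bucket")
    return findings

def records_global_resources(recorders):
    recs = recorders.get("ConfigurationRecorders", [])
    return bool(recs) and bool(
        recs[0].get("recordingGroup", {}).get("includeGlobalResourceTypes"))

def evaluate_account(per_region):
    """per_region: {region: (recorders, status, channels)} -> {region: findings}.
    Adds an account-level finding when no region records global resource
    types (IAM users, roles, policies); a per-region view cannot see that."""
    report = {r: evaluate_region(*resp) for r, resp in per_region.items()}
    if not any(records_global_resources(resp[0]) for resp in per_region.values()):
        report["account"] = ["global resource types are not recorded in any region"]
    return report

def is_compliant(report):
    return all(not f for f in report.values())

def audit_account():
    """Live collection with boto3 (needs credentials; not used in the offline run)."""
    import boto3
    session = boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    per_region = {}
    for region in regions:
        cfg = session.client("config", region_name=region)
        per_region[region] = (cfg.describe_configuration_recorders(),
                              cfg.describe_configuration_recorder_status(),
                              cfg.describe_delivery_channels())
    return evaluate_account(per_region)

# Constructed sample responses: one compliant region, one with a stopped
# partial recorder, one never set up.  Account ID and bucket are placeholders.
ROLE = ("arn:aws:iam::123456789012:role/aws-service-role/"
        "config.amazonaws.com/AWSServiceRoleForConfig")
SAMPLE = {
    "us-east-1": (
        {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE,
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
        {"ConfigurationRecordersStatus": [{"name": "default", "recording": True,
                                           "lastStatus": "SUCCESS"}]},
        {"DeliveryChannels": [{"name": "default", "s3BucketName": "example-config-bucket"}]}),
    "eu-west-1": (
        {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE,
            "recordingGroup": {"allSupported": False, "resourceTypes": ["AWS::EC2::Instance"]}}]},
        {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
        {"DeliveryChannels": [{"name": "default", "s3BucketName": "example-config-bucket"}]}),
    "ap-southeast-2": (
        {"ConfigurationRecorders": []}, {"ConfigurationRecordersStatus": []},
        {"DeliveryChannels": []}),
}

if __name__ == "__main__":
    report = audit_account() if "--live" in sys.argv else evaluate_account(SAMPLE)
    print(json.dumps(report, indent=2))
    sys.exit(0 if is_compliant(report) else 1)
```

Run it with no arguments to score the constructed sample, or with --live against real credentials; the exit code is non-zero whenever any region or the account-level global-resource check has a finding, which makes it easy to drop into a scheduled job.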
Implementation Plan
Using AWS Console:
- Navigate to the AWS Config Console.
- In the left panel, select Settings.
- If AWS Config is not enabled, click Get started.
- Under Resource recording, select Record all resources supported in this region. Include global resources (IAM) in one region only; recording them in every region duplicates configuration items without adding coverage.
- Under Delivery method, choose or create an S3 bucket to store configuration data.
- (Optional) Specify an SNS topic for notifications.
- Click Save.
- Repeat these steps in every AWS region.
- (Recommended) Create an AWS Config aggregator with your AWS Organization as the source to view configuration and compliance data from all accounts and regions in one place. The aggregator only collects what the recorders produce; it does not enable recording in any region.
Backout Plan
Using AWS Console:
- Navigate to AWS Config Console → Settings.
- Select the active Configuration Recorder.
- Choose Stop recording. Changes made after this point are no longer captured, so keep the stopped window short and record the reason.
- If AWS Config should no longer be used, delete the Delivery Channel and then the Configuration Recorder; the delivery channel can only be deleted once the recorder has been stopped. Configuration history already written to the S3 bucket is not removed.
- Repeat for all regions as needed.
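For both the Implementation Plan and the Backout Plan above, the following is an added example (not the page's or AWS's own code) of the same steps driven through boto3. enable_config() makes the three write calls behind "Get started / Save" in the order the API requires, disable_config() mirrors "Stop recording" and the optional deletion in the order the API allows, and plan_regions() keeps global resource recording to a single region. Every function takes an AWS Config client, so the DryRunClient defined here can stand in for boto3 and print the calls without credentials; the bucket name, account ID and region list are placeholders.

```python
"""Enable AWS Config in every region, and back it out (added example; not
the page's or AWS's own code).  The write calls are the ones behind
"Get started / Save" and "Stop recording" in the console.  Every function
takes an AWS Config client, so DryRunClient can stand in for boto3 to show
the calls without credentials.  Bucket name and account ID are placeholders."""
import sys

RECORDER = "default"   # name the console uses for the recorder and channel

class DryRunClient:
    """Records API calls instead of making them; same method names as boto3."""
    def __init__(self, region):
        self.region = region
        self.calls = []
    def __getattr__(self, operation):
        def call(**params):
            self.calls.append((self.region, operation, params))
            return {}
        return call

def service_linked_role_arn(account_id):
    # Role AWS Config creates for itself; a custom role ARN works here too.
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            "config.amazonaws.com/AWSServiceRoleForConfig")

def enable_config(client, bucket, role_arn, include_global, sns_topic_arn=None):
    """Create/update the recorder and delivery channel, then start recording.
    The bucket policy must already let config.amazonaws.com write to `bucket`.
    include_global should be True in exactly one region: IAM resources are
    global, and recording them in several regions only duplicates items."""
    recorder = {"name": RECORDER, "roleARN": role_arn,
                "recordingGroup": {"allSupported": True,
                                   "includeGlobalResourceTypes": include_global}}
    channel = {"name": RECORDER, "s3BucketName": bucket}
    if sns_topic_arn:
        channel["snsTopicARN"] = sns_topic_arn
    # A recorder must exist before a delivery channel can be created.
    client.put_configuration_recorder(ConfigurationRecorder=recorder)
    client.put_delivery_channel(DeliveryChannel=channel)
    client.start_configuration_recorder(ConfigurationRecorderName=RECORDER)
    return recorder

def disable_config(client, delete=False):
    """Backout: stop recording and optionally remove channel and recorder.
    The delivery channel cannot be deleted while the recorder is running."""
    client.stop_configuration_recorder(ConfigurationRecorderName=RECORDER)
    actions = ["stop"]
    if delete:
        client.delete_delivery_channel(DeliveryChannelName=RECORDER)
        client.delete_configuration_recorder(ConfigurationRecorderName=RECORDER)
        actions += ["delete_channel", "delete_recorder"]
    return actions

def plan_regions(regions, global_region):
    """Map each region to whether it records global resource types."""
    if global_region not in regions:
        raise ValueError(f"{global_region} is not among the enabled regions")
    return {r: r == global_region for r in regions}

def enable_everywhere(client_for_region, regions, bucket, role_arn, global_region):
    """Apply enable_config to every region; client_for_region(region) -> client."""
    applied = {}
    for region, include_global in plan_regions(regions, global_region).items():
        applied[region] = enable_config(client_for_region(region), bucket,
                                        role_arn, include_global)
    return applied

if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3
        session = boto3.Session()
        account = session.client("sts").get_caller_identity()["Account"]
        regions = [r["RegionName"] for r in session.client(
            "ec2", region_name="us-east-1").describe_regions()["Regions"]]
        client_for = lambda region: session.client("config", region_name=region)
    else:   # dry run with placeholder regions: print the calls that would be made
        account, regions = "123456789012", ["us-east-1", "eu-west-1"]
        dry = {r: DryRunClient(r) for r in regions}
        client_for = dry.__getitem__
    enable_everywhere(client_for, regions, "example-config-bucket",
                      service_linked_role_arn(account), "us-east-1")
    if "--live" not in sys.argv:
        for client in dry.values():
            for region, op, params in client.calls:
                print(region, op, params)
```

Running it without --live prints the per-region call sequence so the change can be reviewed before it touches the account; with --live it enumerates enabled regions itself. Both enable_config() and disable_config() are idempotent enough to rerun after a partial failure, since put_* calls update an existing recorder or channel rather than erroring.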