Ensure AWS Config is enabled in all regions

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions.

Risk Level: Low
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.LOG.04
Category: Global

GSL LOGIC

Region should have configurationRecorders with [allSupported=true]

REMEDIATION

From Portal

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. At the top right of the console select the region you want to focus on.
  3. Click Services.
  4. Click Config.
  5. Define which resources you want to record in the selected region. Include global resources (IAM resources).
  6. Select an S3 bucket in the same account, or in another managed AWS account.
  7. Create an SNS Topic from the same AWS account, or from another managed AWS account.

From Command Line

  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
  2. Run this command to set up the configuration recorder
aws configservice subscribe --s3-bucket BUCKET_NAME --sns-topic SNS_TOPIC_NAME or ARN --iam-role IAM_ROLE_ARN
  1. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name RECORDER_NAME

References

  1. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html
  2. https://docs.aws.amazon.com/config/latest/developerguide/manual-setup.title.html
  3. https://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html
  4. https://docs.aws.amazon.com/cli/latest/reference/configservice/subscribe.html
  5. https://docs.aws.amazon.com/cli/latest/reference/configservice/start-configuration-recorder.html
  6. https://workbench.cisecurity.org/benchmarks/679

Region

Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0