NEW Upcoming Enablement Session: Optimizing Auto Scaling Groups for ECS - Register Now

NEW Featured eBook: AWS Cloud Cost Allocation: The Complete Guide - Download Now

AWS Remediation Knowledge Base > Security

Disabled AWS Config for Regions

  • Risk level: Medium
  • Rule ID: CONFIG-001

This rule checks whether AWS config is enabled in your AWS account.

AWS Config is a service that allows you to inspect, audit, and review your AWS resource configurations. Config monitors and records all AWS resource configurations in real-time, enabling you to match recorded configurations against desired configurations seamlessly.

AWS Config also helps to analyze changes in AWS resource configurations, dig into particular resource configuration histories, and evaluate compliance with the configuration defined in your internal policies.

nOps recommends you consider enabling AWS Config for better security.

This rule can help you with the following:

  • AWS Well-Architected Framework Lens

Audit

Perform the following steps to check if AWS Config is enabled:

  • Using AWS Console

1. Access the Config dashboard at https://console.aws.amazon.com/config/

2. The landing page result will help determine whether you have AWS Config enabled in the current region or not:

a. If you see a Get Started page as shown below, then AWS Config is not enabled in your AWS Account for this region

b. If you see a Config Dashboard as shown below, this means AWS Config is (or was in the past) enabled for your AWS Account in this region

c. Now go to Settings in the Left Navigation panel and check the status of Recorder. If it says, Recording is on with a Green tick; this means that AWS Config is currently enabled in your AWS account for the current region.

3. Switch to another AWS region using the top navigation panel and repeat Step 2 to verify if AWS Config recording is enabled in that region.

  • Using AWS CLI

1. Execute the get-status command with an accompanying --region parameter to To discover the current state of AWS Config’s generated Recorders and Delivery Channels

aws configservice get-status \\
	--region us-east-1

 
2. Examine the output to see if AWS Config Service is enabled in this region or not as follows:
 
a. If the resulting output returns an empty Configuration Recorders and Delivery Channels value, then AWS Config is not enabled in this region

**Output**
Configuration Recorders:
Delivery Channels:

b. If the output returns some values for Configuration Recorders and Delivery Channels, but the value for Recorder is OFF, then the AWS Config Service was previously enabled but is now turned OFF.

**Output**
Configuration Recorders:

name: default
recorder: OFF

Delivery Channels:

name: default
last stream delivery status: NOT_APPLICABLE
last history delivery status: SUCCESS

 
3. Switch to another AWS region by changing --region parameter to determine AWS Config status in another region.

Remediation / Resolution

  • Using AWS Console

1. Access the Config dashboard at https://console.aws.amazon.com/config/

2. Click on the Get Started button and configure the recording settings as specified on the next page.

3. Configure General Settings as detailed below**:**

a. Resource types to record

  • If you which to record all supported resources in your AWS account, choose the following
    • Record all resources supported in this region
    • Include Global Resources if you also wish to track any global resource like IAM Users, Roles, etc.
  • If you wish to record only a subset of resources, select the Record specific resource types option and choose the desired Resource category and Resource Type.

b. Next, for the AWS Config role, you can either decide to create a new AWS Config service-linked role or select an existing AWS Role with the required permissions in your account.

4. In the Delivery Method section, choose one of the following for the Amazon S3 bucket sub-section:

a. Create a bucket – to store configuration history using a new S3 bucket.

b. Choose a bucket from your account – to store configuration history using an existing bucket.

c. Choose a bucket from another account – to store configuration history using an existing bucket from another different AWS account.

For simplicity, we will choose to Create a bucket in this example.

5. (Optional), if you want AWS Config to send configuration changes notifications to an SNS topic, then select the Stream configuration changes and notifications to an Amazon SNS topic box under Amazon SNS topic. This will provide more configuration options to choose from, as shown below:

a. Create a topic – Enter the Topic Name to select a new SNS topic for notifications.

b. Choose a topic from your account – to select an existing SNS Topic in the same AWS account.

c. Choose a topic from another account – If you choose this option, you need to provide a complete ARN of the SNS topic from another account rather than just its name.

For simplicity, we will choose to Create a topic with the name config-topic.

6. Click the Next button to proceed to the Rules page. On this page, you will have the option to select pre-configured **AWS Managed Rules**. If you don’t want to use any AWS Managed Rules, you can skip this step and click on the Next button.

7. Review the settings on the next page and Confirm

8. Wait until AWS Config discovers and records the configurations of resources in this region (or global resources if you specified them in Step 2).

  • Using AWS CLI

1. To enable AWS Config, you must first create an S3 bucket to store the recorded configurations history/snapshots, an IAM Role for AWS Config Service to access resources in your account, and optionally an SNS Topic to notify in case of configuration changes. These can be accomplished as follows:

a. S3 bucket: To create an S3 bucket in the specified region, execute the create-bucket command with the associated parameters as shown below.

aws s3api create-bucket \\
	--bucket my-config-demo-bucket \\
	--region us-east-1 \\
	--create-bucket-configuration LocationConstraint=us-east-1

**Output** 
{
    "Location": "/my-config-demo-bucket"
}

LocationConstraint is not required for us-east-1 as that is the default region selected by the cli command.

b. SNS Topic: To create an SNS topic in the specified region, execute the create-topic command as shown below:

aws sns create-topic \\
	--region us-east-1 \\
	--name config-topic

**Output**
{
    "TopicArn": "arn:aws:sns:us-east-1:XXXXXXXXXXX:config-topic"
}

c. IAM Role: To create an IAM Role with the required permissions, carry out the following actions:

a. First, let’s create a trust policy for AWS Config to assume the role. To do that, create a trust-policy.json file with the following details:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

b. Next, to create the IAM role, execute the create-role command with the --assume-role-policy-document parameter as shown below

aws iam create-role \\
	--role-name my-config-role \\
	--assume-role-policy-document file://*trust-policy.json

Output*
{
    "Role": {
        "Path": "/",
        "RoleName": "my-config-role",
        "RoleId": "AROAZKBUAKOU6MYI6CY",
        "Arn": "arn:aws:iam::XXXXXXXXXX:role/my-config-role",
        "CreateDate": "2021-11-26T22:37:54+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "config.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}

c. After that, create an IAM Policy to add permissions to the role so that AWS Config can record configurations.

A sample policy file has been given below, but you can create your policy based on what resources you want AWS Config to monitor and record.

Create a role-policy.json file with the content given below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "appstream:Get*",
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:List*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "config:Put*",
                "directconnect:Describe*",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:Describe*",
                "elasticache:Describe*",
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticloadbalancing:Describe*",
                "elastictranscoder:Read*",
                "elastictranscoder:List*",
                "iam:List*",
                "iam:Get*",
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*",
                "opsworks:Describe*",
                "opsworks:Get*",
                "route53:Get*",
                "route53:List*",
                "redshift:Describe*",
                "redshift:ViewQueriesInConsole",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "s3:Get*",
                "s3:List*",
                "sdb:GetAttributes",
                "sdb:List*",
                "sdb:Select*",
                "ses:Get*",
                "ses:List*",
                "sns:Get*",
                "sns:List*",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "storagegateway:List*",
                "storagegateway:Describe*",
                "trustedadvisor:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::my-config-demo-bucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3::: my-config-demo-bucket"
        },
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:XXXXXXXX:config-topic"
        }
    ]
}

d. Lastly, attach the IAM Policy to the IAM Role created above by executing the put-role-policy command as shown below:

aws iam put-role-policy \\
	--role-name my-config-role \\
	--policy-name config-policy \\
	--policy-document file://role-policy.json \\
  --profile smartique

**Output**
None

 
2. Execute the subscribe command to register Delivery Channels and Recorders for AWS Config Service as shown below:

aws configservice subscribe \\
	--region us-east-1 \\
	--s3-bucket my-config-demo-bucket \\
	--sns-topic arn:aws:sns:us-east-1:XXXXXXXXX:config-topic \\
	--iam-role arn:aws:iam::XXXXXXXXXX:role/my-config-role \\
  --profile smartique

**Output**
Using existing S3 bucket: my-config-demo-bucket
Using existing SNS topic: arn:aws:sns:us-east-1:XXXXXXXXX:config-topic
Subscribe succeeded:

Configuration Recorders: [
    {
        "name": "default",
        "roleARN": "arn:aws:iam::XXXXXXXXX:role/my-config-role",
        "recordingGroup": {
            "allSupported": true,
            "includeGlobalResourceTypes": false,
            "resourceTypes": []
        }
    }
]

Delivery Channels: [
    {
        "name": "default",
        "s3BucketName": "my-config-demo-bucket",
        "snsTopicARN": "arn:aws:sns:us-east-1:XXXXXXXX:config-topic"
    }
]

3. Switch to a different region and repeat steps 2 and 3 to enable AWS Config in that region.

Still Need Help?

Come see why we are the #1 cloud management platform and why companies like Uber, Dickey’s BBQ Pit and Norwegian Cruise Line trust nOps to manage their cloud.
Get Started
Schedule Demo
Contact Us

nOps is an AI-powered FinOps platform that makes it easy manage and optimize your cloud usage, commitments, and spend.

Products

Solutions

Resources

Company

Documentation

© nOps 2024. All Rights Reserved.

Linkedin-in Youtube Instagram Facebook