Skip to content

AWS config is not enabled in all regions

Description

AWS Config is a web service that performs the configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes: the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

We recommend you enable AWS Config in all regions.

Fix - Runtime

AWS Console

To implement AWS Config configuration using the AWS Management Console, follow these steps:

  1. Log in to the AWS Management Console at [https://console.aws.amazon.com/].
  2. At the top right of the console select the region you want to focus on.
  3. Click Services.
  4. Click Config.
  5. Define which resources you want to record in the selected region. Include global resources (IAM resources).
  6. Select an S3 bucket in the same account, or in another managed AWS account.
  7. Create an SNS Topic from the same AWS account, or from another managed AWS account.

CLI Command

To change the policy using the following steps and commands:

  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
  2. Set up the configuration recorder:
aws configservice subscribe 
--s3-bucket my-config-bucket 
--sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice 
--iam-role arn:aws:iam::012345678912:role/myConfigRole 
  1. Start the configuration recorder:
start-configuration-recorder 
--configuration-recorder-name <value>

Fix - Buildtime

Terraform

  • Resource: aws_config_configuration_aggregator
  • Argument: all_regions
resource "aws_config_configuration_aggregator" "organization" {
  name = "example"
  account_aggregation_source {
    account_ids  = ["123456789012"]
+   all_regions  = true
  }