AWS Config Should Be Enabled

​

More Info:

Ensure that AWS Config service is enabled in all regions in order to have complete visibility over your AWS infrastructure configuration changes.

​

Risk Level

High

​

Address

Security

​

Compliance Standards

CBP

​

Remediation

​

Using Console:

• Steps:
  1. Log in to the AWS Management Console.
  2. Navigate to the AWS Config service.
  3. Check if there are any Configuration Recorders configured.
  4. If there are no Configuration Recorders, create a new one by clicking on “Create Configuration Recorder” and follow the setup wizard.
  5. If there are Configuration Recorders:
     • Review each Configuration Recorder.
     • Ensure that the “Include global resources” option is enabled.
     • Edit the Configuration Recorder if necessary to enable global resource recording.

​

Using CLI:

• Commands:

  aws configservice put-configuration-recorder --configuration-recorder name=default --recording-group allSupported=true
  

• Steps:
  1. Use the above CLI command to update the Configuration Recorder to include global resource recording.
  2. Replace name=default with the name of your Configuration Recorder.

​

Using Python

• Logic:

  import boto3
  
  def enable_global_resource_recording():
      try:
          config = boto3.client('config')
  
          # Check if Configuration Recorders exist
          recorders = config.describe_configuration_recorders()['ConfigurationRecorders']
          if not recorders:
              # Create a new Configuration Recorder
              config.put_configuration_recorder(ConfigurationRecorder={
                  'name': 'default',
                  'recordingGroup': {'allSupported': True}
              })
              print("Configuration Recorder created with global resource recording enabled.")
          else:
              for recorder in recorders:
                  if not recorder.get('recordingGroup', {}).get('allSupported', False):
                      # Update existing Configuration Recorder to enable global resource recording
                      config.put_configuration_recorder(ConfigurationRecorder={
                          'name': recorder['name'],
                          'recordingGroup': {'allSupported': True}
                      })
                      print(f"Global resource recording enabled for Configuration Recorder: {recorder['name']}")
                      break
              else:
                  print("Global resource recording is already enabled for all Configuration Recorders.")
  
      except Exception as e:
          print(f"Error: {e}")
  
  # Execute remediation
  enable_global_resource_recording()
  

Ensure that you have the necessary permissions to update AWS Config settings using the AWS CLI or Python script. Also, review and test the changes before applying them to production environments.

​

Additional Reading:

• [https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html]