AWS Config Should Be Enabled

More Info:

Ensure that AWS Config service is enabled in all regions in order to have complete visibility over your AWS infrastructure configuration changes.

Risk Level

High

Address

Security

Compliance Standards

CBP

Using AWS Console

Open the AWS Management Console and navigate to the AWS Config service. (In the Cloudanix Console, navigate to “Misconfig” page and look for Affected Assets for “AWS Config Should Be Enabled” Policy.)
In the AWS Config homepage, click on the “Get started” button.
In the “AWS Config Setup” page, you’ll be prompted to choose the AWS resources you want to track. You can select specific services or choose to track all resources.
Select the desired option and click on the “Next” button.
In the “Specify Amazon S3 bucket” section, you need to provide an Amazon S3 bucket where AWS Config will store the configuration history and snapshots. a. If you already have an S3 bucket configured, select the “Use existing S3 bucket” option and choose the appropriate bucket from the dropdown menu. b. If you don’t have an S3 bucket, select the “Create a new S3 bucket” option and follow the prompts to create a new bucket with the desired settings and permissions.
Click on the “Next” button.
In the “AWS Config rules” section, you can choose to enable AWS managed rules or custom rules. a. If you want to enable AWS managed rules, select the rules you want to enable by checking the checkboxes next to them. b. If you have custom rules, select the “Use custom rules” option and specify the ARN (Amazon Resource Name) of the custom rule.
Click on the “Next” button.
Review the configuration details on the “Review” page to ensure they are correct.
If everything looks good, click on the “Confirm” button to enable AWS Config.
AWS Config will start capturing configuration details for the selected resources and storing them in the specified S3 bucket.
You can navigate to the AWS Config dashboard to view the captured configuration details, set up additional rules, and access other AWS Config features.

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “AWS Config Should Be Enabled” for AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine or terminal.
Run the following command to enable AWS Config:

aws configservice put-config-rule --config-rule file://rule.json

Note: Make sure to replace rule.json with the name of the JSON file that contains the configuration rule. You can create a new JSON file with the following contents:

{
    "ConfigRuleName": "aws-config-enabled",
    "Description": "Checks whether AWS Config is enabled in the account",
    "Scope": {
        "ComplianceResourceTypes": [
            "AWS::::Account"
        ]
    },
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "CONFIG_SERVICE_ENABLED"
    }
}

After running the command, AWS Config will be enabled in your AWS account. You can verify this by going to the AWS Config console and checking the status.

Note: It may take a few minutes for the configuration changes to take effect.

You can also use the following command to check the status of AWS Config:

aws configservice describe-configuration-recorders

This command will show you the status of the configuration recorders for AWS Config.

Once you have verified that AWS Config is enabled, you can close the AWS CLI.

Congratulations! You have successfully remediated the misconfiguration “AWS Config Should Be Enabled” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration “AWS Config Should Be Enabled” for AWS using python, follow these steps:

Import the boto3 library to interact with AWS services using Python.

import boto3

Create a boto3 client for AWS Config.

config_client = boto3.client('config')

Check if AWS Config is enabled. If it is not enabled, enable it using the put_config_rule method.

response = config_client.describe_configuration_recorder_status()
if not response['ConfigurationRecordersStatus'][0]['recording']:
    response = config_client.put_configuration_recorder(
        ConfigurationRecorder={
            'name': 'default',
            'roleARN': 'arn:aws:iam::123456789012:role/config-role',
            'recordingGroup': {
                'allSupported': True,
                'includeGlobalResourceTypes': True
            }
        }
    )

Set the delivery channel for AWS Config. This will specify where the AWS Config data will be delivered.

response = config_client.put_delivery_channel(
    DeliveryChannel={
        'name': 'default',
        's3BucketName': 'myconfigbucket',
        'configSnapshotDeliveryProperties': {
            'deliveryFrequency': 'TwentyFour_Hours'
        }
    }
)

Confirm that AWS Config is enabled.

response = config_client.describe_configuration_recorder_status()
if response['ConfigurationRecordersStatus'][0]['recording']:
    print('AWS Config is enabled.')

Note: Replace 123456789012 with your AWS account number and myconfigbucket with the name of your S3 bucket where you want to store the AWS Config data.

Additional Reading:

https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS Config Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Using AWS Console

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Using AWS Console

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Using AWS Console

Triage and Remediation

Remediation

Additional Reading: