CloudSploit

AWS / ConfigService / Config Service Enabled

Quick Info

| Field | Value |
| --- | --- |
| Plugin Title | Config Service Enabled |
| Cloud | AWS |
| Category | ConfigService |
| Description | Ensures the AWS Config Service is enabled to detect changes to account resources |
| More Info | The AWS Config Service tracks changes to a number of resources in an AWS account and is invaluable in determining how account changes affect other resources and in recovery in the event of an account intrusion or accidental configuration change. |
| AWS Link | https://aws.amazon.com/config/details/ |
| Recommended Action | Enable the AWS Config Service for all regions and resources in an account. Ensure that it is properly recording and delivering logs. |

Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for AWS Config.
  3. If the AWS console redirects to the "Get Started" page, the Config Service is not enabled in the selected region.
  4. Repeat steps 2 - 3 in each of the other regions to verify whether the Config Service is enabled there.
  5. Navigate to "AWS Config" and click the "Get Started" button.
  6. On the "Settings" page, under "Resource types to record", select both "Record all resources supported in this region" (to track configuration changes for all AWS resources) and "Include global resources" (to include global AWS resources such as IAM resources).
  7. Under "AWS Config role", choose "Use an existing AWS Config service-linked role".
  8. Under the "Amazon S3 bucket" option, choose one of the available options as required: "Create a bucket" to create a new bucket, "Choose a bucket from your account" to use an existing S3 bucket, or "Choose a bucket from another account" to use an S3 bucket from another AWS account.
  9. Under the "Amazon SNS topic" option, choose one of the available options: "Create a topic" to create a new Simple Notification Service topic, "Choose a topic from your account" to use an existing SNS topic, or "Choose a topic from another account" to use an SNS topic from another AWS account. In the "Topic Name" field, enter a unique name for the SNS topic, then click the "Next" button.
  10. On the "Rules" page, select all the AWS Config rules from all available pages to check the configuration of the resources against the defined rules, then click the "Next" button.
  11. Review the changes and click the "Confirm" button to apply them.
  12. Repeat steps 5 - 11 to enable the AWS Config Service for all regions and resources in the account.
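The console steps above verify one region at a time. The following is an added example, not CloudSploit's own plugin code, showing how the same conditions (a recorder exists, it is recording and last delivered successfully, all supported resource types are recorded, global resources are covered somewhere, and a delivery channel exists) can be evaluated from the JSON that `aws configservice describe-configuration-recorders`, `describe-configuration-recorder-status` and `describe-delivery-channels` return per region. The field names follow the AWS API; the region data, account id, bucket and topic names are constructed samples, and the PASS/WARN/FAIL thresholds are this example's own choice.

```python
"""Evaluate AWS Config recorder state per region from describe-* API output.

Added example (not CloudSploit's plugin). Input dicts use the field names of
the AWS Config API responses; all sample values below are constructed.
"""

# Constructed sample: one region per outcome. In practice each entry would be
# the merged output of the three describe-* calls for that region.
SAMPLE_REGIONS = {
    # Fully configured: all supported + global resources, last delivery succeeded.
    "us-east-1": {
        "ConfigurationRecorders": [{
            "name": "default",
            "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []},
        }],
        "ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "Success"}],
        "DeliveryChannels": [{"name": "default", "s3BucketName": "example-config-bucket",
                              "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:example-config-topic"}],
    },
    # Recorder exists but was stopped and only records a subset of resource types.
    "eu-west-1": {
        "ConfigurationRecorders": [{
            "name": "default",
            "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                               "resourceTypes": ["AWS::EC2::Instance"]},
        }],
        "ConfigurationRecordersStatus": [{"name": "default", "recording": False, "lastStatus": "Failure"}],
        "DeliveryChannels": [{"name": "default", "s3BucketName": "example-config-bucket"}],
    },
    # Never set up: the console shows the "Get Started" page here.
    "ap-south-1": {"ConfigurationRecorders": [], "ConfigurationRecordersStatus": [], "DeliveryChannels": []},
}


def evaluate_region(data):
    """Return (status, findings) for one region; status is PASS, WARN or FAIL.

    Hard findings (no recorder, not recording, delivery failing, no delivery
    channel) give FAIL; a recorder that runs but skips resource types gives WARN.
    """
    recorders = data.get("ConfigurationRecorders", [])
    if not recorders:
        return "FAIL", ["Config Service is not configured in this region"]
    status_by_name = {s["name"]: s for s in data.get("ConfigurationRecordersStatus", [])}
    hard, soft = [], []
    for rec in recorders:
        st = status_by_name.get(rec["name"], {})
        group = rec.get("recordingGroup", {})
        if not st.get("recording"):
            hard.append(f"recorder '{rec['name']}' is not recording")
        elif st.get("lastStatus") == "Failure":  # API values: Pending, Success, Failure
            hard.append(f"recorder '{rec['name']}' last delivery failed")
        if not group.get("allSupported"):
            soft.append("not recording all supported resource types")
    if not data.get("DeliveryChannels"):
        hard.append("no delivery channel (S3 bucket) configured")
    if hard:
        return "FAIL", hard + soft
    return ("WARN" if soft else "PASS"), soft


def records_global_resources(data):
    """True if any recorder in this region includes global resource types (e.g. IAM)."""
    return any(r.get("recordingGroup", {}).get("includeGlobalResourceTypes")
               for r in data.get("ConfigurationRecorders", []))


def evaluate_account(regions):
    """Map region -> (status, findings); global-resource coverage is checked account-wide,
    since AWS only needs it enabled in one region to avoid duplicate recording."""
    report = {region: evaluate_region(data) for region, data in regions.items()}
    if not any(records_global_resources(d) for d in regions.values()):
        report["account"] = ("FAIL", ["no region records global resources (such as IAM)"])
    return report


if __name__ == "__main__":
    for region, (status, findings) in evaluate_account(SAMPLE_REGIONS).items():
        print(f"{region:12} {status:5} {'; '.join(findings) or 'recording all resources'}")
```

To run it against a real account, replace SAMPLE_REGIONS with the output of the three describe-* calls collected for every region returned by `aws ec2 describe-regions`; a region whose recorders list is empty is exactly the "Get Started" case in step 3 above.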