AWS Config should be enabled in all regions

Description

It is recommended that users enable AWS Config in all regions. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Console Remediation Steps

  • Navigate to Config.

  • Edit AWS Config to be enabled in all regions as described here.

CLI Remediation Steps

  • Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.

  • Run this command to set up the configuration recorder:

    • aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345xxxxxx:my-config-notice --iam-role arn:aws:iam::012345xxxxxx:role/myConfigRole

  • Run this command to start the configuration recorder:

    • aws configservice start-configuration-recorder --configuration-recorder-name <value>
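The steps above enable the recorder in one region; the control requires it in every region. The script below is an added example, not part of the original page, that repeats the procedure across a list of regions using the current AWS CLI commands (put-configuration-recorder, put-delivery-channel, start-configuration-recorder). It uses those rather than the legacy `aws configservice subscribe` helper from the steps above, which exists only in older AWS CLI v1 releases and is not available in AWS CLI v2. The bucket name, SNS topic ARN, role ARN, recorder name and the GLOBAL_REGION setting are placeholders to be replaced with the account's own values. It also applies one caveat the page does not state: global resource types (IAM users, roles, policies) are recorded in a single home region only, so they are not duplicated into every regional configuration history.

```shell
#!/bin/sh
# Added example (not the page's own commands): enable AWS Config in every
# region of an account with the current AWS CLI v2 commands.
# Placeholders (assumed, replace with real values):
#   CONFIG_BUCKET  S3 bucket receiving configuration history and snapshots
#   CONFIG_TOPIC   SNS topic ARN that receives change notifications
#   CONFIG_ROLE    IAM role ARN that AWS Config assumes to read resources
#   GLOBAL_REGION  the one region that also records global resource types
# Set DRY_RUN=1 to print the commands instead of executing them.

CONFIG_BUCKET="${CONFIG_BUCKET:-my-config-bucket}"
CONFIG_TOPIC="${CONFIG_TOPIC:-arn:aws:sns:us-east-1:012345xxxxxx:my-config-notice}"
CONFIG_ROLE="${CONFIG_ROLE:-arn:aws:iam::012345xxxxxx:role/myConfigRole}"
RECORDER_NAME="${RECORDER_NAME:-default}"
GLOBAL_REGION="${GLOBAL_REGION:-us-east-1}"

# run_aws: execute the AWS CLI, or print the command line when DRY_RUN is set.
run_aws() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'aws %s\n' "$*"
    else
        aws "$@"
    fi
}

# enable_config_in_region REGION
# Creates the configuration recorder (all supported resource types), the
# delivery channel, and starts recording in REGION. Global resource types
# are recorded only in GLOBAL_REGION so IAM changes are not duplicated.
enable_config_in_region() {
    region="$1"
    if [ "$region" = "$GLOBAL_REGION" ]; then
        include_global=true
    else
        include_global=false
    fi
    run_aws configservice put-configuration-recorder --region "$region" \
        --configuration-recorder "name=$RECORDER_NAME,roleARN=$CONFIG_ROLE" \
        --recording-group "allSupported=true,includeGlobalResourceTypes=$include_global"
    run_aws configservice put-delivery-channel --region "$region" \
        --delivery-channel "name=$RECORDER_NAME,s3BucketName=$CONFIG_BUCKET,snsTopicARN=$CONFIG_TOPIC"
    run_aws configservice start-configuration-recorder --region "$region" \
        --configuration-recorder-name "$RECORDER_NAME"
}

# enable_config_all_regions [REGION...]
# With no arguments, enumerates the regions enabled for the account via EC2.
enable_config_all_regions() {
    if [ "$#" -eq 0 ]; then
        set -- $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
    fi
    for r in "$@"; do
        enable_config_in_region "$r"
    done
}

# Usage (executes for real unless DRY_RUN is set):
#   DRY_RUN=1 ./enable-config.sh            # review the commands first
#   ./enable-config.sh                       # apply to every enabled region
#   ./enable-config.sh us-east-1 eu-west-1   # apply to selected regions only
if [ "${0##*/}" = "enable-config.sh" ]; then
    enable_config_all_regions "$@"
fi
```

Run it once with `DRY_RUN=1` to review the generated commands, then without it. After it completes, `aws configservice describe-configuration-recorder-status --region <region>` should report `"recording": true` in each region; a region where that is false is exactly the finding this check flags.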