AWS Config

Config Service Delivery Failing

This plugin ensures the AWS Config Service is properly delivering changes to account resources to the designated S3 bucket.

Risk Level: Low

Description

This plugin ensures the AWS Config Service is properly delivering changes to account resources to the designated S3 bucket. If the recorder is not delivering logs, AWS Config will not monitor or track any new configuration changes which are crucial in determining how a single change can affect other resources.

About the Service

AWS Config: AWS Config simplifies assessment, auditing and evaluation of the AWS resources’ configurations. It provides a detailed report on the relationship between various AWS resources based on their configuration. Apart from monitoring, AWS Config also determines the overall compliance based on the settings specified in your internal policies.

Impact

If the logs are not being delivered, critical configuration changes for all AWS services will not be recorded by AWS Config. In order to have complete visibility of your configuration changes, it is recommended to activate config recorders. Incorrect configurations can lead to exposing sensitive information globally.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in.
  3. Scroll down and select Dashboard from the left navigation pane.
  4. If an error message stating “AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using arn:aws:iam:::role/service-role/<IAM_role>” is displayed, the vulnerability exists.
  5. Repeat steps for all the regions you want to investigate.
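The console steps above show the check per region by eye. The same check can be scripted against the JSON that the AWS CLI returns for a region. The block below is an added example, not part of the original page or of the plugin it describes: it assumes you run `aws configservice describe-configuration-recorder-status` and `aws configservice describe-delivery-channel-status` yourself (per region) and feed their output in, and the sample documents embedded in it are constructed to show one healthy region and one where the recorder is stopped and history delivery to S3 is failing.

```python
"""Evaluate AWS Config recorder and delivery-channel status offline.

Added example, not part of the original page. It parses the JSON that these
two AWS CLI commands print for one region (assumption: run them yourself and
feed the output in; the sample documents below are constructed, not captured
from a real account):

    aws configservice describe-configuration-recorder-status --region <region>
    aws configservice describe-delivery-channel-status --region <region>
"""
import json

# Constructed sample: healthy region (recorder on, all three delivery paths OK).
HEALTHY_RECORDER = json.dumps({
    "ConfigurationRecordersStatus": [
        {"name": "default", "recording": True, "lastStatus": "SUCCESS"}
    ]
})
HEALTHY_DELIVERY = json.dumps({
    "DeliveryChannelsStatus": [{
        "name": "default",
        "configSnapshotDeliveryInfo": {"lastStatus": "SUCCESS"},
        "configHistoryDeliveryInfo": {"lastStatus": "SUCCESS"},
        "configStreamDeliveryInfo": {"lastStatus": "SUCCESS"},
    }]
})

# Constructed sample: recorder stopped and history delivery to S3 failing.
BROKEN_RECORDER = json.dumps({
    "ConfigurationRecordersStatus": [
        {"name": "default", "recording": False, "lastStatus": "SUCCESS"}
    ]
})
BROKEN_DELIVERY = json.dumps({
    "DeliveryChannelsStatus": [{
        "name": "default",
        "configSnapshotDeliveryInfo": {"lastStatus": "SUCCESS"},
        "configHistoryDeliveryInfo": {
            "lastStatus": "FAILURE",
            # error code/message are constructed sample values
            "lastErrorCode": "InsufficientDeliveryPolicyException",
            "lastErrorMessage": "Insufficient delivery policy to s3 bucket",
        },
        "configStreamDeliveryInfo": {"lastStatus": "SUCCESS"},
    }]
})

# The three delivery paths reported per delivery channel.
DELIVERY_PATHS = (
    "configStreamDeliveryInfo",
    "configHistoryDeliveryInfo",
    "configSnapshotDeliveryInfo",
)


def _is_failure(status):
    """Status strings vary in case across SDK outputs ('Failure' vs 'FAILURE')."""
    return (status or "").upper() == "FAILURE"


def evaluate_region(recorder_json, delivery_json):
    """Return a list of human-readable findings; empty means delivery is healthy."""
    findings = []
    recorders = json.loads(recorder_json).get("ConfigurationRecordersStatus", [])
    channels = json.loads(delivery_json).get("DeliveryChannelsStatus", [])

    if not recorders:
        findings.append("no configuration recorder exists in this region")
    for rec in recorders:
        name = rec.get("name", "<unnamed>")
        if not rec.get("recording"):
            findings.append(f"recorder '{name}' is not recording")
        if _is_failure(rec.get("lastStatus")):
            findings.append(f"recorder '{name}' last status is FAILURE")

    if not channels:
        findings.append("no delivery channel exists in this region")
    for ch in channels:
        name = ch.get("name", "<unnamed>")
        for path in DELIVERY_PATHS:
            info = ch.get(path, {})
            if _is_failure(info.get("lastStatus")):
                code = info.get("lastErrorCode", "n/a")
                msg = info.get("lastErrorMessage", "")
                findings.append(
                    f"channel '{name}': {path} last delivery FAILED ({code}: {msg})"
                )
    return findings


def is_delivering(recorder_json, delivery_json):
    """True when a recorder is on and no delivery path reports a failure."""
    return not evaluate_region(recorder_json, delivery_json)


if __name__ == "__main__":
    for label, rec, dlv in (
        ("healthy", HEALTHY_RECORDER, HEALTHY_DELIVERY),
        ("broken", BROKEN_RECORDER, BROKEN_DELIVERY),
    ):
        print(f"[{label}]", "OK" if is_delivering(rec, dlv) else "FAILING")
        for finding in evaluate_region(rec, dlv):
            print("  -", finding)
```

Run the two CLI commands for each region you want to investigate and pass their output to `evaluate_region`; a region with an empty findings list is delivering, anything else is the condition this plugin flags. Checking all three delivery paths separately matters because the snapshot, history and stream paths can fail independently (for example, the stream path depends on the SNS topic while the other two depend on the S3 bucket policy), so a single "recording: true" from the recorder is not enough to conclude that changes are actually reaching the bucket.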

Steps for Remediation

Enable the AWS Config Service for all regions and resources in an account, and ensure that it is properly recording and delivering logs.

  1. Log in to your AWS Console.
  2. Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in.
  3. Scroll down and select Settings from the left navigation pane.
  4. Click on the Edit button from the top right corner.
  5. Under General Settings, check the option for Use an existing AWS Config service-linked role.
  6. Click on Save after making all the changes.
  7. Repeat steps for all the vulnerable regions.