AWS Config

Config Service Not Recording

This plugin ensures the AWS Config Service is enabled to detect changes to account resources.

Risk Level: Low

Description

This plugin ensures the AWS Config Service is enabled to detect changes to account resources. If the recorder is not enabled, AWS Config will not monitor or track new configuration changes, which are crucial for determining how a single change can affect other resources.

About the Service

AWS Config: AWS Config simplifies assessment, auditing and evaluation of the AWS resources’ configurations. It provides a detailed report on the relationship between various AWS resources based on their configuration. Apart from monitoring, AWS Config also determines the overall compliance based on the settings specified in your internal policies.

Impact

If the option to record changes is not enabled, critical configuration changes for all AWS services will not be recorded by AWS Config. In order to have complete visibility of your configuration changes, it is recommended to activate config recorders. Without that record, incorrect configurations can go unnoticed and lead to exposing sensitive information globally.

Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in.
  3. Scroll down and select Settings from the left navigation pane.
  4. From the Recorder section, check whether the recorder is currently recording changes or not. If it is turned off, the vulnerability exists.
  5. Repeat the steps for all the regions you want to investigate.

Steps for Remediation

Enable the AWS Config Service for all regions and resources in an account. Ensure that it is properly recording and delivering logs.

  1. Log in to your AWS Console.
  2. Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in.
  3. Scroll down and select Settings from the left navigation pane.
  4. Click on the Edit button in the top right corner.
  5. From the Recorder section, check the option for Enable recording.
  6. Click on Save after making all the changes.
  7. Repeat the steps for all the vulnerable regions.
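The console checks in Steps to Reproduce and the "all regions and resources" requirement in Steps for Remediation can be scripted. The following is an added example, not the plugin's own code: evaluate_region() classifies one region from the DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus responses, scan_account() runs it across every region (assumes boto3 and credentials with read-only AWS Config permissions), and the sample responses are constructed, not taken from a real account.

```python
def evaluate_region(recorders, statuses):
    """Classify one region from the DescribeConfigurationRecorders and
    DescribeConfigurationRecorderStatus responses. Returns (level, detail)."""
    if not recorders:
        return "FAIL", "no configuration recorder defined"
    if not statuses:
        return "FAIL", "recorder defined but no status reported"
    recorder, status = recorders[0], statuses[0]
    name = status.get("name", recorder.get("name", "?"))
    if not status.get("recording"):  # the finding this plugin reports
        return "FAIL", f"recorder '{name}' is not recording"
    if status.get("lastStatus") == "Failure":  # on, but last delivery/evaluation failed
        return "WARN", f"recorder '{name}' reported Failure: {status.get('lastErrorMessage', '')}"
    if not recorder.get("recordingGroup", {}).get("allSupported", False):
        return "WARN", f"recorder '{name}' does not have allSupported set (partial coverage)"
    return "PASS", f"recorder '{name}' is recording all supported resource types"

def scan_account(region_names=None):
    """Run the check in every region; needs boto3 and credentials (not run by the offline test)."""
    import boto3  # lazy import so evaluate_region stays usable without boto3 installed
    session = boto3.session.Session()
    results = {}
    for region in region_names or session.get_available_regions("config"):
        try:
            client = session.client("config", region_name=region)
            recorders = client.describe_configuration_recorders()["ConfigurationRecorders"]
            statuses = client.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
            results[region] = evaluate_region(recorders, statuses)
        except Exception as exc:  # e.g. a region the account has opted out of
            results[region] = ("ERROR", f"{type(exc).__name__}: {exc}")
    return results

# Constructed sample responses (not from a real account) covering each outcome.
SAMPLE_REGIONS = {
    "us-east-1": ([{"name": "default", "recordingGroup": {"allSupported": True}}],
                  [{"name": "default", "recording": True, "lastStatus": "Success"}]),
    "eu-west-1": ([{"name": "default", "recordingGroup": {"allSupported": True}}],
                  [{"name": "default", "recording": False, "lastStatus": "Success"}]),
    "eu-central-1": ([{"name": "default", "recordingGroup": {"allSupported": False}}],
                     [{"name": "default", "recording": True, "lastStatus": "Success"}]),
    "ap-south-1": ([], []),
}

def evaluate_samples():
    return {region: evaluate_region(*resp) for region, resp in SAMPLE_REGIONS.items()}

if __name__ == "__main__":
    for region, (level, detail) in evaluate_samples().items():
        print(f"{region:12} {level:5} {detail}")
```

Run scan_account() with real credentials to get the same FAIL/WARN/PASS table for every region of the account; a FAIL line is the condition this plugin flags.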