Ensure AWS Config is enabled in all regions

2.5 Logging (AWS CIS Benchmark).

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.

The recorded information includes the:

  • Configuration item (AWS resource).
  • Relationships between configuration items (AWS resources).
  • Any configuration changes between resources.

It is recommended that AWS Config is enabled in all regions.

Implement AWS Config configuration via the AWS Management Console

Step 1. Select the region you want to focus on in the top right of the console.

Step 2. Click on Services.

Step 3. Click on Config.

Step 4. Define which resources you want to record in the selected region.

Step 5. Choose to include global resources (IAM resources).

Step 6. Specify an S3 bucket in the same account or another managed AWS account.

Step 7. Create an SNS topic from the same AWS account or another managed AWS account.

Implement AWS Config configuration via CLI

Step 1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.

Step 2. Run this command to set up the configuration recorder:

    aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole

Step 3. Run this command to start the configuration recorder:

    aws configservice start-configuration-recorder --configuration-recorder-name <value>
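Because the recommendation is "enabled in all regions", the useful follow-up to the CLI steps above is a per-region check. The script below is an added example, not part of the CIS benchmark text: it uses the same AWS CLI the procedure uses (`describe-configuration-recorders`, `describe-configuration-recorder-status`, `describe-delivery-channels`, `ec2 describe-regions`) and flags regions where the recorder is missing or stopped, does not record all supported resource types, last failed to deliver, or has no S3 delivery channel. The evaluation is separated from the AWS calls so it can be exercised with constructed values; the function names, the `run` argument and the assumption that `aws --output text` renders booleans as `True`/`False` and missing values as `None` are this example's own.

```shell
#!/usr/bin/env bash
# Added AWS Config audit helper (example code, not from the CIS benchmark).
# Assumes credentials that allow config:Describe* and ec2:DescribeRegions.

# Pure evaluator, kept free of AWS calls so it can be tested offline.
# Arguments: region recording all_supported include_global last_status s3_bucket
# Prints one finding per line; returns 0 if the region is compliant, 1 otherwise.
evaluate_config_region() {
  local region="$1" recording="$2" all_supported="$3" include_global="$4" last_status="$5" bucket="$6"
  local rc=0
  if [ "$recording" != "True" ]; then
    echo "$region: no configuration recorder, or recorder is stopped (recording=$recording)"
    rc=1
  fi
  if [ "$all_supported" != "True" ]; then
    echo "$region: recorder does not record all supported resource types (allSupported=$all_supported)"
    rc=1
  fi
  case "$last_status" in
    SUCCESS) ;;
    *) echo "$region: last delivery status is '$last_status', not SUCCESS"; rc=1 ;;
  esac
  if [ -z "$bucket" ] || [ "$bucket" = "None" ]; then
    echo "$region: no delivery channel / S3 bucket configured"
    rc=1
  fi
  # Informational only: global resource types (IAM) need to be recorded in one region, not every region.
  if [ "$include_global" != "True" ]; then
    echo "$region: note - global resource types are not recorded in this region"
  fi
  return $rc
}

# Live lookup for one region; each query extracts a single scalar as text.
audit_config_region() {
  local region="$1" recording all_supported include_global last_status bucket
  recording=$(aws configservice describe-configuration-recorder-status --region "$region" \
      --query 'ConfigurationRecordersStatus[0].recording' --output text)
  last_status=$(aws configservice describe-configuration-recorder-status --region "$region" \
      --query 'ConfigurationRecordersStatus[0].lastStatus' --output text)
  all_supported=$(aws configservice describe-configuration-recorders --region "$region" \
      --query 'ConfigurationRecorders[0].recordingGroup.allSupported' --output text)
  include_global=$(aws configservice describe-configuration-recorders --region "$region" \
      --query 'ConfigurationRecorders[0].recordingGroup.includeGlobalResourceTypes' --output text)
  bucket=$(aws configservice describe-delivery-channels --region "$region" \
      --query 'DeliveryChannels[0].s3BucketName' --output text)
  evaluate_config_region "$region" "$recording" "$all_supported" "$include_global" "$last_status" "$bucket"
}

# Walk every enabled region; return non-zero if any region fails the check.
audit_all_regions() {
  local failed=0 region
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    audit_config_region "$region" || failed=1
  done
  return $failed
}

# The live audit runs only when invoked as:  ./config-audit.sh run
if [ "${1:-}" = "run" ]; then
  audit_all_regions
fi
```

A region with no recorder at all shows up as `recording=None`, which the evaluator treats the same as a stopped recorder; a region whose recorder exists but reports `lastStatus` of FAILURE usually points at the IAM role or bucket policy from Step 1 rather than at the recorder itself.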