Control: 3.5 Ensure AWS Config is enabled in all regions
Description
AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources.
The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
Remediation
To implement AWS Config configuration:
From Console
- Open the AWS Config console.
- Select the Region to configure AWS Config in.
- On the Settings page, do the following:
  - Under Resource types to record, select Record all resources supported in this region and Include global resources (e.g., AWS IAM resources).
  - Under Amazon S3 bucket, specify the bucket to use or create a bucket and optionally include a prefix.
  - Under Amazon SNS topic, select an Amazon SNS topic from your account or create one.
  - Under AWS Config role, either choose Create AWS Config service-linked role or choose Choose a role from your account and then select the role to use.
- Choose Next.
- On the AWS Config rules page, choose Skip.
- Choose Confirm.
From Command Line
- Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
- Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
- Run this command to start the configuration recorder:
aws configservice start-configuration-recorder --configuration-recorder-name <value>
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v150_3_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v150_3_5 --share
SQL
This control uses a named query:
-- pgFormatter-ignore
-- Get count for any region with all matching criteria
with global_recorders as (
  select
    count(*) as global_config_recorders
  from
    aws_config_configuration_recorder
  where
    recording_group -> 'IncludeGlobalResourceTypes' = 'true'
    and recording_group -> 'AllSupported' = 'true'
    and status ->> 'Recording' = 'true'
    and status ->> 'LastStatus' = 'SUCCESS'
)
select
  'arn:aws::' || a.region || ':' || a.account_id as resource,
  case
    -- When any region satisfies the CTE above, regions that also have
    -- 'Recording' and 'LastStatus' matching the criteria in the left join of the
    -- aws_config_configuration_recorder table can be considered OK
    when g.global_config_recorders >= 1
      and status ->> 'Recording' = 'true'
      and status ->> 'LastStatus' = 'SUCCESS' then 'ok'
    -- Skip any regions that are disabled in the account.
    when a.opt_in_status = 'not-opted-in' then 'skip'
    else 'alarm'
  end as status,
  -- The cases below cite the respective reason for the control state
  case
    when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'
    else
      case
        when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
        else a.region || ' IncludeGlobalResourceTypes disabled,'
      end
      || case
        when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'
        else ' AllSupported disabled,'
      end
      || case
        when status ->> 'Recording' = 'true' then ' Recording enabled'
        else ' Recording disabled'
      end
      || case
        when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'
        else ' and LastStatus is not SUCCESS.'
      end
  end as reason,
  a.region,
  a.account_id
from
  global_recorders as g,
  aws_region as a
  left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;
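As an added example that is not part of the project's query or code, the same ok / skip / alarm decision written in Python over per-region data shaped like the AWS CLI responses of describe-configuration-recorders (recordingGroup.allSupported, recordingGroup.includeGlobalResourceTypes) and describe-configuration-recorder-status (recording, lastStatus); the region dicts and the sample account are constructed for the example.

```python
def _flag(recorder, key):
    # recordingGroup.<key> from describe-configuration-recorders; None means no recorder
    return bool(recorder and recorder.get("recordingGroup", {}).get(key) is True)

def _recording(status):
    return bool(status and status.get("recording") is True)

def _last_success(status):
    # lastStatus from describe-configuration-recorder-status, compared case-insensitively
    return bool(status and str(status.get("lastStatus", "")).upper() == "SUCCESS")

def reason(r):
    if r["opt_in_status"] == "not-opted-in":
        return f"{r['region']} region is disabled."
    g = "enabled" if _flag(r["recorder"], "includeGlobalResourceTypes") else "disabled"
    a = "enabled" if _flag(r["recorder"], "allSupported") else "disabled"
    rec = "enabled" if _recording(r["status"]) else "disabled"
    last = "SUCCESS" if _last_success(r["status"]) else "not SUCCESS"
    return (f"{r['region']} IncludeGlobalResourceTypes {g}, AllSupported {a},"
            f" Recording {rec} and LastStatus is {last}.")

def evaluate(regions):
    # The CTE: recorders anywhere that cover global resources, record all types, and are healthy
    global_recorders = sum(
        1 for r in regions
        if _flag(r["recorder"], "includeGlobalResourceTypes")
        and _flag(r["recorder"], "allSupported")
        and _recording(r["status"]) and _last_success(r["status"]))
    results = {}
    for r in regions:
        if global_recorders >= 1 and _recording(r["status"]) and _last_success(r["status"]):
            state = "ok"     # region records, and global resources are covered somewhere
        elif r["opt_in_status"] == "not-opted-in":
            state = "skip"   # region disabled in the account
        else:
            state = "alarm"  # no recorder, stopped, failing, or no global coverage anywhere
        results[r["region"]] = (state, reason(r))
    return results

# Constructed sample (not real account data): a global recorder in us-east-1,
# a regional-only recorder in eu-west-1, and af-south-1 not opted in
SAMPLE = [
    {"region": "us-east-1", "opt_in_status": "opt-in-not-required",
     "recorder": {"recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
     "status": {"recording": True, "lastStatus": "Success"}},
    {"region": "eu-west-1", "opt_in_status": "opt-in-not-required",
     "recorder": {"recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
     "status": {"recording": True, "lastStatus": "Success"}},
    {"region": "af-south-1", "opt_in_status": "not-opted-in", "recorder": None, "status": None},
]
```

Note that a region recording only regional resources still passes as long as some region in the account records global resources; if none does, every recording region alarms, which is the point of the CTE.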