This plugin ensures the AWS Config Service is enabled to detect changes to account resources.
Risk Level: Low
Description
This plugin ensures the AWS Config Service is enabled to detect changes to account resources. If no configuration recorder is set up in a region, AWS Config does not monitor or track configuration changes there, and that change history is what lets you determine how a single change affects other resources.
About the Service
AWS Config: AWS Config simplifies assessment, auditing and evaluation of the AWS resources’ configurations. It provides a detailed report on the relationship between various AWS resources based on their configuration. Apart from monitoring, AWS Config also determines the overall compliance based on the settings specified in your internal policies.
Impact
If change recording is not enabled, critical configuration changes to AWS services in that region will not be recorded by AWS Config. To have complete visibility of your configuration changes, it is recommended to activate a configuration recorder in every region. Unrecorded, incorrect configurations can go unnoticed and lead to exposing sensitive information globally.
Steps to Reproduce
Using AWS Console:
- Log In to your AWS Console.
- Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in.
- If you are redirected to the set-up page, the vulnerability exists.
- Repeat steps for all the regions you want to investigate.
Steps for Remediation
Enable the AWS Config Service for all regions and resources in an account. Ensure that it is properly recording and delivering logs.
- Log In to your AWS Console.
- Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in.
- Switch to the vulnerable region and click 1-click setup.
- Click Confirm to set up the recorder. For a more detailed setup, click Get Started instead and follow the guided steps.
- Repeat steps for all the vulnerable regions.
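The console steps above, for both the check and the remediation, can be scripted. The following is an added example and is not the plugin's own code: it mirrors the "redirected to the set-up page" test by asking each region for its recorders, recorder status and delivery channel, and mirrors 1-click setup by creating a recorder, a delivery channel and starting recording. The boto3 operation names used (describe_configuration_recorders, describe_configuration_recorder_status, describe_delivery_channels, put_configuration_recorder, put_delivery_channel, start_configuration_recorder) are real ConfigService operations; the function names, the FakeConfigClient and its sample responses, the role ARN, bucket name and account ID are constructed for this example so it runs offline.

```python
"""Per-region AWS Config recorder check and fix (added example, not the plugin's code).

FakeConfigClient, the sample responses, the role ARN, bucket name and account ID
are constructed for this example; the boto3 operation names are real.
"""


def evaluate_region(client):
    """Return a finding for one region. FAIL mirrors the console redirect to set-up."""
    recorders = client.describe_configuration_recorders().get("ConfigurationRecorders", [])
    statuses = client.describe_configuration_recorder_status().get("ConfigurationRecordersStatus", [])
    channels = client.describe_delivery_channels().get("DeliveryChannels", [])

    if not recorders:
        return {"status": "FAIL", "reason": "no configuration recorder in region"}
    if not channels:
        return {"status": "FAIL", "reason": "recorder exists but no delivery channel, nothing is delivered"}
    status_by_name = {s["name"]: s for s in statuses}
    for rec in recorders:
        st = status_by_name.get(rec["name"])
        if st is None or not st.get("recording"):
            return {"status": "FAIL", "reason": f"recorder {rec['name']} is not recording"}
        if st.get("lastStatus") == "Failure":
            return {"status": "WARN", "reason": f"recorder {rec['name']} last delivery failed"}
    if not recorders[0].get("recordingGroup", {}).get("allSupported"):
        return {"status": "WARN", "reason": "recorder does not cover all supported resource types"}
    return {"status": "PASS", "reason": "recorder enabled and recording"}


def remediate_region(client, role_arn, bucket, name="default"):
    """What 1-click setup does: recorder first (AWS requires it before a channel), then start."""
    client.put_configuration_recorder(ConfigurationRecorder={
        "name": name, "roleARN": role_arn,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    })
    client.put_delivery_channel(DeliveryChannel={"name": name, "s3BucketName": bucket})
    client.start_configuration_recorder(ConfigurationRecorderName=name)
    return name


class FakeConfigClient:
    """Constructed stand-in for boto3.client('config') so the example runs offline."""

    def __init__(self, recorders=None, statuses=None, channels=None):
        self.recorders = list(recorders or [])
        self.statuses = list(statuses or [])
        self.channels = list(channels or [])
        self.calls = []  # records the order of write calls for inspection

    def describe_configuration_recorders(self, **kw):
        return {"ConfigurationRecorders": self.recorders}

    def describe_configuration_recorder_status(self, **kw):
        return {"ConfigurationRecordersStatus": self.statuses}

    def describe_delivery_channels(self, **kw):
        return {"DeliveryChannels": self.channels}

    def put_configuration_recorder(self, ConfigurationRecorder):
        self.calls.append("put_configuration_recorder")
        self.recorders = [ConfigurationRecorder]
        self.statuses = [{"name": ConfigurationRecorder["name"], "recording": False}]

    def put_delivery_channel(self, DeliveryChannel):
        self.calls.append("put_delivery_channel")
        if not self.recorders:  # the real service rejects a channel with no recorder
            raise RuntimeError("NoAvailableConfigurationRecorderException")
        self.channels = [DeliveryChannel]

    def start_configuration_recorder(self, ConfigurationRecorderName):
        self.calls.append("start_configuration_recorder")
        for s in self.statuses:
            if s["name"] == ConfigurationRecorderName:
                s["recording"], s["lastStatus"] = True, "Pending"


# Constructed sample regions: one untouched (would redirect to set-up), one healthy.
EXAMPLE_ROLE = "arn:aws:iam::123456789012:role/example-config-role"
EXAMPLE_BUCKET = "example-config-bucket"
EMPTY_REGION = FakeConfigClient()
HEALTHY_REGION = FakeConfigClient(
    recorders=[{"name": "default", "roleARN": EXAMPLE_ROLE,
                "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
    statuses=[{"name": "default", "recording": True, "lastStatus": "Success"}],
    channels=[{"name": "default", "s3BucketName": EXAMPLE_BUCKET}],
)


def scan_live_account(regions):
    """Run the check against real regions (needs boto3 and credentials; not used offline)."""
    import boto3  # imported lazily so the offline example does not require it
    return {r: evaluate_region(boto3.client("config", region_name=r)) for r in regions}


if __name__ == "__main__":
    print("empty region  :", evaluate_region(EMPTY_REGION))
    remediate_region(EMPTY_REGION, EXAMPLE_ROLE, EXAMPLE_BUCKET)
    print("after fix     :", evaluate_region(EMPTY_REGION))
    print("healthy region:", evaluate_region(HEALTHY_REGION))
```

Run `scan_live_account(["us-east-1", "eu-west-1", ...])` with credentials to reproduce the console check across regions; a region with a recorder but no delivery channel, or a stopped recorder, is reported as FAIL because in both cases no change history is being written, which is the same gap the console procedure flags.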