Amazon Config controls - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Config controls

These controls are related to Amazon Config resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording

Related requirements: CIS Amazon Foundations Benchmark v1.2.0/2.5, CIS Amazon Foundations Benchmark v1.4.0/3.5, CIS Amazon Foundations Benchmark v3.0.0/3.3, NIST.800-53.r5 CM-3, NIST.800-53.r5 CM-6(1), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(2), PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/11.5

Category: Identify > Inventory

Severity: Medium

Resource type: AWS::::Account

Amazon Config rule: None (custom Security Hub rule)

Schedule type: Periodic

Parameters: None

This control checks whether Amazon Config is enabled in your account in the current Amazon Web Services Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked Amazon Config role. If you don't use the service-linked role, the control fails because other roles might not have the necessary permissions for Amazon Config to accurately record your resources.

The Amazon Config service performs configuration management of supported Amazon resources in your account and delivers log files to you. The recorded information includes the configuration item (Amazon resource), relationships between configuration items, and any configuration changes within resources. Global resources are resources that are available in any Region.

The control is evaluated as follows:

  • If the current Region is set as your aggregation Region, the control produces PASSED findings only if Amazon Identity and Access Management (IAM) global resources are recorded (if you have enabled controls that require them).

  • If the current Region is set as a linked Region, the control doesn’t evaluate whether IAM global resources are recorded.

  • If the current Region isn’t in your aggregator, or if cross-Region aggregation isn’t set up in your account, the control produces PASSED findings only if IAM global resources are recorded (if you have enabled controls that require them).

Control results aren't impacted by whether you choose daily or continuous recording of changes in resource state in Amazon Config. However, the results of this control can change when new controls are released if you have configured automatic enablement of new controls or have a central configuration policy that automatically enables new controls. In these cases, if you don't record all resources, you must configure recording for resources that are associated with new controls in order to receive a PASSED finding.

Security Hub security checks work as intended only if you enable Amazon Config in all Regions and configure resource recording for controls that require it.

Note

Config.1 requires that Amazon Config is enabled in all Regions in which you use Security Hub.

Since Security Hub is a Regional service, the check performed for this control evaluates only the current Region for the account.

To allow security checks against IAM global resources in a Region, you must record IAM global resources in that Region. Regions that don’t have IAM global resources recorded will receive a default PASSED finding for controls that check IAM global resources. Since IAM global resources are identical across Amazon Web Services Regions, we recommend that you record IAM global resources in only the home Region (if cross-Region aggregation is enabled in your account). IAM resources will be recorded only in the Region in which global resource recording is turned on.

The IAM globally recorded resource types that Amazon Config supports are IAM users, groups, roles, and customer managed policies. You can consider disabling Security Hub controls that check these resource types in Regions where global resource recording is turned off. For more information, see Security Hub controls that you might want to disable.

Remediation

For a list of which resources must be recorded for each control, see Amazon Config resources required to generate control findings.

In the home Region and Regions that aren’t part of an aggregator, record all resources that are required for controls that are enabled in the current Region, including IAM global resources if you have enabled controls that require IAM global resources.

In linked Regions, you can use any Amazon Config recording mode, as long as you are recording all resources that correspond to controls that are enabled in the current Region. In linked Regions, if you have controls enabled that require recording of IAM global resources, you won’t receive a FAILED finding (your recording of other resources is sufficient).
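As an added illustration (not Security Hub's own implementation), the following Python models the evaluation rules and the home/linked Region remediation guidance above: recorder on, service-linked role in use, every required resource type recorded, and IAM global resources exempt only in linked Regions. The RecorderState shape, the region_role labels and the sample recorder values are assumptions constructed for this example; the resource type names and the service-linked role path are the real ones.

```python
from dataclasses import dataclass, field

# IAM global resource types that Amazon Config records (listed on the page).
IAM_GLOBAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Group",
                    "AWS::IAM::Role", "AWS::IAM::Policy"}
# ARN path of the Amazon Config service-linked role.
SLR_SUFFIX = "/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"


@dataclass
class RecorderState:
    """Simplified view of one Region's configuration recorder (assumed shape)."""
    recording: bool                      # recorder status: currently recording?
    role_arn: str                        # IAM role the recorder assumes
    all_supported: bool = False          # recording group: allSupported
    include_global_types: bool = False   # recording group: includeGlobalResourceTypes
    resource_types: set = field(default_factory=set)  # explicit resourceTypes list

    def records(self, rtype: str) -> bool:
        """Does this recorder capture the given resource type?"""
        if self.all_supported:
            return self.include_global_types or rtype not in IAM_GLOBAL_TYPES
        return rtype in self.resource_types


def evaluate(state: RecorderState, required_types: set, region_role: str):
    """Approximate Config.1. region_role is 'home' (aggregation Region),
    'linked', or 'none' (no aggregator, or Region not in it).
    Returns ('PASSED' | 'FAILED', list of reasons)."""
    reasons = []
    if not state.recording:
        reasons.append("Amazon Config is not recording in this Region")
    if not state.role_arn.endswith(SLR_SUFFIX):
        reasons.append("recorder does not use the service-linked role")
    for rtype in sorted(required_types):
        # Linked Regions are not evaluated for IAM global resources.
        if rtype in IAM_GLOBAL_TYPES and region_role == "linked":
            continue
        if not state.records(rtype):
            reasons.append(f"required resource type not recorded: {rtype}")
    return ("PASSED" if not reasons else "FAILED", reasons)


# Constructed sample data (documentation example account ID, hypothetical role name).
SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
           "config.amazonaws.com/AWSServiceRoleForConfig")
REQUIRED = {"AWS::IAM::User", "AWS::EC2::SecurityGroup"}
CUSTOM_ROLE = RecorderState(True, "arn:aws:iam::111122223333:role/MyConfigRole",
                            resource_types=set(REQUIRED))
LINKED_NO_IAM = RecorderState(True, SLR_ARN, resource_types={"AWS::EC2::SecurityGroup"})
```

Running evaluate(LINKED_NO_IAM, REQUIRED, "linked") passes while the same recorder evaluated with "none" fails, which is exactly the home-versus-linked distinction the remediation text draws.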

To enable Amazon Config and configure it to record resources, see Setting up Amazon Config with the console in the Amazon Config Developer Guide. You can also use an Amazon CloudFormation template to automate this process. For more information, see Amazon CloudFormation StackSets sample templates in the Amazon CloudFormation User Guide.