Overview
AWS Config is foundational for compliance monitoring. If recording is disabled or incomplete, many controls become blind.
What this control should detect
Accounts/regions where Config recording is disabled, delivery channel is missing, or recording scope is incomplete.
Remediation guidance
AWS Remediation
Service-Wide (Recommended)
Use AWS Organizations and baseline guardrails to enforce Config recorder and delivery channel in all required regions.
Console (Asset-Level)
- Open AWS Config Console.
- Configure recorder for all supported resources.
- Configure a delivery channel (an S3 bucket is required; an SNS topic is optional).
- Start recorder and verify status is Recording.
AWS CLI (Asset-Level)
Quote the recorder argument so the shell does not brace-expand the {...} recording group, and replace the placeholders with the Config service role ARN and an existing bucket.
aws configservice put-configuration-recorder --configuration-recorder 'name=default,roleARN=<role-arn>,recordingGroup={allSupported=true,includeGlobalResourceTypes=true}'
aws configservice put-delivery-channel --delivery-channel 'name=default,s3BucketName=<config-bucket-name>'
aws configservice start-configuration-recorder --configuration-recorder-name default
References
- https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html
Query logic
These are the stored checks tied to this control.
Config recorders not fully enabled
- Connectors: AWS
- Covered asset types:
- Expected check: eq [] (the query must return no assets)
- Query: { configurationRecorders(where: { OR: [ { recording: false }, { allSupported: false }, { includeGlobalResourceTypes: false } ] }) { ...AssetFragment } }
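The same three conditions as the stored check above, plus the missing-recorder and missing-delivery-channel cases named under "What this control should detect", as an added Python example (not code from the original page or from the platform that publishes this control). The input shape follows boto3's describe_configuration_recorders, describe_configuration_recorder_status and describe_delivery_channels responses; the sample snapshot, account id and bucket name are constructed, and the boto3 collector assumes installed and credentialed boto3.

```python
"""Evaluate AWS Config recorder coverage per region.

Added example; not code from the original control page. It implements the
conditions of the stored check (recording false, allSupported false,
includeGlobalResourceTypes false) and also flags a missing recorder or
delivery channel. Inputs are shaped like boto3 ConfigService responses;
the sample data at the bottom is constructed.
"""


def evaluate_region(region, recorders, statuses, channels):
    """Return a list of finding strings for one region (empty list = compliant)."""
    findings = []
    if not recorders:
        findings.append(f"{region}: no configuration recorder")
    if not channels:
        findings.append(f"{region}: no delivery channel")
    status_by_name = {s["name"]: s for s in statuses}
    for rec in recorders:
        name = rec["name"]
        group = rec.get("recordingGroup", {})
        status = status_by_name.get(name, {})
        if not status.get("recording", False):
            findings.append(f"{region}: recorder '{name}' is not recording")
        if not group.get("allSupported", False):
            findings.append(f"{region}: recorder '{name}' does not record all supported types")
        if not group.get("includeGlobalResourceTypes", False):
            findings.append(f"{region}: recorder '{name}' excludes global resource types")
        if status.get("lastStatus") == "Failure":
            findings.append(
                f"{region}: recorder '{name}' last run failed: {status.get('lastErrorMessage', '')}"
            )
    return findings


def evaluate_account(snapshot):
    """snapshot: {region: (recorders, statuses, channels)} -> {region: findings}."""
    return {region: evaluate_region(region, *data) for region, data in snapshot.items()}


def collect_region(region):
    """Fetch live data for one region with boto3 (assumed installed and credentialed).

    boto3 is imported lazily so the evaluation above runs offline without it.
    """
    import boto3

    cfg = boto3.client("config", region_name=region)
    return (
        cfg.describe_configuration_recorders()["ConfigurationRecorders"],
        cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
        cfg.describe_delivery_channels()["DeliveryChannels"],
    )


# Constructed sample: one compliant region, one partially configured, one untouched.
SAMPLE_SNAPSHOT = {
    "us-east-1": (
        [{"name": "default",
          "roleARN": "arn:aws:iam::111122223333:role/config-role",  # constructed ARN
          "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
        [{"name": "default", "recording": True, "lastStatus": "Success"}],
        [{"name": "default", "s3BucketName": "example-config-bucket"}],
    ),
    "eu-west-1": (
        [{"name": "default",
          "roleARN": "arn:aws:iam::111122223333:role/config-role",
          "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                             "resourceTypes": ["AWS::EC2::Instance"]}}],
        [{"name": "default", "recording": True, "lastStatus": "Success"}],
        [{"name": "default", "s3BucketName": "example-config-bucket"}],
    ),
    "ap-southeast-2": ([], [], []),
}

if __name__ == "__main__":
    for region, findings in evaluate_account(SAMPLE_SNAPSHOT).items():
        print(region, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To run against a real account, replace SAMPLE_SNAPSHOT with {region: collect_region(region) for region in your enabled regions}. One caveat when reading the output: AWS recommends recording global resource types (IAM and similar) in a single region to avoid duplicate configuration items, so the includeGlobalResourceTypes finding is expected in every region except the one you designate for them; treat that region's flag as the one that must be set and allowlist the rest.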