
Ensure AWS Config is enabled in all regions

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers configuration history and snapshot files to you. The recorded information includes each configuration item (an AWS resource), the relationships between configuration items, and the configuration changes made to those resources over time. It is recommended that AWS Config be enabled in all regions.

Category

Controls

Low

Applies to

AWS

Coverage

1 query

Asset types

1 covered


Rationale

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Remediation guidance

AWS Remediation

Service-wide fix (recommended): deploy the same AWS Config baseline in every required region and account through your landing zone, StackSets, or account factory process.

Console

  1. Open AWS Config in the affected region.
  2. Go to Settings.
  3. Configure recording for all required resources.
  4. Include global IAM resource types if your baseline requires them. Record global resource types in only one region (typically your home region); enabling them in every region produces duplicate configuration items for the same IAM resources.
  5. Choose an approved S3 delivery bucket and optional SNS topic.
  6. Start the recorder and verify it is recording.

AWS CLI

Create or update the recorder (AWS Config is regional, so repeat each of the following commands with --region <region> for every enabled region):

aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=<role-arn> \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

Passing the recording group as a nested recordingGroup={...} value inside --configuration-recorder is valid CLI shorthand, but an unquoted brace-and-comma string is subject to shell brace expansion in bash, so the separate --recording-group option is the safer form. Set includeGlobalResourceTypes=true in one region only.

Create or update the delivery channel:

aws configservice put-delivery-channel \
  --delivery-channel name=default,s3BucketName=<config-bucket-name>

Start the recorder:

aws configservice start-configuration-recorder \
  --configuration-recorder-name default

Validate the status (expect recording: true and lastStatus: SUCCESS once the first delivery has completed; lastStatus: FAILURE with a lastErrorMessage usually means the service role or bucket policy is wrong):

aws configservice describe-configuration-recorder-status
aws configservice describe-configuration-recorders

Operational notes

  • The older aws configservice subscribe workflow is obsolete for most modern AWS Config setups. Use put-configuration-recorder, put-delivery-channel, and start-configuration-recorder.
  • AWS Config is regional. A working recorder in one region does not cover the others.
  • The destination S3 bucket policy and the AWS Config service role must allow delivery. Otherwise the recorder exists and reports recording: true but describe-configuration-recorder-status shows lastStatus: FAILURE, and no configuration history reaches the bucket. A check that only looks for the existence of a recorder misses this case.
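The CLI steps above verify one region at a time. The following is an added example (not Cyscale's or AWS's own code) that applies the same control across every enabled region and, per the operational notes, treats a recorder that exists but is stopped or failing delivery as non-compliant. The evaluation logic is pure and runs offline against constructed sample API responses embedded below; the `audit_account` function at the end is the live variant and assumes boto3 is installed with credentials allowing `ec2:DescribeRegions` and `config:Describe*`. The sample account IDs, bucket name and error message are constructed.

```python
"""Audit every enabled region for a working AWS Config recorder.

Added example, not part of the original page. The evaluate_* functions run
offline on the constructed sample responses; audit_account() is the live
variant and assumes boto3 plus credentials with ec2:DescribeRegions and
config:Describe* permissions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RegionFinding:
    region: str
    problems: list[str] = field(default_factory=list)
    records_global: bool = False  # includeGlobalResourceTypes on the recorder

    @property
    def compliant(self) -> bool:
        return not self.problems


def evaluate_region(region: str, recorders: list[dict], statuses: list[dict],
                    channels: list[dict]) -> RegionFinding:
    """Apply the control to one region.

    The three lists are the 'ConfigurationRecorders', 'ConfigurationRecordersStatus'
    and 'DeliveryChannels' arrays returned by describe-configuration-recorders,
    describe-configuration-recorder-status and describe-delivery-channels.
    """
    finding = RegionFinding(region)
    if not recorders:
        finding.problems.append("no configuration recorder")
        return finding
    if not channels:
        finding.problems.append("no delivery channel")

    recorder = recorders[0]  # AWS Config allows one recorder per region
    group = recorder.get("recordingGroup", {})
    finding.records_global = bool(group.get("includeGlobalResourceTypes"))
    records_something = bool(
        group.get("allSupported")
        or group.get("resourceTypes")
        or group.get("exclusionByResourceTypes", {}).get("resourceTypes")
    )
    if not records_something:
        finding.problems.append("recorder records no resource types")

    status = next((s for s in statuses if s.get("name") == recorder.get("name")), None)
    if status is None or not status.get("recording"):
        finding.problems.append("recorder is stopped")
    elif status.get("lastStatus") == "FAILURE":
        # Recorder is running but cannot deliver: service role or bucket policy.
        msg = status.get("lastErrorMessage") or status.get("lastErrorCode") or "unknown"
        finding.problems.append(f"last delivery failed: {msg}")
    return finding


def noncompliant_regions(findings: list[RegionFinding]) -> list[str]:
    """The control's own check: this list must equal [] for a pass."""
    return [f.region for f in findings if not f.compliant]


def check_global_coverage(findings: list[RegionFinding]) -> str | None:
    """Global (IAM) resource types should be recorded in exactly one region."""
    regions = [f.region for f in findings if f.records_global]
    if len(regions) == 1:
        return None
    if not regions:
        return "no region records global resource types"
    return "global resource types recorded in more than one region: " + ", ".join(regions)


# Constructed sample responses (account ID, bucket and error text are made up).
SAMPLE_RESPONSES = {
    "us-east-1": (  # healthy recorder, home region for global resources
        [{"name": "default", "roleARN": "arn:aws:iam::111122223333:role/aws-config-role",
          "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
        [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
        [{"name": "default", "s3BucketName": "example-config-bucket"}],
    ),
    "eu-west-1": (  # recorder running, but the bucket policy rejects delivery
        [{"name": "default", "roleARN": "arn:aws:iam::111122223333:role/aws-config-role",
          "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}],
        [{"name": "default", "recording": True, "lastStatus": "FAILURE",
          "lastErrorMessage": "Insufficient delivery policy to s3 bucket: example-config-bucket"}],
        [{"name": "default", "s3BucketName": "example-config-bucket"}],
    ),
    "ap-southeast-2": ([], [], []),  # AWS Config never set up here
}


def run_sample() -> list[RegionFinding]:
    return [evaluate_region(region, *data) for region, data in SAMPLE_RESPONSES.items()]


def audit_account(session=None) -> list[RegionFinding]:
    """Live variant: loop over all enabled regions of the account."""
    import boto3  # assumption: boto3 installed, credentials configured

    session = session or boto3.session.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions(AllRegions=False)["Regions"]]
    findings = []
    for region in regions:
        cfg = session.client("config", region_name=region)
        findings.append(evaluate_region(
            region,
            cfg.describe_configuration_recorders()["ConfigurationRecorders"],
            cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
            cfg.describe_delivery_channels()["DeliveryChannels"],
        ))
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f.region, "OK" if f.compliant else "; ".join(f.problems))
    print("non-compliant:", noncompliant_regions(run_sample()))
```

Running the sample flags eu-west-1 (delivery failing) and ap-southeast-2 (no recorder) while us-east-1 passes, and the global-resource check is satisfied because only us-east-1 has includeGlobalResourceTypes set. Swap `run_sample()` for `audit_account()` to run it against a real account.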

References

  • https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html
  • https://docs.aws.amazon.com/config/latest/developerguide/managing-recorder_console-start.html
  • https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html

Query logic

These are the stored checks tied to this control.

AWS Config is enabled in all regions

Connectors

AWS

Covered asset types

Connector

Expected check: eq [] (the query returns the regions in which AWS Config is not enabled; the control passes only when that list is empty)

© 2026 Cyscale Limited