AWS Config controls - AWS Security Hub

AWS Config controls

These controls are related to AWS Config resources.

These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.

[Config.1] AWS Config should be enabled

Related requirements: PCI DSS v3.2.1/10.5.2,PCI DSS v3.2.1/11.5, CIS AWS Foundations Benchmark v1.2.0/2.5, CIS AWS Foundations Benchmark v1.4.0/3.5, NIST.800-53.r5 CM-3, NIST.800-53.r5 CM-6(1), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(2)

Category: Identify > Inventory

Severity: Medium

Resource type: AWS::::Account

AWS Config rule: None (custom Security Hub rule)

Schedule type: Periodic

Parameters: None

This control checks whether AWS Config is enabled in your account in the current Region and is recording all resources. The control fails if AWS Config isn't enabled or isn't recording all resources.

The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources.

Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.


Config.1 requires that AWS Config is enabled in all Regions in which you use Security Hub.

Because Security Hub is a Regional service, the check performed for this control checks only the current Region for the account. It does not check all Regions.

To allow security checks against global resources in each Region, you also must record global resources. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

The globally recorded resource types that AWS Config supports are IAM users, groups, roles, and customer managed policies. You can consider disabling Security Hub controls that check these resource types in Regions where global resource recording is turned off. Since IAM is a global service, IAM resources will only be recorded in the Region in which global resource recording is turned on. For more information, see Security Hub controls that you might want to disable.


To enable AWS Config and configure it to record all resources, see Manual setup in the AWS Config Developer Guide. To record global resources and ensure no resource types are excluded, select All resources with customizable overrides. Remove any Override settings, and set the recording frequency to Continuous recording.

You can also use an AWS CloudFormation template to automate this process. For more information, see the AWS CloudFormation StackSets sample templates in the AWS CloudFormation User Guide.