Security Hub controls for AWS Config
These Security Hub controls evaluate the AWS Config service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[Config.1] AWS Config should be enabled and use the service-linked role for resource recording
Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.5, CIS AWS Foundations Benchmark v1.4.0/3.5, CIS AWS Foundations Benchmark v3.0.0/3.3, NIST.800-53.r5 CM-3, NIST.800-53.r5 CM-6(1), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(2), PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/11.5
Category: Identify > Inventory
Severity: Medium
Resource type: AWS::::Account
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic
Parameters:
Parameter | Description | Type | Allowed custom values | Security Hub default value
---|---|---|---|---
includeConfigServiceLinkedRoleCheck | The control doesn’t evaluate whether AWS Config uses the service-linked role if the parameter is set to false. | Boolean | true or false | true
This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role. The name of the service-linked role is AWSServiceRoleForConfig. If you don't use the service-linked role and don't set the includeConfigServiceLinkedRoleCheck parameter to false, the control fails because other roles might not have the necessary permissions for AWS Config to accurately record your resources.
The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes within resources. Global resources are resources that are available in any Region.
The control is evaluated as follows:
- If the current Region is set as your aggregation Region, the control produces PASSED findings only if AWS Identity and Access Management (IAM) global resources are recorded (if you have enabled controls that require them).
- If the current Region is set as a linked Region, the control doesn’t evaluate whether IAM global resources are recorded.
- If the current Region isn’t in your aggregator, or if cross-Region aggregation isn’t set up in your account, the control produces PASSED findings only if IAM global resources are recorded (if you have enabled controls that require them).
Control results aren't impacted by whether you choose daily or continuous recording of changes in resource state in AWS Config. However, the results of this control can change when new controls are released if you have configured automatic enablement of new controls or have a central configuration policy that automatically enables new controls. In these cases, if you don't record all resources, you must configure recording for resources that are associated with new controls in order to receive a PASSED finding.
Security Hub security checks work as intended only if you enable AWS Config in all Regions and configure resource recording for controls that require it.
Note
Config.1 requires that AWS Config is enabled in all Regions in which you use Security Hub.
Since Security Hub is a Regional service, the check performed for this control evaluates only the current Region for the account.
To allow security checks against IAM global resources in a Region, you must record IAM global resources in that Region. Regions that don’t have IAM global resources recorded will receive a default PASSED finding for controls that check IAM global resources. Since IAM global resources are identical across AWS Regions, we recommend that you record IAM global resources in only the home Region (if cross-Region aggregation is enabled in your account). IAM resources will be recorded only in the Region in which global resource recording is turned on.
The IAM globally recorded resource types that AWS Config supports are IAM users, groups, roles, and customer managed policies. You can consider disabling Security Hub controls that check these resource types in Regions where global resource recording is turned off. For more information, see Suggested controls to disable in Security Hub.
Remediation
For a list of which resources must be recorded for each control, see Required AWS Config resources for Security Hub control findings.
In the home Region and Regions that aren’t part of an aggregator, record all resources that are required for controls that are enabled in the current Region, including IAM global resources if you have enabled controls that require IAM global resources.
In linked Regions, you can use any AWS Config recording mode, as long as you are recording all resources that correspond to controls that are enabled in the current Region. In linked Regions, if you have controls enabled that require recording of IAM global resources, you won’t receive a FAILED finding (your recording of other resources is sufficient).
To enable AWS Config and configure it to record resources, see Setting up AWS Config with the console in the AWS Config Developer Guide. You can also use an AWS CloudFormation template to automate this process. For more information, see AWS CloudFormation StackSets sample templates in the AWS CloudFormation User Guide.
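The following is an added example, not code from the AWS documentation or from Security Hub itself. It covers two parts of this page: the evaluation logic described under "The control is evaluated as follows" (recorder enabled, service-linked role, required resource types, IAM global resources only in the home or standalone Region, includeConfigServiceLinkedRoleCheck honoured, recording mode ignored), and the remediation step of building a put_configuration_recorder request that uses AWSServiceRoleForConfig. The recorder and status dictionaries mirror the shape of the describe_configuration_recorders and describe_configuration_recorder_status responses but are constructed here; the account ID 111122223333 is a placeholder, the service-linked role path under role/aws-service-role/config.amazonaws.com/ is an assumption, and the required resource type list is a constructed sample rather than the real per-control list.

```python
"""Added example: offline check mirroring the Config.1 logic, plus a helper that
builds the put_configuration_recorder request the remediation section calls for.
Not AWS code; response shapes and sample values are constructed for illustration."""

SERVICE_LINKED_ROLE = "AWSServiceRoleForConfig"
# Assumed IAM path of the service-linked role (placeholder account ID).
SLR_ARN_TEMPLATE = (
    "arn:aws:iam::{account}:role/aws-service-role/config.amazonaws.com/"
    + SERVICE_LINKED_ROLE
)
# Constructed sample of resource types that enabled controls need in this Region.
REQUIRED_TYPES = ["AWS::S3::Bucket", "AWS::IAM::Role"]


def uses_service_linked_role(role_arn):
    """True when the recorder role is AWSServiceRoleForConfig (any account)."""
    return role_arn.endswith("/" + SERVICE_LINKED_ROLE)


def records_required_types(recording_group, required_types):
    """All-supported recording covers everything; otherwise every required
    type must be in the explicit resourceTypes list."""
    if recording_group.get("allSupported"):
        return True
    return set(required_types) <= set(recording_group.get("resourceTypes", []))


def evaluate_config1(recorders, statuses, region_role, required_types=REQUIRED_TYPES,
                     include_slr_check=True):
    """Return (status, reasons) for one Region.

    region_role: 'home' (aggregation Region), 'linked' (linked Region), or
    'standalone' (not in an aggregator / no cross-Region aggregation).
    include_slr_check mirrors the includeConfigServiceLinkedRoleCheck parameter.
    recordingMode (daily vs continuous) is deliberately ignored, as on the page.
    """
    if not recorders:
        return "FAILED", ["no AWS Config recorder exists in this Region"]
    recorder = recorders[0]
    reasons = []
    status = next((s for s in statuses if s.get("name") == recorder["name"]), None)
    if status is None or not status.get("recording"):
        reasons.append("recorder is not recording")
    if include_slr_check and not uses_service_linked_role(recorder["roleARN"]):
        reasons.append("recorder does not use " + SERVICE_LINKED_ROLE)
    group = recorder.get("recordingGroup", {})
    if not records_required_types(group, required_types):
        reasons.append("recorder does not record all resources required by enabled controls")
    # IAM global resources are evaluated only outside linked Regions.
    if region_role in ("home", "standalone") and not group.get("includeGlobalResourceTypes"):
        reasons.append("IAM global resources are not recorded")
    return ("PASSED" if not reasons else "FAILED"), reasons


def build_recorder_request(account_id, region_role, name="default"):
    """Keyword arguments for boto3 configservice.put_configuration_recorder():
    service-linked role, all supported types, and IAM global types only where
    the page recommends them (home or standalone Region, not linked Regions)."""
    return {
        "ConfigurationRecorder": {
            "name": name,
            "roleARN": SLR_ARN_TEMPLATE.format(account=account_id),
            "recordingGroup": {
                "allSupported": True,
                "includeGlobalResourceTypes": region_role != "linked",
            },
        }
    }


# Constructed sample responses (placeholder account ID).
RECORDERS_OK = [{
    "name": "default",
    "roleARN": SLR_ARN_TEMPLATE.format(account="111122223333"),
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
}]
RECORDERS_CUSTOM_ROLE = [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/MyConfigRole",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False},
}]
STATUS_OK = [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]
STATUS_STOPPED = [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}]


if __name__ == "__main__":
    for label, recs, sts, role in [
        ("home, service-linked role", RECORDERS_OK, STATUS_OK, "home"),
        ("home, custom role", RECORDERS_CUSTOM_ROLE, STATUS_OK, "home"),
        ("linked, custom role, SLR check off", RECORDERS_CUSTOM_ROLE, STATUS_OK, "linked"),
        ("home, recorder stopped", RECORDERS_OK, STATUS_STOPPED, "home"),
    ]:
        print(label, evaluate_config1(recs, sts, role,
                                      include_slr_check=(role != "linked")))
    print(build_recorder_request("111122223333", "home"))
```

To run the same logic against a live account, feed the ConfigurationRecorders and ConfigurationRecordersStatus lists from boto3's describe_configuration_recorders and describe_configuration_recorder_status calls into evaluate_config1, and pass the dictionary from build_recorder_request to put_configuration_recorder before calling start_configuration_recorder (a delivery channel is still needed, as the Setting up AWS Config guide linked above describes).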