AWS Config enabled
Check ID: aws-cfg-001
AWS-CFG-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether AWS Config is enabled in each scanned region. Without Config, there is no configuration history or change tracking.
Why it matters
AWS Config maintains a configuration history for every resource in your account, recording what changed, when it changed, and who made the change. Without Config, you lose the ability to perform drift detection, compliance auditing, and historical investigation of security incidents. When an engineer asks "what changed on this resource last Tuesday?" you will have no answer. AWS Config is also the foundation for Config Rules, which can automatically evaluate resources against security baselines and trigger auto-remediation. Most compliance frameworks (SOC 2, HIPAA, PCI-DSS) require continuous configuration monitoring, which Config provides out of the box.
Common causes
AWS Config is not enabled because it incurs per-resource-item charges that teams want to avoid, especially in accounts with many resources. Account provisioning automation may skip Config setup because it requires an S3 bucket, IAM role, and delivery channel - more complex than a single API call. Teams that rely solely on CloudTrail for auditing may not understand that Config provides a different type of visibility focused on resource configuration state rather than API calls.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
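The logic behind this check, as an added Python example (not cloud-audit's own code): it evaluates the two AWS Config API responses for a region and flags both a missing recorder and one that exists but is not recording; the boto3 wiring and the sample responses are assumptions.

```python
# Added illustration of what AWS-CFG-001 evaluates (not cloud-audit's own code):
# evaluate_region() is a pure function over the response shapes of the two
# describe_configuration_recorder* calls, so it runs offline on constructed data.


def evaluate_region(region, recorders, statuses):
    """Return a finding dict for one region, or None if Config is recording."""
    if not recorders:
        return {"region": region, "reason": "no configuration recorder"}
    running = {s["name"] for s in statuses if s.get("recording")}
    # put-configuration-recorder creates a recorder but leaves it stopped; only
    # start-configuration-recorder turns recording on, so stopped is a finding too.
    stopped = [r["name"] for r in recorders if r["name"] not in running]
    if stopped:
        return {"region": region,
                "reason": "recorder not recording: " + ", ".join(stopped)}
    return None


def collect_region(region):
    """Query one live region with boto3 (assumed installed, default creds)."""
    import boto3  # lazy import keeps evaluate_region() dependency-free
    cfg = boto3.client("config", region_name=region)
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    return evaluate_region(region, recorders, statuses)


# Constructed sample responses, not captured from a real account.
SAMPLE = {
    "us-east-1": ([{"name": "default"}], [{"name": "default", "recording": True}]),
    "eu-west-1": ([], []),
    "ap-south-1": ([{"name": "default"}], [{"name": "default", "recording": False}]),
}


def scan(samples=SAMPLE):
    """Return findings for every region where Config is not recording."""
    findings = []
    for region, (recorders, statuses) in samples.items():
        finding = evaluate_region(region, recorders, statuses)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[AWS-CFG-001] {f['region']}: {f['reason']}")
```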
Remediation: AWS CLI
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::ACCOUNT_ID:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig --recording-group allSupported=true,includeGlobalResourceTypes=true --region REGION
Remediation: Terraform
resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →