HIGH Config

Config recorder active

Check ID: aws-cfg-002

AWS-CFG-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether AWS Config recorders are actively recording; a recorder that exists but is stopped provides no protection.

Why it matters

A Config recorder that exists but is stopped creates a dangerous false sense of security - teams believe configuration changes are being tracked when they are not. This gap often occurs after cost-cutting exercises where Config recording is disabled to save on the per-resource-item charge (approximately $0.003 per item recorded). During this gap, configuration drift, unauthorized changes, and compliance violations accumulate silently. When an incident occurs, investigators discover the recording gap and lose critical evidence. Re-enabling the recorder does not backfill missing history. The cost of Config recording (typically $50-200/month for most accounts) is negligible compared to the cost of a missed compliance audit or undetected security incident.

Common causes

Config recorders get stopped during cost reduction exercises when teams identify the per-item charge as a quick savings target. Infrastructure changes or IAM permission issues can cause the recorder to stop silently, and without monitoring on the recorder status itself, nobody notices. Some teams stop the recorder temporarily during large-scale deployments to avoid a spike in recorded changes and forget to restart it afterward.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
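The logic behind this check, written as an added example (not cloud-audit's own code) against the field names returned by the AWS Config API calls DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus. It also flags a recorder that is enabled but whose last status is FAILURE, which covers the silent-stop case described under Common causes; the sample responses and the account id in them are constructed.

```python
"""Evaluate AWS Config recorder status for check aws-cfg-002 (example code)."""
from dataclasses import dataclass
from typing import Any

@dataclass
class Finding:
    recorder: str  # recorder name, or "-" when no recorder exists
    reason: str

def evaluate_recorders(recorders: list[dict[str, Any]],
                       statuses: list[dict[str, Any]]) -> list[Finding]:
    """Apply the aws-cfg-002 logic to the ConfigurationRecorders and
    ConfigurationRecordersStatus lists from the AWS Config API.
    Returns one Finding per failing recorder, empty when all are healthy."""
    if not recorders:
        return [Finding("-", "no Config recorder exists in this region")]
    status_by_name = {s["name"]: s for s in statuses}
    findings: list[Finding] = []
    for rec in recorders:
        name = rec["name"]
        st = status_by_name.get(name, {})
        if not st.get("recording", False):
            # The case this check targets: recorder defined but stopped.
            findings.append(Finding(name, "recorder exists but is not recording"))
        elif st.get("lastStatus") == "FAILURE":
            # Recorder is on but its last attempt failed (e.g. IAM or delivery
            # problems), so history is silently not being captured either.
            code = st.get("lastErrorCode", "unknown")
            findings.append(Finding(name, f"recorder enabled but last status FAILURE ({code})"))
    return findings

def scan_region(region: str) -> list[Finding]:
    """Live check against one region; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so evaluate_recorders stays testable offline
    cfg = boto3.client("config", region_name=region)
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    return evaluate_recorders(recorders, statuses)

# Constructed sample responses (not captured from a real account).
SAMPLE_RECORDERS = [{"name": "default",
                     "roleARN": "arn:aws:iam::123456789012:role/example-config-role"}]
SAMPLE_STATUS_STOPPED = [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}]
SAMPLE_STATUS_HEALTHY = [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]
SAMPLE_STATUS_FAILED = [{"name": "default", "recording": True, "lastStatus": "FAILURE",
                         "lastErrorCode": "InsufficientDeliveryPolicyException"}]
```

Run `scan_region("us-east-1")` (or any region you use) with credentials that allow config:Describe* to check a live account; a non-empty result is a finding for this check.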

Remediation: AWS CLI

aws configservice start-configuration-recorder --configuration-recorder-name RECORDER_NAME --region REGION

Remediation: Terraform

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
}

This check is part of cloud-audit; install it with pip install cloud-audit.