Config changes alarm
Check ID: aws-cw-009
AWS-CW-009 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch metric filter and alarm exist to detect AWS Config configuration changes (StopConfigurationRecorder, DeleteDeliveryChannel). Without this alarm, compliance monitoring can be disabled without anyone noticing.
Why it matters
AWS Config continuously records resource configurations and evaluates compliance rules. If an attacker disables Config by stopping the configuration recorder or deleting the delivery channel, they can make infrastructure changes that violate compliance rules without any record or alert. This is especially dangerous in regulated environments where Config rules enforce PCI-DSS, HIPAA, or SOC 2 requirements. Disabling Config also removes the ability to see configuration history, making it impossible to determine what changed and when during incident response. AWS Config is often the only service tracking configuration drift from Terraform or CloudFormation desired state.
Common causes
Cost optimization efforts may disable Config in regions that appear unused, not realizing that an attacker could launch resources in those unmonitored regions. Terraform destroy operations can accidentally remove Config resources if the configuration recorder is managed as code. Teams testing Config rules in development may stop the recorder temporarily and forget to re-enable it.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
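To make the check's logic concrete, here is an added example in Python (not cloud-audit's own code) that evaluates the same condition offline: given the `metricFilters` list from `aws logs describe-metric-filters` and the `MetricAlarms` list from `aws cloudwatch describe-alarms`, it passes only if some filter pattern covers the three Config event names used in the remediation below and an alarm with an enabled action watches that filter's metric. The API responses are constructed sample data, and the SNS account id is a placeholder.

```python
import re

# The three Config event names matched by the CIS 4.9 filter pattern on this page.
REQUIRED_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                   "PutConfigurationRecorder"}
# Pulls every value compared against $.eventName out of a filter pattern.
EVENT_NAME_RE = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?')

def filter_covers_config_changes(pattern):
    """True if the filter pattern selects all required Config events."""
    if "$.eventSource" not in pattern or "config.amazonaws.com" not in pattern:
        return False
    return REQUIRED_EVENTS <= set(EVENT_NAME_RE.findall(pattern))

def evaluate_config_change_alarm(metric_filters, alarms):
    """Pass only if a covering filter feeds a metric watched by an alarm with an action.
    metric_filters: the 'metricFilters' list from describe-metric-filters;
    alarms: the 'MetricAlarms' list from describe-alarms."""
    metrics = set()
    for mf in metric_filters:
        if filter_covers_config_changes(mf.get("filterPattern", "")):
            for t in mf.get("metricTransformations", []):
                metrics.add((t["metricNamespace"], t["metricName"]))
    if not metrics:
        return {"passed": False, "reason": "no metric filter matches Config change events"}
    for alarm in alarms:
        if (alarm.get("Namespace"), alarm.get("MetricName")) not in metrics:
            continue
        if alarm.get("ActionsEnabled", True) and alarm.get("AlarmActions"):
            return {"passed": True, "reason": f"alarm {alarm['AlarmName']} notifies on {alarm['MetricName']}"}
        return {"passed": False, "reason": f"alarm {alarm['AlarmName']} has no enabled action"}
    return {"passed": False, "reason": "metric filter exists but no alarm watches its metric"}

# Constructed sample API responses (not from a real account; the account id is a placeholder).
GOOD_FILTERS = [{"filterName": "CIS-4.9",
    "filterPattern": "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutConfigurationRecorder)) }",
    "metricTransformations": [{"metricName": "CIS-4-9", "metricNamespace": "CISBenchmark", "metricValue": "1"}]}]
GOOD_ALARMS = [{"AlarmName": "CIS-4.9", "MetricName": "CIS-4-9", "Namespace": "CISBenchmark",
    "ActionsEnabled": True, "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:alerts"]}]
# A filter that only catches the recorder being stopped: a partial fix that still fails the check.
PARTIAL_FILTERS = [{"filterName": "config-stop",
    "filterPattern": "{ ($.eventSource = config.amazonaws.com) && ($.eventName = StopConfigurationRecorder) }",
    "metricTransformations": [{"metricName": "ConfigStop", "metricNamespace": "Custom", "metricValue": "1"}]}]

if __name__ == "__main__":
    print(evaluate_config_change_alarm(GOOD_FILTERS, GOOD_ALARMS))   # passes
    print(evaluate_config_change_alarm(PARTIAL_FILTERS, GOOD_ALARMS))  # fails: filter too narrow
    print(evaluate_config_change_alarm(GOOD_FILTERS, []))             # fails: no alarm
```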
Remediation: AWS CLI
# Create metric filter:
aws logs put-metric-filter \
  --log-group-name <CLOUDTRAIL_LOG_GROUP> \
  --filter-name CIS-4.9 \
  --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutConfigurationRecorder)) }' \
  --metric-transformations metricName=CIS-4-9,metricNamespace=CISBenchmark,metricValue=1
# Create alarm:
aws cloudwatch put-metric-alarm \
  --alarm-name CIS-4.9 \
  --metric-name CIS-4-9 \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <SNS_TOPIC_ARN>
Remediation: Terraform
resource "aws_cloudwatch_log_metric_filter" "cis_4_9" {
  name           = "CIS-4.9"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutConfigurationRecorder)) }"
  metric_transformation {
    name      = "CIS-4-9"
    namespace = "CISBenchmark"
    value     = "1"
  }
}
resource "aws_cloudwatch_metric_alarm" "cis_4_9" {
  alarm_name          = "CIS-4.9"
  metric_name         = "CIS-4-9"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
Compliance mapping
This check maps to CIS 4.9 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform →