AWS Config Recorder Enabled in All Regions
Overview
This check verifies that AWS Config recorders are enabled and actively recording in all AWS regions. AWS Config tracks changes to your AWS resources over time, creating a configuration history that is essential for security auditing, compliance verification, and troubleshooting.
Risk
Without AWS Config recording enabled in all regions, you have blind spots in your AWS environment:
- Changes to resources in unmonitored regions go undetected
- Adversaries could create or modify resources in regions without Config, avoiding detection
- Compliance audits may fail due to incomplete configuration history
- Incident response is hindered when you cannot see what changed and when
- Drift detection and change tracking become unreliable
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to configure AWS Config
- An S3 bucket for storing configuration snapshots (you can create one during setup)
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- config:PutConfigurationRecorder
- config:PutDeliveryChannel
- config:StartConfigurationRecorder
- config:DescribeConfigurationRecorders
- config:DescribeConfigurationRecorderStatus
- s3:CreateBucket (if creating a new bucket)
- iam:PassRole (to assign the Config service role)
AWS Console Method
1. Open AWS Config in the Console
   - Go to the AWS Config Console in us-east-1
   - If this is your first time, click Get started or Set up AWS Config
2. Configure resource recording
   - Under Recording strategy, choose one:
     - All resource types (recommended for comprehensive coverage)
     - Specific resource types (if you only need certain resources)
   - Check Include globally recorded resource types to capture IAM resources (do this in one region only; see Notes)
3. Set up the delivery channel
   - Under Amazon S3 bucket, either:
     - Create a new bucket (AWS will name it for you), or
     - Choose an existing bucket
   - Optionally add an S3 key prefix to organize your snapshots
4. Configure the IAM role
   - Select Use an existing AWS Config service-linked role (recommended)
   - Or let AWS create a new role for you
5. Review and confirm
   - Click Confirm
   - AWS Config will start recording immediately
6. Repeat for other regions
   - Use the region selector in the top-right corner to switch regions
   - Repeat steps 1-5 for each region where you have (or may have) resources
AWS CLI (optional)
Step 1: Create an S3 bucket for Config snapshots
If you do not already have a bucket:
```bash
aws s3 mb s3://config-bucket-<your-account-id> \
  --region us-east-1
```
Step 2: Create the configuration recorder
```bash
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::<your-account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=true \
  --region us-east-1
```
Step 3: Create the delivery channel
```bash
aws configservice put-delivery-channel \
  --delivery-channel name=default,s3BucketName=config-bucket-<your-account-id> \
  --region us-east-1
```
Step 4: Start the configuration recorder
```bash
aws configservice start-configuration-recorder \
  --configuration-recorder-name default \
  --region us-east-1
```
Automate for all regions
To enable Config in all regions, loop through them. The loop records global resource types only in one region (GLOBAL_REGION), so it does not overwrite the us-east-1 recorder created in Step 2 with includeGlobalResourceTypes=false:
```bash
# Region that records global (IAM) resource types; every other region sets it to false
GLOBAL_REGION=us-east-1
# Get all enabled regions
REGIONS=$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
for REGION in $REGIONS; do
  echo "Enabling AWS Config in $REGION..."
  if [ "$REGION" = "$GLOBAL_REGION" ]; then INCLUDE_GLOBAL=true; else INCLUDE_GLOBAL=false; fi
  # Create configuration recorder
  aws configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=arn:aws:iam::<your-account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
    --recording-group allSupported=true,includeGlobalResourceTypes="$INCLUDE_GLOBAL" \
    --region "$REGION"
  # Create delivery channel
  aws configservice put-delivery-channel \
    --delivery-channel name=default,s3BucketName=config-bucket-<your-account-id> \
    --region "$REGION"
  # Start the recorder
  aws configservice start-configuration-recorder \
    --configuration-recorder-name default \
    --region "$REGION"
done
```
Note: Set includeGlobalResourceTypes=true in only one region (typically us-east-1) to avoid duplicate recording of IAM resources.
CloudFormation (optional)
This template enables AWS Config with a recorder and delivery channel. Deploy it in each region where you need Config enabled.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable AWS Config recorder with delivery channel
Parameters:
  S3BucketName:
    Type: String
    Description: S3 bucket for AWS Config snapshots
  IncludeGlobalResources:
    Type: String
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
    Description: Include global IAM resources (set true in only one region)
Conditions:
  IncludeGlobalResourceTypes: !Equals [!Ref IncludeGlobalResources, 'true']
Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: !If [IncludeGlobalResourceTypes, true, false]
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    # The Config API requires a configuration recorder to exist before a delivery channel is created
    DependsOn: ConfigRecorder
    Properties:
      Name: default
      S3BucketName: !Ref S3BucketName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours
Outputs:
  ConfigRecorderName:
    Description: Name of the AWS Config recorder
    Value: !Ref ConfigRecorder
  DeliveryChannelName:
    Description: Name of the delivery channel
    Value: !Ref ConfigDeliveryChannel
```
Deploy with:
```bash
aws cloudformation deploy \
  --template-file config-recorder.yaml \
  --stack-name aws-config-recorder \
  --parameter-overrides \
    S3BucketName=config-bucket-<your-account-id> \
    IncludeGlobalResources=true \
  --region us-east-1
```
For other regions, set IncludeGlobalResources=false:
```bash
aws cloudformation deploy \
  --template-file config-recorder.yaml \
  --stack-name aws-config-recorder \
  --parameter-overrides \
    S3BucketName=config-bucket-<your-account-id> \
    IncludeGlobalResources=false \
  --region us-west-2
```
Terraform (optional)
```hcl
# Variables
variable "s3_bucket_name" {
  description = "S3 bucket for AWS Config snapshots"
  type        = string
}

variable "include_global_resource_types" {
  description = "Include global IAM resources (set true in only one region)"
  type        = bool
  default     = false
}

# Data source for current account
data "aws_caller_identity" "current" {}

# AWS Config recorder
resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

  recording_group {
    all_supported                 = true
    include_global_resource_types = var.include_global_resource_types
  }

  recording_mode {
    recording_frequency = "CONTINUOUS"
  }
}

# Delivery channel (the Config API requires the recorder to exist first)
resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = var.s3_bucket_name

  snapshot_delivery_properties {
    delivery_frequency = "TwentyFour_Hours"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

# Start the recorder (needs the delivery channel in place)
resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true

  depends_on = [aws_config_delivery_channel.main]
}

# Outputs
output "recorder_name" {
  description = "Name of the AWS Config recorder"
  value       = aws_config_configuration_recorder.main.name
}

output "recorder_status" {
  description = "Whether the recorder is enabled"
  value       = aws_config_configuration_recorder_status.main.is_enabled
}
```
Deploy with:
```bash
terraform init
terraform plan -var="s3_bucket_name=config-bucket-123456789012" -var="include_global_resource_types=true"
terraform apply -var="s3_bucket_name=config-bucket-123456789012" -var="include_global_resource_types=true"
```
To deploy in multiple regions, use Terraform workspaces or separate configurations with different provider blocks.
Verification
After enabling AWS Config, verify the recorder is active:
1. In the AWS Console:
   - Go to AWS Config > Settings
   - Confirm Recording is on appears at the top
   - Check the Recorder section shows status as "Recording"
   - Verify the S3 bucket is correctly configured
2. Check multiple regions:
   - Use the region selector to switch to other regions
   - Verify each region shows "Recording is on"
CLI verification commands
Check if the recorder exists and its configuration:
```bash
aws configservice describe-configuration-recorders \
  --region us-east-1
```
Check the recorder status (look for "recording": true):
```bash
aws configservice describe-configuration-recorder-status \
  --region us-east-1
```
Expected output for a healthy recorder:
```json
{
  "ConfigurationRecordersStatus": [
    {
      "name": "default",
      "lastStatus": "SUCCESS",
      "recording": true,
      "lastStartTime": "2024-01-15T10:30:00.000Z"
    }
  ]
}
```
Check all regions at once. A region with no recorder returns an empty ConfigurationRecordersStatus list with exit code 0, so the loop tests the output rather than the exit code:
```bash
for REGION in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  echo "Region: $REGION"
  STATUS=$(aws configservice describe-configuration-recorder-status \
    --region "$REGION" \
    --query 'ConfigurationRecordersStatus[0].[recording,lastStatus]' \
    --output text 2>/dev/null)
  # The CLI prints "None" when the JMESPath result is null (empty list)
  if [ -z "$STATUS" ] || [ "$STATUS" = "None" ]; then
    echo "  No recorder configured"
  else
    echo "  recording / lastStatus: $STATUS"
  fi
done
```
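As an added example (not code from the original page), the following Python evaluator applies this check's logic to the JSON that the two describe commands above return for each region: it reports which regions fail and why (no recorder, recorder stopped, recorder on but deliveries failing) and warns when includeGlobalResourceTypes is set in zero or in more than one region. The sample responses are constructed to match the CLI output shape.

```python
# Added example (not code from the original page): apply this check's logic to the JSON
# that `describe-configuration-recorders` and `describe-configuration-recorder-status`
# return for each region, and flag includeGlobalResourceTypes set in zero or several
# regions. SAMPLE is constructed; in practice collect both responses per region.
from typing import Dict, Tuple
def evaluate_region(region: str, recorders: dict, status: dict) -> dict:
    """Pass/fail for one region, plus whether it records global (IAM) resource types."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return {"region": region, "pass": False, "reason": "no configuration recorder", "global": False}
    rec = recs[0]  # AWS allows one recorder per region
    st = next((s for s in status.get("ConfigurationRecordersStatus", []) if s["name"] == rec["name"]), {})
    is_global = bool(rec.get("recordingGroup", {}).get("includeGlobalResourceTypes"))
    if not st.get("recording"):
        reason = "recorder exists but is stopped"
    elif st.get("lastStatus") == "FAILURE":  # recording, but deliveries fail (e.g. S3 bucket policy)
        reason = "recording but last delivery failed: " + st.get("lastErrorMessage", "unknown")
    else:
        return {"region": region, "pass": True, "reason": "recording", "global": is_global}
    return {"region": region, "pass": False, "reason": reason, "global": is_global}

def evaluate_account(per_region: Dict[str, Tuple[dict, dict]]) -> dict:
    """Evaluate all regions; warn when global types are recorded in zero or several regions."""
    results = [evaluate_region(r, *resp) for r, resp in sorted(per_region.items())]
    global_regions = [x["region"] for x in results if x["global"]]
    warnings = []
    if not global_regions:
        warnings.append("no region records global resource types; IAM changes are not captured")
    elif len(global_regions) > 1:
        warnings.append("global resource types recorded in several regions: " + ", ".join(global_regions))
    return {"failing": [x["region"] for x in results if not x["pass"]], "warnings": warnings, "results": results}

def recorder_response(is_global: bool) -> dict:  # constructed describe-configuration-recorders response
    return {"ConfigurationRecorders": [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": is_global}}]}

def status_response(recording: bool, last: str = "SUCCESS", err: str = "") -> dict:  # constructed status response
    s = {"name": "default", "recording": recording, "lastStatus": last, **({"lastErrorMessage": err} if err else {})}
    return {"ConfigurationRecordersStatus": [s]}

# Constructed sample: healthy, stopped, failing delivery, and never configured.
SAMPLE = {
    "us-east-1": (recorder_response(True), status_response(True)),
    "us-west-2": (recorder_response(False), status_response(False)),
    "eu-west-1": (recorder_response(False), status_response(True, "FAILURE", "Insufficient delivery policy to s3 bucket")),
    "ap-south-1": ({"ConfigurationRecorders": []}, {"ConfigurationRecordersStatus": []}),
}
if __name__ == "__main__":
    report = evaluate_account(SAMPLE)
    print("failing:", report["failing"], "warnings:", report["warnings"])
```

To run it against a live account, replace SAMPLE with the two responses captured per region from the CLI commands above (for example with `--output json` piped to files).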
Additional Resources
- AWS Documentation: Setting Up AWS Config
- AWS Documentation: AWS Config Concepts
- AWS Documentation: AWS Config Managed Rules
- CIS AWS Foundations Benchmark
Notes
- Service-linked role: AWS Config uses a service-linked role (AWSServiceRoleForConfig) that AWS creates automatically. If it does not exist, you may need to create it first or let the console create it during setup.
- Global resources: Only enable IncludeGlobalResourceTypes in one region (typically us-east-1) to avoid recording IAM resources multiple times.
- S3 bucket location: The S3 bucket can be in a different region from the Config recorder. Many organizations use a single bucket for all regions.
- Costs: AWS Config charges per configuration item recorded. Costs scale with the number of resources and the frequency of changes.
- Aggregator option: For multi-account or multi-region visibility, consider setting up an AWS Config Aggregator to view compliance across all accounts and regions in one place.
- Existing recorders: If a recorder already exists but is stopped, you only need to start it rather than create a new one.