
AWS Config Recorder Uses the AWSServiceRoleForConfig Service-Linked Role

Overview

This check verifies that your AWS Config recorders use the AWS-managed service-linked role AWSServiceRoleForConfig rather than a custom IAM role. The service-linked role is purpose-built by AWS to provide exactly the permissions Config needs to record your resources.

Risk

Using a custom or incorrect role for AWS Config creates several security and operational risks:

  • Recording gaps: A misconfigured role may lack permissions to record certain resource types, creating blind spots
  • Over-privileged access: Custom roles often have more permissions than necessary, violating least privilege
  • Maintenance burden: You must manually update custom roles when AWS adds new resource types
  • Compliance issues: Auditors expect the standard AWS-managed role for Config
  • Incident response delays: Gaps in configuration history make it harder to investigate security events

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify AWS Config settings
  • The recorder must already exist (this check is about updating its role, not creating a new recorder)

Required IAM permissions (for administrators)

Your IAM user or role needs these permissions:

  • config:PutConfigurationRecorder
  • config:DescribeConfigurationRecorders
  • iam:PassRole on the AWSServiceRoleForConfig role (handing a service-linked role to a service API still requires PassRole)
  • iam:CreateServiceLinkedRole, only if the service-linked role does not exist yet and you have to create it
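A least-privilege policy for the administrator identity that carries out this remediation, as an added example (it is not from the page or from AWS documentation; the account ID 123456789012 is a placeholder to replace). The point of scoping iam:PassRole to the one role ARN and to the config.amazonaws.com service principal is that an unscoped PassRole lets whoever holds this identity hand any role in the account to any service, which is a well-known privilege-escalation route; the CreateServiceLinkedRole statement is likewise limited to the Config service name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageConfigRecorder",
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus",
        "config:PutConfigurationRecorder"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassOnlyTheServiceLinkedRoleToConfig",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "config.amazonaws.com" }
      }
    },
    {
      "Sid": "CreateConfigServiceLinkedRoleIfMissing",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
      "Condition": {
        "StringEquals": { "iam:AWSServiceName": "config.amazonaws.com" }
      }
    }
  ]
}
```

Drop the third statement once the service-linked role exists; nothing in the remediation needs it afterwards.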

AWS Console Method

  1. Open AWS Config in the Console

  2. Edit the recorder settings

    • In the Recording section, click Edit
  3. Change to the service-linked role

    • Scroll to the IAM role section
    • Select Use an existing AWS Config service-linked role
    • This will use AWSServiceRoleForConfig automatically
  4. Save your changes

    • Click Save
    • AWS Config will continue recording using the service-linked role
  5. Repeat for other regions (if applicable)

    • Use the region selector in the top-right corner
    • Check and update the role in any other regions where you have Config enabled

AWS CLI (optional)

Check the current recorder configuration

First, see what role your recorder is currently using:

aws configservice describe-configuration-recorders \
    --region us-east-1 \
    --query 'ConfigurationRecorders[*].{Name:name,RoleARN:roleARN}'

Update the recorder to use the service-linked role

Replace <your-account-id> with your 12-digit AWS account ID:

aws configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=arn:aws:iam::<your-account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
    --recording-group allSupported=true,includeGlobalResourceTypes=true \
    --region us-east-1

Note: PutConfigurationRecorder replaces the whole recorder definition, not just the role. If you omit --recording-group, AWS Config applies its default of recording all supported resource types, so a recorder that was deliberately scoped to a subset of types widens without warning. Pass back the recordingGroup you saw in the describe-configuration-recorders output (in shorthand form as above, adjusted to match, or as file://recording-group.json for a JSON copy) so that the role change leaves resource selection untouched.

If the service-linked role does not exist

The service-linked role is usually created automatically when you first set up AWS Config. If it does not exist, create it:

aws iam create-service-linked-role \
    --aws-service-name config.amazonaws.com

Update recorders in all regions

To update recorders across all enabled regions:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
SLR_ARN="arn:aws:iam::${ACCOUNT_ID}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

for REGION in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    # Read the existing recorder and swap only roleARN, keeping recordingGroup:
    # a PUT that omits recordingGroup resets it to "all supported resource types"
    RECORDER=$(aws configservice describe-configuration-recorders \
        --region "$REGION" \
        --query "ConfigurationRecorders[0].{name: name, roleARN: '${SLR_ARN}', recordingGroup: recordingGroup}" \
        --output json 2>/dev/null)

    # No recorder in this region yields "null"
    if [ -n "$RECORDER" ] && [ "$RECORDER" != "null" ]; then
        echo "Updating recorder in $REGION..."
        aws configservice put-configuration-recorder \
            --configuration-recorder "$RECORDER" \
            --region "$REGION"
    fi
done

CloudFormation (optional)

This template creates or updates an AWS Config recorder to use the service-linked role.

AWSTemplateFormatVersion: '2010-09-09'
Description: Update AWS Config recorder to use service-linked role

Parameters:
  RecorderName:
    Type: String
    Default: default
    Description: Name of the existing AWS Config recorder

Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Ref RecorderName
      RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

Outputs:
  ConfigRecorderName:
    Description: Name of the AWS Config recorder
    Value: !Ref ConfigRecorder

  RoleARN:
    Description: IAM role ARN used by the recorder
    Value: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig

Deploy with:

aws cloudformation deploy \
    --template-file config-recorder-role.yaml \
    --stack-name config-recorder-service-role \
    --region us-east-1

Note: If you already manage your Config recorder via CloudFormation, update your existing template to use the service-linked role ARN shown above. Only one recorder is allowed per region; to bring an existing, unmanaged recorder under a stack, use a CloudFormation resource import rather than a fresh create. In either case CloudFormation issues a PutConfigurationRecorder for the named recorder with the whole definition, so make sure RecordingGroup in the template mirrors the recorder's current settings, otherwise the deployment also changes which resource types are recorded.

Terraform (optional)

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # The recording_mode block below was added to aws_config_configuration_recorder
      # in provider 5.32; the 4.x providers rejected it, so the floor is raised here
      version = ">= 5.32"
    }
  }
}

# Data source for current account
data "aws_caller_identity" "current" {}

# AWS Config recorder using service-linked role
resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }

  recording_mode {
    recording_frequency = "CONTINUOUS"
  }
}

# Output to confirm the role ARN
output "config_recorder_role_arn" {
  description = "IAM role ARN used by the AWS Config recorder"
  value       = aws_config_configuration_recorder.main.role_arn
}

Deploy with:

terraform init
terraform plan
terraform apply

Importing an existing recorder: If you have an existing Config recorder not managed by Terraform, import it first, then run terraform plan and confirm that the only planned change is role_arn. If the plan also shows changes to recording_group or recording_mode, adjust those blocks to match the live recorder before applying; otherwise the apply will alter which resource types are recorded along with the role:

terraform import aws_config_configuration_recorder.main default

Verification

After updating the role, verify your Config recorder is using the service-linked role:

  1. In the AWS Console:

    • Go to AWS Config > Settings
    • Look at the IAM role section
    • Confirm it shows AWSServiceRoleForConfig (or the full ARN ending in /AWSServiceRoleForConfig)
  2. Check that recording continues:

    • Navigate to AWS Config > Resources
    • Verify that resources are being discovered and tracked

CLI verification commands

Check the role ARN for your recorder:

aws configservice describe-configuration-recorders \
    --region us-east-1 \
    --query 'ConfigurationRecorders[*].{Name:name,RoleARN:roleARN}' \
    --output table

Expected output should show the service-linked role:

------------------------------------------------------------------------------------------------------------
|                                      DescribeConfigurationRecorders                                      |
+----------+-----------------------------------------------------------------------------------------------+
|   Name   |                                            RoleARN                                            |
+----------+-----------------------------------------------------------------------------------------------+
|  default |  arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig |
+----------+-----------------------------------------------------------------------------------------------+

Verify the recorder is still actively recording:

aws configservice describe-configuration-recorder-status \
    --region us-east-1 \
    --query 'ConfigurationRecordersStatus[*].{Name:name,Recording:recording,LastStatus:lastStatus}'

Check all regions at once:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
EXPECTED="arn:aws:iam::${ACCOUNT_ID}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

for REGION in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    ROLE=$(aws configservice describe-configuration-recorders \
        --region "$REGION" \
        --query 'ConfigurationRecorders[0].roleARN' \
        --output text 2>/dev/null)

    if [ -n "$ROLE" ] && [ "$ROLE" != "None" ]; then
        # Compare against the exact ARN: a substring match on "AWSServiceRoleForConfig"
        # would also pass a custom role that merely contains that string in its name,
        # or the service-linked role of another account
        if [ "$ROLE" = "$EXPECTED" ]; then
            echo "$REGION: OK (using service-linked role)"
        else
            echo "$REGION: WARNING (not the service-linked role: $ROLE)"
        fi
    fi
done
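As an added example that serves both the multi-region update loop in the remediation section and the verification loop just above (it is not part of the original page or of any AWS tooling), the following Python script does the same audit-and-fix with boto3 and bakes in the two checks a practitioner wants: compliance is decided by an exact comparison with the expected service-linked role ARN for this account and partition rather than a substring match, and the fix payload carries the existing recordingGroup and recordingMode forward so the PUT does not reset resource selection. Assumptions: boto3 is installed (it is imported only inside main(), so the helpers run offline), the credentials can call the STS, EC2 and Config APIs named in the docstring, and the recorder data at the bottom is a constructed sample for the offline demo, not real API output.

```python
"""Audit (and optionally fix) AWS Config recorders so they use AWSServiceRoleForConfig.

Added example for this page, not part of the original or of any AWS tooling.
Assumptions: boto3 is installed (imported lazily inside main()), and the credentials
may call sts:GetCallerIdentity, ec2:DescribeRegions, config:DescribeConfigurationRecorders
and, with --fix, config:PutConfigurationRecorder plus iam:PassRole on the service-linked role.
"""
import re
import sys

SLR_PATH = "role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

# Fields PutConfigurationRecorder accepts. DescribeConfigurationRecorders may also return
# read-only fields (such as "arn"); those must not be sent back.
WRITABLE_FIELDS = ("name", "roleARN", "recordingGroup", "recordingMode")
_ROLE_ARN = re.compile(r"arn:aws(?:-[a-z]+)*:iam::(\d{12}):(.+)")


def service_linked_role_arn(account_id, partition="aws"):
    """Expected SLR ARN for this account in the given partition (aws, aws-cn, aws-us-gov)."""
    return f"arn:{partition}:iam::{account_id}:{SLR_PATH}"


def uses_service_linked_role(role_arn, account_id):
    """True only for the exact service-linked role in *this* account. A substring test for
    "AWSServiceRoleForConfig" would also accept a custom role named e.g.
    AWSServiceRoleForConfigCustom, a role outside aws-service-role/, or another account's SLR."""
    m = _ROLE_ARN.fullmatch(role_arn or "")
    return bool(m) and m.group(1) == account_id and m.group(2) == SLR_PATH


def updated_recorder(recorder, account_id, partition="aws"):
    """Payload for PutConfigurationRecorder: swap in the SLR but keep recordingGroup and
    recordingMode, since omitting recordingGroup resets it to "all supported resource types"."""
    payload = {k: recorder[k] for k in WRITABLE_FIELDS if k in recorder}
    payload["roleARN"] = service_linked_role_arn(account_id, partition)
    return payload


def audit_and_fix(account_id, regions, describe, put=None):
    """describe(region) returns the recorder dict or None; put(region, payload), when given,
    applies the fix. Returns {region: "ok" | "fixed" | "noncompliant" | "no-recorder"}."""
    results = {}
    for region in regions:
        recorder = describe(region)
        if recorder is None:
            results[region] = "no-recorder"
        elif uses_service_linked_role(recorder.get("roleARN"), account_id):
            results[region] = "ok"
        elif put is not None:
            put(region, updated_recorder(recorder, account_id))
            results[region] = "fixed"
        else:
            results[region] = "noncompliant"
    return results


# Constructed sample standing in for DescribeConfigurationRecorders output (offline demo only).
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_RECORDERS = {
    "us-east-1": {  # custom role, plus a scoped recording group that must survive the fix
        "name": "default",
        "arn": "(read-only value returned by the API; must not be sent back)",
        "roleARN": "arn:aws:iam::123456789012:role/custom-config-role",
        "recordingGroup": {"allSupported": False, "resourceTypes": ["AWS::S3::Bucket"]},
    },
    "eu-west-1": {  # already compliant
        "name": "default",
        "roleARN": service_linked_role_arn(SAMPLE_ACCOUNT),
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    },
    "ap-south-1": None,  # Config never set up here
}


def demo(fix=False):
    """Run the audit over the constructed sample; returns (results, payloads that would be PUT)."""
    applied = {}

    def fake_put(region, payload):
        applied[region] = payload

    results = audit_and_fix(SAMPLE_ACCOUNT, list(SAMPLE_RECORDERS),
                            describe=SAMPLE_RECORDERS.get, put=fake_put if fix else None)
    return results, applied


def main(fix=False):
    import boto3  # assumption: boto3 installed and real credentials available
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]

    def describe(region):
        found = boto3.client("config", region_name=region).describe_configuration_recorders()
        return found["ConfigurationRecorders"][0] if found["ConfigurationRecorders"] else None

    def put(region, payload):
        boto3.client("config", region_name=region).put_configuration_recorder(
            ConfigurationRecorder=payload)

    for region, status in audit_and_fix(account_id, regions, describe, put if fix else None).items():
        print(f"{region}: {status}")


if __name__ == "__main__":
    main(fix="--fix" in sys.argv)
```

Run it with no arguments for a report only and with --fix to apply the change; demo() exercises the same logic against the constructed sample without touching AWS, which is also how to check the payload shape before granting the identity config:PutConfigurationRecorder.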

Additional Resources

Notes

  • Service-linked role permissions: The AWSServiceRoleForConfig role is maintained by AWS and automatically includes all permissions needed to record supported resource types. When AWS adds support for new resource types, the role is updated automatically.

  • No impact to recording: Changing the role does not stop the recorder; configuration items generated after the change are recorded under the new role. One caveat: the service-linked role's policy cannot be edited, so any permission your custom role granted through its own identity policy for delivery (s3:PutObject on the delivery bucket, sns:Publish on the topic, kms:GenerateDataKey on the bucket's KMS key) must instead be granted to the config.amazonaws.com service principal in the bucket policy, topic policy and key policy. After switching, confirm that snapshots and history are still being delivered with aws configservice describe-delivery-channel-status.

  • Custom roles may still work: If you have a specific business requirement for a custom role (such as restricting which resource types can be recorded), document the justification and ensure the role follows least privilege principles. However, for most use cases, the service-linked role is the recommended approach.

  • Multi-account deployments: In AWS Organizations, roll the recorder settings out to every account and region with CloudFormation StackSets (or your IaC pipeline) and use a Config aggregator for an organization-wide view of recorder state. Conformance packs and organization Config rules evaluate resource compliance but do not themselves change recorder settings.

  • Compliance frameworks: This check maps to C5 and KISA-ISMS-P compliance frameworks, which require proper access controls for audit and monitoring services.