Ensure AWS Config is enabled in all regions

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions.

Risk Level: Low
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.TF.AWS.LOG.04
Covered by Spectral: No
Category: Security, Identity, & Compliance


aws_config_configuration_recorder should have all_supported=true


  1. Run this command to show all AWS Config recorders and their properties aws configservice describe-configuration-recorders 2. Evaluate the output to ensure that there's at least one recorder for which recordingGroup object includes allSupported = true AND includeGlobalResourceTypes = true 3. Run this command to show the status for all AWS Config recorders aws configservice describe-configuration-recorder-status 4. In the output, find recorders with name key matching the recorders that met criteria in step 2. Ensure that at least one of them includes recording = true and lastStatus = SUCCESS

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • Terraform AWS CIS Foundations