Skip to main content

Resolve AWS Config is enabled correctly in all regions. (Internal)

S
Written by Shannon DeLange
Updated this week

Resolving AWS Config is enabled correctly in all regions.

This test is checking that the settings specified in the 'How to fix' section of the test have been configured on every in scope region on your connected AWS accounts. You can view the steps below on how to configure this for a region where the service is currently off. If you have AWS Config already enabled but it is failing please see the Common Reasons for failure section.

How to configure AWS Config in a region where the service is disabled:

  1. Sign into AWS and then Select the region you want to focus on in the top right of the console. For example if the test is flagging us-west-2, select us-west-2 from the dropdown:

  2. Once on that region go to the search bar and search for "AWS Config"

  3. Since this has not yet been setup for the region, click the "Get Started" button:

  4. Please click the "All resource types with customizable overrides" as your recording strategy:



    And then choose a recording frequency, the default is continuous:

  5. The test instructions next specify to "Choose to include global resources (IAM resources)".
    To do this you will need to select "all globally recorded IAM resource type" as a resource types, then set the override to "Set to daily record". The test will not pass if this override is not set:

  6. Next the instructions specify to select an S3 bucket in the same account or in another managed AWS account. You also have the option to create a bucket as well. This setting can be found in the Delivery method section, please choose an option that works best for you.



    In this example the "choose an existing bucket" option was selected:

  7. Next the tests asks you to choose an SNS topic on the same account or another managed account. This is also done under the delivery method settings by checking the "Stream configuration changes and notifications to an Amazon SNS topic." check box and choosing to either create a topic or use an existing one:

Common Reasons For Failure

The test will fail is one of the required settings have not been configured at all. If you setup config on a region, and the test is still flagging it, please go to the region, search for the AWS Config service, click settings:



From there make sure recording is 'On':

Then click edit



And then confirm that under recording method (1) All resource types with customizable overrides has been selected, and (2) AWS IAM Policy, IAM User, IAM Role, and IAM Group all are set to daily recording:

Then scroll down to delivery method and confirm (3) You have an S3 bucket on the same account, or another managed account and (4) the checkbox for "Stream configuration changes and notifications to an Amazon SNS topic." has been selected along with an SNS topic:

If all of these settings have been configured and the test continues to fail, please write an email to [email protected] for more investigation and include screenshots of the 4 settings you verified in the steps prior.

Related Articles
CIS Foundation Benchmarks Available in Vanta
Connecting Vanta & AWS account
Porting AWS Integrations Across Regions
How to create AWS Cloudwatch Alarms if the required Metric is hidden
How to enable AWS GuardDuty notifications for Vanta