HHS / simpler-grants-gov

https://simpler.grants.gov

[Task]: Determine Steps to Setup AWS Config so "AWS Config should be enabled" NIST Requirement is Met #958

Closed acouch closed 8 months ago

acouch commented 8 months ago

Summary

Currently the "AWS Config should be enabled" check does not pass.

This issue is to investigate the current AWS Config settings and determine the necessary steps to pass the check.

A separate implementation can be created after the steps are determined. It is possible that there is some reason why we can disable this check or the remediation step can be addressed through documentation.

Acceptance criteria

coilysiren commented 8 months ago

IIRC it's just a single button click in the UI, very easy!

acouch commented 8 months ago

@coilysiren thanks. Config is enabled but the Security Hub Check doesn't acknowledge that. Hopefully it is as simple as a button click!

coilysiren commented 8 months ago

I think the issue is that we don't have AWS Config enabled in us-east-2. I'm going to click it on now.

coilysiren commented 8 months ago

Ah nope, it's failing on both regions. Somehow?!?!?! 😆 I'll investigate.

coilysiren commented 8 months ago

We're currently excluding AWS IAM from AWS Config reporting. That might be the issue?

coilysiren commented 8 months ago

The exclusion for AWS IAM from AWS Config reporting can be removed here:

coilysiren commented 8 months ago

The control document says:

This control checks whether AWS Config is enabled in your account in the current Region and is recording all resources. The control fails if AWS Config isn't enabled or isn't recording all resources.

So I'm pretty confident that removing the IAM exclusion will fix this.
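
Added example (not from the issue thread or the simpler-grants-gov repository): a Python check that applies the two criteria quoted from the control document, enabled and recording all resources, to recorder settings shaped like the AWS Config `DescribeConfigurationRecorders` and `DescribeConfigurationRecorderStatus` responses. The recorder name, the list of IAM resource types and all sample values are constructed, and the function approximates the quoted criteria rather than reproducing Security Hub's own evaluation logic.

```python
# Added example. Input dicts follow the shape of the AWS Config describe
# responses for recorders and recorder status; all values are constructed.

IAM_TYPES = ["AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"]

def recorder_findings(recorders, statuses):
    """Return reasons a region fails 'enabled and recording all resources'."""
    if not recorders:
        return ["no configuration recorder exists"]
    recording = {s["name"]: s.get("recording", False) for s in statuses}
    findings = []
    for rec in recorders:
        name = rec["name"]
        if not recording.get(name, False):
            findings.append(f"{name}: recorder is not recording")
        group = rec.get("recordingGroup", {})
        strategy = group.get("recordingStrategy", {}).get("useOnly")
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        if excluded or strategy == "EXCLUSION_BY_RESOURCE_TYPES":
            listed = ", ".join(sorted(excluded)) or "unspecified types"
            findings.append(f"{name}: excludes {listed}")
        elif group.get("resourceTypes") or strategy == "INCLUSION_BY_RESOURCE_TYPES":
            findings.append(f"{name}: records only a selected list of types")
        elif not group.get("allSupported", False):
            findings.append(f"{name}: allSupported is false")
    return findings

# Constructed recorder with IAM excluded, as described in the thread.
WITH_IAM_EXCLUSION = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "exclusionByResourceTypes": {"resourceTypes": IAM_TYPES},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    },
}
# Constructed recorder after the exclusion is removed.
ALL_RESOURCES = {
    "name": "default",
    "recordingGroup": {
        "allSupported": True,
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
    },
}
STATUS_ON = [{"name": "default", "recording": True}]

if __name__ == "__main__":
    for label, rec in (("before", WITH_IAM_EXCLUSION), ("after", ALL_RESOURCES)):
        print(label, recorder_findings([rec], STATUS_ON) or "meets both criteria")
```

Run it once per Region with that Region's recorder and status data, since the control is evaluated in each Region separately.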