AWS-013 Amazon Web Services (AWS)

AWS Config is enabled in all regions.

Domain: Amazon Web Services (AWS)
Area: Logging
Automated / manual: Automated

Risk if it fails

Without config history you cannot prove past state or detect drift.

If you do not record configuration changes, an attacker can quietly weaken a control, do harm, and revert it — and you would never see the change.

How Tess tests it

1 test — each concludes only on cited evidence.

AWS Config is enabled in all regions.

Automated
Procedure
Confirm a recorder exists and is recording all resource types per region.

Read-only command

aws configservice describe-configuration-recorders
aws configservice describe-configuration-recorder-status
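
Each of the two commands above reports on a single region per call, so covering all regions means repeating them with the CLI's `--region` option. The following added example (not Tess's own test logic) evaluates the JSON those commands return for each region. The function names and the sample evidence are constructed for illustration.

```python
import json

def check_region(recorders_doc, status_doc):
    """Return the failure reasons for one region (an empty list means pass)."""
    recorders = recorders_doc.get("ConfigurationRecorders", [])
    if not recorders:
        return ["no configuration recorder"]
    status = {s["name"]: s for s in status_doc.get("ConfigurationRecordersStatus", [])}
    reasons = []
    for rec in recorders:
        name = rec["name"]
        # allSupported=false means only a chosen subset of resource types is recorded.
        if not rec.get("recordingGroup", {}).get("allSupported", False):
            reasons.append(f"{name}: not recording all supported resource types")
        st = status.get(name, {})
        # A recorder can exist and still be stopped, so the status call is needed too.
        if not st.get("recording", False):
            reasons.append(f"{name}: recorder is stopped")
        elif str(st.get("lastStatus", "")).lower() == "failure":
            reasons.append(f"{name}: last recording attempt failed")
    return reasons

def check_all_regions(evidence):
    """evidence maps region -> (recorders JSON text, recorder-status JSON text)."""
    return {region: check_region(json.loads(rec), json.loads(stat))
            for region, (rec, stat) in evidence.items()}

# Constructed sample evidence: one compliant region, one partial and stopped
# recorder, and one region with no recorder at all.
SAMPLE = {
    "eu-west-1": (
        '{"ConfigurationRecorders": [{"name": "default", "recordingGroup": {"allSupported": true}}]}',
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": true, "lastStatus": "SUCCESS"}]}',
    ),
    "us-east-1": (
        '{"ConfigurationRecorders": [{"name": "default", "recordingGroup": {"allSupported": false, "resourceTypes": ["AWS::EC2::Instance"]}}]}',
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": false}]}',
    ),
    "ap-south-1": ('{"ConfigurationRecorders": []}', '{"ConfigurationRecordersStatus": []}'),
}

if __name__ == "__main__":
    for region, reasons in check_all_regions(SAMPLE).items():
        print(region, "PASS" if not reasons else "FAIL: " + "; ".join(reasons))
```

A region with no recorder is the case most easily missed, because the first command returns an empty list there instead of an error.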
