Compliance · High severity

AWS Security Hub · Config

Config.1: AWS Config is off, so most other controls cannot evaluate

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Config.1 check?

Config.1 fails when AWS Config is not enabled and recording in the Region. Concretely, it checks that a configuration recorder exists, that it is running, and that its recording group covers your resources.

Why does Config.1 matter?

AWS Config is the engine many Security Hub controls rely on to evaluate resource state over time. If Config is off, a large share of your other controls simply cannot run, so a green dashboard may just mean nothing is being measured. It is also your record of configuration drift and change history.

How do I fix Config.1?

  1. Enable AWS Config with a recorder that includes all supported resource types (and global resources in your home Region).
  2. Set a delivery channel to an S3 bucket and keep the recorder running continuously.
  3. Deploy Config across all active Regions and accounts, ideally via the organization aggregator.

Remediation script · bash

# 1. AWS Config: bind to the service-linked role, record all resources, set a delivery channel, then start.
ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
CONFIG_BUCKET="<your-config-delivery-bucket>"   # placeholder: existing S3 bucket whose policy lets config.amazonaws.com write
aws iam create-service-linked-role --aws-service-name config.amazonaws.com 2>/dev/null || true
aws configservice put-configuration-recorder \
  --configuration-recorder "name=default,roleARN=arn:aws:iam::${ACCOUNT}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig,recordingGroup={allSupported=true,includeGlobalResourceTypes=true}"
# The recorder cannot start without a delivery channel (start fails with NoAvailableDeliveryChannelException).
aws configservice put-delivery-channel \
  --delivery-channel "name=default,s3BucketName=${CONFIG_BUCKET}"
aws configservice start-configuration-recorder --configuration-recorder-name default
# Verify: recording should be true and lastStatus SUCCESS (or PENDING right after start).
aws configservice describe-configuration-recorder-status \
  --query 'ConfigurationRecordersStatus[].{Name:name,Recording:recording,LastStatus:lastStatus}' --output table

# 2. IAM Access Analyzer: create an external access analyzer in this Region.
aws accessanalyzer create-analyzer --analyzer-name external-access --type ACCOUNT

# 3. Systems Manager: enroll an instance role, then confirm it is managed.
aws iam attach-role-policy --role-name app-instance-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws ssm describe-instance-information \
  --query 'InstanceInformationList[].{Id:InstanceId,Ping:PingStatus}' --output table

Full walkthrough (console steps, edge cases and verification) in the lesson Enable AWS security tooling (Config, Access Analyzer, SSM).