Why do I get an AWS Config error after I turn on Security Hub?

Reading time: 3 minutes

After I turn on AWS Security Hub, I get an AWS Config error.

Short description

When you set up AWS Security Hub, you might receive one of the following errors:

  • "AWS Config is not enabled on some accounts."
  • "AWS Config is not enabled in all regions."
  • "An error has occurred with AWS Config. Contact AWS Support."

Resolution

Use the following best practices to configure and troubleshoot AWS Config with Security Hub.

Note: AWS Config rules that Security Hub creates don't incur additional costs.

Set up AWS Config in the same Region as Security Hub

To set up AWS Config, use the AWS Config console in the same AWS Region where you turned on Security Hub. 

Note: If you configured Security Hub in multiple Regions, then set up AWS Config for each Region.

Update your AWS Config recording strategy

Your AWS Config recording strategy must record all resources, including global resources in your Region.

To update your AWS Config recording strategy, complete the following steps:

  1. Open the AWS Config console.
  2. In the navigation pane, choose Settings.
  3. In Settings, under Recorder, choose Edit.
  4. Under Recording method, for Recording strategy, choose Specific resource types.
  5. Enter the following information:
      • For Resource type, choose All globally recorded IAM resource types.
      • For Frequency, choose either Continuous or Daily.
  6. Choose Save.

The preceding settings apply to all your AWS accounts that you configured with Security Hub, including AWS Organizations member accounts. You don't need to record all resource types in AWS Config. However, make sure to record the required resource types for Center for Internet Security (CIS), Payment Card Industry Data Security Standard (PCI DSS), and AWS Foundational Security Best Practices controls.

You don't need to turn on global resources in all Regions. To avoid duplicate configuration settings, turn on global settings only in the same Region as Security Hub for each account.

Note: It can take up to 24 hours for the recorder settings to complete.
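As an added example that is not part of the AWS article, the following Python script turns the recorder requirements above into an automated check. It evaluates the responses of the AWS Config DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus APIs (the sample responses below are constructed), and the live audit_region function assumes boto3 and valid AWS credentials are available.

```python
"""Audit AWS Config recorders for the settings Security Hub expects."""
from __future__ import annotations

# Constructed sample: a recorder that is stopped and only records one
# resource type. This is the kind of setup that triggers the
# "AWS Config is not enabled" errors in Security Hub.
SAMPLE_WEAK = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance"],
    },
}
SAMPLE_STATUS_OFF = {"name": "default", "recording": False}

# Constructed sample: a recorder that records all resources, including
# global (IAM) resources, and is running successfully.
SAMPLE_GOOD = {
    "name": "default",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
}
SAMPLE_STATUS_ON = {"name": "default", "recording": True, "lastStatus": "SUCCESS"}


def audit_recorder(recorder: dict, status: dict) -> list[str]:
    """Return the problems found; an empty list means the recorder is fine."""
    problems = []
    if not status.get("recording"):
        problems.append("recorder is stopped, so AWS Config is not enabled here")
    group = recorder.get("recordingGroup", {})
    if not group.get("allSupported"):
        problems.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        problems.append("global (IAM) resources are not recorded in this Region")
    if status.get("lastStatus") == "FAILURE":
        # lastErrorMessage holds the same text you would find in CloudTrail.
        problems.append("last recording run failed: "
                        + status.get("lastErrorMessage", "no message"))
    return problems


def audit_region(region: str) -> dict[str, list[str]]:
    """Live check of one Region; run it in every Region where Security Hub is on."""
    import boto3  # assumed to be installed; not needed for audit_recorder()
    config = boto3.client("config", region_name=region)
    recorders = config.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = {s["name"]: s for s in config.describe_configuration_recorder_status()
                ["ConfigurationRecordersStatus"]}
    if not recorders:
        return {"<none>": ["no configuration recorder exists in this Region"]}
    return {r["name"]: audit_recorder(r, statuses.get(r["name"], {})) for r in recorders}
```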

Use the CloudTrail console to search for AWS Config error messages

Complete the following steps:

  1. Open the AWS CloudTrail console, and view the details for an event.
  2. For Filter, enter the following example syntax, and then press Enter:
      EventSource: config.amazonaws.com
  3. Troubleshoot the issue based on the error message.

Related information

AWS Security Hub now generally available

AWS OFFICIAL
Updated 2 months ago