Why did I get an AWS Config error after enabling AWS Security Hub?

Last updated: 2020-07-01

I followed the instructions for setting up AWS Security Hub and received an error similar to one of the following:

"AWS Config is not enabled on some accounts."

"AWS Config is not enabled in all regions"

"An error has occurred with AWS Config. Contact AWS Support."

Resolution

Use the following best practices for configuring and troubleshooting AWS Config with Security Hub.

Note: AWS Config rules created by Security Hub do not incur any additional costs.

Verify that AWS Config is enabled in the same AWS Region as Security Hub

AWS Config must be manually enabled in the same Region as Security Hub.

1.    Open the AWS Config console in the same Region that you have Security Hub enabled.

2.    If AWS Config is not enabled, follow the instructions for setting up AWS Config with the Console.

Note: If you have Security Hub configured in multiple Regions, repeat these steps for each Region.

Verify that AWS Config is recording all resources, including global resources, in your Region

You can modify the type of resources that AWS Config records.

1.    Open the AWS Config console, and choose Settings.

2.    In Settings, confirm Recording is on.

3.    In Resource types to record, select Record all resources supported in this region.

4.    In Resource types to record, select Include global resources (e.g., AWS IAM resources).

5.    Choose Save.

Note:

  • These settings apply to all of your AWS accounts that are configured with Security Hub, including AWS Organizations member accounts.
  • If you do not want to record all resource types in AWS Config, be sure that the required resource types for CIS, PCI DSS, and AWS Foundational Security Best Practices controls are recording.
  • You do not need to record global resources in all Regions. To avoid recording the same global resources more than once, enable global resource recording only in the same AWS Region as Security Hub for each AWS account.
  • It can take up to 24 hours for the recorder settings to take effect.
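The recorder settings above can also be verified programmatically. The following is an added example, not code from the AWS article: it evaluates the responses of the AWS Config DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus API calls against the conditions listed in this section (recorder present, recording on, all supported resource types, global resources included). The sample responses are constructed; the check_live_region function assumes boto3 and valid credentials and is not run here.

```python
"""Check the AWS Config recorder settings that Security Hub depends on."""
from typing import List

NO_RECORDER = "AWS Config is not enabled in this Region (no configuration recorder)"


def check_recorder(recorders: dict, statuses: dict) -> List[str]:
    """Return the problems found for one Region (an empty list means it is OK)."""
    problems = []
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        # Corresponds to "AWS Config is not enabled in all regions".
        return [NO_RECORDER]
    rec = recs[0]  # AWS Config allows one recorder per Region
    group = rec.get("recordingGroup", {})
    if not group.get("allSupported", False):
        problems.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes", False):
        problems.append("recorder does not include global resources (e.g., IAM)")
    by_name = {s["name"]: s for s in statuses.get("ConfigurationRecordersStatus", [])}
    status = by_name.get(rec["name"], {})
    if not status.get("recording", False):
        problems.append("recording is turned off")
    elif status.get("lastStatus") == "Failure":
        problems.append("last recording failed: " + status.get("lastErrorMessage", "unknown"))
    return problems


def check_live_region(region: str) -> List[str]:
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the module loads without boto3 installed
    cfg = boto3.client("config", region_name=region)
    return check_recorder(cfg.describe_configuration_recorders(),
                          cfg.describe_configuration_recorder_status())


# Constructed sample responses that follow the shape of the AWS Config API.
SAMPLE_OK_RECORDERS = {"ConfigurationRecorders": [{"name": "default", "recordingGroup": {
    "allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []}}]}
SAMPLE_OK_STATUS = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": True, "lastStatus": "Success"}]}
SAMPLE_BAD_RECORDERS = {"ConfigurationRecorders": [{"name": "default", "recordingGroup": {
    "allSupported": False, "includeGlobalResourceTypes": False,
    "resourceTypes": ["AWS::EC2::Instance"]}}]}
SAMPLE_BAD_STATUS = {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]}

if __name__ == "__main__":
    print("ok region: ", check_recorder(SAMPLE_OK_RECORDERS, SAMPLE_OK_STATUS) or ["no problems"])
    print("bad region:", check_recorder(SAMPLE_BAD_RECORDERS, SAMPLE_BAD_STATUS))
```

If Security Hub is enabled in several Regions, call check_live_region once per Region, as the note above says to repeat the console steps per Region.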

Use Amazon CloudWatch log filter patterns to search AWS CloudTrail log data

Use these instructions to search for and troubleshoot AWS Config error messages.

1.    Follow steps 1-4 in Search log entries using the console.

2.    In Filter, paste the following example syntax, and then press Enter:

EventSource: config.amazonaws.com

3.    Note the error. Then, follow the instructions for How can I troubleshoot AWS Config console error messages?

Verify the permissions on the Security Hub service-linked role

AWS Security Hub uses a service-linked role to obtain the permissions it needs from other AWS services. The following AWS Identity and Access Management (IAM) policy statement in that role grants Security Hub access to AWS Config; confirm that it is present:

{
    "Effect": "Allow",
    "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeConfigRuleEvaluationStatus"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
