AWS Service: config (Service-Linked Role)

They are AWS service-linked roles used by AWS services to perform tasks in your AWS account and to allow them to interact with your resources. As you are now using SecurityHub and haven’t received a threat I’d not consider those harmful but rather related to some service, like TrustedAdvisor, Config, that perform checks in the background ti make assessments.

Of course I assumed you have changed accounts passwords, access keys, secret for all users , enabled MFA for all and review access as you are going in cloud trail and security hub

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. These are not a threat to the security of your account.

In case of AWS Config example : Service-linked roles are predefined by AWS Config and include all the permissions that the service requires to call other AWS services on your behalf.

AWS Config service-linked role - https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html

Also make sure you follow the steps mentioned in this account compromised article - https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

And just to add some information about service-linked roles (and give you peace of mind about it), by definition those types of roles can only be assumed by the specific AWS service that they are linked with. This is done through the Trust Policy in the role (which you can incidentally also view). In other words, it’s impossible for any other principal to assume and use that role.