Why did I get an AWS Config error after turning on AWS Security Hub?


How to troubleshoot AWS Config errors after turning on AWS Security Hub.

Short description

When setting up AWS Security Hub, you might see one of the following errors:

  • "AWS Config is not enabled on some accounts."
  • "AWS Config is not enabled in all regions."
  • "An error has occurred with AWS Config. Contact AWS Support."

Resolution

Use the following best practices for configuring and troubleshooting AWS Config with Security Hub:

Note: The AWS Config rules that Security Hub creates do not incur any additional AWS Config rule charges. The configuration recorder itself (the configuration items it records) is billed as usual.

Verify that AWS Config is turned on in the same AWS Region as Security Hub

Security Hub uses AWS Config rules to evaluate its security controls, so AWS Config must be turned on in every Region where Security Hub is turned on. To turn it on manually:

1. Open the AWS Config console in the same Region that you have Security Hub turned on.

2. If AWS Config is not turned on, follow the instructions for setting up AWS Config with the console.

Note: If you have Security Hub configured in multiple Regions, repeat these steps for each Region. AWS Config is configured per account and per Region, so if you use AWS Organizations, check every member account as well.

Verify that AWS Config is recording all resources, including global resources, in your Region

Modify the resource types that AWS Config records as follows:

1. Open the AWS Config console, and choose Settings.

2. In Settings, confirm that Recording is on.

3. In Resource types to record, select Record all resources supported in this region.

4. In Resource types to record, select Include global resources (e.g., AWS IAM resources).

5. Choose Save.

Note:

  • AWS Config settings are per account and per Region. Apply these settings in every AWS account that is configured with Security Hub, including AWS Organizations member accounts.
  • You do not have to record all resource types in AWS Config. However, be sure that the resource types required by the CIS, PCI DSS, and AWS Foundational Security Best Practices controls are being recorded; a control whose resource type is not recorded cannot be evaluated.
  • You do not need to record global resources in all Regions. To avoid duplicate configuration items and findings for the same IAM resources, record global resources in only one Region per AWS account, the same Region in which you use Security Hub.
  • It can take up to 24 hours for the recorder settings to take effect.
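The two checks above (AWS Config turned on in every Security Hub Region; recorder recording all resources, with global resources in exactly one home Region) can be scripted. The following is an added example, not part of the AWS article. The check logic is pure Python over the response shapes of the Config API calls describe-configuration-recorders and describe-configuration-recorder-status, so it runs offline on the constructed sample at the bottom; fetch_live() is the only function that calls AWS (it needs boto3 and credentials) and the caller supplies the list of Regions where Security Hub is enabled.

```python
"""Audit AWS Config recorder settings in every Region where Security Hub runs.

Added example; not part of the AWS article. The checks are pure Python over the
shapes returned by the Config API, so they run offline on the constructed sample
below. fetch_live() is the only part that calls AWS (needs boto3 and credentials).
"""


def check_region(region, recorders, statuses, home_region):
    """Return a list of problems for one Region (empty list == passes).

    recorders:   "ConfigurationRecorders" from describe-configuration-recorders
    statuses:    "ConfigurationRecordersStatus" from describe-configuration-recorder-status
    home_region: the one Region per account that should record global (IAM) resources
    """
    problems = []
    if not recorders:
        # No recorder at all: this is the "AWS Config is not enabled" case.
        problems.append("AWS Config is not enabled (no configuration recorder)")
        return problems
    rec = recorders[0]
    group = rec.get("recordingGroup", {})
    if not group.get("allSupported", False):
        # Recording a subset is allowed, but then every resource type the
        # CIS / PCI DSS / FSBP controls need must be listed in group["resourceTypes"].
        problems.append("recorder does not record all supported resource types")
    global_on = group.get("includeGlobalResourceTypes", False)
    if region == home_region and not global_on:
        problems.append("global resources (IAM) not included in the home Region")
    if region != home_region and global_on:
        problems.append("global resources also recorded outside the home Region (duplicates)")
    status = next((s for s in statuses if s.get("name") == rec.get("name")), None)
    if status is None or not status.get("recording", False):
        problems.append("recorder exists but recording is turned off")
    elif status.get("lastStatus") == "Failure":
        problems.append("last recorder run failed: " + status.get("lastErrorMessage", ""))
    return problems


def audit(security_hub_regions, api_output, home_region):
    """api_output maps Region -> (recorders, statuses). Returns {Region: [problems]}."""
    return {
        r: check_region(r, *api_output.get(r, ([], [])), home_region)
        for r in security_hub_regions
    }


def fetch_live(security_hub_regions):
    """Collect the same two API responses from a real account (not run offline)."""
    import boto3  # imported here so the offline checks above do not need it

    out = {}
    for r in security_hub_regions:
        cfg = boto3.client("config", region_name=r)
        recs = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
        stats = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
        out[r] = (recs, stats)
    return out


# Constructed sample: three Regions with Security Hub on; only us-east-1 is set up correctly.
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]
SAMPLE_OUTPUT = {
    "us-east-1": (
        [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
        [{"name": "default", "recording": True, "lastStatus": "Success"}],
    ),
    "eu-west-1": (
        [{"name": "default", "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                                                 "resourceTypes": ["AWS::EC2::Instance"]}}],
        [{"name": "default", "recording": False}],
    ),
    # ap-southeast-1 is deliberately absent: no recorder exists there.
}


def run_sample():
    return audit(SAMPLE_REGIONS, SAMPLE_OUTPUT, home_region="us-east-1")


if __name__ == "__main__":
    for region, problems in run_sample().items():
        print(region, "OK" if not problems else "; ".join(problems))
```

Replace SAMPLE_OUTPUT with fetch_live(regions) to run it against a real account; in an Organizations setup, run it once per member account with that account's credentials, because the recorder settings are not shared across accounts.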

Use Amazon CloudWatch Logs filter patterns to search AWS CloudTrail log data

If your CloudTrail trail delivers events to a CloudWatch Logs log group, you can search it for the failing AWS Config API calls as follows:

1. Follow steps 1-4 in Search log entries using the console.

2. In Filter, paste the following filter pattern, and then press Enter:

{ $.eventSource = "config.amazonaws.com" }

3. Failed calls carry errorCode and errorMessage fields. Note the error, and then follow the instructions for How can I troubleshoot AWS Config console error messages?
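The same triage can be done offline on exported log lines. The following is an added example, not from the AWS article: it applies the equivalent of the filter pattern above in Python, narrowed to records that carry an errorCode, and groups the failures by Region and error so the exact message can be looked up. The log lines are constructed for this example (the field names eventSource, eventName, awsRegion, errorCode, errorMessage and userIdentity.invokedBy are the real CloudTrail field names; the values, account ID and the stray non-JSON line are made up).

```python
"""Find failed AWS Config API calls in CloudTrail events from a CloudWatch Logs group.

Added example; not from the AWS article. Sample log lines are constructed.
"""
import json

# Constructed sample: one JSON CloudTrail event per line, plus one malformed line.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "config.amazonaws.com", "eventName": "PutConfigRule",
                "awsRegion": "us-east-1",
                "errorCode": "NoAvailableConfigurationRecorderException",
                "errorMessage": "Configuration recorder is not available to put config rule.",
                "userIdentity": {"type": "AWSService", "invokedBy": "securityhub.amazonaws.com"}}),
    json.dumps({"eventSource": "config.amazonaws.com", "eventName": "DescribeConfigurationRecorders",
                "awsRegion": "us-east-1",
                "userIdentity": {"type": "AWSService", "invokedBy": "securityhub.amazonaws.com"}}),
    json.dumps({"eventSource": "config.amazonaws.com", "eventName": "PutConfigRule",
                "awsRegion": "eu-west-1",
                "errorCode": "NoAvailableConfigurationRecorderException",
                "errorMessage": "Configuration recorder is not available to put config rule.",
                "userIdentity": {"type": "AWSService", "invokedBy": "securityhub.amazonaws.com"}}),
    json.dumps({"eventSource": "config.amazonaws.com", "eventName": "DeleteConfigRule",
                "awsRegion": "eu-west-1",
                "errorCode": "NoAvailableConfigurationRecorderException",
                "errorMessage": "Configuration recorder is not available.",
                "userIdentity": {"type": "AWSService", "invokedBy": "securityhub.amazonaws.com"}}),
    json.dumps({"eventSource": "securityhub.amazonaws.com", "eventName": "EnableSecurityHub",
                "awsRegion": "eu-west-1", "errorCode": "AccessDenied",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}}),
    "2024-01-01 not a json event line",
]


def _caller(event):
    """Service principal that invoked the call, or the IAM ARN for direct callers."""
    ident = event.get("userIdentity", {})
    return ident.get("invokedBy") or ident.get("arn", "?")


def config_failures(log_lines):
    """Group failed config.amazonaws.com calls by (Region, errorCode).

    Equivalent to the filter pattern { $.eventSource = "config.amazonaws.com" }
    restricted to events that have an errorCode. Each value holds the count,
    the operations that failed, who invoked them and the first message seen.
    """
    failures = {}
    for line in log_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # not a JSON event; skip it
        if ev.get("eventSource") != "config.amazonaws.com" or "errorCode" not in ev:
            continue
        key = (ev.get("awsRegion", "?"), ev["errorCode"])
        entry = failures.setdefault(key, {"count": 0, "operations": set(), "callers": set(),
                                          "message": ev.get("errorMessage", "")})
        entry["count"] += 1
        entry["operations"].add(ev.get("eventName", "?"))
        entry["callers"].add(_caller(ev))
    return failures


if __name__ == "__main__":
    for (region, code), info in config_failures(SAMPLE_LOG_LINES).items():
        print(f"{region} {code} x{info['count']} via {sorted(info['operations'])}"
              f" by {sorted(info['callers'])}: {info['message']}")
```

In the sample, both failures come from securityhub.amazonaws.com calling PutConfigRule and DeleteConfigRule in a Region with no configuration recorder, which is exactly the situation the first two sections of this article fix.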

Verify the permissions on the Security Hub service-linked role

AWS Security Hub uses a service-linked role, AWSServiceRoleForSecurityHub, to call other AWS services on your behalf. The following AWS Identity and Access Management (IAM) statement in that role's policy grants Security Hub access to AWS Config. Note that the Resource element is scoped to config-rule ARNs under aws-service-rule that contain "securityhub", that is, to the rules Security Hub creates itself:

    {
        "Effect": "Allow",
        "Action": [
            "config:PutConfigRule",
            "config:DeleteConfigRule",
            "config:GetComplianceDetailsByConfigRule",
            "config:DescribeConfigRuleEvaluationStatus"
        ],
        "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
    }

Confirm that the role exists in the account and carries this statement. For more information, see Using service-linked roles for AWS Security Hub.
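To see which AWS Config rules that statement actually lets Security Hub manage, the following added example (not from the AWS article) implements IAM's wildcard matching ('*' matches any run of characters, '?' one character; action names are compared case-insensitively, resource ARNs case-sensitively) and evaluates the statement above against a rule created by Security Hub and a rule created directly in AWS Config. The account ID and rule names in the sample ARNs are made up.

```python
"""Check which Config rule ARNs the Security Hub service-linked role statement covers.

Added example; not from the AWS article. The statement is the one quoted in the
article; the sample ARNs are constructed.
"""
import re

SECURITY_HUB_CONFIG_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeConfigRuleEvaluationStatus",
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*",
}


def iam_pattern(pattern, ignore_case=False):
    """Compile an IAM action/resource pattern into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_allows(statement, action, resource_arn):
    """True if this Allow statement matches both the action and the resource."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(iam_pattern(a, ignore_case=True).match(action)
                    for a in _as_list(statement["Action"]))
    resource_ok = any(iam_pattern(r).match(resource_arn)
                      for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


# Constructed ARNs: a rule Security Hub created under the aws-service-rule prefix,
# and a rule the customer created directly in AWS Config.
SECURITY_HUB_RULE = ("arn:aws:config:us-east-1:111122223333:config-rule/"
                     "aws-service-rule/securityhub.amazonaws.com/config-rule-abc123")
CUSTOMER_RULE = "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-xyz789"


def coverage_report(statement=SECURITY_HUB_CONFIG_STATEMENT):
    """Map (action, ARN) -> whether the statement allows it."""
    cases = [
        ("config:PutConfigRule", SECURITY_HUB_RULE),
        ("config:putconfigrule", SECURITY_HUB_RULE),            # action names are case-insensitive
        ("config:PutConfigRule", CUSTOMER_RULE),                 # not a Security Hub-managed rule
        ("config:StartConfigRulesEvaluation", SECURITY_HUB_RULE),  # action not in the statement
    ]
    return {(a, arn): statement_allows(statement, a, arn) for a, arn in cases}


if __name__ == "__main__":
    for (action, arn), allowed in coverage_report().items():
        print("ALLOW" if allowed else "deny ", action, arn)
```

The report shows the scoping in practice: the role can create, delete and query only rules whose ARN sits under aws-service-rule and contains "securityhub", so a Config rule you created yourself is untouched by Security Hub, and any Config action outside the four listed is not granted by this statement.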


Related information

AWS Security Hub now generally available

AWS OFFICIAL
Updated a year ago