Configuration Aggregator to All Regions Disabled

  • Query id: ac5a0bc0-a54c-45aa-90c3-15f7703b9132
  • Query name: Configuration Aggregator to All Regions Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

AWS Config Configuration Aggregator All Regions must be set to True
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - tf file
resource "aws_config_configuration_aggregator" "positive1" {
  name = "example"

  account_aggregation_source {
    account_ids = ["123456789012"]
    regions     = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"]
  }
}

resource "aws_config_configuration_aggregator" "positive2" {
  depends_on = [aws_iam_role_policy_attachment.organization]

  name = "example" # Required

  organization_aggregation_source {
    all_regions = false
    role_arn    = aws_iam_role.organization.arn
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_config_configuration_aggregator" "negative1" {
  name = "example"

  account_aggregation_source {
    all_regions = true

  }
}

resource "aws_config_configuration_aggregator" "negative2" {
  depends_on = [aws_iam_role_policy_attachment.organization]

  name = "example" # Required

  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.organization.arn
  }
}