Configuration Aggregator to All Regions Disabled
- Query id: 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
- Query name: Configuration Aggregator to All Regions Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- URL: Github
Description
The `AllAwsRegions` property of an `AWS::Config::ConfigurationAggregator` (under `AccountAggregationSources` or `OrganizationAggregationSource`) must be set to `true`; leaving it unset or `false` restricts aggregation to the regions listed in `AwsRegions`.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
---
# Positive sample: all four aggregators are flagged because AllAwsRegions is
# either omitted or explicitly false, so aggregation is limited to the regions
# listed in AwsRegions.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  # Not referenced by any resource in this sample.
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String

Resources:
  # Account-based source, AllAwsRegions omitted.
  ConfigurationAggregator1:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
      ConfigurationAggregatorName: MyConfigurationAggregator

  # Account-based source, AllAwsRegions explicitly false.
  ConfigurationAggregator2:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
          AllAwsRegions: false
      ConfigurationAggregatorName: MyConfigurationAggregator

  # Organization-based source, AllAwsRegions omitted.
  ConfigurationAggregator3:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
      ConfigurationAggregatorName: MyConfigurationAggregator

  # Organization-based source, AllAwsRegions explicitly false.
  ConfigurationAggregator4:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
        AllAwsRegions: false
      ConfigurationAggregatorName: MyConfigurationAggregator
Positive test num. 2 - json file
{
"Resources": {
"ConfigurationAggregator5": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
]
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator6": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator7": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
]
},
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator8": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
},
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
---
# Negative sample: both aggregators set AllAwsRegions to true, so neither is
# flagged by this query.
Resources:
  # Account-based source with AllAwsRegions enabled.
  ConfigurationAggregator9:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
          AllAwsRegions: true
      ConfigurationAggregatorName: MyConfigurationAggregator

  # Organization-based source with AllAwsRegions enabled.
  ConfigurationAggregator10:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
        AllAwsRegions: true
      ConfigurationAggregatorName: MyConfigurationAggregator
Negative test num. 2 - json file
{
"Resources": {
"ConfigurationAggregator6": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": true
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
},
"ConfigurationAggregator8": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": true
},
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}
}
}