Configuration Aggregator to All Regions Disabled

  • Query id: 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
  • Query name: Configuration Aggregator to All Regions Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

AWS Config Configuration Aggregator All Regions must be set to True
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  ConfigurationAggregator1:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
    ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator2:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
          AllAwsRegions: false
    ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator3:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
      ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator4:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
        AllAwsRegions: false
      ConfigurationAggregatorName: MyConfigurationAggregator
Positive test num. 2 - json file
{
  "Resources": {
    "ConfigurationAggregator5": {
      "Type": "AWS::Config::ConfigurationAggregator",
      "Properties": {
        "AccountAggregationSources": [
          {
            "AccountIds": [
              "123456789012",
              "987654321012"
            ],
            "AwsRegions": [
              "us-west-2",
              "us-east-1"
            ]
          }
        ],
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
      }
    },
    "ConfigurationAggregator6": {
      "Type": "AWS::Config::ConfigurationAggregator",
      "Properties": {
        "AccountAggregationSources": [
          {
            "AccountIds": [
              "123456789012",
              "987654321012"
            ],
            "AwsRegions": [
              "us-west-2",
              "us-east-1"
            ],
            "AllAwsRegions": false
          }
        ],
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
      }
    },
    "ConfigurationAggregator7": {
      "Type": "AWS::Config::ConfigurationAggregator",
      "Properties": {
        "OrganizationAggregationSource": {
          "RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
          "AwsRegions": [
            "us-west-2",
            "us-east-1"
          ]
        },
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
      }
    },
    "ConfigurationAggregator8": {
      "Type": "AWS::Config::ConfigurationAggregator",
      "Properties": {
        "OrganizationAggregationSource": {
          "RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
          "AwsRegions": [
            "us-west-2",
            "us-east-1"
          ],
          "AllAwsRegions": false
        },
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  ConfigurationAggregator9:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      AccountAggregationSources:
        - AccountIds:
            - '123456789012'
            - '987654321012'
          AwsRegions:
            - us-west-2
            - us-east-1
          AllAwsRegions: true
      ConfigurationAggregatorName: MyConfigurationAggregator
  ConfigurationAggregator10:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: >-
          arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        AwsRegions:
          - us-west-2
          - us-east-1
        AllAwsRegions: true
      ConfigurationAggregatorName: MyConfigurationAggregator
Negative test num. 2 - json file
{
  "Resources": {
    "ConfigurationAggregator6": {
      "Type": "AWS::Config::ConfigurationAggregator",
      "Properties": {
        "AccountAggregationSources": [
          {
            "AccountIds": [
              "123456789012",
              "987654321012"
            ],
            "AwsRegions": [
              "us-west-2",
              "us-east-1"
            ],
            "AllAwsRegions": true
          }
        ],
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
      }
    },
    "ConfigurationAggregator8": {
      "Type": "AWS::Config::ConfigurationAggregator",
      "Properties": {
        "OrganizationAggregationSource": {
          "RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
          "AwsRegions": [
            "us-west-2",
            "us-east-1"
          ],
          "AllAwsRegions": true
        },
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
      }
    }
  }
}