This check verifies that AWS accounts have AWS Config recorders active and healthy in each Region. It identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.
Risk
Gaps in Config recording create blind spots. Changes in unmonitored Regions aren't captured, weakening integrity and auditability. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying incident response.
Run this check with Prowler CLI
prowler aws --checks config_recorder_all_regions_enabled
Recommendation
Enable AWS Config in every Region with continuous recording and maintain healthy recorder status.
Remediation
Other
- In the AWS Console, go to Config
- Click Set up AWS Config (or Settings)
- Select a resource recording option (any) and choose an existing S3 bucket for delivery
- Keep the default AWSServiceRoleForConfig role
- Click Confirm/Turn on to start recording
- Verify on the Settings page that Status shows Recording and not Failure
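The console shows one Region at a time, so the same verification can be scripted across all Regions. The following is an added example, not Prowler's own code: it classifies each Region into the three failing states named above from the `ConfigurationRecordersStatus` list that `describe_configuration_recorder_status` returns. The function names and the sample data are assumptions made for illustration.

```python
# Added example: classify AWS Config recorder state per Region.
# Each Region's input is the "ConfigurationRecordersStatus" list from
# the Config API call describe_configuration_recorder_status.

def classify_region(statuses):
    """Return 'PASS' or a 'FAIL: ...' reason for one Region."""
    if not statuses:
        return "FAIL: no recorder"
    for rec in statuses:
        if not rec.get("recording", False):
            return "FAIL: recorder disabled"
        if rec.get("lastStatus") == "Failure":
            return "FAIL: recorder in failure state"
    return "PASS"

def evaluate(account_status):
    """Map {region: status list} to {region: verdict}, sorted by Region."""
    return {r: classify_region(s) for r, s in sorted(account_status.items())}

def failing_regions(account_status):
    """Regions that need remediation."""
    return [r for r, v in evaluate(account_status).items() if v != "PASS"]

def collect(regions):
    """Live collection; assumes boto3 is installed and credentials are set."""
    import boto3
    out = {}
    for region in regions:
        client = boto3.client("config", region_name=region)
        resp = client.describe_configuration_recorder_status()
        out[region] = resp["ConfigurationRecordersStatus"]
    return out

# Constructed sample data, one Region per outcome (not real account output).
SAMPLE = {
    "us-east-1": [{"name": "default", "recording": True, "lastStatus": "Success"}],
    "eu-west-1": [{"name": "default", "recording": False, "lastStatus": "Success"}],
    "ap-south-1": [{"name": "default", "recording": True, "lastStatus": "Failure"}],
    "sa-east-1": [],
}

if __name__ == "__main__":
    for region, verdict in evaluate(SAMPLE).items():
        print(f"{region}: {verdict}")
```

Against a real account, pass the list of enabled Regions to `collect()` and feed its result to `evaluate()`.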
Resource Type
Other