AWS Config recorders are evaluated for use of the service-linked IAM role AWSServiceRoleForConfig (linked to config.amazonaws.com) rather than a custom role.
The evaluation inspects each active recorder and its roleARN to confirm that the AWS-managed service-linked role (path aws-service-role/config.amazonaws.com/) is in use; any other role, including a custom role that happens to carry broad permissions, fails the check.
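The check logic described above, written out as an added example (this is not Prowler's own implementation). It evaluates the same data that `DescribeConfigurationRecorders` and `DescribeConfigurationRecorderStatus` return, using a constructed sample with the placeholder account ID 123456789012; the `fetch_recorders` helper shows where a live call would slot in and is only used when the script is run directly.

```python
"""Evaluate AWS Config recorders for use of the AWSServiceRoleForConfig
service-linked role. Added example, not Prowler's source code."""
import re

# Fixed path AWS assigns to the Config service-linked role in every partition.
SERVICE_LINKED_ROLE_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/aws-service-role/"
    r"config\.amazonaws\.com/AWSServiceRoleForConfig$"
)


def expected_role_arn(partition: str, account_id: str) -> str:
    """The roleARN a compliant recorder in this account must carry."""
    return (f"arn:{partition}:iam::{account_id}:role/aws-service-role/"
            f"config.amazonaws.com/AWSServiceRoleForConfig")


def evaluate_recorders(recorders, statuses, account_id):
    """Return (recorder_name, status, detail) tuples.

    recorders: the 'ConfigurationRecorders' list from DescribeConfigurationRecorders
    statuses:  the 'ConfigurationRecordersStatus' list from
               DescribeConfigurationRecorderStatus
    Only recorders that are currently recording are evaluated; a stopped
    recorder is reported as SKIP so it is still visible to the operator.
    """
    recording = {s["name"] for s in statuses if s.get("recording")}
    findings = []
    for rec in recorders:
        name = rec["name"]
        role_arn = rec.get("roleARN", "")
        if name not in recording:
            findings.append((name, "SKIP", "recorder is not recording"))
            continue
        match = SERVICE_LINKED_ROLE_RE.match(role_arn)
        if match and match.group(2) == account_id:
            findings.append((name, "PASS", role_arn))
        elif match:
            # Service-linked role shape, but from a different account: still wrong.
            findings.append((name, "FAIL", f"service-linked role of another account: {role_arn}"))
        else:
            findings.append((name, "FAIL", f"custom role in use: {role_arn}"))
    return findings


def fetch_recorders(region=None):
    """Live variant (assumes boto3 and AWS credentials; not used by the sample)."""
    import boto3  # imported lazily so the evaluation logic runs offline
    sts = boto3.client("sts", region_name=region)
    cfg = boto3.client("config", region_name=region)
    account_id = sts.get_caller_identity()["Account"]
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    return recorders, statuses, account_id


# Constructed sample data, shaped like the two API responses.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_RECORDERS = [
    {"name": "default", "roleARN": expected_role_arn("aws", SAMPLE_ACCOUNT)},
    {"name": "legacy", "roleARN": f"arn:aws:iam::{SAMPLE_ACCOUNT}:role/MyConfigRole"},
    {"name": "idle", "roleARN": f"arn:aws:iam::{SAMPLE_ACCOUNT}:role/MyConfigRole"},
]
SAMPLE_STATUSES = [
    {"name": "default", "recording": True},
    {"name": "legacy", "recording": True},
    {"name": "idle", "recording": False},
]

if __name__ == "__main__":
    for name, status, detail in evaluate_recorders(SAMPLE_RECORDERS, SAMPLE_STATUSES, SAMPLE_ACCOUNT):
        print(f"{status:4} {name}: {detail}")
```

Matching the full ARN rather than only the role name matters: a custom role named AWSServiceRoleForConfig under the default `role/` path is not the service-linked role and should still fail.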
Risk
Using a custom or incorrect role can break recording or create blind spots, undermining the integrity and availability of configuration history. Over‑privileged roles weaken least privilege, increasing risk of unauthorized access, stealthy changes, and delayed incident response.
prowler aws --checks config_recorder_using_aws_service_role
Recommendation
Use the AWS-managed service-linked role AWSServiceRoleForConfig for all recorders to enforce least privilege and consistent trust.
Avoid custom roles; restrict who can modify the recorder or role; monitor for drift and ensure recording remains enabled as part of defense in depth.
Remediation
aws configservice put-configuration-recorder --configuration-recorder name=<RECORDER_NAME>,roleARN=arn:<PARTITION>:iam::<ACCOUNT_ID>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
The service-linked role must already exist in the account; if it does not, create it first with aws iam create-service-linked-role --aws-service-name config.amazonaws.com. Afterwards confirm the change with aws configservice describe-configuration-recorders and check with aws configservice describe-configuration-recorder-status that the recorder is still recording.
Resources:
  example_resource:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: example_resource
      RoleARN: arn:<PARTITION>:iam::<ACCOUNT_ID>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig # This line fixes the security issue
resource "aws_config_configuration_recorder" "example_resource" {
  name     = "example_resource"
  role_arn = "arn:<PARTITION>:iam::<ACCOUNT_ID>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" # This line fixes the security issue
}
- Open the AWS Console and go to AWS Config
- Choose Settings (or Recording) and click Edit
- For IAM role, select Use service-linked role (AWSServiceRoleForConfig)
- Save changes
Resource Type: Other