How to check the AWS Config configuration status for each region enabled in your account
What I was struggling with
I want to make configuration changes to AWS Config, but I need to check which regions have AWS Config enabled.
Is there a way to retrieve this information all at once?
How to handle it
I created an AWS CLI command and verified that it can retrieve a list of regions where AWS Config is enabled or disabled.
What I tried
This time, I created a command for AWS Config by referencing the "Reference: Security Hub enablement check" command from the blog post below, along with reference information [1] [2] [3] [4].
I compiled the AWS CLI commands I personally use most often with Security Hub | DevelopersIO
https://dev.classmethod.jp/articles/security-hub-my-command-list/
Below is the command I created.
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read -r region; do
    # Query the recorder status per region; errors are discarded, so a failed call is reported as DISABLED
    recorder_status=$(aws configservice describe-configuration-recorder-status \
      --region "${region}" \
      --query "ConfigurationRecordersStatus[].[recording]" \
      --output text 2>/dev/null)
    if [ "${recorder_status}" = "True" ]; then
      echo "ENABLED ${region}"
    else
      echo "DISABLED ${region}"
    fi
  done | awk '
    # Collect regions by status first, so each header is followed only by its own regions
    /^ENABLED/  { enabled[++e] = $2 }
    /^DISABLED/ { disabled[++d] = $2 }
    END {
      if (e) { print "### AWS Config is ENABLED";  for (i = 1; i <= e; i++) print enabled[i] }
      if (d) { print "### AWS Config is DISABLED"; for (i = 1; i <= d; i++) print disabled[i] }
    }
  '
I ran the command I created using the AWS CLI.
This time, I verified it in an environment where Config is enabled in the following 17 regions.
us-east-1
us-east-2
us-west-1
us-west-2
ap-south-1
ap-northeast-3
ap-northeast-2
ap-southeast-1
ap-southeast-2
ap-northeast-1
ca-central-1
eu-central-1
eu-west-3
eu-west-2
eu-west-1
eu-north-1
sa-east-1
The result was as follows, showing the 17 regions where Config is enabled.
###AWS Config is ENABLED
ap-south-1
eu-north-1
eu-west-3
eu-west-2
eu-west-1
ap-northeast-3
ap-northeast-2
ap-northeast-1
ca-central-1
sa-east-1
ap-southeast-1
ap-southeast-2
eu-central-1
us-east-1
us-east-2
us-west-1
us-west-2
Next, I disabled Config only in the Oregon region (us-west-2) and ran the command again, which returned the following result.
###AWS Config is ENABLED
ap-south-1
eu-north-1
eu-west-3
eu-west-2
eu-west-1
ap-northeast-3
ap-northeast-2
ap-northeast-1
ca-central-1
sa-east-1
ap-southeast-1
ap-southeast-2
eu-central-1
us-east-1
us-east-2
us-west-1
###AWS Config is DISABLED
us-west-2
The Oregon region (us-west-2), which I had disabled, was displayed as DISABLED.
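The command above discards errors and reports anything other than recording = True as DISABLED, so a region with no recorder, a stopped recorder, and a failed API call all look the same. The following added example (not part of the original article) goes a step beyond it by also reading lastStatus and the CLI exit code; the function names and the labels FAILING, NO_RECORDER and ERROR are this example's own.

```shell
# Added example, not the article's command. FAILING, NO_RECORDER and ERROR are
# labels chosen for this example.
# classify_recorder RC OUTPUT
#   RC:     exit code of `aws configservice describe-configuration-recorder-status`
#   OUTPUT: text output of --query "ConfigurationRecordersStatus[].[recording,lastStatus]"
classify_recorder() {
  rc=$1; out=$2
  [ "$rc" -eq 0 ] || { echo "ERROR"; return 0; }        # call failed: status unknown
  [ -n "$out" ] || { echo "NO_RECORDER"; return 0; }    # no recorder in this region
  set -- $out                                           # $1 = recording, $2 = lastStatus
  last=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  if [ "$1" != "True" ]; then echo "DISABLED"           # recorder exists but is stopped
  elif [ "$last" = "failure" ]; then echo "FAILING"     # recording, latest event failed
  else echo "ENABLED"; fi
}

# group_report: reads "STATUS region" lines, prints each status header once.
group_report() {
  awk '{ n[$1]++; r[$1, n[$1]] = $2 }
       END { split("ENABLED FAILING DISABLED NO_RECORDER ERROR", order, " ")
             for (k = 1; k <= 5; k++) { s = order[k]; if (!n[s]) continue
               print "### " s; for (i = 1; i <= n[s]; i++) print r[s, i] } }'
}

# demo: constructed results in the form "exit code|text output|region"; no AWS calls.
demo() {
  while IFS='|' read -r rc out region; do
    echo "$(classify_recorder "$rc" "$out") $region"
  done <<'EOF' | group_report
0|True SUCCESS|us-east-1
0|False SUCCESS|us-west-2
0||eu-west-1
254||ap-east-1
0|True FAILURE|eu-north-1
EOF
}

# scan_regions: live run (needs AWS CLI credentials); keeps the exit code instead of hiding it.
scan_regions() {
  aws ec2 describe-regions --query "Regions[].[RegionName]" --output text |
  while read -r region; do
    out=$(aws configservice describe-configuration-recorder-status --region "$region" \
      --query "ConfigurationRecordersStatus[].[recording,lastStatus]" --output text 2>/dev/null)
    rc=$?
    echo "$(classify_recorder "$rc" "$out") $region"
  done | group_report
}
```

Run `demo` to see the grouping on the constructed sample, or `scan_regions` against a real account.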
Summary
Since AWS Config is configured per region, it's convenient to be able to view the enabled/disabled status all at once.
While this is a simple piece of content, I hope this verification is helpful to someone.
References
[1] Verify that AWS Config started successfully with the AWS CLI - AWS Config
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/gs-cli-verify-subscribe.html
[2] describe-regions — AWS CLI 2.35.15 Command Reference
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-regions.html
[3] describe-configuration-recorder-status — AWS CLI 2.35.15 Command Reference
https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html
[4] describe-configuration-recorders — AWS CLI 2.35.15 Command Reference
https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html
