I was auditing our cloud infrastructure compliance and noticed something odd: AWS Config showed all our EC2 instances in us-east-1, but instances in eu-west-1 were invisible. It’s not that the instances didn’t exist—they were running fine. AWS Config simply wasn’t monitoring them. The problem was clear once I realized: Config recorders are regional, and I’d only set up the recorder in one region. In this post, I’ll walk through exactly what causes this and how to fix it.

The Problem

AWS Config is enabled and running, but it doesn’t show resources created in certain AWS regions. Security Hub or AWS Config compliance rules report data for some regions but show nothing for others. Your security dashboard shows an incomplete picture of your infrastructure.

Symptom                                                   Cause
--------------------------------------------------------  -------------------------------------------
Resources visible in us-east-1 but missing in eu-west-1   Config recorder not enabled in eu-west-1
Config shows some resource types but not others           allSupported: false in the recording group
New service launched; Config doesn’t track it             Service not added to Config’s scope

Why Does This Happen?

  • Config recorder not enabled in those regions — Config recorders are regional. You must set up and start the recorder separately in each region where you want monitoring. A recorder in us-east-1 can’t see resources in eu-west-1.

  • Recording group doesn’t include all supported resources — If allSupported is false in the recording group, Config records only the resource types you list explicitly. Resource types that AWS adds later are not picked up automatically.

  • Delivery channel S3 bucket or SNS topic missing — Config needs a regional delivery channel to store configuration snapshots. If the bucket or topic doesn’t exist in a region, the recorder can’t start.

  • IAM role missing or insufficient permissions — The AWSServiceRoleForConfig role must exist with the proper permissions and be referenced by the recorder in each region, or recordings fail.

  • Recorder is stopped — The recorder exists but is in a STOPPED state, so it’s not actively recording.
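The causes above map directly onto fields in the responses of describe-configuration-recorders, describe-configuration-recorder-status and describe-delivery-channels. The script below is an added example, not code from the original post: it applies that mapping to the JSON those calls return (or that boto3 returns) and names the gap per region. The responses it runs on are constructed sample data, not captured from a real account; the region names, recorder name and bucket name are assumptions. It also goes one step beyond the post's list and flags global resource types being recorded in more than one region, which produces duplicate configuration items.

```python
"""Classify AWS Config coverage gaps per region from the describe-* API responses.

Added example, not from the original post. Key names follow the Config API:
response members are PascalCase (ConfigurationRecorders), structure members
are lowerCamelCase (name, roleARN, recordingGroup, recording, lastStatus).
"""
from typing import Any

ROLE = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

# Constructed sample responses per region (not real account data).
SAMPLE: dict[str, dict[str, Any]] = {
    "us-east-1": {  # healthy: recorder on, all types, delivery channel present
        "recorders": {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE,
                      "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
        "status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]},
        "channels": {"DeliveryChannels": [{"name": "default", "s3BucketName": "my-config-bucket"}]},
    },
    "eu-west-1": {  # the symptom from the post: no recorder at all
        "recorders": {"ConfigurationRecorders": []},
        "status": {"ConfigurationRecordersStatus": []},
        "channels": {"DeliveryChannels": []},
    },
    "eu-central-1": {  # recorder exists but was stopped
        "recorders": {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE,
                      "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}]},
        "status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}]},
        "channels": {"DeliveryChannels": [{"name": "default", "s3BucketName": "my-config-bucket"}]},
    },
    "ap-southeast-1": {  # partial recording group, no delivery channel, last delivery failed
        "recorders": {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE,
                      "recordingGroup": {"allSupported": False, "resourceTypes": ["AWS::EC2::Instance"]}}]},
        "status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True,
                   "lastStatus": "FAILURE", "lastErrorCode": "NoSuchBucket"}]},
        "channels": {"DeliveryChannels": []},
    },
}


def classify_region(recorders: dict, status: dict, channels: dict) -> list[str]:
    """Return the coverage gaps for one region; an empty list means the region is healthy."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["NO_RECORDER"]  # nothing else is meaningful without a recorder
    gaps: list[str] = []
    rec = recs[0]  # Config allows one recorder per region
    if not rec.get("recordingGroup", {}).get("allSupported", False):
        gaps.append("PARTIAL_RECORDING_GROUP")
    if not rec.get("roleARN"):
        gaps.append("NO_ROLE")
    if not channels.get("DeliveryChannels"):
        gaps.append("NO_DELIVERY_CHANNEL")
    st = status.get("ConfigurationRecordersStatus", [])
    if not st or not st[0].get("recording", False):
        gaps.append("RECORDER_STOPPED")
    elif st[0].get("lastStatus") == "FAILURE":
        gaps.append("LAST_DELIVERY_FAILED:" + st[0].get("lastErrorCode", "unknown"))
    return gaps


def audit(samples: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Classify every region, then add the cross-region duplicate-global-types check."""
    result = {r: classify_region(d["recorders"], d["status"], d["channels"]) for r, d in samples.items()}
    global_regions = [
        r for r, d in samples.items()
        if any(rec.get("recordingGroup", {}).get("includeGlobalResourceTypes")
               for rec in d["recorders"].get("ConfigurationRecorders", []))
    ]
    if len(global_regions) > 1:  # IAM and other global types should be recorded in one region only
        for r in global_regions:
            result[r].append("GLOBAL_TYPES_RECORDED_IN_MULTIPLE_REGIONS")
    return result


if __name__ == "__main__":
    for region, gaps in audit(SAMPLE).items():
        print(f"{region:16} {'OK' if not gaps else ', '.join(gaps)}")
```

To use it against a real account, replace SAMPLE with the parsed output of the three describe calls per region (for example `aws configservice describe-configuration-recorders --region $r --output json`); the classification logic is unchanged.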

The Fix

Step 1: Check Recorder Status in All Regions

Create a script to check recorder status across all regions:

# Check recorder status in all regions. An empty table means no recorder exists
# in that region. Structure members in the response are lowerCamelCase
# (name, recordingGroup.allSupported), so the JMESPath query must match that case.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' \
  --output text --region us-east-1); do
  echo "=== Region: $region ==="
  aws configservice describe-configuration-recorders \
    --region "$region" \
    --query 'ConfigurationRecorders[*].[name,recordingGroup.allSupported,recordingGroup.includeGlobalResourceTypes,recordingGroup.resourceTypes]' \
    --output table
done

Step 2: Create the Config Service Role (if it doesn’t exist)

# Create the service-linked role. IAM is global, so this is done once per account;
# the role comes with the AWSConfigServiceRolePolicy managed policy already attached.
aws iam create-service-linked-role --aws-service-name config.amazonaws.com

# OR if it already exists, verify the role and its attached policy
aws iam get-role --role-name AWSServiceRoleForConfig
aws iam list-attached-role-policies --role-name AWSServiceRoleForConfig

Step 3: Enable the Recorder in Missing Regions

For each region where the recorder is missing or stopped, enable it:

# Enable the Config recorder in eu-west-1 (replace 123456789012 with your account ID).
# Global resource types (IAM, for example) should be recorded in only one region;
# set includeGlobalResourceTypes=true there and false in every other region.
aws configservice put-configuration-recorder \
  --region eu-west-1 \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

Step 4: Create a Delivery Channel

Config needs an S3 bucket to store configuration snapshots:

# Create the delivery channel in each region
aws configservice put-delivery-channel \
  --region eu-west-1 \
  --delivery-channel name=default,s3BucketName=my-config-bucket,configSnapshotDeliveryProperties={deliveryFrequency=TwentyFour_Hours}

Make sure the bucket exists and has the correct policy:

# Create bucket (if it doesn't exist)
aws s3api create-bucket --bucket my-config-bucket --region eu-west-1 \
  --create-bucket-configuration LocationConstraint=eu-west-1

# Apply the bucket policy Config needs (replace 123456789012 with your account ID).
# Config reads the bucket ACL, lists the bucket, and writes objects under
# AWSLogs/<account>/Config/; the conditions stop another account's Config
# service from writing into this bucket.
cat > config-bucket-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-config-bucket",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "123456789012"
        }
      }
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-config-bucket",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "123456789012"
        }
      }
    },
    {
      "Sid": "AWSConfigBucketPutObject",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-config-bucket/AWSLogs/123456789012/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "AWS:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
EOF

aws s3api put-bucket-policy --bucket my-config-bucket --policy file://config-bucket-policy.json

Step 5: Start the Recorder

# Start the recorder in each region (the flag is singular: one recorder per region)
for region in eu-west-1 eu-central-1; do
  aws configservice start-configuration-recorder \
    --region "$region" \
    --configuration-recorder-name default
done

Step 6: Verify Recorder is Running

# Check recorder status; recording should be True and lastStatus SUCCESS.
# A FAILURE here with lastErrorCode set usually points at the delivery channel
# (missing bucket or bucket policy) rather than the recorder itself.
aws configservice describe-configuration-recorder-status \
  --region eu-west-1 \
  --query 'ConfigurationRecordersStatus[*].[name,recording,lastStatus,lastErrorCode,lastStatusChangeTime]' \
  --output table

Is This Safe?

Yes. AWS Config is a compliance and governance service. Setting up recorders in all regions is a security best practice for multi-region deployments.

Key Takeaway

Config recorders are regional and must be enabled separately in each region. Always enable allSupported=true to capture all resource types, and verify each recorder reports recording=true with lastStatus SUCCESS. Check status across all regions regularly to catch coverage gaps early.


Have questions or ran into a different security issue? Connect with me on LinkedIn or X.