AWS Config Should Include Global Resources

More Info:

Ensure that AWS Config service is configured to include Global resources in order to have complete visibility over the configuration changes made within your AWS account. Global resources are not tied to a specific AWS region and can be used in all regions. Supported Global resource types are IAM users, groups, roles and customer managed policies.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, APRA, MAS, NIST4

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “AWS Config should include global resources” using the AWS CLI, follow these steps:

Run the following command to describe the role ARN of the IAM role set for the AWS Config recorder:

aws configservice describe-configuration-recorders \
    --region us-east-1 \
    --query 'ConfigurationRecorders[*].roleARN'

The command output should return the ARN of the requested IAM role:

[
	"arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
]

Use the role ARN returned in the previous step to create a new configuration recorder for AWS Config to track configuration changes made to global AWS resources:

aws configservice put-configuration-recorder \
    --region us-east-1 \
    --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
    --recording-group allSupported=true,includeGlobalResourceTypes=true

If you need to enable AWS Config for other regions, change the AWS cloud region from the navigation bar and repeat the above steps.

Using Python

To remediate the misconfiguration “AWS Config Should Include Global Resources” using Python, you can use the AWS SDK for Python (Boto3) to create a Lambda function that enables AWS Config in all regions and ensures that global resources are included.

Here’s an example Python script to remediate the policy.

import boto3

# Create a Boto3 client for AWS Config
config = boto3.client('config')

# Get a list of all regions in the AWS account
ec2 = boto3.client('ec2')
regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]

# Enable AWS Config for all regions
for region in regions:
    # Describe the IAM role for AWS Config
    role_arn_response = config.describe_configuration_recorders()
    role_arn = role_arn_response['ConfigurationRecorders'][0]['roleARN']

    # Create configuration recorder
    config.put_configuration_recorder(
        ConfigurationRecorder={
            'name': 'default',
            'roleARN': role_arn,
            'recordingGroup': {
                'allSupported': True,
                'includeGlobalResourceTypes': True,
                'resourceTypes': []
            }
        }
    )
    print(f"Enabled AWS Config in region {region}")

    # Start the evaluation
    config.start_config_rules_evaluation(config_rule_names=['global-resources'])

Once you run this code, AWS Config will be enabled for all regions in your AWS account, and the misconfiguration “AWS Config Should Include Global Resources” will be remediated.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS Config Should Include Global Resources

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: