
AWS Config Global Resources

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Config-003

Ensure that Amazon Config is configured to include global resources in order to have complete visibility over the configuration changes made within your AWS cloud account. Global resources are not tied to a specific AWS region and can be used in all regions. Supported global resource types are IAM users, groups, roles, and IAM customer managed policies.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Including global resources into your Amazon Config settings will allow you to keep track of IAM resources such as IAM users, groups, roles, and managed policies. The configuration data recorded by this feature can be extremely useful during security audits that are targeting your entire AWS account (i.e. all regions).

Note: If Amazon Config is enabled in multiple regions and is configured to record changes made to global resources, the service will record these changes in every region available and this would result in multiple configuration items with the same information. To prevent duplicate entries, the Config service should be configured to include global resources in one region only (unless you want the configuration items to be available in multiple AWS regions).


Audit

To determine if Amazon Config service is missing the ability to record configuration changes made to global resources, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Choose Edit to access the configuration settings available for Amazon Config in the selected AWS region.

05 In the General settings section, ensure that the Record all resources supported in this region option is selected, and check whether the Include global resources (e.g., AWS IAM resources) checkbox is selected. If this checkbox is not selected, the configuration changes made to your AWS global resources such as IAM users, groups, roles, and IAM customer managed policies are not recorded by Amazon Config in the selected region.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-configuration-recorders command (OSX/Linux/UNIX) with a custom query filter to determine whether the Amazon Config service is configured to record changes made to global resources such as IAM resources:

aws configservice describe-configuration-recorders \
  --region us-east-1 \
  --query 'ConfigurationRecorders[*].recordingGroup.includeGlobalResourceTypes'

02 The command output should return the requested configuration setting status (true for enabled, false for disabled):

[
	false
]

If the value returned by the describe-configuration-recorders command output is false, as shown in the example above, the configuration changes made to your AWS global resources such as IAM users, groups, roles, and IAM policies are not recorded by Amazon Config.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
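The per-region CLI check above, together with the Note about duplicate configuration items, folded into one multi-region audit. This is an added example, not Conformity's own code; the region responses are constructed here to mirror the shape of the describe-configuration-recorders output, and the optional fetch_live helper assumes boto3 and valid credentials.

```python
"""Audit AWS Config global-resource recording across regions (added example)."""
from typing import Dict, List

# Constructed sample: region -> describe-configuration-recorders response.
# The role ARN and account id are placeholders, not values from a real account.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "us-east-1": {"ConfigurationRecorders": [
        {"name": "default", "roleARN": "arn:aws:iam::123456789012:role/EXAMPLE",
         "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
    "eu-west-1": {"ConfigurationRecorders": [
        {"name": "default", "roleARN": "arn:aws:iam::123456789012:role/EXAMPLE",
         "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
    "ap-southeast-2": {"ConfigurationRecorders": [
        {"name": "default", "roleARN": "arn:aws:iam::123456789012:role/EXAMPLE",
         "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}]},
    "sa-east-1": {"ConfigurationRecorders": []},   # no recorder was ever created here
}

def regions_recording_global(responses: Dict[str, dict]) -> List[str]:
    """Sorted regions whose recorder has includeGlobalResourceTypes set to true."""
    hits = []
    for region, resp in responses.items():
        for rec in resp.get("ConfigurationRecorders", []):
            if rec.get("recordingGroup", {}).get("includeGlobalResourceTypes", False):
                hits.append(region)
                break
    return sorted(hits)

def evaluate(responses: Dict[str, dict]) -> dict:
    """FAIL if no region records global resources (rule Config-003),
    WARN if more than one does (duplicate configuration items, see the Note),
    PASS if exactly one does. Regions with no recorder at all are listed too."""
    hits = regions_recording_global(responses)
    no_recorder = sorted(r for r, resp in responses.items()
                         if not resp.get("ConfigurationRecorders"))
    if not hits:
        status = "FAIL"
    elif len(hits) > 1:
        status = "WARN"
    else:
        status = "PASS"
    return {"status": status, "global_regions": hits, "no_recorder": no_recorder}

def fetch_live(regions: List[str]) -> Dict[str, dict]:
    """Optional live collection; assumes boto3 is installed and credentials are set."""
    import boto3
    return {r: boto3.client("config", region_name=r).describe_configuration_recorders()
            for r in regions}

if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSES))
```

With the constructed sample the verdict is WARN, because two regions record global resources and would produce duplicate configuration items.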

Remediation / Resolution

To include global AWS resources into Amazon Config settings, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ConfigurationRecorder": {
			"Type": "AWS::Config::ConfigurationRecorder",
			"Properties": {
				"Name": "default",
				"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
				"RecordingGroup": {
					"AllSupported": true,
					"IncludeGlobalResourceTypes": true
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_config_configuration_recorder" "configuration-recorder" {
	name     = "default"
	role_arn = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
	recording_group {
		all_supported                 = true
		include_global_resource_types = true
	}
}

resource "aws_config_configuration_recorder_status" "configuration-recorder-status" {
	is_enabled = true
	name       = aws_config_configuration_recorder.configuration-recorder.name
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Choose Edit to access the configuration settings available for Amazon Config in the selected AWS region.

05 In the General settings section, ensure that the Record all resources supported in this region option is selected, select the Include global resources (e.g., AWS IAM resources) checkbox, and choose Save to apply the changes. This will enable you to keep track of configuration changes made to global AWS resources such as IAM resources.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the describe-configuration-recorders command (OSX/Linux/UNIX) with a custom query filter to describe the ARN of the IAM role set for the Amazon Config recorder:

aws configservice describe-configuration-recorders \
  --region us-east-1 \
  --query 'ConfigurationRecorders[*].roleARN'

02 The command output should return the ARN of the requested IAM role:

[
	"arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
]

03 Run the put-configuration-recorder command (OSX/Linux/UNIX), using the role ARN returned at the previous step as the input parameter, to create or update the configuration recorder for Amazon Config so that it tracks configuration changes made to global AWS resources such as IAM resources (the command does not produce an output):

aws configservice put-configuration-recorder \
  --region us-east-1 \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

Publication date Oct 15, 2016