
Include Global Resources into AWS Config Settings


Risk level: Medium (should be achieved)

Ensure that the AWS Config service is configured to include Global resources so that you have complete visibility over the configuration changes made within your AWS account. Global resources are not tied to a specific AWS region and can be used in all regions. The supported Global resource types are IAM users, groups, roles and customer managed policies.

Including Global resources in your AWS Config settings allows you to keep track of IAM resources such as IAM users, groups, roles and managed policies. The configuration data recorded with this feature enabled is extremely useful during security audits that target your entire AWS account (i.e. all regions). Note: if AWS Config is enabled in multiple regions and each of them is configured to record changes made to Global resources, the service records those changes in every such region, which results in multiple configuration items with the same information. To prevent duplicate entries, configure the Config service to include Global resources in one region only (unless you want the configuration items to be available in multiple regions).

Audit

To determine if the AWS Config service is not recording configuration changes made to Global resources (e.g. IAM resources), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, within Resource types to record section, check if Include global resources (e.g., AWS IAM resources) setting is enabled. If the setting checkbox is not currently enabled, the configuration changes made to your AWS Global resources such as IAM users, groups, roles and customer managed policies are not recorded.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-configuration-recorders command (OSX/Linux/UNIX) using custom query filters to determine if the AWS Config service is configured to record changes made to Global resources such as AWS IAM resources:

aws configservice describe-configuration-recorders \
	--region us-east-1 \
	--query 'ConfigurationRecorders[*].recordingGroup.includeGlobalResourceTypes'

02 The command output should return the Global resources recorder status (true for enabled, false for disabled):

[
    false
]

If the value returned by the describe-configuration-recorders command is false (or the list is empty because no configuration recorder exists in that region), the configuration changes made to your AWS Global resources such as IAM users, groups, roles and policies are not currently recorded there.

03 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To include Global resources in AWS Config settings, perform the following:

Note: The configuration details for a specific Global resource are the same in all AWS regions. To prevent duplicate configuration items, set AWS Config service to record Global resources within one region only (preferably US East/N. Virginia region).

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, within Resource types to record section, check Include global resources (e.g., AWS IAM resources) checkbox to enable AWS Config to record configuration changes made to Global resources such as IAM users, groups, roles and customer managed policies.

05 Scroll down to the bottom of the page and click Save to apply the changes and include Global resources into AWS Config settings. Once the configuration changes are saved, the following confirmation message will be displayed: "Success: Your settings were successfully saved."

Using AWS CLI

01 Run describe-configuration-recorders command (OSX/Linux/UNIX) using custom query filters to get the role ARN of the existing AWS Config recorder:

aws configservice describe-configuration-recorders
	--region us-east-1
	--query 'ConfigurationRecorders[*].roleARN'

02 The command output should return the requested role ARN:

[
    "arn:aws:iam::123456789012:role/cc-config-role"
]

03 Run put-configuration-recorder command (OSX/Linux/UNIX) using the role ARN returned at the previous step as parameter, to update the existing AWS Config configuration recorder so that it tracks configuration changes made to Global resources such as IAM resources. There is one configuration recorder per region; passing its current name (default) and role ARN updates that recorder instead of creating a second one. The includeGlobalResourceTypes option is only accepted when allSupported is also true, which is why both flags are set together. The command does not produce an output:

aws configservice put-configuration-recorder \
	--region us-east-1 \
	--configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/cc-config-role \
	--recording-group allSupported=true,includeGlobalResourceTypes=true
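The two CLI procedures above (audit every region, then fix the one region that should record IAM resources) can be combined into a single account-wide check. The script below is an added example, not Cloud Conformity's or AWS's own code. It evaluates the ConfigurationRecorders lists returned by describe-configuration-recorders for each region, flags the three bad states the page describes (no region records Global resources, more than one region does and therefore produces duplicate configuration items, or the only region that does is not the one you chose), and builds the boto3 put_configuration_recorder call that mirrors the CLI command above, preserving the recorder's name and role ARN. The sample data, the preferred region constant and the function names are constructed for this example; the describe_recorders_live helper needs AWS credentials and boto3 and is not used by the offline demo.

```python
"""Account-wide audit and remediation of AWS Config's "include global resources" setting.

Added example (not Cloud Conformity's or AWS's code). Input shape is the
`ConfigurationRecorders` list returned by `describe-configuration-recorders`.
"""
from typing import Dict, List, Tuple

# Region chosen to record Global (IAM) resources; the page suggests US East (N. Virginia).
# This constant is an assumption for the example.
GLOBAL_RECORDING_REGION = "us-east-1"

# Constructed sample: three regions, shaped like the CLI/boto3 output.
# Global resources are recorded in eu-west-1 only, not in the preferred region.
SAMPLE_RECORDERS: Dict[str, List[dict]] = {
    "us-east-1": [{
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/cc-config-role",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False},
    }],
    "eu-west-1": [{
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/cc-config-role",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    }],
    "ap-southeast-2": [],  # AWS Config never set up here: empty list, as the CLI returns
}


def regions_recording_global_resources(recorders_by_region: Dict[str, List[dict]]) -> List[str]:
    """Return the sorted list of regions whose recorder has includeGlobalResourceTypes set."""
    regions = []
    for region, recorders in recorders_by_region.items():
        for recorder in recorders:
            group = recorder.get("recordingGroup", {})
            # Treat a missing key the same as False: the setting is not enabled.
            if group.get("includeGlobalResourceTypes", False):
                regions.append(region)
                break
    return sorted(regions)


def audit_global_resources(recorders_by_region: Dict[str, List[dict]],
                           expected_region: str = GLOBAL_RECORDING_REGION) -> Tuple[str, List[str]]:
    """Classify the account: 'missing' (no region records Global resources),
    'duplicate' (several regions do, so configuration items are duplicated),
    'misplaced' (exactly one region, but not the expected one) or 'ok'."""
    regions = regions_recording_global_resources(recorders_by_region)
    if not regions:
        return "missing", regions
    if len(regions) > 1:
        return "duplicate", regions
    if regions[0] != expected_region:
        return "misplaced", regions
    return "ok", regions


def remediation_call(recorder: dict) -> dict:
    """Keyword arguments for boto3 `config.put_configuration_recorder(**kwargs)` that
    enable Global resources on an existing recorder, keeping its name and role ARN.
    includeGlobalResourceTypes is only accepted together with allSupported=True."""
    return {
        "ConfigurationRecorder": {
            "name": recorder["name"],
            "roleARN": recorder["roleARN"],
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
        }
    }


def describe_recorders_live(regions: List[str]) -> Dict[str, List[dict]]:
    """Fetch the recorder list from each region with boto3 (needs credentials).
    boto3 is imported here so the rest of the module works without it installed."""
    import boto3
    result = {}
    for region in regions:
        client = boto3.client("config", region_name=region)
        result[region] = client.describe_configuration_recorders()["ConfigurationRecorders"]
    return result


if __name__ == "__main__":
    status, where = audit_global_resources(SAMPLE_RECORDERS)
    print(f"Global resources recorded in: {where or 'no region'} -> status: {status}")
    if status in ("missing", "misplaced"):
        # Fix the preferred region; the duplicate case needs the extra region(s) turned off instead.
        print("put_configuration_recorder kwargs for", GLOBAL_RECORDING_REGION, ":")
        print(remediation_call(SAMPLE_RECORDERS[GLOBAL_RECORDING_REGION][0]))
```

For a 'duplicate' finding the fix is the reverse of remediation_call: re-run put-configuration-recorder with includeGlobalResourceTypes=false in every region except the one you keep. A region with an empty recorder list has no recorder to update, so it needs the full AWS Config setup (role, delivery channel, recorder) before this setting applies.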

Publication date Oct 15, 2016