Ensure that AWS Config service is configured to include Global resources in order to have complete visibility over the configuration changes made within your AWS account. Global resources are not tied to a specific AWS region and can be used in all regions. Supported Global resource types are IAM users, groups, roles and customer managed policies.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Including Global resources in your AWS Config settings lets you keep track of IAM resources such as IAM users, groups, roles and managed policies. The configuration data recorded with this feature enabled can be extremely useful during security audits that target your entire AWS account (i.e. all regions).
Note: If AWS Config is enabled in multiple regions and each is configured to record changes made to Global resources, the service records the same changes in every one of those regions, which results in multiple configuration items carrying identical information. To prevent duplicate entries, configure the Config service to include Global resources in one region only (unless you want the configuration items to be available in multiple regions).
To determine if AWS Config service is missing the ability to record configuration changes made to Global resources (e.g. IAM resources), perform the following actions:
To include Global resources in your AWS Config settings, perform the following:
Note: The configuration details for a specific Global resource are the same in all AWS regions. To prevent duplicate configuration items, set the AWS Config service to record Global resources within one region only (preferably the US East/N. Virginia region).
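The check and the duplicate-region note above can be expressed as a small audit over the output of `aws configservice describe-configuration-recorders` run in each enabled region. The following is an added example, not Cloud Conformity's own rule logic: the per-region responses are constructed to mirror the shape the API returns (`ConfigurationRecorders[].recordingGroup` with `allSupported`, `includeGlobalResourceTypes` and `resourceTypes`), the account id and region set are placeholders, and a recorder is treated as covering Global resources either when `allSupported` plus `includeGlobalResourceTypes` is set or when an IAM global type is listed explicitly in `resourceTypes`.

```python
"""Audit whether AWS Config records Global resources (IAM users, groups, roles,
customer managed policies) and in how many regions it does so.

Added example, not Cloud Conformity's code. The responses below are
constructed samples in the shape of `describe-configuration-recorders`
output; a real run would collect one response per enabled region
(for instance via boto3: client('config', region_name=r)
.describe_configuration_recorders()).
"""

# Global resource types that AWS Config can record (the IAM types named on the page).
GLOBAL_RESOURCE_TYPES = {
    "AWS::IAM::User",
    "AWS::IAM::Group",
    "AWS::IAM::Role",
    "AWS::IAM::Policy",
}

# Constructed sample responses keyed by region; the account id is a placeholder.
SAMPLE_RESPONSES = {
    "us-east-1": {
        "ConfigurationRecorders": [
            {
                "name": "default",
                "roleARN": "arn:aws:iam::123456789012:role/PLACEHOLDER-config-role",
                "recordingGroup": {
                    "allSupported": True,
                    "includeGlobalResourceTypes": True,
                    "resourceTypes": [],
                },
            }
        ]
    },
    "eu-west-1": {
        "ConfigurationRecorders": [
            {
                "name": "default",
                "roleARN": "arn:aws:iam::123456789012:role/PLACEHOLDER-config-role",
                "recordingGroup": {
                    "allSupported": False,
                    "includeGlobalResourceTypes": False,
                    # Explicit list that happens to include an IAM global type,
                    # so this region also records Global resources.
                    "resourceTypes": ["AWS::EC2::Instance", "AWS::IAM::Role"],
                },
            }
        ]
    },
    # Region with no configuration recorder at all.
    "ap-southeast-2": {"ConfigurationRecorders": []},
}


def recorder_records_global(recorder):
    """Return True if this recorder captures Global (IAM) resource types."""
    group = recorder.get("recordingGroup", {})
    if group.get("allSupported") and group.get("includeGlobalResourceTypes"):
        return True
    explicit = set(group.get("resourceTypes", []))
    return bool(GLOBAL_RESOURCE_TYPES & explicit)


def regions_recording_global(responses):
    """Sorted list of regions whose recorder includes Global resources."""
    found = []
    for region, response in responses.items():
        recorders = response.get("ConfigurationRecorders", [])
        if any(recorder_records_global(r) for r in recorders):
            found.append(region)
    return sorted(found)


def evaluate(responses):
    """Classify the account-wide state.

    MISSING   - no region records Global resources (the rule fails).
    OK        - exactly one region does (the recommended setup).
    DUPLICATE - more than one region does; identical configuration items
                will be produced in each of them.
    """
    regions = regions_recording_global(responses)
    if not regions:
        return "MISSING", regions
    if len(regions) == 1:
        return "OK", regions
    return "DUPLICATE", regions


if __name__ == "__main__":
    status, regions = evaluate(SAMPLE_RESPONSES)
    print(f"{status}: Global resources recorded in {regions or 'no region'}")
```

On the constructed sample the verdict is `DUPLICATE`, because both `us-east-1` and `eu-west-1` end up recording IAM resources. The remediation for a region that reports `MISSING` is the documented `aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=<your-config-role-arn> --recording-group allSupported=true,includeGlobalResourceTypes=true`, run in the single region you choose for Global resources.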