More Info:

Ensure that AWS Config service is enabled in all regions in order to have complete visibility over your AWS infrastructure configuration changes.

Risk Level

High

Address

Security

Compliance Standards

CBP

Remediation

Using Console:

  • Steps:
    1. Log in to the AWS Management Console.
    2. Navigate to the AWS Config service.
    3. Check if there are any Configuration Recorders configured.
    4. If there are no Configuration Recorders, create a new one by clicking on “Create Configuration Recorder” and follow the setup wizard.
    5. If there are Configuration Recorders:
      • Review each Configuration Recorder.
      • Ensure that the “Include global resources” option is enabled.
      • Edit the Configuration Recorder if necessary to enable global resource recording.

Using CLI:

  • Commands: 
    aws configservice put-configuration-recorder --configuration-recorder name=default --recording-group allSupported=true
  • Steps:
    1. Use the above CLI command to update the Configuration Recorder to include global resource recording.
    2. Replace name=default with the name of your Configuration Recorder.

Using Python

  • Logic: 
    import boto3

def enable_global_resource_recording():
    try:
        config = boto3.client('config')

        # Check if Configuration Recorders exist
        recorders = config.describe_configuration_recorders()['ConfigurationRecorders']
        if not recorders:
            # Create a new Configuration Recorder
            config.put_configuration_recorder(ConfigurationRecorder={
                'name': 'default',
                'recordingGroup': {'allSupported': True}
            })
            print("Configuration Recorder created with global resource recording enabled.")
        else:
            for recorder in recorders:
                if not recorder.get('recordingGroup', {}).get('allSupported', False):
                    # Update existing Configuration Recorder to enable global resource recording
                    config.put_configuration_recorder(ConfigurationRecorder={
                        'name': recorder['name'],
                        'recordingGroup': {'allSupported': True}
                    })
                    print(f"Global resource recording enabled for Configuration Recorder: {recorder['name']}")
                    break
            else:
                print("Global resource recording is already enabled for all Configuration Recorders.")

    except Exception as e:
        print(f"Error: {e}")

# Execute remediation
enable_global_resource_recording()

Ensure that you have the necessary permissions to update AWS Config settings using the AWS CLI or Python script. Also, review and test the changes before applying them to production environments.

Additional Reading: