AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AWS Config Should Include Global Resources
More Info:
Ensure that AWS Config service is configured to include Global resources in order to have complete visibility over the configuration changes made within your AWS account. Global resources are not tied to a specific AWS region and can be used in all regions. Supported Global resource types are IAM users, groups, roles and customer managed policies.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “AWS Config Should Include Global Resources” for AWS using the AWS console, follow these steps:
-
Log in to your AWS account and navigate to the AWS Config console.
-
Click on the “Rules” tab on the left-hand side of the screen.
-
Locate the “AWS Config Should Include Global Resources” rule and click on it.
-
Click on the “Remediation actions” tab.
-
Click on the “Create remediation action” button.
-
In the “Create remediation action” window, select the “AWS-EnableConfigGlobalResourceTypes” remediation action.
-
Click on the “Create” button to create the remediation action.
-
Once the remediation action is created, select the rule again and click on the “Remediate” button.
-
In the “Remediate” window, select the “AWS-EnableConfigGlobalResourceTypes” remediation action.
-
Click on the “Remediate” button to remediate the misconfiguration.
This will enable AWS Config to include global resources and remediate the misconfiguration.
The misconfiguration “AWS Config should include global resources” means that AWS Config is not currently set up to include global resources such as IAM users, roles, and policies. To remediate this, follow these steps using the AWS CLI:
-
First, ensure that you have the AWS CLI installed and configured on your local machine.
-
Open a terminal or command prompt and run the following command to create a new AWS Config rule that includes global resources:
aws configservice put-config-rule --config-rule file://aws-config-rule-global-resources.json
Note: Replace aws-config-rule-global-resources.json
with the name of the JSON file that contains the AWS Config rule definition. You can create this file using a text editor and the following JSON:
{
"ConfigRuleName": "global-resources",
"Description": "Includes global resources in AWS Config",
"Scope": {
"ComplianceResourceTypes": [
"AWS::IAM::User",
"AWS::IAM::Role",
"AWS::IAM::Policy"
]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "GLOBAL_RESOURCE"
}
}
- Once the rule is created, run the following command to start evaluating compliance:
aws configservice start-config-rules-evaluation --config-rule-names global-resources
Note: Replace global-resources
with the name of the AWS Config rule you just created.
- Wait for the evaluation to complete. You can check the status of the evaluation by running the following command:
aws configservice describe-config-rule-evaluation-status --config-rule-names global-resources
- If the evaluation shows noncompliant resources, you can remediate them manually or use AWS Config remediation actions to automate the remediation process.
Note: To use AWS Config remediation actions, you must first create a remediation action that specifies the steps to remediate noncompliant resources. You can then associate the remediation action with the AWS Config rule and run it to automatically remediate noncompliant resources.
To remediate the misconfiguration “AWS Config Should Include Global Resources” using Python, you can follow these steps:
-
First, you need to enable AWS Config in the AWS Management Console. Go to the AWS Config console, select the region where you want to enable AWS Config, and click on “Get started”.
-
Next, you need to create a new AWS Config rule in the AWS Management Console. Go to the AWS Config console, click on “Rules”, and then click on “Add rule”.
-
In the “Add rule” dialog box, select “AWS Config Managed Rules” as the rule type, and search for the rule “global-resources-enabled”.
-
Click on “Add” to add the rule to your AWS Config configuration.
-
To remediate the misconfiguration using Python, you can use the AWS SDK for Python (Boto3) to create a Lambda function that automatically enables AWS Config for all regions in your AWS account. Here’s an example Python code to enable AWS Config in all regions:
import boto3
# Create a Boto3 client for AWS Config
config = boto3.client('config')
# Get a list of all regions in the AWS account
ec2 = boto3.client('ec2')
regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]
# Enable AWS Config for all regions
for region in regions:
response = config.put_configuration_recorder(
ConfigurationRecorder={
'name': 'default',
'roleARN': 'arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com.amazonaws.com/AWSServiceRoleForConfig',
'recordingGroup': {
'allSupported': True,
'includeGlobalResourceTypes': True,
'resourceTypes': []
}
}
)
print(f"Enabled AWS Config in region {region}")
- Once you run this code, AWS Config will be enabled for all regions in your AWS account, and the misconfiguration “AWS Config Should Include Global Resources” will be remediated.