More Info:

Ensure that AWS Config service is configured to include Global resources in order to have complete visibility over the configuration changes made within your AWS account. Global resources are not tied to a specific AWS region and can be used in all regions. Supported Global resource types are IAM users, groups, roles and customer managed policies.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, APRA, MAS, NIST4

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “AWS Config Should Include Global Resources” for AWS using the AWS console, follow these steps:
  1. Sign in to the AWS Management Console.
  2. Navigate to the AWS Config console at AWS Config Console.
  3. In the main navigation panel, under AWS Config, choose Settings.
  4. Choose Edit to access the configuration settings available for AWS Config in the selected AWS region.
  5. In the General settings section, ensure that Record all resources supported in this region option is selected, select the Include global resources (e.g., AWS IAM resources) checkbox, and choose Save to apply the changes. This will enable you to keep track of configuration changes made to global AWS resources such as IAM resources.
  6. Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

To remediate the misconfiguration “AWS Config should include global resources” using the AWS CLI, follow these steps:
  1. Run the following command to describe the role ARN of the IAM role set for the AWS Config recorder:
aws configservice describe-configuration-recorders \
    --region us-east-1 \
    --query 'ConfigurationRecorders[*].roleARN'
  1. The command output should return the ARN of the requested IAM role:
[
	"arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
]
  1. Use the role ARN returned in the previous step to create a new configuration recorder for AWS Config to track configuration changes made to global AWS resources:
aws configservice put-configuration-recorder \
    --region us-east-1 \
    --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
    --recording-group allSupported=true,includeGlobalResourceTypes=true
  1. If you need to enable AWS Config for other regions, change the AWS cloud region from the navigation bar and repeat the above steps.
  1. To remediate the misconfiguration “AWS Config Should Include Global Resources” using Python, you can use the AWS SDK for Python (Boto3) to create a Lambda function that enables AWS Config in all regions and ensures that global resources are included.
Here’s an example Python script to remediate the policy.
import boto3

# Create a Boto3 client for AWS Config
config = boto3.client('config')

# Get a list of all regions in the AWS account
ec2 = boto3.client('ec2')
regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]

# Enable AWS Config for all regions
for region in regions:
    # Describe the IAM role for AWS Config
    role_arn_response = config.describe_configuration_recorders()
    role_arn = role_arn_response['ConfigurationRecorders'][0]['roleARN']

    # Create configuration recorder
    config.put_configuration_recorder(
        ConfigurationRecorder={
            'name': 'default',
            'roleARN': role_arn,
            'recordingGroup': {
                'allSupported': True,
                'includeGlobalResourceTypes': True,
                'resourceTypes': []
            }
        }
    )
    print(f"Enabled AWS Config in region {region}")

    # Start the evaluation
    config.start_config_rules_evaluation(config_rule_names=['global-resources'])
  1. Once you run this code, AWS Config will be enabled for all regions in your AWS account, and the misconfiguration “AWS Config Should Include Global Resources” will be remediated.

Additional Reading: