Ensure that Amazon Config is configured to include global resources so that you have complete visibility over the configuration changes made within your AWS cloud account. Global resources are not tied to a specific AWS region and can be used in all regions. The supported global resource types are IAM users, groups, roles, and IAM customer managed policies.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Including global resources in your Amazon Config settings allows you to keep track of IAM resources such as IAM users, groups, roles, and managed policies. The configuration data recorded by this feature can be extremely useful during security audits that target your entire AWS account (i.e. all regions).
Note: If Amazon Config is enabled in multiple regions and is configured to record changes made to global resources, the service records these changes in every enabled region, which results in multiple configuration items carrying the same information. To prevent duplicate entries, configure the Config service to include global resources in one region only (unless you want the configuration items to be available in multiple AWS regions).
Audit
To determine if the Amazon Config service is missing the ability to record configuration changes made to global resources, perform the following operations:
Remediation / Resolution
To include global AWS resources in your Amazon Config settings, perform the following operations:
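The audit and remediation above both hinge on the `recordingGroup` of each region's configuration recorder. The following added example (not part of the Conformity rule or AWS tooling) evaluates the JSON that `aws configservice describe-configuration-recorders` returns, collected per region into a constructed sample dict, classifies the account as missing global resource recording, recording it in exactly one region, or recording it in several regions (the duplicate-item case from the note above), and builds the matching `put-configuration-recorder` command reusing the existing recorder name and role ARN:

```python
"""Audit AWS Config recorders for global resource coverage (added example)."""
import json

# Constructed sample: describe-configuration-recorders output keyed by region.
# The caller is assumed to have run the CLI once per enabled region.
SAMPLE_RECORDERS = {
    "us-east-1": json.loads("""{"ConfigurationRecorders": [{"name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/config-role",
        "recordingGroup": {"allSupported": true, "includeGlobalResourceTypes": true}}]}"""),
    "eu-west-1": json.loads("""{"ConfigurationRecorders": [{"name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/config-role",
        "recordingGroup": {"allSupported": true, "includeGlobalResourceTypes": false}}]}"""),
    "ap-southeast-2": json.loads('{"ConfigurationRecorders": []}'),
}


def regions_recording_global_resources(recorders_by_region):
    """Return the regions whose recorder records IAM (global) resource types."""
    found = []
    for region, payload in recorders_by_region.items():
        for recorder in payload.get("ConfigurationRecorders", []):
            group = recorder.get("recordingGroup", {})
            # includeGlobalResourceTypes only takes effect when allSupported is true
            if group.get("allSupported") and group.get("includeGlobalResourceTypes"):
                found.append(region)
    return found


def audit_global_resource_recording(recorders_by_region):
    """Classify the account: 'missing' (no region records global resources),
    'ok' (exactly one region does) or 'duplicate' (several regions do, which
    yields duplicate configuration items for the same IAM change)."""
    regions = regions_recording_global_resources(recorders_by_region)
    if not regions:
        return "missing", regions
    if len(regions) == 1:
        return "ok", regions
    return "duplicate", regions


def remediation_command(region, payload):
    """Build the put-configuration-recorder call that enables global resources
    for the region's existing recorder; None if no recorder exists there yet."""
    recorders = payload.get("ConfigurationRecorders", [])
    if not recorders:
        return None
    recorder = recorders[0]
    return ("aws configservice put-configuration-recorder "
            f"--region {region} "
            f"--configuration-recorder name={recorder['name']},roleARN={recorder['roleARN']} "
            "--recording-group allSupported=true,includeGlobalResourceTypes=true")
```

For the sample, `audit_global_resource_recording(SAMPLE_RECORDERS)` reports `("ok", ["us-east-1"])`, and the remediation command is only needed if the result is `missing`; a `duplicate` result means global recording should be switched off in all but one region.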
References
- AWS Documentation
  - How AWS Config Works
  - Concepts
  - Selecting Which Resources AWS Config Records
- AWS Command Line Interface (CLI) Documentation
  - describe-configuration-recorders
  - put-configuration-recorder