Medium

Ensure AWS Config is configured to include global resources

Security & Compliance
Description

For full visibility into configuration changes made in your AWS account, configure the AWS Config service to include Global resources. Global resources are not limited to a particular AWS region and can be used in all regions; they include IAM users, groups, roles, and customer-managed policies. Including Global resources in your AWS Config settings lets you monitor changes made to these IAM resources. The recorded configuration data is particularly valuable during security audits that target your entire AWS account, spanning all regions.

Remediation

To ensure that AWS Config is configured to include global resources, you can follow these remediation steps:

  1. Log in to the AWS Management Console and navigate to the AWS Config service.
  2. From the AWS Config dashboard, click on "Settings" on the left-hand navigation menu.
  3. Under the "Resource types to record" section, select the "Global resources" checkbox.
  4. From the dropdown list of global resource types, select IAM users, groups, roles, and customer-managed policies.
  5. Click the "Save" button to save the changes.
  6. Verify that the global resources are now included in the list of recorded resource types by reviewing the AWS Config dashboard.
  7. Monitor the AWS Config service regularly to ensure that global resources are being recorded and that any configuration changes made to these resources are being tracked.

Following these steps ensures that AWS Config is configured to include global resources, so that changes made to IAM resources are monitored across all regions. This gives you complete visibility over the configuration changes made within your AWS account and helps you stay compliant with industry regulations and security best practices.
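
The verification in steps 6 and 7 can also be done against the recorder definition instead of the dashboard. The following is an added example, not Lightlytics' own code: a Python check over the JSON returned by `aws configservice describe-configuration-recorders`. The function names and the sample document are constructed for illustration, and it assumes the recorder uses either the all-supported or the explicit-list recording mode.

```python
import json

# The four IAM resource types the page names as global resources.
GLOBAL_IAM_TYPES = {
    "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy",
}

def missing_global_types(recorder):
    """Return the IAM global types this recorder does not record (empty = OK)."""
    group = recorder.get("recordingGroup", {})
    # Mode 1: record all supported types with the global-resources option on.
    if group.get("allSupported") and group.get("includeGlobalResourceTypes"):
        return set()
    # Mode 2: explicit list, where every IAM type must be named.
    # With allSupported but no global flag the list is empty,
    # so all four types are reported as missing.
    return GLOBAL_IAM_TYPES - set(group.get("resourceTypes", []))

def audit(describe_output):
    """Map each recorder name to a sorted list of missing global types."""
    doc = json.loads(describe_output)
    return {r["name"]: sorted(missing_global_types(r))
            for r in doc.get("ConfigurationRecorders", [])}

# Constructed sample in the shape of describe-configuration-recorders output,
# with three hypothetical recorders to show each outcome.
SAMPLE = json.dumps({"ConfigurationRecorders": [
    {"name": "all-with-global", "recordingGroup": {
        "allSupported": True, "includeGlobalResourceTypes": True,
        "resourceTypes": []}},
    {"name": "all-no-global", "recordingGroup": {
        "allSupported": True, "includeGlobalResourceTypes": False,
        "resourceTypes": []}},
    {"name": "explicit-partial", "recordingGroup": {
        "allSupported": False, "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance", "AWS::IAM::User",
                          "AWS::IAM::Role"]}},
]})

if __name__ == "__main__":
    for name, missing in audit(SAMPLE).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```

The result is per region. AWS's guidance is to record global resources in a single region to avoid duplicate configuration items, so a "missing" result in the other regions can be intentional.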

Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.