
@dap-aws dap-aws commented Apr 8, 2025

Issue #, if available: How to exclude global resource types #14

Description of changes:

  1. Added variable to CFN template.yaml to get the Control Tower Home region which is the region that deploys the Config BASELINE StackSet and the solution. Consistent with this commit:
    4c4eb77

  2. Added a static list of the 4 Global IAM resource-types as a reference to add to and remove from the two new lists created.

  3. Created two new lists for exclusions: one for resource-types to exclude in the Home region and one for resource-types to exclude for all other CT governed regions, which should contain the 4 Global IAM resource-types.

  4. Used a list comprehension to remove or add the 4 Global IAM resource-types accordingly.

  5. Confirm if the region is the CT Home region to select the appropriate exclusion list for the recorder in that region.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

dap-aws added 4 commits April 8, 2025 12:11
add the CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region' variable for setting the Global Resource recording in the Home region only.
…resources in the Home region.

Adds a list and list comprehension to include the 4 global IAM resource-types in recording scope for the Control Tower Home region only. This is necessary since the 'exclusionByResourceTypes' option overrides the 'includeGlobalResourceTypes' option.
Update template.yaml with CONTROL_TOWER_HOME_REGION variable
Update ct_configrecorder_override_consumer.py to only include globals in home region
@vsr2158
Contributor

vsr2158 commented Nov 15, 2025

Can you please check and let me know. This is the intended behaviour:

https://github.com/aws-samples/aws-control-tower-config-customization?tab=readme-ov-file#configrecorderdailyglobalresourcetypes

@mentzerk

@vsr2158 - I can confirm the need for something like this. I've been observing something in my environment that would be fixed by this PR or something like it, and it all seems to key around the documentation for Config collecting IAM. If you look at the config docs here: https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all - there's a cut over for things onboarded after Feb 2022. In my observation, it seems like Control Tower handled those Global IAM resources in the past by creating an explicit exclude for them in all valid regions except the home region, then the home region was set to Daily. The functionality in this repo undoes that step, so the net config we see is Daily in the Home Region and continuous in all other regions, which is VERY chatty. This PR would reset that to what Control Tower set up in the first place with Daily in the Home Region and Excluded in the others.

@vsr2158
Contributor

vsr2158 commented Nov 18, 2025

The latest code does this.

In the home region

~ $ aws configservice describe-configuration-recorders
{
    "ConfigurationRecorders": [
        {
            "arn": "arn:aws:config:us-west-2:<>:configuration-recorder/aws-controltower-BaselineConfigRecorder/v0phnppi1x2nkt2o",
            "name": "aws-controltower-BaselineConfigRecorder",
            "roleARN": "arn:aws:iam::<>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "recordingGroup": {
                "allSupported": false,
                "includeGlobalResourceTypes": false,
                "resourceTypes": [],
                "exclusionByResourceTypes": {
                    "resourceTypes": [
                        "AWS::HealthLake::FHIRDatastore",
                        "AWS::Pinpoint::Segment",
                        "AWS::Pinpoint::ApplicationSettings"
                    ]
                },
                "recordingStrategy": {
                    "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
                }
            },
            "recordingMode": {
                "recordingFrequency": "CONTINUOUS",
                "recordingModeOverrides": [
                    {
                        "description": "DAILY_OVERRIDE",
                        "resourceTypes": [
                            "AWS::AutoScaling::AutoScalingGroup",
                            "AWS::AutoScaling::LaunchConfiguration",
                            "AWS::IAM::Policy",
                            "AWS::IAM::User",
                            "AWS::IAM::Role",
                            "AWS::IAM::Group"
                        ],
                        "recordingFrequency": "DAILY"
                    }
                ]
            },
            "recordingScope": "PAID"
        }
    ]
}

Other region

~ $ aws configservice describe-configuration-recorders
{
    "ConfigurationRecorders": [
        {
            "arn": "arn:aws:config:ap-southeast-2:<>::configuration-recorder/aws-controltower-BaselineConfigRecorder/9ytqiccxypujlp21",
            "name": "aws-controltower-BaselineConfigRecorder",
            "roleARN": "arn:aws:iam::<>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "recordingGroup": {
                "allSupported": false,
                "includeGlobalResourceTypes": false,
                "resourceTypes": [],
                "exclusionByResourceTypes": {
                    "resourceTypes": [
                        "AWS::HealthLake::FHIRDatastore",
                        "AWS::Pinpoint::Segment",
                        "AWS::Pinpoint::ApplicationSettings"
                    ]
                },
                "recordingStrategy": {
                    "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
                }
            },
            "recordingMode": {
                "recordingFrequency": "CONTINUOUS",
                "recordingModeOverrides": [
                    {
                        "description": "DAILY_OVERRIDE",
                        "resourceTypes": [
                            "AWS::AutoScaling::AutoScalingGroup",
                            "AWS::AutoScaling::LaunchConfiguration"
                        ],
                        "recordingFrequency": "DAILY"
                    }
                ]
            },
            "recordingScope": "PAID"
        }
    ]
}

The parameters being used

$ aws cloudformation describe-stacks --stack-name ct5 --query 'Stacks[0].Parameters'
[
    {
        "ParameterKey": "SourceS3Bucket",
        "ParameterValue": "<>-ccc"
    },
    {
        "ParameterKey": "ConfigRecorderExcludedResourceTypes",
        "ParameterValue": "AWS::HealthLake::FHIRDatastore,AWS::Pinpoint::Segment,AWS::Pinpoint::ApplicationSettings"
    },
    {
        "ParameterKey": "CloudFormationVersion",
        "ParameterValue": "1"
    },
    {
        "ParameterKey": "ExcludedAccounts",
        "ParameterValue": "['111111111111', '222222222222', '333333333333']"
    },
    {
        "ParameterKey": "ConfigRecorderStrategy",
        "ParameterValue": "EXCLUSION"
    },
    {
        "ParameterKey": "ConfigRecorderDefaultRecordingFrequency",
        "ParameterValue": "CONTINUOUS"
    },
    {
        "ParameterKey": "AccountSelectionMode",
        "ParameterValue": "INCLUSION"
    },
    {
        "ParameterKey": "IncludedAccounts",
        "ParameterValue": "['<>']"
    },
    {
        "ParameterKey": "ConfigRecorderIncludedResourceTypes",
        "ParameterValue": "AWS::S3::Bucket,AWS::CloudTrail::Trail"
    },
    {
        "ParameterKey": "ConfigRecorderDailyGlobalResourceTypes",
        "ParameterValue": "AWS::IAM::Policy,AWS::IAM::User,AWS::IAM::Role,AWS::IAM::Group"
    },
    {
        "ParameterKey": "ConfigRecorderDailyResourceTypes",
        "ParameterValue": "AWS::AutoScaling::AutoScalingGroup,AWS::AutoScaling::LaunchConfiguration"
    }
]

@vsr2158
Contributor

vsr2158 commented Nov 19, 2025

Template variable = ConfigRecorderDailyGlobalResourceTypes

Lambda env variable = CONTROL_TOWER_HOME_REGION: !Ref "AWS::Region" (set by the CFN template)
Lambda env variable = CONFIG_RECORDER_OVERRIDE_DAILY_GLOBAL_RESOURCE_LIST

Lambda handler uses = CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_LIST

Sets home_region = True based on condition

home_region = os.getenv('CONTROL_TOWER_HOME_REGION') == aws_region
if home_region:
    CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST += CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_LIST

Sets the Daily recording frequency

'recordingMode': {
    'recordingFrequency': CONFIG_RECORDER_DEFAULT_RECORDING_FREQUENCY,
    'recordingModeOverrides': [
        {
            'description': 'DAILY_OVERRIDE',
            'resourceTypes': CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST,
            'recordingFrequency': 'DAILY'
        }
    ] if CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST else []
}

So I think the latest version has that fix. Please let me know if I missed anything.

@mentzerk

Yes - I'm following that code, and what's in there now works for any IAM setup provisioned after Feb 2022. However - if your Account was provisioned before Feb 2022, this doesn't work. The first block from your comment is correct, daily for the home region. However, all other regions need an explicit exclude for those global services. Setting the includeGlobalResourceTypes isn't sufficient to prevent collection - so, they fall back to continuous in all other (non-home) regions.

@vsr2158
Contributor

vsr2158 commented Nov 21, 2025

There is more complexity to this after discussing with the Config service developer.

IAM resources are NOT recorded in regions launched after Feb 2022, which means if the CT Home region is one of those regions, IAM resources will not be recorded at all.

Global resource types | IAM resources

The following IAM resource types are global resources: IAM users, groups, roles, and customer managed policies. These resource types can be recorded by AWS Config in Regions where AWS Config was available before February 2022. This list where you cannot record the global IAM resource types includes the following Regions: Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Asia Pacific (Thailand), Canada West (Calgary), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), Mexico (Central), and Middle East (UAE).

NOTE: the doc is not up to date with all the new regions and I have requested to list pre 2022 regions instead.

The following options are present to address the IAM resource recording:
1- Update the documentation to highlight this; the customer needs to have a pre-2022 region as the CT home region.
2- If the user does NOT have a pre-2022 region as the CT home region, enable IAM recording in IAD / us-east-1, and the customer needs to enable that as a CT governed region (to apply IAM controls).
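The following is an added example, not code from this repository and not any commenter's words. It puts the per-region behaviour discussed in this thread into one function: the two exclusion lists from the PR description, the home-region check and DAILY override quoted in the Nov 19 comment, the explicit exclusion of the global IAM types outside the home region that @mentzerk asks for, and a check for the Config limitation raised in the Nov 21 comment. The names GLOBAL_IAM_RESOURCE_TYPES, REGIONS_WITHOUT_GLOBAL_IAM_RECORDING, parse_csv, home_region_can_record_iam and build_recorder_settings are this example's own; the region codes are my mapping of the region display names quoted from the Config documentation above, which the same comment notes is not kept current.

```python
"""Added example: per-region AWS Config recorder settings for the four
global IAM resource types, following the approach discussed in this thread.
Not the repository's code; all names below are this example's own.
"""

# The four global IAM resource types named in the PR description and in the
# ConfigRecorderDailyGlobalResourceTypes parameter value shown in the thread.
GLOBAL_IAM_RESOURCE_TYPES = [
    "AWS::IAM::Policy",
    "AWS::IAM::User",
    "AWS::IAM::Role",
    "AWS::IAM::Group",
]

# Region codes for the Regions the quoted Config documentation lists as
# unable to record global IAM resource types. The name-to-code mapping is
# this example's own, and the thread notes the documented list is not
# current, so treat this set as illustrative rather than authoritative.
REGIONS_WITHOUT_GLOBAL_IAM_RECORDING = {
    "ap-south-2",      # Asia Pacific (Hyderabad)
    "ap-southeast-5",  # Asia Pacific (Malaysia)
    "ap-southeast-4",  # Asia Pacific (Melbourne)
    "ap-southeast-7",  # Asia Pacific (Thailand)
    "ca-west-1",       # Canada West (Calgary)
    "eu-south-2",      # Europe (Spain)
    "eu-central-2",    # Europe (Zurich)
    "il-central-1",    # Israel (Tel Aviv)
    "mx-central-1",    # Mexico (Central)
    "me-central-1",    # Middle East (UAE)
}


def parse_csv(value):
    """Split a comma-separated CloudFormation parameter value into a list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def home_region_can_record_iam(home_region):
    """False when the Control Tower home region cannot record global IAM types,
    in which case no region in the estate records them (Nov 21 comment)."""
    return home_region not in REGIONS_WITHOUT_GLOBAL_IAM_RECORDING


def build_recorder_settings(aws_region, home_region, excluded, daily,
                            daily_global, default_frequency="CONTINUOUS"):
    """Return (recordingGroup, recordingMode) for one region.

    Home region: the global IAM types are recorded on the DAILY override and
    are removed from the exclusion list if present.
    Other regions: the global IAM types are appended to the explicit
    exclusion list, because exclusionByResourceTypes overrides
    includeGlobalResourceTypes, and includeGlobalResourceTypes=false alone
    does not stop collection in accounts onboarded before Feb 2022.
    """
    is_home = aws_region == home_region
    exclusions = list(excluded)
    daily_override = list(daily)
    if is_home:
        exclusions = [t for t in exclusions if t not in daily_global]
        daily_override += [t for t in daily_global if t not in daily_override]
    else:
        exclusions += [t for t in daily_global if t not in exclusions]
        daily_override = [t for t in daily_override if t not in daily_global]

    recording_group = {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": [],
        "exclusionByResourceTypes": {"resourceTypes": exclusions},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    }
    recording_mode = {
        "recordingFrequency": default_frequency,
        "recordingModeOverrides": [
            {
                "description": "DAILY_OVERRIDE",
                "resourceTypes": daily_override,
                "recordingFrequency": "DAILY",
            }
        ] if daily_override else [],
    }
    return recording_group, recording_mode


if __name__ == "__main__":
    # Constructed inputs matching the parameter values shown in the thread.
    excluded = parse_csv("AWS::HealthLake::FHIRDatastore,AWS::Pinpoint::Segment,"
                         "AWS::Pinpoint::ApplicationSettings")
    daily = parse_csv("AWS::AutoScaling::AutoScalingGroup,"
                      "AWS::AutoScaling::LaunchConfiguration")
    home = "us-west-2"
    if not home_region_can_record_iam(home):
        print(f"warning: {home} cannot record global IAM resource types")
    for region in ("us-west-2", "ap-southeast-2"):
        group, mode = build_recorder_settings(region, home, excluded, daily,
                                              GLOBAL_IAM_RESOURCE_TYPES)
        print(region, group["exclusionByResourceTypes"]["resourceTypes"],
              mode["recordingModeOverrides"])
```

The home-region output reproduces the Nov 18 `describe-configuration-recorders` result (three service exclusions, six DAILY types); the other-region output keeps the two Auto Scaling types on DAILY and adds the four IAM types to the exclusion list instead of leaving them on CONTINUOUS.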

@vsr2158 vsr2158 self-assigned this Nov 23, 2025