From 6cab3bd7ef7fc1ee74d5ba15dad101563b329bdd Mon Sep 17 00:00:00 2001
From: dap
Date: Tue, 8 Apr 2025 12:11:14 -0700
Subject: [PATCH 1/2] Update template.yaml with CONTROL_TOWER_HOME_REGION variable

add the CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region' variable for setting the Global Resource recording in the Home region only.
---
 template.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/template.yaml b/template.yaml
index 481f592..bee1e2a 100644
--- a/template.yaml
+++ b/template.yaml
@@ -111,6 +111,7 @@ Resources:
 CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST: !Ref ConfigRecorderDailyResourceTypes
 CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST: !Ref ConfigRecorderExcludedResourceTypes
 CONFIG_RECORDER_DEFAULT_RECORDING_FREQUENCY: !Ref ConfigRecorderDefaultRecordingFrequency
+ CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region'
 
 ConsumerLambdaEventSourceMapping:
 Type: AWS::Lambda::EventSourceMapping

From fa9ab8f5d15646f9a980beb324a9e25bf4bab4c8 Mon Sep 17 00:00:00 2001
From: dap
Date: Tue, 8 Apr 2025 12:16:51 -0700
Subject: [PATCH 2/2] Update ct_configrecorder_override_consumer.py to only include global resources in the Home region.

Adds a list and list comprehension to include the 4 global IAM resource-types in recording scope for the Control Tower Home region only. This is necessary since the 'exclusionByResourceTypes' option overrides the 'includeGlobalResourceTypes' option.
---
 ct_configrecorder_override_consumer.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/ct_configrecorder_override_consumer.py b/ct_configrecorder_override_consumer.py
index e607733..ba603fb 100644
--- a/ct_configrecorder_override_consumer.py
+++ b/ct_configrecorder_override_consumer.py
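Review bot: `CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region'` binds the home region to whichever region this stack happens to be deployed in, and nothing in the template states the assumption that the stack must live in the Control Tower home region. If it is deployed elsewhere, the consumer's `home_region` comparison in the second patch is false in every region, the `_NOT_HOME` exclusion list that appends the four IAM types is applied everywhere, and IAM drops out of Config's recording scope without any error. A comment on the new line would make the constraint visible to whoever deploys it: `# Must be the Control Tower home region; this stack is expected to be deployed there, otherwise global IAM types are excluded in every region.` Exposing the value as an overridable template parameter is worth considering, but that is a design decision beyond this line.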
@@ -86,6 +86,9 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
 try:
 role_arn = 'arn:aws:iam::' + account_id + ':role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
 
+ ## added IAM global resource list
+ GLOBAL_IAM_RESOURCE_LIST = ['AWS::IAM::Group','AWS::IAM::Policy','AWS::IAM::Role','AWS::IAM::User']
+
 CONFIG_RECORDER_DAILY_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST')
 CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST = CONFIG_RECORDER_DAILY_RESOURCE_STRING.split(
 ',') if CONFIG_RECORDER_DAILY_RESOURCE_STRING != '' else []
@@ -98,6 +101,18 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
 res = [x for x in CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST if x not in CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST]
 CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST[:] = res
 
+ ## create two new lists - NOT_HOME and HOME
+ CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME = []
+ CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME = []
+
+ ## remove any of the global IAM resources from exclusion list for HOME region
+ home = [x for x in CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST if x not in GLOBAL_IAM_RESOURCE_LIST]
+ CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME[:] = home
+ ## take home list and add globals for NOT_HOME exclusion list for linked regions
+ CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME = home + GLOBAL_IAM_RESOURCE_LIST
+
+ home_region = os.getenv('CONTROL_TOWER_HOME_REGION') == aws_region
+
 # Event = Delete is when stack is deleted, we rollback changed made and leave it as ControlTower Intended
 if event == 'Delete':
 response = configservice.put_configuration_recorder(
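Review bot: `GLOBAL_IAM_RESOURCE_LIST` is named like a module constant but is defined inside the function body under the `try:` at the top of the hunk, so it is rebuilt on every invocation and is not reachable from anywhere else in the file. Moving it to module scope beside the other configuration, and replacing the change-log style `## added IAM global resource list` with a why-comment such as `# Global resource types Config records only under includeGlobalResourceTypes; exclusionByResourceTypes overrides that flag, so they are handled per region below`, keeps the reasoning next to the data. The set is hard-coded to four IAM types, so a note that it must be revisited if the list of global types changes would help the next maintainer. The enclosing function starts before this hunk.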
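Review bot: `home_region = os.getenv('CONTROL_TOWER_HOME_REGION') == aws_region` evaluates to False when the variable is unset or misspelled, because `os.getenv` returns None, so every region then looks like a linked region, `CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME` (which appends the IAM types) is applied everywhere, and the IAM resource types are recorded in no region this consumer configures, with nothing logged to show it. Treating a missing value as a configuration error keeps the failure closed and visible; how the `except` that pairs with the `try:` in the previous hunk reacts to a raise is outside the hunk and should be checked before adopting it. Separately, `res` is still filtered against the original `CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST` rather than the region-specific list, so in a linked region an IAM type can remain in the daily override while also being excluded; whether the Config API accepts that combination is not visible here. The `= []` initialisations and the `[:]` slice assignment to an empty list are unnecessary, since both names are rebuilt in full a few lines later. `aws_region` is assigned outside the hunk.
```python
# … unchanged: daily list pruning and HOME / NOT_HOME exclusion list construction …
home_region_name = os.getenv('CONTROL_TOWER_HOME_REGION')
if not home_region_name:
    raise ValueError('CONTROL_TOWER_HOME_REGION is not set; refusing to guess the home region')
home_region = home_region_name == aws_region
```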
@@ -119,7 +134,8 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
 'allSupported': False,
 'includeGlobalResourceTypes': False,
 'exclusionByResourceTypes': {
- 'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST
+ ## for exclusion list exclusionByResourceTypes.resourceTypes: if home_region==true use home, else use not_home
+ 'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME if home_region == True else CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME
 },
 'recordingStrategy': {
 'useOnly': 'EXCLUSION_BY_RESOURCE_TYPES'
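Review bot: `home_region == True` compares a bool against the literal; `'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME if home_region else CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME` is the idiomatic form and reads the same. Choosing the list once before the dict is built and logging it together with `aws_region` would leave a record of which exclusion set each region actually received, which is the quickest way to notice a region wrongly treated as non-home. The `##` comment above the key restates the expression; a why-comment such as `# exclusionByResourceTypes overrides includeGlobalResourceTypes (False above), so the global IAM types are excluded only outside the home region` carries the reason instead. The surrounding call and branch start and end outside the hunk.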