Configuration Recorder: IAM Role and Global Resources properties incorrect according to Control Tower setup

[ahuseby]

Hello

I would like to point out a few inconsistencies between this customization solution the the current Config Redorcing configuration initially deployed by Control Tower.

As of version 3.2 of Control Tower landing zone, the member account onfiguration recorder config looks like this:

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Sub ${ManagedResourcePrefix}-BaselineConfigRecorder
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !If
          - IsHomeRegion
          - !Ref IncludeGlobalResourceTypes
          - 'false'
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes

Currently, this solution configures the configuration recorder like this:

            role_arn = 'arn:aws:iam::' + account_id + ':role/aws-controltower-ConfigRecorderRole'
...
                response = configservice.put_configuration_recorder(
                    ConfigurationRecorder={
                        'name': 'aws-controltower-BaselineConfigRecorder',
                        'roleARN': role_arn,
                        'recordingGroup': {
                            'allSupported': False,
                            'includeGlobalResourceTypes': False,
                            'exclusionByResourceTypes': {
                                'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST
                            },
                            'recordingStrategy': {
                                'useOnly': 'EXCLUSION_BY_RESOURCE_TYPES'
                            }
                        }
                    })

1. The Role ARN used with the configuration recorder should be using the service-linked role, not the aws-controltower-ConfigRecorderRole.
2. Inclusion of global resource types should not be totally excluded, as it is with this solution. This means e.g. no IAM Roles get recorded. Global resources should be recorded, except if the configuration recorder is deployed in a region that is not the Control Tower Landing zone's home region (see the conditional expression in the Cfn template snippet). The includeGlobalResourceTypes is a legacy field, as noted in the API Documentation, but Control Tower does not account for this yet.

[ahuseby]

Actually the issue regarding global resources I've experienced is related to the 'Delete' event upon which this solution attempts to revert the "original" Control Tower setup of the configuration recorder, which is as follows:

aws-control-tower-config-customization/ct_configrecorder_override_consumer.py

Lines 94 to 104 in 961abab

	if event == 'Delete':
	response = configservice.put_configuration_recorder(
	ConfigurationRecorder={
	'name': 'aws-controltower-BaselineConfigRecorder',
	'roleARN': role_arn,
	'recordingGroup': {
	'allSupported': True,
	'includeGlobalResourceTypes': False
	}
	})
	logging.info(f'Response for put_configuration_recorder :{response} ')

The issue here is that includeGlobalResourceTypes is kept set to False. Handling of this should be based on the Control Tower Landing Zone's home region, as described in the Control Tower documentation:

If your landing zone version is 3.0 or later: AWS Control Tower limits recording for global resources, such as IAM users, groups, roles, and customer managed polices, to your home Region only. Copies of global resource changes are not stored in every Region.

[ahuseby]

Linked PR with changes