Ensure AWS Config must record all possible resources

Error: AWS Config must record all possible resources

Bridgecrew Policy ID: BC_AWS_GENERAL_183
Checkov Check ID: CKV2_AWS_48
Severity: MEDIUM

AWS Config must record all possible resources

Description

This policy identifies AWS Config configuration recorders that are enabled but not configured to record every supported resource type, for example because recording is restricted to an explicit list of resource types, or because global resource types such as IAM users, roles and policies are left out. AWS Config provides an inventory of your AWS resources and a history of configuration changes to those resources, and you can define Config rules that evaluate these configurations for compliance. A recorder that covers only part of the account leaves the remaining resources without inventory, change history or rule evaluation, so recording should cover all supported resource types, including the global ones.
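The check this policy performs at buildtime can be applied to a running account as well. The following is an added example (not part of the original page and not Checkov's own implementation) that evaluates recorder definitions and recorder status in the JSON shape returned by `aws configservice describe-configuration-recorders` and `aws configservice describe-configuration-recorder-status`, and reports every recorder that is not recording all possible resources or is not enabled. The sample JSON, the recorder names and the account ID are constructed for the example.

```python
import json

# Constructed sample data (not from a real account), shaped like the JSON that
# `aws configservice describe-configuration-recorders` and
# `aws configservice describe-configuration-recorder-status` return.
RECORDERS_JSON = """
{
  "ConfigurationRecorders": [
    {
      "name": "default",
      "roleARN": "arn:aws:iam::123456789012:role/config-role",
      "recordingGroup": {
        "allSupported": true,
        "includeGlobalResourceTypes": true,
        "resourceTypes": []
      }
    },
    {
      "name": "partial",
      "roleARN": "arn:aws:iam::123456789012:role/config-role",
      "recordingGroup": {
        "allSupported": false,
        "includeGlobalResourceTypes": false,
        "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"]
      }
    },
    {
      "name": "stopped",
      "roleARN": "arn:aws:iam::123456789012:role/config-role",
      "recordingGroup": {
        "allSupported": true,
        "includeGlobalResourceTypes": true,
        "resourceTypes": []
      }
    }
  ]
}
"""

STATUS_JSON = """
{
  "ConfigurationRecordersStatus": [
    {"name": "default", "recording": true, "lastStatus": "SUCCESS"},
    {"name": "partial", "recording": true, "lastStatus": "SUCCESS"},
    {"name": "stopped", "recording": false, "lastStatus": "SUCCESS"}
  ]
}
"""


def recorder_findings(recorders, statuses):
    """Return {recorder_name: [reasons]} for every recorder that does not
    record all possible resources or is not switched on at all."""
    status_by_name = {s["name"]: s for s in statuses}
    findings = {}
    for rec in recorders:
        reasons = []
        group = rec.get("recordingGroup", {})
        # allSupported=false means only the explicit resourceTypes list is recorded.
        if not group.get("allSupported", False):
            reasons.append("allSupported is false: only the listed resourceTypes are recorded")
        # Global types (IAM users, roles, policies, ...) are opt-in.
        if not group.get("includeGlobalResourceTypes", False):
            reasons.append("includeGlobalResourceTypes is false: global resources such as IAM are not recorded")
        # Newer recorders can also carve types out of "all supported" via an exclusion list.
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        if excluded:
            reasons.append("exclusionByResourceTypes removes %d type(s) from recording" % len(excluded))
        # A fully configured recorder still records nothing until it is started.
        status = status_by_name.get(rec["name"])
        if status is None or not status.get("recording", False):
            reasons.append("recorder is not enabled (no status or recording=false)")
        if reasons:
            findings[rec["name"]] = reasons
    return findings


def check_sample():
    """Evaluate the constructed sample above; returns the findings dict."""
    recorders = json.loads(RECORDERS_JSON)["ConfigurationRecorders"]
    statuses = json.loads(STATUS_JSON)["ConfigurationRecordersStatus"]
    return recorder_findings(recorders, statuses)


if __name__ == "__main__":
    for name, reasons in check_sample().items():
        print(f"FAIL {name}")
        for reason in reasons:
            print(f"  - {reason}")
```

To run it against a real account, replace the two constants with the output of the two `aws configservice describe-...` commands for each region; the recorder is regional, so a passing recorder in one region says nothing about the others.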

Fix - Runtime

TBD

Fix - Buildtime

Terraform

# Recorder that covers every supported regional resource type plus the global
# types (IAM and similar). all_supported defaults to true in the provider, but
# stating it avoids relying on the default; include_global_resource_types
# defaults to false and must be set explicitly. Neither may be combined with
# an explicit resource_types list.
resource "aws_config_configuration_recorder" "pass_recorder" {
  name     = "example"
  role_arn = aws_iam_role.r.arn # IAM role assumed by AWS Config, defined elsewhere

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# The recorder records nothing until its status is enabled. Starting it
# requires a delivery channel (aws_config_delivery_channel) to exist first,
# so add a depends_on for that resource if it is managed in the same module.
resource "aws_config_configuration_recorder_status" "pass" {
  name       = aws_config_configuration_recorder.pass_recorder.name
  is_enabled = true
}