AWS Config must record all possible resources
Description
This policy identifies resources for which AWS Config recording is enabled but recording for all possible resources is disabled. AWS Config provides an inventory of your AWS resources and a history of configuration changes to those resources, and you can use AWS Config to define rules that evaluate these configurations for compliance. A recorder that covers only a subset of resource types leaves the rest without an inventory or change history, so recording should be enabled for all supported resources.
Code Example
```hcl
resource "aws_config_configuration_recorder" "pass_recorder" {
  name     = "example"
  role_arn = aws_iam_role.r.arn

  recording_group {
    # all_supported defaults to true, so every supported regional resource type
    # is recorded; include_global_resource_types requires all_supported = true.
    include_global_resource_types = true
  }
}

resource "aws_config_configuration_recorder_status" "pass" {
  name       = aws_config_configuration_recorder.pass_recorder.name
  is_enabled = true
}
```
Remediation
Terraform
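The check this policy describes, as an added example that is not Checkov's own implementation: it walks Terraform resources in Terraform JSON shape, treats an omitted `recording_group.all_supported` as `true` (the provider default), and flags only recorders that a `aws_config_configuration_recorder_status` actually enables. The sample input is constructed for this example.

```python
import re

ALL_SUPPORTED_DEFAULT = True  # provider default when recording_group.all_supported is omitted
REF = re.compile(r"^\$\{aws_config_configuration_recorder\.(\w+)\.name\}$")

# Constructed sample in Terraform JSON shape {type: {label: attributes}}; not a real plan.
SAMPLE = {
    "aws_config_configuration_recorder": {
        "pass_recorder": {"name": "example", "recording_group": {"include_global_resource_types": True}},
        "fail_recorder": {"name": "partial", "recording_group": {"all_supported": False,
                                                                 "resource_types": ["AWS::EC2::Instance"]}},
        "dormant": {"name": "off", "recording_group": {"all_supported": False}},
    },
    "aws_config_configuration_recorder_status": {
        "pass": {"name": "${aws_config_configuration_recorder.pass_recorder.name}", "is_enabled": True},
        "fail": {"name": "partial", "is_enabled": True},  # literal name, matched on the 'name' attribute
        "dormant": {"name": "${aws_config_configuration_recorder.dormant.name}", "is_enabled": False},
    },
}


def enabled_recorder_labels(resources):
    """Labels of recorders that some aws_config_configuration_recorder_status enables."""
    recorders = resources.get("aws_config_configuration_recorder", {})
    by_name = {attrs.get("name"): label for label, attrs in recorders.items()}
    enabled = set()
    for status in resources.get("aws_config_configuration_recorder_status", {}).values():
        if status.get("is_enabled") is not True:
            continue
        # The status name is either a reference to a recorder's name attribute or a literal.
        ref = REF.match(str(status.get("name", "")))
        label = ref.group(1) if ref else by_name.get(status.get("name"))
        if label in recorders:
            enabled.add(label)
    return enabled


def records_all_resources(recorder):
    """True when the recording_group records every supported resource type."""
    group = recorder.get("recording_group") or {}
    return bool(group.get("all_supported", ALL_SUPPORTED_DEFAULT))


def evaluate(resources):
    """Labels of enabled recorders that do not record all resources (the policy's finding)."""
    recorders = resources.get("aws_config_configuration_recorder", {})
    return sorted(label for label in enabled_recorder_labels(resources)
                  if not records_all_resources(recorders[label]))

print(evaluate(SAMPLE))  # ['fail_recorder']
```

The `dormant` recorder also records a subset, but no status enables it, so it is not reported; this mirrors the description's "recording is enabled but ..." condition.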
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0482 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV2_AWS_48 |