[Quick tip] Temporarily setting the AWS Config recording scope to "All" in every region, then restoring the original settings
Hello! This is Kurosuke from the Consulting Department!
On one project, I had to temporarily change the AWS Config settings in order to obtain AWS Security Hub findings, and then put them back afterwards.
When the AWS Config recording scope is set to Specific resource types, several resource types have to be selected by hand, which makes restoring the settings from the console very tedious.
So in this post I will show how to use the AWS CLI to temporarily switch the AWS Config settings in every region to "All resources" and then restore them afterwards.
Introduction
First, let's review the best practice for the AWS Config recording scope.
- Record configuration changes to ALL resource types.
When you are setting up AWS Config, select “All resources” for the resource types that need to be recorded in AWS Config. This ensures that you have a comprehensive configuration audit in place because AWS Config supports more than 100 different resource types in AWS. New resource types would automatically be recorded via this setting.
In short, keep in mind that recording all resource types is the recommended setting.
Let's try it
1. Check the AWS Config recording method
First, check the AWS Config recording method settings in every region.
bash -c 'REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text); \
echo "----------------------------------------"; \
for region in ${REGIONS}; do \
echo "Region: ${region}"; \
recorder_info=$(aws configservice describe-configuration-recorders \
--region "${region}" \
--query "ConfigurationRecorders[0].recordingGroup" \
--output json 2>/dev/null); \
if [[ -z "${recorder_info}" || "${recorder_info}" == "null" ]]; then \
echo "AWS Config recorder does not exist"; \
continue; \
fi; \
all_supported=$(echo "${recorder_info}" | jq -r ".allSupported"); \
if [[ "${all_supported}" == "true" ]]; then \
echo "Recording strategy: All resource types with customizable overrides (allSupported=true)"; \
echo "Number of resource types recorded: All resources (not counted individually)"; \
else \
count=$(echo "${recorder_info}" | jq ".resourceTypes | length"); \
if [[ "${count}" == "null" ]]; then \
echo "The resource type to be recorded has not been set."; \
else \
echo "Recording strategy: Specific resource types (allSupported=false)"; \
echo "Number of resource types recorded: ${count}"; \
fi; \
fi; \
echo "----------------------------------------"; \
done; \
echo "Output for all regions has been completed"'
----------------------------------------
Region: ap-south-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-north-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-west-3
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-west-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-west-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-northeast-3
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-northeast-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-northeast-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 245
----------------------------------------
Region: ca-central-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: sa-east-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-southeast-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-southeast-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-central-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: us-east-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 249
----------------------------------------
Region: us-east-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: us-west-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: us-west-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 252
----------------------------------------
Output for all regions has been completed
2. Back up the AWS Config recording method settings
Take a backup so that the AWS Config recording method settings can be restored later.
bash -c 'mkdir -p config-backup; \
REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text); \
for region in ${REGIONS}; do \
echo "Backing up Config in region: ${region}"; \
aws configservice describe-configuration-recorders \
--region "${region}" \
--output json > "config-backup/config-recorder-${region}.json"; \
done; \
echo "Backup completed. Files saved in ./config-backup/"'
Backing up Config in region: ap-south-1
Backing up Config in region: eu-north-1
Backing up Config in region: eu-west-3
Backing up Config in region: eu-west-2
Backing up Config in region: eu-west-1
Backing up Config in region: ap-northeast-3
Backing up Config in region: ap-northeast-2
Backing up Config in region: ap-northeast-1
Backing up Config in region: ca-central-1
Backing up Config in region: sa-east-1
Backing up Config in region: ap-southeast-1
Backing up Config in region: ap-southeast-2
Backing up Config in region: eu-central-1
Backing up Config in region: us-east-1
Backing up Config in region: us-east-2
Backing up Config in region: us-west-1
Backing up Config in region: us-west-2
Backup completed. Files saved in ./config-backup/
3. Change the AWS Config recording method settings
Change the settings in every region to All resource types with customizable overrides.
bash -c 'ROLE_ARN="<IAM role ARN to use for AWS Config resource recording>"; \
TMP_FILE="/tmp/config-recorder.json"; \
REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text); \
echo "----------------------------------------"; \
for region in ${REGIONS}; do
echo "Region: ${region}"; \
if [[ "${region}" == "ap-northeast-1" ]]; then
INCLUDE_GLOBAL=true; \
else
INCLUDE_GLOBAL=false; \
fi; \
cat > "${TMP_FILE}" <<EOF
{
"ConfigurationRecorder": {
"name": "default",
"roleARN": "${ROLE_ARN}",
"recordingGroup": {
"allSupported": true,
"includeGlobalResourceTypes": ${INCLUDE_GLOBAL}
}
}
}
EOF
aws configservice put-configuration-recorder \
--region "${region}" \
--cli-input-json file://${TMP_FILE} \
&& echo "Configuration settings update success" \
|| echo "Configuration settings update failed"; \
aws configservice start-configuration-recorder \
--region "${region}" \
--configuration-recorder-name default \
> /dev/null 2>&1 \
&& echo "Recording start success" \
|| echo "Recording start failed"; \
echo "----------------------------------------"; \
done'
----------------------------------------
Region: ap-south-1
Configuration settings update success
Recording start success
----------------------------------------
Region: eu-north-1
Configuration settings update success
Recording start success
----------------------------------------
Region: eu-west-3
Configuration settings update success
Recording start success
----------------------------------------
Region: eu-west-2
Configuration settings update success
Recording start success
----------------------------------------
Region: eu-west-1
Configuration settings update success
Recording start success
----------------------------------------
Region: ap-northeast-3
Configuration settings update success
Recording start success
----------------------------------------
Region: ap-northeast-2
Configuration settings update success
Recording start success
----------------------------------------
Region: ap-northeast-1
Configuration settings update success
Recording start success
----------------------------------------
Region: ca-central-1
Configuration settings update success
Recording start success
----------------------------------------
Region: sa-east-1
Configuration settings update success
Recording start success
----------------------------------------
Region: ap-southeast-1
Configuration settings update success
Recording start success
----------------------------------------
Region: ap-southeast-2
Configuration settings update success
Recording start success
----------------------------------------
Region: eu-central-1
Configuration settings update success
Recording start success
----------------------------------------
Region: us-east-1
Configuration settings update success
Recording start success
----------------------------------------
Region: us-east-2
Configuration settings update success
Recording start success
----------------------------------------
Region: us-west-1
Configuration settings update success
Recording start success
----------------------------------------
Region: us-west-2
Configuration settings update success
Recording start success
----------------------------------------
4. Check the AWS Config recording method
Check the AWS Config recording method settings in every region.
The command is the same as in step 1.
----------------------------------------
Region: ap-south-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: eu-north-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: eu-west-3
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: eu-west-2
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: eu-west-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: ap-northeast-3
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: ap-northeast-2
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: ap-northeast-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: ca-central-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: sa-east-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: ap-southeast-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: ap-southeast-2
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: eu-central-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: us-east-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: us-east-2
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: us-west-1
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Region: us-west-2
Recording strategy: All resource types with customizable overrides (allSupported=true)
Number of resource types recorded: All resources (not counted individually)
----------------------------------------
Output for all regions has been completed
5. Restore the AWS Config recording method settings
Restore the AWS Config recording method settings using the backup files taken in step 2.
bash -c 'BACKUP_DIR="./config-backup"; \
REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text); \
echo "----------------------------------------"; \
for region in ${REGIONS}; do \
BACKUP_FILE="$BACKUP_DIR/config-recorder-${region}.json"; \
if [[ -f "${BACKUP_FILE}" ]]; then \
echo "Restoring Config recorder in region: ${region}"; \
RECORDER_JSON=$(jq -c ".ConfigurationRecorders[0]" "${BACKUP_FILE}"); \
aws configservice put-configuration-recorder \
--region "${region}" \
--configuration-recorder "${RECORDER_JSON}" \
&& echo "Configuration settings update success" \
|| echo "Configuration settings update failed"; \
aws configservice start-configuration-recorder \
--region "${region}" \
--configuration-recorder-name default \
> /dev/null 2>&1 \
&& echo "Recording start success" \
|| echo "Recording start failed"; \
else \
echo "No backup found"; \
fi; \
echo "----------------------------------------"; \
done; \
echo "Restoration completed."'
----------------------------------------
Restoring Config recorder in region: ap-south-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: eu-north-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: eu-west-3
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: eu-west-2
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: eu-west-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: ap-northeast-3
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: ap-northeast-2
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: ap-northeast-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: ca-central-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: sa-east-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: ap-southeast-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: ap-southeast-2
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: eu-central-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: us-east-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: us-east-2
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: us-west-1
Configuration settings update success
Recording start success
----------------------------------------
Restoring Config recorder in region: us-west-2
Configuration settings update success
Recording start success
----------------------------------------
Restoration completed.
6. Check the AWS Config recording method
Check the AWS Config recording method settings in every region.
The command is the same as in step 1.
----------------------------------------
Region: ap-south-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-north-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-west-3
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-west-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-west-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-northeast-3
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-northeast-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-northeast-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 245
----------------------------------------
Region: ca-central-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: sa-east-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-southeast-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: ap-southeast-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: eu-central-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: us-east-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 249
----------------------------------------
Region: us-east-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: us-west-1
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 241
----------------------------------------
Region: us-west-2
Recording strategy: Specific resource types (allSupported=false)
Number of resource types recorded: 252
----------------------------------------
Output for all regions has been completed
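As an added example (not code from the original post), here is a check worth running after step 6: the resource type count printed there cannot show that the restored list is the same set that was backed up, so this compares the step-2 backup file with a fresh describe-configuration-recorders document field by field. It goes slightly beyond the post by also labelling the exclusion-based recording strategy, which the jq check in step 1 does not distinguish; the sample documents, account ID and role name are constructed.

```python
from __future__ import annotations
from typing import Any

# Added example (not the post's code): compares the step-2 backup file
# (config-backup/config-recorder-<region>.json) with a fresh
# `describe-configuration-recorders` document field by field, because the
# resource type *count* printed in step 6 cannot prove the restored set is the same.

def recording_group(doc: dict[str, Any]) -> dict[str, Any]:
    """Return the recordingGroup of the first recorder, or {} if none exists."""
    recorders = doc.get("ConfigurationRecorders") or []
    return recorders[0].get("recordingGroup", {}) if recorders else {}

def describe_strategy(group: dict[str, Any]) -> str:
    """Label the recording strategy. Unlike the post's allSupported-only jq check,
    this also recognises recordingStrategy.useOnly = EXCLUSION_BY_RESOURCE_TYPES,
    which reports allSupported=false yet records nearly everything."""
    use_only = group.get("recordingStrategy", {}).get("useOnly")
    if use_only == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return f"All resource types except {len(excluded)} excluded"
    if group.get("allSupported") or use_only == "ALL_SUPPORTED_RESOURCE_TYPES":
        return "All resource types with customizable overrides"
    return f"Specific resource types ({len(group.get('resourceTypes', []))})"

def compare_recording_groups(backup: dict[str, Any], current: dict[str, Any]) -> list[str]:
    """List every difference between the backed-up and the current recording
    group; an empty list means the restore reproduced the backup exactly."""
    before, after = recording_group(backup), recording_group(current)
    diffs: list[str] = []
    for key in ("allSupported", "includeGlobalResourceTypes"):
        if before.get(key, False) != after.get(key, False):
            diffs.append(f"{key}: {before.get(key, False)} -> {after.get(key, False)}")
    was, now = set(before.get("resourceTypes", [])), set(after.get("resourceTypes", []))
    if now - was:
        diffs.append(f"resourceTypes added: {sorted(now - was)}")
    if was - now:
        diffs.append(f"resourceTypes removed: {sorted(was - now)}")
    if before.get("recordingStrategy") != after.get("recordingStrategy"):
        diffs.append(f"recordingStrategy: {before.get('recordingStrategy')} -> {after.get('recordingStrategy')}")
    return diffs

# Constructed sample documents in the shape of `describe-configuration-recorders`
# output; the account ID, role name and three-entry resource type list are made up.
BACKUP = {"ConfigurationRecorders": [{"name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/ConfigRecorderRole",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket", "AWS::IAM::Role"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}}}]}
WIDENED = {"ConfigurationRecorders": [{"name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/ConfigRecorderRole",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}}]}

if __name__ == "__main__":
    print("backup :", describe_strategy(recording_group(BACKUP)))
    print("widened:", describe_strategy(recording_group(WIDENED)))
    for line in compare_recording_groups(BACKUP, WIDENED):  # what step 3 changed
        print("  ", line)
    print("restore matches backup:", compare_recording_groups(BACKUP, BACKUP) == [])
```

To use it on real data, load each config-backup/config-recorder-<region>.json as `backup` and the JSON from a fresh describe-configuration-recorders call for that region as `current`.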
Afterword
In this post I showed how to temporarily change the AWS Config recording scope to "All resources" and restore it afterwards.
It is a tedious little chore, but the CLI makes it efficient.
As mentioned at the beginning, the best practice is generally to use All resource types with customizable overrides (record all resources).
However, there are probably cases where Specific resource types has been chosen for reasons such as cost or limits on what should be recorded, so knowing the procedure for a temporary change and restore may come in handy at some point.