Add flag to allow recording global resource config in all regions

[bharanin]

The default configuration for SecurityHub and related AWS/CIS/PCI benchmarks expect to find global resource recording in each region - and all get rather unhappy if it's not there. SecurityHub, specifically, complains that AWS Config is not setup properly.

Guidance from AWS on this:

• They enable global recording in all regions with their provided tooling: https://github.com/awslabs/aws-securityhub-multiaccount-scripts
• Note this as a best practice here (item 2): https://aws.amazon.com/blogs/security/nine-aws-security-hub-best-practices/
• Recommend conditionally disabling several controls in non-primary regions (see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html#config-resource-recording) if only recording global resources in a single region.

This PR adds a flag to allow turning on global recording in all regions. Default is currently false to avoid introducing a bunch of unexpected updates, but it might in fact be better to default true.

[nozaq]

@bharanin Thanks for the patch and useful links to the guidance!

AWS Config best practices recommends to record global resources only in one region, so I'm afraid the recommendations from AWS might be inconsistent 🤔
I'll dig into the script a little more.

[nozaq]

I found that [AWS SecurityHub User' Guide] (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html) recommended to record global resources in a single region then disable controls enforcing AWS Config enabled.
It seems disabling individual controls isn't supported through terraform though 😢
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription

From AWS User Guide

When you enable resource recording as part of enabling AWS Config, choose to record all resources that are supported in a given Region. You only need to record global resources in a single Region.
If you do not record global resources in all Regions, then in the Regions where you do not record global resources, you must disable the control 2.5 – Ensure AWS Config is enabled. CIS 2.5 generates failed findings in Regions where global resources are not recorded. For details about other controls that you may want to disable in Regions where global resources are not recorded, see the following topics.

[bharanin]

@nozaq thanks for digging in on this (and more generally for your work on this module - it's a really great resource).

I do love it when the docs are all consistent 😂 fwiw, the SecurityHub recommendations seem to frame the global recording choice as a cost-saving option and note there are a bunch of other controls you need to disable as well:

CIS AWS Foundations Benchmark 1.2-1.14, 1.16, 1.20, 1.22, and 2.5 controls
To save on the cost of AWS Config, you can disable recording of global resources in all but one Region, and then disable these controls that deal with global resources in all Regions except for the Region that runs global recording.

If you disable these 1.x controls and disable recording of global resources in a particular Region, you should also disable 2.5.
This is because 2.5 requires recording of global resources in order to pass.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html

Given the mixed guidance, I'd argue it's reasonable to give module users the choice to enable in all regions. In my use cases I'd probably rather deal with the added cost of extra recording than all the follow-up rule deactivations (especially given that we can't do this in tf).

[lorengordon]

Look like there is an issue for this feature, as well as a PR. Hopefully terraform will support it soon!

[sbower]

It would indeed be nice to toggle this on for all regions. The module user then can make the choice on cost.

[nozaq]

@bharanin I understood tha usecase, the PR lgtm. Defaults the flag to false makes a lot of sense given all docs we have gone through, I believe 👍🏼

@lorengordon @sbower Sorry for taking a time to merge it, I'll merge it into master. Please let me know if you guys have any issues, thanks!