Configuration to enable AWS Config including support configuration such as S3 Buckets and Iam Roles as required. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
ConfigurationRecorder:
Type: 'AWS::Config::ConfigurationRecorder'
Properties:
RoleARN:
'Fn::GetAtt':
- IamRoleForAwsConfig
- Arn
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
DeliveryChannel:
Type: 'AWS::Config::DeliveryChannel'
Properties:
S3BucketName: ''
S3BucketForAwsConfig:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: ''
S3BucketPolicyForAwsConfig:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: ''
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSConfigBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: 's3:GetBucketAcl'
Resource: 'arn:aws:s3:::'
- Sid: ' AWSConfigBucketDelivery'
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: 's3:PutObject'
Resource: 'arn:aws:s3:::/AWSLogs/*'
Condition:
StringEquals:
's3:x-amz-acl': bucket-owner-full-control
IamRoleForAwsConfig:
Type: 'AWS::IAM::Role'
Properties:
RoleName: ''
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: config.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: allow-access-to-config-s3-bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
Resource:
- 'arn:aws:s3:::/prefix/AWSLogs/*'
Condition:
StringLike:
's3:x-amz-acl': bucket-owner-full-control
- Effect: Allow
Action:
- 's3:GetBucketAcl'
Resource: 'arn:aws:s3:::'
Parameters: {}
Metadata: {}
Conditions: {}