Logging & Monitoring Configurations

Configuration to enable AWS Config including support configuration such as S3 Buckets and Iam Roles as required. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

CloudFormation |AWS CLI

Items

Size

2.3 KB

YAML/JSON

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigurationRecorder:
    Type: 'AWS::Config::ConfigurationRecorder'
    Properties:
      RoleARN:
        'Fn::GetAtt':
          - IamRoleForAwsConfig
          - Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  DeliveryChannel:
    Type: 'AWS::Config::DeliveryChannel'
    Properties:
      S3BucketName:
        Ref: S3BucketForAwsConfig
  S3BucketForAwsConfig:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ''
  S3BucketPolicyForAwsConfig:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: ''
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource: 'arn:aws:s3:::'
          - Sid: ' AWSConfigBucketDelivery'
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: 's3:PutObject'
            Resource: 'arn:aws:s3:::/AWSLogs/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
  IamRoleForAwsConfig:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: IamRoleForAwsConfig
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: allow-access-to-config-s3-bucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                Resource:
                  - 'arn:aws:s3:::/prefix/AWSLogs/*'
                Condition:
                  StringLike:
                    's3:x-amz-acl': bucket-owner-full-control
              - Effect: Allow
                Action:
                  - 's3:GetBucketAcl'
                Resource: 'arn:aws:s3:::'
Parameters: {}
Metadata: {}
Conditions: {}