This CloudFormation template creates an AWS Config configuration recorder and delivery channel, along with the necessary IAM roles and S3 bucket. The template enables the recording of all supported resource types and allows AWS Config to put objects in the specified S3 bucket.

This template enables AWS Config and creates an AWS Config rule, an aggregator (to AWS account 123456789012, us-west-2), and an authorization.

This template creates a ConfigurationAggregator resource for an organization. The OrganizationAggregationSource property specifies the role ARN, AWS regions, and whether to aggregate data from all regions. The ConfigurationAggregatorName property sets the name of the aggregator. The template also creates an IAM Role resource with the necessary permissions for the configuration aggregator.

This template creates an AggregationAuthorization that authorizes another account to aggregate your AWS Config data into a specific region.

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

A CloudWatch Alarm that triggers when changes are made to AWS Config.

Detect changes to AWS Config and publishes change events to an SNS topic for notification.