Gerald Bachlmayr gezza-b

## gist:17aa0dd1d8f081be2240bbab6e93df35
{
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
      "messageType": ["ComplianceChangeNotification"],
      "configRuleName": [
        "approved-amis-by-id"
      ]
    }
  }

## gist:8ff24f828cf462f44f3bb734f57b16d5
Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Ref RecorderName
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'


## gist:251f3ba1200f2987babc9296cc4eb7bf
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: 'One_Hour'
      Name: !Ref ConfigDeliveryChannel
      S3BucketName: !Ref ConfigBucketName

## gist:0d9cd1b2a7489508ee672dc4fa3efc18
  Ec2ApprovedAmiRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: Ec2ApprovedAmiRule
      InputParameters: !Sub '{ "amiIds" : "${AllowedAmi}" }'
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Instance"
      Source:
        Owner: AWS

## gist:08c9d7f71f53e32d18c67aca057b8778
Parameters:
  AllowedAmi:
    Description: Environment type
    Type: String
    Default: "ami-06fcc1f0bc2c8943f"

## gist:5c2ca6b02e00205dc0be9e4c3567ad49
  Ec2ApprovedAmiRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      Automatic: true
      ConfigRuleName: !Ref Ec2ApprovedAmiRule
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'

## gist:6bdd5e2f7baac6be2653e0e96d5e11ad
        InstanceId:
          StaticValue:
            Values:
              - instanceId
      MaximumAutomaticAttempts: 2
      ResourceType: "AWS::EC2::Instance"
      RetryAttemptSeconds: 60
      TargetId: "AWS-StopEC2Instance"
      TargetType: "SSM_DOCUMENT"

## aggregator-org.yml
Resources:
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Ref AggregatorName
      OrganizationAggregationSource:
        AllAwsRegions: true
        RoleArn: !GetAtt OrgRecorderRole.Arn

## org-recorder-role1.yml
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - config.amazonaws.com
            Action:

## org-recorder-role2.yml
      Path: /
      Description: Role for the AWS Config Recorder
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
      RoleName: OrgRecorderRole
	{
	"source": ["aws.config"],
	"detail-type": ["Config Rules Compliance Change"],
	"detail": {
	"messageType": ["ComplianceChangeNotification"],
	"configRuleName": [
	"approved-amis-by-id"
	]
	}
	}
	Resources:
	ConfigRecorder:
	Type: AWS::Config::ConfigurationRecorder
	Properties:
	Name: !Ref RecorderName
	RecordingGroup:
	AllSupported: true
	IncludeGlobalResourceTypes: true
	RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
	ConfigDeliveryChannel:
	Type: AWS::Config::DeliveryChannel
	Properties:
	ConfigSnapshotDeliveryProperties:
	DeliveryFrequency: 'One_Hour'
	Name: !Ref ConfigDeliveryChannel
	S3BucketName: !Ref ConfigBucketName
	Ec2ApprovedAmiRule:
	Type: AWS::Config::ConfigRule
	Properties:
	ConfigRuleName: Ec2ApprovedAmiRule
	InputParameters: !Sub '{ "amiIds" : "${AllowedAmi}" }'
	Scope:
	ComplianceResourceTypes:
	- "AWS::EC2::Instance"
	Source:
	Owner: AWS
	Parameters:
	AllowedAmi:
	Description: Environment type
	Type: String
	Default: "ami-06fcc1f0bc2c8943f"
	Ec2ApprovedAmiRemediation:
	Type: AWS::Config::RemediationConfiguration
	Properties:
	Automatic: true
	ConfigRuleName: !Ref Ec2ApprovedAmiRule
	Parameters:
	AutomationAssumeRole:
	StaticValue:
	Values:
	- !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
	InstanceId:
	StaticValue:
	Values:
	- instanceId
	MaximumAutomaticAttempts: 2
	ResourceType: "AWS::EC2::Instance"
	RetryAttemptSeconds: 60
	TargetId: "AWS-StopEC2Instance"
	TargetType: "SSM_DOCUMENT"
	Resources:
	ConfigAggregator:
	Type: AWS::Config::ConfigurationAggregator
	Properties:
	ConfigurationAggregatorName: !Ref AggregatorName
	OrganizationAggregationSource:
	AllAwsRegions: true
	RoleArn: !GetAtt OrgRecorderRole.Arn
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- config.amazonaws.com
	Action:
	Path: /
	Description: Role for the AWS Config Recorder
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
	RoleName: OrgRecorderRole