Bucket-policy condition fragment for the conformance pack delivery bucket. Note that `aws:PrincipalOrgID` expects the organization ID (the `o-...` value), not an account ID:

```json
"Resource": "arn:aws:s3:::awsconfigconforms-yourname/*",
"Condition": {
  "StringEquals": {
    "aws:PrincipalOrgID": "youraccount"
  },
  "ArnLike": {
    "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
  }
}
```
```yaml
Path: /
Description: Role for the AWS Config Recorder
ManagedPolicyArns:
  - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
RoleName: OrgRecorderRole
```
```yaml
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service:
            - config.amazonaws.com
        Action:
          # assumed: the snippet is cut off after "Action:"; a trust policy
          # for config.amazonaws.com needs sts:AssumeRole here
          - sts:AssumeRole
```
```yaml
Resources:
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Ref AggregatorName
      OrganizationAggregationSource:
        AllAwsRegions: true
        RoleArn: !GetAtt OrgRecorderRole.Arn
```
```yaml
InstanceId:
  # Pass the ID of the non-compliant instance to the SSM document.
  # The original used StaticValue with the literal string "instanceId",
  # which hands that string (not an instance ID) to AWS-StopEC2Instance.
  ResourceValue:
    Value: RESOURCE_ID
MaximumAutomaticAttempts: 2
ResourceType: "AWS::EC2::Instance"
RetryAttemptSeconds: 60
TargetId: "AWS-StopEC2Instance"
TargetType: "SSM_DOCUMENT"
```
```yaml
Ec2ApprovedAmiRemediation:
  Type: AWS::Config::RemediationConfiguration
  Properties:
    Automatic: true
    ConfigRuleName: !Ref Ec2ApprovedAmiRule
    Parameters:
      AutomationAssumeRole:
        StaticValue:
          Values:
            # Caveat: SSM Automation must be able to assume this role, so it
            # needs a trust policy for ssm.amazonaws.com; the Config
            # service-linked role below trusts only config.amazonaws.com.
            - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
```
```yaml
Parameters:
  AllowedAmi:
    Description: Environment type
    Type: String
    Default: "ami-06fcc1f0bc2c8943f"
```
```yaml
Ec2ApprovedAmiRule:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: Ec2ApprovedAmiRule
    InputParameters: !Sub '{ "amiIds" : "${AllowedAmi}" }'
    Scope:
      ComplianceResourceTypes:
        - "AWS::EC2::Instance"
    Source:
      Owner: AWS
      # assumed: the snippet is cut off after "Owner: AWS"; the managed rule
      # that takes an "amiIds" parameter is APPROVED_AMIS_BY_ID
      SourceIdentifier: APPROVED_AMIS_BY_ID
```
```yaml
ConfigDeliveryChannel:
  Type: AWS::Config::DeliveryChannel
  Properties:
    ConfigSnapshotDeliveryProperties:
      DeliveryFrequency: 'One_Hour'
    # The original had "Name: !Ref ConfigDeliveryChannel", a !Ref to the
    # resource's own logical ID, which is a circular reference. A parameter
    # (DeliveryChannelName is an assumed name, following RecorderName and
    # AggregatorName used elsewhere in this template) avoids that.
    Name: !Ref DeliveryChannelName
    S3BucketName: !Ref ConfigBucketName
```
```yaml
Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Ref RecorderName
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
```