Skip to content

Instantly share code, notes, and snippets.

View gezza-b's full-sized avatar

Gerald Bachlmayr gezza-b

View GitHub Profile
@gezza-b
gezza-b / s3-conform-policy.json
Last active April 27, 2020 09:53
s3-conform-policy
"Resource": "arn:aws:s3:::awsconfigconforms-yourname/*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "youraccount"
},
"ArnLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
}
@gezza-b
gezza-b / org-recorder-role2.yml
Created April 27, 2020 09:46
org-recorder-role2
Path: /
Description: Role for the AWS Config Recorder
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
RoleName: OrgRecorderRole
@gezza-b
gezza-b / org-recorder-role1.yml
Last active April 27, 2020 09:45
org-recorder-role1
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action:
@gezza-b
gezza-b / aggregator-org.yml
Created April 27, 2020 09:39
aggregator-org
Resources:
ConfigAggregator:
Type: AWS::Config::ConfigurationAggregator
Properties:
ConfigurationAggregatorName: !Ref AggregatorName
OrganizationAggregationSource:
AllAwsRegions: true
RoleArn: !GetAtt OrgRecorderRole.Arn
@gezza-b
gezza-b / gist:6bdd5e2f7baac6be2653e0e96d5e11ad
Last active April 26, 2020 07:14
AWS Config - Remediation Configuration - part 1
InstanceId:
StaticValue:
Values:
- instanceId
MaximumAutomaticAttempts: 2
ResourceType: "AWS::EC2::Instance"
RetryAttemptSeconds: 60
TargetId: "AWS-StopEC2Instance"
TargetType: "SSM_DOCUMENT"
@gezza-b
gezza-b / gist:5c2ca6b02e00205dc0be9e4c3567ad49
Last active April 26, 2020 07:14
AWS Config - Remediation Configuration - part 1
Ec2ApprovedAmiRemediation:
Type: AWS::Config::RemediationConfiguration
Properties:
Automatic: true
ConfigRuleName: !Ref Ec2ApprovedAmiRule
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
@gezza-b
gezza-b / gist:08c9d7f71f53e32d18c67aca057b8778
Last active April 26, 2020 07:16
Parameters - AWS Config Rule for approved AMIs
Parameters:
AllowedAmi:
Description: Environment type
Type: String
Default: "ami-06fcc1f0bc2c8943f"
@gezza-b
gezza-b / gist:0d9cd1b2a7489508ee672dc4fa3efc18
Last active April 26, 2020 07:15
AWS Config Rule for approved AMIs
Ec2ApprovedAmiRule:
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: Ec2ApprovedAmiRule
InputParameters: !Sub '{ "amiIds" : "${AllowedAmi}" }'
Scope:
ComplianceResourceTypes:
- "AWS::EC2::Instance"
Source:
Owner: AWS
@gezza-b
gezza-b / gist:251f3ba1200f2987babc9296cc4eb7bf
Last active April 26, 2020 07:17
AWS Config Delivery Channel
ConfigDeliveryChannel:
Type: AWS::Config::DeliveryChannel
Properties:
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: 'One_Hour'
Name: !Ref ConfigDeliveryChannel
S3BucketName: !Ref ConfigBucketName
Resources:
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder
Properties:
Name: !Ref RecorderName
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'