@houey
Created March 27, 2023 13:52
AWS CloudFormation template for an AWS Config recorder where cost is a concern: instead of recording every supported resource type, the recorder is opted in to an explicit list. Because that list is longer than a single CloudFormation parameter value allows, it is carried in two String parameters (ResourceTypes1 and ResourceTypes2) that the recorder joins with a comma and splits back into one list. Two caveats follow from that trick: both parameters must be non-empty (a blank one leaves a stray comma after the join, which becomes an empty resource type), and the list only applies when AllSupported is False, since AWS Config does not accept an explicit list together with AllSupported=True.
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config with central logging and notification and enhanced cost consciousness, using two opt-in parameters to carry a large number of ResourceTypes
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
          - IncludeGlobalResourceTypes
          - ResourceTypes1
          - ResourceTypes2
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - S3BucketName
          - S3KeyPrefix
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - SNS
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      AllSupported:
        default: Support all resource types
      IncludeGlobalResourceTypes:
        default: Include global resource types
      ResourceTypes1:
        default: List of resource types if not all supported, part 1
      ResourceTypes2:
        default: List of resource types if not all supported, part 2
      DeliveryChannelName:
        default: Configuration delivery channel name
      S3BucketName:
        default: Central S3 bucket
      S3KeyPrefix:
        default: Prefix for the specified Amazon S3 bucket
      Frequency:
        default: Snapshot delivery frequency
      SNS:
        default: SNS notifications
      TopicArn:
        default: SNS topic ARN
      NotificationEmail:
        default: Notification Email (optional)
Parameters:
  AllSupported:
    Type: String
    Default: False
    Description: Indicates whether to record all supported resource types. When True, ResourceTypes1 and ResourceTypes2 are ignored.
    AllowedValues:
      - True
      - False
  IncludeGlobalResourceTypes:
    Type: String
    Default: False
    Description: Indicates whether AWS Config records all supported global resource types. AWS Config only accepts True here when AllSupported is also True.
    AllowedValues:
      - True
      - False
  ResourceTypes1:
    Type: String
    Description: First comma-separated list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. The list is split over two parameters because the full list exceeds the maximum length of a single CloudFormation parameter value. Must not be empty.
    Default: AWS::ACM::Certificate,AWS::AutoScaling::AutoScalingGroup,AWS::AutoScaling::LaunchConfiguration,AWS::AutoScaling::ScalingPolicy,AWS::AutoScaling::ScheduledAction,AWS::CloudTrail::Trail,AWS::CloudWatch::Alarm,AWS::CodePipeline::Pipeline,AWS::DynamoDB::Table,AWS::EC2::CustomerGateway,AWS::EC2::EIP,AWS::EC2::EgressOnlyInternetGateway,AWS::EC2::FlowLog,AWS::EC2::Host,AWS::EC2::Instance,AWS::EC2::InternetGateway,AWS::EC2::NatGateway,AWS::EC2::NetworkAcl,AWS::EC2::NetworkInterface,AWS::EC2::RouteTable,AWS::EC2::SecurityGroup,AWS::EC2::Subnet,AWS::EC2::VPC,AWS::EC2::VPCEndpoint,AWS::EC2::VPCEndpointService,AWS::EC2::VPCPeeringConnection,AWS::EC2::VPNConnection,AWS::EC2::VPNGateway,AWS::EC2::Volume,AWS::ElasticLoadBalancing::LoadBalancer,AWS::ElasticLoadBalancingV2::LoadBalancer,AWS::Elasticsearch::Domain,AWS::IAM::Group,AWS::IAM::Policy,AWS::IAM::Role,AWS::IAM::User,AWS::KMS::Key,AWS::Lambda::Function,AWS::RDS::DBCluster,AWS::RDS::DBClusterSnapshot,AWS::RDS::DBInstance,AWS::RDS::DBSecurityGroup,AWS::RDS::DBSnapshot,AWS::RDS::DBSubnetGroup,AWS::RDS::EventSubscription,AWS::Redshift::Cluster,AWS::Redshift::ClusterParameterGroup,AWS::Redshift::ClusterSecurityGroup,AWS::Redshift::ClusterSnapshot,AWS::Redshift::ClusterSubnetGroup,AWS::Redshift::EventSubscription,AWS::S3::AccountPublicAccessBlock,AWS::S3::Bucket,AWS::SNS::Topic,AWS::SQS::Queue,AWS::AccessAnalyzer::Analyzer,AWS::AmazonMQ::Broker,AWS::ApiGateway::RestApi,AWS::ApiGateway::Stage,AWS::ApiGatewayV2::Api,AWS::ApiGatewayV2::Stage,AWS::AppConfig::Application,AWS::AppConfig::ConfigurationProfile,AWS::AppConfig::Environment,AWS::AppSync::GraphQLApi,AWS::Athena::DataCatalog,AWS::Athena::WorkGroup,AWS::Backup::BackupPlan,AWS::Backup::BackupSelection,AWS::Backup::BackupVault,AWS::Backup::RecoveryPoint,AWS::Backup::ReportPlan,AWS::Batch::ComputeEnvironment,AWS::Batch::JobQueue,AWS::Cloud9::EnvironmentEC2,AWS::CloudFormation::Stack,AWS::CodeBuild::Project,AWS::CodeDeploy::Application,AWS::CodeDeploy::DeploymentConfig,AWS::CodeDeploy::DeploymentGroup,AWS::Config::ConformancePackCompliance,AWS::DMS::Certificate,AWS::DMS::EventSubscription,AWS::DMS::ReplicationInstance,AWS::DMS::ReplicationSubnetGroup,AWS::DMS::ReplicationTask,AWS::DataSync::LocationEFS,AWS::DataSync::LocationFSxLustre,AWS::DataSync::LocationFSxWindows,AWS::DataSync::LocationHDFS,AWS::DataSync::LocationNFS,AWS::DataSync::LocationObjectStorage,AWS::DataSync::LocationS3,AWS::DataSync::LocationSMB,AWS::DataSync::Task,AWS::EC2::LaunchTemplate,AWS::EC2::NetworkInsightsAccessScopeAnalysis,AWS::EC2::RegisteredHAInstance,AWS::EC2::TransitGateway,AWS::EC2::TransitGatewayAttachment,AWS::EC2::TransitGatewayRouteTable,AWS::ECR::RegistryPolicy,AWS::ECR::Repository
  ResourceTypes2:
    Type: String
    Description: Second comma-separated list of valid AWS resource types to include in this recording group. Must not be empty; a blank value leaves a trailing comma after the join, which becomes an empty (invalid) resource type.
    Default: AWS::ECS::Cluster,AWS::ECS::Service,AWS::ECS::TaskDefinition,AWS::EFS::AccessPoint,AWS::EFS::FileSystem,AWS::EKS::Addon,AWS::EKS::Cluster,AWS::EKS::FargateProfile,AWS::EKS::IdentityProviderConfig,AWS::EMR::SecurityConfiguration,AWS::ElasticBeanstalk::Application,AWS::ElasticBeanstalk::ApplicationVersion,AWS::ElasticBeanstalk::Environment,AWS::ElasticLoadBalancingV2::Listener,AWS::EventSchemas::Discoverer,AWS::EventSchemas::Registry,AWS::EventSchemas::RegistryPolicy,AWS::EventSchemas::Schema,AWS::Events::ApiDestination,AWS::Events::Archive,AWS::Events::Connection,AWS::Events::Endpoint,AWS::Events::EventBus,AWS::Glue::Classifier,AWS::Glue::Job,AWS::Glue::MLTransform,AWS::GuardDuty::Detector,AWS::GuardDuty::Filter,AWS::GuardDuty::IPSet,AWS::GuardDuty::ThreatIntelSet,AWS::ImageBuilder::ContainerRecipe,AWS::ImageBuilder::DistributionConfiguration,AWS::ImageBuilder::InfrastructureConfiguration,AWS::Kinesis::Stream,AWS::Kinesis::StreamConsumer,AWS::KinesisAnalyticsV2::Application,AWS::Lightsail::Bucket,AWS::Lightsail::Certificate,AWS::Lightsail::Disk,AWS::Lightsail::StaticIp,AWS::MSK::Cluster,AWS::NetworkFirewall::Firewall,AWS::NetworkFirewall::FirewallPolicy,AWS::NetworkFirewall::RuleGroup,AWS::OpenSearch::Domain,AWS::QLDB::Ledger,AWS::RDS::GlobalCluster,AWS::RUM::AppMonitor,AWS::ResilienceHub::ResiliencyPolicy,AWS::Route53Resolver::ResolverEndpoint,AWS::Route53Resolver::ResolverRule,AWS::Route53Resolver::ResolverRuleAssociation,AWS::SES::ConfigurationSet,AWS::SES::ContactList,AWS::SES::Template,AWS::SSM::FileData,AWS::SageMaker::CodeRepository,AWS::SageMaker::EndpointConfig,AWS::SageMaker::Model,AWS::SageMaker::NotebookInstance,AWS::SageMaker::NotebookInstanceLifecycleConfig,AWS::SageMaker::Workteam,AWS::SecretsManager::Secret,AWS::ServiceCatalog::CloudFormationProduct,AWS::ServiceCatalog::CloudFormationProvisionedProduct,AWS::ServiceCatalog::Portfolio,AWS::ServiceDiscovery::HttpNamespace,AWS::ServiceDiscovery::PublicDnsNamespace,AWS::ServiceDiscovery::Service,AWS::ShieldRegional::Protection,AWS::StepFunctions::Activity,AWS::StepFunctions::StateMachine,AWS::Transfer::Workflow,AWS::WAFRegional::RateBasedRule,AWS::WAFRegional::Rule,AWS::WAFRegional::RuleGroup,AWS::WAFRegional::WebACL,AWS::WAFv2::IPSet,AWS::WAFv2::ManagedRuleSet,AWS::WAFv2::RegexPatternSet,AWS::WAFv2::RuleGroup,AWS::WAFv2::WebACL,AWS::XRay::EncryptionConfig
  DeliveryChannelName:
    Type: String
    Default: default
    Description: The name of the delivery channel. Use <Generated> to let CloudFormation generate the name.
  S3BucketName:
    Type: String
    Description: Central S3 bucket where AWS Config delivers configuration snapshots and history. Use <New Bucket> to create an encrypted bucket in this account instead.
    Default: log-archive-aws-config
    AllowedPattern: ".+"
  S3KeyPrefix:
    Type: String
    Description: The prefix for the Amazon S3 bucket. Use <No Prefix> to deliver to the bucket root.
    Default: aws-config-logs
  Frequency:
    Type: String
    Default: 24hours
    Description: The frequency with which AWS Config delivers configuration snapshots.
    AllowedValues:
      - Disabled
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
  SNS:
    Type: String
    Default: False
    Description: Describes whether AWS Config sends SNS notifications.
    AllowedValues:
      - True
      - False
  TopicArn:
    Type: String
    Default: <New Topic>
    Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. The topic must be in the same Region as the stack. Use <New Topic> to create an encrypted topic in this account instead.
  NotificationEmail:
    Type: String
    Default: <None>
    Description: Email address for AWS Config notifications (only used when a new topic is created).
Conditions:
  IsAllSupported: !Equals
    - !Ref AllSupported
    - True
  IsGeneratedDeliveryChannelName: !Equals
    - !Ref DeliveryChannelName
    - <Generated>
  CreateBucket: !Equals
    - !Ref S3BucketName
    - <New Bucket>
  UsePrefix: !Not
    - !Equals
      - !Ref S3KeyPrefix
      - <No Prefix>
  DisableSnapshots: !Equals
    - !Ref Frequency
    - Disabled
  UseSNS: !Equals
    - !Ref SNS
    - True
  CreateTopic: !And
    - !Equals
      - !Ref TopicArn
      - <New Topic>
    - !Condition UseSNS
  CreateSubscription: !And
    - !Condition CreateTopic
    - !Not
      - !Equals
        - !Ref NotificationEmail
        - <None>
Mappings:
  Settings:
    FrequencyMap:
      Disabled: TwentyFour_Hours  # never looked up: DisableSnapshots removes the snapshot properties entirely
      1hour: One_Hour
      3hours: Three_Hours
      6hours: Six_Hours
      12hours: Twelve_Hours
      24hours: TwentyFour_Hours
Resources:
  ConfigBucket:
    Condition: CreateBucket
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ConfigBucketPolicy:
    Condition: CreateBucket
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        # The AWS:SourceAccount condition on each statement is the confused-deputy
        # guard from the AWS Config bucket-policy documentation: the Config service
        # principal is shared by every account, so without it any account that points
        # a delivery channel at this bucket name could write into it.
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
            Condition:
              StringEquals:
                'AWS:SourceAccount': !Ref AWS::AccountId
          - Sid: AWSConfigBucketExistenceCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:ListBucket
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
            Condition:
              StringEquals:
                'AWS:SourceAccount': !Ref AWS::AccountId
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource: !If
              - UsePrefix
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/${S3KeyPrefix}/AWSLogs/${AWS::AccountId}/*"
              - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringLike:
                's3:x-amz-acl': 'bucket-owner-full-control'
              StringEquals:
                'AWS:SourceAccount': !Ref AWS::AccountId
  ConfigTopic:
    Condition: CreateTopic
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "config-topic-${AWS::AccountId}"
      DisplayName: AWS Config Notification Topic
      KmsMasterKeyId: "alias/aws/sns"
  ConfigTopicPolicy:
    Condition: CreateTopic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ConfigTopic
      PolicyDocument:
        Statement:
          - Sid: AWSConfigSNSPolicy
            Action:
              - sns:Publish
            Effect: Allow
            Resource: !Ref ConfigTopic
            Principal:
              Service:
                - config.amazonaws.com
  EmailNotification:
    Condition: CreateSubscription
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref ConfigTopic
  ConfigRole:
    # Creating a service-linked role fails if AWSServiceRoleForConfig already
    # exists in the account; remove this resource in that case (the RoleARN below
    # does not depend on it).
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: config.amazonaws.com
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    # RoleARN is built with Fn::Sub rather than Ref, so the dependency on the
    # service-linked role has to be stated explicitly.
    DependsOn: ConfigRole
    Properties:
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
        # AllSupported=True and an explicit list are mutually exclusive, so the two
        # opt-in parameters are only joined and re-split when AllSupported is False.
        # Both parameters must be non-empty: an empty one would leave a stray comma
        # after Fn::Join, which Fn::Split turns into an empty resource type.
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Split
            - ','
            - !Join
              - ','
              - - !Ref ResourceTypes1
                - !Ref ResourceTypes2
      RoleARN: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref AWS::NoValue
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties: !If
        - DisableSnapshots
        - !Ref AWS::NoValue
        - DeliveryFrequency: !FindInMap
            - Settings
            - FrequencyMap
            - !Ref Frequency
      S3BucketName: !If
        - CreateBucket
        - !Ref ConfigBucket
        - !Ref S3BucketName
      S3KeyPrefix: !If
        - UsePrefix
        - !Ref S3KeyPrefix
        - !Ref AWS::NoValue
      SnsTopicARN: !If
        - UseSNS
        - !If
          - CreateTopic
          - !Ref ConfigTopic
          - !Ref TopicArn
        - !Ref AWS::NoValue