```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Configure The Organizational Config Service Aggregator and Conformance Pack Infrastructure
Parameters:
  pOrganizationConformancePackBucketSuffix:
    Description: Suffix to append to awsconfigconforms when creating the bucket
    Type: String
  pOrganizationId:
    Description: AWS Organization ID
    Type: String
  pCreateBucket:
    Description: If true, the ConformancePackResults Bucket is created
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "true"
Conditions:
  CreateBucket: !Equals [ !Ref pCreateBucket, "true" ]
Resources:
  # Delivery bucket for organization conformance pack results. Config requires
  # the bucket name to start with "awsconfigconforms".
  ConformancePackDeliveryS3Bucket:
    Type: AWS::S3::Bucket
    Condition: CreateBucket
    Properties:
      BucketName: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
      AccessControl: Private
      # LoggingConfiguration:
      #   DestinationBucketName:
      #     Ref: pLoggingBucket
      #   LogFilePrefix: !Join ['', ['S3logs/', !Ref pBucketName, '/']]
      # VersioningConfiguration:
      #   Status: Disabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  # The policy is attached by bucket name rather than !Ref so that it can also
  # be applied when pCreateBucket is "false" and the bucket already exists.
  ConformancePackDeliveryS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
      PolicyDocument:
        Statement:
          # Principal '*' is acceptable only because every statement is
          # pinned to this organization with the aws:PrincipalOrgID condition.
          - Sid: AllowGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject   # canonical casing (was s3:getObject)
              - s3:PutObject
            Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}/*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref pOrganizationId
          - Sid: AllowGetBucketAcl
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref pOrganizationId
  ConfigTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: !Sub "${AWS::StackName}"
      DisplayName: "Organizational Config Topic"
  # Why they don't have a service linked role here is beyond me
  ConfigAggregatorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "aws-config-aggregator-role-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"   # quoted so YAML does not parse it as a timestamp
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /service-role/
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
  # Create the Aggregator
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Sub "${AWS::StackName}-Aggregator"
      OrganizationAggregationSource:
        AllAwsRegions: True
        RoleArn: !GetAtt ConfigAggregatorRole.Arn
Outputs:
  ConfigTopicArn:
    Value: !Ref ConfigTopic
  TemplateVersion:
    Value: "1.0.0"
```
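Added example, not part of the gist: a stdlib-only audit of the delivery bucket policy above as it renders once `!Sub` and `!Ref` are resolved. It flags any Allow statement that opens the bucket to a wildcard principal without pinning it to the expected organization via `aws:PrincipalOrgID`, flags wildcard actions or resources outside the `awsconfigconforms-` bucket, and confirms the three actions Config needs are granted. The bucket suffix `example` and org id `o-exampleorgid` are placeholder values.

```python
# Constructed sample: the gist's bucket policy after !Sub/!Ref resolution;
# the suffix "example" and org id "o-exampleorgid" are placeholders.
RENDERED_POLICY = {"Statement": [
    {"Sid": "AllowGetObject", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::awsconfigconforms-example/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AllowGetBucketAcl", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::awsconfigconforms-example",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]}

# Actions Config needs on the conformance pack delivery bucket
# (lower-cased here because the audit compares case-insensitively).
REQUIRED_ACTIONS = {"s3:getobject", "s3:putobject", "s3:getbucketacl"}


def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _is_wildcard_principal(p):
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def audit_delivery_bucket_policy(policy, expected_org_id):
    """Return a list of findings; an empty list means the policy passes."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        granted.update(actions)
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: grants wildcard action")
        if _is_wildcard_principal(stmt.get("Principal")):
            org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
            if org is None:
                findings.append(f"{sid}: wildcard principal without aws:PrincipalOrgID")
            elif org != expected_org_id:
                findings.append(f"{sid}: aws:PrincipalOrgID is {org}, expected {expected_org_id}")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith("arn:aws:s3:::awsconfigconforms-"):
                findings.append(f"{sid}: resource {res} is outside the awsconfigconforms- bucket")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing actions Config needs: " + ", ".join(sorted(missing)))
    return findings
```

Run it against the rendered policy of a deployed stack (for example the output of `aws s3api get-bucket-policy`) before trusting a wildcard principal.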