AWSTemplateFormatVersion: '2010-09-09' | |
Description: Configure The Organizational Config Service Aggregator and Conformance Pack Infrastructure | |
Parameters: | |
pOrganizationConformancePackBucketSuffix: | |
Description: Suffix to append to awsconfigconforms when creating the bucket | |
Type: String | |
pOrganizationId: | |
Description: AWS Organization ID | |
Type: String | |
pCreateBucket: | |
Description: If true, the ConformancePackResults Bucket is created | |
Type: String | |
AllowedValues: | |
- "true" | |
- "false" | |
Default: "true" | |
Conditions: | |
CreateBucket: !Equals [ !Ref pCreateBucket, "true" ] | |
Resources: | |
ConformancePackDeliveryS3Bucket: | |
Type: AWS::S3::Bucket | |
Condition: CreateBucket | |
Properties: | |
BucketName: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}" | |
AccessControl: Private | |
# LoggingConfiguration: | |
# DestinationBucketName: | |
# Ref: pLoggingBucket | |
# LogFilePrefix: !Join ['', ['S3logs/', !Ref pBucketName, '/']] | |
# VersioningConfiguration: | |
# Status: Disabled | |
BucketEncryption: | |
ServerSideEncryptionConfiguration: | |
- ServerSideEncryptionByDefault: | |
SSEAlgorithm: AES256 | |
ConformancePackDeliveryS3BucketPolicy: | |
Type: AWS::S3::BucketPolicy | |
Properties: | |
Bucket: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}" | |
PolicyDocument: | |
Statement: | |
- Sid: AllowGetObject | |
Effect: Allow | |
Principal: '*' | |
Action: | |
- s3:getObject | |
- s3:PutObject | |
Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}/*" | |
Condition: | |
StringEquals: | |
aws:PrincipalOrgID: !Ref pOrganizationId | |
- Sid: AllowGetBucketAcl | |
Effect: Allow | |
Principal: '*' | |
Action: | |
- s3:GetBucketAcl | |
Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}" | |
Condition: | |
StringEquals: | |
aws:PrincipalOrgID: !Ref pOrganizationId | |
ConfigTopic: | |
Type: "AWS::SNS::Topic" | |
Properties: | |
TopicName: !Sub "${AWS::StackName}" | |
DisplayName: "Organizational Config Topic" | |
# Why they don't have a service linked role here is beyond me | |
ConfigAggregatorRole: | |
Type: AWS::IAM::Role | |
Properties: | |
RoleName: !Sub "aws-config-aggregator-role-${AWS::StackName}" | |
AssumeRolePolicyDocument: | |
Version: 2012-10-17 | |
Statement: | |
- Effect: Allow | |
Principal: | |
Service: config.amazonaws.com | |
Action: | |
- sts:AssumeRole | |
Path: /service-role/ | |
ManagedPolicyArns: | |
- arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations | |
# Create the Aggregator | |
ConfigAggregator: | |
Type: AWS::Config::ConfigurationAggregator | |
Properties: | |
ConfigurationAggregatorName: !Sub "${AWS::StackName}-Aggregator" | |
OrganizationAggregationSource: | |
AllAwsRegions: True | |
RoleArn: !GetAtt ConfigAggregatorRole.Arn | |
Outputs: | |
ConfigTopicArn: | |
Value: !Ref ConfigTopic | |
TemplateVersion: | |
Value: "1.0.0" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment