seansummers/1a557d7001bbfd8ff57b51a28f507a23
Last active September 15, 2023 11:21
AWS Configuration Tracking
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Global assets needed for Inventory Discovery
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Inventory Settings
        Parameters:
          - BucketName
          - Topic
      - Label:
          default: AWS CloudTrail Service Settings
        Parameters:
          - CloudWatch
          - CloudWatchRetention
    ParameterLabels:
      BucketName:
        default: S3 Bucket (with policy)
      CloudWatch:
        default: Log CloudTrail to CloudWatch?
      CloudWatchRetention:
        default: CloudWatch Retention
      Topic:
        default: SNS Snapshot Delivery Notification
Parameters:
  BucketName:
    Type: String
    Description: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
    Default: ''
  CloudWatch:
    Type: String
    AllowedValues:
      - 'YES'
      - 'NO'
    Default: 'YES'
  CloudWatchRetention:
    Type: String
    Description: days
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 90
  Topic:
    Type: String
    Description: SNS Arn
    Default: ''
Conditions:
  HasTopic: !Not
    - !Equals
      - !Ref Topic
      - ''
  # An empty BucketName means "create the bucket and its policy in this stack"
  CreateBucket: !Equals
    - !Ref BucketName
    - ''
  CreateCloudWatch: !Equals
    - !Ref CloudWatch
    - 'YES'
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Condition: CreateBucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: LogDeliveryWrite
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: Retention7Years
            Status: Enabled
            ExpirationInDays: 2555
            NoncurrentVersionExpirationInDays: 2555
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: CreateBucket
    DeletionPolicy: Retain
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail and Config read the bucket ACL before delivering logs
          - Effect: Allow
            Action: s3:GetBucketAcl
            Principal:
              Service:
                - cloudtrail.amazonaws.com
                - config.amazonaws.com
            Resource: !GetAtt Bucket.Arn
          # Service delivery is only allowed with the bucket-owner-full-control ACL
          - Sid: ConfigLogs
            Effect: Allow
            Action: s3:PutObject
            Principal:
              Service: config.amazonaws.com
            Resource: !Sub '${Bucket.Arn}/AWSLogs/${AWS::AccountId}/Config/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          - Sid: CloudTrailLogs
            Effect: Allow
            Action: s3:PutObject
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: !Sub '${Bucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          # Deny every request that is not made over TLS
          - Sid: RequireHTTPS
            Effect: Deny
            Action: s3:*
            Principal: '*'
            Resource:
              - !GetAtt Bucket.Arn
              - !Sub '${Bucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: false
          # Deny uploads that do not request SSE-S3 (AES256) server-side encryption
          - Sid: RequireEncryptedPut
            Effect: Deny
            Action: s3:PutObject
            Principal: '*'
            Resource: !Sub '${Bucket.Arn}/*'
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: AES256
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: config.amazonaws.com
  # Read-only (Describe/List/Get) inventory calls across services
  DiscoveryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: AWS Discovery calls as of 2018-05-24.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - acm:List*
              - acm-pca:List*
              - alexaforbusiness:Get*
              - alexaforbusiness:List*
              - apigateway:Get*
              - appstream:Describe*
              - appsync:List*
              - athena:List*
              - autoscaling:Describe*
              - autoscaling-plans:Describe*
              - batch:Describe*
              - batch:List*
              - ce:Get*
              - cloud9:Describe*
              - cloud9:List*
              - clouddirectory:List*
              - cloudformation:Describe*
              - cloudformation:List*
              - cloudfront:List*
              - cloudhsm:List*
              - cloudhsmv2:Describe*
              - cloudsearch:Describe*
              - cloudsearch:List*
              - cloudtrail:Describe*
              - cloudwatch:Describe*
              - cloudwatch:List*
              - codebuild:List*
              - codecommit:List*
              - codedeploy:List*
              - codepipeline:List*
              - codestar:List*
              - cognito-sync:List*
              - comprehend:List*
              - config:Describe*
              - config:Get*
              - datapipeline:List*
              - dax:Describe*
              - devicefarm:List*
              - directconnect:Describe*
              - dms:Describe*
              - ds:Describe*
              - dynamodb:List*
              - dynamodbstreams:List*
              - ec2:Describe*
              - ecs:List*
              - efs:Describe*
              - elasticache:Describe*
              - elasticbeanstalk:Describe*
              - elasticbeanstalk:List*
              - elastictranscoder:List*
              - elb:Describe*
              - elbv2:Describe*
              - emr:List*
              - es:Describe*
              - es:List*
              - events:Describe*
              - events:List*
              - firehose:List*
              - fms:Get*
              - gamelift:Describe*
              - gamelift:List*
              - glue:Get*
              - greengrass:Get*
              - greengrass:List*
              - guardduty:Get*
              - guardduty:List*
              - iam:List*
              - importexport:List*
              - inspector:List*
              - iot:Describe*
              - iot:Get*
              - iot:List*
              - iot1click-devices:List*
              - iotanalytics:Describe*
              - iotanalytics:List*
              - kinesis:List*
              - kinesisanalytics:List*
              - kinesisvideo:Describe*
              - kinesisvideo:List*
              - kms:Describe*
              - kms:List*
              - lambda:List*
              - lex-models:Get*
              - lightsail:Get*
              - logs:Describe*
              - machinelearning:Describe*
              - mediaconvert:Describe*
              - mediaconvert:List*
              - medialive:List*
              - mediapackage:List*
              - mediastore:Describe*
              - mediastore:List*
              - mediastore-data:List*
              - mgh:List*
              - mobile:List*
              - mq:List*
              - mturk:Get*
              - mturk:List*
              - opsworks:Describe*
              - opsworkscm:Describe*
              - organizations:Describe*
              - organizations:List*
              - pinpoint:Get*
              - polly:List*
              - pricing:Describe*
              - pricing:Get*
              - rds:Describe*
              - redshift:Describe*
              - rekognition:List*
              - resource-groups:List*
              - resourcegroupstaggingapi:Get*
              - route53:List*
              - route53domains:List*
              # the ListBuckets API is authorized by s3:ListAllMyBuckets; s3:ListBuckets is not an IAM action
              - s3:ListAllMyBuckets
              - sagemaker:List*
              - sdb:List*
              - secretsmanager:List*
              - serverlessrepo:List*
              - servicecatalog:List*
              - servicediscovery:List*
              - ses:Describe*
              - ses:Get*
              - ses:List*
              - shield:Get*
              - shield:List*
              - sms:Get*
              - snowball:Describe*
              - snowball:List*
              - sns:List*
              - sqs:List*
              - ssm:Describe*
              - ssm:Get*
              - ssm:List*
              - stepfunctions:List*
              - storagegateway:Describe*
              - storagegateway:List*
              - transcribe:List*
              - waf:List*
              - waf-regional:List*
              - workdocs:Describe*
              - workmail:List*
              - workspaces:Describe*
              - xray:Get*
            Resource: '*'
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      EventSelectors:
        - ReadWriteType: WriteOnly
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      CloudWatchLogsLogGroupArn: !If
        - CreateCloudWatch
        - !GetAtt CloudTrailLogGroup.Arn
        - !Ref AWS::NoValue
      CloudWatchLogsRoleArn: !If
        - CreateCloudWatch
        - !GetAtt CloudTrailLogRole.Arn
        - !Ref AWS::NoValue
      S3BucketName: !If
        - CreateBucket
        - !Ref Bucket
        - !Ref BucketName
      # Digest files let you detect modified or deleted log files after delivery
      EnableLogFileValidation: true
      SnsTopicName: !If
        - HasTopic
        - !Ref Topic
        - !Ref AWS::NoValue
  CloudTrailLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: CreateCloudWatch
    Properties:
      LogGroupName: !If
        - CreateBucket
        - !Ref Bucket
        - !Ref BucketName
      RetentionInDays: !Ref CloudWatchRetention
  CloudTrailLogRole:
    Type: AWS::IAM::Role
    Condition: CreateCloudWatch
    Properties:
      Policies:
        - PolicyName: CloudTrailCloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt CloudTrailLogGroup.Arn
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: cloudtrail.amazonaws.com
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Ref AWS::StackName
      AccountAggregationSources:
        - AllAwsRegions: true
          AccountIds:
            - !Ref AWS::AccountId
Outputs:
  InventoryBucket:
    Condition: CreateBucket
    Description: S3 Bucket configured for AWS Config and CloudTrail
    Value: !Ref Bucket
  ConfigRole:
    Description: IAM Role ARN for AWS Config recorders
    Value: !GetAtt ConfigRole.Arn
  PolicyArn:
    Description: IAM Policy ARN for inventory discovery
    Value: !Ref DiscoveryPolicy
  CloudTrailLog:
    Condition: CreateCloudWatch
    Description: CloudTrail CloudWatch Log ARN
    Value: !GetAtt CloudTrailLogGroup.Arn
...
---
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Config Regional
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: AWS Config Service Settings
        Parameters:
          - BucketName
          - ConfigRoleArn
          - DeliveryFrequency
          - Topic
    ParameterLabels:
      BucketName:
        default: S3 Bucket with policy for AWS Config delivery
      ConfigRoleArn:
        default: IAM Role for AWS Config Service
      DeliveryFrequency:
        default: Frequency for snapshot delivery to S3
      Topic:
        default: SNS Topic for snapshot delivery notification
Parameters:
  BucketName:
    Type: String
    Default: ''
  ConfigRoleArn:
    Type: String
    Description: IAM Role ARN
  DeliveryFrequency:
    Type: String
    Description: hours between snapshots
    AllowedValues:
      - One_Hour
      - Three_Hours
      - Six_Hours
      - Twelve_Hours
      - TwentyFour_Hours
    Default: TwentyFour_Hours
  Topic:
    Type: String
    Description: SNS Arn
    Default: ''
Conditions:
  HasTopic: !Not
    - !Equals
      - !Ref Topic
      - ''
Resources:
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: default # only one per region, so here we are
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !Ref DeliveryFrequency
      S3BucketName: !Ref BucketName
      SnsTopicARN: !If
        - HasTopic
        - !Ref Topic
        - !Ref AWS::NoValue
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default # only one per region, so here we are
      RoleARN: !Ref ConfigRoleArn
      RecordingGroup:
        IncludeGlobalResourceTypes: true
        AllSupported: true
        # ResourceTypes: (if not AllSupported)
        # http://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources
...