AWS Configuration Tracking
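---
# Account-wide ("global") inventory assets, deployed once per account:
#   - an optional audit-log bucket carrying the policy CloudTrail and AWS
#     Config need (created only when BucketName is left empty),
#   - a multi-region CloudTrail with log-file validation, optionally shipped
#     to a CloudWatch log group,
#   - the IAM role AWS Config recorders assume,
#   - a read-only "discovery" managed policy,
#   - an account-level Config aggregator.
# The per-region recorder and delivery channel live in the second document.
AWSTemplateFormatVersion: '2010-09-09'
Description: Global assets needed for Inventory Discovery
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Inventory Settings
        Parameters:
          - BucketName
          - Topic
      - Label:
          default: AWS CloudTrail Service Settings
        Parameters:
          - CloudWatch
          - CloudWatchRetention
    ParameterLabels:
      BucketName:
        default: S3 Bucket (with policy)
      CloudWatch:
        default: Log CloudTrail to CloudWatch?
      CloudWatchRetention:
        default: CloudWatch Retention
      Topic:
        default: SNS Snapshot Delivery Notification
Parameters:
  # Empty (the default) makes the stack create its own bucket; a non-empty
  # value names an existing bucket, which must already carry a policy like
  # the one at the linked page (the stack does not manage it).
  BucketName:
    Type: String
    Description: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
    Default: ''
  # Quoted on purpose: bare YES/NO would be read as YAML 1.1 booleans.
  CloudWatch:
    Type: String
    AllowedValues:
      - 'YES'
      - 'NO'
    Default: 'YES'
  # Quoted to match Type: String; CloudFormation hands the value to
  # RetentionInDays as-is. Only CloudWatch's supported retention values.
  CloudWatchRetention:
    Type: String
    Description: days
    AllowedValues:
      - '1'
      - '3'
      - '5'
      - '7'
      - '14'
      - '30'
      - '60'
      - '90'
      - '120'
      - '150'
      - '180'
      - '365'
      - '400'
      - '545'
      - '731'
      - '1827'
      - '3653'
    Default: '90'
  # Empty (the default) leaves the trail without SNS delivery notifications.
  Topic:
    Type: String
    Description: SNS Arn
    Default: ''
Conditions:
  HasTopic: !Not
    - !Equals
      - !Ref Topic
      - ''
  CreateBucket: !Equals
    - !Ref BucketName
    - ''
  CreateCloudWatch: !Equals
    - !Ref CloudWatch
    - 'YES'
Resources:
  # Audit-log bucket. Retained on stack deletion so a teardown never destroys
  # history; SSE-S3 by default, versioned, objects expire after seven years.
  Bucket:
    Type: AWS::S3::Bucket
    Condition: CreateBucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: LogDeliveryWrite
      # Log data must never be exposed through a public ACL or bucket policy.
      # The Log Delivery group granted above is not a public grantee, so the
      # ACL setting and this block do not conflict.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: Retention7Years
            Status: Enabled
            ExpirationInDays: 2555
            NoncurrentVersionExpirationInDays: 2555
  # Grants exactly the service-principal access CloudTrail and AWS Config
  # need (ACL check plus PutObject under their own AWSLogs prefixes) and
  # denies plaintext transport and unencrypted uploads to everyone.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: CreateBucket
    DeletionPolicy: Retain
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: s3:GetBucketAcl
            Principal:
              Service:
                - cloudtrail.amazonaws.com
                - config.amazonaws.com
            Resource: !GetAtt Bucket.Arn
          # Config writes only under its own account-scoped prefix.
          - Sid: ConfigLogs
            Effect: Allow
            Action: s3:PutObject
            Principal:
              Service: config.amazonaws.com
            Resource: !Sub '${Bucket.Arn}/AWSLogs/${AWS::AccountId}/Config/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          - Sid: CloudTrailLogs
            Effect: Allow
            Action: s3:PutObject
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: !Sub '${Bucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          # Explicit Deny wins over any Allow, so this also binds the service
          # principals above. Condition value quoted so the rendered JSON uses
          # the string form shown in the IAM documentation.
          - Sid: RequireHTTPS
            Effect: Deny
            Action: s3:*
            Principal: '*'
            Resource:
              - !GetAtt Bucket.Arn
              - !Sub '${Bucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'
          # StringNotEquals also matches when the header is absent, so any
          # PutObject that does not explicitly request AES256 is denied.
          # NOTE(review): default bucket encryption above already covers
          # objects written without the header; confirm both services send it
          # before relying on this statement, or delivery silently fails.
          - Sid: RequireEncryptedPut
            Effect: Deny
            Action: s3:PutObject
            Principal: '*'
            Resource: !Sub '${Bucket.Arn}/*'
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: AES256
  # Role assumed by the regional AWS Config recorders (see second document).
  # NOTE(review): AWS documents AWSConfigRole as deprecated in favour of
  # AWS_ConfigRole; confirm a fresh attachment of this policy is still
  # permitted in the target account.
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: config.amazonaws.com
  # Read-only enumeration rights for an inventory/discovery tool. Wildcards
  # are limited to Describe*/Get*/List* verbs so no mutating action matches.
  DiscoveryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: AWS Discovery calls as of 2018-05-24.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - acm:List*
              - acm-pca:List*
              - alexaforbusiness:Get*
              - alexaforbusiness:List*
              - apigateway:Get*
              - appstream:Describe*
              - appsync:List*
              - athena:List*
              - autoscaling:Describe*
              - autoscaling-plans:Describe*
              - batch:Describe*
              - batch:List*
              - ce:Get*
              - cloud9:Describe*
              - cloud9:List*
              - clouddirectory:List*
              - cloudformation:Describe*
              - cloudformation:List*
              - cloudfront:List*
              - cloudhsm:List*
              - cloudhsmv2:Describe*
              - cloudsearch:Describe*
              - cloudsearch:List*
              - cloudtrail:Describe*
              - cloudwatch:Describe*
              - cloudwatch:List*
              - codebuild:List*
              - codecommit:List*
              - codedeploy:List*
              - codepipeline:List*
              - codestar:List*
              - cognito-sync:List*
              - comprehend:List*
              - config:Describe*
              - config:Get*
              - datapipeline:List*
              - dax:Describe*
              - devicefarm:List*
              - directconnect:Describe*
              - dms:Describe*
              - ds:Describe*
              - dynamodb:List*
              - dynamodbstreams:List*
              - ec2:Describe*
              - ecs:List*
              - efs:Describe*
              - elasticache:Describe*
              - elasticbeanstalk:Describe*
              - elasticbeanstalk:List*
              - elastictranscoder:List*
              - elb:Describe*
              - elbv2:Describe*
              - emr:List*
              - es:Describe*
              - es:List*
              - events:Describe*
              - events:List*
              - firehose:List*
              - fms:Get*
              - gamelift:Describe*
              - gamelift:List*
              - glue:Get*
              - greengrass:Get*
              - greengrass:List*
              - guardduty:Get*
              - guardduty:List*
              - iam:List*
              - importexport:List*
              - inspector:List*
              - iot:Describe*
              - iot:Get*
              - iot:List*
              - iot1click-devices:List*
              - iotanalytics:Describe*
              - iotanalytics:List*
              - kinesis:List*
              - kinesisanalytics:List*
              - kinesisvideo:Describe*
              - kinesisvideo:List*
              - kms:Describe*
              - kms:List*
              - lambda:List*
              - lex-models:Get*
              - lightsail:Get*
              - logs:Describe*
              - machinelearning:Describe*
              - mediaconvert:Describe*
              - mediaconvert:List*
              - medialive:List*
              - mediapackage:List*
              - mediastore:Describe*
              - mediastore:List*
              - mediastore-data:List*
              - mgh:List*
              - mobile:List*
              - mq:List*
              - mturk:Get*
              - mturk:List*
              - opsworks:Describe*
              - opsworkscm:Describe*
              - organizations:Describe*
              - organizations:List*
              - pinpoint:Get*
              - polly:List*
              - pricing:Describe*
              - pricing:Get*
              - rds:Describe*
              - redshift:Describe*
              - rekognition:List*
              - resource-groups:List*
              - resourcegroupstaggingapi:Get*
              - route53:List*
              - route53domains:List*
              # The IAM action behind the S3 ListBuckets API is
              # s3:ListAllMyBuckets; the previous "s3:ListBuckets" is not an
              # IAM action and granted nothing.
              - s3:ListAllMyBuckets
              - sagemaker:List*
              - sdb:List*
              - secretsmanager:List*
              - serverlessrepo:List*
              - servicecatalog:List*
              - servicediscovery:List*
              - ses:Describe*
              - ses:Get*
              - ses:List*
              - shield:Get*
              - shield:List*
              - sms:Get*
              - snowball:Describe*
              - snowball:List*
              - sns:List*
              - sqs:List*
              - ssm:Describe*
              - ssm:Get*
              - ssm:List*
              - stepfunctions:List*
              - storagegateway:Describe*
              - storagegateway:List*
              - transcribe:List*
              - waf:List*
              - waf-regional:List*
              - workdocs:Describe*
              - workmail:List*
              - workspaces:Describe*
              - xray:Get*
            Resource: '*'
  # Single multi-region trail for the account. WriteOnly keeps cost down but
  # means read-only management events are not captured.
  # CloudTrail validates the bucket policy when the trail is created, so the
  # policy must exist first; a !Ref to Bucket alone does not order it after
  # BucketPolicy. When CreateBucket is false the dependency is moot and the
  # externally supplied bucket's policy is the operator's responsibility.
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: BucketPolicy
    Properties:
      IsLogging: true
      EventSelectors:
        - ReadWriteType: WriteOnly
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      CloudWatchLogsLogGroupArn: !If
        - CreateCloudWatch
        - !GetAtt CloudTrailLogGroup.Arn
        - !Ref AWS::NoValue
      CloudWatchLogsRoleArn: !If
        - CreateCloudWatch
        - !GetAtt CloudTrailLogRole.Arn
        - !Ref AWS::NoValue
      S3BucketName: !If
        - CreateBucket
        - !Ref Bucket
        - !Ref BucketName
      # Digest files let tamper-evidence checks be run over delivered logs.
      EnableLogFileValidation: true
      # NOTE(review): the Topic parameter is described as an ARN; confirm
      # SnsTopicName accepts an ARN in the target region.
      SnsTopicName: !If
        - HasTopic
        - !Ref Topic
        - !Ref AWS::NoValue
  # Log group named after the bucket so the two are easy to correlate.
  CloudTrailLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: CreateCloudWatch
    Properties:
      LogGroupName: !If
        - CreateBucket
        - !Ref Bucket
        - !Ref BucketName
      RetentionInDays: !Ref CloudWatchRetention
  # Least-privilege role CloudTrail assumes to ship events to the log group
  # above; scoped to that single group's ARN.
  CloudTrailLogRole:
    Type: AWS::IAM::Role
    Condition: CreateCloudWatch
    Properties:
      Policies:
        - PolicyName: CloudTrailCloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt CloudTrailLogGroup.Arn
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: cloudtrail.amazonaws.com
  # Aggregates every region of this account into one queryable view.
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Ref AWS::StackName
      AccountAggregationSources:
        - AllAwsRegions: true
          AccountIds:
            - !Ref AWS::AccountId
Outputs:
  InventoryBucket:
    Condition: CreateBucket
    Description: S3 Bucket configured for AWS Config and CloudTrail
    Value: !Ref Bucket
  # Feed these two into the regional template's ConfigRoleArn / BucketName.
  ConfigRole:
    Description: IAM Role ARN for AWS Config recorders
    Value: !GetAtt ConfigRole.Arn
  PolicyArn:
    Description: IAM Policy ARN for inventory discovery
    Value: !Ref DiscoveryPolicy
  CloudTrailLog:
    Condition: CreateCloudWatch
    Description: CloudTrail CloudWatch Log ARN
    Value: !GetAtt CloudTrailLogGroup.Arn
...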
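---
# Per-region AWS Config assets: one delivery channel and one configuration
# recorder, wired to the bucket and role created by the global template.
# Deploy in every region to be inventoried.
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Config Regional
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: AWS Config Service Settings
        Parameters:
          - BucketName
          - ConfigRoleArn
          - DeliveryFrequency
          - Topic
    ParameterLabels:
      BucketName:
        default: S3 Bucket with policy for AWS Config delivery
      ConfigRoleArn:
        default: IAM Role for AWS Config Service
      DeliveryFrequency:
        default: Frequency for snapshot delivery to S3
      Topic:
        default: SNS Topic for snapshot delivery notification
Parameters:
  # Required: the delivery channel has no fallback for an empty bucket name,
  # so the former Default of '' only deferred the failure to resource
  # creation. Use the InventoryBucket output of the global template.
  BucketName:
    Type: String
    Description: S3 Bucket (with policy) that receives Config snapshots
  ConfigRoleArn:
    Type: String
    Description: IAM Role ARN
  DeliveryFrequency:
    Type: String
    Description: hours between snapshots
    AllowedValues:
      - One_Hour
      - Three_Hours
      - Six_Hours
      - Twelve_Hours
      - TwentyFour_Hours
    Default: TwentyFour_Hours
  # Empty (the default) disables snapshot delivery notifications.
  Topic:
    Type: String
    Description: SNS Arn
    Default: ''
Conditions:
  HasTopic: !Not
    - !Equals
      - !Ref Topic
      - ''
Resources:
  # NOTE(review): AWS Config requires a recorder to exist before a delivery
  # channel can be put, and a delivery channel before a recorder can start;
  # CloudFormation creates these two in parallel as written. Confirm whether
  # an explicit DependsOn is needed in the target account.
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: default  # only one per region, so here we are
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !Ref DeliveryFrequency
      S3BucketName: !Ref BucketName
      SnsTopicARN: !If
        - HasTopic
        - !Ref Topic
        - !Ref AWS::NoValue
  # Records every supported resource type, including global ones (IAM etc.),
  # so this region's recorder also covers account-level resources.
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default  # only one per region, so here we are
      RoleARN: !Ref ConfigRoleArn
      RecordingGroup:
        IncludeGlobalResourceTypes: true
        AllSupported: true
        # ResourceTypes: (only if not AllSupported)
        # http://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources
...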