AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Config Baseline
Parameters:
  BucketName:
    AllowedPattern: '[a-z0-9.-]*'
    Default: mybucketname
    Description: Enter the bucket name to store your Config data in.
    Type: String
Conditions:
    IsUSEast: !Equals [ us-east-1, !Ref 'AWS::Region' ]
Resources:
  ConfigChannel:
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: One_Hour
      S3BucketName:
        Ref: BucketName
      S3KeyPrefix: AWSConfig
    Type: AWS::Config::DeliveryChannel
  ConfigRecorder:
    Properties:
      Name:
        Fn::Sub: ${AWS::Region}-${AWS::AccountId}-config-recorder
      RecordingGroup:
        AllSupported: True
        IncludeGlobalResourceTypes: !If [ IsUSEast, True, False ]
      RoleARN:
        Fn::GetAtt:
        - ConfigRole
        - Arn
    Type: AWS::Config::ConfigurationRecorder
  ConfigRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - config.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSConfigRole
      Path: /
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - s3:PutObject*
            Condition:
              StringLike:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Resource:
              Fn::Sub: arn:aws:s3:::${BucketName}/AWSConfig/AWSLogs/${AWS::AccountId}/*
          - Action:
            - s3:GetBucketAcl
            Effect: Allow
            Resource:
              Fn::Sub: arn:aws:s3:::${BucketName}
          Version: '2012-10-17'
        PolicyName: S3Policy
      RoleName: ConfigRole
    Type: AWS::IAM::Role