AWSTemplateFormatVersion: 2010-09-09 Description: Enable AWS Config (qs-1t0eilb5g) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Recorder Configuration Parameters: - AllSupported - IncludeGlobalResourceTypes - ResourceTypes - Label: default: Delivery Channel Configuration Parameters: - DeliveryChannelName - Frequency - Label: default: Delivery Notifications Parameters: - TopicArn - NotificationEmail ParameterLabels: AllSupported: default: Support all resource types IncludeGlobalResourceTypes: default: Include global resource types ResourceTypes: default: List of resource types if not all supported DeliveryChannelName: default: Configuration delivery channel name Frequency: default: Snapshot delivery frequency TopicArn: default: SNS topic name NotificationEmail: default: Notification Email (optional) Parameters: AllSupported: Type: String Default: True Description: Indicates whether to record all supported resource types. AllowedValues: - True - False IncludeGlobalResourceTypes: Type: String Default: True Description: Indicates whether AWS Config records all supported global resource types. AllowedValues: - True - False ResourceTypes: Type: List Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. Default: DeliveryChannelName: Type: String Default: Description: The name of the delivery channel. Frequency: Type: String Default: 24hours Description: The frequency with which AWS Config delivers configuration snapshots. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours TopicArn: Type: String Default: Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. NotificationEmail: Type: String Default: Description: Email address for AWS Config notifications (for new topics). Conditions: IsAllSupported: !Equals - !Ref AllSupported - True IsGeneratedDeliveryChannelName: !Equals - !Ref DeliveryChannelName - CreateTopic: !Equals - !Ref TopicArn - CreateSubscription: !And - !Condition CreateTopic - !Not - !Equals - !Ref NotificationEmail - Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: ConfigBucket: DeletionPolicy: Retain Type: AWS::S3::Bucket Properties: BucketName: !Sub "s3-configbucket-${AWS::AccountId}-${AWS::Region}" BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref ConfigBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSConfigBucketPermissionsCheck Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:GetBucketAcl Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" - Sid: DisallowHTTP Effect: Deny Principal: '*' Action: 's3:*' Resource: - !Sub "arn:aws:s3:::${ConfigBucket}" Condition: Bool: 'aws:SecureTransport': false - Sid: AWSConfigBucketDelivery Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:PutObject Resource: - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" ConfigTopic: Condition: CreateTopic Type: AWS::SNS::Topic Properties: TopicName: !Sub "config-topic-${AWS::AccountId}" DisplayName: AWS Config Notification Topic ConfigTopicPolicy: Condition: CreateTopic Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref ConfigTopic PolicyDocument: Statement: - Sid: AWSConfigSNSPolicy Action: - sns:Publish Effect: Allow Resource: !Ref ConfigTopic Principal: Service: - config.amazonaws.com EmailNotification: Condition: CreateSubscription Type: AWS::SNS::Subscription Properties: Endpoint: !Ref NotificationEmail Protocol: email TopicArn: !Ref ConfigTopic ConfigRecorderRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - config.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole" ConfigRecorder: Type: AWS::Config::ConfigurationRecorder DependsOn: - ConfigBucketPolicy Properties: RoleARN: !GetAtt ConfigRecorderRole.Arn RecordingGroup: AllSupported: !Ref AllSupported IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes ResourceTypes: !If - IsAllSupported - !Ref AWS::NoValue - !Ref ResourceTypes ConfigDeliveryChannel: Type: AWS::Config::DeliveryChannel DependsOn: - ConfigBucketPolicy Properties: Name: !If - IsGeneratedDeliveryChannelName - !Ref AWS::NoValue - !Ref DeliveryChannelName ConfigSnapshotDeliveryProperties: DeliveryFrequency: !FindInMap - Settings - FrequencyMap - !Ref Frequency S3BucketName: !Ref ConfigBucket SnsTopicARN: !If - CreateTopic - !Ref ConfigTopic - !Ref TopicArn