######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template enables AWS Config in the Control Tower Management account and adds the Management account to the AWS Config Aggregator in the Control Tower Audit account. - 'config_management_account' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s) Metadata: SRA: Version: 1.2 Entry: Parameters for deploying solution without resolving SSM parameters Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASolutionVersion - pSRAStagingS3BucketName - pAuditAccountId - pLogArchiveAccountId - pOrganizationId - pHomeRegion - Label: default: Config Recorder Properties Parameters: - pConfigRegionsToEnable - pAllSupported - pIncludeGlobalResourceTypes - pResourceTypes - Label: default: Config Delivery Channel Properties Parameters: - pFrequency - pKmsKeyArn - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel ParameterLabels: pAllSupported: default: All Supported pAuditAccountId: default: Audit Account ID pConfigRegionsToEnable: default: AWS Config Regions to Enable pCreateLambdaLogGroup: default: Create Lambda Log Group pFrequency: default: Frequency pHomeRegion: default: Control Tower Home Region pIncludeGlobalResourceTypes: default: Include Global Resource Types pKmsKeyArn: default: (Optional) KMS Key ARN pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pLogArchiveAccountId: default: Log Archive Account ID pOrganizationId: default: Organization ID pResourceTypes: default: (Optional) Resource Types pSRASolutionName: default: SRA Solution Name pSRASolutionVersion: default: SRA Solution Version pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name Parameters: pAllSupported: AllowedValues: ['true', 'false'] Default: 'true' Description: Indicates whether to record all supported resource types. If set to 'false', then the 'Resource Types' parameter must have a value. Type: String pAuditAccountId: AllowedPattern: '^\d{12}$' ConstraintDescription: Must be 12 digits. Description: AWS Account ID of the Control Tower Audit account. Type: String pConfigRegionsToEnable: AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas without spaces. (e.g. us-east-1,ap-southeast-2) Description: AWS regions to enable AWS Config (2+ regions, separate by commas) Type: String pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pFrequency: AllowedValues: [1hour, 3hours, 6hours, 12hours, 24hours] Default: 1hour Description: The frequency with which AWS Config delivers configuration snapshots. Type: String pHomeRegion: AllowedPattern: '^[a-z0-9-]{1,64}$' ConstraintDescription: AWS Region Example - 'us-east-1' Description: Name of the Control Tower home region Type: String pIncludeGlobalResourceTypes: AllowedValues: ['true', 'false'] Default: 'true' Description: Indicates whether AWS Config records all supported global resource types. Type: String pKmsKeyArn: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*)?:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: Key ARN example - arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab Default: '' Description: (Optional) KMS key ARN to use for encrypting the AWS Config configuration snapshots and history files when storing in the S3 bucket in the Log Archive account. If empty, snapshots and history files will be encrypted based on the Default Encryption setting of the S3 bucket. Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pLambdaLogLevel: AllowedValues: [INFO, ERROR, DEBUG] Default: INFO Description: Lambda Function Logging Level Type: String pLogArchiveAccountId: AllowedPattern: '^\d{12}$' ConstraintDescription: Must be 12 digits. Description: AWS Account ID of the Control Tower Log Archive account. Type: String pOrganizationId: AllowedPattern: '^o-[a-z0-9]{10,32}$' ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567) Description: AWS Organizations ID Type: String pResourceTypes: AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$' Default: '' Description: (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is set to 'false', then this parameter becomes required. Type: String pSRASolutionName: AllowedValues: [sra-config-management-account] Default: sra-config-management-account Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRASolutionVersion: AllowedValues: [v1.2] Default: v1.2 Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String pSRAStagingS3BucketName: AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)' ConstraintDescription: SRA Staging S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Description: SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String Rules: ResourceTypesValidation: RuleCondition: !Equals [!Ref pResourceTypes, ''] Assertions: - AssertDescription: "'Resource Types' parameter is required if the 'All Supported' parameter is set to 'true'." Assert: !Equals [!Ref pAllSupported, 'true'] Resources: rConfigRoleStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-config-management-account-role.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName rConfigStackSet: DependsOn: rConfigRoleStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-config-management-account AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Enables AWS Config in the Control Tower Management account. ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref AWS::AccountId Regions: !Split [',', !Ref pConfigRegionsToEnable] TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-config-management-account.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: - ParameterKey: pAllSupported ParameterValue: !Ref pAllSupported - ParameterKey: pAuditAccountId ParameterValue: !Ref pAuditAccountId - ParameterKey: pFrequency ParameterValue: !Ref pFrequency - ParameterKey: pHomeRegion ParameterValue: !Ref pHomeRegion - ParameterKey: pIncludeGlobalResourceTypes ParameterValue: !Ref pIncludeGlobalResourceTypes - ParameterKey: pKmsKeyArn ParameterValue: !Ref pKmsKeyArn - ParameterKey: pLogArchiveAccountId ParameterValue: !Ref pLogArchiveAccountId - ParameterKey: pOrganizationId ParameterValue: !Ref pOrganizationId - ParameterKey: pResourceTypes ParameterValue: !Ref pResourceTypes rConfigAggregatorStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete DependsOn: rConfigStackSet UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-config-management-account-update-aggregator.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: pAuditAccountId: !Ref pAuditAccountId pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pOrganizationId: !Ref pOrganizationId pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName