AWSTemplateFormatVersion: 2010-09-09 Description: > Enable AWS Security Hub and AWS Config. Please note, you will be billed for the AWS resources used if you create a stack from this template. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 Resources: DevSecOpsHub: Type: AWS::SecurityHub::Hub DependsOn: DeliveryChannel ##### AWS Config rules AWSConfigRecorder: Type: AWS::Config::ConfigurationRecorder Properties: RecordingGroup: AllSupported: true RoleARN: !GetAtt [ConfigRole, Arn] DeliveryChannel: Type: AWS::Config::DeliveryChannel Properties: ConfigSnapshotDeliveryProperties: DeliveryFrequency: One_Hour S3BucketName: !Ref 'ConfigBucket' SnsTopicARN: !Ref 'ConfigTopic' ConfigBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub configbucket-${AWS::AccountId} BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN ConfigTopic: Type: AWS::SNS::Topic ConfigTopicPolicy: Type: AWS::SNS::TopicPolicy Properties: PolicyDocument: Id: ConfigTopicPolicy Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: config.amazonaws.com Action: SNS:Publish Resource: '*' Topics: [!Ref 'ConfigTopic'] ConfigRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: [config.amazonaws.com] Action: ['sts:AssumeRole'] ManagedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWS_ConfigRole'] Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetBucketAcl Resource: !Join ['', ['arn:aws:s3:::', !Ref 'ConfigBucket']] - Effect: Allow Action: s3:PutObject Resource: !Join ['', ['arn:aws:s3:::', !Ref 'ConfigBucket', /AWSLogs/, !Ref 'AWS::AccountId', /*]] Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control - Effect: Allow Action: config:Put* Resource: '*'