AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::Serverless-2016-10-31 Description: Gevernance for Serverless initial setup Parameters: MainRegion: Type: String Default: us-west-2 Description: Main region for the account Conditions: IsMainRegion: !Equals [!Ref MainRegion, !Ref "AWS::Region"] Resources: DataBucket: # Region specific bucket Type: AWS::S3::Bucket NotificationTopic: # Allows subscriptins for config updates Type: AWS::SNS::Topic DeliveryChannel: # Regional delivery channel Type: AWS::Config::DeliveryChannel Properties: S3BucketName: !Ref DataBucket SnsTopicARN: !Ref NotificationTopic ConfigRecorder: # Regional recorder Type: AWS::Config::ConfigurationRecorder Properties: Name: !Sub ${AWS::Region}-Config-Recorder RecordingGroup: IncludeGlobalResourceTypes: !If [IsMainRegion, true, false] AllSupported: true RoleARN: !GetAtt ConfigRole.Arn ConfigRole: # Role for config service, allowing access to S3 bucket and SNS Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "config.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSConfigRole Policies: - PolicyName: S3ConfigPolicy PolicyDocument: Version: '2012-10-17' Statement: Action: - s3:PutObject - s3:GetBucketAcl Effect: Allow Resource: - !GetAtt DataBucket.Arn - !Sub - "${BucketArn}/*" - {BucketArn: !GetAtt DataBucket.Arn} - PolicyName: SNSConfigPolicy PolicyDocument: Version: '2012-10-17' Statement: Action: - sns:Publish Effect: Allow Resource: - !Ref NotificationTopic