AWSTemplateFormatVersion: 2010-09-09 Description: This CloudFormation template sets up AWS Config so that it will start collecting resource information for the region Workload Discovery on AWS will discover. (SO0075c) - Solution - Import Region Template (uksb-1r0720e5f) (version:v2.0.0) Parameters: WorkloadDiscoveryAccountId: Type: String Default: '<>' Description: The Workload Discovery Account Id AggregationRegion: Type: String Default: <> Description: The region where the Workload Discovery account was installed AlreadyHaveConfigSetup: Type: String Default: 'No' Description: 'Is AWS Config already set-up within this region?' AllowedValues: - 'No' - 'Yes' ConstraintDescription: 'Please specify if this region has config set-up (Yes / No)' Conditions: SetUpConfig: !Equals [!Ref AlreadyHaveConfigSetup, 'No'] Resources: ConfigRecorder: Type: AWS::Config::ConfigurationRecorder Condition: SetUpConfig Properties: Name: default RecordingGroup: AllSupported: true IncludeGlobalResourceTypes: true RoleARN: !GetAtt [ConfigRole, Arn] DeliveryChannel: Type: AWS::Config::DeliveryChannel Condition: SetUpConfig Properties: S3BucketName: !Ref ConfigBucket AggregationAuthorization: Type: 'AWS::Config::AggregationAuthorization' Properties: AuthorizedAccountId: !Ref WorkloadDiscoveryAccountId AuthorizedAwsRegion: !Ref AggregationRegion ConfigBucket: Type: AWS::S3::Bucket Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: 'only accessed by config, writes very frequently so will be costly' - id: W41 reason: 'S3 Bucket should have encryption option set' Condition: SetUpConfig Properties: PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true AccessControl: Private VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Condition: SetUpConfig Properties: Bucket: !Ref ConfigBucket PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": { "Service": [ "config.amazonaws.com" ] }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::${ConfigBucket}" }, { "Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": { "Service": [ "config.amazonaws.com" ] }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::${ConfigBucket}" }, { "Sid": " AWSConfigBucketDelivery", "Effect": "Allow", "Principal": { "Service": [ "config.amazonaws.com" ] }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/Config/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Sid": "HttpsOnly", "Action": "*", "Effect": "Deny", "Resource": "arn:aws:s3:::${ConfigBucket}/*", "Principal": "*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] } ConfigRole: Type: AWS::IAM::Role Condition: SetUpConfig Metadata: ManagedPolicy: 'The use of this policy is advised in the AWS Config docs' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: [config.amazonaws.com] Action: ['sts:AssumeRole'] ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetBucketAcl Resource: Fn::Sub: arn:aws:s3:::${ConfigBucket} - Effect: Allow Action: s3:PutObject Resource: Fn::Sub: arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/* Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control