AWSTemplateFormatVersion: 2010-09-09 Description: Workload Discovery AWS Config Aggregator Stack Parameters: ExistingConfigInstallation: Type: String ConfigBucket: Type: String Conditions: SetUpConfig: !Equals [!Ref ExistingConfigInstallation, 'No'] Resources: ConfigurationAggregator: Type: AWS::Config::ConfigurationAggregator Properties: AccountAggregationSources: - AccountIds: - !Ref AWS::AccountId AwsRegions: - !Ref 'AWS::Region' AllAwsRegions: false ConfigurationAggregatorName: Fn::Sub: aws-perspective-${AWS::Region}-${AWS::AccountId}-aggregator ConfigRecorder: Type: AWS::Config::ConfigurationRecorder Condition: SetUpConfig Properties: Name: default RecordingGroup: AllSupported: true IncludeGlobalResourceTypes: true RoleARN: Fn::GetAtt: - ConfigRole - Arn DeliveryChannel: Type: AWS::Config::DeliveryChannel Condition: SetUpConfig Properties: S3BucketName: Ref: ConfigBucket ConfigRole: Type: AWS::IAM::Role Condition: SetUpConfig Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - config.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: s3:GetBucketAcl Resource: Fn::Sub: arn:aws:s3:::${ConfigBucket} - Effect: Allow Action: s3:PutObject Resource: Fn::Sub: arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/* Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control Outputs: ConfigBucket: Condition: SetUpConfig Value: !Ref ConfigBucket PerspectiveConfigurationAggregator: Description: AWS Config aggregator Value: Ref: ConfigurationAggregator