Gerald Bachlmayr gezza-b
gezza-b / gist:6bdd5e2f7baac6be2653e0e96d5e11ad
Last active April 26, 2020 07:14
AWS Config - Remediation Configuration - part 1
    # Fragment of the RemediationConfiguration Properties block: the InstanceId
    # parameter sits under Parameters, the remaining keys under Properties.
    InstanceId:
      # The SSM document needs the ID of the non-compliant resource, so the
      # parameter is bound to the resource rather than to a fixed string.
      ResourceValue:
        Value: RESOURCE_ID
  MaximumAutomaticAttempts: 2
  ResourceType: "AWS::EC2::Instance"
  RetryAttemptSeconds: 60
  TargetId: "AWS-StopEC2Instance"
  TargetType: "SSM_DOCUMENT"
gezza-b / gist:5c2ca6b02e00205dc0be9e4c3567ad49
Last active April 26, 2020 07:14
AWS Config - Remediation Configuration - part 1
Ec2ApprovedAmiRemediation:
  Type: AWS::Config::RemediationConfiguration
  Properties:
    Automatic: true
    ConfigRuleName: !Ref Ec2ApprovedAmiRule
    Parameters:
      AutomationAssumeRole:
        StaticValue:
          Values:
            - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
gezza-b / gist:08c9d7f71f53e32d18c67aca057b8778
Last active April 26, 2020 07:16
Parameters - AWS Config Rule for approved AMIs
Parameters:
  AllowedAmi:
    Description: ID of the AMI that EC2 instances are allowed to run
    Type: String
    Default: "ami-06fcc1f0bc2c8943f"
gezza-b / gist:0d9cd1b2a7489508ee672dc4fa3efc18
Last active April 26, 2020 07:15
AWS Config Rule for approved AMIs
Ec2ApprovedAmiRule:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: Ec2ApprovedAmiRule
    # amiIds is the parameter name expected by the APPROVED_AMIS_BY_ID managed rule
    InputParameters: !Sub '{ "amiIds" : "${AllowedAmi}" }'
    Scope:
      ComplianceResourceTypes:
        - "AWS::EC2::Instance"
    Source:
      Owner: AWS
      # SourceIdentifier is required for an AWS-managed rule; added here since the
      # snippet as listed stopped at Owner
      SourceIdentifier: APPROVED_AMIS_BY_ID
gezza-b / gist:251f3ba1200f2987babc9296cc4eb7bf
Last active April 26, 2020 07:17
AWS Config Delivery Channel
Resources:
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: 'One_Hour'
      # A resource cannot !Ref itself; DeliveryChannelName is assumed to be a
      # template parameter, in the same way RecorderName is used below.
      Name: !Ref DeliveryChannelName
      S3BucketName: !Ref ConfigBucketName
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Ref RecorderName
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
gezza-b / gist:17aa0dd1d8f081be2240bbab6e93df35
Last active April 26, 2020 07:17
AWS Config CloudWatch rule for approved AMIs
{
  "source": ["aws.config"],
  "detail-type": ["Config Rules Compliance Change"],
  "detail": {
    "messageType": ["ComplianceChangeNotification"],
    "configRuleName": [
      "approved-amis-by-id"
    ]
  }
}