Created
March 27, 2023 13:52
-
-
Save houey/d37720b37605ee649541b4c5b9bf4823 to your computer and use it in GitHub Desktop.
AWS Cloudformation template for AWS Config Recorder where cost consciousness is a concern. This template has two lines for ResourceTypes for Opt In to overcome the limits of a single string in cloudformation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: Enable AWS Config with central logging and notification with enhanced cost conciousness using two lines for opt in usage with large numbers of ResourceTypes | |
| Metadata: | |
| AWS::CloudFormation::Interface: | |
| ParameterGroups: | |
| - Label: | |
| default: Recorder Configuration | |
| Parameters: | |
| - AllSupported | |
| - IncludeGlobalResourceTypes | |
| - ResourceTypes1 | |
| - ResourceTypes2 | |
| - Label: | |
| default: Delivery Channel Configuration | |
| Parameters: | |
| - DeliveryChannelName | |
| - S3BucketName | |
| - S3KeyPrefix | |
| - Frequency | |
| - Label: | |
| default: Delivery Notifications | |
| Parameters: | |
| - SNS | |
| - TopicArn | |
| - NotificationEmail | |
| ParameterLabels: | |
| AllSupported: | |
| default: Support all resource types | |
| IncludeGlobalResourceTypes: | |
| default: Include global resource types | |
| ResourceTypes1: | |
| default: List of resource types if not all supported part1 | |
| ResourceTypes2: | |
| default: List of resource types if not all supported part1 | |
| DeliveryChannelName: | |
| default: Configuration delivery channel name | |
| S3BucketName: | |
| default: Central S3 bucket | |
| S3KeyPrefix: | |
| default: Prefix for the specified Amazon S3 bucket | |
| Frequency: | |
| default: Snapshot delivery frequency | |
| SNS: | |
| default: SNS notifications | |
| TopicArn: | |
| default: SNS topic name | |
| NotificationEmail: | |
| default: Notification Email (optional) | |
| Parameters: | |
| AllSupported: | |
| Type: String | |
| Default: False | |
| Description: Indicates whether to record all supported resource types. | |
| AllowedValues: | |
| - True | |
| - False | |
| IncludeGlobalResourceTypes: | |
| Type: String | |
| Default: False | |
| Description: Indicates whether AWS Config records all supported global resource types. | |
| AllowedValues: | |
| - True | |
| - False | |
| ResourceTypes1: | |
| Type: String | |
| Description: First list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. | |
| Default: AWS::ACM::Certificate,AWS::AutoScaling::AutoScalingGroup,AWS::AutoScaling::LaunchConfiguration,AWS::AutoScaling::ScalingPolicy,AWS::AutoScaling::ScheduledAction,AWS::CloudTrail::Trail,AWS::CloudWatch::Alarm,AWS::CodePipeline::Pipeline,AWS::DynamoDB::Table,AWS::EC2::CustomerGateway,AWS::EC2::EIP,AWS::EC2::EgressOnlyInternetGateway,AWS::EC2::FlowLog,AWS::EC2::Host,AWS::EC2::Instance,AWS::EC2::InternetGateway,AWS::EC2::NatGateway,AWS::EC2::NetworkAcl,AWS::EC2::NetworkInterface,AWS::EC2::RouteTable,AWS::EC2::SecurityGroup,AWS::EC2::Subnet,AWS::EC2::VPC,AWS::EC2::VPCEndpoint,AWS::EC2::VPCEndpointService,AWS::EC2::VPCPeeringConnection,AWS::EC2::VPNConnection,AWS::EC2::VPNGateway,AWS::EC2::Volume,AWS::ElasticLoadBalancing::LoadBalancer,AWS::ElasticLoadBalancingV2::LoadBalancer,AWS::Elasticsearch::Domain,AWS::IAM::Group,AWS::IAM::Policy,AWS::IAM::Role,AWS::IAM::User,AWS::KMS::Key,AWS::Lambda::Function,AWS::RDS::DBCluster,AWS::RDS::DBClusterSnapshot,AWS::RDS::DBInstance,AWS::RDS::DBSecurityGroup,AWS::RDS::DBSnapshot,AWS::RDS::DBSubnetGroup,AWS::RDS::EventSubscription,AWS::Redshift::Cluster,AWS::Redshift::ClusterParameterGroup,AWS::Redshift::ClusterSecurityGroup,AWS::Redshift::ClusterSnapshot,AWS::Redshift::ClusterSubnetGroup,AWS::Redshift::EventSubscription,AWS::S3::AccountPublicAccessBlock,AWS::S3::Bucket,AWS::SNS::Topic,AWS::SQS::Queue,AWS::AccessAnalyzer::Analyzer,AWS::AmazonMQ::Broker,AWS::ApiGateway::RestApi,AWS::ApiGateway::Stage,AWS::ApiGatewayV2::Api,AWS::ApiGatewayV2::Stage,AWS::AppConfig::Application,AWS::AppConfig::ConfigurationProfile,AWS::AppConfig::Environment,AWS::AppSync::GraphQLApi,AWS::Athena::DataCatalog,AWS::Athena::WorkGroup,AWS::Backup::BackupPlan,AWS::Backup::BackupSelection,AWS::Backup::BackupVault,AWS::Backup::RecoveryPoint,AWS::Backup::ReportPlan,AWS::Batch::ComputeEnvironment,AWS::Batch::JobQueue,AWS::Cloud9::EnvironmentEC2,AWS::CloudFormation::Stack,AWS::CodeBuild::Project,AWS::CodeDeploy::Application,AWS::CodeDeploy::DeploymentConfig,AWS::CodeDeploy::DeploymentGroup,AWS::Config::ConformancePackCompliance,AWS::DMS::Certificate,AWS::DMS::EventSubscription,AWS::DMS::ReplicationInstance,AWS::DMS::ReplicationSubnetGroup,AWS::DMS::ReplicationTask,AWS::DataSync::LocationEFS,AWS::DataSync::LocationFSxLustre,AWS::DataSync::LocationFSxWindows,AWS::DataSync::LocationHDFS,AWS::DataSync::LocationNFS,AWS::DataSync::LocationObjectStorage,AWS::DataSync::LocationS3,AWS::DataSync::LocationSMB,AWS::DataSync::Task,AWS::EC2::LaunchTemplate,AWS::EC2::NetworkInsightsAccessScopeAnalysis,AWS::EC2::RegisteredHAInstance,AWS::EC2::TransitGateway,AWS::EC2::TransitGatewayAttachment,AWS::EC2::TransitGatewayRouteTable,AWS::ECR::RegistryPolicy,AWS::ECR::Repository | |
| ResourceTypes2: | |
| Type: String | |
| Description: Second list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail. | |
| Default: AWS::ECS::Cluster,AWS::ECS::Service,AWS::ECS::TaskDefinition,AWS::EFS::AccessPoint,AWS::EFS::FileSystem,AWS::EKS::Addon,AWS::EKS::Cluster,AWS::EKS::FargateProfile,AWS::EKS::IdentityProviderConfig,AWS::EMR::SecurityConfiguration,AWS::ElasticBeanstalk::Application,AWS::ElasticBeanstalk::ApplicationVersion,AWS::ElasticBeanstalk::Environment,AWS::ElasticLoadBalancingV2::Listener,AWS::EventSchemas::Discoverer,AWS::EventSchemas::Registry,AWS::EventSchemas::RegistryPolicy,AWS::EventSchemas::Schema,AWS::Events::ApiDestination,AWS::Events::Archive,AWS::Events::Connection,AWS::Events::Endpoint,AWS::Events::EventBus,AWS::Glue::Classifier,AWS::Glue::Job,AWS::Glue::MLTransform,AWS::GuardDuty::Detector,AWS::GuardDuty::Filter,AWS::GuardDuty::IPSet,AWS::GuardDuty::ThreatIntelSet,AWS::ImageBuilder::ContainerRecipe,AWS::ImageBuilder::DistributionConfiguration,AWS::ImageBuilder::InfrastructureConfiguration,AWS::Kinesis::Stream,AWS::Kinesis::StreamConsumer,AWS::KinesisAnalyticsV2::Application,AWS::Lightsail::Bucket,AWS::Lightsail::Certificate,AWS::Lightsail::Disk,AWS::Lightsail::StaticIp,AWS::MSK::Cluster,AWS::NetworkFirewall::Firewall,AWS::NetworkFirewall::FirewallPolicy,AWS::NetworkFirewall::RuleGroup,AWS::OpenSearch::Domain,AWS::QLDB::Ledger,AWS::RDS::GlobalCluster,AWS::RUM::AppMonitor,AWS::ResilienceHub::ResiliencyPolicy,AWS::Route53Resolver::ResolverEndpoint,AWS::Route53Resolver::ResolverRule,AWS::Route53Resolver::ResolverRuleAssociation,AWS::SES::ConfigurationSet,AWS::SES::ContactList,AWS::SES::Template,AWS::SSM::FileData,AWS::SageMaker::CodeRepository,AWS::SageMaker::EndpointConfig,AWS::SageMaker::Model,AWS::SageMaker::NotebookInstance,AWS::SageMaker::NotebookInstanceLifecycleConfig,AWS::SageMaker::Workteam,AWS::SecretsManager::Secret,AWS::ServiceCatalog::CloudFormationProduct,AWS::ServiceCatalog::CloudFormationProvisionedProduct,AWS::ServiceCatalog::Portfolio,AWS::ServiceDiscovery::HttpNamespace,AWS::ServiceDiscovery::PublicDnsNamespace,AWS::ServiceDiscovery::Service,AWS::ShieldRegional::Protection,AWS::StepFunctions::Activity,AWS::StepFunctions::StateMachine,AWS::Transfer::Workflow,AWS::WAFRegional::RateBasedRule,AWS::WAFRegional::Rule,AWS::WAFRegional::RuleGroup,AWS::WAFRegional::WebACL,AWS::WAFv2::IPSet,AWS::WAFv2::ManagedRuleSet,AWS::WAFv2::RegexPatternSet,AWS::WAFv2::RuleGroup,AWS::WAFv2::WebACL,AWS::XRay::EncryptionConfig | |
| DeliveryChannelName: | |
| Type: String | |
| Default: default | |
| Description: The name of the delivery channel. | |
| S3BucketName: | |
| Type: String | |
| Description: Central S3 bucket where AWS Config delivers configuration snapshots and history. | |
| Default: log-archive-aws-config | |
| AllowedPattern: ".+" | |
| S3KeyPrefix: | |
| Type: String | |
| Description: The prefix for the Amazon S3 bucket (optional). | |
| Default: aws-config-logs | |
| Frequency: | |
| Type: String | |
| Default: 24hours | |
| Description: The frequency with which AWS Config delivers configuration snapshots. | |
| AllowedValues: | |
| - Disabled | |
| - 1hour | |
| - 3hours | |
| - 6hours | |
| - 12hours | |
| - 24hours | |
| SNS: | |
| Type: String | |
| Default: False | |
| Description: Describes wether AWS Config sends SNS notifications. | |
| AllowedValues: | |
| - True | |
| - False | |
| TopicArn: | |
| Type: String | |
| Default: <New Topic> | |
| Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. Topic ARN must belong to the same Region where you will be deploying the Stack. | |
| NotificationEmail: | |
| Type: String | |
| Default: <None> | |
| Description: Email address for AWS Config notifications (for new topics). | |
| Conditions: | |
| IsAllSupported: !Equals | |
| - !Ref AllSupported | |
| - True | |
| IsGeneratedDeliveryChannelName: !Equals | |
| - !Ref DeliveryChannelName | |
| - <Generated> | |
| CreateBucket: !Equals | |
| - !Ref S3BucketName | |
| - <New Bucket> | |
| UsePrefix: !Not | |
| - !Equals | |
| - !Ref S3KeyPrefix | |
| - <No Prefix> | |
| DisableSnapshots: !Equals | |
| - !Ref Frequency | |
| - Disabled | |
| UseSNS: !Equals | |
| - !Ref SNS | |
| - True | |
| CreateTopic: !And | |
| - !Equals | |
| - !Ref TopicArn | |
| - <New Topic> | |
| - !Condition UseSNS | |
| CreateSubscription: !And | |
| - !Condition CreateTopic | |
| - !Not | |
| - !Equals | |
| - !Ref NotificationEmail | |
| - <None> | |
| Mappings: | |
| Settings: | |
| FrequencyMap: | |
| Disabled : TwentyFour_Hours | |
| 1hour : One_Hour | |
| 3hours : Three_Hours | |
| 6hours : Six_Hours | |
| 12hours : Twelve_Hours | |
| 24hours : TwentyFour_Hours | |
| Resources: | |
| ConfigBucket: | |
| Condition: CreateBucket | |
| DeletionPolicy: Retain | |
| Type: AWS::S3::Bucket | |
| Properties: | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| ConfigBucketPolicy: | |
| Condition: CreateBucket | |
| Type: AWS::S3::BucketPolicy | |
| Properties: | |
| Bucket: !Ref ConfigBucket | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Sid: AWSConfigBucketPermissionsCheck | |
| Effect: Allow | |
| Principal: | |
| Service: | |
| - config.amazonaws.com | |
| Action: s3:GetBucketAcl | |
| Resource: | |
| - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" | |
| - Sid: AWSConfigBucketExistenceCheck | |
| Effect: Allow | |
| Principal: | |
| Service: | |
| - config.amazonaws.com | |
| Action: s3:ListBucket | |
| Resource: | |
| - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}" | |
| - Sid: AWSConfigBucketDelivery | |
| Effect: Allow | |
| Principal: | |
| Service: | |
| - config.amazonaws.com | |
| Action: s3:PutObject | |
| Resource: !If | |
| - UsePrefix | |
| - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/${S3KeyPrefix}/AWSLogs/${AWS::AccountId}/*" | |
| - !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" | |
| Condition: | |
| StringLike: | |
| 's3:x-amz-acl': 'bucket-owner-full-control' | |
| ConfigTopic: | |
| Condition: CreateTopic | |
| Type: AWS::SNS::Topic | |
| Properties: | |
| TopicName: !Sub "config-topic-${AWS::AccountId}" | |
| DisplayName: AWS Config Notification Topic | |
| KmsMasterKeyId: "alias/aws/sns" | |
| ConfigTopicPolicy: | |
| Condition: CreateTopic | |
| Type: AWS::SNS::TopicPolicy | |
| Properties: | |
| Topics: | |
| - !Ref ConfigTopic | |
| PolicyDocument: | |
| Statement: | |
| - Sid: AWSConfigSNSPolicy | |
| Action: | |
| - sns:Publish | |
| Effect: Allow | |
| Resource: !Ref ConfigTopic | |
| Principal: | |
| Service: | |
| - config.amazonaws.com | |
| EmailNotification: | |
| Condition: CreateSubscription | |
| Type: AWS::SNS::Subscription | |
| Properties: | |
| Endpoint: !Ref NotificationEmail | |
| Protocol: email | |
| TopicArn: !Ref ConfigTopic | |
| ConfigRole: | |
| Type: AWS::IAM::ServiceLinkedRole | |
| Properties: | |
| AWSServiceName: config.amazonaws.com | |
| ConfigRecorder: | |
| Type: AWS::Config::ConfigurationRecorder | |
| Properties: | |
| RecordingGroup: | |
| AllSupported: !Ref AllSupported | |
| IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes | |
| ResourceTypes: !Split | |
| - ',' | |
| - !Join | |
| - ',' | |
| - - !Ref ResourceTypes1 | |
| - !Ref ResourceTypes2 | |
| RoleARN: | |
| Fn::Sub: | |
| "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" | |
| ConfigDeliveryChannel: | |
| Type: AWS::Config::DeliveryChannel | |
| Properties: | |
| Name: !If | |
| - IsGeneratedDeliveryChannelName | |
| - !Ref AWS::NoValue | |
| - !Ref DeliveryChannelName | |
| ConfigSnapshotDeliveryProperties: !If | |
| - DisableSnapshots | |
| - !Ref AWS::NoValue | |
| - DeliveryFrequency: !FindInMap | |
| - Settings | |
| - FrequencyMap | |
| - !Ref Frequency | |
| S3BucketName: !If | |
| - CreateBucket | |
| - !Ref ConfigBucket | |
| - !Ref S3BucketName | |
| S3KeyPrefix: !If | |
| - UsePrefix | |
| - !Ref S3KeyPrefix | |
| - !Ref AWS::NoValue | |
| SnsTopicARN: !If | |
| - UseSNS | |
| - !If | |
| - CreateTopic | |
| - !Ref ConfigTopic | |
| - !Ref TopicArn | |
| - !Ref AWS::NoValue |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment