Last active
February 18, 2024 21:58
-
-
Save tomofuminijo/2ae66e81ef57af6321681743cdf9de6b to your computer and use it in GitHub Desktop.
Enabled Config Recorder for Any Accounts, all regions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: Enable AWS Config | |
| Parameters: | |
| AuditS3BucketName: | |
| Type: String | |
| OrganizationId: | |
| Type: String | |
| Resources: | |
| ServiceLinkedRoleForConfig: | |
| Type: 'AWS::IAM::ServiceLinkedRole' | |
| DeletionPolicy: Retain | |
| Properties: | |
| AWSServiceName: config.amazonaws.com | |
| Description: A service-linked role required for AWS Config to access your resources. | |
| ConfigRecorder: | |
| Type: AWS::Config::ConfigurationRecorder | |
| Properties: | |
| Name: 'default' | |
| RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig | |
| RecordingGroup: | |
| AllSupported: true | |
| IncludeGlobalResourceTypes: true | |
| ConfigDeliveryChannel: | |
| Type: AWS::Config::DeliveryChannel | |
| Properties: | |
| Name: 'default' | |
| S3BucketName: !Ref AuditS3BucketName | |
| S3KeyPrefix: !Ref OrganizationId |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| CONFIG_BUCKET_NAME=<your_config_bucket> | |
| ORGANIZATION_ID=<your_organization_id> | |
| OU_ID=<your_ou_id> # ou_id is such like ou-xxxx-xxxxxxxx | |
| STACK_SET_NAME=<your_stack_set_name> | |
| TEMPLATE_FILE=config-recorder-enabled.yaml | |
| OPERATION_REGION_ID=us-east-1 | |
| # Crete stack set | |
| aws cloudformation create-stack-set --stack-set-name $STACK_SET_NAME \ | |
| --template-body file://$TEMPLATE_FILE \ | |
| --parameters ParameterKey=AuditS3BucketName,ParameterValue=$CONFIG_BUCKET_NAME ParameterKey=OrganizationId,ParameterValue=$ORGANIZATION_ID \ | |
| --region $OPERATION_REGION_ID | |
| # Get target account ids | |
| accounts=$(aws organizations list-children --parent-id $OU_ID --child-type=ACCOUNT --query "Children[].Id" --region $OPERATION_REGION_ID --output text) | |
| # Get all regions does not work fine. eu-north-1 does not support stacksets | |
| #regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --region $OPERATION_REGION_ID --output text) | |
| # Explicitly define the regions (exclude eu-north-1) | |
| regions="ap-south-1 eu-west-3 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2" | |
| # Crete Stack Instances | |
| operationid=$(aws cloudformation create-stack-instances \ | |
| --stack-set-name $STACK_SET_NAME \ | |
| --accounts $accounts \ | |
| --regions $regions \ | |
| --operation-preferences MaxConcurrentCount=10 \ | |
| --region $OPERATION_REGION_ID \ | |
| --query "OperationId" \ | |
| --output text) | |
| aws cloudformation describe-stack-set-operation --stack-set-name $STACK_SET_NAME --operation-id $operationid --region $OPERATION_REGION_ID |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment