########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
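# Quoted on purpose: a bare 2010-09-09 is an implicit timestamp for generic YAML
# parsers (it loads as a date, not a string); CloudFormation accepts either form.
AWSTemplateFormatVersion: '2010-09-09'
Description:
  This template enables AWS Config in the Control Tower Management account. - 'config_management_account' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s)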
Metadata:
  # Solution bookkeeping used by the SRA repo (deployment order within the solution set).
  SRA:
    # NOTE(review): bare 1.0 loads as a YAML float; quote it if any tooling compares it as a string — confirm.
    Version: 1.0
    Order: 3
  # Console-only presentation: groups and labels for the parameters declared below.
  # Every parameter listed here must exist under Parameters.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pManagedResourcePrefix
          - pAuditAccountId
          - pLogArchiveAccountId
          - pOrganizationId
          - pHomeRegion
      - Label:
          default: Config Recorder Properties
        Parameters:
          - pAllSupported
          - pIncludeGlobalResourceTypes
          - pResourceTypes
      - Label:
          default: Config Delivery Channel Properties
        Parameters:
          - pFrequency
          - pAllConfigTopicName
          - pKmsKeyArn
    # Human-readable names shown in place of the p* identifiers.
    ParameterLabels:
      pAllConfigTopicName:
        default: All Config SNS Topic Name
      pAllSupported:
        default: All Supported
      pAuditAccountId:
        default: Audit Account ID
      pFrequency:
        default: Frequency
      pHomeRegion:
        default: Control Tower Home Region
      pIncludeGlobalResourceTypes:
        default: Include Global Resource Types
      pKmsKeyArn:
        default: (Optional) KMS Key ARN
      pLogArchiveAccountId:
        default: Log Archive Account ID
      pManagedResourcePrefix:
        default: Managed Resource Prefix
      pOrganizationId:
        default: Organization ID
      pResourceTypes:
        default: (Optional) Resource Types
Parameters:
  # Fixed to the Control Tower-managed topic name; the topic is in the Audit account.
  pAllConfigTopicName:
    AllowedValues:
      - aws-controltower-AllConfigNotifications
    Default: aws-controltower-AllConfigNotifications
    Description: All Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
    Type: String
  # String-typed boolean: CloudFormation parameters have no Boolean type, so the
  # literal 'true'/'false' strings are compared in Conditions and Rules.
  pAllSupported:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
    Description: Indicates whether to record all supported resource types. If set to 'false', then the 'Resource Types' parameter must have a value.
    Type: String
  pAuditAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Control Tower Audit account.
    Type: String
  # Keys of mSettings.FrequencyMap; translated to the Config enumeration there.
  pFrequency:
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
    Default: 1hour
    Description: The frequency with which AWS Config delivers configuration snapshots.
    Type: String
  pHomeRegion:
    AllowedPattern: '^[a-z0-9-]{1,64}$'
    ConstraintDescription: AWS Region Example - 'us-east-1'
    Description: Name of the Control Tower home region
    Type: String
  pIncludeGlobalResourceTypes:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
    Description: Indicates whether AWS Config records all supported global resource types.
    Type: String
  # Empty string is accepted by the pattern and means "no customer key" (see cIsUsingKmsKey).
  pKmsKeyArn:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*)?:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: Key ARN example - arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
    Description: >-
      (Optional) KMS key ARN to use for encrypting the AWS Config configuration snapshots and history files when storing in the S3 bucket in the Log
      Archive account. If empty, snapshots and history files will be encrypted based on the Default Encryption setting of the S3 bucket.
    Type: String
  pLogArchiveAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Control Tower Log Archive account.
    Type: String
  # Fixed prefix shared with the Control Tower-created resources this template references.
  pManagedResourcePrefix:
    AllowedValues:
      - aws-controltower
    Default: aws-controltower
    Description: Prefix for the managed resources.
    Type: String
  pOrganizationId:
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567)
    Description: AWS Organizations ID
    Type: String
  # Empty, one type, or a comma-separated list of Service::Namespace::Type values
  # (", " is also accepted as a separator by the pattern).
  pResourceTypes:
    AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$'
    Description: >-
      (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is
      set to 'false', then this parameter becomes required.
    Type: String
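Rules:
  # Rejects the combination "record only a subset" + "no subset given" at
  # stack-creation time, so the recorder is never deployed with an empty
  # recording group.
  ResourceTypesValidation:
    # The assertion is only evaluated when pResourceTypes is empty.
    RuleCondition: !Equals [!Ref pResourceTypes, '']
    Assertions:
      # Message corrected to match the Assert: with no resource types the
      # deployment is only valid when 'All Supported' is 'true', so the failure
      # case is 'All Supported' = 'false' (consistent with the parameter descriptions).
      - AssertDescription: "'Resource Types' parameter is required if the 'All Supported' parameter is set to 'false'."
        Assert: !Equals [!Ref pAllSupported, 'true']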
Conditions:
  # True when every supported resource type is recorded (pResourceTypes is then ignored).
  cIsAllSupported: !Equals
    - !Ref pAllSupported
    - 'true'
  # True when a customer-managed KMS key ARN was supplied.
  cIsUsingKmsKey: !Not
    - !Equals
        - !Ref pKmsKeyArn
        - ''
  # True only in the Control Tower home region.
  cIsHomeRegion: !Equals
    - !Ref 'AWS::Region'
    - !Ref pHomeRegion
Mappings:
  mSettings:
    # Translates the user-facing pFrequency values into the DeliveryFrequency
    # enumeration consumed by rConfigDeliveryChannel (looked up with !FindInMap).
    FrequencyMap:
      1hour: One_Hour
      3hours: Three_Hours
      6hours: Six_Hours
      12hours: Twelve_Hours
      24hours: TwentyFour_Hours
Resources:
  # Authorizes the Audit account (for the home region) to aggregate this
  # account's AWS Config data.
  rAuthorizer:
    Type: AWS::Config::AggregationAuthorization
    Properties:
      AuthorizedAccountId: !Ref pAuditAccountId
      AuthorizedAwsRegion: !Ref pHomeRegion
  # Delivery channel: snapshots and history go to the Control Tower logging
  # bucket in the Log Archive account; notifications go to the Audit account topic.
  rConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: !Sub ${pManagedResourcePrefix}-BaselineConfigDeliveryChannel
      ConfigSnapshotDeliveryProperties:
        # pFrequency (e.g. 1hour) -> Config enumeration (e.g. One_Hour) via mSettings.FrequencyMap.
        DeliveryFrequency: !FindInMap
          - mSettings
          - FrequencyMap
          - !Ref pFrequency
      # The bucket is not created by this template; the name follows the
      # aws-controltower-logs-<log archive account>-<home region> convention.
      S3BucketName: !Sub aws-controltower-logs-${pLogArchiveAccountId}-${pHomeRegion}
      # Objects are prefixed with the Organization ID.
      S3KeyPrefix: !Ref pOrganizationId
      # Omitted entirely when pKmsKeyArn is empty, so the bucket's default
      # encryption applies (see pKmsKeyArn description).
      S3KmsKeyArn: !If
        - cIsUsingKmsKey
        - !Ref pKmsKeyArn
        - !Ref AWS::NoValue
      # Topic is in the Audit account, in the region the stack is deployed to.
      SnsTopicARN: !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${pAuditAccountId}:${pAllConfigTopicName}
  rConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Sub ${pManagedResourcePrefix}-BaselineConfigRecorder
      # Role is referenced by name only and is not created here; presumably
      # provisioned by Control Tower under the same prefix — confirm it exists
      # before deploying.
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pManagedResourcePrefix}-ConfigRecorderRole
      RecordingGroup:
        AllSupported: !Ref pAllSupported
        # Set only in the home region; in every other region the property is
        # omitted (presumably to avoid recording global types once per region).
        IncludeGlobalResourceTypes: !If
          - cIsHomeRegion
          - !Ref pIncludeGlobalResourceTypes
          - !Ref AWS::NoValue
        # Explicit types are only passed when AllSupported is 'false'.
        # NOTE(review): pResourceTypes is a String parameter while ResourceTypes
        # is a list property — confirm CloudFormation accepts the comma-separated
        # value as-is (a CommaDelimitedList type or !Split may be needed).
        ResourceTypes: !If
          - cIsAllSupported
          - !Ref AWS::NoValue
          - !Ref pResourceTypes
Outputs:
  # Names of the created channel and recorder, exposed for operators and
  # dependent stacks.
  oConfigDeliveryChannel:
    Description: AWS Config Delivery Channel
    Value: !Ref rConfigDeliveryChannel
  oConfigRecorder:
    Description: AWS Config Recorder
    Value: !Ref rConfigRecorder