diff --git a/rdk/template/configManagedRule.json b/rdk/template/configManagedRule.json index 665aed4..ecdfd4c 100644 --- a/rdk/template/configManagedRule.json +++ b/rdk/template/configManagedRule.json @@ -39,10 +39,14 @@ } }, "Conditions": { - "AllResources": { + "RemoveEventScope": { "Fn::Or": [ { - "Condition": "EventTriggered" + "Fn::Not": [ + { + "Condition": "EventTriggered" + } + ] }, { "Fn::Equals": [ @@ -101,14 +105,14 @@ }, "Scope": { "Fn::If": [ - "AllResources", + "RemoveEventScope", + { + "Ref": "AWS::NoValue" + }, { "ComplianceResourceTypes": { "Ref": "SourceEvents" } - }, - { - "Ref": "AWS::NoValue" } ] }, diff --git a/rdk/template/configManagedRuleOrganization.json b/rdk/template/configManagedRuleOrganization.json index b2a26d9..eeb2c37 100644 --- a/rdk/template/configManagedRuleOrganization.json +++ b/rdk/template/configManagedRuleOrganization.json @@ -44,10 +44,14 @@ } }, "Conditions": { - "AllResources": { + "RemoveEventScope": { "Fn::Or": [ { - "Condition": "EventTriggered" + "Fn::Not": [ + { + "Condition": "EventTriggered" + } + ] }, { "Fn::Equals": [ @@ -68,7 +72,14 @@ "Fn::Not": [ { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "SourceEvents" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "SourceEvents" + } + ] + }, "NONE" ] } @@ -90,7 +101,14 @@ "Fn::Not": [ { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "ExcludedAccounts" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "ExcludedAccounts" + } + ] + }, "" ] } @@ -116,12 +134,12 @@ }, "ResourceTypesScope": { "Fn::If": [ - "AllResources", + "RemoveEventScope", { - "Ref": "SourceEvents" + "Ref": "AWS::NoValue" }, { - "Ref": "AWS::NoValue" + "Ref": "SourceEvents" } ] }, diff --git a/rdk/template/configManagedRuleWithRemediation.json b/rdk/template/configManagedRuleWithRemediation.json index 5d3316c..ecdfd4c 100644 --- a/rdk/template/configManagedRuleWithRemediation.json +++ b/rdk/template/configManagedRuleWithRemediation.json 
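Review bot: The new `RemoveEventScope` condition only recognises `ALL` when it is the sole entry of `SourceEvents`: the `Fn::Join` of a list such as `AWS::EC2::Instance,ALL` never equals `"ALL"`, so in that case the literal `ALL` is passed through to `ComplianceResourceTypes` (`ResourceTypesScope` in the organization template), where it is not a valid resource type and the stack fails at deploy time rather than at validation. The template cannot express that constraint, so whatever assembles the `SourceEvents` parameter should reject mixing `ALL` with concrete types, or the parameter's description should state that `ALL` must stand alone. The same condition is introduced in configManagedRuleOrganization.json on this line and in the hunks for configManagedRuleWithRemediation.json, configRule.json and configRuleOrganization.json on the following lines. Since this renames `AllResources`, any remaining reference to the old name outside these hunks would be an `Fn::If` on an undefined condition, which fails stack validation, so a search of the other templates for `AllResources` is worth doing before merge.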
@@ -39,12 +39,25 @@ } }, "Conditions": { - "AllResources": { + "RemoveEventScope": { "Fn::Or": [ - { "Condition": "EventTriggered" }, + { + "Fn::Not": [ + { + "Condition": "EventTriggered" + } + ] + }, { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "SourceEvents" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "SourceEvents" + } + ] + }, "ALL" ] } @@ -92,9 +105,15 @@ }, "Scope": { "Fn::If": [ - "AllResources", - { "ComplianceResourceTypes": { "Ref": "SourceEvents" } }, - { "Ref": "AWS::NoValue" } + "RemoveEventScope", + { + "Ref": "AWS::NoValue" + }, + { + "ComplianceResourceTypes": { + "Ref": "SourceEvents" + } + } ] }, "MaximumExecutionFrequency": { diff --git a/rdk/template/configRule.json b/rdk/template/configRule.json index 346bcb1..fba3655 100644 --- a/rdk/template/configRule.json +++ b/rdk/template/configRule.json @@ -1,7 +1,6 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation template to create custom AWS Config rules. You will be billed for the AWS resources used if you create a stack from this template.", - "Parameters": { "RuleName": { "Description": "Name of the Rule", 
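Review bot: The file header for configManagedRuleWithRemediation.json reads `index 5d3316c..ecdfd4c`, and `ecdfd4c` is also the new blob of configManagedRule.json (`index 665aed4..ecdfd4c`), so after this commit the two templates are byte-identical. Either the remediation-specific content this file is named for has been dropped by the reformat, or the two files are duplicates and one should be removed or generated from the other. This is worth confirming against the code that selects a template per rule type, which is outside this diff.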
@@ -92,41 +91,117 @@ } }, "Conditions": { - "AllResources": { + "RemoveEventScope": { "Fn::Or": [ - { "Condition": "EventTriggered" }, + { + "Fn::Not": [ + { + "Condition": "EventTriggered" + } + ] + }, { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "SourceEvents" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "SourceEvents" + } + ] + }, "ALL" ] } ] }, - "CreateNewLambdaRole": { "Fn::Equals": [{ "Ref": "LambdaRoleArn" }, ""] }, + "CreateNewLambdaRole": { + "Fn::Equals": [ + { + "Ref": "LambdaRoleArn" + }, + "" + ] + }, "UseBoundaryPolicyInRole": { - "Fn::Not": [{ "Fn::Equals": [{ "Ref": "BoundaryPolicyArn" }, ""] }] + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "BoundaryPolicyArn" + }, + "" + ] + } + ] }, "EventTriggered": { "Fn::Not": [ { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "SourceEvents" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "SourceEvents" + } + ] + }, "NONE" ] } ] }, "PeriodicTriggered": { - "Fn::Not": [{ "Fn::Equals": [{ "Ref": "SourcePeriodic" }, "NONE"] }] + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "SourcePeriodic" + }, + "NONE" + ] + } + ] }, "UseAdditionalLayers": { - "Fn::Not": [{ "Fn::Equals": [{ "Ref": "Layers" }, ""] }] + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "Layers" + }, + "" + ] + } + ] }, "UseVpcConfig": { "Fn::And": [ - { "Fn::Not": [{ "Fn::Equals": [{ "Ref": "SecurityGroupIds" }, ""] }] }, - { "Fn::Not": [{ "Fn::Equals": [{ "Ref": "SubnetIds" }, ""] }] } + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "SecurityGroupIds" + }, + "" + ] + } + ] + }, + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "SubnetIds" + }, + "" + ] + } + ] + } ] } }, 
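Review bot: `UseVpcConfig` is true only when both `SecurityGroupIds` and `SubnetIds` are non-empty, so a deployment that sets just one of them silently produces a Lambda with no `VpcConfig` instead of a failed stack; for a rule that is meant to run inside a VPC that is a quiet loss of a network control. A top-level `Rules` section asserting that the two parameters are either both empty or both set turns this into a validation error at stack creation. The behaviour is pre-existing and the reformat merely exposes it; the same condition appears in the configRuleOrganization.json hunk on a later line. The `Rules` section below would sit beside `Conditions` at the top level of the template.
```json
"Rules": {
  "VpcConfigComplete": {
    "Assertions": [
      {
        "Assert": {
          "Fn::Or": [
            {
              "Fn::And": [
                { "Fn::Equals": [ { "Ref": "SecurityGroupIds" }, "" ] },
                { "Fn::Equals": [ { "Ref": "SubnetIds" }, "" ] }
              ]
            },
            {
              "Fn::And": [
                { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "SecurityGroupIds" }, "" ] } ] },
                { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "SubnetIds" }, "" ] } ] }
              ]
            }
          ]
        },
        "AssertDescription": "SecurityGroupIds and SubnetIds must be set together or both left empty"
      }
    ]
  }
}
```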
@@ -134,33 +209,65 @@ "rdkRuleCodeLambda": { "Type": "AWS::Lambda::Function", "Properties": { - "FunctionName": { "Ref": "RuleLambdaName" }, + "FunctionName": { + "Ref": "RuleLambdaName" + }, "Code": { - "S3Bucket": { "Ref": "SourceBucket" }, + "S3Bucket": { + "Ref": "SourceBucket" + }, "S3Key": { "Fn::Join": [ "", - [{ "Ref": "RuleName" }, "/", { "Ref": "RuleName" }, ".zip"] + [ + { + "Ref": "RuleName" + }, + "/", + { + "Ref": "RuleName" + }, + ".zip" + ] ] } }, "Description": "Create a new AWS lambda function for rule code", - "Handler": { "Ref": "SourceHandler" }, + "Handler": { + "Ref": "SourceHandler" + }, "MemorySize": "256", "Role": { "Fn::If": [ "CreateNewLambdaRole", - { "Fn::GetAtt": ["rdkLambdaRole", "Arn"] }, - { "Ref": "LambdaRoleArn" } + { + "Fn::GetAtt": ["rdkLambdaRole", "Arn"] + }, + { + "Ref": "LambdaRoleArn" + } ] }, - "Runtime": { "Ref": "SourceRuntime" }, - "Timeout": { "Ref": "Timeout" }, + "Runtime": { + "Ref": "SourceRuntime" + }, + "Timeout": { + "Ref": "Timeout" + }, "Layers": { "Fn::If": [ "UseAdditionalLayers", - { "Fn::Split": [",", { "Ref": "Layers" }] }, - { "Ref": "AWS::NoValue" } + { + "Fn::Split": [ + ",", + { + "Ref": "Layers" + } + ] + }, + { + "Ref": "AWS::NoValue" + } ] }, "VpcConfig": { @@ -168,11 +275,25 @@ "UseVpcConfig", { "SecurityGroupIds": { - "Fn::Split": [",", { "Ref": "SecurityGroupIds" }] + "Fn::Split": [ + ",", + { + "Ref": "SecurityGroupIds" + } + ] }, - "SubnetIds": { "Fn::Split": [",", { "Ref": "SubnetIds" }] } + "SubnetIds": { + "Fn::Split": [ + ",", + { + "Ref": "SubnetIds" + } + ] + } }, - { "Ref": "AWS::NoValue" } + { + "Ref": "AWS::NoValue" + } ] } } @@ -181,7 +302,9 @@ "Type": "AWS::Lambda::Permission", "DependsOn": "rdkRuleCodeLambda", "Properties": { - "FunctionName": { "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] }, + "FunctionName": { + "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] + }, "Action": "lambda:InvokeFunction", "Principal": "config.amazonaws.com" } 
@@ -190,18 +313,30 @@ "Type": "AWS::Config::ConfigRule", "DependsOn": ["ConfigPermissionToCallrdkRuleCodeLambda"], "Properties": { - "ConfigRuleName": { "Ref": "RuleName" }, - "Description": { "Ref": "Description" }, + "ConfigRuleName": { + "Ref": "RuleName" + }, + "Description": { + "Ref": "Description" + }, "Scope": { "Fn::If": [ - "AllResources", - { "ComplianceResourceTypes": { "Ref": "SourceEvents" } }, - { "Ref": "AWS::NoValue" } + "RemoveEventScope", + { + "Ref": "AWS::NoValue" + }, + { + "ComplianceResourceTypes": { + "Ref": "SourceEvents" + } + } ] }, "Source": { "Owner": "CUSTOM_LAMBDA", - "SourceIdentifier": { "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] }, + "SourceIdentifier": { + "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] + }, "SourceDetails": [ { "Fn::If": [ @@ -210,7 +345,9 @@ "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" }, - { "Ref": "AWS::NoValue" } + { + "Ref": "AWS::NoValue" + } ] }, { @@ -220,7 +357,9 @@ "EventSource": "aws.config", "MessageType": "OversizedConfigurationItemChangeNotification" }, - { "Ref": "AWS::NoValue" } + { + "Ref": "AWS::NoValue" + } ] }, { @@ -229,14 +368,20 @@ { "EventSource": "aws.config", "MessageType": "ScheduledNotification", - "MaximumExecutionFrequency": { "Ref": "SourcePeriodic" } + "MaximumExecutionFrequency": { + "Ref": "SourcePeriodic" + } }, - { "Ref": "AWS::NoValue" } + { + "Ref": "AWS::NoValue" + } ] } ] }, - "InputParameters": { "Ref": "SourceInputParameters" } + "InputParameters": { + "Ref": "SourceInputParameters" + } } }, "rdkLambdaRole": { @@ -247,8 +392,12 @@ "PermissionsBoundary": { "Fn::If": [ "UseBoundaryPolicyInRole", - { "Ref": "BoundaryPolicyArn" }, - { "Ref": "AWS::NoValue" } + { + "Ref": "BoundaryPolicyArn" + }, + { + "Ref": "AWS::NoValue" + } ] }, "AssumeRolePolicyDocument": { 
@@ -257,7 +406,9 @@ { "Sid": "AllowLambdaAssumeRole", "Effect": "Allow", - "Principal": { "Service": "lambda.amazonaws.com" }, + "Principal": { + "Service": "lambda.amazonaws.com" + }, "Action": "sts:AssumeRole" } ] @@ -302,16 +453,19 @@ } ], "ManagedPolicyArns": [ - { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" } + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" + } ] } } }, - "Outputs": { "RuleCodeLambda": { "Description": "ARN for the Rule Code lambda", - "Value": { "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] } + "Value": { + "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] + } } } } diff --git a/rdk/template/configRuleOrganization.json b/rdk/template/configRuleOrganization.json index b802c26..bb6dad9 100644 --- a/rdk/template/configRuleOrganization.json +++ b/rdk/template/configRuleOrganization.json @@ -1,7 +1,6 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation template to create custom AWS Config rules. You will be billed for the AWS resources used if you create a stack from this template.", - "Parameters": { "RuleName": { "Description": "Name of the Rule", 
@@ -97,48 +96,131 @@ } }, "Conditions": { - "AllResources": { + "RemoveEventScope": { "Fn::Or": [ - { "Condition": "EventTriggered" }, + { + "Fn::Not": [ + { + "Condition": "EventTriggered" + } + ] + }, { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "SourceEvents" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "SourceEvents" + } + ] + }, "ALL" ] } ] }, - "CreateNewLambdaRole": { "Fn::Equals": [{ "Ref": "LambdaRoleArn" }, ""] }, + "CreateNewLambdaRole": { + "Fn::Equals": [ + { + "Ref": "LambdaRoleArn" + }, + "" + ] + }, "UseBoundaryPolicyInRole": { - "Fn::Not": [{ "Fn::Equals": [{ "Ref": "BoundaryPolicyArn" }, ""] }] + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "BoundaryPolicyArn" + }, + "" + ] + } + ] }, "EventTriggered": { "Fn::Not": [ { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "SourceEvents" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "SourceEvents" + } + ] + }, "NONE" ] } ] }, "PeriodicTriggered": { - "Fn::Not": [{ "Fn::Equals": [{ "Ref": "SourcePeriodic" }, "NONE"] }] + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "SourcePeriodic" + }, + "NONE" + ] + } + ] }, "UseAdditionalLayers": { - "Fn::Not": [{ "Fn::Equals": [{ "Ref": "Layers" }, ""] }] + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "Layers" + }, + "" + ] + } + ] }, "UseVpcConfig": { "Fn::And": [ - { "Fn::Not": [{ "Fn::Equals": [{ "Ref": "SecurityGroupIds" }, ""] }] }, - { "Fn::Not": [{ "Fn::Equals": [{ "Ref": "SubnetIds" }, ""] }] } + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "SecurityGroupIds" + }, + "" + ] + } + ] + }, + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "SubnetIds" + }, + "" + ] + } + ] + } ] }, "ExcludedAccountsPresent": { "Fn::Not": [ { "Fn::Equals": [ - { "Fn::Join": [",", { "Ref": "ExcludedAccounts" }] }, + { + "Fn::Join": [ + ",", + { + "Ref": "ExcludedAccounts" + } + ] + }, "" ] } 
@@ -149,33 +231,65 @@ "rdkRuleCodeLambda": { "Type": "AWS::Lambda::Function", "Properties": { - "FunctionName": { "Ref": "RuleLambdaName" }, + "FunctionName": { + "Ref": "RuleLambdaName" + }, "Code": { - "S3Bucket": { "Ref": "SourceBucket" }, + "S3Bucket": { + "Ref": "SourceBucket" + }, "S3Key": { "Fn::Join": [ "", - [{ "Ref": "RuleName" }, "/", { "Ref": "RuleName" }, ".zip"] + [ + { + "Ref": "RuleName" + }, + "/", + { + "Ref": "RuleName" + }, + ".zip" + ] ] } }, "Description": "Create a new AWS lambda function for rule code", - "Handler": { "Ref": "SourceHandler" }, + "Handler": { + "Ref": "SourceHandler" + }, "MemorySize": "256", "Role": { "Fn::If": [ "CreateNewLambdaRole", - { "Fn::GetAtt": ["rdkLambdaRole", "Arn"] }, - { "Ref": "LambdaRoleArn" } + { + "Fn::GetAtt": ["rdkLambdaRole", "Arn"] + }, + { + "Ref": "LambdaRoleArn" + } ] }, - "Runtime": { "Ref": "SourceRuntime" }, - "Timeout": { "Ref": "Timeout" }, + "Runtime": { + "Ref": "SourceRuntime" + }, + "Timeout": { + "Ref": "Timeout" + }, "Layers": { "Fn::If": [ "UseAdditionalLayers", - { "Fn::Split": [",", { "Ref": "Layers" }] }, - { "Ref": "AWS::NoValue" } + { + "Fn::Split": [ + ",", + { + "Ref": "Layers" + } + ] + }, + { + "Ref": "AWS::NoValue" + } ] }, "VpcConfig": { @@ -183,11 +297,25 @@ "UseVpcConfig", { "SecurityGroupIds": { - "Fn::Split": [",", { "Ref": "SecurityGroupIds" }] + "Fn::Split": [ + ",", + { + "Ref": "SecurityGroupIds" + } + ] }, - "SubnetIds": { "Fn::Split": [",", { "Ref": "SubnetIds" }] } + "SubnetIds": { + "Fn::Split": [ + ",", + { + "Ref": "SubnetIds" + } + ] + } }, - { "Ref": "AWS::NoValue" } + { + "Ref": "AWS::NoValue" + } ] } } @@ -196,7 +324,9 @@ "Type": "AWS::Lambda::Permission", "DependsOn": "rdkRuleCodeLambda", "Properties": { - "FunctionName": { "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] }, + "FunctionName": { + "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] + }, "Action": "lambda:InvokeFunction", "Principal": "config.amazonaws.com" } 
@@ -205,16 +335,28 @@ "Type": "AWS::Config::OrganizationConfigRule", "DependsOn": ["ConfigPermissionToCallrdkRuleCodeLambda"], "Properties": { - "OrganizationConfigRuleName": { "Ref": "RuleName" }, + "OrganizationConfigRuleName": { + "Ref": "RuleName" + }, "OrganizationCustomRuleMetadata": { - "Description": { "Ref": "Description" }, - "InputParameters": { "Ref": "SourceInputParameters" }, - "LambdaFunctionArn": { "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] }, + "Description": { + "Ref": "Description" + }, + "InputParameters": { + "Ref": "SourceInputParameters" + }, + "LambdaFunctionArn": { + "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] + }, "ResourceTypesScope": { "Fn::If": [ - "AllResources", - { "Ref": "SourceEvents" }, - { "Ref": "AWS::NoValue" } + "RemoveEventScope", + { + "Ref": "AWS::NoValue" + }, + { + "Ref": "SourceEvents" + } ] }, "OrganizationConfigRuleTriggerTypes": { @@ -230,16 +372,24 @@ "MaximumExecutionFrequency": { "Fn::If": [ "PeriodicTriggered", - { "Ref": "SourcePeriodic" }, - { "Ref": "AWS::NoValue" } + { + "Ref": "SourcePeriodic" + }, + { + "Ref": "AWS::NoValue" + } ] } }, "ExcludedAccounts": { "Fn::If": [ "ExcludedAccountsPresent", - { "Ref": "ExcludedAccounts" }, - { "Ref": "AWS::NoValue" } + { + "Ref": "ExcludedAccounts" + }, + { + "Ref": "AWS::NoValue" + } ] } } @@ -252,8 +402,12 @@ "PermissionsBoundary": { "Fn::If": [ "UseBoundaryPolicyInRole", - { "Ref": "BoundaryPolicyArn" }, - { "Ref": "AWS::NoValue" } + { + "Ref": "BoundaryPolicyArn" + }, + { + "Ref": "AWS::NoValue" + } ] }, "AssumeRolePolicyDocument": { @@ -262,7 +416,9 @@ { "Sid": "AllowLambdaAssumeRole", "Effect": "Allow", - "Principal": { "Service": "lambda.amazonaws.com" }, + "Principal": { + "Service": "lambda.amazonaws.com" + }, "Action": "sts:AssumeRole" } ] 
@@ -307,16 +463,19 @@ } ], "ManagedPolicyArns": [ - { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" } + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" + } ] } } }, - "Outputs": { "RuleCodeLambda": { "Description": "ARN for the Rule Code lambda", - "Value": { "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] } + "Value": { + "Fn::GetAtt": ["rdkRuleCodeLambda", "Arn"] + } } } }