diff --git a/cloudformation/AWSConfigAggregator-Template.yaml b/cloudformation/AWSConfigAggregator-Template.yaml deleted file mode 100644 index 6fb892d..0000000 --- a/cloudformation/AWSConfigAggregator-Template.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -# Copyright 2021 Chris Farris -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -AWSTemplateFormatVersion: '2010-09-09' -Description: Configure The Organizational Config Service Aggregator and Conformance Pack Infrastructure -# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AWSConfigAggregator-Template.yaml - -Parameters: - - pOrganizationConformancePackBucketSuffix: - Description: Suffix to append to awsconfigconforms when creating the bucket - Type: String - - pOrganizationId: - Description: AWS Organization ID - Type: String - - pCreateBucket: - Description: If true, the ConformancePackResults Bucket is created - Type: String - AllowedValues: - - "true" - - "false" - Default: "true" - -Conditions: - CreateBucket: !Equals [ !Ref pCreateBucket, "true" ] - -Resources: - - ConformancePackDeliveryS3Bucket: - Type: AWS::S3::Bucket - Condition: CreateBucket - Properties: - BucketName: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}" - AccessControl: Private - # LoggingConfiguration: - # DestinationBucketName: - # Ref: pLoggingBucket - # LogFilePrefix: !Join ['', ['S3logs/', !Ref pBucketName, '/']] - # VersioningConfiguration: - # Status: Disabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 - - ConformancePackDeliveryS3BucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Sub 
"awsconfigconforms-${pOrganizationConformancePackBucketSuffix}" - PolicyDocument: - Statement: - - Sid: AllowGetObject - Effect: Allow - Principal: '*' - Action: - - s3:getObject - - s3:PutObject - Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}/*" - Condition: - StringEquals: - aws:PrincipalOrgID: !Ref pOrganizationId - - Sid: AllowGetBucketAcl - Effect: Allow - Principal: '*' - Action: - - s3:GetBucketAcl - Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}" - Condition: - StringEquals: - aws:PrincipalOrgID: !Ref pOrganizationId - - # Why they don't have a service linked role here is beyond me - ConfigAggregatorRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Sub "aws-config-aggregator-role-${AWS::StackName}" - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: config.amazonaws.com - Action: - - sts:AssumeRole - Path: /service-role/ - ManagedPolicyArns: - - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations - - # Create the Aggregator - ConfigAggregator: - Type: AWS::Config::ConfigurationAggregator - Properties: - ConfigurationAggregatorName: !Sub "${AWS::StackName}-Aggregator" - OrganizationAggregationSource: - AllAwsRegions: True - RoleArn: !GetAtt ConfigAggregatorRole.Arn - -Outputs: - TemplateVersion: - Value: "1.0.0" diff --git a/cloudformation/AWSConfigBucket-Template.yaml b/cloudformation/AWSConfigBucket-Template.yaml new file mode 100644 index 0000000..76eca92 --- /dev/null +++ b/cloudformation/AWSConfigBucket-Template.yaml 
@@ -0,0 +1,95 @@ +# Copyright 2021-2023 Chris Farris +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy S3 Bucket for recieving Events from AWS Config Recorder + +# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AWSConfigBucket-Template.yaml + +Parameters: + + pBucketName: + Description: Name of the bucket to create for storing the CloudTrail or Config Events + Type: String + AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" + + pTransitionToIADays: + Description: Days after object creation before the object is transitioned to InfrequentAccess (Must be >= 30) + Type: String + Default: 30 + + +Resources: + + Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: + AccessControl: LogDeliveryWrite + BucketName: !Ref 'pBucketName' + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerPreferred + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 + VersioningConfiguration: + Status: Enabled + PublicAccessBlockConfiguration: + BlockPublicAcls: True + BlockPublicPolicy: True + IgnorePublicAcls: True + RestrictPublicBuckets: False # This rule also prohibits Cross-Account bucket access + LifecycleConfiguration: + Rules: + - Id: InfrequentAccessRule + Prefix: AWSLogs + Status: Enabled + Transitions: + - TransitionInDays: !Ref pTransitionToIADays + StorageClass: STANDARD_IA + + 
EventsS3BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref Bucket + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: AWSServiceAclCheck + Effect: Allow + Principal: + Service: config.amazonaws.com + Action: s3:GetBucketAcl + Resource: !Sub "arn:aws:s3:::${pBucketName}" + - Sid: AWSServiceWrite + Effect: Allow + Principal: + Service: config.amazonaws.com + Action: s3:PutObject + Resource: !Sub "arn:aws:s3:::${pBucketName}/AWSLogs/*" + Condition: + StringEquals: + s3:x-amz-acl: bucket-owner-full-control + + +Outputs: + + LogBucket: + Value: !Ref Bucket + Description: Bucket Name where Config events sent. + + TemplateVersion: + Value: 1.0.0 diff --git a/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml b/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml index 5319fdc..8e45d3a 100644 --- a/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml +++ b/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml @@ -1,4 +1,4 @@ -# Copyright 2021 Chris Farris +# Copyright 2021-2023 Chris Farris # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,6 +32,10 @@ Parameters: Type: String Default: https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/AWSConfigRecorder-Template.yaml + pTemplateObjectVersion: + Description: Version ID of the Template to Deploy + Type: String + pAWSOrgUnit: Description: AWS Organizations OU to deploy this stackset to. Probably should be the root OU Type: String diff --git a/cloudformation/AWSConfigRecorder-Template.yaml b/cloudformation/AWSConfigRecorder-Template.yaml index 9a223de..2328c12 100644 --- a/cloudformation/AWSConfigRecorder-Template.yaml +++ b/cloudformation/AWSConfigRecorder-Template.yaml 
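Review bot: Both statements in `EventsS3BucketPolicy` grant `config.amazonaws.com` without scoping which account's Config service may act, so any AWS account that points its recorder at this bucket name can write under `AWSLogs/*` (the documented AWS Config bucket-policy guidance adds an `AWS:SourceAccount` condition for this reason). For an organization-wide bucket the cleanest scope is `aws:SourceOrgID` against an org-ID parameter, which the `pOrganizationId` parameter from the removed aggregator template already modelled; per-account deployments can list accounts in `aws:SourceAccount` instead. Separately, `pTransitionToIADays` is declared `Type: String` but the description says it must be >= 30, so `Type: Number` with `MinValue: 30` lets CloudFormation enforce it, and the Description has a typo ("recieving").
```yaml
Parameters:
  # … unchanged: pBucketName, pTransitionToIADays …
  pOrganizationId:
    Description: AWS Organization ID whose Config recorders may deliver to this bucket
    Type: String

# … unchanged: Bucket resource …

        Statement:
          - Sid: AWSServiceAclCheck
            # … unchanged: Effect, Principal, Action, Resource …
            Condition:
              StringEquals:
                aws:SourceOrgID: !Ref pOrganizationId
          - Sid: AWSServiceWrite
            # … unchanged: Effect, Principal, Action, Resource …
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceOrgID: !Ref pOrganizationId
```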
@@ -1,4 +1,4 @@ -# Copyright 2021 Chris Farris +# Copyright 2021-2023 Chris Farris # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ Parameters: Type: String Conditions: - CreateAggregationAuthorization: !Not [!Equals [ !Ref pAggregationRegion, "NONE"]] + CreateAggregationAuthorization: !Equals [ !Ref "AWS::Region", !Ref pAggregationRegion ] CreateServiceLinkedRole: !Equals [ !Ref "AWS::Region", "us-east-1"] cIncludeGlobalResourceTypes: !Equals [ !Ref "AWS::Region", "us-east-1"] @@ -80,6 +80,34 @@ Resources: Properties: AWSServiceName: config.amazonaws.com + # Why they don't have a service linked role here is beyond me + ConfigAggregatorRole: + Condition: CreateAggregationAuthorization + Type: AWS::IAM::Role + Properties: + # RoleName: !Sub "aws-config-aggregator-role-${AWS::StackName}" + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: config.amazonaws.com + Action: + - sts:AssumeRole + Path: /service-role/ + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations + + # Create the Aggregator + ConfigAggregator: + Type: AWS::Config::ConfigurationAggregator + Condition: CreateAggregationAuthorization + Properties: + ConfigurationAggregatorName: !Sub "${AWS::StackName}-Aggregator" + OrganizationAggregationSource: + AllAwsRegions: True + RoleArn: !GetAtt ConfigAggregatorRole.Arn + Outputs: ConfigTopicArn:
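Review bot: The meaning of `CreateAggregationAuthorization` changes here from "an aggregation region was supplied" to "this stack is running in the aggregation region", and the same condition is reused to gate the aggregator role and aggregator added in the `@@ -80,6 +80,34 @@` hunk. If an `AWS::Config::AggregationAuthorization` resource elsewhere in the file is still gated on this name, it will now be created only in the aggregation region and existing authorizations in other regions would be removed on the next update; that resource and the `pAggregationRegion` declaration are outside this hunk, so this could not be confirmed. A distinct condition for the new resources, e.g. `cIsAggregationRegion: !Equals [ !Ref "AWS::Region", !Ref pAggregationRegion ]`, keeps the two meanings apart and matches the `cIncludeGlobalResourceTypes` naming already used in this block.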
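Review bot: The trust policy on `ConfigAggregatorRole` lets `config.amazonaws.com` assume the role on behalf of any account; AWS Config's confused-deputy guidance is to add `Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId` to the `Allow` statement so only this account's Config service can use it. `Version: 2012-10-17` is unquoted, which generic YAML 1.1 tooling reads as a date rather than the policy-version string, while the bucket template in this same commit writes `Version: '2012-10-17'`; quote it here too, and prefer `AllAwsRegions: true` over the capitalized form. The commented-out `# RoleName:` line should either be dropped or carry a one-line comment explaining why a generated name is used (presumably to avoid a global IAM name collision when deployed via the StackSet, but that is not visible here). The `Outputs` section continues outside the hunk.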