Paul Duvall edited this page Oct 28, 2019 · 7 revisions

3.4 Run Managed Config Rules using CloudFormation

Review the prerequisites and make sure you have set up your development environment before going through the steps below.

Create a new template

  1. From AWS Cloud9, create a new file.
cd ~/environment/ccoa
touch ccoa-3-config-rules-s3.yml
  2. Open the file, paste the template below into it, and save.
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy AWS Config Rules for S3
Resources:
  AWSConfigRuleForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
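
To make concrete what the managed rule above is judging, the following is an added Python example (not part of this workshop and not AWS's rule implementation) that applies a simplified, local version of the S3_BUCKET_PUBLIC_READ_PROHIBITED check to constructed bucket ACL and bucket policy documents. It assumes the rule's two stated conditions (an ACL grant or a bucket policy statement allowing public read) and deliberately ignores Block Public Access settings and Deny-statement interplay, which the real evaluation handles.

```python
# Constructed samples shaped like `aws s3api get-bucket-acl` / `get-bucket-policy`
# output (not captured from a real account).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PUBLIC_POLICY = {"Statement": {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-bucket/*"}}
VPN_ONLY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
                                  "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}

PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def acl_allows_public_read(acl):
    """True if any grant gives READ or FULL_CONTROL to an AWS public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_ACL_PERMISSIONS):
            return True
    return False

def _wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def policy_allows_public_read(policy):
    """True if an unconditional Allow grants an object-read action to everyone."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants are not treated as public here
        if _wildcard_principal(stmt.get("Principal")):
            if {a.lower() for a in _as_list(stmt.get("Action", []))} & READ_ACTIONS:
                return True
    return False

def bucket_public_read_verdict(acl, policy=None):
    """NON_COMPLIANT when the bucket ACL or bucket policy allows public read, else COMPLIANT."""
    public = acl_allows_public_read(acl) or (policy is not None and policy_allows_public_read(policy))
    return "NON_COMPLIANT" if public else "COMPLIANT"
```

Running the same two checks against the ACL and policy you retrieve for a real bucket is a quick way to understand why the Config dashboard flags it, before you look at the rule's own evaluation details.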

Launch the CloudFormation stack from the CLI

aws cloudformation create-stack --stack-name ccoa-3-config-rules-s3 --capabilities CAPABILITY_NAMED_IAM --disable-rollback --template-body file:///home/ec2-user/environment/ccoa/ccoa-3-config-rules-s3.yml

Check the status

From your Cloud9 terminal, type the following:

aws cloudformation describe-stacks --stack-name ccoa-3-config-rules-s3

Or, go to the CloudFormation console.

View AWS Config Rules Dashboard

Go to AWS Config Rules Dashboard and view the results.

[Screenshot: AWS Config Rules Dashboard]

Additional Resources

Creating AWS Config Managed Rules With AWS CloudFormation Templates

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.
