Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
519 lines (519 sloc) 16.1 KB
{
"AWSTemplateFormatVersion": "2010-09-09",
"Metadata": {
"AWS::CloudFormation::Designer": {
"2fae6a7c-8deb-409f-80e9-656c9c2af97e": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": -270,
"y": 20
},
"z": 1,
"embeds": [],
"isrelatedto": [
"2fae6a7c-8deb-409f-80e9-656c9c2af97e"
]
},
"e8b213de-9036-40e2-a840-c56b06d9b1bc": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 290,
"y": 150
},
"z": 1,
"embeds": [],
"dependson": [
"2fae6a7c-8deb-409f-80e9-656c9c2af97e",
"3e3ce7aa-4c28-49ce-9b4f-5364e7990624"
],
"isrelatedto": [
"2fae6a7c-8deb-409f-80e9-656c9c2af97e",
"979098a4-a628-4395-9ac7-f43e1bfaa5ae"
]
},
"26a623f6-ca27-4851-bd71-577d56bd9a95": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 410,
"y": 150
},
"z": 1,
"embeds": [],
"dependson": [
"2fae6a7c-8deb-409f-80e9-656c9c2af97e",
"e8b213de-9036-40e2-a840-c56b06d9b1bc"
]
},
"3e3ce7aa-4c28-49ce-9b4f-5364e7990624": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 160,
"y": 150
},
"z": 1,
"embeds": [],
"dependson": [
"2fae6a7c-8deb-409f-80e9-656c9c2af97e",
"979098a4-a628-4395-9ac7-f43e1bfaa5ae"
]
},
"35068c5c-09da-458a-81d6-500395ea7292": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": -270,
"y": 150
},
"z": 1,
"embeds": [],
"isrelatedto": [
"2fae6a7c-8deb-409f-80e9-656c9c2af97e"
]
},
"c75421bc-df03-4964-87b7-b848690b1a7c": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": -140,
"y": 160
},
"z": 1,
"embeds": [],
"isrelatedto": [
"35068c5c-09da-458a-81d6-500395ea7292"
]
},
"979098a4-a628-4395-9ac7-f43e1bfaa5ae": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 20,
"y": 150
},
"z": 1,
"embeds": [],
"isrelatedto": [
"c75421bc-df03-4964-87b7-b848690b1a7c",
"2fae6a7c-8deb-409f-80e9-656c9c2af97e"
]
},
"ed297316-819b-40fe-822a-b77b87dc4a85": {
"source": {
"id": "3e3ce7aa-4c28-49ce-9b4f-5364e7990624",
"selector": "g:nth-child(1) g:nth-child(4) g:nth-child(2) circle:nth-child(1) ",
"port": "AWS::DependencyLink-*"
},
"target": {
"x": 150,
"y": 180
},
"z": 13
},
"d62b14a1-5b06-48cc-8832-2cc84985138b": {
"source": {
"id": "c75421bc-df03-4964-87b7-b848690b1a7c",
"selector": "g:nth-child(1) g:nth-child(4) g:nth-child(1) circle:nth-child(1) ",
"port": "AWS::DependencyLink-*"
},
"target": {
"x": 20,
"y": 290
},
"z": 14
},
"636d3456-9de3-46ed-bb70-99e84079aa64": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 420,
"y": 150
},
"z": 0,
"dependson": [
"e8b213de-9036-40e2-a840-c56b06d9b1bc"
]
},
"a7ec74fb-7746-4bf9-9fad-5c377ad4576b": {
"source": {
"id": "636d3456-9de3-46ed-bb70-99e84079aa64"
},
"target": {
"id": "e8b213de-9036-40e2-a840-c56b06d9b1bc"
},
"z": 2
}
}
},
"Resources": {
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1460475162000",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
{
"Fn::GetAtt": [
"AWSConfigRole",
"Arn"
]
}
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"config:DeleteDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:PutConfigurationRecorder",
"config:StopConfigurationRecorder"
],
"Resource": [
"*"
]
}
]
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "35068c5c-09da-458a-81d6-500395ea7292"
}
}
},
"ConfigurationRecorderSanitiser": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": {
"Fn::Join": [
"\n",
[
"// dependencies",
"var AWS = require('aws-sdk');",
"var response = require('cfn-response');",
"var configservice = new AWS.ConfigService();",
"exports.handler = function(event, context, callback) {",
" ",
" console.log('Checking if a configuration recorder exists')",
" configservice.describeConfigurationRecorders(null, function(err, data) {",
" if (err) console.log(err, err.stack); // an error occurred",
" else{",
" if(data.ConfigurationRecorders.length > 0){",
" // successful response",
" var configurationRecorders = data",
" console.log('Found Configuration Recoder: ' + configurationRecorders.ConfigurationRecorders[0].name);",
" console.log('Checking for the existence of a Delivery Channel')",
" configservice.describeDeliveryChannels(null, function(err, data) {",
" if (err) console.log(err, err.stack); // an error occurred",
" else{",
" if(data.DeliveryChannels.length > 0){",
" console.log('There is a Delivery Channel, let\\'s delete it!')",
" deliveryChannels = data",
" console.log('Making sure the Delivery Recorder is stopped')",
" var params = { ConfigurationRecorderName: configurationRecorders.ConfigurationRecorders[0].name};",
" configservice.stopConfigurationRecorder(params, function(err, data) {",
" if (err) console.log(err, err.stack); // an error occurred",
" else{",
" console.log('Deleting Delivery Channel')",
" params = { DeliveryChannelName: deliveryChannels.DeliveryChannels[0].name }",
" configservice.deleteDeliveryChannel(params, function(err, data) {",
" if (err) console.log(err, err.stack); // an error occurred",
" else console.log('Successfully deleted Delivery Channel') // successful response",
" });",
" } ",
" }); ",
" }else{",
" console.log('No Delivery Channel to Delete')",
" }",
" }",
" })",
" ",
" console.log('Setting the Configuration Recorder\\'s IAM role to the one created by our CFN stack: ' + event.ResourceProperties.RoleARN)",
" var params = {",
" ConfigurationRecorder: {",
" name: configurationRecorders.ConfigurationRecorders[0].name,",
" recordingGroup: configurationRecorders.ConfigurationRecorders[0].recordingGroup,",
" roleARN: event.ResourceProperties.RoleARN",
" }",
" };",
" configservice.putConfigurationRecorder(params, function(err, data) {",
" if (err) console.log(err, err.stack); // an error occurred",
" else console.log('Successfull set the Configuration Recorder\\'s IAM role to the one created by our CFN stack'); // successful response",
" });",
" ",
" // Return the name of the configuration recorder as one exists",
" response.send(event, context, response.SUCCESS, {'ConfigurationRecorder':configurationRecorders.ConfigurationRecorders[0].name});",
" }else{",
" console.log('No Configuration Records exist, returning default recorder name')",
" response.send(event, context, response.SUCCESS, {'ConfigurationRecorder':'ConfigurationRecorder'});",
" }",
" } ",
" });",
"};"
]
]
}
},
"Handler": "index.handler",
"Runtime": "nodejs",
"Timeout": "30",
"Role": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "c75421bc-df03-4964-87b7-b848690b1a7c"
}
}
},
"ConfigurationRecorderSanitisationResults": {
"Type": "Custom::ConfigurationRecorderSanitisationResults",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"ConfigurationRecorderSanitiser",
"Arn"
]
},
"RoleARN": {
"Fn::GetAtt": [
"AWSConfigRole",
"Arn"
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "979098a4-a628-4395-9ac7-f43e1bfaa5ae"
}
}
},
"AWSConfigRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSConfigRole"
],
"Policies": [
{
"PolicyName": {
"Fn::Join": [
"",
[
"AWSConfigDeliveryPermissions-",
{
"Ref": "AWS::Region"
}
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1460390265000",
"Effect": "Allow",
"Action": [
"config:Put*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "DeliveryChannelS3Bucket"
},
"/",
{
"Ref": "DeliveryChannelS3Prefix"
},
"/AWSLogs/*"
]
]
}
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl"
],
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "DeliveryChannelS3Bucket"
}
]
]
}
}
]
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "2fae6a7c-8deb-409f-80e9-656c9c2af97e"
}
}
},
"ConfigurationRecorder": {
"Type": "AWS::Config::ConfigurationRecorder",
"Properties": {
"Name": {
"Fn::GetAtt": [
"ConfigurationRecorderSanitisationResults",
"ConfigurationRecorder"
]
},
"RecordingGroup": {
"AllSupported": true,
"IncludeGlobalResourceTypes": true
},
"RoleARN": {
"Fn::GetAtt": [
"AWSConfigRole",
"Arn"
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "e8b213de-9036-40e2-a840-c56b06d9b1bc"
}
},
"DependsOn": [
"AWSConfigRole"
]
},
"DeliveryChannel": {
"Type": "AWS::Config::DeliveryChannel",
"Properties": {
"Name": "default",
"S3BucketName": {
"Ref": "DeliveryChannelS3Bucket"
},
"S3KeyPrefix": {
"Ref": "DeliveryChannelS3Prefix"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "3e3ce7aa-4c28-49ce-9b4f-5364e7990624"
}
},
"DependsOn": [
"AWSConfigRole",
"ConfigurationRecorderSanitisationResults"
]
}
},
"Parameters": {
"DeliveryChannelS3Bucket": {
"Type": "String",
"Description": "The full ARN of the bucket to which you wish to periodically push config snapshots."
},
"DeliveryChannelS3Prefix": {
"Type": "String",
"Description": "The key prefix ('folder') into which to insert config snapshots"
},
"CloudTrailS3Bucket": {
"Type": "String",
"Description": "The name of the S3 bucket to which you should be pushing CloudTrail logs."
}
}
}
You can’t perform that action at this time.