#1. 概要
- CloudFormation で AWS Config を設定する。
- 作成するリソース
- S3 Bucket + Bucket Policy
- SNS Topic + Subscription
- IAM Role + Inline Policy
- ConfigurationRecorder
- DeliveryChannel
- 参考
https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml
#2. 各リソースメモ
- S3 Bucket
- バケット名:awsconfig-AWSアカウントID
- 注意:テンプレートの S3Bucket には BucketEncryption・PublicAccessBlockConfiguration・VersioningConfiguration の指定がなく、DeletionPolicy も付いていない。Config が配信する構成履歴/スナップショットには環境の構成情報(監査証跡)が含まれるため、少なくともパブリックアクセスブロックと SSE は明示し、スタック削除で証跡が消えないよう `"DeletionPolicy" : "Retain"` を検討すること。BucketPolicy の Resource はバケット名の文字列を再度組み立てているので、`{ "Fn::GetAtt" : [ "S3Bucket", "Arn" ] }` を参照するほうが名前の食い違いを防げる。2 つ目の Sid は `" AWSConfigBucketDelivery"` と先頭にスペースが入っているので、意図したものでなければ取り除く。
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/s3-bucket-policy.html
- SNS Topic + Subscription
- トピック名:awsconfig
- プロトコル:email
- エンドポイント:test@example.com(プレースホルダ。実際の通知先に置き換えること。email プロトコルの購読はデプロイ後に届く確認メールを承認するまで通知が配信されない)
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html
- IAM Role + Inline Policy
- ロール名:awsconfig
- インラインポリシー名:awsconfig
- 注意:テンプレートの sns:Publish 文には "Resource" キーが 2 つ並んでおり、1 つ目は特定の AWS アカウント ID とリージョン(ap-northeast-1)を直書きした ARN になっている。JSON の重複キーはパーサによって先勝ち/後勝ちが変わり、公開テンプレートにアカウント ID を残す形にもなるため、直書きの行は削除し、Resource には `{ "Ref" : "SNSTopic" }`(トピック ARN が返る)を使うこと。ARN を組み立てる場合もリージョンは `{ "Ref" : "AWS::Region" }` で参照しないと、別リージョンに展開したときに Publish が拒否される。
- 注意:S3 側の `s3:PutObject*` は AWS ドキュメントの例に合わせた書き方だが、PutObjectAcl などの派生アクションも許可される。最小権限にするなら `s3:PutObject` に絞ることを検討する(要動作確認)。RoleName を "awsconfig" に固定しているため、同一アカウントで複数リージョンに本テンプレートを展開すると IAM ロール名が衝突する点にも注意。ManagedPolicyArns の AWSConfigRole については、現在の推奨マネージドポリシー名が変わっていないか AWS ドキュメントで確認すること。
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/iamrole-permissions.html
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/sns-topic-policy.html
- ConfigurationRecorder
- 名前:awsconfig-AWSアカウントID
- 注意:RecordingGroup で IncludeGlobalResourceTypes を true にしている。IAM などのグローバルリソースを複数リージョンで記録すると重複して記録・通知されるため、複数リージョンに展開する場合は 1 リージョンだけ true にする。レコーダーと配信チャネルはリージョンごとに 1 つしか作れないので、既に Config を有効化済みのリージョンではスタック作成が失敗する。
- DeliveryChannel
- 名前:awsconfig-AWSアカウントID
#3. JSONテンプレート
AWSConfig.json
※ 掲載しているテンプレートは JSON として不正な箇所があり、このままでは CloudFormation の検証でエラーになる。Outputs 内の `{ "Ref" : S3Bucket }`・`{ "Ref" : IAMRole }`・`{ "Ref" : ConfigConfigurationRecorder }`・`{ "Ref" : ConfigDeliveryChannel }` は論理 ID を `"S3Bucket"` のように二重引用符で囲む必要がある。IAMRole の sns:Publish 文にある重複した "Resource" キー(アカウント ID 直書きの行)も削除すること。
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS Config",
"Resources" : {
"S3Bucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketName" : { "Fn::Join" : [ "", [ "awsconfig-", { "Ref" : "AWS::AccountId" } ] ] }
}
},
"S3BucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Bucket" : { "Ref": "S3Bucket"},
"PolicyDocument" : {
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "AWSConfigBucketPermissionsCheck",
"Effect" : "Allow",
"Principal" : {
"Service" : [
"config.amazonaws.com"
]
},
"Action" : "s3:GetBucketAcl",
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::awsconfig-", { "Ref" : "AWS::AccountId" } ] ] }
},
{
"Sid" : " AWSConfigBucketDelivery",
"Effect" : "Allow",
"Principal" : {
"Service" : [
"config.amazonaws.com"
]
},
"Action" : "s3:PutObject",
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::awsconfig-", { "Ref" : "AWS::AccountId" }, "/AWSLogs/", { "Ref" : "AWS::AccountId" }, "/Config/*" ] ] },
"Condition" : {
"StringEquals" : {
"s3:x-amz-acl" : "bucket-owner-full-control"
}
}
}
]
}
}
},
"SNSTopic" : {
"Type" : "AWS::SNS::Topic",
"Properties" : {
"DisplayName" : "AWS Config Notification Topic",
"TopicName" : "awsconfig"
}
},
"SNSSubscription" : {
"Type" : "AWS::SNS::Subscription",
"Properties" : {
"Endpoint" : "test@example.com",
"Protocol" : "email",
"TopicArn" : { "Ref" : "SNSTopic"}
}
},
"IAMRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "",
"Effect" : "Allow",
"Principal" : {
"Service" : "config.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
},
"ManagedPolicyArns" : [ "arn:aws:iam::aws:policy/service-role/AWSConfigRole" ],
"Path" : "/",
"Policies" : [
{
"PolicyName" : "awsconfig",
"PolicyDocument" : {
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"s3:PutObject*"
],
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::awsconfig-", { "Ref" : "AWS::AccountId" }, "/AWSLogs/", { "Ref" : "AWS::AccountId" }, "/*" ] ] },
"Condition" : {
"StringLike" : {
"s3:x-amz-acl" : "bucket-owner-full-control"
}
}
},
{
"Effect" : "Allow",
"Action" : [ "s3:GetBucketAcl" ],
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::awsconfig-", { "Ref" : "AWS::AccountId" } ] ] }
},
{
"Effect" : "Allow",
"Action" : "sns:Publish",
"Resource" : "arn:aws:sns:ap-northeast-1:777813037810:awsconfig",
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:sns:ap-northeast-1:", { "Ref" : "AWS::AccountId" }, ":", { "Fn::GetAtt" : [ "SNSTopic", "TopicName" ] } ] ] }
}
]
}
}
],
"RoleName" : "awsconfig"
}
},
"ConfigConfigurationRecorder" : {
"Type" : "AWS::Config::ConfigurationRecorder",
"DependsOn" : [ "S3Bucket", "SNSTopic" ],
"Properties" : {
"Name" : { "Fn::Join" : [ "", [ "awsconfig-", { "Ref" : "AWS::AccountId" } ] ] },
"RecordingGroup" : {
"AllSupported" : true,
"ResourceTypes" : [],
"IncludeGlobalResourceTypes" : true
},
"RoleARN" : { "Fn::GetAtt" : [ "IAMRole", "Arn" ] }
}
},
"ConfigDeliveryChannel" : {
"Type" : "AWS::Config::DeliveryChannel",
"DependsOn" : [ "S3Bucket", "SNSTopic" ],
"Properties" : {
"Name" : { "Fn::Join" : [ "", [ "awsconfig-", { "Ref" : "AWS::AccountId" } ] ] },
"S3BucketName" : { "Ref" : "S3Bucket" },
"SnsTopicARN" : { "Ref" : "SNSTopic" }
}
}
},
"Outputs" : {
"S3Bucket" : {
"Description" : "S3 Bucket Name",
"Value" : { "Ref" : S3Bucket }
},
"SNSTopic" : {
"Description" : "SNS Topic Name",
"Value" : { "Fn::GetAtt" : [ "SNSTopic", "TopicName" ] }
},
"IAMRole" : {
"Description" : "IAM Role Name",
"Value" : { "Ref" : IAMRole }
},
"ConfigConfigurationRecorder" : {
"Description" : "Config ConfigurationRecorder Name",
"Value" : { "Ref" : ConfigConfigurationRecorder }
},
"ConfigDeliveryChannel" : {
"Description" : "Config DeliveryChannel Name",
"Value" : { "Ref" : ConfigDeliveryChannel }
}
}
}