---
# CloudFormation template: a central S3 bucket for AWS Config delivery, plus the
# configuration recorder, delivery channel and service role for this account.
AWSTemplateFormatVersion: "2010-09-09"

Metadata:
  cfn-lint:
    config:
      # cfn-lint rules suppressed for this template as a whole.
      ignore_checks: [W2001]
Parameters:
  # S3 bucket names are globally unique, so this value must not collide with
  # any existing bucket in any account.
  bucketName:
    Type: String
    Description: "Name of the central S3 bucket containing AWS Config audit findings"
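Resources:
  # Central bucket that AWS Config delivers snapshots and history to.
  # Retained on stack deletion/replacement so audit evidence is not lost.
  ConfigAuditBucket:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: "AWS::S3::Bucket"
    Metadata:
      cfn-lint:
        config:
          ignore_checks: [E1012, E3001]
    Properties:
      BucketName: !Ref bucketName
      # NOTE(review): AccessControl is a bucket ACL setting; AWS recommends
      # OwnershipControls (BucketOwnerEnforced) over ACLs. Left unchanged because
      # the bucket is retained/pre-existing — confirm before switching.
      AccessControl: BucketOwnerFullControl
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Grants the AWS Config service the minimum it needs to deliver to the bucket
  # and denies any access that is not over TLS.
  ConfigAuditBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Metadata:
      cfn-lint:
        config:
          ignore_checks: [E1012, E3001]
    Properties:
      Bucket: !Ref ConfigAuditBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The three Allow statements are taken from
          # https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html#granting-access-in-another-account
          # NOTE(review): the referenced AWS doc's policy pairs these grants with an
          # AWS:SourceAccount condition; without one, the Config service acting on
          # behalf of any AWS account can list/write this bucket (confused deputy).
          # Add a source-account (or aws:SourceOrgID) restriction once the set of
          # delivering accounts is known.
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt ConfigAuditBucket.Arn
          - Sid: AWSConfigBucketExistenceCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:ListBucket
            Resource: !GetAtt ConfigAuditBucket.Arn
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${ConfigAuditBucket.Arn}/*"
            # Delivered objects must hand full control to the bucket owner.
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
          # Reject any request to the bucket or its objects that is not over TLS.
          # Config delivers over HTTPS, so this does not affect normal delivery.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt ConfigAuditBucket.Arn
              - !Sub "${ConfigAuditBucket.Arn}/*"
            Condition:
              Bool:
                "aws:SecureTransport": "false"

  # Records all supported resource types, including global ones (IAM etc.),
  # in this account/region.
  ConfigurationRecorder:
    Type: "AWS::Config::ConfigurationRecorder"
    Properties:
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: !GetAtt ConfigurationRecorderRole.Arn

  # Hourly snapshot delivery into the audit bucket defined above.
  DeliveryChannel:
    Type: "AWS::Config::DeliveryChannel"
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: One_Hour
      S3BucketName: !Ref ConfigAuditBucket

  # Service role assumed by AWS Config: the AWS-managed AWS_ConfigRole policy for
  # reading resource configuration, plus an inline policy scoped to this bucket.
  ConfigurationRecorderRole:
    Type: "AWS::IAM::Role"
    Properties:
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ConfigServiceAssumeRole
            Effect: Allow
            Principal:
              Service: "config.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "s3-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "s3:PutObject"
                Resource: !Sub "${ConfigAuditBucket.Arn}/*"
                # StringEquals (not StringLike) to match the bucket policy above;
                # the value has no wildcard, so the check is the same.
                Condition:
                  StringEquals:
                    "s3:x-amz-acl": "bucket-owner-full-control"
              - Effect: Allow
                Action: "s3:GetBucketAcl"
                Resource: !GetAtt ConfigAuditBucket.Arn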
Outputs:
  # Exported so that other stacks in this region can reference the audit bucket
  # by name or ARN without hard-coding it.
  ConfigAuditBucketName:
    Value: !Ref ConfigAuditBucket
    Export:
      Name: !Sub "${AWS::Region}-${AWS::StackName}-ConfigAuditBucketName"
  ConfigAuditBucketArn:
    Value: !GetAtt ConfigAuditBucket.Arn
    Export:
      Name: !Sub "${AWS::Region}-${AWS::StackName}-ConfigAuditBucketArn"