Description: Setup AWS Config Service Resources: ConfigBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: AccessControl: BucketOwnerFullControl DeliveryChannel: Type: AWS::Config::DeliveryChannel Properties: ConfigSnapshotDeliveryProperties: DeliveryFrequency: "Six_Hours" S3BucketName: Ref: ConfigBucket SnsTopicARN: Ref: ConfigTopic ConfigBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref 'ConfigBucket' PolicyDocument: Version: '2012-10-17' Id: PutObjPolicy Statement: - Sid: DenyUnEncryptedObjects Effect: Deny Principal: '*' Action: s3:PutObject Resource: !Sub arn:aws:s3:::${ConfigBucket}/* Condition: StringNotEquals: s3:x-amz-server-side-encryption: AES256 ConfigTopic: Type: AWS::SNS::Topic Properties: DisplayName: !Sub 'ccoa-5-${AWS::StackName}-sns-topic' TopicName: !Sub 'ccoa-5-${AWS::StackName}-sns-topic' ConfigRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - config.amazonaws.com Version: '2012-10-17' Path: / Policies: - PolicyDocument: Statement: - Effect: Allow Action: sns:Publish Resource: !Ref 'ConfigTopic' - Effect: Allow Action: - s3:PutObject Resource: !Sub arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/* Condition: StringLike: s3:x-amz-acl: bucket-owner-full-control - Effect: Allow Action: - s3:GetBucketAcl Resource: !Sub arn:aws:s3:::${ConfigBucket} PolicyName: root ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSConfigRole ConfigRecorderCcoa5: Type: AWS::Config::ConfigurationRecorder Properties: RecordingGroup: AllSupported: true IncludeGlobalResourceTypes: true RoleARN: !GetAtt 'ConfigRole.Arn' Outputs: StackName: Value: !Ref 'AWS::StackName'