@gregn610
Created May 29, 2020 07:13
CloudFormation template with TemplateBody !Sub
---
AWSTemplateFormatVersion: 2010-09-09
Description: "Conformance Pack of Operational Best Practices for Amazon S3 with Remediation."
Resources:
  ConformancePackS3Operations:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: "CyberOpsS3RemediationOperations"
      DeliveryS3Bucket: !Sub "awsconfigconforms-999999999999"
      DeliveryS3KeyPrefix: "ConfigRemediationS3Operations"
      TemplateBody: !Sub |+
        AWSTemplateFormatVersion: 2010-09-09
        Description: "ConfigRules and with added Remediations for S3 ConformancePack."
        Resources:
          <snip>
          S3BucketLoggingEnabledRemediation:
            DependsOn: S3BucketLoggingEnabled
            Type: "AWS::Config::RemediationConfiguration"
            Properties:
              ConfigRuleName: S3BucketLoggingEnabled
              ResourceType: "AWS::S3::Bucket"
              TargetId: "AWS-ConfigureS3BucketLogging"
              TargetType: "SSM_DOCUMENT"
              TargetVersion: "1"
              Parameters:
                AutomationAssumeRole:
                  StaticValue:
                    Values:
                      - "arn:aws:iam::${AWS::AccountId}:role/S3OperationsAutomationExecutionRole"
                BucketName:
                  ResourceValue:
                    Value: "RESOURCE_ID"
                TargetBucket:
                  StaticValue:
                    Values:
                      - "s3-access-logs-${AWS::AccountId}-${AWS::Region}"
                GrantedPermission:
                  StaticValue:
                    Values:
                      - "FULL_CONTROL"
                GranteeType:
                  StaticValue:
                    Values:
                      - "Group"
                GranteeUri:
                  StaticValue:
                    Values:
                      - "http://acs.amazonaws.com/groups/s3/LogDelivery"
              ExecutionControls:
                SsmControls:
                  ConcurrentExecutionRatePercentage: 10
                  ErrorPercentage: 10
              Automatic: True
              MaximumAutomaticAttempts: 10
              RetryAttemptSeconds: 600