From 245bc530eca45756590b0177827a77441b2958f5 Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Wed, 21 Aug 2024 13:39:54 -0700
Subject: [PATCH] Remove unused config template

This config template to enable aws config service was moved to org-formation repo in PR https://github.com/Sage-Bionetworks-IT/organizations-infra/pull/1195 it no longer needs to be in shared repository. depends on https://github.com/Sage-Bionetworks-IT/organizations-infra/pull/1195
---
templates/Config/config.yaml | 126 ----------------------------------
1 file changed, 126 deletions(-)
delete mode 100644 templates/Config/config.yaml

diff --git a/templates/Config/config.yaml b/templates/Config/config.yaml
deleted file mode 100644
index 3c7c44d..0000000
--- a/templates/Config/config.yaml
+++ /dev/null
@@ -1,126 +0,0 @@ -# From https://github.com/org-formation/org-formation-reference/blob/master/src/templates/080-aws-config-inventory/config.yml -AWSTemplateFormatVersion: '2010-09-09' - -Parameters: - resourcePrefix: - Type: String - - bucketName: - Type: String - Description: 'Name of the central S3 bucket containing AWS Config audit findings' - -Resources: - ConfigAuditBucket: - OrganizationBinding: !Ref LogArchiveBinding - DeletionPolicy: Retain - UpdateReplacePolicy: Retain - Type: 'AWS::S3::Bucket' - Metadata: - cfn-lint: - config: - ignore_checks: [E1012, E3001] - Properties: - BucketName: !Ref bucketName - AccessControl: BucketOwnerFullControl - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - OwnershipControls: - Rules: - - ObjectOwnership: BucketOwnerEnforced - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 - - ConfigAuditBucketPolicy: - OrganizationBinding: !Ref LogArchiveBinding - Type: AWS::S3::BucketPolicy - Metadata: - cfn-lint: - config: - ignore_checks: [E1012, E3001] - Properties: - Bucket: !Ref ConfigAuditBucket - PolicyDocument: # Taken from https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html#granting-access-in-another-account - Version: '2012-10-17' - Statement: - - Sid: AWSConfigBucketPermissionsCheck - Effect: Allow - Principal: - Service: - - config.amazonaws.com - Action: s3:GetBucketAcl - Resource: !GetAtt ConfigAuditBucket.Arn - - Sid: AWSConfigBucketExistenceCheck - Effect: Allow - Principal: - Service: - - config.amazonaws.com - Action: s3:ListBucket - Resource: !GetAtt ConfigAuditBucket.Arn - - Sid: AWSConfigBucketDelivery - Effect: Allow - Principal: - Service: - - config.amazonaws.com - Action: s3:PutObject - Resource: !Sub '${ConfigAuditBucket.Arn}/*' - Condition: - StringEquals: - 's3:x-amz-acl': 'bucket-owner-full-control' - - ConfigurationRecorder: - 
Type: 'AWS::Config::ConfigurationRecorder' - Properties: - RecordingGroup: - AllSupported: true - IncludeGlobalResourceTypes: true - RoleARN: !GetAtt ConfigurationRecorderRole.Arn - - DeliveryChannel: - Type: 'AWS::Config::DeliveryChannel' - Properties: - ConfigSnapshotDeliveryProperties: - DeliveryFrequency: One_Hour - S3BucketName: !Ref ConfigAuditBucket - - ConfigurationRecorderRole: - Type: 'AWS::IAM::Role' - Properties: - ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole' - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Sid: ConfigServiceAssumeRole - Effect: Allow - Principal: - Service: 'config.amazonaws.com' - Action: 'sts:AssumeRole' - Policies: - - PolicyName: 's3-policy' - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: 's3:PutObject' - Resource: !Sub '${ConfigAuditBucket.Arn}/*' - Condition: - StringLike: - 's3:x-amz-acl': 'bucket-owner-full-control' - - Effect: Allow - Action: 's3:GetBucketAcl' - Resource: !GetAtt ConfigAuditBucket.Arn - -Outputs: - ConfigAuditBucketName: - Value: !Ref ConfigAuditBucket - Export: - Name: !Sub '${AWS::Region}-${AWS::StackName}-ConfigAuditBucketName' - ConfigAuditBucketArn: - Value: !GetAtt ConfigAuditBucket.Arn - Export: - Name: !Sub '${AWS::Region}-${AWS::StackName}-ConfigAuditBucketArn'