


# AWS Config
<a name="AWS_Config"></a>

**Resource types**
+ [AWS::Config::AggregationAuthorization](aws-resource-config-aggregationauthorization.md)
+ [AWS::Config::ConfigRule](aws-resource-config-configrule.md)
+ [AWS::Config::ConfigurationAggregator](aws-resource-config-configurationaggregator.md)
+ [AWS::Config::ConfigurationRecorder](aws-resource-config-configurationrecorder.md)
+ [AWS::Config::ConformancePack](aws-resource-config-conformancepack.md)
+ [AWS::Config::DeliveryChannel](aws-resource-config-deliverychannel.md)
+ [AWS::Config::OrganizationConfigRule](aws-resource-config-organizationconfigrule.md)
+ [AWS::Config::OrganizationConformancePack](aws-resource-config-organizationconformancepack.md)
+ [AWS::Config::RemediationConfiguration](aws-resource-config-remediationconfiguration.md)
+ [AWS::Config::StoredQuery](aws-resource-config-storedquery.md)

# AWS::Config::AggregationAuthorization
<a name="aws-resource-config-aggregationauthorization"></a>

An object that represents the authorizations granted to aggregator accounts and regions.

## Syntax
<a name="aws-resource-config-aggregationauthorization-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-aggregationauthorization-syntax.json"></a>

```
{
  "Type" : "AWS::Config::AggregationAuthorization",
  "Properties" : {
      "[AuthorizedAccountId](#cfn-config-aggregationauthorization-authorizedaccountid)" : String,
      "[AuthorizedAwsRegion](#cfn-config-aggregationauthorization-authorizedawsregion)" : String,
      "[Tags](#cfn-config-aggregationauthorization-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-config-aggregationauthorization-syntax.yaml"></a>

```
Type: AWS::Config::AggregationAuthorization
Properties:
  [AuthorizedAccountId](#cfn-config-aggregationauthorization-authorizedaccountid): String
  [AuthorizedAwsRegion](#cfn-config-aggregationauthorization-authorizedawsregion): String
  [Tags](#cfn-config-aggregationauthorization-tags): 
    - Tag
```

## Properties
<a name="aws-resource-config-aggregationauthorization-properties"></a>

`AuthorizedAccountId`  <a name="cfn-config-aggregationauthorization-authorizedaccountid"></a>
The 12-digit account ID of the account authorized to aggregate data.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^\d{12}$`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`AuthorizedAwsRegion`  <a name="cfn-config-aggregationauthorization-authorizedawsregion"></a>
The region authorized to collect aggregated data.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-config-aggregationauthorization-tags"></a>
An array of tag objects.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-config-aggregationauthorization-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-aggregationauthorization-return-values"></a>

### Ref
<a name="aws-resource-config-aggregationauthorization-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN of the AggregationAuthorization, such as `arn:aws:config:us-east-1:123456789012:aggregation-authorization/987654321012/us-west-2`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-aggregationauthorization-return-values-fn--getatt"></a>

<a name="aws-resource-config-aggregationauthorization-return-values-fn--getatt-fn--getatt"></a>

`AggregationAuthorizationArn`  <a name="AggregationAuthorizationArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the aggregation object.

## Examples
<a name="aws-resource-config-aggregationauthorization--examples"></a>



**Topics**
+ [Authorize Another Account](#aws-resource-config-aggregationauthorization--examples--Authorize_Another_Account)
+ [Aggregation Authorization](#aws-resource-config-aggregationauthorization--examples--Aggregation_Authorization)

### Authorize Another Account
<a name="aws-resource-config-aggregationauthorization--examples--Authorize_Another_Account"></a>

The following example creates an AggregationAuthorization that authorizes another account to aggregate your AWS Config data into a specific region. 

#### JSON
<a name="aws-resource-config-aggregationauthorization--examples--Authorize_Another_Account--json"></a>

```
"AggregationAuthorization": {
    "Type": "AWS::Config::AggregationAuthorization",
    "Properties": {
        "AuthorizedAccountId": "123456789012",
        "AuthorizedAwsRegion": "us-west-2"
    }
}
```

#### YAML
<a name="aws-resource-config-aggregationauthorization--examples--Authorize_Another_Account--yaml"></a>

```
AggregationAuthorization: 
  Type: "AWS::Config::AggregationAuthorization"
  Properties: 
    AuthorizedAccountId: "123456789012"
    AuthorizedAwsRegion: us-west-2
```
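
Because this resource authorizes another account to aggregate your AWS Config data, it is worth linting templates for it before deployment. The following Python check is an added example, not part of the AWS documentation: `audit_template`, the allowlist and the sample template are constructed for illustration, and the rules applied are the `AuthorizedAccountId` pattern and `AuthorizedAwsRegion` length documented above plus an assumed allowlist of approved aggregator accounts.

```python
import json
import re

# Documented constraint on AuthorizedAccountId: ^\d{12}$ (ASCII digits only).
ACCOUNT_ID = re.compile(r"\d{12}", re.ASCII)
RESOURCE_TYPE = "AWS::Config::AggregationAuthorization"

# Constructed allowlist and template; the account IDs are placeholders.
TRUSTED = {"987654321012"}
SAMPLE_TEMPLATE = """
{
  "Parameters": {"AggregatorAccount": {"Type": "String"}},
  "Resources": {
    "Good":      {"Type": "AWS::Config::AggregationAuthorization",
                  "Properties": {"AuthorizedAccountId": "987654321012",
                                 "AuthorizedAwsRegion": "us-west-2"}},
    "NumericId": {"Type": "AWS::Config::AggregationAuthorization",
                  "Properties": {"AuthorizedAccountId": 123456789012,
                                 "AuthorizedAwsRegion": "us-west-2"}},
    "Untrusted": {"Type": "AWS::Config::AggregationAuthorization",
                  "Properties": {"AuthorizedAccountId": "123456789012",
                                 "AuthorizedAwsRegion": "us-west-2"}},
    "FromParam": {"Type": "AWS::Config::AggregationAuthorization",
                  "Properties": {"AuthorizedAccountId": {"Ref": "AggregatorAccount"},
                                 "AuthorizedAwsRegion": {"Ref": "AWS::Region"}}},
    "Bucket":    {"Type": "AWS::S3::Bucket"}
  }
}
"""


def check_account(value, params, trusted):
    """Return a finding for one AuthorizedAccountId value, or None if acceptable."""
    if value is None:
        return "AuthorizedAccountId is required"
    if isinstance(value, dict):
        # Intrinsic function: the account is only known at deploy time, so accept
        # it only when a parameter's AllowedValues pins it to the allowlist.
        ref = value.get("Ref")
        param = params.get(ref, {}) if isinstance(ref, str) else {}
        allowed = param.get("AllowedValues")
        if allowed and {str(v) for v in allowed} <= trusted:
            return None
        return "account is set at deploy time and not limited to trusted aggregators"
    if not isinstance(value, str):
        return f"account {value!r} is not a string; a numeric literal cannot keep leading zeros"
    if not ACCOUNT_ID.fullmatch(value):
        return f"account {value!r} is not a 12-digit account ID"
    if value not in trusted:
        return f"account {value} is not an approved aggregator account"
    return None


def audit_template(template, trusted_accounts):
    """Return (logical_id, message) findings for every AggregationAuthorization."""
    trusted = set(trusted_accounts)
    params = template.get("Parameters", {})
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != RESOURCE_TYPE:
            continue
        props = resource.get("Properties", {})
        problem = check_account(props.get("AuthorizedAccountId"), params, trusted)
        if problem:
            findings.append((logical_id, problem))
        region = props.get("AuthorizedAwsRegion")
        if region is None:
            findings.append((logical_id, "AuthorizedAwsRegion is required"))
        elif isinstance(region, str) and not 1 <= len(region) <= 64:
            findings.append((logical_id, "AuthorizedAwsRegion must be 1 to 64 characters"))
    return findings


if __name__ == "__main__":
    for logical_id, message in audit_template(json.loads(SAMPLE_TEMPLATE), TRUSTED):
        print(f"{logical_id}: {message}")
```

A parameter-driven account ID, as in the full template in the next example, passes only if the parameter declares `AllowedValues` that all appear in the allowlist.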

### Aggregation Authorization
<a name="aws-resource-config-aggregationauthorization--examples--Aggregation_Authorization"></a>

The following example enables AWS Config and creates an AWS Config rule, an aggregator, and an authorization.

#### JSON
<a name="aws-resource-config-aggregationauthorization--examples--Aggregation_Authorization--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Config",
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [
                {
                    "Label": {
                        "default": "Configuration Recorder Configuration"
                    },
                    "Parameters": [
                        "GlobalResourceTypesRegion"
                    ]
                },
                {
                    "Label": {
                        "default": "Configuration Aggregator Configuration"
                    },
                    "Parameters": [
                        "AggregatorAccount",
                        "AggregatorRegion",
                        "SourceAccounts",
                        "SourceRegions"
                    ]
                }
            ],
            "ParameterLabels": {
                "GlobalResourceTypesRegion": {
                    "default": "Global resource types region"
                },
                "AggregatorAccount": {
                    "default": "Aggregator account"
                },
                "AggregatorRegion": {
                    "default": "Aggregator region"
                },
                "SourceAccounts": {
                    "default": "Source accounts"
                },
                "SourceRegions": {
                    "default": "Source regions"
                }
            }
        }
    },
    "Parameters": {
        "GlobalResourceTypesRegion": {
            "Type": "String",
            "Default": "us-east-1",
            "Description": "AWS region used to record global resources types"
        },
        "AggregatorAccount": {
            "Type": "String",
            "Description": "Account ID of the aggregator"
        },
        "AggregatorRegion": {
            "Type": "String",
            "Default": "us-east-1",
            "Description": "AWS region of the aggregator"
        },
        "SourceAccounts": {
            "Type": "CommaDelimitedList",
            "Description": "List of source accounts to aggregate"
        },
        "SourceRegions": {
            "Type": "CommaDelimitedList",
            "Description": "List of regions to aggregate"
        }
    },
    "Conditions": {
        "IncludeGlobalResourceTypes": {
            "Fn::Equals": [
                {
                    "Ref": "GlobalResourceTypesRegion"
                },
                {
                    "Ref": "AWS::Region"
                }
            ]
        },
        "CreateAggregator": {
            "Fn::And": [
                {
                    "Fn::Equals": [
                        {
                            "Ref": "AggregatorAccount"
                        },
                        {
                            "Ref": "AWS::AccountId"
                        }
                    ]
                },
                {
                    "Fn::Equals": [
                        {
                            "Ref": "AggregatorRegion"
                        },
                        {
                            "Ref": "AWS::Region"
                        }
                    ]
                }
            ]
        },
        "CreateAuthorization": {
            "Fn::Not": [
                {
                    "Fn::Equals": [
                        {
                            "Ref": "AggregatorAccount"
                        },
                        {
                            "Ref": "AWS::AccountId"
                        }
                    ]
                }
            ]
        }
    },
    "Resources": {
        "ConfigBucket": {
            "DeletionPolicy": "Retain",
            "Type": "AWS::S3::Bucket"
        },
        "ConfigBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {
                    "Ref": "ConfigBucket"
                },
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AWSConfigBucketPermissionsCheck",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "config.amazonaws.com"
                                ]
                            },
                            "Action": "s3:GetBucketAcl",
                            "Resource": [
                                {
                                    "Fn::Sub": "arn:aws:s3:::${ConfigBucket}"
                                }
                            ]
                        },
                        {
                            "Sid": "AWSConfigBucketDelivery",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "config.amazonaws.com"
                                ]
                            },
                            "Action": "s3:PutObject",
                            "Resource": [
                                {
                                    "Fn::Sub": "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
                                }
                            ]
                        }
                    ]
                }
            }
        },
        "ConfigRecorderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "config.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
                ]
            }
        },
        "ConfigRecorder": {
            "Type": "AWS::Config::ConfigurationRecorder",
            "DependsOn": [
                "ConfigRecorderRole",
                "ConfigBucketPolicy"
            ],
            "Properties": {
                "RoleARN": {
                    "Fn::GetAtt": [
                        "ConfigRecorderRole",
                        "Arn"
                    ]
                },
                "RecordingGroup": {
                    "AllSupported": true,
                    "IncludeGlobalResourceTypes": {
                        "Fn::If": [
                            "IncludeGlobalResourceTypes",
                            true,
                            false
                        ]
                    }
                }
            }
        },
        "DeliveryChannel": {
            "Type": "AWS::Config::DeliveryChannel",
            "DependsOn": [
                "ConfigBucketPolicy"
            ],
            "Properties": {
                "Name": "default",
                "S3BucketName": {
                    "Ref": "ConfigBucket"
                }
            }
        },
        "S3BucketPublicReadRule": {
            "Type": "AWS::Config::ConfigRule",
            "DependsOn": [
                "ConfigRecorder"
            ],
            "Properties": {
                "ConfigRuleName": "stackset-s3-bucket-public-read-prohibited",
                "Description": "s3-bucket-public-read-prohibited from stackset",
                "Scope": {
                    "ComplianceResourceTypes": [
                        "AWS::S3::Bucket"
                    ]
                },
                "Source": {
                    "Owner": "AWS",
                    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
                }
            }
        },
        "ConfigAggregator": {
            "Type": "AWS::Config::ConfigurationAggregator",
            "Condition": "CreateAggregator",
            "Properties": {
                "ConfigurationAggregatorName": "name",
                "AccountAggregationSources": [
                    {
                        "AccountIds": {
                            "Ref": "SourceAccounts"
                        },
                        "AwsRegions": {
                            "Ref": "SourceRegions"
                        }
                    }
                ]
            }
        },
        "AggregationAuthorization": {
            "Type": "AWS::Config::AggregationAuthorization",
            "Condition": "CreateAuthorization",
            "Properties": {
                "AuthorizedAccountId": {
                    "Ref": "AggregatorAccount"
                },
                "AuthorizedAwsRegion": {
                    "Ref": "AggregatorRegion"
                }
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-config-aggregationauthorization--examples--Aggregation_Authorization--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: Enable Config

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Configuration Recorder Configuration
        Parameters:
          - GlobalResourceTypesRegion
      - Label:
          default: Configuration Aggregator Configuration
        Parameters:
          - AggregatorAccount
          - AggregatorRegion
          - SourceAccounts
          - SourceRegions
    ParameterLabels:
      GlobalResourceTypesRegion:
        default: Global resource types region
      AggregatorAccount:
        default: Aggregator account
      AggregatorRegion:
        default: Aggregator region
      SourceAccounts:
        default: Source accounts
      SourceRegions:
        default: Source regions

Parameters:
  GlobalResourceTypesRegion:
    Type: String
    Default: us-east-1
    Description: AWS region used to record global resources types
  AggregatorAccount:
    Type: String
    Description: Account ID of the aggregator
  AggregatorRegion:
    Type: String
    Default: us-east-1
    Description: AWS region of the aggregator
  SourceAccounts:
    Type: CommaDelimitedList
    Description: List of source accounts to aggregate
  SourceRegions:
    Type: CommaDelimitedList
    Description: List of regions to aggregate

Conditions:
  IncludeGlobalResourceTypes: !Equals
    - !Ref GlobalResourceTypesRegion
    - !Ref AWS::Region
  CreateAggregator: !And
    - !Equals
      - !Ref AggregatorAccount
      - !Ref AWS::AccountId
    - !Equals
      - !Ref AggregatorRegion
      - !Ref AWS::Region
  CreateAuthorization: !Not
    - !Equals
      - !Ref AggregatorAccount
      - !Ref AWS::AccountId

Resources:

  ConfigBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket

  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}"
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"

  ConfigRecorderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    DependsOn:
      - ConfigRecorderRole
      - ConfigBucketPolicy
    Properties:
      RoleARN: !GetAtt ConfigRecorderRole.Arn
      RecordingGroup:
        AllSupported: True
        IncludeGlobalResourceTypes: !If
          - IncludeGlobalResourceTypes
          - True
          - False

  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: default
      S3BucketName: !Ref ConfigBucket

  S3BucketPublicReadRule:
    Type: AWS::Config::ConfigRule
    DependsOn:
      - ConfigRecorder
    Properties:
      ConfigRuleName: stackset-s3-bucket-public-read-prohibited
      Description: s3-bucket-public-read-prohibited from stackset
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Condition: CreateAggregator
    Properties:
      ConfigurationAggregatorName: name
      AccountAggregationSources:
        - AccountIds: !Ref SourceAccounts
          AwsRegions: !Ref SourceRegions

  AggregationAuthorization:
    Type: AWS::Config::AggregationAuthorization
    Condition: CreateAuthorization
    Properties:
      AuthorizedAccountId: !Ref AggregatorAccount
      AuthorizedAwsRegion: !Ref AggregatorRegion
```

# AWS::Config::AggregationAuthorization Tag
<a name="aws-properties-config-aggregationauthorization-tag"></a>

The tags for the resource. Tags are metadata that you apply to a resource to help you categorize and organize it. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

## Syntax
<a name="aws-properties-config-aggregationauthorization-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-aggregationauthorization-tag-syntax.json"></a>

```
{
  "[Key](#cfn-config-aggregationauthorization-tag-key)" : String,
  "[Value](#cfn-config-aggregationauthorization-tag-value)" : String
}
```

### YAML
<a name="aws-properties-config-aggregationauthorization-tag-syntax.yaml"></a>

```
  [Key](#cfn-config-aggregationauthorization-tag-key): String
  [Value](#cfn-config-aggregationauthorization-tag-value): String
```

## Properties
<a name="aws-properties-config-aggregationauthorization-tag-properties"></a>

`Key`  <a name="cfn-config-aggregationauthorization-tag-key"></a>
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-config-aggregationauthorization-tag-value"></a>
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigRule
<a name="aws-resource-config-configrule"></a>

**Note**  
You must first create and start the AWS Config configuration recorder in order to create AWS Config managed rules with AWS CloudFormation. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html).

Adds or updates an AWS Config rule to evaluate if your AWS resources comply with your desired configurations. For information on how many AWS Config rules you can have per account, see [https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *AWS Config Developer Guide*.

There are two types of rules: *AWS Config Managed Rules* and *AWS Config Custom Rules*. You can use the `ConfigRule` resource to create both AWS Config Managed Rules and AWS Config Custom Rules.

AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an AWS Config managed rule, you must specify the rule's identifier for the `SourceIdentifier` key.

AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *AWS Config Custom Lambda Rules* and AWS Config custom rules created with Guard are called *AWS Config Custom Policy Rules*.

If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function that the rule invokes to evaluate your resources. When you use the `ConfigRule` resource to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. You specify the ARN in the `SourceIdentifier` key. This key is part of the `Source` object, which is part of the `ConfigRule` object. 

For any new AWS Config rule that you add, specify the `ConfigRuleName` in the `ConfigRule` object. Do not specify the `ConfigRuleArn` or the `ConfigRuleId`. These values are generated by AWS Config for new rules.

If you are updating a rule that you added previously, you can specify the rule by `ConfigRuleName`, `ConfigRuleId`, or `ConfigRuleArn` in the `ConfigRule` data type that you use in this request.

For more information about developing and using AWS Config rules, see [Evaluating Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide*.

## Syntax
<a name="aws-resource-config-configrule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-configrule-syntax.json"></a>

```
{
  "Type" : "AWS::Config::ConfigRule",
  "Properties" : {
      "[Compliance](#cfn-config-configrule-compliance)" : Compliance,
      "[ConfigRuleName](#cfn-config-configrule-configrulename)" : String,
      "[Description](#cfn-config-configrule-description)" : String,
      "[EvaluationModes](#cfn-config-configrule-evaluationmodes)" : [ EvaluationModeConfiguration, ... ],
      "[InputParameters](#cfn-config-configrule-inputparameters)" : Json,
      "[MaximumExecutionFrequency](#cfn-config-configrule-maximumexecutionfrequency)" : String,
      "[Scope](#cfn-config-configrule-scope)" : Scope,
      "[Source](#cfn-config-configrule-source)" : Source
    }
}
```

### YAML
<a name="aws-resource-config-configrule-syntax.yaml"></a>

```
Type: AWS::Config::ConfigRule
Properties:
  [Compliance](#cfn-config-configrule-compliance): 
    Compliance
  [ConfigRuleName](#cfn-config-configrule-configrulename): String
  [Description](#cfn-config-configrule-description): String
  [EvaluationModes](#cfn-config-configrule-evaluationmodes): 
    - EvaluationModeConfiguration
  [InputParameters](#cfn-config-configrule-inputparameters): Json
  [MaximumExecutionFrequency](#cfn-config-configrule-maximumexecutionfrequency): String
  [Scope](#cfn-config-configrule-scope): 
    Scope
  [Source](#cfn-config-configrule-source): 
    Source
```

## Properties
<a name="aws-resource-config-configrule-properties"></a>

`Compliance`  <a name="cfn-config-configrule-compliance"></a>
Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.  
*Required*: No  
*Type*: [Compliance](aws-properties-config-configrule-compliance.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ConfigRuleName`  <a name="cfn-config-configrule-configrulename"></a>
A name for the AWS Config rule. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html).   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Description`  <a name="cfn-config-configrule-description"></a>
The description that you provide for the AWS Config rule.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EvaluationModes`  <a name="cfn-config-configrule-evaluationmodes"></a>
The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.  
*Required*: No  
*Type*: Array of [EvaluationModeConfiguration](aws-properties-config-configrule-evaluationmodeconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InputParameters`  <a name="cfn-config-configrule-inputparameters"></a>
A string, in JSON format, that is passed to the AWS Config rule Lambda function.  
*Required*: No  
*Type*: Json  
*Minimum*: `1`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaximumExecutionFrequency`  <a name="cfn-config-configrule-maximumexecutionfrequency"></a>
The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for `MaximumExecutionFrequency` when:  
+ You are using an AWS managed rule that is triggered at a periodic frequency.
+ Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html).

By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.  
*Required*: No  
*Type*: String  
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Scope`  <a name="cfn-config-configrule-scope"></a>
Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.  
*Required*: No  
*Type*: [Scope](aws-properties-config-configrule-scope.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Source`  <a name="cfn-config-configrule-source"></a>
Provides the rule owner (`AWS` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.  
*Required*: Yes  
*Type*: [Source](aws-properties-config-configrule-source.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
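
The property constraints above, together with the note that the configuration recorder must exist before a rule is created, can be checked on a template before deployment. The following Python lint is an added example, not part of the AWS documentation: `lint_config_rules`, the sample template and the Lambda ARN shape it tests for are assumptions made for illustration, and it only recognises an explicit `DependsOn` on a recorder defined in the same template.

```python
import re

# Values documented on this page.
OWNERS = {"AWS", "CUSTOM_POLICY", "CUSTOM_LAMBDA"}
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}
# Assumed shape of a Lambda function ARN (arn:partition:lambda:region:account:function:name).
LAMBDA_ARN = re.compile(r"arn:[^:]+:lambda:[^:]+:\d{12}:function:.+", re.ASCII)

# Constructed sample template, already parsed into a dict.
SAMPLE = {"Resources": {
    "Recorder": {"Type": "AWS::Config::ConfigurationRecorder"},
    "ManagedOk": {"Type": "AWS::Config::ConfigRule", "DependsOn": "Recorder",
                  "Properties": {"Source": {"Owner": "AWS",
                                            "SourceIdentifier": "REQUIRED_TAGS"}}},
    "NoDependsOn": {"Type": "AWS::Config::ConfigRule",
                    "Properties": {"Source": {"Owner": "AWS",
                                              "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}},
    "LambdaWithRuleId": {"Type": "AWS::Config::ConfigRule", "DependsOn": ["Recorder"],
                         "Properties": {"Source": {"Owner": "CUSTOM_LAMBDA",
                                                   "SourceIdentifier": "REQUIRED_TAGS"}}},
    "BadFrequency": {"Type": "AWS::Config::ConfigRule", "DependsOn": ["Recorder"],
                     "Properties": {"MaximumExecutionFrequency": "Hourly",
                                    "Source": {"Owner": "AWS",
                                               "SourceIdentifier": "REQUIRED_TAGS"}}},
}}


def depends_on(resource):
    """Normalise DependsOn (a string or a list) to a set of logical IDs."""
    dep = resource.get("DependsOn", [])
    return {dep} if isinstance(dep, str) else set(dep)


def lint_config_rules(template):
    """Return (logical_id, message) findings for AWS::Config::ConfigRule resources."""
    resources = template.get("Resources", {})
    recorders = {name for name, res in resources.items()
                 if res.get("Type") == "AWS::Config::ConfigurationRecorder"}
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue
        props = res.get("Properties", {})

        source = props.get("Source")
        if not isinstance(source, dict):
            findings.append((name, "Source is required"))
        else:
            owner, ident = source.get("Owner"), source.get("SourceIdentifier")
            if isinstance(owner, str) and owner not in OWNERS:
                findings.append((name, f"unknown Source.Owner {owner!r}"))
            elif isinstance(ident, str):  # intrinsic functions are resolved later
                if owner == "CUSTOM_LAMBDA" and not LAMBDA_ARN.fullmatch(ident):
                    findings.append((name, "CUSTOM_LAMBDA needs a Lambda function ARN as SourceIdentifier"))
                if owner == "AWS" and ident.startswith("arn:"):
                    findings.append((name, "managed rules take a rule identifier, not an ARN"))

        freq = props.get("MaximumExecutionFrequency")
        if isinstance(freq, str) and freq not in FREQUENCIES:
            findings.append((name, f"MaximumExecutionFrequency {freq!r} is not an allowed value"))

        rule_name = props.get("ConfigRuleName")
        if isinstance(rule_name, str) and not (
                1 <= len(rule_name) <= 128 and re.search(r"\S", rule_name)):
            findings.append((name, "ConfigRuleName must be 1 to 128 characters and not blank"))

        # The recorder must exist first; require an explicit DependsOn when the
        # same template also creates the recorder.
        if recorders and not recorders & depends_on(res):
            findings.append((name, "rule does not depend on the configuration recorder"))
    return findings


if __name__ == "__main__":
    for logical_id, message in lint_config_rules(SAMPLE):
        print(f"{logical_id}: {message}")
```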

## Return values
<a name="aws-resource-config-configrule-return-values"></a>

### Ref
<a name="aws-resource-config-configrule-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the rule name, such as `mystack-MyConfigRule-12ABCFPXHV4OV`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-configrule-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-config-configrule-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the AWS Config rule, such as `arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi`.

`Compliance.Type`  <a name="Compliance.Type-fn::getatt"></a>
Property description not available.

`ConfigRuleId`  <a name="ConfigRuleId-fn::getatt"></a>
The ID of the AWS Config rule, such as `config-rule-a1bzhi`.

## Examples
<a name="aws-resource-config-configrule--examples"></a>



**Topics**
+ [Config Rule](#aws-resource-config-configrule--examples--Config_Rule)
+ [Create Rule Using Lambda Function](#aws-resource-config-configrule--examples--Create_Rule_Using_Lambda_Function)

### Config Rule
<a name="aws-resource-config-configrule--examples--Config_Rule"></a>

The following example uses an AWS managed rule that checks whether EC2 volumes have a CostCenter tag.

#### JSON
<a name="aws-resource-config-configrule--examples--Config_Rule--json"></a>

```
"ConfigRuleForVolumeTags": {
  "Type": "AWS::Config::ConfigRule",
  "Properties": {
    "InputParameters": {"tag1Key": "CostCenter"},
    "Scope": {
      "ComplianceResourceTypes": ["AWS::EC2::Volume"]
    },
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "REQUIRED_TAGS"
    }
  }
}
```

#### YAML
<a name="aws-resource-config-configrule--examples--Config_Rule--yaml"></a>

```
ConfigRuleForVolumeTags: 
  Type: AWS::Config::ConfigRule
  Properties: 
    InputParameters: |
        {"tag1Key": "CostCenter"}
    Scope: 
      ComplianceResourceTypes: 
        - "AWS::EC2::Volume"
    Source: 
      Owner: AWS
      SourceIdentifier: "REQUIRED_TAGS"
```

### Create Rule Using Lambda Function
<a name="aws-resource-config-configrule--examples--Create_Rule_Using_Lambda_Function"></a>

The following example is the AWS Lambda function’s code to check whether an EC2 volume has the AutoEnableIO property set to true. To deploy with AWS CloudFormation, follow the steps in [Deploy Node.js Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-package.html).

#### JavaScript
<a name="aws-resource-config-configrule--examples--Create_Rule_Using_Lambda_Function--javascript"></a>

```
import { ConfigServiceClient, PutEvaluationsCommand } from "@aws-sdk/client-config-service";
import { EC2Client, DescribeVolumeAttributeCommand } from "@aws-sdk/client-ec2";

const configClient = new ConfigServiceClient({});
const ec2Client = new EC2Client({});

// Entry point: evaluate the volume, then report the result to AWS Config.
export const handler = async function (event, context) {
    await evaluateCompliance(event, async function (compliance, annotation, event) {
        const configurationItem = JSON.parse(event.invokingEvent).configurationItem;
        const evaluation = {
            ComplianceResourceType: configurationItem.resourceType,
            ComplianceResourceId: configurationItem.resourceId,
            ComplianceType: compliance,
            OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime)
        };
        // Annotation is optional; send it only when one was supplied.
        if (annotation) {
            evaluation.Annotation = annotation;
        }
        const putEvaluationsRequest = {
            Evaluations: [evaluation],
            ResultToken: event.resultToken
        };
        await configClient.send(new PutEvaluationsCommand(putEvaluationsRequest));
    });
};

// Determines the compliance type for the volume in the invoking event.
// Each doReturn call is awaited so that PutEvaluations completes before the handler returns.
async function evaluateCompliance(event, doReturn) {
    const configurationItem = JSON.parse(event.invokingEvent).configurationItem;
    const status = configurationItem.configurationItemStatus;
    if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered')) {
        // Wrong resource type, resource left the rule's scope, or a status other than OK/ResourceDiscovered.
        await doReturn('NOT_APPLICABLE', '', event);
    } else {
        const input = { VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO' };
        const command = new DescribeVolumeAttributeCommand(input);
        const response = await ec2Client.send(command);
        if (response.AutoEnableIO.Value) await doReturn('COMPLIANT', '', event);
        else await doReturn('NON_COMPLIANT', 'Annotation describing why NON_COMPLIANT', event);
    }
}
```

# AWS::Config::ConfigRule Compliance
<a name="aws-properties-config-configrule-compliance"></a>

Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.

## Syntax
<a name="aws-properties-config-configrule-compliance-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configrule-compliance-syntax.json"></a>

```
{
  "[Type](#cfn-config-configrule-compliance-type)" : String
}
```

### YAML
<a name="aws-properties-config-configrule-compliance-syntax.yaml"></a>

```
  [Type](#cfn-config-configrule-compliance-type): String
```

## Properties
<a name="aws-properties-config-configrule-compliance-properties"></a>

`Type`  <a name="cfn-config-configrule-compliance-type"></a>
Indicates whether an AWS resource or AWS Config rule is compliant.  
A resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.  
A rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.  
AWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.  
For the `Compliance` data type, AWS Config supports only `COMPLIANT`, `NON_COMPLIANT`, and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type.  
*Required*: No  
*Type*: String  
*Allowed values*: `COMPLIANT | NON_COMPLIANT | NOT_APPLICABLE | INSUFFICIENT_DATA`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigRule CustomPolicyDetails
<a name="aws-properties-config-configrule-custompolicydetails"></a>

Provides the CustomPolicyDetails, the rule owner (`AWS` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your AWS resources.

## Syntax
<a name="aws-properties-config-configrule-custompolicydetails-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configrule-custompolicydetails-syntax.json"></a>

```
{
  "[EnableDebugLogDelivery](#cfn-config-configrule-custompolicydetails-enabledebuglogdelivery)" : Boolean,
  "[PolicyRuntime](#cfn-config-configrule-custompolicydetails-policyruntime)" : String,
  "[PolicyText](#cfn-config-configrule-custompolicydetails-policytext)" : String
}
```

### YAML
<a name="aws-properties-config-configrule-custompolicydetails-syntax.yaml"></a>

```
  [EnableDebugLogDelivery](#cfn-config-configrule-custompolicydetails-enabledebuglogdelivery): Boolean
  [PolicyRuntime](#cfn-config-configrule-custompolicydetails-policyruntime): String
  [PolicyText](#cfn-config-configrule-custompolicydetails-policytext): String
```

## Properties
<a name="aws-properties-config-configrule-custompolicydetails-properties"></a>

`EnableDebugLogDelivery`  <a name="cfn-config-configrule-custompolicydetails-enabledebuglogdelivery"></a>
The boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is `false`.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyRuntime`  <a name="cfn-config-configrule-custompolicydetails-policyruntime"></a>
The runtime system for your AWS Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard).  
*Required*: No  
*Type*: String  
*Pattern*: `guard\-2\.x\.x`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyText`  <a name="cfn-config-configrule-custompolicydetails-policytext"></a>
The policy definition containing the logic for your AWS Config Custom Policy rule.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `10000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigRule EvaluationModeConfiguration
<a name="aws-properties-config-configrule-evaluationmodeconfiguration"></a>

The configuration object for AWS Config rule evaluation mode. The valid values are Detective or Proactive.

## Syntax
<a name="aws-properties-config-configrule-evaluationmodeconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configrule-evaluationmodeconfiguration-syntax.json"></a>

```
{
  "[Mode](#cfn-config-configrule-evaluationmodeconfiguration-mode)" : String
}
```

### YAML
<a name="aws-properties-config-configrule-evaluationmodeconfiguration-syntax.yaml"></a>

```
  [Mode](#cfn-config-configrule-evaluationmodeconfiguration-mode): String
```

## Properties
<a name="aws-properties-config-configrule-evaluationmodeconfiguration-properties"></a>

`Mode`  <a name="cfn-config-configrule-evaluationmodeconfiguration-mode"></a>
The mode of an evaluation. The valid values are Detective or Proactive.  
*Required*: No  
*Type*: String  
*Allowed values*: `DETECTIVE | PROACTIVE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigRule Scope
<a name="aws-properties-config-configrule-scope"></a>

Defines which resources trigger an evaluation for an AWS Config rule. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one resource ID. Specify a scope to constrain which resources trigger an evaluation for a rule. Otherwise, evaluations for the rule are triggered when any resource in your recording group changes in configuration.

## Syntax
<a name="aws-properties-config-configrule-scope-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configrule-scope-syntax.json"></a>

```
{
  "[ComplianceResourceId](#cfn-config-configrule-scope-complianceresourceid)" : String,
  "[ComplianceResourceTypes](#cfn-config-configrule-scope-complianceresourcetypes)" : [ String, ... ],
  "[TagKey](#cfn-config-configrule-scope-tagkey)" : String,
  "[TagValue](#cfn-config-configrule-scope-tagvalue)" : String
}
```

### YAML
<a name="aws-properties-config-configrule-scope-syntax.yaml"></a>

```
  [ComplianceResourceId](#cfn-config-configrule-scope-complianceresourceid): String
  [ComplianceResourceTypes](#cfn-config-configrule-scope-complianceresourcetypes): 
    - String
  [TagKey](#cfn-config-configrule-scope-tagkey): String
  [TagValue](#cfn-config-configrule-scope-tagvalue): String
```

## Properties
<a name="aws-properties-config-configrule-scope-properties"></a>

`ComplianceResourceId`  <a name="cfn-config-configrule-scope-complianceresourceid"></a>
The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for `ComplianceResourceTypes`.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `768`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ComplianceResourceTypes`  <a name="cfn-config-configrule-scope-complianceresourcetypes"></a>
The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for `ComplianceResourceId`.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagKey`  <a name="cfn-config-configrule-scope-tagkey"></a>
The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagValue`  <a name="cfn-config-configrule-scope-tagvalue"></a>
The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for `TagValue`, you must also specify a value for `TagKey`.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-config-configrule-scope--examples"></a>



**Topics**
+ [Multiple Resource Types with Tag-Based Scope](#aws-properties-config-configrule-scope--examples--Multiple_Resource_Types_with_Tag-Based_Scope)
+ [Single Resource Specific Scope](#aws-properties-config-configrule-scope--examples--Single_Resource_Specific_Scope)

### Multiple Resource Types with Tag-Based Scope
<a name="aws-properties-config-configrule-scope--examples--Multiple_Resource_Types_with_Tag-Based_Scope"></a>

This example configures AWS Config to evaluate both Amazon EC2 instances and volumes that are tagged with "`Environment`=`Production`". This is useful when you want to monitor compliance for multiple resource types that share specific tags.

#### YAML
<a name="aws-properties-config-configrule-scope--examples--Multiple_Resource_Types_with_Tag-Based_Scope--yaml"></a>

```
Scope:
  ComplianceResourceTypes:
    - "AWS::EC2::Instance"
    - "AWS::EC2::Volume"
  TagKey: "Environment"
  TagValue: "Production"
```

#### JSON
<a name="aws-properties-config-configrule-scope--examples--Multiple_Resource_Types_with_Tag-Based_Scope--json"></a>

```
{
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance",
      "AWS::EC2::Volume"
    ],
    "TagKey": "Environment",
    "TagValue": "Production"
  }
}
```

### Single Resource Specific Scope
<a name="aws-properties-config-configrule-scope--examples--Single_Resource_Specific_Scope"></a>

This example shows how to target a specific Amazon EC2 instance for evaluation using its resource ID. When using `ComplianceResourceId`, you must specify exactly one resource type in `ComplianceResourceTypes`.

#### YAML
<a name="aws-properties-config-configrule-scope--examples--Single_Resource_Specific_Scope--yaml"></a>

```
Scope:
  ComplianceResourceId: "i-1234567890abcdef0"
  ComplianceResourceTypes: 
    - "AWS::EC2::Instance"
```

#### JSON
<a name="aws-properties-config-configrule-scope--examples--Single_Resource_Specific_Scope--json"></a>

```
{
  "Scope": {
    "ComplianceResourceId": "i-1234567890abcdef0",
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  }
}
```

# AWS::Config::ConfigRule Source
<a name="aws-properties-config-configrule-source"></a>

Provides the CustomPolicyDetails, the rule owner (`AWS` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your AWS resources.

## Syntax
<a name="aws-properties-config-configrule-source-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configrule-source-syntax.json"></a>

```
{
  "[CustomPolicyDetails](#cfn-config-configrule-source-custompolicydetails)" : CustomPolicyDetails,
  "[Owner](#cfn-config-configrule-source-owner)" : String,
  "[SourceDetails](#cfn-config-configrule-source-sourcedetails)" : [ SourceDetail, ... ],
  "[SourceIdentifier](#cfn-config-configrule-source-sourceidentifier)" : String
}
```

### YAML
<a name="aws-properties-config-configrule-source-syntax.yaml"></a>

```
  [CustomPolicyDetails](#cfn-config-configrule-source-custompolicydetails): 
    CustomPolicyDetails
  [Owner](#cfn-config-configrule-source-owner): String
  [SourceDetails](#cfn-config-configrule-source-sourcedetails): 
    - SourceDetail
  [SourceIdentifier](#cfn-config-configrule-source-sourceidentifier): String
```

## Properties
<a name="aws-properties-config-configrule-source-properties"></a>

`CustomPolicyDetails`  <a name="cfn-config-configrule-source-custompolicydetails"></a>
Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to `CUSTOM_POLICY`.  
*Required*: No  
*Type*: [CustomPolicyDetails](aws-properties-config-configrule-custompolicydetails.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Owner`  <a name="cfn-config-configrule-source-owner"></a>
Indicates whether AWS or the customer owns and manages the AWS Config rule.  
AWS Config Managed Rules are predefined rules owned by AWS. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) in the *AWS Config developer guide*.  
AWS Config Custom Rules are rules that you can develop either with Guard (`CUSTOM_POLICY`) or AWS Lambda (`CUSTOM_LAMBDA`). For more information, see [AWS Config Custom Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) in the *AWS Config developer guide*.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `CUSTOM_LAMBDA | AWS | CUSTOM_POLICY`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SourceDetails`  <a name="cfn-config-configrule-source-sourcedetails"></a>
Provides the source and the message types that cause AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.  
If the owner is set to `CUSTOM_POLICY`, the only acceptable values for the AWS Config rule trigger message type are `ConfigurationItemChangeNotification` and `OversizedConfigurationItemChangeNotification`.  
*Required*: No  
*Type*: Array of [SourceDetail](aws-properties-config-configrule-sourcedetail.md)  
*Minimum*: `0`  
*Maximum*: `25`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SourceIdentifier`  <a name="cfn-config-configrule-source-sourceidentifier"></a>
For AWS Config Managed rules, a predefined identifier from a list. For example, `IAM_PASSWORD_POLICY` is a managed rule. To reference a managed rule, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).  
For AWS Config Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function, such as `arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name`.  
For AWS Config Custom Policy rules, this field will be ignored.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigRule SourceDetail
<a name="aws-properties-config-configrule-sourcedetail"></a>

Provides the source and the message types that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic. You can specify the parameter values for `SourceDetail` only for custom rules. 

## Syntax
<a name="aws-properties-config-configrule-sourcedetail-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configrule-sourcedetail-syntax.json"></a>

```
{
  "[EventSource](#cfn-config-configrule-sourcedetail-eventsource)" : String,
  "[MaximumExecutionFrequency](#cfn-config-configrule-sourcedetail-maximumexecutionfrequency)" : String,
  "[MessageType](#cfn-config-configrule-sourcedetail-messagetype)" : String
}
```

### YAML
<a name="aws-properties-config-configrule-sourcedetail-syntax.yaml"></a>

```
  [EventSource](#cfn-config-configrule-sourcedetail-eventsource): String
  [MaximumExecutionFrequency](#cfn-config-configrule-sourcedetail-maximumexecutionfrequency): String
  [MessageType](#cfn-config-configrule-sourcedetail-messagetype): String
```

## Properties
<a name="aws-properties-config-configrule-sourcedetail-properties"></a>

`EventSource`  <a name="cfn-config-configrule-sourcedetail-eventsource"></a>
The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `aws.config`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaximumExecutionFrequency`  <a name="cfn-config-configrule-sourcedetail-maximumexecutionfrequency"></a>
The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic trigger. If you specify a value for `MaximumExecutionFrequency`, then `MessageType` must use the `ScheduledNotification` value.  
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.  
AWS Config runs evaluations once per period of the value that you choose. For example, if you choose `Three_Hours`, AWS Config runs evaluations once every three hours. In this case, `Three_Hours` is the frequency of this rule.  
*Required*: No  
*Type*: String  
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MessageType`  <a name="cfn-config-configrule-sourcedetail-messagetype"></a>
The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:  
+ `ConfigurationItemChangeNotification` - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change.
+ `OversizedConfigurationItemChangeNotification` - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
+ `ScheduledNotification` - Triggers a periodic evaluation at the frequency specified for `MaximumExecutionFrequency`.
+ `ConfigurationSnapshotDeliveryCompleted` - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.

If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for `ConfigurationItemChangeNotification` and one for `OversizedConfigurationItemChangeNotification`.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `ConfigurationItemChangeNotification | ConfigurationSnapshotDeliveryCompleted | ScheduledNotification | OversizedConfigurationItemChangeNotification`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
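
A pre-deployment check for the cross-field constraints documented above for `Scope`, `Source`, `CustomPolicyDetails` and `SourceDetail`, which the syntax blocks alone do not express. This Python linter is an added example, not part of the AWS reference or of any AWS tool; `lint_config_rule`, its helpers, and `SAMPLE_BAD` are hypothetical names, `SAMPLE_BAD` is constructed, and the code assumes literal property values (no intrinsic functions such as `Ref`).

```python
import re

OWNERS = {"AWS", "CUSTOM_LAMBDA", "CUSTOM_POLICY"}
CHANGE_TYPES = {"ConfigurationItemChangeNotification",
                "OversizedConfigurationItemChangeNotification"}
PERIODIC_TYPES = {"ScheduledNotification", "ConfigurationSnapshotDeliveryCompleted"}
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}


def lint_scope(scope):
    """Cross-field checks taken from the Scope property descriptions."""
    findings = []
    types = scope.get("ComplianceResourceTypes", [])
    if "ComplianceResourceId" in scope and len(types) != 1:
        findings.append("Scope: ComplianceResourceId requires exactly one ComplianceResourceTypes entry")
    if "TagValue" in scope and "TagKey" not in scope:
        findings.append("Scope: TagValue requires TagKey")
    if len(types) > 100:
        findings.append("Scope: ComplianceResourceTypes allows at most 100 entries")
    return findings


def lint_source_details(owner, details):
    """Checks taken from the SourceDetails and SourceDetail descriptions."""
    findings, seen = [], set()
    if len(details) > 25:
        findings.append("SourceDetails: at most 25 entries are allowed")
    for i, detail in enumerate(details):
        where = f"SourceDetails[{i}]"
        mtype = detail.get("MessageType")
        seen.add(mtype)
        if detail.get("EventSource") != "aws.config":
            findings.append(f"{where}: EventSource must be aws.config")
        if mtype not in CHANGE_TYPES | PERIODIC_TYPES:
            findings.append(f"{where}: unknown MessageType {mtype!r}")
        elif owner == "CUSTOM_POLICY" and mtype in PERIODIC_TYPES:
            findings.append(f"{where}: CUSTOM_POLICY accepts only change-notification MessageTypes")
        freq = detail.get("MaximumExecutionFrequency")
        if freq is not None:
            if freq not in FREQUENCIES:
                findings.append(f"{where}: invalid MaximumExecutionFrequency {freq!r}")
            if mtype != "ScheduledNotification":
                findings.append(f"{where}: MaximumExecutionFrequency requires MessageType ScheduledNotification")
    if owner == "AWS" and details:
        findings.append("SourceDetails: only custom rules may set SourceDetails")
    # The page asks for both change-notification types on change-triggered custom rules.
    missing = CHANGE_TYPES - seen
    if owner != "AWS" and missing and missing != CHANGE_TYPES:
        findings.append(f"SourceDetails: change-triggered rule lacks {sorted(missing)[0]}")
    return findings


def lint_source(source):
    owner = source.get("Owner")
    if owner not in OWNERS:
        return [f"Source: Owner must be one of {sorted(OWNERS)}, got {owner!r}"]
    findings = lint_source_details(owner, source.get("SourceDetails", []))
    if owner == "CUSTOM_POLICY":
        policy = source.get("CustomPolicyDetails")
        if policy is None:
            findings.append("Source: CustomPolicyDetails is required when Owner is CUSTOM_POLICY")
        else:
            runtime = policy.get("PolicyRuntime")
            if isinstance(runtime, str) and not re.fullmatch(r"guard\-2\.x\.x", runtime):
                findings.append(f"CustomPolicyDetails: PolicyRuntime {runtime!r} does not match guard-2.x.x")
            text = policy.get("PolicyText")
            if isinstance(text, str) and len(text) > 10000:
                findings.append("CustomPolicyDetails: PolicyText exceeds 10000 characters")
    return findings


def lint_config_rule(resource):
    """Return a list of findings for one template resource; empty means none found."""
    if resource.get("Type") != "AWS::Config::ConfigRule":
        return []
    props = resource.get("Properties", {})
    if "Source" not in props:
        findings = ["Source is required"]
    else:
        findings = lint_source(props["Source"])
    return findings + lint_scope(props.get("Scope", {}))


# The page's own managed-rule example (ConfigRuleForVolumeTags).
SAMPLE_GOOD = {"Type": "AWS::Config::ConfigRule", "Properties": {
    "InputParameters": {"tag1Key": "CostCenter"},
    "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Volume"]},
    "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}}}

# Constructed sample that breaks several documented constraints at once.
SAMPLE_BAD = {"Type": "AWS::Config::ConfigRule", "Properties": {
    "Scope": {"ComplianceResourceId": "vol-EXAMPLE",
              "ComplianceResourceTypes": ["AWS::EC2::Volume", "AWS::EC2::Instance"],
              "TagValue": "Production"},
    "Source": {"Owner": "CUSTOM_POLICY", "SourceDetails": [
        {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"},
        {"EventSource": "aws.config", "MessageType": "ScheduledNotification",
         "MaximumExecutionFrequency": "Three_Hours"}]}}}

if __name__ == "__main__":
    for finding in lint_config_rule(SAMPLE_BAD):
        print(finding)
```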

# AWS::Config::ConfigurationAggregator
<a name="aws-resource-config-configurationaggregator"></a>

The details about the configuration aggregator, including information about source accounts, regions, and metadata of the aggregator. 

## Syntax
<a name="aws-resource-config-configurationaggregator-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-configurationaggregator-syntax.json"></a>

```
{
  "Type" : "AWS::Config::ConfigurationAggregator",
  "Properties" : {
      "[AccountAggregationSources](#cfn-config-configurationaggregator-accountaggregationsources)" : [ AccountAggregationSource, ... ],
      "[ConfigurationAggregatorName](#cfn-config-configurationaggregator-configurationaggregatorname)" : String,
      "[OrganizationAggregationSource](#cfn-config-configurationaggregator-organizationaggregationsource)" : OrganizationAggregationSource,
      "[Tags](#cfn-config-configurationaggregator-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-config-configurationaggregator-syntax.yaml"></a>

```
Type: AWS::Config::ConfigurationAggregator
Properties:
  [AccountAggregationSources](#cfn-config-configurationaggregator-accountaggregationsources): 
    - AccountAggregationSource
  [ConfigurationAggregatorName](#cfn-config-configurationaggregator-configurationaggregatorname): String
  [OrganizationAggregationSource](#cfn-config-configurationaggregator-organizationaggregationsource): 
    OrganizationAggregationSource
  [Tags](#cfn-config-configurationaggregator-tags): 
    - Tag
```

## Properties
<a name="aws-resource-config-configurationaggregator-properties"></a>

`AccountAggregationSources`  <a name="cfn-config-configurationaggregator-accountaggregationsources"></a>
Provides a list of source accounts and regions to be aggregated.  
*Required*: No  
*Type*: Array of [AccountAggregationSource](aws-properties-config-configurationaggregator-accountaggregationsource.md)  
*Minimum*: `0`  
*Maximum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ConfigurationAggregatorName`  <a name="cfn-config-configurationaggregator-configurationaggregatorname"></a>
The name of the aggregator.  
*Required*: No  
*Type*: String  
*Pattern*: `[\w\-]+`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`OrganizationAggregationSource`  <a name="cfn-config-configurationaggregator-organizationaggregationsource"></a>
Provides an organization and list of regions to be aggregated.  
*Required*: No  
*Type*: [OrganizationAggregationSource](aws-properties-config-configurationaggregator-organizationaggregationsource.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-config-configurationaggregator-tags"></a>
An array of tag objects.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-config-configurationaggregator-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-configurationaggregator-return-values"></a>

### Ref
<a name="aws-resource-config-configurationaggregator-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ConfigurationAggregatorName, such as `myConfigurationAggregator`. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-configurationaggregator-return-values-fn--getatt"></a>

<a name="aws-resource-config-configurationaggregator-return-values-fn--getatt-fn--getatt"></a>

`ConfigurationAggregatorArn`  <a name="ConfigurationAggregatorArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the aggregator.

## Examples
<a name="aws-resource-config-configurationaggregator--examples"></a>



**Topics**
+ [Configuration Aggregator With Multiple Accounts Multiple Regions](#aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_With_Multiple_Accounts_Multiple_Regions)
+ [Configuration Aggregator for an Organization](#aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_for_an_Organization)

### Configuration Aggregator With Multiple Accounts Multiple Regions
<a name="aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_With_Multiple_Accounts_Multiple_Regions"></a>

The following example creates a `ConfigurationAggregator` that aggregates data from two source accounts in two regions.

#### JSON
<a name="aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_With_Multiple_Accounts_Multiple_Regions--json"></a>

```
"ConfigurationAggregator": {
  "Type": "AWS::Config::ConfigurationAggregator",
  "Properties": {
    "AccountAggregationSources": [
      {
        "AccountIds": [
          "123456789012",
          "987654321012"
        ],
        "AwsRegions": [
          "us-west-2",
          "us-east-1"
        ],
        "AllAwsRegions": false
      }
    ],
    "ConfigurationAggregatorName": "MyConfigurationAggregator"
  }
}
```

#### YAML
<a name="aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_With_Multiple_Accounts_Multiple_Regions--yaml"></a>

```
ConfigurationAggregator:
  Type: 'AWS::Config::ConfigurationAggregator'
  Properties:
    AccountAggregationSources:
      - AccountIds:
          - '123456789012'
          - '987654321012'
        AwsRegions:
          - us-west-2
          - us-east-1
        AllAwsRegions: false
    ConfigurationAggregatorName: MyConfigurationAggregator
```

### Configuration Aggregator for an Organization
<a name="aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_for_an_Organization"></a>

The following example creates a `ConfigurationAggregator` for an organization.

**Considerations**
+ The aggregator account must be the management account or a delegated administrator account in the organization
+ AWS Config must be enabled with proper service access in the organization
+ The role must have proper permissions to call AWS Organizations APIs

#### JSON
<a name="aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_for_an_Organization--json"></a>

```
"ConfigurationAggregator": {
    "Type": "AWS::Config::ConfigurationAggregator",
    "Properties": {
        "OrganizationAggregationSource": {
            "RoleArn": { "Fn::GetAtt" : [ "MyRole", "Arn" ] },
            "AwsRegions": [
                "us-west-2",
                "us-east-1"
            ],
            "AllAwsRegions": false
        },
        "ConfigurationAggregatorName": "MyConfigurationAggregator"
    }
},

"MyRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
        ],
        "Path": "/service-role/",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ 
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "config.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Policies": [
            {
                "PolicyName": "OrganizationAccess",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "organizations:DescribeOrganization",
                                "organizations:ListAWSServiceAccessForOrganization",
                                "organizations:ListAccounts"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        ]
    }
}
```

#### YAML
<a name="aws-resource-config-configurationaggregator--examples--Configuration_Aggregator_for_an_Organization--yaml"></a>

```
ConfigurationAggregator:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
        OrganizationAggregationSource:
            RoleArn: !GetAtt MyRole.Arn
            AwsRegions:
                - us-west-2
                - us-east-1
            AllAwsRegions: false
        ConfigurationAggregatorName: MyConfigurationAggregator
              
MyRole:
    Type: AWS::IAM::Role
    Properties: 
        ManagedPolicyArns: 
            - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
        Path: "/service-role/"
        AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                    Service:
                        - config.amazonaws.com
                Action:
                    - 'sts:AssumeRole'
        Policies:
            - PolicyName: OrganizationAccess
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                    - Effect: Allow
                      Action:
                        - organizations:DescribeOrganization
                        - organizations:ListAWSServiceAccessForOrganization
                        - organizations:ListAccounts
                      Resource: "*"
```
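
The considerations listed for the organization aggregator can be checked before a template is deployed. The following Python sketch is an added example, not part of the AWS reference: it walks a template's `Resources` mapping in parsed JSON form, reports aggregation sources that cover only a fixed Region list, and checks that the role behind `RoleArn` trusts only `config.amazonaws.com`. It assumes that either the managed policy or the three inline `organizations:` actions from the example role is sufficient; the function names and the constructed `WEAK_EXAMPLE` are hypothetical.

```python
import copy

CONFIG_PRINCIPAL = "Service:config.amazonaws.com"
ORG_MANAGED_POLICY = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
ORG_ACTIONS = {  # inline actions granted by the page's example role
    "organizations:DescribeOrganization",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:ListAccounts",
}


def _as_list(value):
    """Policy fields may hold a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _allowed(statements, field):
    """Collect the values of `field` from every Allow statement."""
    found = set()
    for stmt in _as_list(statements):
        value = stmt.get(field) if stmt.get("Effect") == "Allow" else None
        if isinstance(value, dict):  # Principal written as {"Service": ...}
            for kind, names in value.items():
                found.update(f"{kind}:{name}" for name in _as_list(names))
        else:
            found.update(_as_list(value))
    return found


def check_org_role(role_arn, resources):
    """Check the trust policy and Organizations permissions behind RoleArn."""
    ref = role_arn.get("Fn::GetAtt") if isinstance(role_arn, dict) else None
    role_id = ref.split(".")[0] if isinstance(ref, str) else (ref or [None])[0]
    role = resources.get(role_id, {})
    if role.get("Type") != "AWS::IAM::Role":
        return ["RoleArn is not a role defined in this template, review it separately"]
    props = role.get("Properties", {})
    trusted = _allowed(props.get("AssumeRolePolicyDocument", {}).get("Statement"), "Principal")
    findings = []
    if CONFIG_PRINCIPAL not in trusted:
        findings.append(f"{role_id}: config.amazonaws.com cannot assume the role")
    for other in sorted(trusted - {CONFIG_PRINCIPAL}):
        findings.append(f"{role_id}: trust policy also allows {other}")
    actions = set()
    for policy in _as_list(props.get("Policies")):
        actions |= _allowed(policy.get("PolicyDocument", {}).get("Statement"), "Action")
    # Exact action names only; wildcards such as organizations:* are not expanded.
    missing = ORG_ACTIONS - actions
    if missing and ORG_MANAGED_POLICY not in _as_list(props.get("ManagedPolicyArns")):
        findings.append(f"{role_id}: missing {', '.join(sorted(missing))}")
    return findings


def audit_aggregators(resources):
    """Return findings for every aggregator in a template's Resources mapping."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::Config::ConfigurationAggregator":
            continue
        props = res.get("Properties", {})
        sources = [("account", s) for s in _as_list(props.get("AccountAggregationSources"))]
        if props.get("OrganizationAggregationSource"):
            sources.append(("organization", props["OrganizationAggregationSource"]))
        for kind, src in sources:
            if str(src.get("AllAwsRegions")).lower() != "true":
                regions = ", ".join(src.get("AwsRegions", [])) or "no Regions"
                findings.append(f"{logical_id}: {kind} source covers only {regions}")
            if kind == "organization":
                findings.extend(check_org_role(src.get("RoleArn"), resources))
    return findings


# The page's organization example, reduced to the fields the audit reads.
PAGE_EXAMPLE = {
    "ConfigurationAggregator": {
        "Type": "AWS::Config::ConfigurationAggregator",
        "Properties": {"OrganizationAggregationSource": {
            "RoleArn": {"Fn::GetAtt": ["MyRole", "Arn"]},
            "AwsRegions": ["us-west-2", "us-east-1"], "AllAwsRegions": False}},
    },
    "MyRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "ManagedPolicyArns": [ORG_MANAGED_POLICY],
            "AssumeRolePolicyDocument": {"Statement": [{
                "Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"Service": "config.amazonaws.com"}}]},
        },
    },
}

# Constructed variant: wider trust policy and no Organizations permissions.
WEAK_EXAMPLE = copy.deepcopy(PAGE_EXAMPLE)
WEAK_EXAMPLE["MyRole"]["Properties"]["ManagedPolicyArns"] = []
WEAK_EXAMPLE["MyRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0][
    "Principal"]["AWS"] = "*"

if __name__ == "__main__":
    print("\n".join(audit_aggregators(WEAK_EXAMPLE)))
```

For the page's example the only finding is the fixed Region list, because `AllAwsRegions` is `false` and Regions added later are not aggregated.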

# AWS::Config::ConfigurationAggregator AccountAggregationSource
<a name="aws-properties-config-configurationaggregator-accountaggregationsource"></a>

A collection of accounts and regions.

## Syntax
<a name="aws-properties-config-configurationaggregator-accountaggregationsource-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationaggregator-accountaggregationsource-syntax.json"></a>

```
{
  "[AccountIds](#cfn-config-configurationaggregator-accountaggregationsource-accountids)" : [ String, ... ],
  "[AllAwsRegions](#cfn-config-configurationaggregator-accountaggregationsource-allawsregions)" : Boolean,
  "[AwsRegions](#cfn-config-configurationaggregator-accountaggregationsource-awsregions)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-config-configurationaggregator-accountaggregationsource-syntax.yaml"></a>

```
  [AccountIds](#cfn-config-configurationaggregator-accountaggregationsource-accountids): 
    - String
  [AllAwsRegions](#cfn-config-configurationaggregator-accountaggregationsource-allawsregions): Boolean
  [AwsRegions](#cfn-config-configurationaggregator-accountaggregationsource-awsregions): 
    - String
```

## Properties
<a name="aws-properties-config-configurationaggregator-accountaggregationsource-properties"></a>

`AccountIds`  <a name="cfn-config-configurationaggregator-accountaggregationsource-accountids"></a>
The 12-digit account ID of the account being aggregated.   
*Required*: Yes  
*Type*: Array of String  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`AllAwsRegions`  <a name="cfn-config-configurationaggregator-accountaggregationsource-allawsregions"></a>
If true, aggregate existing AWS Config regions and future regions.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`AwsRegions`  <a name="cfn-config-configurationaggregator-accountaggregationsource-awsregions"></a>
The source regions being aggregated.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigurationAggregator OrganizationAggregationSource
<a name="aws-properties-config-configurationaggregator-organizationaggregationsource"></a>

This object contains regions to set up the aggregator and an IAM role to retrieve organization details.

## Syntax
<a name="aws-properties-config-configurationaggregator-organizationaggregationsource-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationaggregator-organizationaggregationsource-syntax.json"></a>

```
{
  "[AllAwsRegions](#cfn-config-configurationaggregator-organizationaggregationsource-allawsregions)" : Boolean,
  "[AwsRegions](#cfn-config-configurationaggregator-organizationaggregationsource-awsregions)" : [ String, ... ],
  "[RoleArn](#cfn-config-configurationaggregator-organizationaggregationsource-rolearn)" : String
}
```

### YAML
<a name="aws-properties-config-configurationaggregator-organizationaggregationsource-syntax.yaml"></a>

```
  [AllAwsRegions](#cfn-config-configurationaggregator-organizationaggregationsource-allawsregions): Boolean
  [AwsRegions](#cfn-config-configurationaggregator-organizationaggregationsource-awsregions): 
    - String
  [RoleArn](#cfn-config-configurationaggregator-organizationaggregationsource-rolearn): String
```

## Properties
<a name="aws-properties-config-configurationaggregator-organizationaggregationsource-properties"></a>

`AllAwsRegions`  <a name="cfn-config-configurationaggregator-organizationaggregationsource-allawsregions"></a>
If true, aggregate existing AWS Config regions and future regions.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`AwsRegions`  <a name="cfn-config-configurationaggregator-organizationaggregationsource-awsregions"></a>
The source regions being aggregated.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RoleArn`  <a name="cfn-config-configurationaggregator-organizationaggregationsource-rolearn"></a>
ARN of the IAM role used to retrieve AWS Organizations details associated with the aggregator account.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigurationAggregator Tag
<a name="aws-properties-config-configurationaggregator-tag"></a>

The tags for the resource. Tags are metadata that you apply to a resource to help you categorize and organize it. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum length of 128 characters, and tag values can have a maximum length of 256 characters.

## Syntax
<a name="aws-properties-config-configurationaggregator-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationaggregator-tag-syntax.json"></a>

```
{
  "[Key](#cfn-config-configurationaggregator-tag-key)" : String,
  "[Value](#cfn-config-configurationaggregator-tag-value)" : String
}
```

### YAML
<a name="aws-properties-config-configurationaggregator-tag-syntax.yaml"></a>

```
  [Key](#cfn-config-configurationaggregator-tag-key): String
  [Value](#cfn-config-configurationaggregator-tag-value): String
```

## Properties
<a name="aws-properties-config-configurationaggregator-tag-properties"></a>

`Key`  <a name="cfn-config-configurationaggregator-tag-key"></a>
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-config-configurationaggregator-tag-value"></a>
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigurationRecorder
<a name="aws-resource-config-configurationrecorder"></a>

The `AWS::Config::ConfigurationRecorder` resource type describes the AWS resource types that AWS Config records for configuration changes.

The configuration recorder stores the configuration changes of the specified resources in your account as configuration items.

**Note**  
To enable AWS Config, you must create a configuration recorder and a delivery channel.  
AWS Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket or Amazon SNS topic. For more information, see [AWS::Config::DeliveryChannel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-deliverychannel.html).

AWS CloudFormation starts the recorder as soon as the delivery channel is available.

To stop the recorder and delete it, delete the configuration recorder from your stack. To stop the recorder without deleting it, call the [StopConfigurationRecorder](https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html) action of the AWS Config API directly.

For more information, see [Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-recorder) in the AWS Config Developer Guide.

## Syntax
<a name="aws-resource-config-configurationrecorder-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-configurationrecorder-syntax.json"></a>

```
{
  "Type" : "AWS::Config::ConfigurationRecorder",
  "Properties" : {
      "[Name](#cfn-config-configurationrecorder-name)" : String,
      "[RecordingGroup](#cfn-config-configurationrecorder-recordinggroup)" : RecordingGroup,
      "[RecordingMode](#cfn-config-configurationrecorder-recordingmode)" : RecordingMode,
      "[RoleARN](#cfn-config-configurationrecorder-rolearn)" : String
    }
}
```

### YAML
<a name="aws-resource-config-configurationrecorder-syntax.yaml"></a>

```
Type: AWS::Config::ConfigurationRecorder
Properties:
  [Name](#cfn-config-configurationrecorder-name): String
  [RecordingGroup](#cfn-config-configurationrecorder-recordinggroup): 
    RecordingGroup
  [RecordingMode](#cfn-config-configurationrecorder-recordingmode): 
    RecordingMode
  [RoleARN](#cfn-config-configurationrecorder-rolearn): String
```

## Properties
<a name="aws-resource-config-configurationrecorder-properties"></a>

`Name`  <a name="cfn-config-configurationrecorder-name"></a>
The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.  
You cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.   
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RecordingGroup`  <a name="cfn-config-configurationrecorder-recordinggroup"></a>
Specifies which resource types AWS Config records for configuration changes.  
 **High Number of AWS Config Evaluations**   
You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.  
If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.
*Required*: No  
*Type*: [RecordingGroup](aws-properties-config-configurationrecorder-recordinggroup.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RecordingMode`  <a name="cfn-config-configurationrecorder-recordingmode"></a>
Specifies the default recording frequency for the configuration recorder. AWS Config supports *Continuous recording* and *Daily recording*.  
+ Continuous recording allows you to record configuration changes continuously whenever a change occurs.
+ Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. 
 **Some resource types require continuous recording**   
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
You can also override the recording frequency for specific resource types.  
*Required*: No  
*Type*: [RecordingMode](aws-properties-config-configurationrecorder-recordingmode.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RoleARN`  <a name="cfn-config-configurationrecorder-rolearn"></a>
Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.  
 **Pre-existing AWS Config role**   
If you have used an AWS service that uses AWS Config, such as AWS Security Hub CSPM or AWS Control Tower, and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.   
For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service (Amazon S3) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config. Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config, see [https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide*. 
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-configurationrecorder-return-values"></a>

### Ref
<a name="aws-resource-config-configurationrecorder-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the configuration recorder name, such as `default`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-configurationrecorder-return-values-fn--getatt"></a>

## Examples
<a name="aws-resource-config-configurationrecorder--examples"></a>



### Configuration Recorder
<a name="aws-resource-config-configurationrecorder--examples--Configuration_Recorder"></a>

The following example creates a configuration recorder for EC2 volumes.

#### JSON
<a name="aws-resource-config-configurationrecorder--examples--Configuration_Recorder--json"></a>

```
"ConfigRecorder": {
  "Type": "AWS::Config::ConfigurationRecorder",
  "Properties": {
    "Name": "default",
    "RecordingGroup": {
      "ResourceTypes": ["AWS::EC2::Volume"]
    },
    "RoleARN": {"Fn::GetAtt": ["ConfigRole", "Arn"]}
  }
}
```

#### YAML
<a name="aws-resource-config-configurationrecorder--examples--Configuration_Recorder--yaml"></a>

```
ConfigRecorder: 
  Type: AWS::Config::ConfigurationRecorder
  Properties: 
    Name: default
    RecordingGroup: 
      ResourceTypes: 
        - "AWS::EC2::Volume"
    RoleARN: 
      Fn::GetAtt: 
        - ConfigRole
        - Arn
```

# AWS::Config::ConfigurationRecorder ExclusionByResourceTypes
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes"></a>

Specifies whether the configuration recorder excludes certain resource types from being recorded. Use the `ResourceTypes` field to enter a comma-separated list of resource types you want to exclude from recording.

By default, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.

**Note**  
 **How to use the exclusion recording strategy**   
To use this option, you must set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES`.  
AWS Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.  
 **Global resource types and the exclusion recording strategy**   
Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions where the configuration recorder is enabled.  
IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:  
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Melbourne)
+ Canada West (Calgary)
+ Europe (Spain)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Middle East (UAE)

## Syntax
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes-syntax.json"></a>

```
{
  "[ResourceTypes](#cfn-config-configurationrecorder-exclusionbyresourcetypes-resourcetypes)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes-syntax.yaml"></a>

```
  [ResourceTypes](#cfn-config-configurationrecorder-exclusionbyresourcetypes-resourcetypes): 
    - String
```

## Properties
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes-properties"></a>

`ResourceTypes`  <a name="cfn-config-configurationrecorder-exclusionbyresourcetypes-resourcetypes"></a>
A comma-separated list of resource types to exclude from recording by the configuration recorder.  
*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes--examples"></a>



### Record all current and future supported resource types excluding the types you specify
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify--json"></a>

```
{
    "AllSupported": false,
    "ExclusionByResourceTypes": { 
        "ResourceTypes": [
            "AWS::Redshift::ClusterSnapshot",
            "AWS::RDS::DBClusterSnapshot",
            "AWS::CloudFront::StreamingDistribution"
        ]
    },
    "IncludeGlobalResourceTypes": false,
    "RecordingStrategy": {
        "UseOnly": "EXCLUSION_BY_RESOURCE_TYPES" 
    }                
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-exclusionbyresourcetypes--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify--yaml"></a>

```
AllSupported: false
ExclusionByResourceTypes:
    ResourceTypes:
    - AWS::Redshift::ClusterSnapshot
    - AWS::RDS::DBClusterSnapshot
    - AWS::CloudFront::StreamingDistribution
IncludeGlobalResourceTypes: false
RecordingStrategy:
    UseOnly: EXCLUSION_BY_RESOURCE_TYPES
```

# AWS::Config::ConfigurationRecorder RecordingGroup
<a name="aws-properties-config-configurationrecorder-recordinggroup"></a>

Specifies which resource types AWS Config records for configuration changes. By default, AWS Config records configuration changes for all current and future supported resource types in the AWS Region where you have enabled AWS Config, excluding the global IAM resource types: IAM users, groups, roles, and customer managed policies.

In the recording group, you specify whether you want to record all current and future supported resource types or to include or exclude specific resource types. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide*.

If you don't want AWS Config to record all current and future supported resource types (excluding the global IAM resource types), use one of the following recording strategies:

1. **Record all current and future resource types with exclusions** (`EXCLUSION_BY_RESOURCE_TYPES`), or

1. **Record specific resource types** (`INCLUSION_BY_RESOURCE_TYPES`).

If you use the recording strategy to **Record all current and future resource types** (`ALL_SUPPORTED_RESOURCE_TYPES`), you can use the flag `IncludeGlobalResourceTypes` to include the global IAM resource types in your recording.

**Important**  
 **Aurora global clusters are recorded in all enabled Regions**   
The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled.  
If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use the `EXCLUSION_BY_RESOURCE_TYPES` or `INCLUSION_BY_RESOURCE_TYPES` recording strategy.

## Syntax
<a name="aws-properties-config-configurationrecorder-recordinggroup-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationrecorder-recordinggroup-syntax.json"></a>

```
{
  "[AllSupported](#cfn-config-configurationrecorder-recordinggroup-allsupported)" : Boolean,
  "[ExclusionByResourceTypes](#cfn-config-configurationrecorder-recordinggroup-exclusionbyresourcetypes)" : ExclusionByResourceTypes,
  "[IncludeGlobalResourceTypes](#cfn-config-configurationrecorder-recordinggroup-includeglobalresourcetypes)" : Boolean,
  "[RecordingStrategy](#cfn-config-configurationrecorder-recordinggroup-recordingstrategy)" : RecordingStrategy,
  "[ResourceTypes](#cfn-config-configurationrecorder-recordinggroup-resourcetypes)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-config-configurationrecorder-recordinggroup-syntax.yaml"></a>

```
  [AllSupported](#cfn-config-configurationrecorder-recordinggroup-allsupported): Boolean
  [ExclusionByResourceTypes](#cfn-config-configurationrecorder-recordinggroup-exclusionbyresourcetypes): 
    ExclusionByResourceTypes
  [IncludeGlobalResourceTypes](#cfn-config-configurationrecorder-recordinggroup-includeglobalresourcetypes): Boolean
  [RecordingStrategy](#cfn-config-configurationrecorder-recordinggroup-recordingstrategy): 
    RecordingStrategy
  [ResourceTypes](#cfn-config-configurationrecorder-recordinggroup-resourcetypes): 
    - String
```

## Properties
<a name="aws-properties-config-configurationrecorder-recordinggroup-properties"></a>

`AllSupported`  <a name="cfn-config-configurationrecorder-recordinggroup-allsupported"></a>
Specifies whether AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types.  
If you set this field to `true`, when AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.  
If you set this field to `true`, you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html), or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html).  
 **Region availability**   
Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config.
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExclusionByResourceTypes`  <a name="cfn-config-configurationrecorder-recordinggroup-exclusionbyresourcetypes"></a>
An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.  
To use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES`.  
*Required*: No  
*Type*: [ExclusionByResourceTypes](aws-properties-config-configurationrecorder-exclusionbyresourcetypes.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IncludeGlobalResourceTypes`  <a name="cfn-config-configurationrecorder-recordinggroup-includeglobalresourcetypes"></a>
This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:  
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Melbourne)
+ Canada West (Calgary)
+ Europe (Spain)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Middle East (UAE)
 **Aurora global clusters are recorded in all enabled Regions**   
The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `IncludeGlobalResourceTypes` is set to `false`. The `IncludeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.   
If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:  

1. **Record all current and future resource types with exclusions** (`EXCLUSION_BY_RESOURCE_TYPES`), or

1. **Record specific resource types** (`INCLUSION_BY_RESOURCE_TYPES`).
For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide*.
 **IncludeGlobalResourceTypes and the exclusion recording strategy**   
The `IncludeGlobalResourceTypes` field has no impact on the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy. This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for `ExclusionByResourceTypes` when `IncludeGlobalResourceTypes` is set to `false`.  
The `IncludeGlobalResourceTypes` field should only be used to modify the `AllSupported` field, as the default for the `AllSupported` field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when `AllSupported` is set to `true`, make sure to set `IncludeGlobalResourceTypes` to `true`.  
To exclude the global IAM resource types for the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, you need to manually add them to the `ResourceTypes` field of `ExclusionByResourceTypes`.
 **Required and optional fields**   
Before you set this field to `true`, set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true`. Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES`.
 **Overriding fields**   
If you set this field to `false` but list global IAM resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html), AWS Config will still record configuration changes for those specified resource types *regardless* of whether you set the `IncludeGlobalResourceTypes` field to false.  
If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `ResourceTypes` field in addition to setting the `IncludeGlobalResourceTypes` field to false.
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RecordingStrategy`  <a name="cfn-config-configurationrecorder-recordinggroup-recordingstrategy"></a>
An object that specifies the recording strategy for the configuration recorder.  
+ If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES`, AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true`. When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.
+ If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES`, AWS Config records configuration changes for only the resource types you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html).
+ If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES`, AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html).
 **Required and optional fields**   
The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true`.  
The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html).  
The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html).
 **Overriding fields**   
If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.  
For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes`.
 **Global resource types and the resource exclusion recording strategy**   
By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.  
Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions where the configuration recorder is enabled.  
IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:  
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Melbourne)
+ Canada West (Calgary)
+ Europe (Spain)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Middle East (UAE)
*Required*: No  
*Type*: [RecordingStrategy](aws-properties-config-configurationrecorder-recordingstrategy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTypes`  <a name="cfn-config-configurationrecorder-recordinggroup-resourcetypes"></a>
A comma-separated list that specifies which resource types AWS Config records.  
For a list of valid `ResourceTypes` values, see the **Resource Type Value** column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide*.  
 **Required and optional fields**   
Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES`.  
To record all configuration changes, set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true`, and either omit this field or don't specify any resource types in this field. If you set the `AllSupported` field to `false` and specify values for `ResourceTypes`, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.
 **Region availability**   
Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config. If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
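
The interaction between `IncludeGlobalResourceTypes`, `RecordingStrategy`, `ResourceTypes`, and `ExclusionByResourceTypes` described above can be checked before a template is deployed. The following Python sketch is an added example, not AWS code: it applies the rules stated in this section to a `RecordingGroup` and reports which global IAM resource types end up recorded. The function names, the `region_supports_global_iam` parameter, and the mapping of "IAM users, groups, roles, and customer managed policies" to four resource type names are assumptions of this example.

```python
"""Added example: which global IAM resource types does a RecordingGroup record?"""

# Assumed mapping of the page's "IAM users, groups, roles, and customer
# managed policies" to AWS Config resource type names.
GLOBAL_IAM_TYPES = frozenset({
    "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy",
})


def resolve_strategy(group):
    """Return UseOnly, or infer it when the optional RecordingStrategy is omitted."""
    use_only = (group.get("RecordingStrategy") or {}).get("UseOnly")
    if use_only:
        return use_only
    if group.get("AllSupported"):
        return "ALL_SUPPORTED_RESOURCE_TYPES"
    if group.get("ResourceTypes"):
        return "INCLUSION_BY_RESOURCE_TYPES"
    return None


def audit_recording_group(group, region_supports_global_iam=True):
    """Return (strategy, recorded_global_iam_types, findings) for a RecordingGroup dict.

    region_supports_global_iam is a hypothetical switch for the Regions listed
    on this page where the global IAM resource types cannot be recorded.
    """
    findings = []
    strategy = resolve_strategy(group)
    all_supported = bool(group.get("AllSupported", False))
    include_global = bool(group.get("IncludeGlobalResourceTypes", False))
    included = set(group.get("ResourceTypes") or [])
    excluded = set((group.get("ExclusionByResourceTypes") or {}).get("ResourceTypes") or [])

    # Field requirements stated under "Required and optional fields".
    if excluded and strategy != "EXCLUSION_BY_RESOURCE_TYPES":
        findings.append("ERROR: ExclusionByResourceTypes requires "
                        "RecordingStrategy.UseOnly=EXCLUSION_BY_RESOURCE_TYPES")
    if include_global and not all_supported:
        findings.append("ERROR: IncludeGlobalResourceTypes=true requires AllSupported=true")

    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if not all_supported:
            findings.append("ERROR: ALL_SUPPORTED_RESOURCE_TYPES requires AllSupported=true")
        # Global IAM types are left out unless the bundle flag is set.
        recorded = set(GLOBAL_IAM_TYPES) if include_global else set()
        if not include_global:
            findings.append("WARN: global IAM types are not recorded; "
                            "set IncludeGlobalResourceTypes=true to record them")
    elif strategy == "INCLUSION_BY_RESOURCE_TYPES":
        # Explicitly listed IAM types win over IncludeGlobalResourceTypes=false.
        recorded = included & GLOBAL_IAM_TYPES
        if recorded and not include_global:
            findings.append("NOTE: IAM types listed in ResourceTypes are recorded "
                            "even though IncludeGlobalResourceTypes is false")
    elif strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # The flag has no effect; only explicit exclusions stop IAM recording.
        recorded = GLOBAL_IAM_TYPES - excluded
        if recorded and not include_global:
            findings.append("WARN: IncludeGlobalResourceTypes=false has no effect with this "
                            "strategy; exclude IAM types explicitly to stop recording them")
    else:
        recorded = set()
        findings.append("ERROR: no recording strategy could be determined")

    if recorded and not region_supports_global_iam:
        findings.append("WARN: this Region cannot record the global IAM resource types")
        recorded = set()
    return strategy, frozenset(recorded), findings


# The three RecordingGroup examples from this page, embedded as Python dicts.
PAGE_EXAMPLES = {
    "all_supported": {
        "AllSupported": True,
        "RecordingStrategy": {"UseOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
        "IncludeGlobalResourceTypes": True,
    },
    "exclusion": {
        "AllSupported": False,
        "ExclusionByResourceTypes": {"ResourceTypes": [
            "AWS::Redshift::ClusterSnapshot",
            "AWS::RDS::DBClusterSnapshot",
            "AWS::CloudFront::StreamingDistribution",
        ]},
        "IncludeGlobalResourceTypes": False,
        "RecordingStrategy": {"UseOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    },
    "inclusion": {
        "AllSupported": False,
        "RecordingStrategy": {"UseOnly": "INCLUSION_BY_RESOURCE_TYPES"},
        "IncludeGlobalResourceTypes": False,
        "ResourceTypes": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
                          "AWS::IAM::User", "AWS::IAM::Policy"],
    },
}

if __name__ == "__main__":
    for name, group in PAGE_EXAMPLES.items():
        strategy, recorded, findings = audit_recording_group(group)
        print(f"{name}: {strategy}, IAM types recorded: {sorted(recorded)}")
        for finding in findings:
            print(f"  {finding}")
```

Run against the page's exclusion example, the check reports that all four global IAM types are still recorded despite `IncludeGlobalResourceTypes: false`, which is the behaviour described under **Overriding fields**.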

## Examples
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples"></a>



**Topics**
+ [Record all current and future supported resource types](#aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types)
+ [Record all current and future supported resource types excluding the types you specify](#aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify)
+ [Record specific resource types](#aws-properties-config-configurationrecorder-recordinggroup--examples--Record_specific_resource_types)

### Record all current and future supported resource types
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types--json"></a>

```
{
    "AllSupported": true,
    "RecordingStrategy": {
        "UseOnly": "ALL_SUPPORTED_RESOURCE_TYPES" 
    },
    "IncludeGlobalResourceTypes": true
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types--yaml"></a>

```
AllSupported: true
RecordingStrategy:
    UseOnly: ALL_SUPPORTED_RESOURCE_TYPES
IncludeGlobalResourceTypes: true
```

### Record all current and future supported resource types excluding the types you specify
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify--json"></a>

```
{
    "AllSupported": false,
    "ExclusionByResourceTypes": { 
        "ResourceTypes": [
            "AWS::Redshift::ClusterSnapshot",
            "AWS::RDS::DBClusterSnapshot",
            "AWS::CloudFront::StreamingDistribution"
        ]
    },
    "IncludeGlobalResourceTypes": false,
    "RecordingStrategy": {
        "UseOnly": "EXCLUSION_BY_RESOURCE_TYPES" 
    }
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify--yaml"></a>

```
AllSupported: false
ExclusionByResourceTypes:
    ResourceTypes:
    - AWS::Redshift::ClusterSnapshot
    - AWS::RDS::DBClusterSnapshot
    - AWS::CloudFront::StreamingDistribution
IncludeGlobalResourceTypes: false
RecordingStrategy:
    UseOnly: EXCLUSION_BY_RESOURCE_TYPES
```

### Record specific resource types
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_specific_resource_types"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_specific_resource_types--json"></a>

```
{
    "AllSupported": false,
    "RecordingStrategy": {
        "UseOnly": "INCLUSION_BY_RESOURCE_TYPES" 
    },
    "IncludeGlobalResourceTypes": false,
    "ResourceTypes": [
        "AWS::EC2::EIP",
        "AWS::EC2::Instance",
        "AWS::EC2::NetworkAcl",
        "AWS::EC2::SecurityGroup",
        "AWS::CloudTrail::Trail",
        "AWS::EC2::Volume", 
        "AWS::EC2::VPC",
        "AWS::IAM::User",
        "AWS::IAM::Policy"
    ]
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-recordinggroup--examples--Record_specific_resource_types--yaml"></a>

```
AllSupported: false
RecordingStrategy:
    UseOnly: INCLUSION_BY_RESOURCE_TYPES
IncludeGlobalResourceTypes: false
ResourceTypes:
- AWS::EC2::EIP
- AWS::EC2::Instance
- AWS::EC2::NetworkAcl
- AWS::EC2::SecurityGroup
- AWS::CloudTrail::Trail
- AWS::EC2::Volume
- AWS::EC2::VPC
- AWS::IAM::User
- AWS::IAM::Policy
```

# AWS::Config::ConfigurationRecorder RecordingMode
<a name="aws-properties-config-configurationrecorder-recordingmode"></a>

Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording*.
+ Continuous recording allows you to record configuration changes continuously whenever a change occurs.
+ Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. 

**Note**  
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

You can also override the recording frequency for specific resource types.

## Syntax
<a name="aws-properties-config-configurationrecorder-recordingmode-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationrecorder-recordingmode-syntax.json"></a>

```
{
  "[RecordingFrequency](#cfn-config-configurationrecorder-recordingmode-recordingfrequency)" : String,
  "[RecordingModeOverrides](#cfn-config-configurationrecorder-recordingmode-recordingmodeoverrides)" : [ RecordingModeOverride, ... ]
}
```

### YAML
<a name="aws-properties-config-configurationrecorder-recordingmode-syntax.yaml"></a>

```
  [RecordingFrequency](#cfn-config-configurationrecorder-recordingmode-recordingfrequency): String
  [RecordingModeOverrides](#cfn-config-configurationrecorder-recordingmode-recordingmodeoverrides): 
    - RecordingModeOverride
```

## Properties
<a name="aws-properties-config-configurationrecorder-recordingmode-properties"></a>

`RecordingFrequency`  <a name="cfn-config-configurationrecorder-recordingmode-recordingfrequency"></a>
The default recording frequency that AWS Config uses to record configuration changes.  
Daily recording cannot be specified for the following resource types:  
+  `AWS::Config::ResourceCompliance` 
+  `AWS::Config::ConformancePackCompliance` 
+  `AWS::Config::ConfigurationRecorder` 
For the **allSupported** (`ALL_SUPPORTED_RESOURCE_TYPES`) recording strategy, these resource types will be set to Continuous recording.
*Required*: Yes  
*Type*: String  
*Allowed values*: `CONTINUOUS | DAILY`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RecordingModeOverrides`  <a name="cfn-config-configurationrecorder-recordingmode-recordingmodeoverrides"></a>
An array of `recordingModeOverride` objects for you to specify your overrides for the recording mode. The `recordingModeOverride` object in the `recordingModeOverrides` array consists of three fields: a `description`, the new `recordingFrequency`, and an array of `resourceTypes` to override.  
*Required*: No  
*Type*: Array of [RecordingModeOverride](aws-properties-config-configurationrecorder-recordingmodeoverride.md)  
*Minimum*: `0`  
*Maximum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigurationRecorder RecordingModeOverride
<a name="aws-properties-config-configurationrecorder-recordingmodeoverride"></a>

An object for you to specify your overrides for the recording mode.

## Syntax
<a name="aws-properties-config-configurationrecorder-recordingmodeoverride-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationrecorder-recordingmodeoverride-syntax.json"></a>

```
{
  "[Description](#cfn-config-configurationrecorder-recordingmodeoverride-description)" : String,
  "[RecordingFrequency](#cfn-config-configurationrecorder-recordingmodeoverride-recordingfrequency)" : String,
  "[ResourceTypes](#cfn-config-configurationrecorder-recordingmodeoverride-resourcetypes)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-config-configurationrecorder-recordingmodeoverride-syntax.yaml"></a>

```
  [Description](#cfn-config-configurationrecorder-recordingmodeoverride-description): String
  [RecordingFrequency](#cfn-config-configurationrecorder-recordingmodeoverride-recordingfrequency): String
  [ResourceTypes](#cfn-config-configurationrecorder-recordingmodeoverride-resourcetypes): 
    - String
```

## Properties
<a name="aws-properties-config-configurationrecorder-recordingmodeoverride-properties"></a>

`Description`  <a name="cfn-config-configurationrecorder-recordingmodeoverride-description"></a>
A description that you provide for the override.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RecordingFrequency`  <a name="cfn-config-configurationrecorder-recordingmodeoverride-recordingfrequency"></a>
The recording frequency that will be applied to all the resource types specified in the override.  
+ Continuous recording allows you to record configuration changes continuously whenever a change occurs.
+ Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. 
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
*Required*: Yes  
*Type*: String  
*Allowed values*: `CONTINUOUS | DAILY`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTypes`  <a name="cfn-config-configurationrecorder-recordingmodeoverride-resourcetypes"></a>
A comma-separated list that specifies which resource types AWS Config includes in the override.  
Daily recording cannot be specified for the following resource types:  
+  `AWS::Config::ResourceCompliance` 
+  `AWS::Config::ConformancePackCompliance` 
+  `AWS::Config::ConfigurationRecorder` 
*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConfigurationRecorder RecordingStrategy
<a name="aws-properties-config-configurationrecorder-recordingstrategy"></a>

Specifies the recording strategy of the configuration recorder.

Valid values include: `ALL_SUPPORTED_RESOURCE_TYPES`, `INCLUSION_BY_RESOURCE_TYPES`, and `EXCLUSION_BY_RESOURCE_TYPES`.

## Syntax
<a name="aws-properties-config-configurationrecorder-recordingstrategy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-configurationrecorder-recordingstrategy-syntax.json"></a>

```
{
  "[UseOnly](#cfn-config-configurationrecorder-recordingstrategy-useonly)" : String
}
```

### YAML
<a name="aws-properties-config-configurationrecorder-recordingstrategy-syntax.yaml"></a>

```
  [UseOnly](#cfn-config-configurationrecorder-recordingstrategy-useonly): String
```

## Properties
<a name="aws-properties-config-configurationrecorder-recordingstrategy-properties"></a>

`UseOnly`  <a name="cfn-config-configurationrecorder-recordingstrategy-useonly"></a>
The recording strategy for the configuration recorder.  
+ If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES`, AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true`. When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide*.
+ If you set this option to `INCLUSION_BY_RESOURCE_TYPES`, AWS Config records configuration changes for only the resource types that you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html).
+ If you set this option to `EXCLUSION_BY_RESOURCE_TYPES`, AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html).
 **Required and optional fields**   
The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true`.  
The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html).  
The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html).
 **Overriding fields**   
If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.  
For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes`.
 **Global resource types and the exclusion recording strategy**   
By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.  
Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions where the configuration recorder is enabled.  
IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:  
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Melbourne)
+ Canada West (Calgary)
+ Europe (Spain)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Middle East (UAE)
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples"></a>



**Topics**
+ [Record all current and future supported resource types](#aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types)
+ [Record all current and future supported resource types excluding the types you specify](#aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify)
+ [Record specific resource types](#aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_specific_resource_types)

### Record all current and future supported resource types
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types--json"></a>

```
{
    "AllSupported": true,
    "RecordingStrategy": {
        "UseOnly": "ALL_SUPPORTED_RESOURCE_TYPES" 
    },
    "IncludeGlobalResourceTypes": true
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types--yaml"></a>

```
AllSupported: true
RecordingStrategy:
    UseOnly: ALL_SUPPORTED_RESOURCE_TYPES
IncludeGlobalResourceTypes: true
```

### Record all current and future supported resource types excluding the types you specify
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify--json"></a>

```
{
    "AllSupported": false,
    "ExclusionByResourceTypes": { 
        "ResourceTypes": [
            "AWS::Redshift::ClusterSnapshot",
            "AWS::RDS::DBClusterSnapshot",
            "AWS::CloudFront::StreamingDistribution"
        ]
    },
    "IncludeGlobalResourceTypes": false,
    "RecordingStrategy": {
        "UseOnly": "EXCLUSION_BY_RESOURCE_TYPES" 
    }             
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_all_current_and_future_supported_resource_types_excluding_the_types_you_specify--yaml"></a>

```
AllSupported: false
ExclusionByResourceTypes:
    ResourceTypes:
    - AWS::Redshift::ClusterSnapshot
    - AWS::RDS::DBClusterSnapshot
    - AWS::CloudFront::StreamingDistribution
IncludeGlobalResourceTypes: false
RecordingStrategy:
    UseOnly: EXCLUSION_BY_RESOURCE_TYPES
```

### Record specific resource types
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_specific_resource_types"></a>

The recordingGroup file specifies which types of resources AWS Config will record.

#### JSON
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_specific_resource_types--json"></a>

```
{
    "AllSupported": false,
    "RecordingStrategy": {
        "UseOnly": "INCLUSION_BY_RESOURCE_TYPES" 
    },
    "IncludeGlobalResourceTypes": false,
    "ResourceTypes": [
        "AWS::EC2::EIP",
        "AWS::EC2::Instance",
        "AWS::EC2::NetworkAcl",
        "AWS::EC2::SecurityGroup",
        "AWS::CloudTrail::Trail",
        "AWS::EC2::Volume", 
        "AWS::EC2::VPC",
        "AWS::IAM::User",
        "AWS::IAM::Policy"
    ]
}
```

#### YAML
<a name="aws-properties-config-configurationrecorder-recordingstrategy--examples--Record_specific_resource_types--yaml"></a>

```
AllSupported: false
RecordingStrategy:
    UseOnly: INCLUSION_BY_RESOURCE_TYPES
IncludeGlobalResourceTypes: false
ResourceTypes:
- AWS::EC2::EIP
- AWS::EC2::Instance
- AWS::EC2::NetworkAcl
- AWS::EC2::SecurityGroup
- AWS::CloudTrail::Trail
- AWS::EC2::Volume
- AWS::EC2::VPC
- AWS::IAM::User
- AWS::IAM::Policy
```

# AWS::Config::ConformancePack
<a name="aws-resource-config-conformancepack"></a>

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed in an account and a region. ConformancePack creates a service-linked role in your account. The service-linked role is created only when the role does not exist in your account. 

## Syntax
<a name="aws-resource-config-conformancepack-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-conformancepack-syntax.json"></a>

```
{
  "Type" : "AWS::Config::ConformancePack",
  "Properties" : {
      "[ConformancePackInputParameters](#cfn-config-conformancepack-conformancepackinputparameters)" : [ ConformancePackInputParameter, ... ],
      "[ConformancePackName](#cfn-config-conformancepack-conformancepackname)" : String,
      "[DeliveryS3Bucket](#cfn-config-conformancepack-deliverys3bucket)" : String,
      "[DeliveryS3KeyPrefix](#cfn-config-conformancepack-deliverys3keyprefix)" : String,
      "[TemplateBody](#cfn-config-conformancepack-templatebody)" : String,
      "[TemplateS3Uri](#cfn-config-conformancepack-templates3uri)" : String,
      "[TemplateSSMDocumentDetails](#cfn-config-conformancepack-templatessmdocumentdetails)" : TemplateSSMDocumentDetails
    }
}
```

### YAML
<a name="aws-resource-config-conformancepack-syntax.yaml"></a>

```
Type: AWS::Config::ConformancePack
Properties:
  [ConformancePackInputParameters](#cfn-config-conformancepack-conformancepackinputparameters): 
    - ConformancePackInputParameter
  [ConformancePackName](#cfn-config-conformancepack-conformancepackname): String
  [DeliveryS3Bucket](#cfn-config-conformancepack-deliverys3bucket): String
  [DeliveryS3KeyPrefix](#cfn-config-conformancepack-deliverys3keyprefix): String
  [TemplateBody](#cfn-config-conformancepack-templatebody): String
  [TemplateS3Uri](#cfn-config-conformancepack-templates3uri): String
  [TemplateSSMDocumentDetails](#cfn-config-conformancepack-templatessmdocumentdetails): 
    TemplateSSMDocumentDetails
```

## Properties
<a name="aws-resource-config-conformancepack-properties"></a>

`ConformancePackInputParameters`  <a name="cfn-config-conformancepack-conformancepackinputparameters"></a>
A list of ConformancePackInputParameter objects.  
*Required*: No  
*Type*: Array of [ConformancePackInputParameter](aws-properties-config-conformancepack-conformancepackinputparameter.md)  
*Minimum*: `0`  
*Maximum*: `60`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ConformancePackName`  <a name="cfn-config-conformancepack-conformancepackname"></a>
Name of the conformance pack you want to create.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[a-zA-Z][-a-zA-Z0-9]*`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`DeliveryS3Bucket`  <a name="cfn-config-conformancepack-deliverys3bucket"></a>
The name of the Amazon S3 bucket where AWS Config stores conformance pack templates.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `63`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DeliveryS3KeyPrefix`  <a name="cfn-config-conformancepack-deliverys3keyprefix"></a>
The prefix for the Amazon S3 bucket.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateBody`  <a name="cfn-config-conformancepack-templatebody"></a>
A string containing the full conformance pack template body. Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes.  
You can only use a YAML template with two resource types: config rule (`AWS::Config::ConfigRule`) and a remediation action (`AWS::Config::RemediationConfiguration`).
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `51200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateS3Uri`  <a name="cfn-config-conformancepack-templates3uri"></a>
Location of the file containing the template body (s3://bucketname/prefix). The URI must point to the conformance pack template (max size: 300 KB) that is located in an Amazon S3 bucket.  
You must have read access to the Amazon S3 bucket.
*Required*: No  
*Type*: String  
*Pattern*: `s3://.*`  
*Minimum*: `1`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateSSMDocumentDetails`  <a name="cfn-config-conformancepack-templatessmdocumentdetails"></a>
An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.  
*Required*: No  
*Type*: [TemplateSSMDocumentDetails](aws-properties-config-conformancepack-templatessmdocumentdetails.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-conformancepack-return-values"></a>

### Ref
<a name="aws-resource-config-conformancepack-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the name of the conformance pack. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-config-conformancepack--examples"></a>



### Conformance Pack
<a name="aws-resource-config-conformancepack--examples--Conformance_Pack"></a>

The following example creates a conformance pack.

#### JSON
<a name="aws-resource-config-conformancepack--examples--Conformance_Pack--json"></a>

```
{
    "Resources": {
        "ConformancePack": {
            "Type": "AWS::Config::ConformancePack",
            "Properties": {
                "ConformancePackName": "ConformancePackName",
                "DeliveryS3Bucket": "DeliveryS3Bucket",
                "TemplateS3Uri": "s3://bucketname/prefix"            
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-config-conformancepack--examples--Conformance_Pack--yaml"></a>

```
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
    CloudFormationCanaryPack:
        Type: AWS::Config::ConformancePack
        Properties:
          ConformancePackName: ConformancePackName
          DeliveryS3Bucket: DeliveryS3Bucket
          TemplateS3Uri: s3://bucketname/prefix
```

# AWS::Config::ConformancePack ConformancePackInputParameter
<a name="aws-properties-config-conformancepack-conformancepackinputparameter"></a>

Input parameters in the form of key-value pairs for the conformance pack, both of which you define. Keys can have a maximum character length of 255 characters, and values can have a maximum length of 4096 characters.

## Syntax
<a name="aws-properties-config-conformancepack-conformancepackinputparameter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-conformancepack-conformancepackinputparameter-syntax.json"></a>

```
{
  "[ParameterName](#cfn-config-conformancepack-conformancepackinputparameter-parametername)" : String,
  "[ParameterValue](#cfn-config-conformancepack-conformancepackinputparameter-parametervalue)" : String
}
```

### YAML
<a name="aws-properties-config-conformancepack-conformancepackinputparameter-syntax.yaml"></a>

```
  [ParameterName](#cfn-config-conformancepack-conformancepackinputparameter-parametername): String
  [ParameterValue](#cfn-config-conformancepack-conformancepackinputparameter-parametervalue): String
```

## Properties
<a name="aws-properties-config-conformancepack-conformancepackinputparameter-properties"></a>

`ParameterName`  <a name="cfn-config-conformancepack-conformancepackinputparameter-parametername"></a>
One part of a key-value pair.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ParameterValue`  <a name="cfn-config-conformancepack-conformancepackinputparameter-parametervalue"></a>
Another part of the key-value pair.   
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `4096`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::ConformancePack TemplateSSMDocumentDetails
<a name="aws-properties-config-conformancepack-templatessmdocumentdetails"></a>

This API allows you to create a conformance pack template with an AWS Systems Manager document (SSM document). To deploy a conformance pack using an SSM document, first create an SSM document with conformance pack content, and then provide the `DocumentName` in the [PutConformancePack API](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConformancePack.html). You can also provide the `DocumentVersion`.

The `TemplateSSMDocumentDetails` object contains the name of the SSM document and the version of the SSM document.

## Syntax
<a name="aws-properties-config-conformancepack-templatessmdocumentdetails-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-conformancepack-templatessmdocumentdetails-syntax.json"></a>

```
{
  "[DocumentName](#cfn-config-conformancepack-templatessmdocumentdetails-documentname)" : String,
  "[DocumentVersion](#cfn-config-conformancepack-templatessmdocumentdetails-documentversion)" : String
}
```

### YAML
<a name="aws-properties-config-conformancepack-templatessmdocumentdetails-syntax.yaml"></a>

```
  [DocumentName](#cfn-config-conformancepack-templatessmdocumentdetails-documentname): String
  [DocumentVersion](#cfn-config-conformancepack-templatessmdocumentdetails-documentversion): String
```

## Properties
<a name="aws-properties-config-conformancepack-templatessmdocumentdetails-properties"></a>

`DocumentName`  <a name="cfn-config-conformancepack-templatessmdocumentdetails-documentname"></a>
The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack. If you use the document name, AWS Config checks only your account and AWS Region for the SSM document.  
*Required*: No  
*Type*: String  
*Minimum*: `3`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DocumentVersion`  <a name="cfn-config-conformancepack-templatessmdocumentdetails-documentversion"></a>
The version of the SSM document to use to create a conformance pack. By default, AWS Config uses the latest version.  
This field is optional.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::DeliveryChannel
<a name="aws-resource-config-deliverychannel"></a>

Specifies a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic.

Before you can create a delivery channel, you must create a configuration recorder. You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.

You can have only one delivery channel per region per AWS account, and the delivery channel is required to use AWS Config.

**Note**  
AWS Config does not support the delivery channel to an Amazon S3 bucket where object lock is enabled. For more information, see [How S3 Object Lock works](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html).

When you create the delivery channel, you can specify: how often AWS Config delivers configuration snapshots to your Amazon S3 bucket (for example, 24 hours), the S3 bucket to which AWS Config sends configuration snapshots and configuration history files, and the Amazon SNS topic to which AWS Config sends notifications about configuration changes, such as updated resources, AWS Config rule evaluations, and when AWS Config delivers the configuration snapshot to your S3 bucket. For more information, see [Deliver Configuration Items](https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html#delivery-channel) in the AWS Config Developer Guide. 

**Note**  
To enable AWS Config, you must create a configuration recorder and a delivery channel. If you want to create the resources separately, you must create a configuration recorder before you can create a delivery channel. AWS Config uses the configuration recorder to capture configuration changes to your resources. For more information, see [AWS::Config::ConfigurationRecorder](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html). 

For more information, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html) in the AWS Config Developer Guide. 

## Syntax
<a name="aws-resource-config-deliverychannel-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-deliverychannel-syntax.json"></a>

```
{
  "Type" : "AWS::Config::DeliveryChannel",
  "Properties" : {
      "[ConfigSnapshotDeliveryProperties](#cfn-config-deliverychannel-configsnapshotdeliveryproperties)" : ConfigSnapshotDeliveryProperties,
      "[Name](#cfn-config-deliverychannel-name)" : String,
      "[S3BucketName](#cfn-config-deliverychannel-s3bucketname)" : String,
      "[S3KeyPrefix](#cfn-config-deliverychannel-s3keyprefix)" : String,
      "[S3KmsKeyArn](#cfn-config-deliverychannel-s3kmskeyarn)" : String,
      "[SnsTopicARN](#cfn-config-deliverychannel-snstopicarn)" : String
    }
}
```

### YAML
<a name="aws-resource-config-deliverychannel-syntax.yaml"></a>

```
Type: AWS::Config::DeliveryChannel
Properties:
  [ConfigSnapshotDeliveryProperties](#cfn-config-deliverychannel-configsnapshotdeliveryproperties): 
    ConfigSnapshotDeliveryProperties
  [Name](#cfn-config-deliverychannel-name): String
  [S3BucketName](#cfn-config-deliverychannel-s3bucketname): String
  [S3KeyPrefix](#cfn-config-deliverychannel-s3keyprefix): String
  [S3KmsKeyArn](#cfn-config-deliverychannel-s3kmskeyarn): String
  [SnsTopicARN](#cfn-config-deliverychannel-snstopicarn): String
```

## Properties
<a name="aws-resource-config-deliverychannel-properties"></a>

`ConfigSnapshotDeliveryProperties`  <a name="cfn-config-deliverychannel-configsnapshotdeliveryproperties"></a>
The options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket.  
*Required*: No  
*Type*: [ConfigSnapshotDeliveryProperties](aws-properties-config-deliverychannel-configsnapshotdeliveryproperties.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-config-deliverychannel-name"></a>
A name for the delivery channel. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the delivery channel name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html).   
Updates are not supported. To change the name, you must run two separate updates. In the first update, delete this resource, and then recreate it with a new name in the second update.   
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`S3BucketName`  <a name="cfn-config-deliverychannel-s3bucketname"></a>
The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.  
If you specify a bucket that belongs to another AWS account, that bucket must have policies that grant access permissions to AWS Config. For more information, see [Permissions for the Amazon S3 Bucket](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html) in the *AWS Config Developer Guide*.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`S3KeyPrefix`  <a name="cfn-config-deliverychannel-s3keyprefix"></a>
The prefix for the specified Amazon S3 bucket.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`S3KmsKeyArn`  <a name="cfn-config-deliverychannel-s3kmskeyarn"></a>
The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) key (KMS key) used to encrypt objects delivered by AWS Config. The key must belong to the same Region as the destination S3 bucket.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SnsTopicARN`  <a name="cfn-config-deliverychannel-snstopicarn"></a>
The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes.  
If you choose a topic from another account, the topic must have policies that grant access permissions to AWS Config. For more information, see [Permissions for the Amazon SNS Topic](https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html) in the *AWS Config Developer Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-deliverychannel-return-values"></a>

### Ref
<a name="aws-resource-config-deliverychannel-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the delivery channel name, such as default. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-deliverychannel-return-values-fn--getatt"></a>

## Examples
<a name="aws-resource-config-deliverychannel--examples"></a>



### Delivery Channel
<a name="aws-resource-config-deliverychannel--examples--Delivery_Channel"></a>

The following example creates a delivery channel that sends notifications to the specified Amazon SNS topic. The delivery channel also sends configuration changes and snapshots to the specified S3 bucket. 

#### JSON
<a name="aws-resource-config-deliverychannel--examples--Delivery_Channel--json"></a>

```
"DeliveryChannel": {
  "Type": "AWS::Config::DeliveryChannel",
  "Properties": {
    "ConfigSnapshotDeliveryProperties": {
      "DeliveryFrequency": "Six_Hours"
    },
    "S3BucketName": {"Ref": "ConfigBucket"},
    "SnsTopicARN": {"Ref": "ConfigTopic"}
  }
}
```

#### YAML
<a name="aws-resource-config-deliverychannel--examples--Delivery_Channel--yaml"></a>

```
DeliveryChannel: 
  Type: AWS::Config::DeliveryChannel
  Properties: 
    ConfigSnapshotDeliveryProperties: 
      DeliveryFrequency: "Six_Hours"
    S3BucketName: 
      Ref: ConfigBucket
    SnsTopicARN: 
      Ref: ConfigTopic
```
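The following check is an added example, not part of the AWS reference. It lints a parsed template against the delivery channel constraints described above: one channel per Region per account, a configuration recorder created first, no S3 Object Lock on the target bucket, and a KMS key in the same Region as the bucket. The function name, finding codes, and sample template are constructed for illustration, and the check assumes that a bucket declared in the stack lives in the stack's Region.

```python
import re

# Captures the Region field of a KMS ARN: arn:partition:kms:region:account:resource
KMS_ARN = re.compile(r"^arn:[^:]+:kms:([^:]*):[^:]*:.+$")


def lint_delivery_channels(template, stack_region):
    """Return (code, logical_id) findings for AWS::Config::DeliveryChannel resources."""
    resources = template.get("Resources", {})
    channels = {lid: res for lid, res in resources.items()
                if res.get("Type") == "AWS::Config::DeliveryChannel"}
    has_recorder = any(res.get("Type") == "AWS::Config::ConfigurationRecorder"
                       for res in resources.values())
    findings = []

    # Only one delivery channel is allowed per Region per account.
    if len(channels) > 1:
        findings.extend(("MULTIPLE_CHANNELS", lid) for lid in channels)

    for lid, channel in channels.items():
        props = channel.get("Properties", {})

        # The recorder must exist before the channel; if it is not in this
        # template, it has to be created out of band first.
        if not has_recorder:
            findings.append(("RECORDER_NOT_IN_TEMPLATE", lid))

        bucket = props.get("S3BucketName")
        if bucket is None:
            findings.append(("MISSING_S3_BUCKET", lid))  # S3BucketName is required
        elif isinstance(bucket, dict) and "Ref" in bucket:
            target = resources.get(bucket["Ref"], {})
            locked = target.get("Properties", {}).get("ObjectLockEnabled")
            if target.get("Type") == "AWS::S3::Bucket" and locked in (True, "true"):
                findings.append(("OBJECT_LOCK_BUCKET", lid))  # unsupported target

        key = props.get("S3KmsKeyArn")
        if key is None:
            findings.append(("NO_KMS_KEY", lid))  # no KMS key named for delivered objects
        elif isinstance(key, str):
            match = KMS_ARN.match(key)
            if match is None:
                findings.append(("KMS_ARN_UNPARSEABLE", lid))
            elif match.group(1) != stack_region:
                findings.append(("KMS_REGION_MISMATCH", lid))
        # Intrinsic functions (Ref, Fn::GetAtt) cannot be resolved offline and are skipped.

    return findings


# Constructed sample template: Object Lock bucket, no recorder, key in another Region.
WEAK_TEMPLATE = {
    "Resources": {
        "ConfigBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"ObjectLockEnabled": True},
        },
        "DeliveryChannel": {
            "Type": "AWS::Config::DeliveryChannel",
            "Properties": {
                "S3BucketName": {"Ref": "ConfigBucket"},
                "S3KmsKeyArn": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID",
            },
        },
    }
}

# Constructed corrected template: recorder present, no Object Lock, key in the stack Region.
FIXED_TEMPLATE = {
    "Resources": {
        "Recorder": {"Type": "AWS::Config::ConfigurationRecorder", "Properties": {}},
        "ConfigBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DeliveryChannel": {
            "Type": "AWS::Config::DeliveryChannel",
            "Properties": {
                "S3BucketName": {"Ref": "ConfigBucket"},
                "S3KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            },
        },
    }
}

if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, lint_delivery_channels(tpl, "us-east-1"))
```
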

# AWS::Config::DeliveryChannel ConfigSnapshotDeliveryProperties
<a name="aws-properties-config-deliverychannel-configsnapshotdeliveryproperties"></a>

Provides options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel.

**Note**  
If you want to create a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot, see the following:

The frequency for a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot is set by one of two values, depending on which is less frequent:
+ The value for the `deliveryFrequency` parameter within the delivery channel configuration, which sets how often AWS Config delivers configuration snapshots. This value also sets how often AWS Config invokes evaluations for AWS Config rules.
+ The value for the `MaximumExecutionFrequency` parameter, which sets the maximum frequency with which AWS Config invokes evaluations for the rule. For more information, see [ConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigRule.html).

If the `deliveryFrequency` value is less frequent than the `MaximumExecutionFrequency` value for a rule, AWS Config invokes the rule only as often as the `deliveryFrequency` value.

1. For example, you want your rule to run evaluations when AWS Config delivers the configuration snapshot.

1. You specify the `MaximumExecutionFrequency` value for `Six_Hours`. 

1. You then specify the delivery channel `deliveryFrequency` value for `TwentyFour_Hours`.

1. Because the value for `deliveryFrequency` is less frequent than `MaximumExecutionFrequency`, AWS Config invokes evaluations for the rule every 24 hours. 

You should set the `MaximumExecutionFrequency` value to be at least as frequent as the `deliveryFrequency` value. You can view the `deliveryFrequency` value by using the `DescribeDeliveryChannels` action.

To update the `deliveryFrequency` with which AWS Config delivers your configuration snapshots, use the `PutDeliveryChannel` action.
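The following script is an added example, not part of the AWS reference. It applies the rule above to a parsed template and reports, for each rule that sets `MaximumExecutionFrequency`, how often it will actually be evaluated. The function names, status labels, and sample template are constructed for illustration, and the script assumes that every rule that sets `MaximumExecutionFrequency` is triggered by snapshot delivery.

```python
# Allowed DeliveryFrequency / MaximumExecutionFrequency values, in hours.
FREQUENCY_HOURS = {
    "One_Hour": 1,
    "Three_Hours": 3,
    "Six_Hours": 6,
    "Twelve_Hours": 12,
    "TwentyFour_Hours": 24,
}

# Metadata objects of AWS::Config::OrganizationConfigRule that may carry the setting.
ORG_METADATA_KEYS = (
    "OrganizationCustomPolicyRuleMetadata",
    "OrganizationCustomRuleMetadata",
    "OrganizationManagedRuleMetadata",
)


def _hours(value):
    """Map a frequency string to hours; None for intrinsic functions or unknown values."""
    return FREQUENCY_HOURS.get(value) if isinstance(value, str) else None


def delivery_frequency(template):
    """Return the DeliveryFrequency of the template's delivery channel, or None."""
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") == "AWS::Config::DeliveryChannel":
            props = resource.get("Properties", {})
            return props.get("ConfigSnapshotDeliveryProperties", {}).get("DeliveryFrequency")
    return None


def rule_frequencies(template):
    """Yield (logical_id, MaximumExecutionFrequency) for every rule that sets it."""
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        rtype = resource.get("Type")
        if rtype == "AWS::Config::ConfigRule":
            holders = [props]
        elif rtype == "AWS::Config::OrganizationConfigRule":
            holders = [props.get(key, {}) for key in ORG_METADATA_KEYS]
        else:
            continue
        for holder in holders:
            if "MaximumExecutionFrequency" in holder:
                yield logical_id, holder["MaximumExecutionFrequency"]


def audit_frequencies(template):
    """Report the effective evaluation interval: the less frequent of the two values."""
    delivery_hours = _hours(delivery_frequency(template))
    report = []
    for logical_id, value in rule_frequencies(template):
        rule_hours = _hours(value)
        if delivery_hours is None or rule_hours is None:
            # A Ref or parameter cannot be compared offline.
            report.append({"rule": logical_id, "effective_hours": None, "status": "UNRESOLVED"})
            continue
        if delivery_hours > rule_hours:
            status = "LIMITED_BY_DELIVERY"   # rule runs less often than its own setting
        elif rule_hours > delivery_hours:
            status = "RULE_LESS_FREQUENT"    # rule is not as frequent as delivery
        else:
            status = "ALIGNED"
        report.append({"rule": logical_id,
                       "effective_hours": max(delivery_hours, rule_hours),
                       "status": status})
    return report


# Constructed sample template, trimmed to the fields the audit reads.
SAMPLE_TEMPLATE = {
    "Resources": {
        "DeliveryChannel": {
            "Type": "AWS::Config::DeliveryChannel",
            "Properties": {
                "S3BucketName": {"Ref": "ConfigBucket"},
                "ConfigSnapshotDeliveryProperties": {"DeliveryFrequency": "TwentyFour_Hours"},
            },
        },
        "SixHourRule": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {"MaximumExecutionFrequency": "Six_Hours"},
        },
        "DailyOrgRule": {
            "Type": "AWS::Config::OrganizationConfigRule",
            "Properties": {
                "OrganizationConfigRuleName": "daily-check",
                "OrganizationCustomPolicyRuleMetadata": {
                    "MaximumExecutionFrequency": "TwentyFour_Hours"},
            },
        },
        "ParamRule": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {"MaximumExecutionFrequency": {"Ref": "RuleFrequency"}},
        },
    }
}

if __name__ == "__main__":
    for row in audit_frequencies(SAMPLE_TEMPLATE):
        print(row)
```

A `LIMITED_BY_DELIVERY` result means that a compliance drift can go unevaluated for longer than the rule's own setting suggests, which matters when the rule backs a detection or remediation deadline.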

## Syntax
<a name="aws-properties-config-deliverychannel-configsnapshotdeliveryproperties-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-deliverychannel-configsnapshotdeliveryproperties-syntax.json"></a>

```
{
  "[DeliveryFrequency](#cfn-config-deliverychannel-configsnapshotdeliveryproperties-deliveryfrequency)" : String
}
```

### YAML
<a name="aws-properties-config-deliverychannel-configsnapshotdeliveryproperties-syntax.yaml"></a>

```
  [DeliveryFrequency](#cfn-config-deliverychannel-configsnapshotdeliveryproperties-deliveryfrequency): String
```

## Properties
<a name="aws-properties-config-deliverychannel-configsnapshotdeliveryproperties-properties"></a>

`DeliveryFrequency`  <a name="cfn-config-deliverychannel-configsnapshotdeliveryproperties-deliveryfrequency"></a>
The frequency with which AWS Config delivers configuration snapshots.  
*Required*: No  
*Type*: String  
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::OrganizationConfigRule
<a name="aws-resource-config-organizationconfigrule"></a>

Adds or updates an AWS Config rule for your entire organization to evaluate if your AWS resources comply with your desired configurations. For information on how many organization AWS Config rules you can have per account, see [https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *AWS Config Developer Guide*.

Only a management account and a delegated administrator can create or update an organization AWS Config rule. When calling the `OrganizationConfigRule` resource with a delegated administrator, you must ensure that AWS Organizations `ListDelegatedAdministrator` permissions are added. An organization can have up to 3 delegated administrators.

The `OrganizationConfigRule` resource enables organization service access through the `EnableAWSServiceAccess` action and creates a service-linked role `AWSServiceRoleForConfigMultiAccountSetup` in the management or delegated administrator account of your organization. The service-linked role is created only when the role does not exist in the caller account. AWS Config verifies the existence of the role with the `GetRole` action.

To use the `OrganizationConfigRule` resource with a delegated administrator, register a delegated administrator by calling AWS Organizations `register-delegated-administrator` for `config-multiaccountsetup.amazonaws.com`. 

There are two types of rules: *AWS Config Managed Rules* and *AWS Config Custom Rules*. You can use `PutOrganizationConfigRule` to create both AWS Config Managed Rules and AWS Config Custom Rules.

AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an AWS Config managed rule, you must specify the rule's identifier for the `RuleIdentifier` key.

AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *AWS Config Custom Lambda Rules* and AWS Config custom rules created with Guard are called *AWS Config Custom Policy Rules*.

If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function in the management account or a delegated administrator that the rule invokes to evaluate your resources. You also need to create an IAM role in the managed account that can be assumed by the Lambda function. When you use `PutOrganizationConfigRule` to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function.

## Syntax
<a name="aws-resource-config-organizationconfigrule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-organizationconfigrule-syntax.json"></a>

```
{
  "Type" : "AWS::Config::OrganizationConfigRule",
  "Properties" : {
      "[ExcludedAccounts](#cfn-config-organizationconfigrule-excludedaccounts)" : [ String, ... ],
      "[OrganizationConfigRuleName](#cfn-config-organizationconfigrule-organizationconfigrulename)" : String,
      "[OrganizationCustomPolicyRuleMetadata](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata)" : OrganizationCustomPolicyRuleMetadata,
      "[OrganizationCustomRuleMetadata](#cfn-config-organizationconfigrule-organizationcustomrulemetadata)" : OrganizationCustomRuleMetadata,
      "[OrganizationManagedRuleMetadata](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata)" : OrganizationManagedRuleMetadata
    }
}
```

### YAML
<a name="aws-resource-config-organizationconfigrule-syntax.yaml"></a>

```
Type: AWS::Config::OrganizationConfigRule
Properties:
  [ExcludedAccounts](#cfn-config-organizationconfigrule-excludedaccounts): 
    - String
  [OrganizationConfigRuleName](#cfn-config-organizationconfigrule-organizationconfigrulename): String
  [OrganizationCustomPolicyRuleMetadata](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata): 
    OrganizationCustomPolicyRuleMetadata
  [OrganizationCustomRuleMetadata](#cfn-config-organizationconfigrule-organizationcustomrulemetadata): 
    OrganizationCustomRuleMetadata
  [OrganizationManagedRuleMetadata](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata): 
    OrganizationManagedRuleMetadata
```

## Properties
<a name="aws-resource-config-organizationconfigrule-properties"></a>

`ExcludedAccounts`  <a name="cfn-config-organizationconfigrule-excludedaccounts"></a>
A comma-separated list of accounts excluded from the organization AWS Config rule.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OrganizationConfigRuleName`  <a name="cfn-config-organizationconfigrule-organizationconfigrulename"></a>
The name that you assign to the organization AWS Config rule.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[A-Za-z0-9-_]+`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`OrganizationCustomPolicyRuleMetadata`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata"></a>
An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.  
*Required*: No  
*Type*: [OrganizationCustomPolicyRuleMetadata](aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OrganizationCustomRuleMetadata`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata"></a>
An `OrganizationCustomRuleMetadata` object.  
*Required*: No  
*Type*: [OrganizationCustomRuleMetadata](aws-properties-config-organizationconfigrule-organizationcustomrulemetadata.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OrganizationManagedRuleMetadata`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata"></a>
An `OrganizationManagedRuleMetadata` object.  
*Required*: No  
*Type*: [OrganizationManagedRuleMetadata](aws-properties-config-organizationconfigrule-organizationmanagedrulemetadata.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-organizationconfigrule-return-values"></a>

### Ref
<a name="aws-resource-config-organizationconfigrule-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the OrganizationConfigRuleName. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-organizationconfigrule-return-values-fn--getatt"></a>

## Examples
<a name="aws-resource-config-organizationconfigrule--examples"></a>



**Topics**
+ [Managed Rule](#aws-resource-config-organizationconfigrule--examples--Managed_Rule)
+ [Custom Rule](#aws-resource-config-organizationconfigrule--examples--Custom_Rule)

### Managed Rule
<a name="aws-resource-config-organizationconfigrule--examples--Managed_Rule"></a>

The following example creates a managed organization config rule.

#### JSON
<a name="aws-resource-config-organizationconfigrule--examples--Managed_Rule--json"></a>

```
{
    "BasicOrganizationConfigRule": {
        "Type": "AWS::Config::OrganizationConfigRule",
        "Properties": {
            "OrganizationConfigRuleName": "OrganizationConfigRuleName",
            "OrganizationManagedRuleMetadata": {
                "RuleIdentifier": "CLOUD_TRAIL_ENABLED",
                "Description": "Cloudtrail enabled rule"
            },
            "ExcludedAccounts": [
                "accountId"
            ]
        }
    }
}
```

#### YAML
<a name="aws-resource-config-organizationconfigrule--examples--Managed_Rule--yaml"></a>

```
BasicOrganizationConfigRule:
    Type: "AWS::Config::OrganizationConfigRule"
    Properties:
        OrganizationConfigRuleName: "OrganizationConfigRuleName"
        OrganizationManagedRuleMetadata:
            RuleIdentifier: "CLOUD_TRAIL_ENABLED"
            Description: "Cloudtrail enabled rule"
        ExcludedAccounts:
        - "accountId"
```

### Custom Rule
<a name="aws-resource-config-organizationconfigrule--examples--Custom_Rule"></a>

The following example creates a custom organization config rule.

#### JSON
<a name="aws-resource-config-organizationconfigrule--examples--Custom_Rule--json"></a>

```
{
    "BasicOrganizationConfigRule": {
        "Type": "AWS::Config::OrganizationConfigRule",
        "Properties": {
            "OrganizationConfigRuleName": "OrganizationConfigRuleName",
            "OrganizationCustomRuleMetadata": {
                "LambdaFunctionArn": "CustomRuleLambdaArn",
                "OrganizationConfigRuleTriggerTypes": [
                    "ScheduledNotification"
                ]
            },
            "ExcludedAccounts": [
                "accountId"
            ]
        }
    }
}
```

#### YAML
<a name="aws-resource-config-organizationconfigrule--examples--Custom_Rule--yaml"></a>

```
BasicOrganizationConfigRule:
    Type: "AWS::Config::OrganizationConfigRule"
    Properties:
        OrganizationConfigRuleName: "OrganizationConfigRuleName"
        OrganizationCustomRuleMetadata:
            LambdaFunctionArn: "CustomRuleLambdaArn"
            OrganizationConfigRuleTriggerTypes:
                - "ScheduledNotification"
        ExcludedAccounts:
        - "accountId"
```

# AWS::Config::OrganizationConfigRule OrganizationCustomPolicyRuleMetadata
<a name="aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata"></a>

An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.

## Syntax
<a name="aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata-syntax.json"></a>

```
{
  "[DebugLogDeliveryAccounts](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-debuglogdeliveryaccounts)" : [ String, ... ],
  "[Description](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-description)" : String,
  "[InputParameters](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-inputparameters)" : String,
  "[MaximumExecutionFrequency](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-maximumexecutionfrequency)" : String,
  "[OrganizationConfigRuleTriggerTypes](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-organizationconfigruletriggertypes)" : [ String, ... ],
  "[PolicyText](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-policytext)" : String,
  "[ResourceIdScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourceidscope)" : String,
  "[ResourceTypesScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourcetypesscope)" : [ String, ... ],
  "[Runtime](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-runtime)" : String,
  "[TagKeyScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagkeyscope)" : String,
  "[TagValueScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagvaluescope)" : String
}
```

### YAML
<a name="aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata-syntax.yaml"></a>

```
  [DebugLogDeliveryAccounts](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-debuglogdeliveryaccounts): 
    - String
  [Description](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-description): String
  [InputParameters](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-inputparameters): String
  [MaximumExecutionFrequency](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-maximumexecutionfrequency): String
  [OrganizationConfigRuleTriggerTypes](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-organizationconfigruletriggertypes): 
    - String
  [PolicyText](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-policytext): String
  [ResourceIdScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourceidscope): String
  [ResourceTypesScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourcetypesscope): 
    - String
  [Runtime](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-runtime): String
  [TagKeyScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagkeyscope): String
  [TagValueScope](#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagvaluescope): String
```

## Properties
<a name="aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata-properties"></a>

`DebugLogDeliveryAccounts`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-debuglogdeliveryaccounts"></a>
A list of accounts for which you can enable debug logging for your organization AWS Config Custom Policy rule. The list is null when debug logging is enabled for all accounts.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-description"></a>
The description that you provide for your organization AWS Config Custom Policy rule.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InputParameters`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-inputparameters"></a>
A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaximumExecutionFrequency`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-maximumexecutionfrequency"></a>
The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-deliverychannel.html#cfn-config-deliverychannel-configsnapshotdeliveryproperties).  
*Required*: No  
*Type*: String  
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OrganizationConfigRuleTriggerTypes`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-organizationconfigruletriggertypes"></a>
The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:  
+ `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.
+ `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.

*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyText`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-policytext"></a>
The policy definition containing the logic for your organization AWS Config Custom Policy rule.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `10000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceIdScope`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourceidscope"></a>
The ID of the AWS resource that was evaluated.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `768`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTypesScope`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourcetypesscope"></a>
The type of the AWS resource that was evaluated.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Runtime`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-runtime"></a>
The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard).  
*Required*: Yes  
*Type*: String  
*Pattern*: `guard\-2\.x\.x`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagKeyScope`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagkeyscope"></a>
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagValueScope`  <a name="cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagvaluescope"></a>
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata
<a name="aws-properties-config-organizationconfigrule-organizationcustomrulemetadata"></a>

An object that specifies organization custom rule metadata such as resource type, resource ID of AWS resource, Lambda function ARN, and organization trigger types that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.

## Syntax
<a name="aws-properties-config-organizationconfigrule-organizationcustomrulemetadata-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-organizationconfigrule-organizationcustomrulemetadata-syntax.json"></a>

```
{
  "[Description](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-description)" : String,
  "[InputParameters](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-inputparameters)" : String,
  "[LambdaFunctionArn](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-lambdafunctionarn)" : String,
  "[MaximumExecutionFrequency](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-maximumexecutionfrequency)" : String,
  "[OrganizationConfigRuleTriggerTypes](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-organizationconfigruletriggertypes)" : [ String, ... ],
  "[ResourceIdScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-resourceidscope)" : String,
  "[ResourceTypesScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-resourcetypesscope)" : [ String, ... ],
  "[TagKeyScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-tagkeyscope)" : String,
  "[TagValueScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-tagvaluescope)" : String
}
```

### YAML
<a name="aws-properties-config-organizationconfigrule-organizationcustomrulemetadata-syntax.yaml"></a>

```
  [Description](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-description): String
  [InputParameters](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-inputparameters): String
  [LambdaFunctionArn](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-lambdafunctionarn): String
  [MaximumExecutionFrequency](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-maximumexecutionfrequency): String
  [OrganizationConfigRuleTriggerTypes](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-organizationconfigruletriggertypes): 
    - String
  [ResourceIdScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-resourceidscope): String
  [ResourceTypesScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-resourcetypesscope): 
    - String
  [TagKeyScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-tagkeyscope): String
  [TagValueScope](#cfn-config-organizationconfigrule-organizationcustomrulemetadata-tagvaluescope): String
```

## Properties
<a name="aws-properties-config-organizationconfigrule-organizationcustomrulemetadata-properties"></a>

`Description`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-description"></a>
The description that you provide for your organization AWS Config rule.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InputParameters`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-inputparameters"></a>
A string, in JSON format, that is passed to your organization AWS Config rule Lambda function.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LambdaFunctionArn`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-lambdafunctionarn"></a>
The Lambda function ARN.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaximumExecutionFrequency`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-maximumexecutionfrequency"></a>
The maximum frequency with which AWS Config runs evaluations for a rule. Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-deliverychannel.html#cfn-config-deliverychannel-configsnapshotdeliveryproperties).  
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.  
*Required*: No  
*Type*: String  
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OrganizationConfigRuleTriggerTypes`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-organizationconfigruletriggertypes"></a>
The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:  
+ `ConfigurationItemChangeNotification` - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change.
+ `OversizedConfigurationItemChangeNotification` - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
+ `ScheduledNotification` - Triggers a periodic evaluation at the frequency specified for `MaximumExecutionFrequency`.

*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceIdScope`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-resourceidscope"></a>
The ID of the AWS resource that was evaluated.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `768`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTypesScope`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-resourcetypesscope"></a>
The type of the AWS resource that was evaluated.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagKeyScope`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-tagkeyscope"></a>
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagValueScope`  <a name="cfn-config-organizationconfigrule-organizationcustomrulemetadata-tagvaluescope"></a>
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::OrganizationConfigRule OrganizationManagedRuleMetadata
<a name="aws-properties-config-organizationconfigrule-organizationmanagedrulemetadata"></a>

An object that specifies organization managed rule metadata such as resource type and ID of AWS resource along with the rule identifier. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.

## Syntax
<a name="aws-properties-config-organizationconfigrule-organizationmanagedrulemetadata-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-organizationconfigrule-organizationmanagedrulemetadata-syntax.json"></a>

```
{
  "[Description](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-description)" : String,
  "[InputParameters](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-inputparameters)" : String,
  "[MaximumExecutionFrequency](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-maximumexecutionfrequency)" : String,
  "[ResourceIdScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-resourceidscope)" : String,
  "[ResourceTypesScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-resourcetypesscope)" : [ String, ... ],
  "[RuleIdentifier](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-ruleidentifier)" : String,
  "[TagKeyScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-tagkeyscope)" : String,
  "[TagValueScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-tagvaluescope)" : String
}
```

### YAML
<a name="aws-properties-config-organizationconfigrule-organizationmanagedrulemetadata-syntax.yaml"></a>

```
  [Description](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-description): String
  [InputParameters](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-inputparameters): String
  [MaximumExecutionFrequency](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-maximumexecutionfrequency): String
  [ResourceIdScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-resourceidscope): String
  [ResourceTypesScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-resourcetypesscope): 
    - String
  [RuleIdentifier](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-ruleidentifier): String
  [TagKeyScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-tagkeyscope): String
  [TagValueScope](#cfn-config-organizationconfigrule-organizationmanagedrulemetadata-tagvaluescope): String
```

## Properties
<a name="aws-properties-config-organizationconfigrule-organizationmanagedrulemetadata-properties"></a>

`Description`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-description"></a>
The description that you provide for your organization AWS Config rule.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InputParameters`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-inputparameters"></a>
A string, in JSON format, that is passed to your organization AWS Config rule Lambda function.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaximumExecutionFrequency`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-maximumexecutionfrequency"></a>
The maximum frequency with which AWS Config runs evaluations for a rule. This is for an AWS Config managed rule that is triggered at a periodic frequency.  
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.  
*Required*: No  
*Type*: String  
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceIdScope`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-resourceidscope"></a>
The ID of the AWS resource that was evaluated.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `768`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTypesScope`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-resourcetypesscope"></a>
The type of the AWS resource that was evaluated.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RuleIdentifier`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-ruleidentifier"></a>
For organization config managed rules, a predefined identifier from a list. For example, `IAM_PASSWORD_POLICY` is a managed rule. To reference a managed rule, see [Using AWS Config managed rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html).  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagKeyScope`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-tagkeyscope"></a>
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TagValueScope`  <a name="cfn-config-organizationconfigrule-organizationmanagedrulemetadata-tagvaluescope"></a>
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
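
The three metadata types above differ in their required properties and in which trigger types they accept. The following pre-deployment check is an added example, not part of the AWS reference; it encodes only the constraints documented in the three Properties sections. The function and sample names are hypothetical, Minimum/Maximum on strings is assumed to mean character length, and values that are unresolved intrinsic functions (mappings such as `Ref`) are skipped.

```python
import json
import re

FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}
CHANGE_TRIGGERS = {
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
}
# (minimum, maximum) string lengths shared by all three metadata types.
COMMON = {
    "Description": (0, 256),
    "InputParameters": (1, 2048),
    "ResourceIdScope": (1, 768),
    "TagKeyScope": (1, 128),
    "TagValueScope": (1, 256),
}
SPECS = {
    "OrganizationCustomPolicyRuleMetadata": {
        "required": {"PolicyText", "Runtime"},
        "strings": {**COMMON, "PolicyText": (0, 10000), "Runtime": (1, 64)},
        "lists": {"DebugLogDeliveryAccounts": 1000, "ResourceTypesScope": 100},
        "patterns": {"Runtime": r"guard\-2\.x\.x"},
        "triggers": CHANGE_TRIGGERS,  # change-initiated types only
    },
    "OrganizationCustomRuleMetadata": {
        "required": {"LambdaFunctionArn", "OrganizationConfigRuleTriggerTypes"},
        "strings": {**COMMON, "LambdaFunctionArn": (1, 256)},
        "lists": {"ResourceTypesScope": 100},
        "patterns": {},
        "triggers": CHANGE_TRIGGERS | {"ScheduledNotification"},
    },
    "OrganizationManagedRuleMetadata": {
        "required": {"RuleIdentifier"},
        "strings": {**COMMON, "RuleIdentifier": (1, 256)},
        "lists": {"ResourceTypesScope": 100},
        "patterns": {},
        "triggers": None,  # this type has no trigger-type property
    },
}


def validate(kind, meta):
    """Return a list of findings for one metadata mapping; an empty list means it passes."""
    spec = SPECS[kind]
    known = set(spec["strings"]) | set(spec["lists"]) | {"MaximumExecutionFrequency"}
    if spec["triggers"] is not None:
        known.add("OrganizationConfigRuleTriggerTypes")
    findings = [f"{k}: required property is missing" for k in sorted(spec["required"] - set(meta))]
    findings += [f"{k}: not a property of {kind}" for k in sorted(set(meta) - known)]

    for key, (low, high) in spec["strings"].items():
        value = meta.get(key)
        if value is None or isinstance(value, dict):  # absent, or an unresolved intrinsic
            continue
        if not isinstance(value, str):
            findings.append(f"{key}: expected a string")
        elif not low <= len(value) <= high:
            findings.append(f"{key}: length {len(value)} is outside {low}..{high}")
        elif key in spec["patterns"] and not re.fullmatch(spec["patterns"][key], value):
            findings.append(f"{key}: {value!r} does not match {spec['patterns'][key]}")

    for key, limit in spec["lists"].items():
        value = meta.get(key)
        if value is None or isinstance(value, dict):
            continue
        if not isinstance(value, list):
            findings.append(f"{key}: expected a list")
        elif len(value) > limit:
            findings.append(f"{key}: {len(value)} items exceeds the maximum of {limit}")

    frequency = meta.get("MaximumExecutionFrequency")
    if isinstance(frequency, str) and frequency not in FREQUENCIES:
        findings.append(f"MaximumExecutionFrequency: {frequency!r} is not an allowed value")

    triggers = meta.get("OrganizationConfigRuleTriggerTypes")
    if spec["triggers"] is not None and isinstance(triggers, list):
        findings += [f"OrganizationConfigRuleTriggerTypes: {t!r} is not supported by {kind}"
                     for t in triggers if isinstance(t, str) and t not in spec["triggers"]]

    params = meta.get("InputParameters")
    if isinstance(params, str):
        try:
            json.loads(params)  # documented as "a string, in JSON format"
        except ValueError:
            findings.append("InputParameters: not valid JSON")
    return findings


# Constructed sample: a Custom Policy rule block with four mistakes (PolicyText is also missing).
SAMPLE_POLICY_METADATA = {
    "Runtime": "guard-2.0.1",  # the documented pattern is the literal guard-2.x.x
    "OrganizationConfigRuleTriggerTypes": ["ScheduledNotification"],  # periodic, not change-initiated
    "InputParameters": "{'maxDays': 90}",  # single quotes are not JSON
}

if __name__ == "__main__":
    for finding in validate("OrganizationCustomPolicyRuleMetadata", SAMPLE_POLICY_METADATA):
        print(finding)
```
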

# AWS::Config::OrganizationConformancePack
<a name="aws-resource-config-organizationconformancepack"></a>

OrganizationConformancePack deploys conformance packs across member accounts in an organization in AWS Organizations. OrganizationConformancePack enables organization service access for `config-multiaccountsetup.amazonaws.com` through the `EnableAWSServiceAccess` action and creates a service-linked role in the master account of your organization. The service-linked role is created only when the role does not exist in the master account.

## Syntax
<a name="aws-resource-config-organizationconformancepack-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-organizationconformancepack-syntax.json"></a>

```
{
  "Type" : "AWS::Config::OrganizationConformancePack",
  "Properties" : {
      "[ConformancePackInputParameters](#cfn-config-organizationconformancepack-conformancepackinputparameters)" : [ ConformancePackInputParameter, ... ],
      "[DeliveryS3Bucket](#cfn-config-organizationconformancepack-deliverys3bucket)" : String,
      "[DeliveryS3KeyPrefix](#cfn-config-organizationconformancepack-deliverys3keyprefix)" : String,
      "[ExcludedAccounts](#cfn-config-organizationconformancepack-excludedaccounts)" : [ String, ... ],
      "[OrganizationConformancePackName](#cfn-config-organizationconformancepack-organizationconformancepackname)" : String,
      "[TemplateBody](#cfn-config-organizationconformancepack-templatebody)" : String,
      "[TemplateS3Uri](#cfn-config-organizationconformancepack-templates3uri)" : String
    }
}
```

### YAML
<a name="aws-resource-config-organizationconformancepack-syntax.yaml"></a>

```
Type: AWS::Config::OrganizationConformancePack
Properties:
  [ConformancePackInputParameters](#cfn-config-organizationconformancepack-conformancepackinputparameters): 
    - ConformancePackInputParameter
  [DeliveryS3Bucket](#cfn-config-organizationconformancepack-deliverys3bucket): String
  [DeliveryS3KeyPrefix](#cfn-config-organizationconformancepack-deliverys3keyprefix): String
  [ExcludedAccounts](#cfn-config-organizationconformancepack-excludedaccounts): 
    - String
  [OrganizationConformancePackName](#cfn-config-organizationconformancepack-organizationconformancepackname): String
  [TemplateBody](#cfn-config-organizationconformancepack-templatebody): String
  [TemplateS3Uri](#cfn-config-organizationconformancepack-templates3uri): String
```

## Properties
<a name="aws-resource-config-organizationconformancepack-properties"></a>

`ConformancePackInputParameters`  <a name="cfn-config-organizationconformancepack-conformancepackinputparameters"></a>
A list of `ConformancePackInputParameter` objects.  
*Required*: No  
*Type*: Array of [ConformancePackInputParameter](aws-properties-config-organizationconformancepack-conformancepackinputparameter.md)  
*Minimum*: `0`  
*Maximum*: `60`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DeliveryS3Bucket`  <a name="cfn-config-organizationconformancepack-deliverys3bucket"></a>
The name of the Amazon S3 bucket where AWS Config stores conformance pack templates.  
This field is optional.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `63`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DeliveryS3KeyPrefix`  <a name="cfn-config-organizationconformancepack-deliverys3keyprefix"></a>
Any folder structure you want to add to an Amazon S3 bucket.  
This field is optional.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExcludedAccounts`  <a name="cfn-config-organizationconformancepack-excludedaccounts"></a>
A comma-separated list of accounts excluded from the organization conformance pack.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `0`  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OrganizationConformancePackName`  <a name="cfn-config-organizationconformancepack-organizationconformancepackname"></a>
The name you assign to an organization conformance pack.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[a-zA-Z][-a-zA-Z0-9]*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`TemplateBody`  <a name="cfn-config-organizationconformancepack-templatebody"></a>
A string containing the full conformance pack template body. The template body has a minimum length of 1 byte and a maximum length of 51,200 bytes.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `51200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateS3Uri`  <a name="cfn-config-organizationconformancepack-templates3uri"></a>
The location of the file containing the template body. The URI must point to the conformance pack template (max size: 300 KB).  
*Required*: No  
*Type*: String  
*Pattern*: `s3://.*`  
*Minimum*: `1`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-organizationconformancepack-return-values"></a>

### Ref
<a name="aws-resource-config-organizationconformancepack-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the name of the organization conformance pack.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-config-organizationconformancepack--examples"></a>



### Organization Conformance Pack
<a name="aws-resource-config-organizationconformancepack--examples--Organization_Conformance_Pack"></a>

The following example creates an organization conformance pack.

#### JSON
<a name="aws-resource-config-organizationconformancepack--examples--Organization_Conformance_Pack--json"></a>

```
{
    "Resources": {
        "OrganizationConformancePack": {
            "Type": "AWS::Config::OrganizationConformancePack",
            "Properties": {
                "OrganizationConformancePackName": "OrganizationConformancePackName",
                "DeliveryS3Bucket": "DeliveryS3Bucket",
                "TemplateS3Uri": "s3://bucketname/prefix"
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-config-organizationconformancepack--examples--Organization_Conformance_Pack--yaml"></a>

```
---
Resources:
    OrganizationConformancePack:
        Type: AWS::Config::OrganizationConformancePack
        Properties:
            OrganizationConformancePackName: OrganizationConformancePackName
            DeliveryS3Bucket: DeliveryS3Bucket
            TemplateS3Uri: s3://bucketname/prefix
```

# AWS::Config::OrganizationConformancePack ConformancePackInputParameter
<a name="aws-properties-config-organizationconformancepack-conformancepackinputparameter"></a>

Input parameters in the form of key-value pairs for the conformance pack, both of which you define. Keys can have a maximum character length of 255 characters, and values can have a maximum length of 4096 characters.

## Syntax
<a name="aws-properties-config-organizationconformancepack-conformancepackinputparameter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-organizationconformancepack-conformancepackinputparameter-syntax.json"></a>

```
{
  "[ParameterName](#cfn-config-organizationconformancepack-conformancepackinputparameter-parametername)" : String,
  "[ParameterValue](#cfn-config-organizationconformancepack-conformancepackinputparameter-parametervalue)" : String
}
```

### YAML
<a name="aws-properties-config-organizationconformancepack-conformancepackinputparameter-syntax.yaml"></a>

```
  [ParameterName](#cfn-config-organizationconformancepack-conformancepackinputparameter-parametername): String
  [ParameterValue](#cfn-config-organizationconformancepack-conformancepackinputparameter-parametervalue): String
```

## Properties
<a name="aws-properties-config-organizationconformancepack-conformancepackinputparameter-properties"></a>

`ParameterName`  <a name="cfn-config-organizationconformancepack-conformancepackinputparameter-parametername"></a>
One part of a key-value pair.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ParameterValue`  <a name="cfn-config-organizationconformancepack-conformancepackinputparameter-parametervalue"></a>
One part of a key-value pair.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `4096`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::RemediationConfiguration
<a name="aws-resource-config-remediationconfiguration"></a>

An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

## Syntax
<a name="aws-resource-config-remediationconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-remediationconfiguration-syntax.json"></a>

```
{
  "Type" : "AWS::Config::RemediationConfiguration",
  "Properties" : {
      "[Automatic](#cfn-config-remediationconfiguration-automatic)" : Boolean,
      "[ConfigRuleName](#cfn-config-remediationconfiguration-configrulename)" : String,
      "[ExecutionControls](#cfn-config-remediationconfiguration-executioncontrols)" : ExecutionControls,
      "[MaximumAutomaticAttempts](#cfn-config-remediationconfiguration-maximumautomaticattempts)" : Integer,
      "[Parameters](#cfn-config-remediationconfiguration-parameters)" : {Key: Value, ...},
      "[ResourceType](#cfn-config-remediationconfiguration-resourcetype)" : String,
      "[RetryAttemptSeconds](#cfn-config-remediationconfiguration-retryattemptseconds)" : Integer,
      "[TargetId](#cfn-config-remediationconfiguration-targetid)" : String,
      "[TargetType](#cfn-config-remediationconfiguration-targettype)" : String,
      "[TargetVersion](#cfn-config-remediationconfiguration-targetversion)" : String
    }
}
```

### YAML
<a name="aws-resource-config-remediationconfiguration-syntax.yaml"></a>

```
Type: AWS::Config::RemediationConfiguration
Properties:
  [Automatic](#cfn-config-remediationconfiguration-automatic): Boolean
  [ConfigRuleName](#cfn-config-remediationconfiguration-configrulename): String
  [ExecutionControls](#cfn-config-remediationconfiguration-executioncontrols): 
    ExecutionControls
  [MaximumAutomaticAttempts](#cfn-config-remediationconfiguration-maximumautomaticattempts): Integer
  [Parameters](#cfn-config-remediationconfiguration-parameters): 
    Key: Value
  [ResourceType](#cfn-config-remediationconfiguration-resourcetype): String
  [RetryAttemptSeconds](#cfn-config-remediationconfiguration-retryattemptseconds): Integer
  [TargetId](#cfn-config-remediationconfiguration-targetid): String
  [TargetType](#cfn-config-remediationconfiguration-targettype): String
  [TargetVersion](#cfn-config-remediationconfiguration-targetversion): String
```

## Properties
<a name="aws-resource-config-remediationconfiguration-properties"></a>

`Automatic`  <a name="cfn-config-remediationconfiguration-automatic"></a>
The remediation is triggered automatically.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ConfigRuleName`  <a name="cfn-config-remediationconfiguration-configrulename"></a>
The name of the AWS Config rule.  
*Required*: Yes  
*Type*: String  
*Pattern*: `.*\S.*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ExecutionControls`  <a name="cfn-config-remediationconfiguration-executioncontrols"></a>
An ExecutionControls object.  
*Required*: No  
*Type*: [ExecutionControls](aws-properties-config-remediationconfiguration-executioncontrols.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaximumAutomaticAttempts`  <a name="cfn-config-remediationconfiguration-maximumautomaticattempts"></a>
The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.  
For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, AWS Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.  
*Required*: No  
*Type*: Integer  
*Minimum*: `1`  
*Maximum*: `25`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Parameters`  <a name="cfn-config-remediationconfiguration-parameters"></a>
An object of the RemediationParameterValue. For more information, see [RemediationParameterValue](https://docs.aws.amazon.com/config/latest/APIReference/API_RemediationParameterValue.html).  
The type is a map of strings to RemediationParameterValue.  
*Required*: No  
*Type*: Object of [RemediationParameterValue](aws-properties-config-remediationconfiguration-remediationparametervalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceType`  <a name="cfn-config-remediationconfiguration-resourcetype"></a>
The type of a resource.   
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RetryAttemptSeconds`  <a name="cfn-config-remediationconfiguration-retryattemptseconds"></a>
Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If `MaximumAutomaticAttempts` remediation attempts have been made under `RetryAttemptSeconds`, a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.   
For example, if you specify `RetryAttemptSeconds` as 50 seconds and `MaximumAutomaticAttempts` as 5, AWS Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TargetId`  <a name="cfn-config-remediationconfiguration-targetid"></a>
Target ID is the name of the SSM document.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TargetType`  <a name="cfn-config-remediationconfiguration-targettype"></a>
The type of the target that executes the remediation. For example, an SSM document.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `SSM_DOCUMENT`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TargetVersion`  <a name="cfn-config-remediationconfiguration-targetversion"></a>
Version of the target. For example, version of the SSM document.  
If you make backward-incompatible changes to the SSM document, you must call the PutRemediationConfiguration API again to ensure the remediations can run.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-remediationconfiguration-return-values"></a>

### Ref
<a name="aws-resource-config-remediationconfiguration-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the remediation action with the associated SSM document.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-config-remediationconfiguration-return-values-fn--getatt"></a>

## Examples
<a name="aws-resource-config-remediationconfiguration--examples"></a>



### Remediation Configuration
<a name="aws-resource-config-remediationconfiguration--examples--Remeditation_Configuration"></a>

The following example creates a remediation configuration that uses an AWS Systems Manager document.

#### JSON
<a name="aws-resource-config-remediationconfiguration--examples--Remeditation_Configuration--json"></a>

```
{
    "BasicRemediationConfiguration": {
        "Type": "AWS::Config::RemediationConfiguration",
        "Properties": {
            "ConfigRuleName": "configRuleName",
            "Parameters": {
                "AutomationAssumeRole": {
                    "StaticValue": {
                        "Values": [
                            "automationAssumeRole"
                        ]
                    }
                },
                "InstanceId": {
                    "StaticValue": {
                        "Values": [
                            "instanceId"
                        ]
                    }
                }
            },
            "TargetId": "AWS-StartEC2Instance",
            "TargetType": "SSM_DOCUMENT",
            "TargetVersion": "1"
        }
    }
}
```

#### YAML
<a name="aws-resource-config-remediationconfiguration--examples--Remeditation_Configuration--yaml"></a>

```
BasicRemediationConfiguration:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
        ConfigRuleName: configRuleName
        Parameters:
            AutomationAssumeRole:
                StaticValue:
                    Values:
                        - automationAssumeRole
            InstanceId:
                StaticValue:
                    Values:
                        - instanceId
        TargetId: "AWS-StartEC2Instance"
        TargetType: "SSM_DOCUMENT"
        TargetVersion: "1"
```

# AWS::Config::RemediationConfiguration ExecutionControls
<a name="aws-properties-config-remediationconfiguration-executioncontrols"></a>

An ExecutionControls object.

## Syntax
<a name="aws-properties-config-remediationconfiguration-executioncontrols-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-remediationconfiguration-executioncontrols-syntax.json"></a>

```
{
  "[SsmControls](#cfn-config-remediationconfiguration-executioncontrols-ssmcontrols)" : SsmControls
}
```

### YAML
<a name="aws-properties-config-remediationconfiguration-executioncontrols-syntax.yaml"></a>

```
  [SsmControls](#cfn-config-remediationconfiguration-executioncontrols-ssmcontrols): 
    SsmControls
```

## Properties
<a name="aws-properties-config-remediationconfiguration-executioncontrols-properties"></a>

`SsmControls`  <a name="cfn-config-remediationconfiguration-executioncontrols-ssmcontrols"></a>
An SsmControls object.  
*Required*: No  
*Type*: [SsmControls](aws-properties-config-remediationconfiguration-ssmcontrols.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::RemediationConfiguration RemediationParameterValue
<a name="aws-properties-config-remediationconfiguration-remediationparametervalue"></a>

The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.

## Syntax
<a name="aws-properties-config-remediationconfiguration-remediationparametervalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-remediationconfiguration-remediationparametervalue-syntax.json"></a>

```
{
  "[ResourceValue](#cfn-config-remediationconfiguration-remediationparametervalue-resourcevalue)" : String,
  "[StaticValue](#cfn-config-remediationconfiguration-remediationparametervalue-staticvalue)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-config-remediationconfiguration-remediationparametervalue-syntax.yaml"></a>

```
  [ResourceValue](#cfn-config-remediationconfiguration-remediationparametervalue-resourcevalue): String
  [StaticValue](#cfn-config-remediationconfiguration-remediationparametervalue-staticvalue): 
    - String
```

## Properties
<a name="aws-properties-config-remediationconfiguration-remediationparametervalue-properties"></a>

`ResourceValue`  <a name="cfn-config-remediationconfiguration-remediationparametervalue-resourcevalue"></a>
The value is dynamic and changes at run-time.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StaticValue`  <a name="cfn-config-remediationconfiguration-remediationparametervalue-staticvalue"></a>
The value is static and does not change at run-time.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Config::RemediationConfiguration SsmControls
<a name="aws-properties-config-remediationconfiguration-ssmcontrols"></a>

AWS Systems Manager (SSM) specific remediation controls.

## Syntax
<a name="aws-properties-config-remediationconfiguration-ssmcontrols-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-remediationconfiguration-ssmcontrols-syntax.json"></a>

```
{
  "[ConcurrentExecutionRatePercentage](#cfn-config-remediationconfiguration-ssmcontrols-concurrentexecutionratepercentage)" : Integer,
  "[ErrorPercentage](#cfn-config-remediationconfiguration-ssmcontrols-errorpercentage)" : Integer
}
```

### YAML
<a name="aws-properties-config-remediationconfiguration-ssmcontrols-syntax.yaml"></a>

```
  [ConcurrentExecutionRatePercentage](#cfn-config-remediationconfiguration-ssmcontrols-concurrentexecutionratepercentage): Integer
  [ErrorPercentage](#cfn-config-remediationconfiguration-ssmcontrols-errorpercentage): Integer
```

## Properties
<a name="aws-properties-config-remediationconfiguration-ssmcontrols-properties"></a>

`ConcurrentExecutionRatePercentage`  <a name="cfn-config-remediationconfiguration-ssmcontrols-concurrentexecutionratepercentage"></a>
The maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.   
*Required*: No  
*Type*: Integer  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ErrorPercentage`  <a name="cfn-config-remediationconfiguration-ssmcontrols-errorpercentage"></a>
The percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do not specify a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant resources, then SSM stops running the automations when the fifth error is received.  
*Required*: No  
*Type*: Integer  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
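
The following template is an added example, not part of the original reference. It shows the `Automatic`, `MaximumAutomaticAttempts`, `RetryAttemptSeconds`, and `ExecutionControls`/`SsmControls` properties working together around the `AWS-StartEC2Instance` document used in the example earlier on this page. The logical ID and the two template parameter names are hypothetical, and the nested `ResourceValue: Value: RESOURCE_ID` form is assumed from the AWS Config API's `ResourceValue` shape, mirroring the nested `StaticValue: Values:` form of the earlier example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example. Automatic remediation with bounded retries and SSM execution controls.

Parameters:
  # Hypothetical parameter names; supply values from your own account.
  ConfigRuleName:
    Type: String
    Description: Name of an existing AWS Config rule that evaluates EC2 instances.
    MinLength: 1
    MaxLength: 128
  AutomationRoleArn:
    Type: String
    Description: ARN of the IAM role that Systems Manager Automation assumes to run the document.

Resources:
  AutoRemediation:  # hypothetical logical ID
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref ConfigRuleName
      TargetType: SSM_DOCUMENT
      TargetId: AWS-StartEC2Instance
      # Pin the document version so a later revision of the document
      # does not silently change what the remediation runs.
      TargetVersion: "1"
      # Run the remediation without a manual trigger.
      Automatic: true
      # After 5 failed attempts within the 60-second window, AWS Config
      # adds a remediation exception for the resource instead of retrying forever.
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      ExecutionControls:
        SsmControls:
          # At most 10% of the rule's non-compliant resources are remediated in parallel.
          ConcurrentExecutionRatePercentage: 10
          # Tighter than the 50% default: stop running automations for this rule
          # sooner when they start failing.
          ErrorPercentage: 20
      Parameters:
        # Static value: the same role is passed on every execution.
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref AutomationRoleArn
        # Dynamic value: resolved at run time to the ID of the non-compliant resource.
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
```

Each entry under `Parameters` sets exactly one of `StaticValue` or `ResourceValue`, as the RemediationParameterValue section requires. Scope the role passed as `AutomationAssumeRole` to the actions the document performs, since automatic remediation runs with that role unattended.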

# AWS::Config::StoredQuery
<a name="aws-resource-config-storedquery"></a>

Provides the details of a stored query.

## Syntax
<a name="aws-resource-config-storedquery-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-config-storedquery-syntax.json"></a>

```
{
  "Type" : "AWS::Config::StoredQuery",
  "Properties" : {
      "[QueryDescription](#cfn-config-storedquery-querydescription)" : String,
      "[QueryExpression](#cfn-config-storedquery-queryexpression)" : String,
      "[QueryName](#cfn-config-storedquery-queryname)" : String,
      "[Tags](#cfn-config-storedquery-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-config-storedquery-syntax.yaml"></a>

```
Type: AWS::Config::StoredQuery
Properties:
  [QueryDescription](#cfn-config-storedquery-querydescription): String
  [QueryExpression](#cfn-config-storedquery-queryexpression): String
  [QueryName](#cfn-config-storedquery-queryname): String
  [Tags](#cfn-config-storedquery-tags): 
    - Tag
```

## Properties
<a name="aws-resource-config-storedquery-properties"></a>

`QueryDescription`  <a name="cfn-config-storedquery-querydescription"></a>
A unique description for the query.  
*Required*: No  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`QueryExpression`  <a name="cfn-config-storedquery-queryexpression"></a>
The expression of the query. For example, `SELECT resourceId, resourceType, supplementaryConfiguration.BucketVersioningConfiguration.status WHERE resourceType = 'AWS::S3::Bucket' AND supplementaryConfiguration.BucketVersioningConfiguration.status = 'Off'`.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `4096`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`QueryName`  <a name="cfn-config-storedquery-queryname"></a>
The name of the query.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9-_]+$`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-config-storedquery-tags"></a>
An array of key-value pairs to apply to this resource.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-config-storedquery-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-config-storedquery-return-values"></a>

### Ref
<a name="aws-resource-config-storedquery-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-config-storedquery-return-values-fn--getatt"></a>

<a name="aws-resource-config-storedquery-return-values-fn--getatt-fn--getatt"></a>

`QueryArn`  <a name="QueryArn-fn::getatt"></a>
Amazon Resource Name (ARN) of the query. For example, arn:partition:service:region:account-id:resource-type/resource-name/resource-id.

`QueryId`  <a name="QueryId-fn::getatt"></a>
The ID of the query.

# AWS::Config::StoredQuery Tag
<a name="aws-properties-config-storedquery-tag"></a>

The tags for the resource. The metadata that you apply to a resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

## Syntax
<a name="aws-properties-config-storedquery-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-config-storedquery-tag-syntax.json"></a>

```
{
  "[Key](#cfn-config-storedquery-tag-key)" : String,
  "[Value](#cfn-config-storedquery-tag-value)" : String
}
```

### YAML
<a name="aws-properties-config-storedquery-tag-syntax.yaml"></a>

```
  [Key](#cfn-config-storedquery-tag-key): String
  [Value](#cfn-config-storedquery-tag-value): String
```

## Properties
<a name="aws-properties-config-storedquery-tag-properties"></a>

`Key`  <a name="cfn-config-storedquery-tag-key"></a>
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-config-storedquery-tag-value"></a>
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)