I'm new to AWS, and I have tried searching everywhere for this, but I can't find the right answer.
My goal is to create a CloudFormation template that forms a new stack without assuming that AWS Config is already enabled. This template should define more items, one of which should be a ConfigRule.
To achieve this, I found this template, which looks good, and then tried adding the ConfigRule from one of the examples to the same template file. But when I try to create a new stack from this combined template, I get this error:
You must first create a configuration recorder before you can create or update a Config rule. (Service: AmazonConfig; Status Code: 400; Error Code: NoAvailableConfigurationRecorderException
Since the template file does define a configuration recorder, I'm not sure what's wrong with it. This is basically a copy of the linked template; I marked comments around the places where I added things, just to add a sample config rule that should be created as part of the template:
AWSTemplateFormatVersion: 2010-09-09
Description: 'The AWS CloudFormation template creates KMS encryption keys for Config and S3, an encrypted S3 bucket, and enables Config for the account'
# added for configRule - start (1)
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Configuration
        Parameters:
          - Frequency
    ParameterLabels:
      Frequency:
        default: Frequency
Parameters:
  Frequency:
    Type: String
    Default: 24hours
    Description: Maximum rule execution frequency.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
Mappings:
  Settings:
    FrequencyMap:
      1hour : One_Hour
      3hours : Three_Hours
      6hours : Six_Hours
      12hours : Twelve_Hours
      24hours : TwentyFour_Hours
# added for configRule - end (#1)
Resources:
  # added for configRule - start (2)
  CheckForRootMFA:
    Type: AWS::Config::ConfigRule
    Properties:
      Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
      MaximumExecutionFrequency: !FindInMap
        - Settings
        - FrequencyMap
        - !Ref Frequency
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
  # added for configRule - end (2)
  # KMS S3 Config Service encryption key
  s3configKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-s3config
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ''
                - - 'arn:aws:iam::'
                  - !Ref 'AWS::AccountId'
                  - ':root'
            Action: 'kms:*'
            Resource: '*'
  s3configKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/s3config
      TargetKeyId:
        Ref: s3configKey
  # Build AWS Config Service S3 Bucket for Storage
  AWSConfigS3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${s3configKeyAlias}'
              SSEAlgorithm: 'aws:kms'
  # Build AWS Config Recorder
  ConfigRecorder:
    Type: 'AWS::Config::ConfigurationRecorder'
    Properties:
      Name: 'ConfigRecoder'
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: !GetAtt
        - AWSIAM
        - Arn
  # Build IAM Role for Config
  AWSIAM:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
      Path: /
      Policies:
        - PolicyName: S3-access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref AWSConfigS3Bucket
                    - /AWSLogs/
                    - !Ref 'AWS::AccountId'
                    - /*
                Condition:
                  StringLike:
                    's3:x-amz-acl': bucket-owner-full-control
              - Effect: Allow
                Action:
                  - 's3:GetBucketAcl'
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref AWSConfigS3Bucket
  # Create Config Delivery Channel
  DeliveryChannel:
    Type: 'AWS::Config::DeliveryChannel'
    Properties:
      S3BucketName: !Ref AWSConfigS3Bucket
Outputs:
  S3KMSKeyAlias:
    Description: 'S3 KMS Key Alias'
    Value:
      Ref: 's3configKeyAlias'
  AWSIAM:
    Description: 'IAM Role for Config'
    Value:
      Ref: 'AWSIAM'
  AWSConfigS3Bucket:
    Description: 'Encrypted S3 Bucket for Config Logs'
    Value:
      Ref: 'AWSConfigS3Bucket'
  ConfigRecorder:
    Description: 'Config Recorder'
    Value:
      Ref: 'ConfigRecorder'
  DeliveryChannel:
    Description: 'Config Delivery Channel'
    Value:
      Ref: 'DeliveryChannel'