AWS Config Conformance Pack
This page shows how to write Terraform and CloudFormation for AWS Config Conformance Pack and write them securely.
aws_config_conformance_pack (Terraform)
The Conformance Pack in AWS Config can be configured in Terraform with the resource name aws_config_conformance_pack. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_config_conformance_pack" "cmmc_level3_conformance_pack" {
name = "operational-best-practices-for-cmmc-level3"
template_body = data.http.conformance_pack.body
depends_on = [aws_config_configuration_recorder.config_recorder]
}
resource "aws_config_conformance_pack" "default" {
name = module.this.name
dynamic "input_parameter" {
for_each = var.parameter_overrides
content {
resource "aws_config_conformance_pack" "this" {
for_each = { for pack in var.conformance_packs : pack.name => pack }
name = each.value.name
dynamic "input_parameter" {
for_each = { for param in each.value.input_parameters : param.name => param }
resource "aws_config_conformance_pack" "organization" {
provider = aws.Tokyo
name = "my-rule"
delivery_s3_bucket = aws_s3_bucket.delivery.bucket
template_body = <<EOT
Parameters
-
arnoptional computed - string -
delivery_s3_bucketoptional - string -
delivery_s3_key_prefixoptional - string -
idoptional computed - string -
namerequired - string -
template_bodyoptional - string -
template_s3_urioptional - string -
input_parameterset block-
parameter_namerequired - string -
parameter_valuerequired - string
-
Explanation in Terraform Registry
Manages a Config Conformance Pack. More information about this collection of Config rules and remediation actions can be found in the Conformance Packs documentation. Sample Conformance Pack templates may be found in the AWS Config Rules Repository.
NOTE: The account must have a Configuration Recorder with proper IAM permissions before the Conformance Pack will successfully create or update. See also the
aws_config_configuration_recorderresource.
Tips: Best Practices for The Other AWS Config Resources
In addition to the aws_config_configuration_aggregator, AWS Config has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_config_configuration_aggregator
Ensure to enable AWS Config in all Regions
It's better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all regions. It will reduce the risk that unmonitored configurations might cause.
AWS::Config::ConformancePack (CloudFormation)
The ConformancePack in Config can be configured in CloudFormation with the resource name AWS::Config::ConformancePack. The following sections describe 9 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Config::ConformancePack
ConfigPacksCPOperationalBestPracticesForAWSIdentityAndAccessManagement7100FE82:
DependsOn:
- ConfigEnabledPromiseConfigRecorder0A75B039
Metadata:
aws:cdk:path: AwsBiotechBlueprint/ConfigPacks/CP-Operational-Best-Practices-For-AWS-Identity-And-Access-Management
Type: 'AWS::Config::ConformancePack'
Properties:
ConformancePackName: IAMBestPractices
ConformancePackInputParameters:
-
ParameterName: AccessKeysRotatedParameterMaxAccessKeyAge
Type: 'AWS::Config::ConformancePack'
Properties:
ConformancePackName: IAMBestPractices
ConformancePackInputParameters:
-
ParameterName: AccessKeysRotatedParameterMaxAccessKeyAge
Type: 'AWS::Config::ConformancePack'
Properties:
ConformancePackName: CustomPCIEC2LambdaConfPack
DeliveryS3Bucket: !Ref DeliveryS3Bucket
TemplateBody: |-
Resources:
Type: 'AWS::Config::ConformancePack'
Properties:
ConformancePackName: CustomPCIEC2LambdaConfPack
DeliveryS3Bucket: !Ref DeliveryS3Bucket
TemplateBody: |-
Resources:
"AWS::Config::ConformancePack.ConformancePackInputParameter": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-conformancepack-conformancepackinputparameter.html",
"Properties": {
"ParameterName": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-conformancepack-conformancepackinputparameter.html#cfn-config-conformancepack-conformancepackinputparameter-parametername",
"UpdateType": "Mutable",
"Type": "AWS::Config::ConformancePack",
"Properties": {
"ConformancePackName": "Operational-Best-Practices-For-AWS-Identity-And-Access-Management",
"ConformancePackInputParameters": [],
"DeliveryS3Bucket": {
"Ref": "ConfigEnabledPromiseConfigBucket2F967063"
"AWS::Config::ConformancePack": {
"Type": "AWS::Config::ConformancePack",
"Properties": {}
},
"AWS::Amplify::Domain": {
"Type": "AWS::Amplify::Domain",
"resourceType": "AWS::Config::ConformancePack",
"filePath": null
}
]
},
{
Parameters
-
ConformancePackNamerequired - String -
DeliveryS3Bucketoptional - String -
DeliveryS3KeyPrefixoptional - String -
TemplateBodyoptional - String -
TemplateS3Urioptional - String -
ConformancePackInputParametersoptional - List of ConformancePackInputParameter
Explanation in CloudFormation Registry
A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed in an account and a region. ConformancePack creates a service linked role in your account. The service linked role is created only when the role does not exist in your account.
Frequently asked questions
What is AWS Config Conformance Pack?
AWS Config Conformance Pack is a resource for Config of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Conformance Pack?
For Terraform, the danielkkelly/iac, cloudposse/terraform-aws-config and marshall7m/terraform-aws-landing-zone source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the aws-quickstart/quickstart-aws-biotech-blueprint-cdk, aws-samples/aws-cloud-compliance-assurance and aws-samples/aws-config-pci-fsbp-ssmremediations source code examples are useful. See the CloudFormation Example section for further details.
