AWS Config Organization Conformance Pack

This page shows how to write Terraform and CloudFormation for AWS Config Organization Conformance Pack and write them securely.

aws_config_organization_conformance_pack (Terraform)

The Organization Conformance Pack in AWS Config can be configured in Terraform with the resource name aws_config_organization_conformance_pack. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • name - (Required, Forces new resource) The name of the organization conformance pack. Must begin with a letter and contain from 1 to 128 alphanumeric characters and hyphens.
  • delivery_s3_bucket - (Optional) Amazon S3 bucket where AWS Config stores conformance pack templates. Delivery bucket must begin with awsconfigconforms prefix. Maximum length of 63.
  • delivery_s3_key_prefix - (Optional) The prefix for the Amazon S3 bucket. Maximum length of 1024.
  • excluded_accounts - (Optional) Set of AWS accounts to be excluded from an organization conformance pack while deploying a conformance pack. Maximum of 1000 accounts.
  • input_parameter - (Optional) Set of configuration blocks describing input parameters passed to the conformance pack template. Documented below. When configured, the parameters must also be included in the template_body or in the template stored in Amazon S3 if using template_s3_uri.
  • template_body - (Optional, Conflicts with template_s3_uri) A string containing full conformance pack template body. Maximum length of 51200. Drift detection is not possible with this argument.
  • template_s3_uri - (Optional, Conflicts with template_body) Location of file, e.g., s3://bucketname/prefix, containing the template body. The uri must point to the conformance pack template that is located in an Amazon S3 bucket in the same region as the conformance pack. Maximum length of 1024. Drift detection is not possible with this argument.

input_parameter Argument Reference

The input_parameter configuration block supports the following arguments:

  • parameter_name - (Required) The input key.
  • parameter_value - (Required) The input value.

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the organization conformance pack.
  • id - The name of the organization conformance pack.

Explanation in Terraform Registry

Manages a Config Organization Conformance Pack. More information can be found in the Managing Conformance Packs Across all Accounts in Your Organization and AWS Config Managed Rules documentation. Example conformance pack templates may be found in the AWS Config Rules Repository.

NOTE: This resource must be created in the Organization master account or a delegated administrator account, and the Organization must have all features enabled. Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the Organization Conformance Pack will successfully create or update. See also the aws_config_configuration_recorder resource.

Tips: Best Practices for The Other AWS Config Resources

In addition to the aws_config_configuration_aggregator, AWS Config has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

It's better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all regions. It will reduce the risk that unmonitored configurations might cause.

Review your AWS Config settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::Config::OrganizationConformancePack (CloudFormation)

The OrganizationConformancePack in Config can be configured in CloudFormation with the resource name AWS::Config::OrganizationConformancePack. The following sections describe 8 examples of how to use the resource and its parameters.

Example Usage from GitHub

OrgEnableConformancePack.yml#L19
      Type: AWS::Config::OrganizationConformancePack
      Properties:
          OrganizationConformancePackName: !Ref OrganizationConformancePackName
          TemplateS3Uri: !Ref TemplateS3Uri


product.template-ca-central-1.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'
product.template-us-west-1.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'
product.template-ap-northeast-1.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'
product.template-us-west-2.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'
ConfigOrganizationConformancePackSpecification.json#L3
    "AWS::Config::OrganizationConformancePack.ConformancePackInputParameter": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconformancepack-conformancepackinputparameter.html",
      "Properties": {
        "ParameterName": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconformancepack-conformancepackinputparameter.html#cfn-config-organizationconformancepack-conformancepackinputparameter-parametername",
          "UpdateType": "Mutable",
template.json#L2407
    "AWS::Config::OrganizationConformancePack": {
      "Type": "AWS::Config::OrganizationConformancePack",
      "Properties": {}
    },
    "AWS::KinesisAnalyticsV2::ApplicationOutput": {
      "Type": "AWS::KinesisAnalyticsV2::ApplicationOutput",
awsResouceIconMatches.json#L2282
        "resourceType": "AWS::Config::OrganizationConformancePack",
        "filePath": null
      },
      {
        "resourceType": "AWS::Config::ConfigRule",
        "filePath": null

Parameters

Explanation in CloudFormation Registry

OrganizationConformancePack deploys conformance packs across member accounts in an AWS Organizations. OrganizationConformancePack enables organization service access for config-multiaccountsetup.amazonaws.com through the EnableAWSServiceAccess action and creates a service linked role in the master account of your organization. The service linked role is created only when the role does not exist in the master account.

Frequently asked questions

What is AWS Config Organization Conformance Pack?

AWS Config Organization Conformance Pack is a resource for Config of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Organization Conformance Pack?

For CloudFormation, the aws-samples/aws-config-pci-fsbp-ssmremediations, awslabs/aws-service-catalog-products and awslabs/aws-service-catalog-products source code examples are useful. See the CloudFormation Example section for further details.