AWS Config Organization Conformance Pack

This page shows how to write Terraform and CloudFormation for an AWS Config Organization Conformance Pack, and how to configure it securely.

aws_config_organization_conformance_pack (Terraform)

The Organization Conformance Pack in AWS Config can be configured in Terraform with the resource name aws_config_organization_conformance_pack. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • name - (Required, Forces new resource) The name of the organization conformance pack. Must begin with a letter and contain from 1 to 128 alphanumeric characters and hyphens.
  • delivery_s3_bucket - (Optional) Amazon S3 bucket where AWS Config stores conformance pack templates. Delivery bucket must begin with awsconfigconforms prefix. Maximum length of 63.
  • delivery_s3_key_prefix - (Optional) The prefix for the Amazon S3 bucket. Maximum length of 1024.
  • excluded_accounts - (Optional) Set of AWS accounts to be excluded from an organization conformance pack while deploying a conformance pack. Maximum of 1000 accounts.
  • input_parameter - (Optional) Set of configuration blocks describing input parameters passed to the conformance pack template. Documented below. When configured, the parameters must also be included in the template_body or in the template stored in Amazon S3 if using template_s3_uri.
  • template_body - (Optional, Conflicts with template_s3_uri) A string containing full conformance pack template body. Maximum length of 51200. Drift detection is not possible with this argument.
  • template_s3_uri - (Optional, Conflicts with template_body) Location of the file containing the template body, e.g., s3://bucketname/prefix. The URI must point to a conformance pack template located in an Amazon S3 bucket in the same region as the conformance pack. Maximum length of 1024. Drift detection is not possible with this argument.

input_parameter Argument Reference

The input_parameter configuration block supports the following arguments:

  • parameter_name - (Required) The input key.
  • parameter_value - (Required) The input value.

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the organization conformance pack.
  • id - The name of the organization conformance pack.

Explanation in Terraform Registry

Manages a Config Organization Conformance Pack. More information can be found in the Managing Conformance Packs Across all Accounts in Your Organization and AWS Config Managed Rules documentation. Example conformance pack templates may be found in the AWS Config Rules Repository.

NOTE: This resource must be created in the Organization master account or a delegated administrator account, and the Organization must have all features enabled. Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the Organization Conformance Pack will successfully create or update. See also the aws_config_configuration_recorder resource.
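A complete Terraform configuration for this resource, added here as an example (it is not from the page or from the provider documentation): it wires together name, delivery_s3_bucket, excluded_accounts, input_parameter and an inline template_body using the managed rules ACCESS_KEYS_ROTATED and S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED. The bucket name and account id are placeholders.

```hcl
# Added example; bucket name and account id are placeholders. Apply this from the
# Organizations management account or the delegated administrator for AWS Config,
# and make sure every non-excluded member account already has a configuration
# recorder (aws_config_configuration_recorder), or the pack will fail to create.
resource "aws_config_organization_conformance_pack" "baseline" {
  name = "org-security-baseline"

  # The delivery bucket name must start with the "awsconfigconforms" prefix.
  delivery_s3_bucket     = "awsconfigconforms-org-baseline-example"
  delivery_s3_key_prefix = "packs"

  # Member accounts deliberately left out of this pack (placeholder id).
  excluded_accounts = ["111111111111"]

  # Every input_parameter name must also be declared under Parameters in the
  # template body below, as the argument reference above requires.
  input_parameter {
    parameter_name  = "AccessKeysRotatedParamMaxAccessKeyAge"
    parameter_value = "90"
  }

  # Inline template: no drift detection, so keep it under version control.
  template_body = <<-EOT
    Parameters:
      AccessKeysRotatedParamMaxAccessKeyAge:
        Type: String
        Default: "90"
    Resources:
      AccessKeysRotated:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: access-keys-rotated
          InputParameters:
            maxAccessKeyAge:
              Ref: AccessKeysRotatedParamMaxAccessKeyAge
          Source:
            Owner: AWS
            SourceIdentifier: ACCESS_KEYS_ROTATED
      S3BucketServerSideEncryptionEnabled:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: s3-bucket-server-side-encryption-enabled
          Source:
            Owner: AWS
            SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  EOT
}
```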

Tips: Best Practices for The Other AWS Config Resources

Besides the resource described above, AWS Config has other resources that should be configured for security reasons. The following examples show those resources and the precautions to take with them.

aws_config_configuration_aggregator

Ensure AWS Config is enabled in all Regions

It is better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all Regions, which reduces the risk posed by configurations that are never monitored.
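The tip above in Terraform, as an added example (not from the page): an organization-wide aws_config_configuration_aggregator with all_regions = true, together with the IAM role AWS Config assumes to enumerate member accounts. The role and aggregator names are placeholders; the attached policy is the AWS managed AWSConfigRoleForOrganizations.

```hcl
# Added example; role and aggregator names are placeholders. Create this in the
# management account (or the delegated administrator for AWS Config).
data "aws_iam_policy_document" "aggregator_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "aggregator" {
  name               = "config-org-aggregator-example"
  assume_role_policy = data.aws_iam_policy_document.aggregator_assume.json
}

# AWS managed policy that lets AWS Config list the organization's accounts.
resource "aws_iam_role_policy_attachment" "aggregator" {
  role       = aws_iam_role.aggregator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_aggregator" "organization" {
  name = "org-all-regions-example"

  organization_aggregation_source {
    role_arn = aws_iam_role.aggregator.arn
    # Weak setting: regions = ["us-east-1"] silently leaves every other Region
    # unaggregated. all_regions also covers Regions enabled later on.
    all_regions = true
  }
}
```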

Review your AWS Config settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check your .tf files against them.

AWS::Config::OrganizationConformancePack (CloudFormation)

The OrganizationConformancePack in Config can be configured in CloudFormation with the resource name AWS::Config::OrganizationConformancePack. The following sections describe 8 examples of how to use the resource and its parameters.

Example Usage from GitHub

OrgEnableConformancePack.yml#L19
      Type: AWS::Config::OrganizationConformancePack
      Properties:
          OrganizationConformancePackName: !Ref OrganizationConformancePackName
          TemplateS3Uri: !Ref TemplateS3Uri

product.template-ca-central-1.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'

product.template-us-west-2.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'

product.template-us-west-1.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'

product.template-ap-northeast-1.yaml#L12
    Type: AWS::Config::OrganizationConformancePack
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
    Properties:
      OrganizationConformancePackName: !Ref 'OrganizationConformancePackName'
      DeliveryS3Bucket: !Ref 'DeliveryS3Bucket'

ConfigOrganizationConformancePackSpecification.json#L3
    "AWS::Config::OrganizationConformancePack.ConformancePackInputParameter": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconformancepack-conformancepackinputparameter.html",
      "Properties": {
        "ParameterName": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconformancepack-conformancepackinputparameter.html#cfn-config-organizationconformancepack-conformancepackinputparameter-parametername",
          "UpdateType": "Mutable",

template.json#L2407
    "AWS::Config::OrganizationConformancePack": {
      "Type": "AWS::Config::OrganizationConformancePack",
      "Properties": {}
    },
    "AWS::KinesisAnalyticsV2::ApplicationOutput": {
      "Type": "AWS::KinesisAnalyticsV2::ApplicationOutput",

awsResouceIconMatches.json#L2282
        "resourceType": "AWS::Config::OrganizationConformancePack",
        "filePath": null
      },
      {
        "resourceType": "AWS::Config::ConfigRule",
        "filePath": null

Explanation in CloudFormation Registry

OrganizationConformancePack deploys conformance packs across the member accounts of an AWS Organization. It enables organization service access for config-multiaccountsetup.amazonaws.com through the EnableAWSServiceAccess action and creates a service-linked role in the master account of your organization. The service-linked role is created only when it does not already exist in the master account.

Frequently asked questions

What is AWS Config Organization Conformance Pack?

AWS Config Organization Conformance Pack is a resource for Config of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Organization Conformance Pack?

For CloudFormation, the aws-samples/aws-config-pci-fsbp-ssmremediations and awslabs/aws-service-catalog-products source code examples are useful. See the CloudFormation Example section for further details.