I've tried to play around with AWS Conformance Packs via CloudFormation. I created something really simple:
The following stack creates an S3 bucket + Conformance Pack. I have stored the Conformance Pack template in another S3 bucket (the second script below):
AWSTemplateFormatVersion: '2010-09-09'
Description: Conformancepack Stack
Parameters:
  ZipBucketParam:
    Description: bucket name
    Type: String
  TemplateBucket:
    Description: bucket name
    Type: String
Resources:
  # Delivery bucket for the conformance pack; all public access is blocked.
  ZipBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${ZipBucketParam}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # Grants the Config conformance-pack service-linked role the access it needs
  # and denies any request that does not use TLS.
  ZipzapBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: "ZipBucket"
      PolicyDocument:
        Statement:
          -
            Sid: "AWSConfigConformsCheckAcls"
            Action:
              - "s3:GetBucketAcl"
            Effect: "Allow"
            Resource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: "ZipBucket"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
            Condition:
              Bool:
                aws:SecureTransport: "true"
          -
            Sid: "AWSConfigConformsWriteBucket"
            Action:
              - "s3:PutObject"
            Effect: "Allow"
            Resource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: "ZipBucket"
                  - "/AWSLogs/"
                  - Fn::Sub: ${AWS::AccountId}
                  - "/Config/*"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
              Bool:
                aws:SecureTransport: "true"
          -
            Sid: "AWSConfigConformsBucketRead"
            Action:
              - "s3:GetObject"
            Effect: "Allow"
            Resource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: "ZipBucket"
                  - "/AWSLogs/"
                  - Fn::Sub: ${AWS::AccountId}
                  - "/Config/*"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
            Condition:
              Bool:
                aws:SecureTransport: "true"
          # Deny every plaintext (non-TLS) request from any principal.
          -
            Action:
              - "*"
            Effect: "Deny"
            Resource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: "ZipBucket"
                  - "/*"
            Principal: "*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
  FirstConformancePack:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: first-conformance-pack
      DeliveryS3Bucket: !Sub s3://${ZipBucket}
      TemplateS3Uri: !Sub s3://${TemplateBucket}/conformance.yaml
And the template for the conformance pack looks like this:
S3BucketSSLRequestsOnly:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: data-in-transit-s3-bucket-ssl-requests-only
    Scope:
      ComplianceResourceTypes:
        - "AWS::S3::Bucket"
    Source:
      Owner: AWS
      SourceIdentifier: "S3_BUCKET_SSL_REQUESTS_ONLY"
I'm getting the error below. Any ideas what I'm doing wrong here? The bucket policy on the source S3 bucket is the same as the one I'm creating in this stack.
"Invalid request provided: Cloud formation template passed in the input parameter is invalid (Service: Config, Status Code: 400"
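Before creating a stack like this, a preflight over the parsed templates catches the shape problems the Config service rejects with a bare 400. The Python below is an added example, not code from the post or from AWS. It treats both templates as already-parsed dicts (the JSON form of the YAML, so no YAML library is needed), uses constructed placeholder bucket names, and encodes three facts from the AWS Config documentation: a conformance pack template is validated as a CloudFormation-style document whose rules sit under a top-level Resources map; DeliveryS3Bucket takes a bucket name while TemplateS3Uri takes an s3:// URI; and the delivery bucket policy should itself carry the TLS-only Deny that the S3_BUCKET_SSL_REQUESTS_ONLY rule in the pack checks for.

```python
"""Offline preflight for a CloudFormation-deployed AWS Config conformance pack.

Added example, not code from the post. Templates are passed as parsed dicts
(JSON form of the YAML); bucket names below are constructed placeholders.
"""
import re
from typing import Any

CONFIG_RULE_TYPE = "AWS::Config::ConfigRule"
# Resource types a conformance pack template may contain.
PACK_RESOURCE_TYPES = {CONFIG_RULE_TYPE, "AWS::Config::RemediationConfiguration"}
# Coarse S3 bucket-name syntax: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def check_pack_template(template: dict[str, Any]) -> list[str]:
    """Return findings for a conformance pack template; an empty list means it passes.

    The Config service validates the template as a CloudFormation-style document:
    rules must sit under a top-level 'Resources' map, each with a 'Type', and
    every AWS::Config::ConfigRule needs a 'Source'.
    """
    findings: list[str] = []
    resources = template.get("Resources")
    if not isinstance(resources, dict) or not resources:
        findings.append("no top-level 'Resources' map; config rules must be nested under it")
        return findings
    for logical_id, res in resources.items():
        rtype = res.get("Type") if isinstance(res, dict) else None
        if rtype not in PACK_RESOURCE_TYPES:
            findings.append(f"{logical_id}: Type {rtype!r} is not allowed in a conformance pack")
            continue
        if rtype == CONFIG_RULE_TYPE and "Source" not in res.get("Properties", {}):
            findings.append(f"{logical_id}: AWS::Config::ConfigRule needs a Source")
    return findings


def check_pack_properties(props: dict[str, Any]) -> list[str]:
    """Check the AWS::Config::ConformancePack properties that name S3 locations.

    DeliveryS3Bucket is a bucket *name*; TemplateS3Uri is an s3://bucket/key URI.
    The two values look alike, so mixing the forms is an easy mistake.
    """
    findings: list[str] = []
    bucket = props.get("DeliveryS3Bucket")
    if bucket is not None:
        if bucket.startswith("s3://"):
            findings.append("DeliveryS3Bucket must be a bare bucket name, not an s3:// URI")
        elif not BUCKET_NAME_RE.match(bucket):
            findings.append(f"DeliveryS3Bucket {bucket!r} is not a valid bucket name")
    uri = props.get("TemplateS3Uri", "")
    if not uri.startswith("s3://") or "/" not in uri[len("s3://"):]:
        findings.append("TemplateS3Uri must be an s3://bucket/key URI pointing at the template object")
    return findings


def bucket_policy_denies_plaintext(policy: dict[str, Any]) -> bool:
    """True if some statement denies every principal when aws:SecureTransport is false.

    This is the control the S3_BUCKET_SSL_REQUESTS_ONLY rule evaluates, so the
    delivery bucket for the pack should satisfy it as well.
    """
    for st in policy.get("Statement", []):
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny" and st.get("Principal") == "*"
                and str(secure).lower() == "false"):
            return True
    return False


# Constructed sample: the pack template as posted (rule at top level, no Resources).
POSTED_PACK = {
    "S3BucketSSLRequestsOnly": {
        "Type": CONFIG_RULE_TYPE,
        "Properties": {
            "ConfigRuleName": "data-in-transit-s3-bucket-ssl-requests-only",
            "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
            "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SSL_REQUESTS_ONLY"},
        },
    }
}
# The same rule nested under Resources, the shape the Config service accepts.
FIXED_PACK = {"Resources": POSTED_PACK}

# Constructed: ConformancePack properties after CloudFormation resolves !Sub,
# with placeholder bucket names.
POSTED_PROPS = {"DeliveryS3Bucket": "s3://example-zip-bucket",
                "TemplateS3Uri": "s3://example-template-bucket/conformance.yaml"}
FIXED_PROPS = dict(POSTED_PROPS, DeliveryS3Bucket="example-zip-bucket")

# Constructed: the TLS-only Deny statement from the post's bucket policy, resolved.
DELIVERY_BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "*",
         "Resource": "arn:aws:s3:::example-zip-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
}


def preflight(pack: dict[str, Any], props: dict[str, Any],
              policy: dict[str, Any]) -> dict[str, Any]:
    """Aggregate the three checks; 'ok' is True only when nothing was found."""
    findings = check_pack_template(pack) + check_pack_properties(props)
    if not bucket_policy_denies_plaintext(policy):
        findings.append("delivery bucket policy lacks a Deny for aws:SecureTransport=false")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for label, pack, props in (("as posted", POSTED_PACK, POSTED_PROPS),
                               ("corrected", FIXED_PACK, FIXED_PROPS)):
        result = preflight(pack, props, DELIVERY_BUCKET_POLICY)
        print(label, "OK" if result["ok"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as posted, the preflight reports two findings (the missing Resources map and the s3:// prefix on DeliveryS3Bucket); with the corrected inputs it reports none. The policy check is deliberately strict about `Principal: "*"` so that a Deny scoped to a single role is not mistaken for the bucket-wide TLS requirement the rule looks for.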