├── AWS-Config-optimized-for-AWS-Security-Hub.yaml
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
└── README.md

/AWS-Config-optimized-for-AWS-Security-Hub.yaml:
--------------------------------------------------------------------------------
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Description: 'AWS CloudFormation for optimizing AWS Config for AWS Security Hub'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      DeliveryChannelName:
        default: Configuration delivery channel name
      Frequency:
        default: Snapshot delivery frequency
      TopicArn:
        default: SNS topic name
      NotificationEmail:
        default: Notification Email (optional)
Parameters:
  DeliveryChannelName:
    Type: String
    Default: ''
    Description: The name of the delivery channel.
  Frequency:
    Type: String
    Default: 24hours
    Description: The frequency with which AWS Config delivers configuration snapshots.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
  TopicArn:
    Type: String
    Default: ''
    Description: >-
      The Amazon Resource Name (ARN) of the Amazon Simple Notification Service
      (Amazon SNS) topic that AWS Config delivers notifications to. Note:
      Leaving the default value will result in the generation of a new topic.
  NotificationEmail:
    Type: String
    Default: ''
    Description: Email address for AWS Config notifications (for new topics).
Conditions:
  IsGeneratedDeliveryChannelName: !Equals
    - !Ref DeliveryChannelName
    - ''
  CreateTopic: !Equals
    - !Ref TopicArn
    - ''
  CreateSubscription: !And
    - !Condition CreateTopic
    - !Not
      - !Equals
        - !Ref NotificationEmail
        - ''
Mappings:
  Settings:
    FrequencyMap:
      1hour: One_Hour
      3hours: Three_Hours
      6hours: Six_Hours
      12hours: Twelve_Hours
      24hours: TwentyFour_Hours
Resources:
  ConfigBucket:
    DeletionPolicy: Retain
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ConfigBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}'
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              - !Sub >-
                arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*
          - Sid: AWSConfigBucketSecureTransport
            Action:
              - 's3:*'
            Effect: Deny
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}'
              - !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}/*'
            Principal: '*'
            Condition:
              Bool:
                'aws:SecureTransport': false
  ConfigTopic:
    Condition: CreateTopic
    Type: 'AWS::SNS::Topic'
    Properties:
      TopicName: !Sub 'config-topic-${AWS::AccountId}'
      DisplayName: AWS Config Notification Topic
      KmsMasterKeyId: alias/aws/sns
  ConfigTopicPolicy:
    Condition: CreateTopic
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      Topics:
        - !Ref ConfigTopic
      PolicyDocument:
        Statement:
          - Sid: AWSConfigSNSPolicy
            Action:
              - 'sns:Publish'
            Effect: Allow
            Resource: !Ref ConfigTopic
            Principal:
              Service:
                - config.amazonaws.com
  EmailNotification:
    Condition: CreateSubscription
    Type: 'AWS::SNS::Subscription'
    Properties:
      Endpoint: !Ref NotificationEmail
      Protocol: email
      TopicArn: !Ref ConfigTopic
  ConfigRecorderRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole'
  ConfigRecorderForSecurityHub:
    Type: 'AWS::Config::ConfigurationRecorder'
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      RoleARN: !GetAtt
        - ConfigRecorderRole
        - Arn
      RecordingGroup:
        AllSupported: false
        IncludeGlobalResourceTypes: false
        ResourceTypes:
          - 'AWS::ACM::Certificate'
          - 'AWS::ApiGateway::Stage'
          - 'AWS::ApiGatewayV2::Stage'
          - 'AWS::AppSync::GraphQLApi'
          - 'AWS::AutoScaling::AutoScalingGroup'
          - 'AWS::AutoScaling::LaunchConfiguration'
          - 'AWS::CloudFormation::Stack'
          - 'AWS::CloudFront::Distribution'
          - 'AWS::CloudWatch::Alarm'
          - 'AWS::CodeBuild::Project'
          - 'AWS::DynamoDB::Table'
          - 'AWS::EC2::EIP'
          - 'AWS::EC2::Instance'
          - 'AWS::EC2::LaunchTemplate'
          - 'AWS::EC2::NetworkAcl'
          - 'AWS::EC2::NetworkInterface'
          - 'AWS::EC2::SecurityGroup'
          - 'AWS::EC2::Subnet'
          - 'AWS::EC2::TransitGateway'
          - 'AWS::EC2::VPNConnection'
          - 'AWS::EC2::Volume'
          - 'AWS::ECR::Repository'
          - 'AWS::ECS::Cluster'
          - 'AWS::ECS::Service'
          - 'AWS::ECS::TaskDefinition'
          - 'AWS::EFS::AccessPoint'
          - 'AWS::EKS::Cluster'
          - 'AWS::ElasticBeanstalk::Environment'
          - 'AWS::ElasticLoadBalancing::LoadBalancer'
          - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
          - 'AWS::Elasticsearch::Domain'
          - 'AWS::IAM::Group'
          - 'AWS::IAM::Policy'
          - 'AWS::IAM::Role'
          - 'AWS::IAM::User'
          - 'AWS::KMS::Key'
          - 'AWS::Kinesis::Stream'
          - 'AWS::Lambda::Function'
          - 'AWS::NetworkFirewall::FirewallPolicy'
          - 'AWS::NetworkFirewall::RuleGroup'
          - 'AWS::OpenSearch::Domain'
          - 'AWS::RDS::DBCluster'
          - 'AWS::RDS::DBClusterSnapshot'
          - 'AWS::RDS::DBInstance'
          - 'AWS::RDS::DBSnapshot'
          - 'AWS::RDS::EventSubscription'
          - 'AWS::Redshift::Cluster'
          - 'AWS::S3::Bucket'
          - 'AWS::SNS::Topic'
          - 'AWS::SQS::Queue'
          - 'AWS::SSM::AssociationCompliance'
          - 'AWS::SSM::PatchCompliance'
          - 'AWS::SageMaker::NotebookInstance'
          - 'AWS::SecretsManager::Secret'
          - 'AWS::StepFunctions::StateMachine'
          - 'AWS::WAF::Rule'
          - 'AWS::WAF::RuleGroup'
          - 'AWS::WAF::WebACL'
          - 'AWS::WAFRegional::Rule'
          - 'AWS::WAFRegional::RuleGroup'
          - 'AWS::WAFRegional::WebACL'
          - 'AWS::WAFv2::WebACL'
  ConfigDeliveryChannel:
    Type: 'AWS::Config::DeliveryChannel'
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: !If
        - IsGeneratedDeliveryChannelName
        - !Ref 'AWS::NoValue'
        - !Ref DeliveryChannelName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: !FindInMap
          - Settings
          - FrequencyMap
          - !Ref Frequency
      S3BucketName: !Ref ConfigBucket
      SnsTopicARN: !If
        - CreateTopic
        - !Ref ConfigTopic
        - !Ref TopicArn

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct

This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.

## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment

## Contributing via Pull Requests

Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *main* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).

## Finding contributions to work on

Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.

## Code of Conduct

This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

## Security issue notifications

If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.

## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT No Attribution

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## AWS CloudFormation for optimizing AWS Config for AWS Security Hub

This repo contains the CloudFormation template to set up AWS Config to record only what's needed for Security Hub, as detailed in the AWS Security Blog post: Optimize AWS Config for AWS Security Hub. Check out the blog for more information on how to use this CloudFormation template.

### Requirements

This CloudFormation template only works if AWS Config is not currently enabled in the account/Region that you want to run it in.
For more information on managing the AWS Config recorder, check out the [AWS Config User Guide](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html).

### Getting Started

Download the CloudFormation template (`AWS-Config-optimized-for-AWS-Security-Hub.yaml`) and deploy it from the console. You can also use AWS CloudFormation StackSets to deploy, update, or delete the template across multiple accounts and Regions with a single operation.

### Template Parameters

- DeliveryChannelName
  - The name of the delivery channel.
- Frequency
  - The frequency with which AWS Config delivers configuration snapshots.
- TopicArn
  - The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to. Note: Leaving the TopicArn at its empty default value will result in the generation of a new topic.
- NotificationEmail
  - Email address for AWS Config notifications (for new topics).

## Security

See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

## License

This library is licensed under the MIT-0 License. See the LICENSE file.

--------------------------------------------------------------------------------
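The Requirements section above says the template only works where AWS Config is not already enabled. The pre-flight check below is an added example, not code from the repository or the blog post: it takes a response shaped like the ConfigService DescribeConfigurationRecorders API (boto3's `describe_configuration_recorders()`), decides whether the stack can be deployed, and, when a recorder already exists, reports which of the resource types the template's recorder covers are missing from it. The recorder response is constructed sample data.

```python
"""Pre-flight check for the template: is AWS Config already enabled here,
and if so, which Security Hub resource types does the existing recorder miss?
Added example; the input mirrors DescribeConfigurationRecorders output."""

# Resource types listed in the template's ConfigRecorderForSecurityHub RecordingGroup.
SECURITY_HUB_RESOURCE_TYPES = frozenset("AWS::" + t for t in (
    "ACM::Certificate ApiGateway::Stage ApiGatewayV2::Stage AppSync::GraphQLApi "
    "AutoScaling::AutoScalingGroup AutoScaling::LaunchConfiguration CloudFormation::Stack "
    "CloudFront::Distribution CloudWatch::Alarm CodeBuild::Project DynamoDB::Table "
    "EC2::EIP EC2::Instance EC2::LaunchTemplate EC2::NetworkAcl EC2::NetworkInterface "
    "EC2::SecurityGroup EC2::Subnet EC2::TransitGateway EC2::VPNConnection EC2::Volume "
    "ECR::Repository ECS::Cluster ECS::Service ECS::TaskDefinition EFS::AccessPoint "
    "EKS::Cluster ElasticBeanstalk::Environment ElasticLoadBalancing::LoadBalancer "
    "ElasticLoadBalancingV2::LoadBalancer Elasticsearch::Domain IAM::Group IAM::Policy "
    "IAM::Role IAM::User KMS::Key Kinesis::Stream Lambda::Function "
    "NetworkFirewall::FirewallPolicy NetworkFirewall::RuleGroup OpenSearch::Domain "
    "RDS::DBCluster RDS::DBClusterSnapshot RDS::DBInstance RDS::DBSnapshot "
    "RDS::EventSubscription Redshift::Cluster S3::Bucket SNS::Topic SQS::Queue "
    "SSM::AssociationCompliance SSM::PatchCompliance SageMaker::NotebookInstance "
    "SecretsManager::Secret StepFunctions::StateMachine WAF::Rule WAF::RuleGroup "
    "WAF::WebACL WAFRegional::Rule WAFRegional::RuleGroup WAFRegional::WebACL WAFv2::WebACL"
).split())


def check_existing_recorder(describe_response: dict) -> dict:
    """Return can_deploy plus the gap between an existing recorder and the template."""
    recorders = describe_response.get("ConfigurationRecorders", [])
    if not recorders:  # no recorder in this account/Region: the template may create one
        return {"can_deploy": True, "recorder": None, "missing_types": []}
    recorder = recorders[0]  # AWS Config allows one recorder per account and Region
    group = recorder.get("recordingGroup", {})
    if group.get("allSupported"):
        missing = []  # everything is recorded already, just at a higher cost
    else:
        missing = sorted(SECURITY_HUB_RESOURCE_TYPES - set(group.get("resourceTypes", [])))
    return {"can_deploy": False, "recorder": recorder.get("name"), "missing_types": missing}


# Constructed sample: a recorder that already covers three of the required types.
SAMPLE_EXISTING = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/PLACEHOLDER-config-role",  # placeholder
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket", "AWS::IAM::Role"]},
}]}

if __name__ == "__main__":
    print(check_existing_recorder(SAMPLE_EXISTING))
```

In a real account, replace `SAMPLE_EXISTING` with the result of `boto3.client("config").describe_configuration_recorders()` for the target Region.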