SecurityConfig / AwsConfig

Description

AWS Config Recorder and Rules

Example

awsConfig:
  enableConfigurationRecorder: false
  # enableDeliveryChannel DEPRECATED
  enableDeliveryChannel: true
  overrideExisting: false
  deploymentTargets:
    organizationalUnits:
      - Infrastructure
  aggregation:
    enable: true
    delegatedAdminAccount: LogArchive
  ruleSets:
    - deploymentTargets:
        organizationalUnits:
          - Root
      rules:
        - name: accelerator-iam-user-group-membership-check
          complianceResourceTypes:
            - AWS::IAM::User
          identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK

Hierarchy

  • AwsConfig

Properties

aggregation: undefined | AwsConfigAggregation

AWS Config recorder aggregation configuration.

deploymentTargets: undefined | DeploymentTargets

(OPTIONAL) AWS Config deployment targets.

Leaving deploymentTargets undefined will enable AWS Config across all accounts and enabled regions.

We highly recommend enabling AWS Config across all accounts and enabled regions within your organization. deploymentTargets should only be used when more granular control is required, not as a default configuration.

To enable AWS Config only in the Infrastructure organizational unit, provide the value below for this parameter.

Note: The delegated admin account defined in centralSecurityServices will always have AwsConfig enabled.

Example

- deploymentTargets:
    organizationalUnits:
      - Infrastructure

enableConfigurationRecorder: false = false

Indicates whether the AWS Config recorder is enabled.

To enable AWS Config, you must create a configuration recorder.

The ConfigurationRecorder resource describes the AWS resource types for which AWS Config records configuration changes. The configuration recorder stores the configurations of the supported resources in your account as configuration items.

enableDeliveryChannel: undefined | boolean

DEPRECATED. Indicates whether the delivery channel is enabled.

AWS Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket.

overrideExisting: undefined | boolean

Indicates whether or not to override existing config recorder settings.

Must be enabled if any account and region combination has an existing config recorder, even if config recording is turned off. The Landing Zone Accelerator will override the settings in all configured accounts and regions.

Do not enable this setting if you have deployed LZA successfully with enableConfigurationRecorder set to true and overrideExisting either unset or set to false. Doing so will cause a resource conflict.

When the overrideExisting property is enabled, ensure that no SCP blocks the iam:PassRole permission for the IAM role named {acceleratorPrefix}Config.

ruleSets: AwsConfigRuleSet[] = []

AWS Config rule sets.
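As an added example (not part of the Landing Zone Accelerator), a small Python lint that checks a parsed awsConfig block for the points documented on this page: a disabled recorder, the deprecated enableDeliveryChannel key, a narrowed deploymentTargets, the overrideExisting/PassRole caveat, and rules missing a name or identifier. It assumes the YAML has already been loaded into a dict; the sample dict mirrors the example above.

```python
# Constructed sample: the awsConfig block from this page, as it looks once the YAML is parsed.
SAMPLE_AWS_CONFIG = {
    "enableConfigurationRecorder": False,
    "enableDeliveryChannel": True,  # deprecated key, kept to show the finding
    "overrideExisting": False,
    "deploymentTargets": {"organizationalUnits": ["Infrastructure"]},
    "aggregation": {"enable": True, "delegatedAdminAccount": "LogArchive"},
    "ruleSets": [{
        "deploymentTargets": {"organizationalUnits": ["Root"]},
        "rules": [{
            "name": "accelerator-iam-user-group-membership-check",
            "complianceResourceTypes": ["AWS::IAM::User"],
            "identifier": "IAM_USER_GROUP_MEMBERSHIP_CHECK",
        }],
    }],
}


def lint_aws_config(cfg: dict) -> list:
    """Return (severity, message) findings for an awsConfig section; an empty list means clean."""
    findings = []
    # Without a configuration recorder AWS Config records nothing.
    if not cfg.get("enableConfigurationRecorder", False):
        findings.append(("WARN", "enableConfigurationRecorder is false: no recorder, so nothing is recorded"))
    # The key is deprecated; its presence is a leftover from older configs.
    if "enableDeliveryChannel" in cfg:
        findings.append(("WARN", "enableDeliveryChannel is deprecated; drop the key"))
    # Leaving deploymentTargets undefined covers all accounts and enabled regions.
    if cfg.get("deploymentTargets") is not None:
        findings.append(("INFO", "deploymentTargets set: coverage limited to the listed targets"))
    # Overriding existing recorders needs iam:PassRole on the accelerator Config role.
    if cfg.get("overrideExisting"):
        findings.append(("INFO", "overrideExisting is true: check SCPs allow iam:PassRole for {acceleratorPrefix}Config"))
    # Every rule needs both a name and an identifier.
    for i, rule_set in enumerate(cfg.get("ruleSets", [])):
        for j, rule in enumerate(rule_set.get("rules", [])):
            for key in ("name", "identifier"):
                if not rule.get(key):
                    findings.append(("ERROR", f"ruleSets[{i}].rules[{j}] is missing '{key}'"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_aws_config(SAMPLE_AWS_CONFIG):
        print(f"{severity}: {message}")
```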
