SecurityConfig / AwsConfig

AWS Config Recorder and Rules

Example

awsConfig:
  enableConfigurationRecorder: false
  # enableDeliveryChannel is DEPRECATED
  enableDeliveryChannel: true
  overrideExisting: false
  aggregation:
    enable: true
    delegatedAdminAccount: LogArchive
  ruleSets:
    - deploymentTargets:
        organizationalUnits:
          - Root
      rules:
        - name: accelerator-iam-user-group-membership-check
          complianceResourceTypes:
            - AWS::IAM::User
          identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK

Hierarchy

  • AwsConfig

Properties

aggregation: undefined | AwsConfigAggregation

Config Recorder Aggregation configuration

enableConfigurationRecorder: false = false

Indicates whether the AWS Config configuration recorder is enabled.

To enable AWS Config in an account and region, a configuration recorder must exist there.

A ConfigurationRecorder resource describes the AWS resource types for which AWS Config records configuration changes. The configuration recorder stores the configurations of the supported resources in your account as configuration items.

enableDeliveryChannel: undefined | boolean

Indicates whether the delivery channel is enabled. DEPRECATED: leave this property unset.

AWS Config uses the delivery channel to deliver configuration changes to your Amazon S3 bucket.

overrideExisting: undefined | boolean

Indicates whether to override existing configuration recorder settings.

Must be set to true if any account and region combination already has a configuration recorder, even if that recorder has recording turned off. The Landing Zone Accelerator will then override the recorder settings in all configured accounts and regions.

Do not enable this setting if you have already deployed LZA successfully with enableConfigurationRecorder set to true and overrideExisting either unset or set to false. Doing so will cause a resource conflict.

When overrideExisting is enabled, ensure that no SCP blocks the iam:PassRole permission for the IAM role named {acceleratorPrefix}Config.

ruleSets: AwsConfigRuleSet[] = []

AWS Config rule sets. Each rule set lists the Config rules to deploy and the deploymentTargets (organizational units or accounts) that receive them.
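The constraints stated for overrideExisting, enableDeliveryChannel and ruleSets are easy to get wrong before a deployment, so the following lint, an added example that is not part of LZA or this page, encodes them as checks over an awsConfig block and a per-account/region recorder inventory. The config dict mirrors the YAML example above; the inventory, the prior-deployment config and the function name lint_aws_config are constructed for illustration. In practice the inventory would be collected with aws configservice describe-configuration-recorders in each account and region.

```python
"""Pre-deployment sanity checks for an LZA awsConfig block.

Added example (not LZA's own code). It encodes the documented constraints:
  * enableDeliveryChannel is deprecated and should not be set;
  * overrideExisting must be true when any account/region already has a
    configuration recorder, even one with recording turned off;
  * enabling overrideExisting after LZA already created the recorder with
    overrideExisting unset/false causes a resource conflict;
  * with overrideExisting on, SCPs must not block iam:PassRole on the
    {acceleratorPrefix}Config role (reported as a reminder to verify).
"""
from __future__ import annotations

from typing import Optional


def lint_aws_config(cfg: dict,
                    existing_recorders: dict[tuple[str, str], bool],
                    prior_cfg: Optional[dict] = None) -> list[str]:
    """Return findings as "ERROR: ..." / "WARN: ..." strings (empty = clean).

    existing_recorders maps (account, region) -> True when a configuration
    recorder already exists there; prior_cfg is the awsConfig block of the
    last successful LZA deployment, or None for a first deployment.
    """
    findings: list[str] = []

    if "enableDeliveryChannel" in cfg:
        findings.append("WARN: enableDeliveryChannel is deprecated; remove it")

    override = bool(cfg.get("overrideExisting", False))
    occupied = sorted(k for k, present in existing_recorders.items() if present)
    if occupied and not override:
        findings.append(
            "ERROR: overrideExisting must be true: existing recorder in "
            + ", ".join(f"{acct}/{region}" for acct, region in occupied))

    # Documented resource conflict: recorder already deployed by LZA without
    # overrideExisting, and the new config now turns overrideExisting on.
    if (override and prior_cfg is not None
            and prior_cfg.get("enableConfigurationRecorder", False)
            and not prior_cfg.get("overrideExisting", False)):
        findings.append(
            "ERROR: overrideExisting cannot be enabled after LZA already "
            "deployed the recorder with overrideExisting unset/false "
            "(resource conflict)")

    if override:
        findings.append(
            "WARN: overrideExisting is on; confirm no SCP denies iam:PassRole "
            "on the {acceleratorPrefix}Config role")

    # Rule sets: deploymentTargets and a rule name are assumed required, as in
    # the page's example; a missing managed-rule identifier is only a warning.
    for i, rule_set in enumerate(cfg.get("ruleSets", [])):
        if "deploymentTargets" not in rule_set:
            findings.append(f"ERROR: ruleSets[{i}] has no deploymentTargets")
        for rule in rule_set.get("rules", []):
            name = rule.get("name")
            if not name:
                findings.append(f"ERROR: ruleSets[{i}] has a rule without a name")
            elif not rule.get("identifier"):
                findings.append(f"WARN: rule {name} has no managed rule identifier")
    return findings


# Constructed input mirroring the YAML example on this page.
EXAMPLE_CFG = {
    "enableConfigurationRecorder": False,
    "enableDeliveryChannel": True,
    "overrideExisting": False,
    "aggregation": {"enable": True, "delegatedAdminAccount": "LogArchive"},
    "ruleSets": [{
        "deploymentTargets": {"organizationalUnits": ["Root"]},
        "rules": [{
            "name": "accelerator-iam-user-group-membership-check",
            "complianceResourceTypes": ["AWS::IAM::User"],
            "identifier": "IAM_USER_GROUP_MEMBERSHIP_CHECK",
        }],
    }],
}

# Constructed inventory: one account/region already has a recorder.
INVENTORY = {
    ("Management", "us-east-1"): True,
    ("LogArchive", "us-east-1"): False,
}

if __name__ == "__main__":
    for finding in lint_aws_config(EXAMPLE_CFG, INVENTORY):
        print(finding)
```

Run as-is, the lint flags the deprecated enableDeliveryChannel key and reports that overrideExisting must be true because Management/us-east-1 already has a recorder. Passing the previous deployment's awsConfig as prior_cfg is what catches the resource-conflict case the overrideExisting docs warn about.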

Generated using TypeDoc