tomofuminijo · February 11, 2020 07:18
diff --git a/config-s3-bucket.yaml b/config-s3-bucket.yaml
 WSTemplateFormatVersion: 2010-09-09
 Description: Create S3 Bucket for Config

 Parameters:
  AuditS3BucketName:
    Type: String
  OrganizationId:
    Type: String

 Resources:

  ConfigBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration: 
          - ServerSideEncryptionByDefault: 
              SSEAlgorithm: aws:kms
      BucketName: !Ref AuditS3BucketName

  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}"
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}/${OrganizationId}/AWSLogs/*/Config/*"
diff --git a/create_s3bucket_for_awsconfig.sh b/create_s3bucket_for_awsconfig.sh
 #!/bin/bash
 CONFIG_BUCKET_NAME=<your_bucket_name>
 ORGANIZATION_ID=<your_organization_id>

 STACK_NAME=<your_stack_name>
 TEMPLATE_FILE=config-s3-bucket.yaml

 aws cloudformation create-stack --stack-name $STACK_NAME \
  --template-body file://$TEMPLATE_FILE \
  --parameters ParameterKey=AuditS3BucketName,ParameterValue=$CONFIG_BUCKET_NAME ParameterKey=OrganizationId,ParameterValue=$ORGANIZATION_ID \
  --region us-east-1
 
 aws cloudformation wait stack-create-complete --stack-name $STACK_NAME --region us-east-1
	WSTemplateFormatVersion: 2010-09-09
	Description: Create S3 Bucket for Config

	Parameters:
	AuditS3BucketName:
	Type: String
	OrganizationId:
	Type: String

	Resources:

	ConfigBucket:
	DeletionPolicy: Retain
	Type: AWS::S3::Bucket
	Properties:
	BucketEncryption:
	ServerSideEncryptionConfiguration:
	- ServerSideEncryptionByDefault:
	SSEAlgorithm: aws:kms
	BucketName: !Ref AuditS3BucketName

	ConfigBucketPolicy:
	Type: AWS::S3::BucketPolicy
	Properties:
	Bucket: !Ref ConfigBucket
	PolicyDocument:
	Version: 2012-10-17
	Statement:
	- Sid: AWSConfigBucketPermissionsCheck
	Effect: Allow
	Principal:
	Service:
	- config.amazonaws.com
	Action: s3:GetBucketAcl
	Resource:
	- !Sub "arn:aws:s3:::${ConfigBucket}"
	- Sid: AWSConfigBucketDelivery
	Effect: Allow
	Principal:
	Service:
	- config.amazonaws.com
	Action: s3:PutObject
	Resource:
	- !Sub "arn:aws:s3:::${ConfigBucket}/${OrganizationId}/AWSLogs//Config/"
	#!/bin/bash
	CONFIG_BUCKET_NAME=<your_bucket_name>
	ORGANIZATION_ID=<your_organization_id>

	STACK_NAME=<your_stack_name>
	TEMPLATE_FILE=config-s3-bucket.yaml

	aws cloudformation create-stack --stack-name $STACK_NAME \
	--template-body file://$TEMPLATE_FILE \
	--parameters ParameterKey=AuditS3BucketName,ParameterValue=$CONFIG_BUCKET_NAME ParameterKey=OrganizationId,ParameterValue=$ORGANIZATION_ID \
	--region us-east-1

	aws cloudformation wait stack-create-complete --stack-name $STACK_NAME --region us-east-1