in source/aws-bootstrap-kit/lib/aws-config-recorder.ts [26:92]
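/**
 * Provisions the pieces AWS Config needs to record IAM users in this account:
 * an S3 bucket the Config service is allowed to deliver into, a delivery channel
 * pointing at that bucket, a service role for the recorder, and the recorder itself.
 *
 * @param scope - Parent construct.
 * @param id - Logical id of this construct within `scope`.
 */
constructor(scope: Construct, id: string) {
  super(scope, id);

  // Config delivers configuration history/snapshots here; public access is blocked
  // so the bucket is reachable only through the explicit grants below.
  const configBucket = new s3.Bucket(this, 'ConfigBucket', {
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
  });

  // Deny every request that is not made over TLS, for the bucket and all its objects.
  configBucket.addToResourcePolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.DENY,
      actions: ['*'],
      principals: [new iam.AnyPrincipal()],
      resources: [configBucket.bucketArn, configBucket.arnForObjects('*')],
      conditions: {
        Bool: {
          'aws:SecureTransport': false,
        },
      },
    }),
  );

  // AWSConfigBucketPermissionsCheck: Config reads the bucket ACL before delivering.
  configBucket.addToResourcePolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [new iam.ServicePrincipal('config.amazonaws.com')],
      resources: [configBucket.bucketArn],
      actions: ['s3:GetBucketAcl'],
    }),
  );

  // AWSConfigBucketDelivery: Config may write objects, but only when it hands full
  // control to the bucket owner, so delivered objects stay readable from this account.
  // Uses arnForObjects() to match the object ARN form of the deny statement above.
  configBucket.addToResourcePolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [new iam.ServicePrincipal('config.amazonaws.com')],
      resources: [configBucket.arnForObjects('*')],
      actions: ['s3:PutObject'],
      conditions: {
        StringEquals: {
          's3:x-amz-acl': 'bucket-owner-full-control',
        },
      },
    }),
  );

  // Role the Config service assumes to describe resources; only the AWS managed
  // policy is attached, no inline permissions.
  // NOTE(review): AWS documents `service-role/AWSConfigRole` as deprecated in favour
  // of `service-role/AWS_ConfigRole`; confirm before switching, since it changes the
  // permissions granted to the recorder.
  const configRole = new iam.Role(this, 'ConfigRecorderRole', {
    assumedBy: new iam.ServicePrincipal('config.amazonaws.com'),
    managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSConfigRole')],
  });

  // Recording is deliberately scoped to IAM users only.
  const configRecorder = new cfg.CfnConfigurationRecorder(this, 'ConfigRecorder', {
    name: "BlueprintConfigRecorder",
    roleArn: configRole.roleArn,
    recordingGroup: {
      resourceTypes: [
        "AWS::IAM::User",
      ],
    },
  });

  const deliveryChannel = new cfg.CfnDeliveryChannel(this, 'ConfigDeliveryChannel', {
    s3BucketName: configBucket.bucketName,
    name: "ConfigDeliveryChannel",
  });
  // AWS Config rejects PutDeliveryChannel while the account has no configuration
  // recorder, and CloudFormation creates unrelated resources in parallel, so the
  // ordering must be declared explicitly rather than left to chance.
  deliveryChannel.addDependsOn(configRecorder);
}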