From dd600bfff699f7827658756d214a0575a23f03d8 Mon Sep 17 00:00:00 2001
From: Andreas Wittig
Date: Fri, 14 Feb 2025 09:16:50 +0100
Subject: [PATCH] fix: Remove unnecessary IAM role for AWS Config

---
 security/config.yaml | 60 +++++---------------------------------------
 1 file changed, 6 insertions(+), 54 deletions(-)

diff --git a/security/config.yaml b/security/config.yaml
index f94eaf441..9f40232e9 100644
--- a/security/config.yaml
+++ b/security/config.yaml
@@ -64,7 +64,6 @@ Parameters:
 Conditions:
 HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, '']]
 InternalBucket: !Equals [!Ref ExternalConfigBucket, '']
- ExternalBucket: !Not [!Equals [!Ref ExternalConfigBucket, '']]
 Resources:
 ConfigBucket:
 Condition: InternalBucket
@@ -103,64 +102,17 @@ Resources:
 DeliveryFrequency: !Ref DeliveryFrequency
 S3BucketName: !If [InternalBucket, !Ref ConfigBucket, !Ref ExternalConfigBucket]
 SnsTopicARN: !Ref ConfigTopic
- ConfigurationRecorderRole:
- Condition: InternalBucket
- Type: 'AWS::IAM::Role'
- Properties:
- ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole'
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Sid: AssumeRole1
- Effect: Allow
- Principal:
- Service: 'config.amazonaws.com'
- Action: 'sts:AssumeRole'
- PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundary, !Ref 'AWS::NoValue']
- Policies:
- - PolicyName: 's3-policy'
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Action: 's3:PutObject'
- Resource: !Sub 'arn:aws:s3:::${ConfigBucket}/*'
- Condition:
- StringLike:
- 's3:x-amz-acl': 'bucket-owner-full-control'
- - Effect: Allow
- Action: 's3:GetBucketAcl'
- Resource: !Sub 'arn:aws:s3:::${ConfigBucket}'
- - PolicyName: 'sns-policy'
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Action: 'sns:Publish'
- Resource: !Ref ConfigTopic
- ExternalConfigurationRecorderRole:
- Condition: ExternalBucket
- Type: 'AWS::IAM::Role'
+ ConfigServiceRole:
+ Type: 'AWS::IAM::ServiceLinkedRole'
 Properties:
- ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole'
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Sid: AssumeRole1
- Effect: Allow
- Principal:
- Service: 'config.amazonaws.com'
- Action: 'sts:AssumeRole'
- PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundary, !Ref 'AWS::NoValue']
+ AWSServiceName: 'config.amazonaws.com'
 ConfigurationRecorder:
 Type: 'AWS::Config::ConfigurationRecorder'
 Properties:
 RecordingGroup:
 AllSupported: true
 IncludeGlobalResourceTypes: true
- RoleARN: !If [InternalBucket, !GetAtt 'ConfigurationRecorderRole.Arn', !GetAtt 'ExternalConfigurationRecorderRole.Arn']
+ RoleARN: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
 LambdaRole:
 Type: 'AWS::IAM::Role'
 Properties:
@@ -227,7 +179,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'LambdaRole.Arn'
- Runtime: 'nodejs20.x'
+ Runtime: 'nodejs22.x'
 Timeout: 60
 LambdaLogGroup:
 Type: 'AWS::Logs::LogGroup'
@@ -252,4 +204,4 @@ Outputs:
 Value: '__VERSION__'
 StackName:
 Description: 'Stack name.'
- Value: !Sub '${AWS::StackName}'
+ Value: !Sub '${AWS::StackName}'
\ No newline at end of file
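Review bot: ConfigurationRecorder now builds RoleARN with `!Sub` from the account ID instead of `!GetAtt`, so there is no longer an implicit dependency on the new ConfigServiceRole and CloudFormation may create the recorder before the service-linked role exists; add `DependsOn: ConfigServiceRole` to ConfigurationRecorder (or drop the role resource if it is expected to pre-exist). Related, an account can hold only one AWSServiceRoleForConfig, so creating it here fails where AWS Config was enabled earlier via the console or another stack — worth a note in the template or a parameter that lets operators skip the resource. The removed inline policies also mean delivery now relies on ConfigBucket's bucket policy and ConfigTopic's topic policy granting config.amazonaws.com `s3:PutObject`/`s3:GetBucketAcl` and `sns:Publish`; those resources are outside this hunk, so confirm they do. Finally, service-linked roles cannot carry a permissions boundary, so the `PermissionsBoundary` parameter no longer applies to the Config role — presumably only the remaining role resources such as LambdaRole still honour it, which the parameter description should state.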