AWS::IoT::AccountAuditConfiguration - AWS CloudFormation

AWS::IoT::AccountAuditConfiguration

Use the AWS::IoT::AccountAuditConfiguration resource to configure or reconfigure the Device Defender audit settings for your account. Settings include how audit notifications are sent and which audit checks are enabled or disabled. For API reference, see UpdateAccountAuditConfiguration and for detailed information on all available audit checks, see Audit checks.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::IoT::AccountAuditConfiguration",
  "Properties" : {
    "AccountId" : String,
    "AuditCheckConfigurations" : AuditCheckConfigurations,
    "AuditNotificationTargetConfigurations" : AuditNotificationTargetConfigurations,
    "RoleArn" : String
  }
}

Properties

AccountId

The ID of the account. You can use the expression !Sub "${AWS::AccountId}" to use your account ID.

Required: Yes

Type: String

Minimum: 12

Maximum: 12

Update requires: Replacement

AuditCheckConfigurations

Specifies which audit checks are enabled and disabled for this account.

Some data collection might start immediately when certain checks are enabled. When a check is disabled, any data collected so far in relation to the check is deleted. To disable a check, set its Enabled key to false.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on the available audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.

Required: Yes

Type: AuditCheckConfigurations

Update requires: No interruption

AuditNotificationTargetConfigurations

Information about the targets to which audit notifications are sent.

Required: No

Type: AuditNotificationTargetConfigurations

Update requires: No interruption

RoleArn

The Amazon Resource Name (ARN) of the role that grants permission to AWS IoT to access information about your devices, policies, certificates, and other items as required when performing an audit.

Required: Yes

Type: String

Minimum: 20

Maximum: 2048

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the account ID.

Examples

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Amazon Web Services IoT AccountAuditConfiguration Sample Template",
  "Resources": {
    "MyAccountAuditConfiguration": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": { "Fn::Sub": "${AWS::AccountId}" },
        "AuditCheckConfigurations": {
          "AuthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true },
          "CaCertificateExpiringCheck": { "Enabled": true },
          "CaCertificateKeyQualityCheck": { "Enabled": true },
          "ConflictingClientIdsCheck": { "Enabled": true },
          "DeviceCertificateExpiringCheck": { "Enabled": true },
          "DeviceCertificateKeyQualityCheck": { "Enabled": true },
          "DeviceCertificateSharedCheck": { "Enabled": true },
          "IotPolicyOverlyPermissiveCheck": { "Enabled": true },
          "IotRoleAliasAllowsAccessToUnusedServicesCheck": { "Enabled": true },
          "IotRoleAliasOverlyPermissiveCheck": { "Enabled": true },
          "LoggingDisabledCheck": { "Enabled": true },
          "RevokedCaCertificateStillActiveCheck": { "Enabled": true },
          "RevokedDeviceCertificateStillActiveCheck": { "Enabled": true },
          "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true }
        },
        "AuditNotificationTargetConfigurations": {
          "Sns": {
            "TargetArn": "arn:aws:sns:us-east-1:123456789012:AuditNotifications",
            "RoleArn": "arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications",
            "Enabled": true
          }
        },
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit"
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Description: Amazon Web Services IoT AccountAuditConfiguration Sample Template
Resources:
  MyAccountAuditConfiguration:
    Type: 'AWS::IoT::AccountAuditConfiguration'
    Properties:
      AccountId: !Sub '${AWS::AccountId}'
      AuditCheckConfigurations:
        AuthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: true
        CaCertificateExpiringCheck:
          Enabled: true
        CaCertificateKeyQualityCheck:
          Enabled: true
        ConflictingClientIdsCheck:
          Enabled: true
        DeviceCertificateExpiringCheck:
          Enabled: true
        DeviceCertificateKeyQualityCheck:
          Enabled: true
        DeviceCertificateSharedCheck:
          Enabled: true
        IotPolicyOverlyPermissiveCheck:
          Enabled: true
        IotRoleAliasAllowsAccessToUnusedServicesCheck:
          Enabled: true
        IotRoleAliasOverlyPermissiveCheck:
          Enabled: true
        LoggingDisabledCheck:
          Enabled: true
        RevokedCaCertificateStillActiveCheck:
          Enabled: true
        RevokedDeviceCertificateStillActiveCheck:
          Enabled: true
        UnauthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: true
      AuditNotificationTargetConfigurations:
        Sns:
          TargetArn: 'arn:aws:sns:us-east-1:123456789012:AuditNotifications'
          RoleArn: 'arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications'
          Enabled: true
      RoleArn: 'arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit'

See also

When you use CloudFormation to perform drift detection for AccountAuditConfiguration, it won't compare values that aren't part of the stack template. In AccountAuditConfiguration, specifying a configuration for every check is optional, and skipped checks are interpreted as disabled. To have accurate drift detection with CloudFormation, include configurations (enabled or disabled) for all 14 audit checks in your template. For more information on the audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.
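Because omitted checks silently count as disabled and are invisible to drift detection, it is worth linting templates before deployment. The following script is an added example, not code from AWS or from this page: it reads a CloudFormation template in JSON form and reports audit checks that are missing from AuditCheckConfigurations, checks that are explicitly disabled, an AccountId given as a literal string that is not a 12-digit account ID (for example "${AWS::AccountId}" without Fn::Sub), and a missing or disabled SNS notification target. The list of 14 check names is taken from the sample template above; the sample template embedded in the script is constructed for the demonstration.

```python
import json

# The 14 Device Defender audit checks, as listed in this page's sample template.
ALL_AUDIT_CHECKS = frozenset({
    "AuthenticatedCognitoRoleOverlyPermissiveCheck",
    "CaCertificateExpiringCheck",
    "CaCertificateKeyQualityCheck",
    "ConflictingClientIdsCheck",
    "DeviceCertificateExpiringCheck",
    "DeviceCertificateKeyQualityCheck",
    "DeviceCertificateSharedCheck",
    "IotPolicyOverlyPermissiveCheck",
    "IotRoleAliasAllowsAccessToUnusedServicesCheck",
    "IotRoleAliasOverlyPermissiveCheck",
    "LoggingDisabledCheck",
    "RevokedCaCertificateStillActiveCheck",
    "RevokedDeviceCertificateStillActiveCheck",
    "UnauthenticatedCognitoRoleOverlyPermissiveCheck",
})

AUDIT_RESOURCE_TYPE = "AWS::IoT::AccountAuditConfiguration"


def lint_audit_configuration(props):
    """Return a list of (finding_kind, detail) tuples for one resource's Properties."""
    findings = []

    # 1. Every check should be present; skipped checks are treated as disabled
    #    and are not compared by drift detection.
    checks = props.get("AuditCheckConfigurations", {})
    for name in sorted(ALL_AUDIT_CHECKS - set(checks)):
        findings.append(("MissingCheck", name))

    # 2. Report explicitly disabled checks and names we do not recognise.
    for name, cfg in sorted(checks.items()):
        if name not in ALL_AUDIT_CHECKS:
            findings.append(("UnknownCheck", name))
        elif not cfg.get("Enabled", False):
            findings.append(("DisabledCheck", name))

    # 3. AccountId must resolve to a 12-digit ID. A dict (Fn::Sub, Ref) is left
    #    to CloudFormation; a literal string must already be 12 digits.
    account_id = props.get("AccountId")
    if isinstance(account_id, str) and not (len(account_id) == 12 and account_id.isdigit()):
        findings.append(("AccountIdNotResolved", account_id))

    # 4. Without an enabled SNS target nobody is told about audit results.
    sns = props.get("AuditNotificationTargetConfigurations", {}).get("Sns")
    if not sns or not sns.get("Enabled", False):
        findings.append(("NoNotificationTarget", "Sns"))

    return findings


def lint_template(template):
    """Map each AccountAuditConfiguration logical ID to its findings."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == AUDIT_RESOURCE_TYPE:
            results[logical_id] = lint_audit_configuration(resource.get("Properties", {}))
    return results


def complete_template():
    """Build a template that enables all 14 checks and satisfies every lint rule."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "AuditConfig": {
                "Type": AUDIT_RESOURCE_TYPE,
                "Properties": {
                    "AccountId": {"Fn::Sub": "${AWS::AccountId}"},
                    "AuditCheckConfigurations": {n: {"Enabled": True} for n in ALL_AUDIT_CHECKS},
                    "AuditNotificationTargetConfigurations": {
                        "Sns": {
                            "TargetArn": "arn:aws:sns:us-east-1:123456789012:AuditNotifications",
                            "RoleArn": "arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications",
                            "Enabled": True,
                        }
                    },
                    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit",
                },
            }
        },
    }


# Constructed sample: only two checks listed (one disabled), a literal AccountId
# with no Fn::Sub, and no notification target.
WEAK_TEMPLATE_JSON = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AuditConfig": {
            "Type": AUDIT_RESOURCE_TYPE,
            "Properties": {
                "AccountId": "${AWS::AccountId}",
                "AuditCheckConfigurations": {
                    "LoggingDisabledCheck": {"Enabled": True},
                    "IotPolicyOverlyPermissiveCheck": {"Enabled": False},
                },
                "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit",
            },
        }
    },
})


if __name__ == "__main__":
    for logical_id, findings in lint_template(json.loads(WEAK_TEMPLATE_JSON)).items():
        for kind, detail in findings:
            print(f"{logical_id}: {kind}: {detail}")
```

The script deliberately reads JSON only, so it runs without PyYAML; a YAML template can be converted with cfn-flip or loaded with a YAML parser that understands the short-form tags such as !Sub before being passed to lint_template.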

For more information, see Detecting unmanaged configuration changes to stacks and resources in the user guide.