AWS::IoT::AccountAuditConfiguration - AWS CloudFormation


Use the AWS::IoT::AccountAuditConfiguration resource to configure or reconfigure the Device Defender audit settings for your account. Settings include how audit notifications are sent and which audit checks are enabled or disabled. For API reference, see UpdateAccountAuditConfiguration and for detailed information on all available audit checks, see Audit checks.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{
  "Type" : "AWS::IoT::AccountAuditConfiguration",
  "Properties" : {
      "AccountId" : String,
      "AuditCheckConfigurations" : AuditCheckConfigurations,
      "AuditNotificationTargetConfigurations" : AuditNotificationTargetConfigurations,
      "RoleArn" : String
    }
}



Properties

AccountId

The ID of the account. In YAML you can use the expression !Sub "${AWS::AccountId}" to substitute your account ID; the JSON equivalent is { "Fn::Sub": "${AWS::AccountId}" }. A bare "${AWS::AccountId}" string in JSON is not substituted.

Required: Yes

Type: String

Update requires: Replacement


AuditCheckConfigurations

Specifies which audit checks are enabled and disabled for this account.

Some data collection might start immediately when certain checks are enabled. When a check is disabled, any data collected so far in relation to the check is deleted. To disable a check, set the value of its Enabled key to false.

If an enabled check is removed from the template, it is disabled on the next stack update, with the same effect on collected data.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself before disabling the check.

For more information on the available audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.

Required: Yes

Type: AuditCheckConfigurations

Update requires: No interruption


AuditNotificationTargetConfigurations

Information about the targets to which audit notifications are sent. The configured target is an Amazon SNS topic (the Sns key), with its own RoleArn that AWS IoT assumes to publish to the topic.

Required: No

Type: AuditNotificationTargetConfigurations

Update requires: No interruption


RoleArn

The Amazon Resource Name (ARN) of the role that grants permission to AWS IoT to access information about your devices, policies, certificates, and other items as required when performing an audit. The role's trust policy must allow the iot.amazonaws.com service principal to assume it; the AWS managed policy AWSIoTDeviceDefenderAudit grants the read-only permissions an audit needs.

Required: Yes

Type: String

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the account ID.



Examples

The following templates enable all 14 audit checks explicitly and send audit notifications to an Amazon SNS topic.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Amazon Web Services IoT AccountAuditConfiguration Sample Template",
  "Resources": {
    "MyAccountAuditConfiguration": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": { "Fn::Sub": "${AWS::AccountId}" },
        "AuditCheckConfigurations": {
          "AuthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true },
          "CaCertificateExpiringCheck": { "Enabled": true },
          "CaCertificateKeyQualityCheck": { "Enabled": true },
          "ConflictingClientIdsCheck": { "Enabled": true },
          "DeviceCertificateExpiringCheck": { "Enabled": true },
          "DeviceCertificateKeyQualityCheck": { "Enabled": true },
          "DeviceCertificateSharedCheck": { "Enabled": true },
          "IotPolicyOverlyPermissiveCheck": { "Enabled": true },
          "IotRoleAliasAllowsAccessToUnusedServicesCheck": { "Enabled": true },
          "IotRoleAliasOverlyPermissiveCheck": { "Enabled": true },
          "LoggingDisabledCheck": { "Enabled": true },
          "RevokedCaCertificateStillActiveCheck": { "Enabled": true },
          "RevokedDeviceCertificateStillActiveCheck": { "Enabled": true },
          "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true }
        },
        "AuditNotificationTargetConfigurations": {
          "Sns": {
            "TargetArn": "arn:aws:sns:us-east-1:123456789012:AuditNotifications",
            "RoleArn": "arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications",
            "Enabled": true
          }
        },
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit"
      }
    }
  }
}


YAML

AWSTemplateFormatVersion: 2010-09-09
Description: Amazon Web Services IoT AccountAuditConfiguration Sample Template
Resources:
  MyAccountAuditConfiguration:
    Type: 'AWS::IoT::AccountAuditConfiguration'
    Properties:
      AccountId: !Sub '${AWS::AccountId}'
      AuditCheckConfigurations:
        AuthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: true
        CaCertificateExpiringCheck:
          Enabled: true
        CaCertificateKeyQualityCheck:
          Enabled: true
        ConflictingClientIdsCheck:
          Enabled: true
        DeviceCertificateExpiringCheck:
          Enabled: true
        DeviceCertificateKeyQualityCheck:
          Enabled: true
        DeviceCertificateSharedCheck:
          Enabled: true
        IotPolicyOverlyPermissiveCheck:
          Enabled: true
        IotRoleAliasAllowsAccessToUnusedServicesCheck:
          Enabled: true
        IotRoleAliasOverlyPermissiveCheck:
          Enabled: true
        LoggingDisabledCheck:
          Enabled: true
        RevokedCaCertificateStillActiveCheck:
          Enabled: true
        RevokedDeviceCertificateStillActiveCheck:
          Enabled: true
        UnauthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: true
      AuditNotificationTargetConfigurations:
        Sns:
          TargetArn: 'arn:aws:sns:us-east-1:123456789012:AuditNotifications'
          RoleArn: 'arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications'
          Enabled: true
      RoleArn: 'arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit'

See also

When you use CloudFormation to perform drift detection on an AccountAuditConfiguration, it does not compare values that aren't part of the stack template. Because specifying a configuration for every check is optional and omitted checks are treated as disabled, a check that someone enables outside CloudFormation (for example in the console) is never reported as drift if your template does not mention it. To get accurate drift detection, include a configuration (enabled or disabled) for all 14 audit checks in your template. For more information on the audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.

For more information, see Detecting unmanaged configuration changes to stacks and resources in the user guide.
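The two rules above (a check omitted from the template counts as disabled, and drift detection only compares what the template declares) are easy to enforce before a deployment. The following Python script is an added example, not code from the AWS documentation: it normalises the AuditCheckConfigurations of a parsed template so that every one of the 14 checks is declared explicitly, and compares the template against a DescribeAccountAuditConfiguration-shaped response to surface drift that CloudFormation would not report. The template and the live response are constructed inline; the list of check names is taken from the sample template on this page and assumed to be the full set, and a YAML template would have to be converted to JSON (or loaded with PyYAML) before being passed in.

```python
"""Lint an AWS::IoT::AccountAuditConfiguration for drift-detection completeness.

Added example, not AWS code. Assumptions: the 14 check names below are the full
set of audit checks, and the "live" configuration has the shape returned by
iot:DescribeAccountAuditConfiguration (lowercase keys, as boto3 returns them).
"""
import copy
import json

RESOURCE_TYPE = "AWS::IoT::AccountAuditConfiguration"

# The 14 audit checks named in the sample template on this page.
AUDIT_CHECKS = (
    "AuthenticatedCognitoRoleOverlyPermissiveCheck",
    "CaCertificateExpiringCheck",
    "CaCertificateKeyQualityCheck",
    "ConflictingClientIdsCheck",
    "DeviceCertificateExpiringCheck",
    "DeviceCertificateKeyQualityCheck",
    "DeviceCertificateSharedCheck",
    "IotPolicyOverlyPermissiveCheck",
    "IotRoleAliasAllowsAccessToUnusedServicesCheck",
    "IotRoleAliasOverlyPermissiveCheck",
    "LoggingDisabledCheck",
    "RevokedCaCertificateStillActiveCheck",
    "RevokedDeviceCertificateStillActiveCheck",
    "UnauthenticatedCognitoRoleOverlyPermissiveCheck",
)


def audit_resources(template: dict) -> dict:
    """Return {logical_id: Properties} for each AccountAuditConfiguration in a parsed template."""
    return {
        logical_id: res.get("Properties", {})
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == RESOURCE_TYPE
    }


def effective_checks(props: dict) -> dict:
    """Apply the documented rule: a check absent from the template is disabled."""
    declared = props.get("AuditCheckConfigurations", {})
    return {name: bool(declared.get(name, {}).get("Enabled", False)) for name in AUDIT_CHECKS}


def undeclared_checks(props: dict) -> list:
    """Checks the template does not mention; drift detection ignores these entirely."""
    declared = props.get("AuditCheckConfigurations", {})
    return [name for name in AUDIT_CHECKS if name not in declared]


def invisible_drift(props: dict, live: dict) -> dict:
    """Return {check: live_enabled} for undeclared checks whose live state differs
    from what the template implies. CloudFormation would not report these."""
    live_checks = live.get("auditCheckConfigurations", {})
    wanted = effective_checks(props)
    result = {}
    for name in undeclared_checks(props):
        live_enabled = bool(live_checks.get(name, {}).get("enabled", False))
        if live_enabled != wanted[name]:
            result[name] = live_enabled
    return result


def declare_all_checks(props: dict) -> dict:
    """Return a copy of the properties with every check declared explicitly,
    so that drift detection covers the whole configuration."""
    fixed = copy.deepcopy(props)
    checks = fixed.setdefault("AuditCheckConfigurations", {})
    for name, enabled in effective_checks(props).items():
        checks.setdefault(name, {"Enabled": enabled})
    return fixed


# Constructed sample template: only three checks declared.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "Audit": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": {"Fn::Sub": "${AWS::AccountId}"},
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit",
        "AuditCheckConfigurations": {
          "LoggingDisabledCheck": {"Enabled": true},
          "IotPolicyOverlyPermissiveCheck": {"Enabled": true},
          "CaCertificateExpiringCheck": {"Enabled": false}
        }
      }
    }
  }
}
""")

# Constructed stand-in for iot.describe_account_audit_configuration(): someone
# enabled DeviceCertificateSharedCheck outside CloudFormation.
SAMPLE_LIVE = {
    "roleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit",
    "auditCheckConfigurations": {
        "LoggingDisabledCheck": {"enabled": True},
        "IotPolicyOverlyPermissiveCheck": {"enabled": True},
        "CaCertificateExpiringCheck": {"enabled": False},
        "DeviceCertificateSharedCheck": {"enabled": True},
    },
}

if __name__ == "__main__":
    props = audit_resources(SAMPLE_TEMPLATE)["Audit"]
    print("undeclared checks:", undeclared_checks(props))
    print("drift CloudFormation would miss:", invisible_drift(props, SAMPLE_LIVE))
    print(json.dumps(declare_all_checks(props)["AuditCheckConfigurations"], indent=2))
```

Run against a real account, replace SAMPLE_LIVE with the result of boto3's iot client describe_account_audit_configuration(); the normalised properties from declare_all_checks can be written back into the template so the next deployment pins every check and disables the one that was switched on by hand.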