AWS::IoT::AccountAuditConfiguration
Use the AWS::IoT::AccountAuditConfiguration resource to configure or reconfigure the Device Defender audit settings for your account. Settings include how audit notifications are sent and which audit checks are enabled or disabled. For the API reference, see UpdateAccountAuditConfiguration; for detailed information on all available audit checks, see Audit checks.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::IoT::AccountAuditConfiguration",
  "Properties" : {
    "AccountId" : String,
    "AuditCheckConfigurations" : AuditCheckConfigurations,
    "AuditNotificationTargetConfigurations" : AuditNotificationTargetConfigurations,
    "RoleArn" : String
  }
}
YAML
Type: AWS::IoT::AccountAuditConfiguration
Properties:
  AccountId: String
  AuditCheckConfigurations: AuditCheckConfigurations
  AuditNotificationTargetConfigurations: AuditNotificationTargetConfigurations
  RoleArn: String
Properties
AccountId
  The ID of the account. You can use the expression !Sub "${AWS::AccountId}" in YAML, or { "Fn::Sub": "${AWS::AccountId}" } in JSON, to use your account ID. A bare "${AWS::AccountId}" string in JSON is not substituted and fails the 12-character constraint.
  Required: Yes
  Type: String
  Minimum: 12
  Maximum: 12
  Update requires: Replacement
AuditCheckConfigurations
  Specifies which audit checks are enabled and disabled for this account.
  Some data collection might start immediately when certain checks are enabled. When a check is disabled, any data collected so far in relation to the check is deleted. To disable a check, set the value of its Enabled key to false. If an enabled check is removed from the template, it is also disabled.
  You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit, or delete the scheduled audit itself, to disable the check.
  For more information on available audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.
  Required: Yes
  Type: AuditCheckConfigurations
  Update requires: No interruption
AuditNotificationTargetConfigurations
  Information about the targets to which audit notifications are sent.
  Required: No
  Type: AuditNotificationTargetConfigurations
  Update requires: No interruption
RoleArn
  The Amazon Resource Name (ARN) of the role that grants permission to AWS IoT to access information about your devices, policies, certificates, and other items as required when performing an audit.
  Required: Yes
  Type: String
  Minimum: 20
  Maximum: 2048
  Update requires: No interruption
Return values
Ref
  When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the account ID.
Examples
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Amazon Web Services IoT AccountAuditConfiguration Sample Template",
  "Resources": {
    "MyAccountAuditConfiguration": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": { "Fn::Sub": "${AWS::AccountId}" },
        "AuditCheckConfigurations": {
          "AuthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true },
          "CaCertificateExpiringCheck": { "Enabled": true },
          "CaCertificateKeyQualityCheck": { "Enabled": true },
          "ConflictingClientIdsCheck": { "Enabled": true },
          "DeviceCertificateExpiringCheck": { "Enabled": true },
          "DeviceCertificateKeyQualityCheck": { "Enabled": true },
          "DeviceCertificateSharedCheck": { "Enabled": true },
          "IotPolicyOverlyPermissiveCheck": { "Enabled": true },
          "IotRoleAliasAllowsAccessToUnusedServicesCheck": { "Enabled": true },
          "IotRoleAliasOverlyPermissiveCheck": { "Enabled": true },
          "LoggingDisabledCheck": { "Enabled": true },
          "RevokedCaCertificateStillActiveCheck": { "Enabled": true },
          "RevokedDeviceCertificateStillActiveCheck": { "Enabled": true },
          "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true }
        },
        "AuditNotificationTargetConfigurations": {
          "Sns": {
            "TargetArn": "arn:aws:sns:us-east-1:123456789012:AuditNotifications",
            "RoleArn": "arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications",
            "Enabled": true
          }
        },
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit"
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Amazon Web Services IoT AccountAuditConfiguration Sample Template
Resources:
  MyAccountAuditConfiguration:
    Type: 'AWS::IoT::AccountAuditConfiguration'
    Properties:
      AccountId: !Sub '${AWS::AccountId}'
      AuditCheckConfigurations:
        AuthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: true
        CaCertificateExpiringCheck:
          Enabled: true
        CaCertificateKeyQualityCheck:
          Enabled: true
        ConflictingClientIdsCheck:
          Enabled: true
        DeviceCertificateExpiringCheck:
          Enabled: true
        DeviceCertificateKeyQualityCheck:
          Enabled: true
        DeviceCertificateSharedCheck:
          Enabled: true
        IotPolicyOverlyPermissiveCheck:
          Enabled: true
        IotRoleAliasAllowsAccessToUnusedServicesCheck:
          Enabled: true
        IotRoleAliasOverlyPermissiveCheck:
          Enabled: true
        LoggingDisabledCheck:
          Enabled: true
        RevokedCaCertificateStillActiveCheck:
          Enabled: true
        RevokedDeviceCertificateStillActiveCheck:
          Enabled: true
        UnauthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: true
      AuditNotificationTargetConfigurations:
        Sns:
          TargetArn: 'arn:aws:sns:us-east-1:123456789012:AuditNotifications'
          RoleArn: 'arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications'
          Enabled: true
      RoleArn: 'arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit'
See also
When you use CloudFormation to perform drift detection for AccountAuditConfiguration, it won't compare values that aren't part of the stack template. In AccountAuditConfiguration, specifying a configuration for every check is optional, and skipped checks are interpreted as disabled. A check that someone later enables outside the stack (for example, from the console) is therefore never reported as drift unless the template names it. To have accurate drift detection with CloudFormation, include configurations (enabled or disabled) for all 14 audit checks in your template. For more information on the audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.
For more information, see Detecting unmanaged configuration changes to stacks and resources in the AWS CloudFormation User Guide.
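The following script is an added example, not code from the AWS documentation. It illustrates the two points made above (the AuditCheckConfigurations enable/disable semantics and the drift-detection gap) by linting a template before deployment: it flags checks omitted from the template (which the service treats as disabled and CloudFormation drift detection never compares), typos in check names, the AccountId literal-string mistake in JSON, and then diffs the template against an `auditCheckConfigurations` map of the shape returned by boto3's `iot.describe_account_audit_configuration()`. The template and the "live" response are constructed inline and are hypothetical, so the script runs offline; `lint_audit_configuration`, `diff_against_live`, `lint_sample` and `drift_sample` are names chosen for this example.

```python
"""Pre-deployment lint for AWS::IoT::AccountAuditConfiguration (added example, stdlib only)."""
import json
import re

# The 14 audit checks documented on this page. A check absent from the template is
# treated as disabled by the service and is ignored by CloudFormation drift detection.
ALL_AUDIT_CHECKS = frozenset({
    "AuthenticatedCognitoRoleOverlyPermissiveCheck", "CaCertificateExpiringCheck",
    "CaCertificateKeyQualityCheck", "ConflictingClientIdsCheck",
    "DeviceCertificateExpiringCheck", "DeviceCertificateKeyQualityCheck",
    "DeviceCertificateSharedCheck", "IotPolicyOverlyPermissiveCheck",
    "IotRoleAliasAllowsAccessToUnusedServicesCheck", "IotRoleAliasOverlyPermissiveCheck",
    "LoggingDisabledCheck", "RevokedCaCertificateStillActiveCheck",
    "RevokedDeviceCertificateStillActiveCheck", "UnauthenticatedCognitoRoleOverlyPermissiveCheck",
})
RESOURCE_TYPE = "AWS::IoT::AccountAuditConfiguration"


def lint_audit_configuration(template: dict) -> dict:
    """Return {logical_id: findings} for every AccountAuditConfiguration resource."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        props = res.get("Properties", {})
        problems = []
        account_id = props.get("AccountId")
        # In JSON a bare "${AWS::AccountId}" string is not substituted: it is sent as a
        # 16-character literal and violates the 12-character constraint. A dict such as
        # {"Fn::Sub": ...} is an intrinsic and is left for CloudFormation to resolve.
        if isinstance(account_id, str) and not re.fullmatch(r"\d{12}", account_id):
            problems.append(f"AccountId {account_id!r} is not a 12-digit account ID; "
                            'use {"Fn::Sub": "${AWS::AccountId}"} (JSON) or !Sub (YAML)')
        role_arn = props.get("RoleArn")
        if isinstance(role_arn, str) and not (role_arn.startswith("arn:")
                                              and 20 <= len(role_arn) <= 2048):
            problems.append(f"RoleArn {role_arn!r} is not a plausible IAM role ARN")
        checks = props.get("AuditCheckConfigurations", {})
        findings[logical_id] = {
            "missing": sorted(ALL_AUDIT_CHECKS - set(checks)),   # silently disabled, invisible to drift
            "unknown": sorted(set(checks) - ALL_AUDIT_CHECKS),   # a misspelled check enables nothing
            "disabled": sorted(n for n, c in checks.items() if not c.get("Enabled", False)),
            "problems": problems,
        }
    return findings


def diff_against_live(template_checks: dict, live_checks: dict) -> dict:
    """Compare template AuditCheckConfigurations with the auditCheckConfigurations map
    returned by DescribeAccountAuditConfiguration (boto3: iot_client
    .describe_account_audit_configuration()["auditCheckConfigurations"]).
    Checks missing from the template count as disabled, mirroring the service."""
    drift = {}
    for name in sorted(ALL_AUDIT_CHECKS):
        wanted = bool(template_checks.get(name, {}).get("Enabled", False))
        actual = bool(live_checks.get(name, {}).get("enabled", False))
        if wanted != actual:
            drift[name] = {"template": wanted, "live": actual}
    return drift


# Constructed, hypothetical template: it repeats the JSON AccountId mistake, disables
# DeviceCertificateSharedCheck and omits LoggingDisabledCheck entirely.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyAccountAuditConfiguration": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": "${AWS::AccountId}",
        "AuditCheckConfigurations": {},
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit"
      }
    }
  }
}
""")
_SAMPLE_CHECKS = SAMPLE_TEMPLATE["Resources"]["MyAccountAuditConfiguration"]["Properties"]["AuditCheckConfigurations"]
for _name in ALL_AUDIT_CHECKS - {"LoggingDisabledCheck"}:
    _SAMPLE_CHECKS[_name] = {"Enabled": _name != "DeviceCertificateSharedCheck"}

# Constructed stand-in for the describe_account_audit_configuration() response: someone
# enabled LoggingDisabledCheck in the console, so the account no longer matches the stack.
SAMPLE_LIVE_CHECKS = {n: {"enabled": n != "DeviceCertificateSharedCheck"} for n in ALL_AUDIT_CHECKS}


def lint_sample() -> dict:
    return lint_audit_configuration(SAMPLE_TEMPLATE)["MyAccountAuditConfiguration"]


def drift_sample() -> dict:
    return diff_against_live(_SAMPLE_CHECKS, SAMPLE_LIVE_CHECKS)


if __name__ == "__main__":
    print(json.dumps({"lint": lint_sample(), "drift": drift_sample()}, indent=2))
```

Run against the constructed template, the lint reports LoggingDisabledCheck as missing and the AccountId string as a problem, and the diff reports LoggingDisabledCheck as enabled in the account but disabled (absent) in the template, which is exactly the change CloudFormation drift detection would not surface. To use it for real, replace `SAMPLE_LIVE_CHECKS` with the `auditCheckConfigurations` value from a boto3 `describe_account_audit_configuration()` call.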