
AWS Config Custom Conformance Pack Keep Getting Error When Deploying


Hi all,

I am creating this custom conformance pack for my client to adhere to local regulatory requirements, but when I'm deploying the conformance pack I get an error saying "Template passed in the input parameter is invalid."

Below are the parameters I wrote and the rules.

Parameter for backup rules

  BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyUnit:
    Default: 'days'
    Type: String
  BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyValue:
    Default: '1'
    Type: String
  BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredRetentionDays:
    Default: '35'
    Type: String

The rule fields

  BackupPlanMinFrequencyAndMinRetentionCheck:
    Properties:
      ConfigRuleName: backup-plan-min-frequency-and-min-retention-check
      InputParameters:
        # Ref resolves the template parameter declared above; a bare name
        # would be passed to the managed rule as a literal string.
        requiredFrequencyUnit:
          Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyUnit
        requiredFrequencyValue:
          Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyValue
        requiredRetentionDays:
          Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredRetentionDays
      Scope:
        ComplianceResourceTypes:
          - AWS::Backup::BackupPlan
      Source:
        Owner: AWS
        SourceIdentifier: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
    Type: AWS::Config::ConfigRule

Parameter for iam password policy

  IamPasswordPolicyParamMaxPasswordAge:
    Default: '90'
    Type: String
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: String
  IamPasswordPolicyParamPasswordReusePrevention:
    Default: '24'
    Type: String
  IamPasswordPolicyParamRequireLowercaseCharacters:
    Default: 'true'
    Type: String
  IamPasswordPolicyParamRequireNumbers:
    Default: 'true'
    Type: String
  IamPasswordPolicyParamRequireSymbols:
    Default: 'true'
    Type: String
  IamPasswordPolicyParamRequireUppercaseCharacters:
    Default: 'true'
    Type: String

The rule fields

  IamPasswordPolicy:
    Properties:
      ConfigRuleName: iam-password-policy
      InputParameters:
        MaxPasswordAge:
          Ref: IamPasswordPolicyParamMaxPasswordAge
        MinimumPasswordLength:
          Ref: IamPasswordPolicyParamMinimumPasswordLength
        PasswordReusePrevention:
          Ref: IamPasswordPolicyParamPasswordReusePrevention
        RequireLowercaseCharacters:
          Ref: IamPasswordPolicyParamRequireLowercaseCharacters
        RequireNumbers:
          Ref: IamPasswordPolicyParamRequireNumbers
        RequireSymbols:
          Ref: IamPasswordPolicyParamRequireSymbols
        RequireUppercaseCharacters:
          Ref: IamPasswordPolicyParamRequireUppercaseCharacters
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule

Parameter for EC2 resources protected by backup plan

  Ec2ResourcesProtectedByBackupPlanParamBackupVaultLockCheck:
    Default: 'True'
    Type: String

The rule fields

  Ec2ResourcesProtectedByBackupPlan:
    Properties:
      ConfigRuleName: ec2-resources-protected-by-backup-plan
      InputParameters:
        backupVaultLockCheck:
          Ref: Ec2ResourcesProtectedByBackupPlanParamBackupVaultLockCheck
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN
    Type: AWS::Config::ConfigRule

Parameter for S3 resources protected by backup plan

  S3ResourcesProtectedByBackupPlanParamBackupVaultLockCheck:
    Default: 'True'
    Type: String

The rule fields

  S3ResourcesProtectedByBackupPlan:
    Properties:
      ConfigRuleName: s3-resources-protected-by-backup-plan
      InputParameters:
        backupVaultLockCheck:
          Ref: S3ResourcesProtectedByBackupPlanParamBackupVaultLockCheck
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN
    Type: AWS::Config::ConfigRule

Parameters for S3 account level public access blocks periodic

  S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls:
    Default: 'True'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy:
    Default: 'True'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls:
    Default: 'True'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets:
    Default: 'True'
    Type: String

The rule fields

  S3AccountLevelPublicAccessBlocksPeriodic:
    Properties:
      ConfigRuleName: s3-account-level-public-access-blocks-periodic
      InputParameters:
        BlockPublicAcls:
          Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
        BlockPublicPolicy:
          Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
        IgnorePublicAcls:
          Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
        RestrictPublicBuckets:
          Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
      Source:
        Owner: AWS
        SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
    Type: AWS::Config::ConfigRule

These are the only rules that need the parameters.

asked 2 years ago · 433 views
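For reference, this is what one of the rules in the question looks like as a complete, self-contained conformance pack template, using the Parameters / Resources / Conditions layout that AWS uses in its published sample conformance packs. It is an added example, not the asker's template: the condition names (backupPlanParam...) are my own, and the parameter defaults are the ones from the question.

```yaml
Parameters:
  BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyUnit:
    Default: 'days'
    Type: String
  BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyValue:
    Default: '1'
    Type: String
  BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredRetentionDays:
    Default: '35'
    Type: String
Resources:
  BackupPlanMinFrequencyAndMinRetentionCheck:
    Properties:
      ConfigRuleName: backup-plan-min-frequency-and-min-retention-check
      InputParameters:
        # Each input is a Ref to a declared parameter. The Fn::If drops the
        # input (AWS::NoValue) when the parameter is overridden with ''.
        requiredFrequencyUnit:
          Fn::If:
            - backupPlanParamRequiredFrequencyUnit
            - Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyUnit
            - Ref: AWS::NoValue
        requiredFrequencyValue:
          Fn::If:
            - backupPlanParamRequiredFrequencyValue
            - Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyValue
            - Ref: AWS::NoValue
        requiredRetentionDays:
          Fn::If:
            - backupPlanParamRequiredRetentionDays
            - Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredRetentionDays
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::Backup::BackupPlan
      Source:
        Owner: AWS
        SourceIdentifier: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
    Type: AWS::Config::ConfigRule
Conditions:
  backupPlanParamRequiredFrequencyUnit:
    Fn::Not:
      - Fn::Equals: ['', {Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyUnit}]
  backupPlanParamRequiredFrequencyValue:
    Fn::Not:
      - Fn::Equals: ['', {Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredFrequencyValue}]
  backupPlanParamRequiredRetentionDays:
    Fn::Not:
      - Fn::Equals: ['', {Ref: BackupPlanMinFrequencyAndMinRetentionCheckParamRequiredRetentionDays}]
```

Each condition is true only when its parameter is non-empty, so a rule input can be switched off per deployment without editing the template; every parameter key must appear exactly once under Parameters, since a duplicated key makes the YAML invalid before any rule is evaluated.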
1 Answer

Hi,

It is probably a simple syntax error in your CFN template.

So, I'd suggest that you run it through cfn-lint, which will check it. See https://github.com/aws-cloudformation/cfn-lint to get and install it.

Then, this article will show you how to use it.

Best,

Didier

answered 2 years ago
  • Hi, I'm not using a CloudFormation template. This is the conformance pack in .yaml format.
