Turbot Guardrails Hub 
Hub
Mods
AWS
171
Mods
429
Resource Types
6,702
Policies
2,320
Controls
1,637
Quick Actions
524
IAM

Policy: AWS > Config > Configuration Recording > Configuration Recorder > Role

The ARN of the IAM role that AWS Config will assume. The default will use the role created in AWS > Guardrails > Service Roles > AWS Config. If you choose to use a different role, note that it: - must allow the config service to assume the role in its trust policy - requires PutObject, GetBucketAcl on the bucket - requires publish on the SNS topic - Needs describe/get/list access to any resources types being recorded

Resource Types

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

Controls

Policy Specification

Schema Type
string
Default template
arn:{{ $.region.turbot.custom.aws.partition }}:iam::{{ $.region.turbot.custom.aws.accountId }}:role{{ $.rolePath }}{{ $.roleName }}
Default template input
- |
  {
    account {
      turbot {
        id
      }
    }
    region {
      turbot {
        custom {
          aws {
            accountId
          }
        }
      }
    }
  }
- |
  {
    roleName: policy(uri:"aws#/policy/types/serviceRolesConfigurationRecordingName", resourceId: "{{ $.account.turbot.id }}")
    rolePath: policy(uri:"aws#/policy/types/serviceRolesNamePath", resourceId: "{{ $.account.turbot.id }}")
    region {
      turbot {
        custom {
          aws {
            accountId
            partition
          }
        }
      }
    }
  }
Examples [YAML]
arn:aws:iam::123456789012:role/config-ConfigRole-A1B2C3D4E5F6

Category

In Your Workspace

Developers