# Example AWS Config conformance pack: detect + auto-remediate S3 public access.
# Conformance packs are immutable YAML bundles of Config rules (+ optional
# remediation) deployed per account/Region or org-wide via Systems Manager
# Quick Setup or StackSets. This is a MINIMAL teaching example: start
# detect-only, confirm the findings, THEN enable the RemediationConfiguration block.
# Requires AWS Config recording enabled. Test in a non-prod account first.
# Verify managed-rule identifiers and the SSM document in your Region's docs.

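Resources:
  # --- DETECT: flag S3 buckets that allow public read/write ---
  # Both rules are AWS managed rules; they only evaluate, never change, the
  # bucket. Deploy this section on its own first and review the findings.
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  # Detect-only on purpose: no RemediationConfiguration is attached to the
  # write rule in this example. Add one deliberately, with the same controls
  # as the read remediation below, once the read path has been proven out.
  S3BucketPublicWriteProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-write-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED

  # --- REMEDIATE (reversible): set the bucket ACL to private ---
  # Enable this only after you have reviewed detect-only findings.
  # What this actually does: AWS-DisableS3BucketPublicReadWrite removes public
  # read/write by applying a private ACL to the bucket (per the document's own
  # description - confirm against the document content in your Region). It does
  # NOT enable S3 Block Public Access and does NOT touch a bucket policy that
  # grants public access, so a bucket that is public through its policy stays
  # non-compliant after this runs and simply burns through the retry budget.
  # Idempotency: auto-remediation can fire again on a bucket that is already
  # compliant, which is harmless here because re-applying a private ACL is a
  # no-op; keep that property if you swap in another document.
  S3PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3BucketPublicReadProhibited
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      ResourceType: AWS::S3::Bucket
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      # Bound the retry loop: 3 attempts, 60 s apart, then the resource is left
      # non-compliant for a human to look at (required when Automatic is true).
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      # Blast-radius controls for automatic remediation: limit how many buckets
      # are remediated concurrently and stop the run if too many executions
      # fail (e.g. a bad role ARN or a policy-public bucket). Without these a
      # mis-scoped rule can rewrite ACLs across every bucket in the account at
      # once. Both values are percentages (1-100); start low and raise later.
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Parameters:
        # Role assumed by SSM Automation. Replace ACCOUNT with the target
        # account id. Trust policy must allow the SSM service to assume it;
        # permissions should be limited to what the document's steps call
        # (the ACL write on S3 buckets - confirm from the document content),
        # not a broad S3 or admin policy.
        AutomationAssumeRole:
          StaticValue:
            Values:
              - "arn:aws:iam::ACCOUNT:role/config-remediation-role"
        # Passed through from the non-compliant resource: the bucket name.
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID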
