account_audit_configurations
Creates, updates, deletes or gets an account_audit_configuration resource or lists account_audit_configurations in a region
Overview
| Property | Value |
|---|---|
| Name | account_audit_configurations |
| Type | Resource |
| Description | Configures the Device Defender audit settings for this account. Settings include how audit notifications are sent and which audit checks are enabled or disabled. |
| Id | awscc.iot.account_audit_configurations |
Fields
The resource exposes two field sets: get (all properties) and list (identifiers only).

get (all properties)

| Name | Datatype | Description |
|---|---|---|
| account_id | string | Your 12-digit account ID (used as the primary identifier for the CloudFormation resource). |
| audit_check_configurations | object | Specifies which audit checks are enabled and disabled for this account. |
| audit_notification_target_configurations | object | Information about the targets to which audit notifications are sent. |
| role_arn | string | The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit. |
| region | string | AWS region. |

list (identifiers only)

| Name | Datatype | Description |
|---|---|---|
| account_id | string | Your 12-digit account ID (used as the primary identifier for the CloudFormation resource). |
| region | string | AWS region. |
For more information, see AWS::IoT::AccountAuditConfiguration.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | account_audit_configurations | INSERT | AccountId, AuditCheckConfigurations, RoleArn, region |
| delete_resource | account_audit_configurations | DELETE | Identifier, region |
| update_resource | account_audit_configurations | UPDATE | Identifier, PatchDocument, region |
| list_resources | account_audit_configurations_list_only | SELECT | region |
| get_resource | account_audit_configurations | SELECT | Identifier, region |
SELECT examples
Gets all properties from an individual account_audit_configuration.

```sql
SELECT
region,
account_id,
audit_check_configurations,
audit_notification_target_configurations,
role_arn
FROM awscc.iot.account_audit_configurations
WHERE
region = 'us-east-1' AND
Identifier = '{{ account_id }}';
```

Lists all account_audit_configurations in a region.

```sql
SELECT
region,
account_id
FROM awscc.iot.account_audit_configurations_list_only
WHERE
region = 'us-east-1';
```
INSERT example
Use the following StackQL query and manifest file to create a new account_audit_configuration resource, using stack-deploy.
Required properties:

```sql
/*+ create */
INSERT INTO awscc.iot.account_audit_configurations (
AccountId,
AuditCheckConfigurations,
RoleArn,
region
)
SELECT
'{{ account_id }}',
'{{ audit_check_configurations }}',
'{{ role_arn }}',
'{{ region }}';
```

All properties:

```sql
/*+ create */
INSERT INTO awscc.iot.account_audit_configurations (
AccountId,
AuditCheckConfigurations,
AuditNotificationTargetConfigurations,
RoleArn,
region
)
SELECT
'{{ account_id }}',
'{{ audit_check_configurations }}',
'{{ audit_notification_target_configurations }}',
'{{ role_arn }}',
'{{ region }}';
```

Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: account_audit_configuration
    props:
      - name: account_id
        value: '{{ account_id }}'
      - name: audit_check_configurations
        value:
          authenticated_cognito_role_overly_permissive_check:
            enabled: '{{ enabled }}'
          ca_certificate_expiring_check: null
          ca_certificate_key_quality_check: null
          conflicting_client_ids_check: null
          device_certificate_expiring_check:
            enabled: '{{ enabled }}'
            configuration:
              cert_expiration_threshold_in_days: '{{ cert_expiration_threshold_in_days }}'
          device_certificate_key_quality_check: null
          device_certificate_shared_check: null
          iot_policy_overly_permissive_check: null
          iot_role_alias_allows_access_to_unused_services_check: null
          iot_role_alias_overly_permissive_check: null
          logging_disabled_check: null
          revoked_ca_certificate_still_active_check: null
          revoked_device_certificate_still_active_check: null
          unauthenticated_cognito_role_overly_permissive_check: null
          intermediate_ca_revoked_for_active_device_certificates_check: null
          io_tpolicy_potential_mis_configuration_check: null
          device_certificate_age_check:
            enabled: '{{ enabled }}'
            configuration:
              cert_age_threshold_in_days: null
      - name: audit_notification_target_configurations
        value:
          sns:
            target_arn: '{{ target_arn }}'
            role_arn: '{{ role_arn }}'
            enabled: '{{ enabled }}'
      - name: role_arn
        value: '{{ role_arn }}'
```
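The templates above leave the JSON shape of the two object properties open. The following is an added example, not from the StackQL documentation, that fills them in to enable a baseline set of Device Defender audit checks and deliver findings to an SNS topic; the JSON keys follow the CloudFormation AWS::IoT::AccountAuditConfiguration schema, and the account ID, role ARNs and topic ARN are constructed placeholders.

```sql
/*+ create */
-- Added example: account-wide audit baseline (constructed values throughout).
INSERT INTO awscc.iot.account_audit_configurations (
AccountId,
AuditCheckConfigurations,
AuditNotificationTargetConfigurations,
RoleArn,
region
)
SELECT
'123456789012',
-- Enable the checks that flag the most common misconfigurations:
-- logging off, over-broad IoT policies, one certificate shared by
-- several things, revoked certificates still in use, and
-- certificates expiring within 30 days (threshold is a string).
'{
  "LoggingDisabledCheck": { "Enabled": true },
  "IotPolicyOverlyPermissiveCheck": { "Enabled": true },
  "DeviceCertificateSharedCheck": { "Enabled": true },
  "RevokedDeviceCertificateStillActiveCheck": { "Enabled": true },
  "DeviceCertificateExpiringCheck": {
    "Enabled": true,
    "Configuration": { "CertExpirationThresholdInDays": "30" }
  }
}',
-- Send each audit result to SNS so findings can be triaged outside the console.
'{
  "Sns": {
    "TargetArn": "arn:aws:sns:us-east-1:123456789012:iot-audit-findings",
    "RoleArn": "arn:aws:iam::123456789012:role/IoTAuditNotificationRole",
    "Enabled": true
  }
}',
-- Role that AWS IoT assumes to read devices, policies and certificates during the audit.
'arn:aws:iam::123456789012:role/AWSIoTDeviceDefenderAuditRole',
'us-east-1';
```

Both roles must trust iot.amazonaws.com, and because the statement passes them to the service the caller needs iam:PassRole alongside iot:UpdateAccountAuditConfiguration (see Permissions below).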
UPDATE example
Use the following StackQL query and manifest file to update an account_audit_configuration resource, using stack-deploy.

```sql
/*+ update */
UPDATE awscc.iot.account_audit_configurations
SET PatchDocument = string('{{ {
"AuditCheckConfigurations": audit_check_configurations,
"AuditNotificationTargetConfigurations": audit_notification_target_configurations,
"RoleArn": role_arn
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ account_id }}';
```
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.iot.account_audit_configurations
WHERE
Identifier = '{{ account_id }}' AND
region = 'us-east-1';
```
Permissions
To operate on the account_audit_configurations resource, the following permissions are required:
| Operation | Permissions |
|---|---|
| Create | iot:UpdateAccountAuditConfiguration, iot:DescribeAccountAuditConfiguration, iam:PassRole |
| Read | iot:DescribeAccountAuditConfiguration |
| Update | iot:UpdateAccountAuditConfiguration, iot:DescribeAccountAuditConfiguration, iam:PassRole |
| Delete | iot:DescribeAccountAuditConfiguration, iot:DeleteAccountAuditConfiguration |
| List | iot:DescribeAccountAuditConfiguration |