#!/bin/bash

# A script to enable AWS Config, including necessary prerequisites,
# and then clean up all resources using AWS CLI.

# --- Configuration ---
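set -euo pipefail

# --- Configuration ---
# REGION may be overridden from the environment; everything else is derived.
REGION="${AWS_REGION:-us-east-1}"
# 8 lowercase hex characters: always valid in a bucket name, fixed length, and
# read with a bounded -N so no stage of the pipeline dies of SIGPIPE under
# pipefail (the old `head /dev/urandom | tr | head -c` did exactly that).
RANDOM_SUFFIX=$(od -An -N4 -tx4 /dev/urandom | tr -d ' \n')
CONFIG_BUCKET_NAME="my-cli-config-bucket-${RANDOM_SUFFIX}"
CONFIG_RECORDER_NAME="default"             # Default recorder name
CONFIG_DELIVERY_CHANNEL_NAME="default"     # Default delivery channel name
CONFIG_S3_KEY_PREFIX="config"              # s3KeyPrefix of the delivery channel
IAM_ROLE_NAME="MyCLIConfigRole"
CONFIG_MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/AWSConfigRole"
readonly REGION RANDOM_SUFFIX CONFIG_BUCKET_NAME CONFIG_RECORDER_NAME \
  CONFIG_DELIVERY_CHANNEL_NAME CONFIG_S3_KEY_PREFIX IAM_ROLE_NAME \
  CONFIG_MANAGED_POLICY_ARN

# Filled in at run time.
ACCOUNT_ID=""        # account the CLI credentials belong to
CONFIG_ROLE_ARN=""   # ARN returned by iam create-role

# --- Helpers ---
die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }
section() { printf '\n--- %s ---\n' "$*"; }

#######################################
# Run one teardown command; print $1 on success, warn (do not abort) on failure.
# Arguments: $1 - success message; $2.. - command and its arguments
#######################################
run_cleanup_step() {
  local ok_msg=$1
  shift
  if "$@"; then
    echo "$ok_msg"
  else
    warn "step failed, continuing: $*"
  fi
}

#######################################
# Create the S3 bucket Config delivers to, block public access on it, and
# attach the bucket policy AWS Config needs (GetBucketAcl, ListBucket,
# PutObject), scoped to this account so another account's Config service
# cannot be pointed at the bucket.
# Globals:  REGION, CONFIG_BUCKET_NAME, CONFIG_S3_KEY_PREFIX, ACCOUNT_ID (read)
# Returns:  0 on success; exits via set -e on any failed CLI call
#######################################
create_bucket() {
  local -a create_args=(--bucket "$CONFIG_BUCKET_NAME" --region "$REGION")
  # Only us-east-1 accepts create-bucket without a LocationConstraint.
  if [[ "$REGION" != "us-east-1" ]]; then
    create_args+=(--create-bucket-configuration "LocationConstraint=${REGION}")
  fi

  section "Creating S3 Bucket for Config Recordings: $CONFIG_BUCKET_NAME"
  aws s3api create-bucket "${create_args[@]}"

  # Config history is an inventory of the account's resources; never let the
  # bucket or its objects become public.
  aws s3api put-public-access-block \
    --bucket "$CONFIG_BUCKET_NAME" \
    --region "$REGION" \
    --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

  # put-delivery-channel is rejected unless the Config service can check the
  # bucket and write under <prefix>/AWSLogs/<account>/Config/. The
  # AWS:SourceAccount condition and the bucket-owner-full-control ACL
  # requirement follow the AWS Config bucket-policy guidance. ACCOUNT_ID comes
  # from STS and CONFIG_BUCKET_NAME is built from hex, so the interpolation
  # below cannot break the JSON.
  local bucket_policy
  bucket_policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${CONFIG_BUCKET_NAME}",
      "Condition": { "StringEquals": { "AWS:SourceAccount": "${ACCOUNT_ID}" } }
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${CONFIG_BUCKET_NAME}",
      "Condition": { "StringEquals": { "AWS:SourceAccount": "${ACCOUNT_ID}" } }
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${CONFIG_BUCKET_NAME}/${CONFIG_S3_KEY_PREFIX}/AWSLogs/${ACCOUNT_ID}/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "AWS:SourceAccount": "${ACCOUNT_ID}"
        }
      }
    }
  ]
}
EOF
  )
  aws s3api put-bucket-policy \
    --bucket "$CONFIG_BUCKET_NAME" \
    --region "$REGION" \
    --policy "$bucket_policy"

  echo "S3 Bucket created."
}

#######################################
# Create the IAM role AWS Config assumes and attach the managed policy.
# Globals:  IAM_ROLE_NAME, CONFIG_MANAGED_POLICY_ARN, ACCOUNT_ID (read);
#           CONFIG_ROLE_ARN (written)
# Returns:  0 on success; exits on a failed CLI call or an empty ARN
#######################################
create_role() {
  section "Creating IAM Role: $IAM_ROLE_NAME"

  # aws:SourceAccount stops config.amazonaws.com from assuming this role on
  # behalf of some other account (confused-deputy guard).
  local trust_policy
  trust_policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "${ACCOUNT_ID}" } }
    }
  ]
}
EOF
  )
  CONFIG_ROLE_ARN=$(aws iam create-role \
    --role-name "$IAM_ROLE_NAME" \
    --assume-role-policy-document "$trust_policy" \
    --query 'Role.Arn' --output text)
  [[ -n "$CONFIG_ROLE_ARN" && "$CONFIG_ROLE_ARN" != "None" ]] \
    || die "create-role returned no ARN for role '$IAM_ROLE_NAME'"

  # Attach managed policy for AWS Config (IAM is global; no --region needed).
  aws iam attach-role-policy \
    --role-name "$IAM_ROLE_NAME" \
    --policy-arn "$CONFIG_MANAGED_POLICY_ARN"

  echo "IAM Role created with ARN: $CONFIG_ROLE_ARN"
  echo "Waiting for IAM role to propagate..."
  # IAM is eventually consistent; put-configuration-recorder validates the
  # role at call time and fails if it has not propagated yet.
  sleep 10
}

#######################################
# Create the configuration recorder and delivery channel, then start recording.
# Globals:  REGION, CONFIG_RECORDER_NAME, CONFIG_DELIVERY_CHANNEL_NAME,
#           CONFIG_BUCKET_NAME, CONFIG_S3_KEY_PREFIX, CONFIG_ROLE_ARN (read)
# Returns:  0 on success; exits via set -e on any failed CLI call
#######################################
enable_config() {
  section "Creating Configuration Recorder: $CONFIG_RECORDER_NAME"
  aws configservice put-configuration-recorder \
    --configuration-recorder "name=${CONFIG_RECORDER_NAME},roleARN=${CONFIG_ROLE_ARN}" \
    --region "$REGION"
  echo "Configuration Recorder created."

  section "Creating Delivery Channel: $CONFIG_DELIVERY_CHANNEL_NAME"
  aws configservice put-delivery-channel \
    --delivery-channel "name=${CONFIG_DELIVERY_CHANNEL_NAME},s3BucketName=${CONFIG_BUCKET_NAME},s3KeyPrefix=${CONFIG_S3_KEY_PREFIX}" \
    --region "$REGION"
  echo "Delivery Channel created."

  section "Starting Configuration Recorder"
  aws configservice start-configuration-recorder \
    --configuration-recorder-name "$CONFIG_RECORDER_NAME" \
    --region "$REGION"
  echo "Configuration Recorder started."
}

#######################################
# Best-effort teardown, registered on EXIT so a failure halfway through setup
# does not leave a recorder, role or bucket behind. Steps keep the original
# order (the channel cannot be deleted while the recorder runs; the role
# cannot be deleted while a policy is attached) and warn rather than abort,
# since a resource may never have been created.
# Globals:  all CONFIG_*/IAM_* names and REGION (read)
#######################################
cleanup() {
  trap - EXIT
  section "Cleaning up resources"

  echo "Stopping Configuration Recorder '$CONFIG_RECORDER_NAME'..."
  run_cleanup_step "Configuration Recorder stopped." \
    aws configservice stop-configuration-recorder \
    --configuration-recorder-name "$CONFIG_RECORDER_NAME" \
    --region "$REGION"

  echo "Deleting Delivery Channel '$CONFIG_DELIVERY_CHANNEL_NAME'..."
  run_cleanup_step "Delivery Channel deleted." \
    aws configservice delete-delivery-channel \
    --delivery-channel-name "$CONFIG_DELIVERY_CHANNEL_NAME" \
    --region "$REGION"

  echo "Deleting Configuration Recorder '$CONFIG_RECORDER_NAME'..."
  run_cleanup_step "Configuration Recorder deleted." \
    aws configservice delete-configuration-recorder \
    --configuration-recorder-name "$CONFIG_RECORDER_NAME" \
    --region "$REGION"

  echo "Detaching policy from IAM Role '$IAM_ROLE_NAME'..."
  run_cleanup_step "Policy detached." \
    aws iam detach-role-policy \
    --role-name "$IAM_ROLE_NAME" \
    --policy-arn "$CONFIG_MANAGED_POLICY_ARN"

  echo "Deleting IAM Role '$IAM_ROLE_NAME'..."
  run_cleanup_step "IAM Role deleted." \
    aws iam delete-role \
    --role-name "$IAM_ROLE_NAME"

  # --force removes every object (the recorded configuration history) first.
  echo "Deleting S3 Bucket '$CONFIG_BUCKET_NAME'..."
  run_cleanup_step "S3 Bucket deleted." \
    aws s3 rb "s3://${CONFIG_BUCKET_NAME}" --force --region "$REGION"

  section "AWS Config demonstration and cleanup complete"
}

#######################################
# Entry point: preflight checks, set up Config, wait for Enter, then exit
# (which triggers cleanup through the EXIT trap).
#######################################
main() {
  command -v aws >/dev/null || die "aws CLI not found in PATH"
  (( ${#RANDOM_SUFFIX} == 8 )) || die "could not generate a random bucket suffix"

  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) \
    || die "unable to determine the AWS account id (are credentials configured?)"
  [[ "$ACCOUNT_ID" =~ ^[0-9]{12}$ ]] \
    || die "unexpected account id from sts get-caller-identity: '$ACCOUNT_ID'"

  # From here on every exit path runs cleanup: normal completion, a failed
  # command under set -e, or SIGINT/SIGTERM (converted to exit so the EXIT
  # trap fires).
  trap cleanup EXIT
  trap 'exit 130' INT TERM

  create_bucket
  create_role
  enable_config

  section "AWS Config Enabled Successfully!"
  echo "Configuration Recorder: $CONFIG_RECORDER_NAME"
  echo "Configured to deliver to S3 bucket: $CONFIG_BUCKET_NAME"

  # A non-interactive run (stdin at EOF) falls straight through to cleanup.
  read -r -p "Press Enter to stop the recorder and clean up resources..." _ || true
  echo
}

main "$@"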
