From 39c791efc130a956d61dcb89a1da47bdf52d3da1 Mon Sep 17 00:00:00 2001
From: Javi Meneses
Date: Fri, 25 Jul 2025 13:37:42 +0200
Subject: [PATCH 1/2] Add support per-account exclusions for Config Recorder via environment parameters

---
 ct_configrecorder_override_consumer.py | 12 ++++++++++--
 template.yaml | 12 ++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/ct_configrecorder_override_consumer.py b/ct_configrecorder_override_consumer.py
index 7e99f8b..554b912 100644
--- a/ct_configrecorder_override_consumer.py
+++ b/ct_configrecorder_override_consumer.py
@@ -102,8 +102,16 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
 CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST')
- CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING.split(
- ',') if CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING != '' else []
+ CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING.split(',') if CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING else []
+
+ SPECIAL_EXCLUDED_ACCOUNTS_STRING = os.getenv('CONFIG_RECORDER_SPECIAL_EXCLUDED_ACCOUNTS', '')
+ SPECIAL_EXCLUDED_ACCOUNTS = [x.strip() for x in SPECIAL_EXCLUDED_ACCOUNTS_STRING.split(',') if x.strip()]
+
+ SPECIAL_EXCLUSION_RESOURCE_LIST = os.getenv('CONFIG_RECORDER_OVERRIDE_SPECIAL_EXCLUDED_RESOURCE_LIST')
+
+ if account_id in SPECIAL_EXCLUDED_ACCOUNTS:
+ CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = SPECIAL_EXCLUSION_RESOURCE_LIST
+
 CONFIG_RECORDER_DEFAULT_RECORDING_FREQUENCY = os.getenv('CONFIG_RECORDER_DEFAULT_RECORDING_FREQUENCY')
 #remove any resource type from daily list that are in exclision list
diff --git a/template.yaml b/template.yaml
index 7a257f6..bef014a 100644
--- a/template.yaml
+++ b/template.yaml
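Review bot: In the new `if account_id in SPECIAL_EXCLUDED_ACCOUNTS:` branch the special list replaces CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST outright, so a listed account loses every exclusion from CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST, and a listed account whose special variable is set but empty ends up with no exclusions at all (after the follow-up patch it becomes `[]`). If the intent is additional exclusions for those accounts, merge instead of overwrite, `CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = list(dict.fromkeys(CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST + SPECIAL_EXCLUSION_RESOURCE_LIST))`, and in either case put a comment above the `if` stating which semantics were chosen. Because this branch narrows what AWS Config records for an account, it should also leave an audit trail: a log line naming the account and the exclusion list applied, emitted where the override is taken, using whatever logger the module already has. The membership test assumes `account_id` is a string; if the event delivers it as an int it never matches, so presumably it is normalised upstream — worth confirming. The enclosing function starts and ends outside this hunk.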
@@ -32,6 +32,16 @@ Parameters:
 - CONTINUOUS
 - DAILY
+ ConfigRecorderSpecialExcludedAccounts:
+ Description: Comma-separated list of accounts to apply special exclusions
+ Default: "111111111111,222222222222,333333333333,444444444444,555555555555"
+ Type: String
+
+ ConfigRecorderOverrideSpecialExcludedResourceList:
+ Description: Comma-separated list of resource types to exclude for the special accounts
+ Default: "AWS::EC2::Volume,AWS::EC2::NetworkInterface"
+ Type: String
+
 CloudFormationVersion:
 Type: String
 Default: 1
@@ -118,6 +128,8 @@ Resources:
 CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST: !Ref ConfigRecorderExcludedResourceTypes
 CONFIG_RECORDER_DEFAULT_RECORDING_FREQUENCY: !Ref ConfigRecorderDefaultRecordingFrequency
 CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region'
+ CONFIG_RECORDER_SPECIAL_EXCLUDED_ACCOUNTS: !Ref ConfigRecorderSpecialExcludedAccounts
+ CONFIG_RECORDER_OVERRIDE_SPECIAL_EXCLUDED_RESOURCE_LIST: !Ref ConfigRecorderOverrideSpecialExcludedResourceList
 ConsumerLambdaEventSourceMapping:
 Type: AWS::Lambda::EventSourceMapping

From 0ebcca10352b6878a050b1c26c8bf7fb67708f45 Mon Sep 17 00:00:00 2001
From: Javi Meneses
Date: Fri, 25 Jul 2025 14:30:28 +0200
Subject: [PATCH 2/2] Update SPECIAL_EXCLUSION_RESOURCE_LIST to admit exclusion resource list

---
 ct_configrecorder_override_consumer.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ct_configrecorder_override_consumer.py b/ct_configrecorder_override_consumer.py
index 554b912..c0aa7c4 100644
--- a/ct_configrecorder_override_consumer.py
+++ b/ct_configrecorder_override_consumer.py
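Review bot: `ConfigRecorderSpecialExcludedAccounts` ships with a non-empty placeholder default (`111111111111,...,555555555555`), so a deployment that does not override the parameter carries a bogus special-account list and the feature is effectively on by default; a blank default makes it opt-in. The parameter also accepts arbitrary text while the consumer only strips whitespace around entries, so constrain it in the template with `Default: ""` and `AllowedPattern: "^$|^[0-9]{12}(,[0-9]{12})*$"`. The Description should say whether these exclusions replace or extend `ConfigRecorderExcludedResourceTypes` for the listed accounts — the consumer hunk in this patch replaces the list — because that is the detail an operator reading the parameter needs. The second hunk only wires the two parameters into the Lambda environment and raises nothing on its own.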
@@ -107,7 +107,8 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
 SPECIAL_EXCLUDED_ACCOUNTS_STRING = os.getenv('CONFIG_RECORDER_SPECIAL_EXCLUDED_ACCOUNTS', '')
 SPECIAL_EXCLUDED_ACCOUNTS = [x.strip() for x in SPECIAL_EXCLUDED_ACCOUNTS_STRING.split(',') if x.strip()]
- SPECIAL_EXCLUSION_RESOURCE_LIST = os.getenv('CONFIG_RECORDER_OVERRIDE_SPECIAL_EXCLUDED_RESOURCE_LIST')
+ SPECIAL_EXCLUSION_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_SPECIAL_EXCLUDED_RESOURCE_LIST', '')
+ SPECIAL_EXCLUSION_RESOURCE_LIST = SPECIAL_EXCLUSION_RESOURCE_STRING.split(',') if SPECIAL_EXCLUSION_RESOURCE_STRING else []
 if account_id in SPECIAL_EXCLUDED_ACCOUNTS:
 CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = SPECIAL_EXCLUSION_RESOURCE_LIST
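Review bot: `SPECIAL_EXCLUSION_RESOURCE_LIST` is built with a bare `split(',')`, while `SPECIAL_EXCLUDED_ACCOUNTS` two lines above strips each entry and drops empties, so a value such as `AWS::EC2::Volume, AWS::EC2::NetworkInterface` yields an entry with a leading space that names no real resource type; depending on how the list is consumed below this hunk that either fails validation or silently excludes nothing for that type. Use the same comprehension as the accounts list: `SPECIAL_EXCLUSION_RESOURCE_LIST = [x.strip() for x in SPECIAL_EXCLUSION_RESOURCE_STRING.split(',') if x.strip()]`. The global list built from `CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST` in the first patch's hunk has the same gap and should get the same treatment. The enclosing function starts and ends outside this hunk.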