AWS::IoT::AccountAuditConfiguration - Amazon CloudFormation


Use the AWS::IoT::AccountAuditConfiguration resource to configure or reconfigure the Device Defender audit settings for your account. Settings include how audit notifications are sent and which audit checks are enabled or disabled. For the API reference, see UpdateAccountAuditConfiguration; for detailed information on all available audit checks, see Audit checks.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{
  "Type" : "AWS::IoT::AccountAuditConfiguration",
  "Properties" : {
      "AccountId" : String,
      "AuditCheckConfigurations" : AuditCheckConfigurations,
      "AuditNotificationTargetConfigurations" : AuditNotificationTargetConfigurations,
      "RoleArn" : String
    }
}



AccountId

The ID of the account. You can use the expression !Sub "${AWS::AccountId}" to use your account ID.

Required: Yes

Type: String

Minimum: 12

Maximum: 12

Update requires: Replacement


AuditCheckConfigurations

Specifies which audit checks are enabled and disabled for this account.

Some data collection might start immediately when certain checks are enabled. When a check is disabled, any data collected so far in relation to the check is deleted. To disable a check, set the value of the Enabled: key to false.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on available audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.

Required: Yes

Type: AuditCheckConfigurations

Update requires: No interruption


AuditNotificationTargetConfigurations

Information about the targets to which audit notifications are sent.

Required: No

Type: AuditNotificationTargetConfigurations

Update requires: No interruption


RoleArn

The Amazon Resource Name (ARN) of the role that grants permission to Amazon IoT to access information about your devices, policies, certificates, and other items as required when performing an audit.

Required: Yes

Type: String

Minimum: 20

Maximum: 2048

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the account ID.



{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Amazon Web Services IoT AccountAuditConfiguration Sample Template",
  "Resources": {
    "MyAccountAuditConfiguration": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": { "Fn::Sub": "${AWS::AccountId}" },
        "AuditCheckConfigurations": {
          "AuthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true },
          "CaCertificateExpiringCheck": { "Enabled": true },
          "CaCertificateKeyQualityCheck": { "Enabled": true },
          "ConflictingClientIdsCheck": { "Enabled": true },
          "DeviceCertificateExpiringCheck": { "Enabled": true },
          "DeviceCertificateKeyQualityCheck": { "Enabled": true },
          "DeviceCertificateSharedCheck": { "Enabled": true },
          "IotPolicyOverlyPermissiveCheck": { "Enabled": true },
          "IotRoleAliasAllowsAccessToUnusedServicesCheck": { "Enabled": true },
          "IotRoleAliasOverlyPermissiveCheck": { "Enabled": true },
          "LoggingDisabledCheck": { "Enabled": true },
          "RevokedCaCertificateStillActiveCheck": { "Enabled": true },
          "RevokedDeviceCertificateStillActiveCheck": { "Enabled": true },
          "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true }
        },
        "AuditNotificationTargetConfigurations": {
          "Sns": {
            "TargetArn": "arn:aws:sns:us-east-1:123456789012:AuditNotifications",
            "RoleArn": "arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications",
            "Enabled": true
          }
        },
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit"
      }
    }
  }
}


AWSTemplateFormatVersion: 2010-09-09
Description: Amazon Web Services IoT AccountAuditConfiguration Sample Template
Resources:
  MyAccountAuditConfiguration:
    Type: 'AWS::IoT::AccountAuditConfiguration'
    Properties:
      AccountId: !Sub '${AWS::AccountId}'
      AuditCheckConfigurations:
        AuthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: True
        CaCertificateExpiringCheck:
          Enabled: True
        CaCertificateKeyQualityCheck:
          Enabled: True
        ConflictingClientIdsCheck:
          Enabled: True
        DeviceCertificateExpiringCheck:
          Enabled: True
        DeviceCertificateKeyQualityCheck:
          Enabled: True
        DeviceCertificateSharedCheck:
          Enabled: True
        IotPolicyOverlyPermissiveCheck:
          Enabled: True
        IotRoleAliasAllowsAccessToUnusedServicesCheck:
          Enabled: True
        IotRoleAliasOverlyPermissiveCheck:
          Enabled: True
        LoggingDisabledCheck:
          Enabled: True
        RevokedCaCertificateStillActiveCheck:
          Enabled: True
        RevokedDeviceCertificateStillActiveCheck:
          Enabled: True
        UnauthenticatedCognitoRoleOverlyPermissiveCheck:
          Enabled: True
      AuditNotificationTargetConfigurations:
        Sns:
          TargetArn: 'arn:aws:sns:us-east-1:123456789012:AuditNotifications'
          RoleArn: 'arn:aws:iam::123456789012:role/RoleForIoTAuditNotifications'
          Enabled: true
      RoleArn: 'arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit'

See also

When you use CloudFormation to perform drift detection for AccountAuditConfiguration, it won't compare values that aren't part of the stack template. In AccountAuditConfiguration, specifying a configuration for every check is optional, and skipped checks are interpreted as disabled. To have accurate drift detection with CloudFormation, include configurations (enabled or disabled) for all 14 audit checks in your template. For more information on the audit checks, see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations.

For more information, see Detecting unmanaged configuration changes to stacks and resources in the user guide.
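The drift-detection note above implies that a check left out of the template is both disabled and invisible to drift detection. The following lint is an added example, not part of the AWS documentation: it reads a JSON template and reports, per AccountAuditConfiguration resource, which of the 14 check names from this page's sample are missing or explicitly disabled. The function name, the sample template, and the choice to treat a missing Enabled key as disabled are assumptions.

```python
import json

# The 14 audit check names that appear in this page's sample template.
AUDIT_CHECKS = frozenset("""
AuthenticatedCognitoRoleOverlyPermissiveCheck CaCertificateExpiringCheck
CaCertificateKeyQualityCheck ConflictingClientIdsCheck
DeviceCertificateExpiringCheck DeviceCertificateKeyQualityCheck
DeviceCertificateSharedCheck IotPolicyOverlyPermissiveCheck
IotRoleAliasAllowsAccessToUnusedServicesCheck IotRoleAliasOverlyPermissiveCheck
LoggingDisabledCheck RevokedCaCertificateStillActiveCheck
RevokedDeviceCertificateStillActiveCheck
UnauthenticatedCognitoRoleOverlyPermissiveCheck
""".split())
RESOURCE_TYPE = "AWS::IoT::AccountAuditConfiguration"


def lint_audit_checks(template_text):
    """Map each audit-configuration logical ID to its missing/disabled/unknown checks."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != RESOURCE_TYPE:
            continue  # other resource types are out of scope
        checks = resource.get("Properties", {}).get("AuditCheckConfigurations", {})
        declared = set(checks)
        findings[logical_id] = {
            # Omitted checks: interpreted as disabled and skipped by drift detection.
            "missing": sorted(AUDIT_CHECKS - declared),
            # Assumption: anything other than Enabled == true counts as disabled.
            "disabled": sorted(n for n in declared & AUDIT_CHECKS
                               if checks[n].get("Enabled") is not True),
            # Names not in the page's list (typos, or checks added after this page).
            "unknown": sorted(declared - AUDIT_CHECKS),
        }
    return findings


# Constructed sample: only two of the 14 checks are declared, one of them disabled.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "AuditConfig": {"Type": RESOURCE_TYPE, "Properties": {
        "AccountId": {"Fn::Sub": "${AWS::AccountId}"},
        "AuditCheckConfigurations": {
            "LoggingDisabledCheck": {"Enabled": True},
            "DeviceCertificateSharedCheck": {"Enabled": False}},
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTDeviceDefenderAudit"}},
    "Topic": {"Type": "AWS::SNS::Topic"}}})

if __name__ == "__main__":
    print(json.dumps(lint_audit_checks(SAMPLE_TEMPLATE), indent=2))
```

Run it in CI against the rendered JSON template and fail the build when "missing" is non-empty, so every check's state is stated explicitly in the stack.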