{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources" : {
    "ConfigRuleCloudTrail" : {
      "Type" : "AWS::Config::ConfigRule",
      "Properties" : {
        "ConfigRuleName" : "ConfigRuleCloudTrail",
        "Description" : "Validates the status of CloudTrail trails via a custom Lambda rule",
        "InputParameters" : { "executionRole" : { "Fn::GetAtt" : ["ConfigRuleRole", "Arn"] }},
        "Scope" : {
          "ComplianceResourceTypes": ["AWS::CloudTrail::Trail"]
        },
        "Source": {
          "Owner": "CUSTOM_LAMBDA",
          "SourceDetails": [{
            "EventSource": "aws.config",
            "MessageType": "ConfigurationItemChangeNotification"
          }],
          "SourceIdentifier": "arn:aws:lambda:us-east-1:<admin-account>:function:cloudtrailLogValidationEnabled"
        }
      }
    },
    "ConfigRuleRole": {  
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::<admin-account>:role/lambda_config_role"}, "Action": ["sts:AssumeRole"] }]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "ConfigRulePutEvaluation",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{ "Effect": "Allow", "Action": ["config:PutEvaluations"], "Resource": "*" }]
          }
        }]
      }
    }
  },
  "Outputs" : {
  }
}