Gist atheiman/3dc06afb63b96bfa8a81c8e96f36910c
AWS Config conformance pack Operational-Best-Practices-for-NIST-800-171 from github.com/awslabs/aws-config-rules, with the managed rules that are not available in AWS GovCloud (US) regions gated behind `Condition: StandardPartition`, so they are only created in the standard commercial partition. The set of gated rules will go stale as more managed rules are added to GovCloud regions; check the AWS Config managed-rule availability for your target region before deploying.
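The `Condition: StandardPartition` gating and the `Fn::If ... AWS::NoValue` parameter plumbing used throughout the template can be dry-run offline. What follows is an added example, not code from the gist or from awslabs/aws-config-rules: a small Python evaluator for the handful of CloudFormation intrinsics this template relies on, applied to a constructed excerpt that mirrors two of the rules below. The `Conditions` block in the excerpt (a `StandardPartition` that is true only when `AWS::Partition` is `aws`, and a per-parameter condition that is true when the parameter is non-empty) is an assumption about how the gist defines them; that section is not visible on this page, and the template shown here ends part-way through the `RestrictedIncomingTraffic` rule.

```python
"""Offline dry-run of a partition-gated AWS Config conformance pack.

Added example (not from the gist). It implements only the CloudFormation
semantics this template relies on: a resource-level `Condition`, the
intrinsics `Fn::If` / `Ref` / `Fn::Sub` / `Fn::Equals` / `Fn::Not`, and
`AWS::NoValue` removing a key. TEMPLATE is a constructed excerpt mirroring
the gist's structure; its `Conditions` section is an ASSUMPTION about how
the gist declares StandardPartition and the per-parameter conditions.
"""
import re

NO_VALUE = object()  # sentinel standing in for `Ref: AWS::NoValue`

TEMPLATE = {
    "Parameters": {
        "ConfigRuleNamePrefix": {"Default": "nist-800-171-", "Type": "String"},
        "AcmCertificateExpirationCheckParamDaysToExpiration": {"Default": "90", "Type": "String"},
    },
    "Conditions": {  # assumed definitions (not shown on the page)
        "StandardPartition": {"Fn::Equals": [{"Ref": "AWS::Partition"}, "aws"]},
        "acmCertificateExpirationCheckParamDaysToExpiration": {"Fn::Not": [
            {"Fn::Equals": ["", {"Ref": "AcmCertificateExpirationCheckParamDaysToExpiration"}]}]},
    },
    "Resources": {
        "AcmCertificateExpirationCheck": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {
                "ConfigRuleName": {"Fn::Sub": "${ConfigRuleNamePrefix}acm-certificate-expiration-check"},
                "InputParameters": {"daysToExpiration": {"Fn::If": [
                    "acmCertificateExpirationCheckParamDaysToExpiration",
                    {"Ref": "AcmCertificateExpirationCheckParamDaysToExpiration"},
                    {"Ref": "AWS::NoValue"}]}},
                "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
            },
        },
        "Ec2SecurityGroupAttachedToEniPeriodic": {
            "Type": "AWS::Config::ConfigRule",
            "Condition": "StandardPartition",  # rule is not created in GovCloud
            "Properties": {
                "ConfigRuleName": {"Fn::Sub": "${ConfigRuleNamePrefix}ec2-security-group-attached-to-eni-periodic"},
                "Source": {"Owner": "AWS", "SourceIdentifier": "EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC"},
            },
        },
    },
}


class Resolver:
    """Evaluates the intrinsic functions used by the template for one partition."""

    def __init__(self, template, partition, overrides=None):
        self.conditions = template.get("Conditions", {})
        self.params = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
        self.params.update(overrides or {})  # parameter values passed at deploy time
        self.pseudo = {"AWS::Partition": partition}

    def ref(self, name):
        if name == "AWS::NoValue":
            return NO_VALUE
        if name in self.pseudo:
            return self.pseudo[name]
        if name in self.params:
            return self.params[name]
        raise KeyError(f"unresolved Ref: {name}")

    def condition(self, name):
        if name not in self.conditions:
            raise KeyError(f"Condition {name!r} is referenced but never declared")
        return bool(self.resolve(self.conditions[name]))

    def resolve(self, node):
        if isinstance(node, dict) and len(node) == 1:
            (fn, arg), = node.items()
            if fn == "Ref":
                return self.ref(arg)
            if fn == "Fn::Equals":
                left, right = (self.resolve(x) for x in arg)
                return left == right
            if fn == "Fn::Not":
                return not self.resolve(arg[0])
            if fn == "Fn::If":
                cond, if_true, if_false = arg
                return self.resolve(if_true if self.condition(cond) else if_false)
            if fn == "Fn::Sub":
                return re.sub(r"\$\{([^}]+)\}", lambda m: str(self.ref(m.group(1))), arg)
        if isinstance(node, dict):  # plain mapping: a value of AWS::NoValue removes its key
            return {k: v for k, v in ((k, self.resolve(v)) for k, v in node.items()) if v is not NO_VALUE}
        if isinstance(node, list):
            return [self.resolve(x) for x in node]
        return node


def render_pack(template, partition, overrides=None):
    """Return {logical_id: resolved Properties} for the ConfigRules CloudFormation would create."""
    resolver = Resolver(template, partition, overrides)
    rendered = {}
    for logical_id, resource in template["Resources"].items():
        if resource.get("Type") != "AWS::Config::ConfigRule":
            continue
        gate = resource.get("Condition")
        if gate is not None and not resolver.condition(gate):
            continue  # rule is dropped in this partition
        rendered[logical_id] = resolver.resolve(resource["Properties"])
    return rendered


def undefined_conditions(template):
    """Condition names used by `Condition:` or `Fn::If` that the Conditions section never declares."""
    defined = set(template.get("Conditions", {}))
    used = set()

    def walk(node):
        if isinstance(node, dict):
            if len(node) == 1 and "Fn::If" in node:
                used.add(node["Fn::If"][0])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    for resource in template.get("Resources", {}).values():
        if "Condition" in resource:
            used.add(resource["Condition"])
        walk(resource.get("Properties", {}))
    return sorted(used - defined)
```

`render_pack(TEMPLATE, "aws-us-gov")` returns only the ACM rule, while `render_pack(TEMPLATE, "aws")` returns both; passing an empty string for a parameter makes the matching `Fn::If` resolve to `AWS::NoValue`, which drops that key from `InputParameters` exactly as the deployed pack would. `undefined_conditions` is the check worth running against the full gist before `aws configservice put-conformance-pack`: a `Condition` or `Fn::If` name with no declaration fails template validation rather than silently disabling the rule.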
##################################################################################
#
# Conformance Pack:
# Operational Best Practices for NIST 800-171
#
# This conformance pack helps verify compliance with NIST 800-171 requirements.
#
# See Parameters section for names and descriptions of required parameters.
#
##################################################################################
Parameters:
  ConfigRuleNamePrefix:
    Default: 'nist-800-171-'
    Type: String
  AcmCertificateExpirationCheckParamDaysToExpiration:
    Default: '90'
    Type: String
  CloudwatchAlarmActionCheckParamInsufficientDataActionRequired:
    Default: 'true'
    Type: String
  CloudwatchAlarmActionCheckParamOkActionRequired:
    Default: 'false'
    Type: String
  Ec2VolumeInuseCheckParamDeleteOnTermination:
    Default: 'true'
    Type: String
  GuarddutyNonArchivedFindingsParamDaysHighSev:
    Default: '1'
    Type: String
  GuarddutyNonArchivedFindingsParamDaysLowSev:
    Default: '30'
    Type: String
  GuarddutyNonArchivedFindingsParamDaysMediumSev:
    Default: '7'
    Type: String
  IamPasswordPolicyParamMaxPasswordAge:
    Default: '90'
    Type: String
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: String
  IamPasswordPolicyParamPasswordReusePrevention:
    Default: '24'
    Type: String
  IamPasswordPolicyParamRequireLowercaseCharacters:
    Default: 'true'
    Type: String
  IamPasswordPolicyParamRequireNumbers:
    Default: 'true'
    Type: String
  IamPasswordPolicyParamRequireSymbols:
    Default: 'true'
    Type: String
  IamPasswordPolicyParamRequireUppercaseCharacters:
    Default: 'true'
    Type: String
  IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
    Default: '90'
    Type: String
  RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade:
    Default: 'true'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort1:
    Default: '20'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort2:
    Default: '21'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort3:
    Default: '3389'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort4:
    Default: '3306'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort5:
    Default: '4333'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls:
    Default: 'true'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy:
    Default: 'true'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls:
    Default: 'true'
    Type: String
  S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets:
    Default: 'true'
    Type: String
  VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts:
    Default: '443'
    Type: String
  VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts:
    Default: '1020-1025'
    Type: String
Resources:
  AcmCertificateExpirationCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}acm-certificate-expiration-check'
      InputParameters:
        daysToExpiration:
          Fn::If:
            - acmCertificateExpirationCheckParamDaysToExpiration
            - Ref: AcmCertificateExpirationCheckParamDaysToExpiration
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::ACM::Certificate
      Source:
        Owner: AWS
        SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
    Type: AWS::Config::ConfigRule
  AlbHttpToHttpsRedirectionCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}alb-http-to-https-redirection-check'
      Source:
        Owner: AWS
        SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
    Type: AWS::Config::ConfigRule
  AlbWafEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}alb-waf-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancingV2::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ALB_WAF_ENABLED
    Type: AWS::Config::ConfigRule
  ApiGwAssociatedWithWaf:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}api-gw-associated-with-waf'
      Scope:
        ComplianceResourceTypes:
          - AWS::ApiGateway::Stage
      Source:
        Owner: AWS
        SourceIdentifier: API_GW_ASSOCIATED_WITH_WAF
    Type: AWS::Config::ConfigRule
  ApiGwCacheEnabledAndEncrypted:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}api-gw-cache-enabled-and-encrypted'
      Scope:
        ComplianceResourceTypes:
          - AWS::ApiGateway::Stage
      Source:
        Owner: AWS
        SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
    Type: AWS::Config::ConfigRule
  ApiGwExecutionLoggingEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}api-gw-execution-logging-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ApiGateway::Stage
          - AWS::ApiGatewayV2::Stage
      Source:
        Owner: AWS
        SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
    Type: AWS::Config::ConfigRule
  ApiGwSslEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}api-gw-ssl-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ApiGateway::Stage
      Source:
        Owner: AWS
        SourceIdentifier: API_GW_SSL_ENABLED
    Type: AWS::Config::ConfigRule
  AutoscalingGroupElbHealthcheckRequired:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}autoscaling-group-elb-healthcheck-required'
      Scope:
        ComplianceResourceTypes:
          - AWS::AutoScaling::AutoScalingGroup
      Source:
        Owner: AWS
        SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
    Type: AWS::Config::ConfigRule
  AutoscalingLaunchConfigPublicIpDisabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}autoscaling-launch-config-public-ip-disabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::AutoScaling::LaunchConfiguration
      Source:
        Owner: AWS
        SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
    Type: AWS::Config::ConfigRule
  CloudTrailCloudWatchLogsEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloud-trail-cloud-watch-logs-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
    Type: AWS::Config::ConfigRule
  CloudTrailEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloudtrail-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED
    Type: AWS::Config::ConfigRule
  CloudTrailEncryptionEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloud-trail-encryption-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
    Type: AWS::Config::ConfigRule
  CloudTrailLogFileValidationEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloud-trail-log-file-validation-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
    Type: AWS::Config::ConfigRule
  CloudtrailS3DataeventsEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloudtrail-s3-dataevents-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
    Type: AWS::Config::ConfigRule
  CloudtrailSecurityTrailEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloudtrail-security-trail-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
    Type: AWS::Config::ConfigRule
  CloudwatchAlarmActionCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloudwatch-alarm-action-check'
      InputParameters:
        alarmActionRequired: 'TRUE'
        insufficientDataActionRequired:
          Fn::If:
            - cloudwatchAlarmActionCheckParamInsufficientDataActionRequired
            - Ref: CloudwatchAlarmActionCheckParamInsufficientDataActionRequired
            - Ref: AWS::NoValue
        okActionRequired:
          Fn::If:
            - cloudwatchAlarmActionCheckParamOkActionRequired
            - Ref: CloudwatchAlarmActionCheckParamOkActionRequired
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudWatch::Alarm
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK
    Type: AWS::Config::ConfigRule
  CloudwatchLogGroupEncrypted:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cloudwatch-log-group-encrypted'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
    Type: AWS::Config::ConfigRule
  CmkBackingKeyRotationEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cmk-backing-key-rotation-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
    Type: AWS::Config::ConfigRule
  CodebuildProjectEnvvarAwscredCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}codebuild-project-envvar-awscred-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
    Type: AWS::Config::ConfigRule
  CodebuildProjectSourceRepoUrlCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}codebuild-project-source-repo-url-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
    Type: AWS::Config::ConfigRule
  CwLoggroupRetentionPeriodCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}cw-loggroup-retention-period-check'
      Source:
        Owner: AWS
        SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
    Type: AWS::Config::ConfigRule
  DbInstanceBackupEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}db-instance-backup-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
    Type: AWS::Config::ConfigRule
  DmsReplicationNotPublic:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}dms-replication-not-public'
      Scope:
        ComplianceResourceTypes: []
      Source:
        Owner: AWS
        SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
    Type: AWS::Config::ConfigRule
  DynamodbAutoscalingEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-autoscaling-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::DynamoDB::Table
      Source:
        Owner: AWS
        SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
    Type: AWS::Config::ConfigRule
  DynamodbInBackupPlan:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-in-backup-plan'
      Source:
        Owner: AWS
        SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN
    Type: AWS::Config::ConfigRule
  DynamodbPitrEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-pitr-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::DynamoDB::Table
      Source:
        Owner: AWS
        SourceIdentifier: DYNAMODB_PITR_ENABLED
    Type: AWS::Config::ConfigRule
  DynamodbTableEncryptedKms:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-table-encrypted-kms'
      Scope:
        ComplianceResourceTypes:
          - AWS::DynamoDB::Table
      Source:
        Owner: AWS
        SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS
    Type: AWS::Config::ConfigRule
  DynamodbThroughputLimitCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-throughput-limit-check'
      Source:
        Owner: AWS
        SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK
    Type: AWS::Config::ConfigRule
  EbsInBackupPlan:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ebs-in-backup-plan'
      Source:
        Owner: AWS
        SourceIdentifier: EBS_IN_BACKUP_PLAN
    Type: AWS::Config::ConfigRule
  EbsOptimizedInstance:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ebs-optimized-instance'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
    Type: AWS::Config::ConfigRule
  EbsSnapshotPublicRestorableCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ebs-snapshot-public-restorable-check'
      Source:
        Owner: AWS
        SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
    Type: AWS::Config::ConfigRule
  Ec2EbsEncryptionByDefault:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-ebs-encryption-by-default'
      Source:
        Owner: AWS
        SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
    Type: AWS::Config::ConfigRule
  Ec2InstanceManagedBySsm:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-instance-managed-by-systems-manager'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
          - AWS::SSM::ManagedInstanceInventory
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
    Type: AWS::Config::ConfigRule
  Ec2InstanceNoPublicIp:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-instance-no-public-ip'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
    Type: AWS::Config::ConfigRule
  Ec2InstanceProfileAttached:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-instance-profile-attached'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_PROFILE_ATTACHED
    Type: AWS::Config::ConfigRule
  Ec2ManagedinstanceAssociationComplianceStatusCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-managedinstance-association-compliance-status-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::SSM::AssociationCompliance
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
    Type: AWS::Config::ConfigRule
  Ec2ManagedinstancePatchComplianceStatusCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-managedinstance-patch-compliance-status-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::SSM::PatchCompliance
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
    Type: AWS::Config::ConfigRule
  Ec2SecurityGroupAttachedToEniPeriodic:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-security-group-attached-to-eni-periodic'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC
    Type: AWS::Config::ConfigRule
  Ec2StoppedInstance:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-stopped-instance'
      Source:
        Owner: AWS
        SourceIdentifier: EC2_STOPPED_INSTANCE
    Type: AWS::Config::ConfigRule
  Ec2VolumeInuseCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-volume-inuse-check'
      InputParameters:
        deleteOnTermination:
          Fn::If:
            - ec2VolumeInuseCheckParamDeleteOnTermination
            - Ref: Ec2VolumeInuseCheckParamDeleteOnTermination
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
    Type: AWS::Config::ConfigRule
  EcsContainersNonprivileged:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ecs-containers-nonprivileged'
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINERS_NONPRIVILEGED
    Type: AWS::Config::ConfigRule
  EcsContainersReadonlyAccess:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ecs-containers-readonly-access'
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINERS_READONLY_ACCESS
    Type: AWS::Config::ConfigRule
  EcsTaskDefinitionNonrootUser:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ecs-task-definition-nonroot-user'
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_NONROOT_USER
    Type: AWS::Config::ConfigRule
  EcsTaskDefinitionUserForHostModeCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ecs-task-definition-user-for-host-mode-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK
    Type: AWS::Config::ConfigRule
  EfsAccessPointEnforceUserIdentity:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}efs-access-point-enforce-user-identity'
      Scope:
        ComplianceResourceTypes:
          - AWS::EFS::AccessPoint
      Source:
        Owner: AWS
        SourceIdentifier: EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY
    Type: AWS::Config::ConfigRule
  EfsEncryptedCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}efs-encrypted-check'
      Source:
        Owner: AWS
        SourceIdentifier: EFS_ENCRYPTED_CHECK
    Type: AWS::Config::ConfigRule
  EfsInBackupPlan:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}efs-in-backup-plan'
      Source:
        Owner: AWS
        SourceIdentifier: EFS_IN_BACKUP_PLAN
    Type: AWS::Config::ConfigRule
  EipAttached:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}eip-attached'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::EIP
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
    Type: AWS::Config::ConfigRule
  ElasticBeanstalkManagedUpdatesEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elastic-beanstalk-managed-updates-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticBeanstalk::Environment
      Source:
        Owner: AWS
        SourceIdentifier: ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED
    Type: AWS::Config::ConfigRule
  ElasticacheRedisClusterAutomaticBackupCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elasticache-redis-cluster-automatic-backup-check'
      Source:
        Owner: AWS
        SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
    Type: AWS::Config::ConfigRule
  ElasticsearchEncryptedAtRest:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-encrypted-at-rest'
      Source:
        Owner: AWS
        SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
    Type: AWS::Config::ConfigRule
  ElasticsearchInVpcOnly:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-in-vpc-only'
      Source:
        Owner: AWS
        SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
    Type: AWS::Config::ConfigRule
  ElasticsearchLogsToCloudwatch:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-logs-to-cloudwatch'
      Scope:
        ComplianceResourceTypes:
          - AWS::Elasticsearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: ELASTICSEARCH_LOGS_TO_CLOUDWATCH
    Type: AWS::Config::ConfigRule
  ElasticsearchNodeToNodeEncryptionCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-node-to-node-encryption-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::Elasticsearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
    Type: AWS::Config::ConfigRule
  ElbAcmCertificateRequired:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elb-acm-certificate-required'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
    Type: AWS::Config::ConfigRule
  ElbCrossZoneLoadBalancingEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elb-cross-zone-load-balancing-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
    Type: AWS::Config::ConfigRule
  ElbDeletionProtectionEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elb-deletion-protection-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancingV2::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
    Type: AWS::Config::ConfigRule
  ElbLoggingEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elb-logging-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancing::LoadBalancer
          - AWS::ElasticLoadBalancingV2::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_LOGGING_ENABLED
    Type: AWS::Config::ConfigRule
  ElbTlsHttpsListenersOnly:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elb-tls-https-listeners-only'
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_TLS_HTTPS_LISTENERS_ONLY
    Type: AWS::Config::ConfigRule
  Elbv2AcmCertificateRequired:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}elbv2-acm-certificate-required'
      Source:
        Owner: AWS
        SourceIdentifier: ELBV2_ACM_CERTIFICATE_REQUIRED
    Type: AWS::Config::ConfigRule
  EmrKerberosEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}emr-kerberos-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: EMR_KERBEROS_ENABLED
    Type: AWS::Config::ConfigRule
  EmrMasterNoPublicIp:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}emr-master-no-public-ip'
      Scope:
        ComplianceResourceTypes: []
      Source:
        Owner: AWS
        SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
    Type: AWS::Config::ConfigRule
  EncryptedVolumes:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}encrypted-volumes'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
    Type: AWS::Config::ConfigRule
  GuarddutyEnabledCentralized:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}guardduty-enabled-centralized'
      Source:
        Owner: AWS
        SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
    Type: AWS::Config::ConfigRule
  GuarddutyNonArchivedFindings:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}guardduty-non-archived-findings'
      InputParameters:
        daysHighSev:
          Fn::If:
            - guarddutyNonArchivedFindingsParamDaysHighSev
            - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev
            - Ref: AWS::NoValue
        daysLowSev:
          Fn::If:
            - guarddutyNonArchivedFindingsParamDaysLowSev
            - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev
            - Ref: AWS::NoValue
        daysMediumSev:
          Fn::If:
            - guarddutyNonArchivedFindingsParamDaysMediumSev
            - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev
            - Ref: AWS::NoValue
      Source:
        Owner: AWS
        SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
    Type: AWS::Config::ConfigRule
  IamGroupHasUsersCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-group-has-users-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::Group
      Source:
        Owner: AWS
        SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
    Type: AWS::Config::ConfigRule
  IamNoInlinePolicyCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-no-inline-policy-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::User
          - AWS::IAM::Role
          - AWS::IAM::Group
      Source:
        Owner: AWS
        SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK
    Type: AWS::Config::ConfigRule
  IamPasswordPolicy:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-password-policy'
      InputParameters:
        MaxPasswordAge:
          Fn::If:
            - iamPasswordPolicyParamMaxPasswordAge
            - Ref: IamPasswordPolicyParamMaxPasswordAge
            - Ref: AWS::NoValue
        MinimumPasswordLength:
          Fn::If:
            - iamPasswordPolicyParamMinimumPasswordLength
            - Ref: IamPasswordPolicyParamMinimumPasswordLength
            - Ref: AWS::NoValue
        PasswordReusePrevention:
          Fn::If:
            - iamPasswordPolicyParamPasswordReusePrevention
            - Ref: IamPasswordPolicyParamPasswordReusePrevention
            - Ref: AWS::NoValue
        RequireLowercaseCharacters:
          Fn::If:
            - iamPasswordPolicyParamRequireLowercaseCharacters
            - Ref: IamPasswordPolicyParamRequireLowercaseCharacters
            - Ref: AWS::NoValue
        RequireNumbers:
          Fn::If:
            - iamPasswordPolicyParamRequireNumbers
            - Ref: IamPasswordPolicyParamRequireNumbers
            - Ref: AWS::NoValue
        RequireSymbols:
          Fn::If:
            - iamPasswordPolicyParamRequireSymbols
            - Ref: IamPasswordPolicyParamRequireSymbols
            - Ref: AWS::NoValue
        RequireUppercaseCharacters:
          Fn::If:
            - iamPasswordPolicyParamRequireUppercaseCharacters
            - Ref: IamPasswordPolicyParamRequireUppercaseCharacters
            - Ref: AWS::NoValue
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  IamPolicyNoStatementsWithAdminAccess:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-policy-no-statements-with-admin-access'
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::Policy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
    Type: AWS::Config::ConfigRule
  IamPolicyNoStatementsWithFullAccess:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-policy-no-statements-with-full-access'
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::Policy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS
    Type: AWS::Config::ConfigRule
  IamRootAccessKeyCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-root-access-key-check'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
    Type: AWS::Config::ConfigRule
  IamUserGroupMembershipCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-user-group-membership-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::User
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
    Type: AWS::Config::ConfigRule
  IamUserMfaEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-user-mfa-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_MFA_ENABLED
    Type: AWS::Config::ConfigRule
  IamUserNoPoliciesCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-user-no-policies-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::User
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
    Type: AWS::Config::ConfigRule
  IamUserUnusedCredentialsCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}iam-user-unused-credentials-check'
      InputParameters:
        maxCredentialUsageAge:
          Fn::If:
            - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
            - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
            - Ref: AWS::NoValue
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
    Type: AWS::Config::ConfigRule
  IncomingSshDisabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}restricted-ssh'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
    Type: AWS::Config::ConfigRule
  InstancesInVpc:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}ec2-instances-in-vpc'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: INSTANCES_IN_VPC
    Type: AWS::Config::ConfigRule
  InternetGatewayAuthorizedVpcOnly:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}internet-gateway-authorized-vpc-only'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::InternetGateway
      Source:
        Owner: AWS
        SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
    Type: AWS::Config::ConfigRule
  KmsCmkNotScheduledForDeletion:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}kms-cmk-not-scheduled-for-deletion'
      Scope:
        ComplianceResourceTypes:
          - AWS::KMS::Key
      Source:
        Owner: AWS
        SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
    Type: AWS::Config::ConfigRule
  LambdaFunctionPublicAccessProhibited:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}lambda-function-public-access-prohibited'
      Scope:
        ComplianceResourceTypes:
          - AWS::Lambda::Function
      Source:
        Owner: AWS
        SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
    Type: AWS::Config::ConfigRule
  LambdaInsideVpc:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}lambda-inside-vpc'
      Scope:
        ComplianceResourceTypes:
          - AWS::Lambda::Function
      Source:
        Owner: AWS
        SourceIdentifier: LAMBDA_INSIDE_VPC
    Type: AWS::Config::ConfigRule
  MfaEnabledForIamConsoleAccess:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}mfa-enabled-for-iam-console-access'
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
    Type: AWS::Config::ConfigRule
  MultiRegionCloudTrailEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}multi-region-cloudtrail-enabled'
      Source:
        Owner: AWS
        SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
    Type: AWS::Config::ConfigRule
  NoUnrestrictedRouteToIgw:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}no-unrestricted-route-to-igw'
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::RouteTable
      Source:
        Owner: AWS
        SourceIdentifier: NO_UNRESTRICTED_ROUTE_TO_IGW
    Type: AWS::Config::ConfigRule
  OpensearchAccessControlEnabled:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}opensearch-access-control-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::OpenSearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: OPENSEARCH_ACCESS_CONTROL_ENABLED
    Type: AWS::Config::ConfigRule
  OpensearchEncryptedAtRest:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}opensearch-encrypted-at-rest'
      Scope:
        ComplianceResourceTypes:
          - AWS::OpenSearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: OPENSEARCH_ENCRYPTED_AT_REST
    Type: AWS::Config::ConfigRule
  OpensearchHttpsRequired:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}opensearch-https-required'
      Scope:
        ComplianceResourceTypes:
          - AWS::OpenSearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: OPENSEARCH_HTTPS_REQUIRED
    Type: AWS::Config::ConfigRule
  OpensearchInVpcOnly:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}opensearch-in-vpc-only'
      Scope:
        ComplianceResourceTypes:
          - AWS::OpenSearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: OPENSEARCH_IN_VPC_ONLY
    Type: AWS::Config::ConfigRule
  OpensearchLogsToCloudwatch:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}opensearch-logs-to-cloudwatch'
      Scope:
        ComplianceResourceTypes:
          - AWS::OpenSearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: OPENSEARCH_LOGS_TO_CLOUDWATCH
    Type: AWS::Config::ConfigRule
  OpensearchNodeToNodeEncryptionCheck:
    Condition: StandardPartition
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}opensearch-node-to-node-encryption-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::OpenSearch::Domain
      Source:
        Owner: AWS
        SourceIdentifier: OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
    Type: AWS::Config::ConfigRule
  RdsInBackupPlan:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-in-backup-plan'
      Source:
        Owner: AWS
        SourceIdentifier: RDS_IN_BACKUP_PLAN
    Type: AWS::Config::ConfigRule
  RdsInstanceDeletionProtectionEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-instance-deletion-protection-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: RDS_INSTANCE_DELETION_PROTECTION_ENABLED
    Type: AWS::Config::ConfigRule
  RdsInstancePublicAccessCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-instance-public-access-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
    Type: AWS::Config::ConfigRule
  RdsLoggingEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-logging-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: RDS_LOGGING_ENABLED
    Type: AWS::Config::ConfigRule
  RdsMultiAzSupport:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-multi-az-support'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: RDS_MULTI_AZ_SUPPORT
    Type: AWS::Config::ConfigRule
  RdsSnapshotEncrypted:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-snapshot-encrypted'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBSnapshot
          - AWS::RDS::DBClusterSnapshot
      Source:
        Owner: AWS
        SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
    Type: AWS::Config::ConfigRule
  RdsSnapshotsPublicProhibited:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-snapshots-public-prohibited'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBSnapshot
          - AWS::RDS::DBClusterSnapshot
      Source:
        Owner: AWS
        SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
    Type: AWS::Config::ConfigRule
  RdsStorageEncrypted:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}rds-storage-encrypted'
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: RDS_STORAGE_ENCRYPTED
    Type: AWS::Config::ConfigRule
  RedshiftBackupEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}redshift-backup-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::Redshift::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_BACKUP_ENABLED
    Type: AWS::Config::ConfigRule
  RedshiftClusterConfigurationCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}redshift-cluster-configuration-check'
      InputParameters:
        clusterDbEncrypted: 'TRUE'
        loggingEnabled: 'TRUE'
      Scope:
        ComplianceResourceTypes:
          - AWS::Redshift::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
    Type: AWS::Config::ConfigRule
  RedshiftClusterMaintenancesettingsCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}redshift-cluster-maintenancesettings-check'
      InputParameters:
        allowVersionUpgrade:
          Fn::If:
            - redshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade
            - Ref: RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::Redshift::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK
    Type: AWS::Config::ConfigRule
  RedshiftClusterPublicAccessCheck:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}redshift-cluster-public-access-check'
      Scope:
        ComplianceResourceTypes:
          - AWS::Redshift::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
    Type: AWS::Config::ConfigRule
  RedshiftEnhancedVpcRoutingEnabled:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}redshift-enhanced-vpc-routing-enabled'
      Scope:
        ComplianceResourceTypes:
          - AWS::Redshift::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED
    Type: AWS::Config::ConfigRule
  RedshiftRequireTlsSsl:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}redshift-require-tls-ssl'
      Scope:
        ComplianceResourceTypes:
          - AWS::Redshift::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
    Type: AWS::Config::ConfigRule
  RestrictedIncomingTraffic:
    Properties:
      ConfigRuleName:
        Fn::Sub: '${ConfigRuleNamePrefix}restricted-common-ports'
      InputParameters:
        blockedPort1:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort1
            - Ref: RestrictedIncomingTrafficParamBlockedPort1
            - Ref: AWS::NoValue
        blockedPort2:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort2
            - Ref: RestrictedIncomingTrafficParamBlockedPort2
            - Ref: AWS::NoValue
        blockedPort3:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort3
            - Ref: RestrictedIncomingTrafficParamBlockedPort3
            - Ref: AWS::NoValue
        blockedPort4:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort4
            - Ref: RestrictedIncomingTrafficParamBlockedPort4
            - Ref: AWS::NoValue
        blockedPort5:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort5
            - Ref: RestrictedIncomingTrafficParamBlockedPort5
- Ref: AWS::NoValue
Scope:
ComplianceResourceTypes:
- AWS::EC2::SecurityGroup
Source:
Owner: AWS
SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
Type: AWS::Config::ConfigRule
RootAccountHardwareMfaEnabled:
Condition: StandardPartition
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}root-account-hardware-mfa-enabled'
Source:
Owner: AWS
SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
Type: AWS::Config::ConfigRule
RootAccountMfaEnabled:
Condition: StandardPartition
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}root-account-mfa-enabled'
Source:
Owner: AWS
SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
Type: AWS::Config::ConfigRule
S3AccountLevelPublicAccessBlocksPeriodic:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-account-level-public-access-blocks-periodic'
InputParameters:
BlockPublicAcls:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
- Ref: AWS::NoValue
BlockPublicPolicy:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
- Ref: AWS::NoValue
IgnorePublicAcls:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
- Ref: AWS::NoValue
RestrictPublicBuckets:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
- Ref: AWS::NoValue
Source:
Owner: AWS
SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
Type: AWS::Config::ConfigRule
S3BucketDefaultLockEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-default-lock-enabled'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
Type: AWS::Config::ConfigRule
S3BucketLevelPublicAccessProhibited:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-level-public-access-prohibited'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED
Type: AWS::Config::ConfigRule
S3BucketLoggingEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-logging-enabled'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
Type: AWS::Config::ConfigRule
S3BucketPolicyGranteeCheck:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-policy-grantee-check'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
Type: AWS::Config::ConfigRule
S3BucketPublicReadProhibited:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-public-read-prohibited'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
Type: AWS::Config::ConfigRule
S3BucketPublicWriteProhibited:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-public-write-prohibited'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
Type: AWS::Config::ConfigRule
S3BucketReplicationEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-replication-enabled'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED
Type: AWS::Config::ConfigRule
S3BucketServerSideEncryptionEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-server-side-encryption-enabled'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
Type: AWS::Config::ConfigRule
S3BucketSslRequestsOnly:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-ssl-requests-only'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
Type: AWS::Config::ConfigRule
S3BucketVersioningEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-versioning-enabled'
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
Type: AWS::Config::ConfigRule
SagemakerEndpointConfigurationKmsKeyConfigured:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}sagemaker-endpoint-configuration-kms-key-configured'
Source:
Owner: AWS
SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
Type: AWS::Config::ConfigRule
SagemakerNotebookInstanceKmsKeyConfigured:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}sagemaker-notebook-instance-kms-key-configured'
Source:
Owner: AWS
SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
Type: AWS::Config::ConfigRule
SagemakerNotebookNoDirectInternetAccess:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}sagemaker-notebook-no-direct-internet-access'
Source:
Owner: AWS
SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
Type: AWS::Config::ConfigRule
SecurityhubEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}securityhub-enabled'
Source:
Owner: AWS
SourceIdentifier: SECURITYHUB_ENABLED
Type: AWS::Config::ConfigRule
SnsEncryptedKms:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}sns-encrypted-kms'
Scope:
ComplianceResourceTypes:
- AWS::SNS::Topic
Source:
Owner: AWS
SourceIdentifier: SNS_ENCRYPTED_KMS
Type: AWS::Config::ConfigRule
SsmDocumentNotPublic:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}ssm-document-not-public'
Source:
Owner: AWS
SourceIdentifier: SSM_DOCUMENT_NOT_PUBLIC
Type: AWS::Config::ConfigRule
SubnetAutoAssignPublicIpDisabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}subnet-auto-assign-public-ip-disabled'
Scope:
ComplianceResourceTypes:
- AWS::EC2::Subnet
Source:
Owner: AWS
SourceIdentifier: SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
Type: AWS::Config::ConfigRule
VpcDefaultSecurityGroupClosed:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}vpc-default-security-group-closed'
Scope:
ComplianceResourceTypes:
- AWS::EC2::SecurityGroup
Source:
Owner: AWS
SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
Type: AWS::Config::ConfigRule
VpcFlowLogsEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}vpc-flow-logs-enabled'
Source:
Owner: AWS
SourceIdentifier: VPC_FLOW_LOGS_ENABLED
Type: AWS::Config::ConfigRule
VpcSgOpenOnlyToAuthorizedPorts:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}vpc-sg-open-only-to-authorized-ports'
InputParameters:
authorizedTcpPorts:
Fn::If:
- vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
- Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
- Ref: AWS::NoValue
authorizedUdpPorts:
Fn::If:
- vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts
- Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts
- Ref: AWS::NoValue
Scope:
ComplianceResourceTypes:
- AWS::EC2::SecurityGroup
Source:
Owner: AWS
SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
Type: AWS::Config::ConfigRule
Wafv2LoggingEnabled:
Properties:
ConfigRuleName:
Fn::Sub: '${ConfigRuleNamePrefix}wafv2-logging-enabled'
Source:
Owner: AWS
SourceIdentifier: WAFV2_LOGGING_ENABLED
Type: AWS::Config::ConfigRule
Conditions:
# Used to disable config rules in regions (us-gov-west-1, us-gov-east-1) where a given rule is not available
# See:
# - https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html
# - https://gist.github.com/atheiman/f345ea4aa059bf2d2c5dec490547a86f
StandardPartition:
Fn::Equals:
- Ref: AWS::Partition
- aws
acmCertificateExpirationCheckParamDaysToExpiration:
Fn::Not:
- Fn::Equals:
- ''
- Ref: AcmCertificateExpirationCheckParamDaysToExpiration
cloudwatchAlarmActionCheckParamInsufficientDataActionRequired:
Fn::Not:
- Fn::Equals:
- ''
- Ref: CloudwatchAlarmActionCheckParamInsufficientDataActionRequired
cloudwatchAlarmActionCheckParamOkActionRequired:
Fn::Not:
- Fn::Equals:
- ''
- Ref: CloudwatchAlarmActionCheckParamOkActionRequired
ec2VolumeInuseCheckParamDeleteOnTermination:
Fn::Not:
- Fn::Equals:
- ''
- Ref: Ec2VolumeInuseCheckParamDeleteOnTermination
guarddutyNonArchivedFindingsParamDaysHighSev:
Fn::Not:
- Fn::Equals:
- ''
- Ref: GuarddutyNonArchivedFindingsParamDaysHighSev
guarddutyNonArchivedFindingsParamDaysLowSev:
Fn::Not:
- Fn::Equals:
- ''
- Ref: GuarddutyNonArchivedFindingsParamDaysLowSev
guarddutyNonArchivedFindingsParamDaysMediumSev:
Fn::Not:
- Fn::Equals:
- ''
- Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev
iamPasswordPolicyParamMaxPasswordAge:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamMaxPasswordAge
iamPasswordPolicyParamMinimumPasswordLength:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamMinimumPasswordLength
iamPasswordPolicyParamPasswordReusePrevention:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamPasswordReusePrevention
iamPasswordPolicyParamRequireLowercaseCharacters:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireLowercaseCharacters
iamPasswordPolicyParamRequireNumbers:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireNumbers
iamPasswordPolicyParamRequireSymbols:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireSymbols
iamPasswordPolicyParamRequireUppercaseCharacters:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireUppercaseCharacters
iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
redshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade
restrictedIncomingTrafficParamBlockedPort1:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RestrictedIncomingTrafficParamBlockedPort1
restrictedIncomingTrafficParamBlockedPort2:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RestrictedIncomingTrafficParamBlockedPort2
restrictedIncomingTrafficParamBlockedPort3:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RestrictedIncomingTrafficParamBlockedPort3
restrictedIncomingTrafficParamBlockedPort4:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RestrictedIncomingTrafficParamBlockedPort4
restrictedIncomingTrafficParamBlockedPort5:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RestrictedIncomingTrafficParamBlockedPort5
s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts:
Fn::Not:
- Fn::Equals:
- ''
- Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts:
Fn::Not:
- Fn::Equals:
- ''
- Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts
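The template relies on two kinds of CloudFormation conditions: `StandardPartition` (compare `AWS::Partition` with `aws`) drops whole rules in GovCloud, and the per-parameter `Fn::Not`/`Fn::Equals` conditions feed `Fn::If` so that an empty parameter resolves to `AWS::NoValue` and the key disappears from `InputParameters`. The script below is an added example, not part of the gist or of awslabs/aws-config-rules: a small offline evaluator for exactly those intrinsics, run against a constructed template fragment that mirrors two rules from this pack. The parameter defaults `'20'` and `''` in the fragment are constructed, not taken from the page, and the evaluator supports only `Ref`, `Fn::Equals`, `Fn::Not`, `Fn::If` and `Fn::Sub`, which is all this pack uses. It lets you see, before deploying, which rules survive in `aws-us-gov` and which input parameters actually reach AWS Config.

```python
"""Offline evaluator for the partition and parameter gating used in this conformance pack."""
import re

INTRINSICS = {"Ref", "Fn::Equals", "Fn::Not", "Fn::If", "Fn::Sub"}
NO_VALUE = object()  # sentinel standing in for `Ref: AWS::NoValue`

# Constructed fragment mirroring the pack's structure (two rules, not the full template).
TEMPLATE = {
    "Parameters": {
        "ConfigRuleNamePrefix": {"Default": "nist-800-171-", "Type": "String"},
        "RestrictedIncomingTrafficParamBlockedPort1": {"Default": "20", "Type": "String"},  # constructed
        "RestrictedIncomingTrafficParamBlockedPort2": {"Default": "", "Type": "String"},    # constructed
    },
    "Conditions": {
        "StandardPartition": {"Fn::Equals": [{"Ref": "AWS::Partition"}, "aws"]},
        "restrictedIncomingTrafficParamBlockedPort1": {
            "Fn::Not": [{"Fn::Equals": ["", {"Ref": "RestrictedIncomingTrafficParamBlockedPort1"}]}]},
        "restrictedIncomingTrafficParamBlockedPort2": {
            "Fn::Not": [{"Fn::Equals": ["", {"Ref": "RestrictedIncomingTrafficParamBlockedPort2"}]}]},
    },
    "Resources": {
        "RootAccountMfaEnabled": {
            "Condition": "StandardPartition",  # rule is dropped outside the `aws` partition
            "Properties": {
                "ConfigRuleName": {"Fn::Sub": "${ConfigRuleNamePrefix}root-account-mfa-enabled"},
                "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"}},
            "Type": "AWS::Config::ConfigRule"},
        "RestrictedIncomingTraffic": {
            "Properties": {
                "ConfigRuleName": {"Fn::Sub": "${ConfigRuleNamePrefix}restricted-common-ports"},
                "InputParameters": {
                    "blockedPort1": {"Fn::If": ["restrictedIncomingTrafficParamBlockedPort1",
                                                {"Ref": "RestrictedIncomingTrafficParamBlockedPort1"},
                                                {"Ref": "AWS::NoValue"}]},
                    "blockedPort2": {"Fn::If": ["restrictedIncomingTrafficParamBlockedPort2",
                                                {"Ref": "RestrictedIncomingTrafficParamBlockedPort2"},
                                                {"Ref": "AWS::NoValue"}]}},
                "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]},
                "Source": {"Owner": "AWS", "SourceIdentifier": "RESTRICTED_INCOMING_TRAFFIC"}},
            "Type": "AWS::Config::ConfigRule"},
    },
}


class Evaluator:
    """Resolves the subset of intrinsics this pack uses against a partition and parameter values."""

    def __init__(self, template, partition, overrides=None):
        self.conditions = template.get("Conditions", {})
        self.partition = partition
        self.params = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
        self.params.update(overrides or {})  # values supplied at deploy time win over defaults

    def ref(self, name):
        if name == "AWS::NoValue":
            return NO_VALUE
        if name == "AWS::Partition":
            return self.partition
        return self.params[name]

    def condition(self, name):
        return bool(self.resolve(self.conditions[name]))

    def resolve(self, node):
        if isinstance(node, list):
            return [v for v in map(self.resolve, node) if v is not NO_VALUE]
        if isinstance(node, dict):
            if len(node) == 1:
                (fn, arg), = node.items()
                if fn in INTRINSICS:
                    return self.intrinsic(fn, arg)
            # Plain mapping: resolve each value and prune keys that became AWS::NoValue.
            resolved = ((k, self.resolve(v)) for k, v in node.items())
            return {k: v for k, v in resolved if v is not NO_VALUE}
        return node

    def intrinsic(self, fn, arg):
        if fn == "Ref":
            return self.ref(arg)
        if fn == "Fn::Equals":
            left, right = self.resolve(arg)
            return left == right
        if fn == "Fn::Not":
            return not self.resolve(arg[0])
        if fn == "Fn::If":
            name, if_true, if_false = arg
            return self.resolve(if_true if self.condition(name) else if_false)
        if fn == "Fn::Sub":  # only ${Name} substitution, which is all the pack needs
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(self.ref(m.group(1))), arg)
        raise ValueError(f"unsupported intrinsic {fn}")


def render(template, partition, overrides=None):
    """Return {logical id: resolved Properties} for the rules that would be created."""
    ev = Evaluator(template, partition, overrides)
    rules = {}
    for name, res in template["Resources"].items():
        cond = res.get("Condition")
        if cond and not ev.condition(cond):
            continue  # rule is not available in this partition; skip it like CloudFormation does
        rules[name] = ev.resolve(res["Properties"])
    return rules


if __name__ == "__main__":
    for partition in ("aws", "aws-us-gov"):
        for name, props in render(TEMPLATE, partition).items():
            print(partition, props["ConfigRuleName"], props.get("InputParameters", {}))
```

Running it prints the rule names for both partitions; `root-account-mfa-enabled` only appears under `aws`, and `blockedPort2` only appears once a non-empty value is passed in `overrides`, which is exactly the behaviour the `Conditions` block above encodes.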