Config Rules

Repository of AWS Config rule examples, covering both AWS managed and custom Config rules. Each rule includes a customizable CloudFormation template, Terraform configuration and AWS CLI scripts.

Tagging

EC2

Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.

Checks whether security groups that are in use disallow unrestricted incoming SSH traffic (TCP port 22 open to 0.0.0.0/0). This rule applies only to IPv4.

Checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are noncompliant.

Checks whether running instances are using specified AMIs. Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are noncompliant.

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

A config rule that checks instances for specified tenancy. Specify AMI IDs to check instances that are launched from those AMIs or specify host IDs to check whether instances are launched on those Dedicated Hosts. Separate multiple ID values with commas.

Check that no EC2 Instances are in Public Subnet.

Check that security groups do not have an inbound rule with protocol of 'All'.

Check that security groups do not have an inbound rule with port range of 'All'.

Check that security groups prefixed with "launch-wizard" are not associated with network interfaces.

A config rule that checks whether your EC2 instances are of the specified instance types.

A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager (SSM) association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT.

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.

A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not the default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound rules.

A Config rule that checks whether detailed monitoring is enabled for EC2 instances.

A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated.

A Config rule that checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

A Config rule that checks whether EC2 managed instances have the desired configurations.

A Config rule that checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.

A Config rule that checks that none of the specified applications are installed on the instance. Optionally, specify the application version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the rule only to instances running that platform.

A Config rule that checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.

A Config rule that checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.

A config rule that checks whether all private AMIs are not older than X days.

A config rule that checks whether the Amazon Machine Images are not publicly accessible.

A Config rule that checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4.

A Config rule that checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or an elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an Amazon EC2 instance or an ENI

A Config rule that checks whether security groups with an inbound rule from 0.0.0.0/0 in any Amazon Virtual Private Cloud (Amazon VPC) allow only the specified inbound TCP or UDP ports. Any security group with an inbound 0.0.0.0/0 rule is NON_COMPLIANT if you do not provide any ports in the parameters.
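The security-group rules in this section (no protocol 'All', no port range 'All', no unrestricted TCP ports, and 0.0.0.0/0 limited to authorized ports) all come down to inspecting the ipPermissions of an AWS::EC2::SecurityGroup configuration item. The Lambda-backed custom rule below is an added example written for this page, not code from the repository or from AWS. The configuration item shape it reads (ipPermissions entries with ipRanges, ipv4Ranges and ipv6Ranges), the rule parameter names authorizedTcpPorts and authorizedUdpPorts, and the sample security group are all assumptions or constructed for the example.

```python
"""Custom AWS Config rule logic for EC2 security groups (added example)."""
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _open_to_world(perm):
    """True if any source range on this inbound permission is the whole internet.

    Assumed configuration-item shape: legacy `ipRanges` (list of CIDR strings)
    plus `ipv4Ranges`/`ipv6Ranges` (lists of {"cidrIp"/"cidrIpv6": ...}).
    """
    ranges = set(perm.get("ipRanges", []))
    ranges |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    ranges |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(ranges & OPEN_CIDRS)


def evaluate_security_group(configuration, authorized_tcp_ports=(), authorized_udp_ports=()):
    """Return (compliance_type, annotation) for one security group.

    `configuration` is the `configuration` field of an AWS::EC2::SecurityGroup
    configuration item. Flagged regardless of source: protocol "All" (-1) and
    port range "All". Flagged only when the source is 0.0.0.0/0 or ::/0: any
    TCP/UDP port outside the authorized lists, or any other protocol.
    """
    findings = []
    for perm in configuration.get("ipPermissions", []):
        proto = str(perm.get("ipProtocol", "")).lower()
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")

        if proto == "-1":
            findings.append("protocol All inbound")
            continue
        if proto in ("tcp", "udp") and from_port in (None, 0) and to_port in (None, 65535):
            findings.append(f"{proto} port range All inbound")
            continue
        if not _open_to_world(perm):
            continue  # source is restricted; nothing to flag for this rule set
        if proto not in ("tcp", "udp"):
            findings.append(f"{proto} open to the internet")
            continue
        allowed = set(authorized_tcp_ports if proto == "tcp" else authorized_udp_ports)
        unauthorized = sorted(set(range(from_port, to_port + 1)) - allowed)
        if unauthorized:
            shown = ", ".join(str(p) for p in unauthorized[:5])
            findings.append(f"{proto} port(s) {shown} open to the internet")
    if findings:
        # Config caps annotations at 256 characters
        return "NON_COMPLIANT", "; ".join(findings)[:256]
    return "COMPLIANT", "No unrestricted inbound rules"


def lambda_handler(event, context):
    """Lambda entry point for a Config custom rule. boto3 is imported here so
    evaluate_security_group() stays importable and testable without AWS access."""
    import boto3

    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    tcp = [int(p) for p in params.get("authorizedTcpPorts", "").split(",") if p.strip()]
    udp = [int(p) for p in params.get("authorizedUdpPorts", "").split(",") if p.strip()]
    compliance, note = evaluate_security_group(item["configuration"], tcp, udp)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )


# Constructed sample (not captured from a real account): HTTPS and SSH open to the world
SAMPLE_SG = {
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
    ]
}

if __name__ == "__main__":
    print(evaluate_security_group(SAMPLE_SG, authorized_tcp_ports=[443]))
```

With authorizedTcpPorts set to 443 the sample group is NON_COMPLIANT because port 22 is open to the world; adding 22 to the parameter makes it COMPLIANT, which is exactly the trade-off the authorized-ports rule exists to make explicit. The evaluation logic is kept separate from the Lambda handler so it can be unit-tested against captured configuration items before the rule is deployed.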

A Config rule that checks that Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots have the RestorableByUserIds field set to all; a snapshot with that value is public.

A Config rule that checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT if the state of the ec2 instance has been stopped for longer than the allowed number of days.

A Config rule that checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is COMPLIANT if the HttpTokens is set to required and is NON_COMPLIANT if the HttpTokens is set to optional.

A Config rule that checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.

IAM

Checks whether the account password policy for IAM users meets the specified requirements.

Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

Checks whether IAM groups have at least one IAM user.

Checks whether IAM users are members of at least one IAM group.

Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.

A config rule that checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.

A config rule that checks that the AWS Identity and Access Management (IAM) role is attached to all AWS managed policies specified in the list of managed policies. The rule is NON_COMPLIANT if the IAM role is not attached to the IAM managed policy.

A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.

A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.

A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT.

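The administrator-access rule above is a pure policy-document check: find any Allow statement whose Action and Resource are both "*" in the policy's default version. The code below is an added example for this page, not code from the repository or from AWS. It assumes the AWS::IAM::Policy configuration item carries a policyVersionList whose entries have an isDefaultVersion flag and a URL-encoded document (the same encoding the IAM API uses); the sample policies are constructed.

```python
"""Policy-document check behind the "no administrator access" IAM rule (added example)."""
import json
from urllib.parse import quote, unquote


def _as_list(value):
    """IAM allows most policy fields to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy_document):
    """Return the statements that grant Effect Allow, Action "*" on Resource "*".

    `policy_document` is a dict or a JSON string; URL-encoded documents (as
    they appear in IAM API responses and configuration items) are decoded.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(unquote(policy_document))
    hits = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in actions and "*" in resources:
            hits.append(stmt)
    return hits


def evaluate_policy(policy_document):
    """Compliance verdict for one policy document, in Config's vocabulary."""
    hits = admin_statements(policy_document)
    if hits:
        return "NON_COMPLIANT", f"{len(hits)} statement(s) allow Action '*' on Resource '*'"
    return "COMPLIANT", "No full-administrator statement"


def default_version_document(configuration):
    """Pick the default version's document out of an AWS::IAM::Policy
    configuration item. Assumed shape: `policyVersionList` entries carrying
    `isDefaultVersion` and a URL-encoded `document`."""
    for version in configuration.get("policyVersionList", []):
        if version.get("isDefaultVersion"):
            return version["document"]
    raise ValueError("configuration item has no default policy version")


def evaluate_configuration_item(configuration):
    return evaluate_policy(default_version_document(configuration))


def lambda_handler(event, context):
    """Config custom-rule entry point; boto3 imported lazily so the checks above run offline."""
    import boto3

    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_configuration_item(item["configuration"])
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )


# Constructed sample documents (not from a real account)
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}
# v1 was scoped; v2 (the default version) is full admin, so the item is NON_COMPLIANT
SAMPLE_CONFIGURATION = {"arn": "arn:aws:iam::111111111111:policy/example", "policyVersionList": [
    {"versionId": "v1", "isDefaultVersion": False, "document": quote(json.dumps(SCOPED_POLICY))},
    {"versionId": "v2", "isDefaultVersion": True, "document": quote(json.dumps(ADMIN_POLICY))},
]}

if __name__ == "__main__":
    print(evaluate_configuration_item(SAMPLE_CONFIGURATION))
```

Only the default version is evaluated, matching the rule's wording: an older scoped version does not rescue a policy whose current default is full admin, and a Deny statement with Action "*" is correctly ignored because the rule is about Allow.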
A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist.

A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.

A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.

A Config rule that checks that none of your IAM users, groups, or roles (excluding those in exceptionList) have the specified policies attached.

A config rule that checks that inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy.

A config rule that checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM role with one or more trusted entity.

S3

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

Checks whether logging is enabled for your S3 buckets.

Checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.

Checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.

Checks whether versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.

A Config rule that verifies that your Amazon S3 bucket policies do not allow any inter-account permissions beyond those in the control S3 bucket policy that you provide.

A config rule that checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted actions are allowed by the Amazon S3 bucket policy.

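Two of the S3 rules in this section, the SSL-only rule and the blacklisted cross-account actions rule, are both bucket-policy analysis. The code below is an added example for this page, not code from the repository or from AWS: it checks for an explicit Deny of requests with aws:SecureTransport false that covers the bucket and its objects (this example requires the Deny to cover all S3 actions, which is stricter than a minimal policy), and it reports Allow statements that grant a blacklisted action, with IAM wildcards honoured, to a principal outside the bucket owner's account. The bucket name, account IDs and both sample policies are constructed.

```python
"""Bucket-policy checks behind two of the S3 rules above (added example)."""
import fnmatch

DEFAULT_BLACKLIST = ("s3:GetBucket*", "s3:DeleteObject")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Yield the account IDs named in a Principal element, or "*" for anyone."""
    if principal == "*":
        yield "*"
        return
    if not isinstance(principal, dict):
        return  # Service / Federated principals are not AWS accounts
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            yield "*"
        elif entry.isdigit():
            yield entry  # bare account ID
        elif entry.startswith("arn:") and entry.split(":")[2] == "iam":
            yield entry.split(":")[4]  # arn:partition:iam::ACCOUNT:...


def enforces_tls(policy, bucket):
    """True if a Deny statement for every principal and all S3 actions covers
    both the bucket and its objects with Condition Bool aws:SecureTransport false."""
    need = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in set(_principal_accounts(stmt.get("Principal"))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:*", "*"}:
            continue
        if need <= set(_as_list(stmt.get("Resource"))):
            return True
    return False


def cross_account_blacklisted(policy, bucket_account, blacklisted=DEFAULT_BLACKLIST):
    """Return (account, granted_action) pairs where an Allow statement gives a
    principal outside bucket_account an action matching the blacklist.
    Wildcards on either side are honoured (s3:* covers s3:DeleteObject).
    Conditions are not evaluated, so a conditioned grant is still reported."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        foreign = [a for a in _principal_accounts(stmt.get("Principal")) if a != bucket_account]
        if not foreign:
            continue
        for granted in _as_list(stmt.get("Action")):
            g = str(granted).lower()
            if any(fnmatch.fnmatchcase(g, b.lower()) or fnmatch.fnmatchcase(b.lower(), g)
                   for b in blacklisted):
                hits.extend((acct, granted) for acct in foreign)
    return hits


def evaluate_bucket_policy(policy, bucket, bucket_account, blacklisted=DEFAULT_BLACKLIST):
    problems = []
    if not enforces_tls(policy, bucket):
        problems.append("no Deny for aws:SecureTransport=false")
    for acct, action in cross_account_blacklisted(policy, bucket_account, blacklisted):
        problems.append(f"{action} allowed to account {acct}")
    return ("NON_COMPLIANT" if problems else "COMPLIANT", "; ".join(problems) or "ok")


# Constructed sample policies for bucket "example-bucket" owned by 111111111111
_BUCKET_ARNS = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "s3:*", "Resource": _BUCKET_ARNS},
]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": _BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": _BUCKET_ARNS},
]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, evaluate_bucket_policy(pol, "example-bucket", "111111111111"))
```

The weak policy fails on both counts: nothing forces TLS, and the cross-account s3:* grant covers s3:GetBucket* and s3:DeleteObject through the wildcard. The hardened policy keeps the cross-account read access (s3:GetObject and s3:ListBucket are not blacklisted) and adds the TLS Deny, so it evaluates as COMPLIANT. Matching the wildcard in both directions matters: checking only whether a granted action matches the blacklist pattern would miss a bare s3:* grant.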
A Config rule that checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

A Config rule that checks whether S3 buckets have cross-region replication enabled.

A Config rule that checks whether an Amazon Simple Storage Service (Amazon S3) bucket has S3 Object Lock enabled by default. The rule is NON_COMPLIANT if Object Lock is not enabled.

A Config rule that checks whether Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if a bucket is not encrypted with an AWS KMS key.

A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails that log data events for S3 buckets are not configured.

A Config rule that checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.

ELB

Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.

Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.

Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.

A Config rule that checks whether the Application Load Balancers and the Classic Load Balancers have logging enabled. The rule is NON_COMPLIANT if access_logs.s3.enabled is false, or if access_logs.S3.bucket does not equal the s3BucketName that you provided.

A Config rule that checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is applicable if a Classic Load Balancer has listeners.

A Config rule that checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This rule is NON_COMPLIANT if cross-zone load balancing is not enabled for a CLB.

A Config rule that checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

A Config rule that checks whether Elastic Load Balancing has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false

RDS

Checks whether storage encryption is enabled for your RDS DB instances.

Checks whether high availability is enabled for your RDS DB instances. (Note: This rule does not evaluate Amazon Aurora databases.)

Check that no RDS Instances are in Public Subnet.

A config rule that checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances

A Config rule that checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.

A config rule that checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.

A config rule that checks whether Amazon Relational Database Service instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.

A config rule that checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT, if Amazon RDS DB snapshots are not encrypted.

A config rule that checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.

A config rule that checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled i.e deletionProtection is set to false.

A config rule that checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have AWS IAM authentication enabled i.e configuration.iAMDatabaseAuthenticationEnabled is set to false.

A config rule that checks that the respective log types of Amazon Relational Database Service (Amazon RDS) instances are enabled (exported to CloudWatch Logs). The rule is NON_COMPLIANT if any log types are not enabled.

A Config rule that checks whether Amazon RDS databases are present in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan.

CloudTrail

Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use.

Evaluates whether access logging is enabled on the CloudTrail S3 bucket and the S3 bucket is not publicly accessible.

A config rule that checks that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if the trails do not match the input parameters.

A config rule that checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.

A config rule that checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is COMPLIANT if the KmsKeyId is defined.

A config rule that checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled.

A config rule that checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following: records global service events, is a multi-region trail, has log file validation enabled, is encrypted with a KMS key, records events for reads and writes, records management events, and does not exclude any management events.
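The best-practices trail rule above combines most of the individual CloudTrail checks in this section into one "at least one trail passes everything" evaluation. The code below is an added example for this page, not code from the repository or from AWS. It works on the response shapes of cloudtrail:DescribeTrails, GetTrailStatus and GetEventSelectors so that it can be exercised offline on constructed trails; it additionally requires the trail to be actively logging, which the rule description does not list, and it only understands classic event selectors (a trail configured with advanced event selectors is reported as missing management-event coverage).

```python
"""Check behind the "trail defined with security best practices" rule above (added example)."""


def trail_gaps(trail, status, selectors):
    """Return the best-practice properties this trail is missing.

    trail:     one element of DescribeTrails()["trailList"]
    status:    the GetTrailStatus() response for that trail
    selectors: GetEventSelectors()["EventSelectors"] (classic selectors)
    Checks the properties the rule lists, plus that the trail is actually
    logging (an extra this example adds). Trails using advanced event
    selectors return no classic selectors and are reported as missing
    management-event coverage; extend the check before relying on it there.
    """
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("multi-region")
    if not trail.get("IncludeGlobalServiceEvents"):
        gaps.append("global service events")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation")
    if not trail.get("KmsKeyId"):
        gaps.append("KMS encryption")
    if not status.get("IsLogging"):
        gaps.append("logging")
    covers_management = any(
        s.get("IncludeManagementEvents")
        and s.get("ReadWriteType") == "All"
        and not s.get("ExcludeManagementEventSources")
        for s in selectors
    )
    if not covers_management:
        gaps.append("management events for reads and writes with nothing excluded")
    return gaps


def evaluate_trails(trails):
    """COMPLIANT if at least one (trail, status, selectors) triple has no gaps."""
    report = {trail["Name"]: trail_gaps(trail, status, selectors)
              for trail, status, selectors in trails}
    for name, gaps in report.items():
        if not gaps:
            return "COMPLIANT", f"trail {name} meets all best-practice checks"
    detail = "; ".join(f"{n}: missing {', '.join(g)}" for n, g in report.items())
    return "NON_COMPLIANT", detail or "no trails defined"


def fetch_trails(region_name=None):
    """Pull the live inputs with boto3 (imported lazily so the checks run offline)."""
    import boto3

    ct = boto3.client("cloudtrail", region_name=region_name)
    for trail in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        arn = trail["TrailARN"]
        yield (trail, ct.get_trail_status(Name=arn),
               ct.get_event_selectors(TrailName=arn).get("EventSelectors", []))


# Constructed samples (not from a real account)
GOOD_TRAIL = (
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/example"},
    {"IsLogging": True},
    [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
)
WEAK_TRAIL = (
    {"Name": "legacy", "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": False},
    {"IsLogging": True},
    [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
)

if __name__ == "__main__":
    print(evaluate_trails([WEAK_TRAIL, GOOD_TRAIL]))
```

Against live data, evaluate_trails(fetch_trails()) gives the same verdict the rule would, and the annotation lists per trail what is missing, which is more useful in a finding than a bare NON_COMPLIANT. Note that describe_trails is called with includeShadowTrails=False so a multi-region trail homed in another region is not counted twice; run the check in the trail's home region.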
ACM

Checks whether ACM Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.

Lambda

Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access it is noncompliant.

A Config rule that checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.

A config rule that checks that all Lambda functions have at least one published version and one alias, and that no alias points to the $LATEST version.

A config rule that checks whether the AWS Lambda function is configured for function-level concurrent execution limit.

A config rule that checks whether the AWS Lambda function is in a VPC or not

A config rule that checks whether each Lambda function has permission to log. Each Lambda function should have an IAM execution role with the IAM permissions needed to publish its logs to CloudWatch Logs.

A Config rule that checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue

GuardDuty

A Config rule that checks whether Amazon GuardDuty is enabled in your AWS account and region. If you provide an AWS account for centralization, the rule evaluates the Amazon GuardDuty results in the centralized account. The rule is compliant when Amazon GuardDuty is enabled.

A config rule that checks whether GuardDuty has untreated findings.

EKS

A config rule that checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.

A config rule that checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

DynamoDB

A config rule that checks whether Auto Scaling is enabled on your DynamoDB tables and/or global secondary indexes. Optionally you can set the read and write capacity units for the table or global secondary index.

A config rule that checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling.

A config rule that checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80% of your account limits.

A config rule that checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if point in time recovery is not enabled for Amazon DynamoDB tables.

A config rule that checks whether Amazon DynamoDB tables are encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if a DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the KMS key used for encryption is not listed in the kmsKeyArns input parameter.

A config rule that checks that DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.

A Config rule that checks whether Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables are not present in any AWS Backup plan.

WAF

A Config rule that checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). This rule is NON_COMPLIANT if key: waf.enabled is set to false.

A Config rule that checks whether logging is enabled on AWS WAF (WAFV2) regional and global web access control lists (web ACLs). The rule is NON_COMPLIANT if logging is not enabled, or if logging is enabled but the logging destination does not match the value of the parameter.

A Config rule that checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.

A config rule that checks whether the web ACL is associated with an Application Load Balancer or Amazon CloudFront distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS policy and can optionally enable remediation.

A config rule that checks that the rule groups associate with the web ACL at the correct priority. The correct priority is decided by the rank of the rule groups in the ruleGroups parameter. When AWS Firewall Manager creates this rule, it assigns the highest priority 0 followed by 1, 2, and so on. The FMS policy owner specifies the ruleGroups rank in the FMS policy and can optionally enable remediation.

VPC

A config rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.

A Config rule that checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.

A config rule that checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.

A Config rule that checks whether a VPC endpoint for the service given in the rule parameter exists in each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.

A config rule that checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if Amazon VPC does not have subnets that are assigned a public IP address. The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.

KMS

A config rule that checks that key rotation is enabled for each customer master key (CMK). The rule is COMPLIANT if key rotation is enabled for the key. The rule is not applicable to CMKs that have imported key material.

A config rule that checks that Customer Managed keys are not scheduled for deletion

CloudWatch

A Config rule that checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. Optionally, checks whether any of the actions matches one of the specified ARNs.

A Config rule that checks whether the specified resource type has a CloudWatch alarm for the specified metric. For resource type, you can specify EBS volumes, EC2 instances, RDS clusters, or S3 buckets.

A Config rule that checks whether CloudWatch alarms with the given metric name have the specified settings.

A Config rule that checks whether a log group in Amazon CloudWatch Logs is encrypted. The rule is NON_COMPLIANT if CloudWatch Logs has a log group without encryption enabled

A Config rule that checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is not set or is less than the configured retention period.

Security Hub

A config rule that checks that AWS Security Hub is enabled for an AWS account. The rule is NON_COMPLIANT if Security Hub is not enabled.

CodeBuild

A config rule that checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contains plaintext credentials.

A config rule that checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password. The rule is COMPLIANT with the usage of OAuth to grant authorization for accessing GitHub or Bitbucket repositories.

CloudFormation

A config rule that checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether specified SNS topics are used.

A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.

Redshift

A config rule that checks whether Amazon Redshift clusters have the specified settings.

A config rule that checks whether Amazon Redshift clusters have the specified maintenance settings.

A Config rule that checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration item.

A Config rule that checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.

A Config rule that checks that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or less than MinRetentionPeriod or the value is 0.

API Gateway

A config rule that checks that Amazon API Gateway APIs are of the specified endpoint type (allowed values are REGIONAL, PRIVATE and EDGE).

A config rule that checks that methods in an Amazon API Gateway stage for deployed APIs have 'loggingLevel' as one of the values specified in the rule parameter 'loggingLevel'.

A config rule that checks that all APIs are private or regional, and not edge optimised.

A config rule that checks that all private APIs use a resource policy that restricts access to VPC endpoints or VPCs in the same AWS account.

A config rule that checks that non-private API Gateway APIs have a resource-based policy that limits their use by source IP address.

A Config rule that checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate.

A Config rule that checks if X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule will return COMPLIANT if X-Ray tracing is enabled, NON_COMPLIANT otherwise.

CloudFront

A config rule that checks whether your CloudFront distribution has been configured to store logs in an authorized S3 bucket.

A config rule that checks whether your Amazon CloudFront Distributions use HTTPS (directly or via a redirection).

A config rule that checks if an Amazon CloudFront distribution is configured to return a specific object as the default root object. The rule is NON_COMPLIANT if the CloudFront distribution does not have a default root object configured.

A config rule that checks that Amazon CloudFront distributions with an Amazon S3 origin have an Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any origin of the Amazon S3 type does not have an OAI configured.

A config rule that checks whether an origin group with at least 2 origins is configured for the Amazon CloudFront distribution. This rule is NON_COMPLIANT if there are no origin groups for the distribution.

A config rule that checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.

Elasticsearch

A config rule that checks whether Amazon Elasticsearch Service (Amazon ES) domains have the encryption-at-rest configuration enabled.

A config rule that checks whether Amazon Elasticsearch domains are deployed within a VPC rather than exposed as a public endpoint.

A Config rule that checks that Amazon Elasticsearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if node-to-node encryption is disabled on the domain.

Support

A config rule that checks whether the Enterprise Support Plan is enabled for an AWS Account.

A config rule that checks whether the AWS Account is subscribed to the AWS Business Support Plan or above (i.e. Enterprise).

EFS

A Config rule that checks whether Amazon Elastic File System (Amazon EFS) file systems are configured to encrypt file data using AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Encrypted key is set to False in DescribeFileSystems or, if specified, the KmsKeyId key in DescribeFileSystems does not match the KmsKeyId parameter.

A Config rule that checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans.

ALB

A Config rule that checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured.

A Config rule that evaluates Application Load Balancers (ALBs) to ensure they are configured to drop invalid HTTP header fields. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.

Shield

A Config rule that checks whether an Application Load Balancer, Amazon CloudFront distribution, Elastic Load Balancer or Elastic IP has AWS Shield protection. For Application Load Balancers and Amazon CloudFront distributions, this rule also checks whether a web ACL is associated.

A Config rule that checks whether AWS Shield Advanced is enabled in your AWS account and this subscription is set to automatically renew.

A config rule that checks that the DDoS Response Team (DRT) can access the AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for DRT access is not configured.

EMR

A config rule that checks that Amazon EMR clusters' security groups are not open to the world. This rule only checks clusters in RUNNING or WAITING state.

A Config rule that checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.

A config rule that checks that EMR clusters have Kerberos enabled.

SageMaker

A config rule that checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled.

A config rule that checks whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if kmsKeyId is not specified for the Amazon SageMaker notebook instance.

A config rule that checks whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if KmsKeyId is not specified for the Amazon SageMaker endpoint configuration.

DMS

A config rule that checks whether AWS Database Migration Service replication instances are public. The rule is NON_COMPLIANT if the PubliclyAccessible field is true.

ElastiCache

A Config rule that checks if the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter.

Secrets Manager

A config rule that checks whether an AWS Secrets Manager secret has rotation enabled. The rule also checks an optional maximumAllowedRotationFrequency parameter.

A config rule that checks whether AWS Secrets Manager secret rotation has completed successfully according to the rotation schedule.

A config rule that checks if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.

A config rule that checks if all secrets in AWS Secrets Manager are encrypted using an AWS Key Management Service (AWS KMS) customer master key (CMK). This rule is COMPLIANT if a secret is encrypted using an AWS KMS CMK. This rule is NON_COMPLIANT if a secret is encrypted using the default AWS KMS key.

SNS

A config rule that checks whether an Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Amazon SNS topic is not encrypted with AWS KMS. The rule is also NON_COMPLIANT when the KMS key used for encryption is not present in the kmsKeyIds input parameter.

Organizations

A Config rule that checks whether the AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if the AWS account is not part of AWS Organizations or the AWS Organizations master account ID does not match the rule parameter MasterAccountId.

Elastic Beanstalk

A Config rule that checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting. The rule is COMPLIANT if the environment is configured for enhanced health reporting. The rule is NON_COMPLIANT if the environment is configured for basic health reporting.

A Config rule that checks if managed platform updates are enabled in an AWS Elastic Beanstalk environment. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configuration.

CodePipeline

A Config rule that checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment. Optionally checks whether each subsequent stage deploys to more than the specified number of deployments (deploymentLimit).

A Config rule that checks if each stage in the AWS CodePipeline deploys to more than N times the number of regions the pipeline has deployed to in all previous stages combined, where N is the region fanout number. The first deployment stage can deploy to a maximum of one region and the second deployment stage can deploy to the maximum number specified in regionFanoutFactor. If you do not provide a regionFanoutFactor, the default value is three. For example: if the 1st deployment stage deploys to one region and the 2nd deployment stage deploys to three regions, the 3rd deployment stage can deploy to 12 regions, that is, the sum of the previous stages multiplied by the region fanout number (three). The rule is NON_COMPLIANT if the deployment is in more than one region in the 1st stage, three regions in the 2nd stage or 12 regions in the 3rd stage.
