Repository of AWS Config rule examples, both AWS managed and custom Config rules. Each rule includes a customizable CloudFormation template and AWS CLI scripts.

EC2
EBS Encrypted Volumes Check

Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.

CloudFormation | Terraform | AWS CLI
Security Groups SSH Restricted Check

Checks whether security groups in use do not allow unrestricted incoming SSH traffic. This rule applies only to IPv4.

CloudFormation | Terraform | AWS CLI
EC2 Approved AMIs Check (by AMI ID)

Checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are noncompliant.

CloudFormation | Terraform | AWS CLI
EC2 Approved AMIs Check (by AMI Tag)

Checks whether running instances are using specified AMIs. Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are noncompliant.

CloudFormation | Terraform | AWS CLI
Security Groups Unrestricted Common Ports Check

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

CloudFormation | Terraform | AWS CLI
EC2 Desired Instance Tenancy Setting Check

A config rule that checks instances for specified tenancy. Specify AMI IDs to check instances that are launched from those AMIs or specify host IDs to check whether instances are launched on those Dedicated Hosts. Separate multiple ID values with commas.

CloudFormation | Terraform | AWS CLI
No EC2 Instances in Public Subnets Check

Checks that no EC2 instances are in a public subnet.

CloudFormation | Terraform | AWS CLI
Security Groups Do Not Allow All Protocols Check

Checks that security groups do not have an inbound rule with a protocol of 'All'.

CloudFormation | Terraform | AWS CLI
Security Groups Do Not Allow All Ports Check

Checks that security groups do not have an inbound rule with a port range of 'All'.

CloudFormation | Terraform | AWS CLI
Launch Wizard Security Groups are Not Used Check

Checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.

CloudFormation | Terraform | AWS CLI
EC2 Desired Instance Type Check

A config rule that checks whether your EC2 instances are of the specified instance types.

CloudFormation | Terraform | AWS CLI
EC2 Instances Managed by Systems Manager (SSM) Check

A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

CloudFormation | Terraform | AWS CLI
EC2 SSM Association Compliance Status Check

A Config rule that checks whether the Amazon EC2 Systems Manager (SSM) association compliance status is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the status field is COMPLIANT.

CloudFormation | Terraform | AWS CLI
EC2 SSM Patch Compliance Status Check

A Config rule that checks whether the Amazon EC2 Systems Manager patch compliance status is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the status field is COMPLIANT.

CloudFormation | Terraform | AWS CLI
Default Security Group Closed Check

A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not the default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound rules.

CloudFormation | Terraform | AWS CLI
ec2-instance-detailed-monitoring-enabled

A Config rule that checks whether detailed monitoring is enabled for EC2 instances.

CloudFormation | Terraform | AWS CLI
EC2 Unused EBS Volumes Check

A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated.

CloudFormation | Terraform | AWS CLI
Unattached Elastic IPs (EIP) Check

A Config rule that checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

CloudFormation | Terraform | AWS CLI
ec2-managedinstance-platform-check

A Config rule that checks whether EC2 managed instances have the desired configurations.

CloudFormation | Terraform | AWS CLI
EC2 Check Required Applications Check (SSM)

A Config rule that checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormation | Terraform | AWS CLI
EC2 Check Blacklisted Applications Check (SSM)

A Config rule that checks that none of the specified applications are installed on the instance. Optionally, specify the application version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormation | Terraform | AWS CLI
EC2 Check Blacklisted Inventory (SSM)

A Config rule that checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.

CloudFormation | Terraform | AWS CLI
EC2 EBS Default Encryption Enabled

A Config rule that checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.

CloudFormation | Terraform | AWS CLI
Outdated AMI Check

A config rule that checks whether all private AMIs are not older than X days.

CloudFormation | Terraform | AWS CLI
No Public AMI Check

A config rule that checks whether the Amazon Machine Images are not publicly accessible.

CloudFormation | Terraform | AWS CLI
EC2 Instances No Public IP Check

A Config rule that checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4.

CloudFormation | Terraform | AWS CLI
Security Groups are Attached to ENIs Check

A Config rule that checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an Amazon EC2 instance or an ENI.

CloudFormation | Terraform | AWS CLI
Security Groups Open to Specific Ports Only

A Config rule that checks whether any security group in an Amazon Virtual Private Cloud (Amazon VPC) with an inbound 0.0.0.0/0 rule allows only the specified inbound TCP or UDP traffic. If you do not provide any ports in the parameters, every security group with an inbound 0.0.0.0/0 rule is NON_COMPLIANT.

CloudFormation | Terraform | AWS CLI
EBS Snapshots Not Publicly Restorable Check

A Config rule that checks whether Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if the RestorableByUserIds field of one or more snapshots is set to all. If this field is set to all, the Amazon EBS snapshot is public.

CloudFormation | Terraform | AWS CLI
EC2 Stopped Instances Check

A Config rule that checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT if the EC2 instance has been in the stopped state for longer than the allowed number of days.

CloudFormation | Terraform | AWS CLI
EC2 Instance Metadata Service v2 (IMDSv2) Configured

A Config rule that checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata is configured to use Instance Metadata Service Version 2 (IMDSv2). The rule is COMPLIANT if HttpTokens is set to required and NON_COMPLIANT if HttpTokens is set to optional.

CloudFormation | Terraform | AWS CLI
EBS Volume in AWS Backup Plan Check

A Config rule that checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.

CloudFormation | Terraform | AWS CLI
EC2 Auto Scaling Group Capacity Rebalancing is Enabled

A Config rule that checks if capacity rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.

CloudFormation | Terraform | AWS CLI
Auto Scaling Groups have Public IP disabled in Launch Configurations

A Config rule that checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is NON_COMPLIANT if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to true.

CloudFormation | Terraform | AWS CLI
Auto Scaling Group Enforces IMDSv2 in Launch Configuration

A Config rule that checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled.

CloudFormation | Terraform | AWS CLI
Auto Scaling Group Enforces IMDSv2 Hop Limit in Launch Configuration

A Config rule that checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1.

CloudFormation | Terraform | AWS CLI
Auto Scaling Group Spans Multiple AZs

A Config rule that checks if the Auto Scaling group spans multiple Availability Zones. The rule is NON_COMPLIANT if the Auto Scaling group does not span multiple Availability Zones.

CloudFormation | Terraform | AWS CLI
Auto Scaling Groups Use Multiple EC2 Instance Types

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. This rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined.

CloudFormation | Terraform | AWS CLI
EC2 Instance No Multiple ENIs Check

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This rule is NON_COMPLIANT if an Amazon EC2 instance uses multiple network interfaces.

CloudFormation | Terraform | AWS CLI
EC2 Instance Profile Attached

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is NON_COMPLIANT if no IAM profile is attached to the Amazon EC2 instance.

CloudFormation | Terraform | AWS CLI
EC2 Instance No Amazon Key Pair Check

A Config rule that checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using Amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.

CloudFormation | Terraform | AWS CLI
No EC2 Paravirtual Instances Check

A Config rule that checks if the virtualization type of an EC2 instance is paravirtual. This rule is NON_COMPLIANT for an EC2 instance if virtualizationType is set to paravirtual.

CloudFormation | Terraform | AWS CLI
EC2 IMDSv2 Token Hop Limit Check

A Config rule that checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit. The rule is NON_COMPLIANT for an instance if it has a hop limit value above the intended limit.

CloudFormation | Terraform | AWS CLI
Transit Gateway Auto VPC Attach is Disabled

A Config rule that checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have AutoAcceptSharedAttachments enabled. The rule is NON_COMPLIANT for a Transit Gateway if AutoAcceptSharedAttachments is set to enable.

CloudFormation | Terraform | AWS CLI
EC2 Instance EBS Optimization is Enabled

A Config rule that checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an EC2 instance that can be EBS-optimized.

CloudFormation | Terraform | AWS CLI
Check if EC2 Auto Scaling group is created from an EC2 launch template

Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. The rule is NON_COMPLIANT if the scaling group is not created from an EC2 launch template.

CloudFormation | Terraform
Create a rule to check if a recovery point was created for Amazon EC2 instances

Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. The rule is NON_COMPLIANT if the Amazon EC2 instance does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
EC2 Launch Template Public IP Disabled

Checks if Amazon EC2 Launch Templates are set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with 'AssociatePublicIpAddress' set to 'true'.

CloudFormation | Terraform
Check EC2 Managed Instances for Blacklisted Inventory Types

Checks whether instances managed by Amazon EC2 Systems Manager are configured to collect blacklisted inventory types.

CloudFormation | Terraform
Check non-default security groups attached to ENIs

Checks if non-default security groups are attached to elastic network interfaces (ENIs). The rule is NON_COMPLIANT if the security group is not associated with an ENI. Security groups not owned by the calling account evaluate as NOT_APPLICABLE.

CloudFormation | Terraform
EC2 Instances in VPC

Checks if your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to associate with your instances.

CloudFormation | Terraform
IAM
IAM Password Policy Settings Check

Checks whether the account password policy for IAM users meets the specified requirements.

CloudFormation | Terraform | AWS CLI
Root Account MFA Enabled Check

Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

CloudFormation | Terraform | AWS CLI
Empty IAM Groups Check

Checks whether IAM groups have at least one IAM user.

CloudFormation | Terraform | AWS CLI
All IAM Users Belong to IAM Groups Check

Checks whether IAM users are members of at least one IAM group.

CloudFormation | Terraform | AWS CLI
IAM Policies Not Attached to IAM Users Directly Check

Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.

CloudFormation | Terraform | AWS CLI
IAM Users MFA Enabled Check

A config rule that checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.

CloudFormation | Terraform | AWS CLI
Required IAM Policies for IAM Roles Check

A config rule that checks that the AWS Identity and Access Management (IAM) role is attached to all AWS managed policies specified in the list of managed policies. The rule is NON_COMPLIANT if the IAM role is not attached to the IAM managed policy.

CloudFormation | Terraform | AWS CLI
Root Account Hardware MFA Check

A config rule that checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.

CloudFormation | Terraform | AWS CLI
IAM Access Keys Rotated Check

A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.

CloudFormation | Terraform | AWS CLI
IAM Policies don't allow Admin Access Check

A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT.

CloudFormation | Terraform | AWS CLI
Root Access Keys Does Not Exist Check

A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist.

CloudFormation | Terraform | AWS CLI
IAM Users Unused Credentials Check

A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.

CloudFormation | Terraform | AWS CLI
Mfa Enabled for IAM Console Access

A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.

CloudFormation | Terraform | AWS CLI
IAM Blacklisted Policies Check

A Config rule that checks that none of your IAM users, groups, or roles (excluding those in exceptionList) have the specified policies attached.

CloudFormation | Terraform | AWS CLI
No Inline IAM Policies Allowed Check

A config rule that checks that inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy.

CloudFormation | Terraform | AWS CLI
Mandatory IAM Policy In Use Check

A config rule that checks whether the IAM policy ARN is attached to an IAM user, to an IAM group with one or more IAM users, or to an IAM role with one or more trusted entities.

CloudFormation | Terraform | AWS CLI
IAM Customer Policy Blocked KMS Actions

Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy.

CloudFormation | Terraform
Block IAM Inline Policy KMS Actions

Checks if the inline policies attached to your IAM users, roles, and groups do not allow blocked actions on all AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.

CloudFormation | Terraform
IAM Policy No Statements With Full Access

Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources. The rule is NON_COMPLIANT if any customer managed IAM policy allows full access to at least 1 AWS service.

CloudFormation | Terraform
S3
S3 Bucket SSL Requests Only

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

CloudFormation | Terraform | AWS CLI
S3 Bucket Logging Enabled Check

Checks whether logging is enabled for your S3 buckets.

CloudFormation | Terraform | AWS CLI
S3 Bucket Public Read Disabled Check

Checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.

CloudFormation | Terraform | AWS CLI
S3 Bucket Public Write Disabled Check

Checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.

CloudFormation | Terraform | AWS CLI
S3 Bucket Server Side Encryption Enabled Check

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.

CloudFormation | Terraform | AWS CLI
S3 Bucket Versioning Enabled Check

Checks whether versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.

CloudFormation | Terraform | AWS CLI
s3-bucket-policy-not-more-permissive

A Config rule that verifies that your Amazon S3 bucket policies do not allow other inter-account permissions than the control S3 bucket policy that you provide.

CloudFormation | Terraform | AWS CLI
s3-blacklisted-actions-prohibited

A config rule that checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted actions are allowed by the Amazon S3 bucket policy.

CloudFormation | Terraform | AWS CLI
S3 Bucket Policy Grantee Check

A Config rule that checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

CloudFormation | Terraform | AWS CLI
S3 Bucket Replication Enabled

A Config rule that checks whether S3 buckets have cross-region replication enabled.

CloudFormation | Terraform | AWS CLI
S3 Bucket Default Lock Enabled

A Config rule that checks whether an Amazon Simple Storage Service (Amazon S3) bucket has lock enabled by default. The rule is NON_COMPLIANT if the lock is not enabled.

CloudFormation | Terraform | AWS CLI
S3 Bucket Default Encryption with KMS Enabled

A Config rule that checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if an Amazon S3 bucket is not encrypted with an AWS KMS key.

CloudFormation | Terraform | AWS CLI
CloudTrail Data Events are Enabled for S3 Buckets Check

A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails that log data events for S3 buckets are not configured.

CloudFormation | Terraform | AWS CLI
S3 Block Public Access Enabled (Account-Level)

A Config rule that checks whether the required public access block settings are configured at the account level. The rule is only NON_COMPLIANT when the fields set in the parameters do not match the corresponding fields in the configuration item.

CloudFormation | Terraform | AWS CLI
S3 Event Notifications Enabled

A Config rule that checks if Amazon S3 Event Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Event Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters.

CloudFormation | Terraform | AWS CLI
S3 Lifecycle Policy Check

A Config rule that checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there are no active lifecycle configuration rules or the configuration does not match the parameter values.

CloudFormation | Terraform | AWS CLI
S3 Version Lifecycle Policy Check

A Config rule that checks if version-enabled Amazon Simple Storage Service (Amazon S3) buckets have a lifecycle policy configured. The rule is NON_COMPLIANT if an Amazon S3 lifecycle policy is not enabled.

CloudFormation | Terraform | AWS CLI
Check public access block settings at account level

Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLIANT if the configuration item does not match one or more settings from the parameters (or the defaults).

CloudFormation | Terraform
Prohibit ACLs in S3 Buckets

Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). The rule is NON_COMPLIANT if ACLs are configured for user access in Amazon S3 Buckets.

CloudFormation | Terraform
Prohibit Public Access at S3 Bucket Level

Checks if S3 buckets are publicly accessible. The rule is NON_COMPLIANT if an S3 bucket is not listed in the `excludedPublicBuckets` parameter and bucket level settings are public.

CloudFormation | Terraform
Load Balancer
Classic Load Balancer ACM Certificate Required

Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.

CloudFormation | Terraform | AWS CLI
Classic Load Balancer Custom SSL Security Policy Check

Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.

CloudFormation | Terraform | AWS CLI
elb-predefined-security-policy-ssl-check

Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.

CloudFormation | Terraform | AWS CLI
ELB Logging Enabled

A Config rule that checks whether the Application Load Balancers and the Classic Load Balancers have logging enabled. The rule is NON_COMPLIANT if access_logs.s3.enabled is true and access_logs.S3.bucket is equal to the s3BucketName that you provided.

CloudFormation | Terraform | AWS CLI
ELB HTTPS Listeners Only Check

A Config rule that checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is applicable if a Classic Load Balancer has listeners.

CloudFormation | Terraform | AWS CLI
ELB Cross AZ Load Balancing Enabled

A Config rule that checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This rule is NON_COMPLIANT if cross-zone load balancing is not enabled for a CLB.

CloudFormation | Terraform | AWS CLI
ELB Health Checks are Configured for Auto Scaling Groups

A Config rule that checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

CloudFormation | Terraform | AWS CLI
ELB Deletion Protection Enabled Check

A Config rule that checks whether Elastic Load Balancing has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false.

CloudFormation | Terraform | AWS CLI
Load Balancer ACM Certificate Required

A Config rule that checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured without a certificate from ACM or is configured with a certificate different from an ACM certificate.

CloudFormation | Terraform | AWS CLI
Load Balancer Multiple AZ Check

A Config rule that checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZs). The rule is NON_COMPLIANT if an Elastic Load Balancer V2 has instances registered in less than 2 AZs.

CloudFormation | Terraform | AWS CLI
RDS
RDS Storage Encrypted Check

Checks whether storage encryption is enabled for your RDS DB instances.

CloudFormation | Terraform | AWS CLI
RDS Multi-AZ HA Enabled Check

Checks whether high availability is enabled for your RDS DB instances. (Note: This rule does not evaluate Amazon Aurora databases.)

CloudFormation | Terraform | AWS CLI
No RDS Instances in Public Subnets Check

Checks that no RDS instances are in a public subnet.

CloudFormation | Terraform | AWS CLI
RDS Enhanced Monitoring Enabled

A config rule that checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.

CloudFormation | Terraform | AWS CLI
RDS Public Snapshots Prohibited Check

A Config rule that checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.

CloudFormation | Terraform | AWS CLI
RDS Backup Enabled Check

A config rule that checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.

CloudFormation | Terraform | AWS CLI
RDS Instances Public Access Prohibited Check

A config rule that checks whether the Amazon Relational Database Service instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.

CloudFormation | Terraform | AWS CLI
RDS Snapshot Encrypted Check

A config rule that checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT if Amazon RDS DB snapshots are not encrypted.

CloudFormation | Terraform | AWS CLI
RDS Cluster Deletion Protection Enabled

A config rule that checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.

CloudFormation | Terraform | AWS CLI
RDS Instance Deletion Protection Enabled

A config rule that checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled, i.e., deletionProtection is set to false.

CloudFormation | Terraform | AWS CLI
RDS Instance IAM Authentication Enabled Check

A config rule that checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have AWS IAM authentication enabled, i.e., configuration.iAMDatabaseAuthenticationEnabled is set to false.

CloudFormation | Terraform | AWS CLI
RDS Instance Logging Enabled Check

A config rule that checks whether the respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is NON_COMPLIANT if any log types are not enabled.

CloudFormation | Terraform | AWS CLI
RDS Database in AWS Backup Plan Check

A Config rule that checks whether Amazon RDS databases are present in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan.

CloudFormation | Terraform | AWS CLI
RDS DB Security Group Not Allowed

A Config rule that checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.

CloudFormation | Terraform | AWS CLI
RDS Instance Default Admin Check

A Config rule that checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value. This rule will only run on RDS database instances. The rule is NON_COMPLIANT if the admin username is set to the default value.

CloudFormation | Terraform | AWS CLI
Aurora MySQL Backtracking Enabled

A Config rule that checks if an Amazon Aurora MySQL cluster has backtracking enabled. This rule is NON_COMPLIANT if the Aurora cluster uses MySQL and it does not have backtracking enabled.

CloudFormation | Terraform | AWS CLI
RDS Automatic Minor Version Upgrade Enabled

A Config rule that checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of autoMinorVersionUpgrade is false.

CloudFormation | Terraform | AWS CLI
RDS Cluster IAM Authentication is Enabled

A Config rule that checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an RDS Cluster does not have IAM authentication enabled.

CloudFormation | Terraform | AWS CLI
Check if RDS cluster has default admin username

Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username is set to the default value.

CloudFormation | Terraform
RDS Cluster Encrypted at Rest

Checks if an Amazon Relational Database Service (Amazon RDS) cluster is encrypted at rest. The rule is NON_COMPLIANT if an Amazon RDS cluster is not encrypted at rest.

CloudFormation | Terraform
Check if Multi-AZ replication is enabled on Amazon RDS clusters

Checks if Multi-Availability Zone (Multi-AZ) replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if an Amazon RDS instance is not configured with Multi-AZ.

CloudFormation | Terraform
CloudTrail
CloudTrail Enabled Check

Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use.

CloudFormation | Terraform | AWS CLI
CloudTrail's S3 Bucket Access Logging Enabled Check

Evaluates whether access logging is enabled on the CloudTrail S3 bucket and the S3 bucket is not publicly accessible.

CloudFormation | Terraform | AWS CLI
CloudTrail Multi-Region Trail Enabled Check

A config rule that checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match the input parameters.

CloudFormation | Terraform | AWS CLI
CloudTrail to CloudWatch Logs Enabled Check

A config rule that checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.

CloudFormation | Terraform | AWS CLI
CloudTrail Encryption Enabled Check

A config rule that checks whether AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). The rule is COMPLIANT if the KmsKeyId is defined.

CloudFormation | Terraform | AWS CLI
CloudTrail Log File Validation Enabled Check

A config rule that checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that file validation be enabled on all trails. The rule is NON_COMPLIANT if validation is not enabled.

CloudFormation | Terraform | AWS CLI
CloudTrail Best Practices Configured

A config rule that checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following: records global service events, is a multi-region trail, has log file validation enabled, is encrypted with a KMS key, records events for reads and writes, records management events, and does not exclude any management events.

CloudFormation | Terraform | AWS CLI
Lambda
Lambda Public Access Prohibited Check

Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access it is noncompliant.

CloudFormation | Terraform | AWS CLI
Lambda Function Settings Check

A Config rule that checks that the Lambda function settings for runtime, role, timeout, and memory size match the expected values.

CloudFormation | Terraform | AWS CLI
Lambda Code is Versioned Check

A config rule that checks that all Lambda functions have at least one defined version and alias, and that no alias points to the $LATEST version.

CloudFormation | Terraform | AWS CLI
Lambda Concurrency Limit is Configured Check

A config rule that checks whether the AWS Lambda function is configured with a function-level concurrent execution limit.

CloudFormation | Terraform | AWS CLI
Lambda Inside a VPC Check

A config rule that checks whether the AWS Lambda function is in a VPC.

CloudFormation | Terraform | AWS CLI
Lambda Logging Allowed by IAM Role

A config rule that checks whether each Lambda function has permission for logging. Each Lambda function should have an IAM role with appropriate IAM permissions to publish its function logs to CloudWatch.

CloudFormation | Terraform | AWS CLI
Lambda Dead Letter Queue (DLQ) Enabled Check

A Config rule that checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue.

CloudFormation | Terraform | AWS CLI
Lambda VPC Multiple AZ Check

A Config rule that checks if a Lambda function has more than 1 availability zone associated. The rule is NON_COMPLIANT if only 1 availability zone is associated with the Lambda function, or if the number of associated availability zones is less than the number specified in the optional parameter.

CloudFormation | Terraform | AWS CLI
DynamoDB
DynamoDB AutoScaling Enabled Check

A config rule that checks whether Auto Scaling is enabled on your DynamoDB tables and/or global secondary indexes. Optionally you can set the read and write capacity units for the table or global secondary index.

CloudFormation | Terraform | AWS CLI
DynamoDB Encryption Enabled Check

A config rule that checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling.

CloudFormation | Terraform | AWS CLI
DynamoDB Throughput Limit Check

A config rule that checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80% of your account limits.

CloudFormation | Terraform | AWS CLI
DynamoDB Point In Time Recovery (PITR) Enabled

A config rule that checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if point in time recovery is not enabled for Amazon DynamoDB tables.

CloudFormation | Terraform | AWS CLI
DynamoDB Table Encrypted with KMS

A config rule that checks whether an Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if the DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the AWS KMS key used for encryption is not listed in the kmsKeyArns input parameter.

CloudFormation | Terraform | AWS CLI
DynamoDB Accelerator (DAX) Encryption Enabled

A config rule that checks that DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.

CloudFormation | Terraform | AWS CLI
DynamoDB Table in AWS Backup Plan Check

A Config rule that checks whether Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables are not present in any AWS Backup plan.

CloudFormation | Terraform | AWS CLI
Check DynamoDB Table Recovery Point Creation

Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. The rule is NON_COMPLIANT if the DynamoDB Table does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
DynamoDB Resources Protected by Backup Plan

Checks if Amazon DynamoDB tables are protected by a backup plan. The rule is NON_COMPLIANT if the DynamoDB Table is not covered by a backup plan.

CloudFormation | Terraform
WAF
WAF Enabled on ALB Check

A Config rule that checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). This rule is NON_COMPLIANT if the waf.enabled key is set to false.

CloudFormation | Terraform | AWS CLI
WAF Logging Enabled Check

A Config rule that checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter.

CloudFormation | Terraform | AWS CLI
WAF Classic Logging Enabled Check

A Config rule that checks if logging is enabled on AWS Web Application Firewall (WAF) Classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.

CloudFormation | Terraform | AWS CLI
fms-webacl-resource-policy-check

A config rule that checks whether the web ACL is associated with an Application Load Balancer or Amazon CloudFront distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS policy and can optionally enable remediation.

CloudFormation | Terraform | AWS CLI
fms-webacl-rulegroup-association-check

A config rule that checks that the rule groups are associated with the web ACL at the correct priority. The correct priority is decided by the rank of the rule groups in the ruleGroups parameter. When AWS Firewall Manager creates this rule, it assigns the highest priority 0 followed by 1, 2, and so on. The FMS policy owner specifies the ruleGroups rank in the FMS policy and can optionally enable remediation.

CloudFormation | Terraform | AWS CLI
Check if WAFv2 Rule Groups contain rules

Checks if WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.

CloudFormation | Terraform
Check if WAFv2 Web ACL contains any rules or rule groups

Checks if a WAFv2 Web ACL contains any WAF rules or WAF rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.

CloudFormation | Terraform
Check if AWS WAF Classic rule group contains any rules

Checks if an AWS WAF Classic rule group contains any rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.

CloudFormation | Terraform
Check if WAF global rule contains conditions

Checks if an AWS WAF global rule contains any conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.

CloudFormation | Terraform
Check if WAF Global Web ACL contains any rules or rule groups

Checks whether a WAF Global Web ACL contains any WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.

CloudFormation | Terraform
Check if WAF Regional rule groups contain any rules

Checks if WAF Regional rule groups contain any rules. The rule is NON_COMPLIANT if there are no rules present within a WAF Regional rule group.

CloudFormation | Terraform
Check if WAF regional rule contains conditions

Checks whether a WAF regional rule contains conditions. This rule is COMPLIANT if the regional rule contains at least one condition and NON_COMPLIANT otherwise.

CloudFormation | Terraform
Check if WAF regional Web ACL contains any rules or rule groups

Checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is NON_COMPLIANT if there are no WAF rules or rule groups present within a Web ACL.

CloudFormation | Terraform
VPC
VPC Flow Logs Enabled Check

A config rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.

CloudFormation | Terraform | AWS CLI
VPC VPN Tunnels Status Check

A Config rule that checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.

CloudFormation | Terraform | AWS CLI
Internet Gateways Attached to Authorized VPCs Only Check

A config rule that checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs). The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.

CloudFormation | Terraform | AWS CLI
VPC Endpoints Enabled

A Config rule that checks whether a service endpoint for the service provided in the rule parameter is created for each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.

CloudFormation | Terraform | AWS CLI
Subnet Auto-Assign Public IP Disabled Check

A config rule that checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if Amazon VPC does not have subnets that are assigned a public IP address. The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.

CloudFormation | Terraform | AWS CLI
NACL Does Not Allow Unrestricted SSH or RDP Check

A Config rule that checks if the default ports for SSH/RDP ingress traffic in network access control lists (NACLs) are unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.

CloudFormation | Terraform | AWS CLI
No Unrestricted Route To IGW Check

A Config rule that checks if there are public routes in the route table to an Internet Gateway (IGW). The rule is NON_COMPLIANT if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter.

CloudFormation | Terraform | AWS CLI
Check if AWS Client VPN authorization rules authorize connection access for all clients

Checks if the AWS Client VPN authorization rules authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.

CloudFormation | Terraform
Check for unused network ACLs

Checks if there are unused network access control lists (network ACLs). The rule is COMPLIANT if each network ACL is associated with a subnet. The rule is NON_COMPLIANT if a network ACL is not associated with a subnet.

CloudFormation | Terraform
CodeBuild
Codebuild Project Environment Variables AWS CRED Check

A config rule that checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contain plaintext credentials.

CloudFormation | Terraform | AWS CLI
CodeBuild Project Source Repo Url Check

A config rule that checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password. The rule is COMPLIANT when OAuth is used to grant authorization for accessing GitHub or Bitbucket repositories.

CloudFormation | Terraform | AWS CLI
CodeBuild Project Artifact Encryption Check

A Config rule that checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if ‘encryptionDisabled’ is set to ‘true’ for any primary or secondary (if present) artifact configurations.

CloudFormation | Terraform | AWS CLI
CodeBuild Project Logging Enabled Check

A Config rule that checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is NON_COMPLIANT if 'logsConfig' is not present or the status of all present log configurations is set to 'DISABLED'.

CloudFormation | Terraform | AWS CLI
CodeBuild Project S3 Logs Encrypted Check

A Config rule that checks if an AWS CodeBuild project configured with Amazon S3 logs has encryption enabled for its logs. The rule is NON_COMPLIANT if ‘encryptionDisabled’ is set to ‘true’ in an S3LogsConfig of a CodeBuild project.

CloudFormation | Terraform | AWS CLI
Check if CodeBuild project environment has privileged mode enabled

Checks if an AWS CodeBuild project environment has privileged mode enabled. The rule is NON_COMPLIANT for a CodeBuild project if ‘privilegedMode’ is set to ‘true’.

CloudFormation | Terraform
Redshift
Redshift Cluster Configuration Check

A config rule that checks whether Amazon Redshift clusters have the specified settings.

CloudFormation | Terraform | AWS CLI
Redshift Cluster Maintenance Settings Check

A config rule that checks whether Amazon Redshift clusters have the specified maintenance settings.

CloudFormation | Terraform | AWS CLI
Redshift No Public Access Check

A Config rule that checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration item.

CloudFormation | Terraform | AWS CLI
Redshift Cluster Requires TLS Check

A Config rule that checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.

CloudFormation | Terraform | AWS CLI
Redshift Cluster Backup Enabled Check

A Config rule that checks that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or less than MinRetentionPeriod or the value is 0.

CloudFormation | Terraform | AWS CLI
Redshift Cluster KMS Enabled

A Config rule that checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is COMPLIANT if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is NON_COMPLIANT if the cluster is not encrypted or encrypted with another key.

CloudFormation | Terraform | AWS CLI
Redshift Default Admin Check

A Config rule that checks if an Amazon Redshift cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift cluster is set to “awsuser” or if the username does not match what is listed in the parameter.

CloudFormation | Terraform | AWS CLI
Redshift Default DB Name Check

A Config rule that checks if a Redshift cluster has changed its database name from the default value. The rule is NON_COMPLIANT if the database name for a Redshift cluster is set to “dev”, or if the optional parameter is provided and the database name does not match.

CloudFormation | Terraform | AWS CLI
Redshift Enhanced VPC Routing Enabled

A Config rule that checks if an Amazon Redshift cluster has enhancedVpcRouting enabled. The rule is NON_COMPLIANT if enhancedVpcRouting is not enabled or if the configuration.enhancedVpcRouting field is false.

CloudFormation | Terraform | AWS CLI
Check if Redshift clusters are logging audits to a specific bucket

Checks if Amazon Redshift clusters are logging audits to a specific bucket. The rule is NON_COMPLIANT if audit logging is not enabled for a Redshift cluster or if the 'bucketNames' parameter is provided but the audit logging destination does not match.

CloudFormation | Terraform
API Gateway
API Gateway Endpoint Type Check

A config rule that checks that Amazon API Gateway APIs are of the specified type (allowed values are REGIONAL, PRIVATE and EDGE).

CloudFormation | Terraform | AWS CLI
API Gateway Execution Logging Enabled

A config rule that checks that methods in an Amazon API Gateway stage for deployed APIs have 'loggingLevel' as one of the values specified in the rule parameter 'loggingLevel'.

CloudFormation | Terraform | AWS CLI
API Gateway Not Edge Optimized

A config rule that checks that all APIs are private or regional, and not edge optimized.

CloudFormation | Terraform | AWS CLI
API Gateway Restricted to Private VPCs

A config rule that checks that all private APIs use a resource policy that restricts access to VPC endpoints or VPCs in the same AWS account.

CloudFormation | Terraform | AWS CLI
API Gateway Restricted to Source IPs

A config rule that checks that non-private API Gateway APIs have a resource-based policy that limits their usage based on source IP.

CloudFormation | Terraform | AWS CLI
API Gateway SSL Enabled

A Config rule that checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate.

CloudFormation | Terraform | AWS CLI
API Gateway X-Ray Tracing Enabled

A Config rule that checks if X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule will return COMPLIANT if X-Ray tracing is enabled, NON_COMPLIANT otherwise.

CloudFormation | Terraform | AWS CLI
API Gateway Cache Enabled and Encrypted Check

A config rule that checks that Amazon API Gateway APIs are of type as specified (Allowed values are REGIONAL, PRIVATE and EDGE)

CloudFormation | Terraform | AWS CLI
Check if API Gateway V2 stages have access logging enabled

Checks if Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.

CloudFormation | Terraform
Check API Gatewayv2 API routes authorization type

Checks if Amazon API Gatewayv2 API routes have an authorization type set. This rule is NON_COMPLIANT if the authorization type is NONE.

CloudFormation | Terraform
Check if API Gateway is associated with WAF

Checks if an Amazon API Gateway API stage is using an AWS WAF web access control list (web ACL). The rule is NON_COMPLIANT if an AWS WAF Web ACL is not used or if a used AWS Web ACL does not match what is listed in the rule parameter.

CloudFormation | Terraform
CloudFront
CloudFront Logging Enabled

A config rule that checks whether your CloudFront distribution has been configured to store logs in an authorized S3 bucket.

CloudFormation | Terraform | AWS CLI
CloudFront Viewer Policy Set to HTTPS

A config rule that checks whether your Amazon CloudFront Distributions use HTTPS (directly or via a redirection).

CloudFormation | Terraform | AWS CLI
CloudFront Default Root Object Configured

A config rule that checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if CloudFront distribution does not have a default root object configured.

CloudFormation | Terraform | AWS CLI
CloudFront Origin Access Identity Enabled

A config rule that checks that an Amazon CloudFront distribution with an Amazon S3 origin type has Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any Amazon S3 origin does not have OAI configured.

CloudFormation | Terraform | AWS CLI
CloudFront Origin Failover Enabled

A config rule that checks whether an origin group with at least 2 origins is configured for an Amazon CloudFront distribution. This rule is NON_COMPLIANT if there are no origin groups for the distribution.

CloudFormation | Terraform | AWS CLI
CloudFront SNI Enabled

A config rule that checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.

CloudFormation | Terraform | AWS CLI
CloudFront Domain Uses Custom SSL Certificates

A Config rule that checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.

CloudFormation | Terraform | AWS CLI
CloudFront No Deprecated SSL Protocols

A Config rule that checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any ‘OriginSslProtocols’ includes ‘SSLv3’.

CloudFormation | Terraform | AWS CLI
CloudFront Traffic To Origin is Encrypted

A Config rule that checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all.

CloudFormation | Terraform | AWS CLI
Check if CloudFront distributions are configured to deliver access logs to an S3 bucket

Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.

CloudFormation | Terraform
Check if CloudFront distributions are associated with WAF

Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.

CloudFormation | Terraform
Check if CloudFront distribution with S3 Origin has OAC enabled

Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.

CloudFormation | Terraform
Check if CloudFront distributions point to non-existent S3 bucket

Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.

CloudFormation | Terraform
Check CloudFront Security Policy

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.

CloudFormation | Terraform
SageMaker
SageMaker Notebook No Direct Internet Access Check

A config rule that checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled.

CloudFormation | Terraform | AWS CLI
SageMaker Notebook Encryption (KMS) Enabled

A config rule that checks whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if kmsKeyId is not specified for the Amazon SageMaker notebook instance.

CloudFormation | Terraform | AWS CLI
SageMaker Endpoint KMS Encryption Enabled Check

A config rule that checks whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if KmsKeyId is not specified for the Amazon SageMaker endpoint configuration.

CloudFormation | Terraform | AWS CLI
Check if SageMaker notebook instance is launched within a VPC or approved subnets

Checks if an Amazon SageMaker notebook instance is launched within a VPC or within a list of approved subnets. The rule is NON_COMPLIANT if a notebook instance is not launched within a VPC or if its subnet ID is not included in the parameter list.

CloudFormation | Terraform
Check SageMaker Notebook Instance Root Access

Checks if the Amazon SageMaker RootAccess setting is enabled for Amazon SageMaker notebook instances. The rule is NON_COMPLIANT if the RootAccess setting is set to ‘Enabled’ for an Amazon SageMaker notebook instance.

CloudFormation | Terraform
ElastiCache
ElastiCache Redis Cluster Automatic Backup Enabled Check

A Config rule that checks if the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter.

CloudFormation | Terraform | AWS CLI
Check if ElastiCache for Redis clusters have auto minor version upgrades enabled

Checks if Amazon ElastiCache for Redis clusters have auto minor version upgrades enabled. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using the Redis engine and 'AutoMinorVersionUpgrade' is not set to 'true'.

CloudFormation | Terraform
Check if ElastiCache replication groups have RBAC authentication enabled

Checks if Amazon ElastiCache replication groups have RBAC authentication enabled. The rule is NON_COMPLIANT if the Redis version is 6 or above and ‘UserGroupIds’ is missing, empty, or does not match an entry provided by the 'allowedUserGroupIDs' parameter.

CloudFormation | Terraform
Check if ElastiCache Redis replication groups have automatic failover enabled

Checks if Amazon ElastiCache Redis replication groups have automatic failover enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if ‘AutomaticFailover’ is not set to ‘enabled’.

CloudFormation | Terraform
Check if ElastiCache replication groups are encrypted at rest

Checks if Amazon ElastiCache replication groups have encryption-at-rest enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if 'AtRestEncryptionEnabled' is disabled or if the KMS key ARN does not match the approvedKMSKeyArns parameter.

CloudFormation | Terraform
Check if ElastiCache replication groups have encryption-in-transit enabled

Checks if Amazon ElastiCache replication groups have encryption-in-transit enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if ‘TransitEncryptionEnabled’ is set to ‘false’.

CloudFormation | Terraform
Check if ElastiCache replication groups have Redis AUTH enabled

Checks if Amazon ElastiCache replication groups have Redis AUTH enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if the Redis version of its nodes is below 6 (Version 6+ use Redis ACLs) and ‘AuthToken’ is missing or is empty/null.

CloudFormation | Terraform
Check ElastiCache clusters subnet group configuration

Checks if Amazon ElastiCache clusters are configured with a custom subnet group. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using a default subnet group.

CloudFormation | Terraform
Check ElastiCache clusters for recommended engine version

Checks if ElastiCache clusters are running a version greater than or equal to the recommended engine version. The rule is NON_COMPLIANT if the 'EngineVersion' for an ElastiCache cluster is less than the specified recommended version for its given engine.

CloudFormation | Terraform
ECS
ECS Task No Privileged Containers

A Config rule that checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to true. The rule is NON_COMPLIANT if the privileged parameter is true.

CloudFormation | Terraform | AWS CLI
ECS Fargate Latest Platform Version Check

A Config rule that checks if Amazon Elastic Container Service (ECS) Fargate services are running on the latest Fargate platform version. The rule is NON_COMPLIANT if the ECS service platformVersion is not set to LATEST.

CloudFormation | Terraform | AWS CLI
ECS Task No Environment Secrets

A Config rule that checks if secrets are passed as container environment variables. The rule is NON_COMPLIANT if one or more environment variable keys match a key listed in the secretKeys parameter (excluding environment variables from other locations such as Amazon S3).

CloudFormation | Terraform | AWS CLI
ECS Task has Memory Hard Limit Defined

A Config rule that checks if Amazon Elastic Container Service (ECS) task definitions have a memory limit set for their container definitions. The rule is NON_COMPLIANT for a task definition if the ‘memory’ parameter is absent for one container definition.

CloudFormation | Terraform | AWS CLI
ECS Task Does Not Use Root User

A Config rule that checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. The rule is NON_COMPLIANT if the user parameter is not present or set to root.

CloudFormation | Terraform | AWS CLI
ECS Task Definition PID Mode Check

A Config rule that checks if ECSTaskDefinitions are configured to share a host process namespace with its Amazon Elastic Container Service (Amazon ECS) containers. The rule is NON_COMPLIANT if the pidMode parameter is set to host.

CloudFormation | Terraform | AWS CLI
ECS Task Networking Mode Check

A Config rule that checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has privileged or user container definitions. The rule is NON_COMPLIANT for task definitions with host network mode and container definitions of privileged=false or empty and user=root or empty.

CloudFormation | Terraform | AWS CLI
Check if networking mode for active ECSTaskDefinitions is set to ‘awsvpc’

Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’. This rule is NON_COMPLIANT if the networking mode of an active ECSTaskDefinition is not set to ‘awsvpc’. This rule only evaluates the latest active revision of an Amazon ECS task definition.

CloudFormation | Terraform
Check if ECS clusters have container insights enabled

Checks if Amazon Elastic Container Service clusters have container insights enabled. The rule is NON_COMPLIANT if container insights are not enabled.

CloudFormation | Terraform
Check logConfiguration on active ECS Task Definitions

Checks if logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.

CloudFormation | Terraform
Network Firewall
Network Firewall Policy has Default Action for Fragment Packets

A Config rule that checks if an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.

CloudFormationTerraformAWS CLI
Network Firewall Policy has Default Action for Full Packets

A Config rule that checks if an AWS Network Firewall policy is configured with a user-defined default stateless action for full packets. This rule is NON_COMPLIANT if the default stateless action for full packets does not match the user-defined default stateless action.

CloudFormation | Terraform | AWS CLI
Network Firewall Policy Associated with a Rule Group

A Config rule that checks whether an AWS Network Firewall policy is associated with at least one stateful or stateless rule group. This rule is NON_COMPLIANT if no stateful or stateless rule groups are associated with the Network Firewall policy, and COMPLIANT if at least one rule group is associated.

CloudFormation | Terraform | AWS CLI
Network Firewall Stateless Rule Group is Not Empty

A Config rule that checks if a Stateless Network Firewall Rule Group contains rules. The rule is NON_COMPLIANT if there are no rules in a Stateless Network Firewall Rule Group.

CloudFormation | Terraform | AWS CLI
Check if Network Firewall Logging is Enabled

Checks if AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.

CloudFormation | Terraform
Check if Network Firewall is deployed across multiple Availability Zones

Checks if AWS Network Firewall firewalls are deployed across multiple Availability Zones. The rule is NON_COMPLIANT if firewalls are deployed in only one Availability Zone or in fewer zones than the number listed in the optional parameter.

CloudFormation | Terraform
Backup
AWS Backup Plan Minimum Frequency and Retention Check

A Config rule that checks if a backup plan has a backup rule that satisfies the required frequency and retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.

CloudFormation | Terraform | AWS CLI
AWS Backup Recovery Points are Encrypted

A Config rule that checks if a recovery point is encrypted. The rule is NON_COMPLIANT if the recovery point is not encrypted.

CloudFormation | Terraform | AWS CLI
AWS Backup Recovery Point Manual Deletion is Disabled

A Config rule that checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement.

CloudFormation | Terraform | AWS CLI
AWS Backup Recovery Point Minimum Retention Check

A Config rule that checks if a recovery point expires no earlier than after the specified period. The rule is NON_COMPLIANT if the recovery point has a retention period that is less than the required retention period.

CloudFormation | Terraform | AWS CLI
Check if recovery point was created for Amazon Aurora DB clusters

Checks if a recovery point was created for Amazon Aurora DB clusters. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) DB Cluster does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
Aurora Resources Protected by Backup Plan

Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan.

CloudFormation | Terraform
EBS Last Backup Recovery Point Created

Checks if a recovery point was created for Amazon Elastic Block Store (Amazon EBS). The rule is NON_COMPLIANT if the Amazon EBS volume does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
EBS Resources Protected by Backup Plan

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan.

CloudFormation | Terraform
EC2 Resources Protected by Backup Plan

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EC2 instance is not covered by a backup plan.

CloudFormation | Terraform
Check if a recovery point was created for Amazon EFS File Systems

Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems. The rule is NON_COMPLIANT if the Amazon EFS File System does not have a corresponding Recovery Point created within the specified time period.

CloudFormation | Terraform
EFS Resources Protected by Backup Plan

Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan.

CloudFormation | Terraform
Check if recovery point was created for Amazon FSx File Systems

Checks if a recovery point was created for Amazon FSx File Systems. The rule is NON_COMPLIANT if the Amazon FSx File System does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
FSx Resources Protected by Backup Plan

Checks if Amazon FSx File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon FSx File System is not covered by a backup plan.

CloudFormation | Terraform
Check if a recovery point was created for Amazon RDS

Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if the Amazon RDS instance does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
Check if RDS instances are protected by a backup plan

Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon RDS Database instance is not covered by a backup plan.

CloudFormation | Terraform
Check if a recovery point was created for Amazon S3

Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3). The rule is NON_COMPLIANT if the Amazon S3 bucket does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
S3 Resources Protected by Backup Plan

Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon S3 bucket is not covered by a backup plan.

CloudFormation | Terraform
Check if a recovery point was created for AWS Storage Gateway volumes

Checks if a recovery point was created for AWS Storage Gateway volumes. The rule is NON_COMPLIANT if the Storage Gateway volume does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
Check if a recovery point was created for AWS Backup-Gateway VirtualMachines

Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachine does not have a corresponding recovery point created within the specified time period.

CloudFormation | Terraform
OpenSearch
Check if OpenSearch Service domains send logs to CloudWatch Logs

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is COMPLIANT if a log is enabled for an Amazon ES domain. This rule is NON_COMPLIANT if logging is not configured.

CloudFormation | Terraform
OpenSearch Access Control Enabled

Checks if Amazon OpenSearch Service domains have fine-grained access control enabled. The rule is NON_COMPLIANT if AdvancedSecurityOptions is not enabled for the OpenSearch Service domain.

CloudFormation | Terraform
Check if OpenSearch Service domains have audit logging enabled

Checks if Amazon OpenSearch Service domains have audit logging enabled. The rule is NON_COMPLIANT if an OpenSearch Service domain does not have audit logging enabled.

CloudFormation | Terraform
OpenSearch Data Node Fault Tolerance

Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if 'instanceCount' is less than 3 or 'zoneAwarenessEnabled' is set to 'false'.

CloudFormation | Terraform
Check if OpenSearch domains have encryption at rest enabled

Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the `EncryptionAtRestOptions` field is not enabled.

CloudFormation | Terraform
Check if OpenSearch domains are using HTTPS

Checks whether connections to OpenSearch domains are using HTTPS. The rule is NON_COMPLIANT if the Amazon OpenSearch domain 'EnforceHTTPS' is not 'true', or is 'true' and 'TLSSecurityPolicy' is not in the 'tlsPolicies' parameter.

CloudFormation | Terraform
Check if OpenSearch Service domains are in a VPC

Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.

CloudFormation | Terraform
Check if OpenSearch domains are configured to send logs to CloudWatch

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if logging is not configured.

CloudFormation | Terraform
OpenSearch Node to Node Encryption Check

Checks if Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if node-to-node encryption is not enabled on the domain.

CloudFormation | Terraform
Neptune
Neptune Cluster Backup Retention Check

Checks if an Amazon Neptune DB cluster backup retention period is set to a specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter.

CloudFormation | Terraform
Neptune Cluster CloudWatch Log Export Enabled

Checks if an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.

CloudFormation | Terraform
Check if Neptune cluster copies tags to snapshots

Checks if an Amazon Neptune cluster is configured to copy all tags to snapshots when the snapshots are created. The rule is NON_COMPLIANT if 'copyTagsToSnapshot' is set to false.

CloudFormation | Terraform
Neptune Cluster Deletion Protection Enabled

Checks if an Amazon Neptune DB cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster has the deletionProtection field set to false.

CloudFormation | Terraform
Check if storage encryption is enabled for Neptune DB clusters

Checks if storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.

CloudFormation | Terraform
Check Neptune Cluster IAM Database Authentication

Checks if an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.

CloudFormation | Terraform
Neptune Cluster Snapshot Encryption Check

Checks if an Amazon Neptune DB cluster has snapshots encrypted. The rule is NON_COMPLIANT if a Neptune cluster does not have snapshots encrypted.

CloudFormation | Terraform
Prohibit Public Neptune Cluster Snapshot

Checks if an Amazon Neptune manual DB cluster snapshot is public. The rule is NON_COMPLIANT if any existing or new Neptune cluster snapshot is public.

CloudFormation | Terraform