
CloudFormation Security

A collection of AWS security controls for AWS CloudFormation. Controls include AWS Config rules for monitoring compliance, IAM policies, and CloudWatch Alarms. Configuration templates are available for AWS CloudFormation, the AWS CLI and Terraform.

Monitoring & Compliance Packages

A configuration package that automatically monitors CloudFormation stack drift (that is, resources deployed through CloudFormation being manually changed afterwards) and optionally alerts on these events.

Config Rule

A config rule that checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether specified SNS topics are used.


A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC, and NON_COMPLIANT when the stack drift status is DRIFTED.

CloudWatch Alarms

A CloudWatch Alarm that triggers when a new CloudFormation stack is created.


A CloudWatch Alarm that triggers when an existing CloudFormation stack is updated.


A CloudWatch Alarm that triggers when an existing CloudFormation stack is deleted.

IAM Policy

An IAM policy that allows access to all CloudFormation APIs but denies the UpdateStack and DeleteStack APIs on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action in the console.


An IAM policy that allows users to create new or update existing CloudFormation stacks, as long as the template URL used is on the allowed list. This policy also provides the permissions necessary to complete this action in the console.


An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types (this policy uses IAM resources as the default example). This policy also provides the permissions necessary to complete this action in the console.
