CloudFormation Security

A collection of AWS security controls for AWS CloudFormation. Controls include AWS Config rules for monitoring compliance, IAM policies, and CloudWatch Alarms. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

Monitoring & Compliance Packages

A configuration package to automatically monitor CloudFormation stack drift (when resources deployed through CloudFormation are manually changed afterwards), and optionally alert on these events.

Templates: CloudFormation

Config Rule

A config rule that checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether specified SNS topics are used.

Templates: CloudFormation, Terraform, AWS CLI

A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.

Templates: CloudFormation, Terraform, AWS CLI

CloudWatch Alarms

A CloudWatch Alarm that triggers when a new CloudFormation stack is created.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers when an existing CloudFormation stack is updated.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers when an existing CloudFormation stack is deleted.

Templates: CloudFormation, Terraform, AWS CLI

IAM Policy

An IAM policy that allows access to all CloudFormation APIs, but denies access to the UpdateStack and DeleteStack APIs on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action on the console.

Templates: CloudFormation, Terraform, AWS CLI

An IAM policy that allows users to create new or update existing CloudFormation stacks, as long as the template URL used is allowed. This policy also provides the permissions necessary to complete this action on the console.

Templates: CloudFormation, Terraform, AWS CLI

An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types (this policy uses IAM resources as the default example). This policy also provides the permissions necessary to complete this action on the console.

Templates: CloudFormation, Terraform, AWS CLI