A policy that allows starting or stopping a specific EC2 instance and modifying a specific security group (Programmatically and in the Console).

A policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet. This policy also provides the permissions necessary to complete this action on the console.

A policy that allows managing Amazon EC2 security groups associated with a specific virtual private cloud (VPC). This policy also provides the permissions necessary to complete this action on the console.

A policy hat allows full EC2 access within a specific region. This policy also provides the permissions necessary to complete this action on the console.

An IAM policy that prevents users from creating their own security groups, and allows users to only launch approved AMIs (Amazon Machine Images). Approved images are identified with Tags (Example, Tag Key: Approv...

An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag Owner has the value of that user's user name. This policy also provides the permissions necessary to complete thi...

An IAM policy that prevents users from terminating EC2 instances when the request does not come from a specified IP range. This policy provides the permissions necessary to complete this action using the AWS API ...

Build a custom security group.

A security group that allows inbound web traffic (TCP ports 80 and 443).

A security group that allows inbound RDP traffic (TCP port 3389).

A security group that allows inbound SSH traffic (TCP port 22).

A security group that allows domain controller services on Microsoft Active Directory servers.

A security group that allows inbound DNS traffic (TCP and UDP port 53).

A security group that allows inbound ICMP traffic.

A security group that allows inbound access to a Maria DB instance.

A security group that allows inbound access to a Microsoft SQL server instance.

A security group that allows inbound access to a MySQL server instance.

A security group that allows inbound access to an Oracle server instance.

A security group that allows inbound access to an PostgreSQL server instance.

A CloudWatch Alarm that triggers when changes are made to Security Groups.

A CloudWatch Alarm that triggers when changes are made to large size EC2 Instances.

A CloudWatch Alarm that triggers when changes are made to EC2 Instances.

Detect changes to security groups and publishes change events to an SNS topic for notification.

Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are...

Checks whether security groups in use do not allow restricted incoming SSH traffic. This rule applies only to IPv4.

Checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are noncompliant.

Checks whether running instances are using specified AMIs. Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are noncompliant.

Checks whether security groups in use do not allow restricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

Checks that EC2 Instances have desired tenancy.

Check that no EC2 Instances are in Public Subnet.

Check that security groups do not have an inbound rule with protocol of 'All'.

Check that security groups do not have an inbound rule with port range of 'All'.

Check that security groups prefixed with "launch-wizard" are not associated with network interfaces.

Checks that all EC2 instances are of the type specified.

A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is complian...

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the ...

Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled on a VPC, subnet, or network interface level.