Guided Walkthroughs

Configuration Packages

AI CloudAdvisor (Beta)

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSAWS SSOIAM PoliciesVPC Endpoint PoliciesCloudFormation Guard RulesLoad BalancersRDS Event SubscriptionsAWS Resource Access Manager (RAM)

By Service Protected

Reference Guides

Other

EC2 Security Controls

A collection of AWS Security controls for AWS EC2. Controls include IAM policies, security groups, Flow logs, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

EC2

Configuration template to deploy an Amazon EC2 instance with customizable settings that include Instance Metadata Service (IMDS) settings, volume and interface settings, name tag, key pairs, and more.

CloudFormationTerraformAWS CLI

Configuration to create an Amazon EC2 Launch Template to be used to provision EC2 Instances. The template includes customizable settings such as configuring instance type, image id, IMDS enforcement, volume and interface settings, and more.

CloudFormationTerraformAWS CLI

Configuration to enable EBS default encryption for all EC2 instances in that region. Includes a CloudFormation custom resource to enable this setting.

CloudFormationTerraformAWS CLI
Auto Scaling Group

Configuration for an Auto Scaling Group which creates a logical grouping of EC2 instances, and enables you to use features such as health check replacements and scaling policies. Auto scaling groups also maintain the number of EC2 instances within the defined limits.

CloudFormationTerraformAWS CLI
Load Balancer

Configuration to create an Application Load Balancer (ALB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or Lambda functions. The ALB also includes health checks to ensure the state of the targets before forwarding traffic.

CloudFormationTerraformAWS CLI

Configuration to create a Network Load Balancer (NLB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or ALBs. The NLB also includes health checks to ensure the state of the targets before forwarding traffic.

CloudFormationTerraformAWS CLI
Patching and Vulnerability Management

A configuration guide for setting up the necessary configuration for AWS Systems Manager Patch Manager to automatically scan and/or apply patches to EC2 instances in an AWS environment.

CloudFormation

Set up Amazon Inspector by creating an Amazon Inspector Assessment Template and specify EC2 Assessment Targets. Select from predefined rule packages: Common Vulnerabilities and Exposures, Center for Internet Security (CIS) Benchmarks, Security Best Practices for Amazon Inspector, Runtime Behavior Analysis, and Network Reachability.

CloudFormationTerraformAWS CLI

Set up Amazon Inspector Assessment Template to scan EC2 instances against the CIS Benchmarks Security Rule Package.

CloudFormationTerraformAWS CLI

Set up Amazon Inspector Assessment Template to scan EC2 instances against the Common Vulnerabilities and Exposures (CVE) Rule Package.

CloudFormationTerraformAWS CLI
Directory Services

Configuration template for AWS Managed Microsoft Active Directory (AD) service. This service is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC). The domain controllers run in different Availability Zones in a Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are automatically configured and managed for you.

CloudFormationTerraformAWS CLI
Monitoring & Compliance Packages

A configuration package to monitor EC2 related API activity as well as configuration compliance rules to ensure the security of AWS EC2 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups

CloudFormationTerraform

A configuration package to monitor Amazon Machine Images (AMIs) creation and modifications as well as ensure the compliance and security of AMIs available in the account

CloudFormationTerraform
Backup

Configuration to create AWS Backup plans and vaults. AWS Backup automates the process of backing up of data across AWS services including EFS, DynamoDB, EC2, EBS, Aurora, RDS, and Storage Gateway, as well as setting custom retention policies, access policies, and encryption

CloudFormationTerraformAWS CLI

Configure a Data Lifecycle Manager (DLM) policy to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.

CloudFormationAWS CLI
Security Group

Build a custom security group.

CloudFormationTerraformAWS CLI

A security group that allows inbound web traffic (TCP ports 80 and 443).

CloudFormationTerraformAWS CLI

A security group that allows inbound RDP traffic (TCP port 3389).

CloudFormationTerraformAWS CLI

A security group that allows inbound SSH traffic (TCP port 22).

CloudFormationTerraformAWS CLI

A security group that allows domain controller services on Microsoft Active Directory servers.

CloudFormationTerraformAWS CLI

A security group that allows inbound DNS traffic (TCP and UDP port 53).

CloudFormationTerraformAWS CLI

A security group that allows inbound ICMP traffic.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to a Maria DB instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to a Microsoft SQL server instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to a MySQL server instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an Oracle server instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an PostgreSQL server instance.

CloudFormationTerraformAWS CLI

A security group for Amazon EFS that allows inbound NFS access from resources (including the mount target) associated with this security group (TCP 2049).

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an Amazon Redshift cluster (TCP 5439)

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an Amazon OpenSearch (TCP 443 and 80)

CloudFormationTerraformAWS CLI
CloudWatch Alarms

A CloudWatch Alarm that triggers when changes are made to Security Groups.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when changes are made to large size EC2 Instances.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when changes are made to EC2 Instances.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when new AMIs (Amazon Machine Images) are created or registered in the account.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when existing AMIs (Amazon Machine Images) are modified, deleted, copied or shared with other AWS accounts.

CloudFormationTerraformAWS CLI
CloudWatch Events

Detect changes to security groups and publishes change events to an SNS topic for notification.

CloudFormationTerraformAWS CLI

Detect changes to EC2 Instances and publishes change events to an SNS topic for notification.

CloudFormationTerraformAWS CLI
Auto Remediation with SSM

Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI

Auto remediation configuration to stop or terminate EC2 instances running unapproved AMIs (by AMI ID). Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI

Auto remediation configuration to stop or terminate EC2 instances running unapproved AMIs (by AMI Tag). Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI

Auto remediation configuration to stop or terminate EC2 instances running unapproved Tenancy Modes (Shared or Dedicated). Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI

Auto remediation configuration to stop or terminate EC2 instances using unapproved instance types. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI

Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Config Rule

Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.

CloudFormationTerraformAWS CLI

Checks whether security groups in use do not allow restricted incoming SSH traffic. This rule applies only to IPv4.

CloudFormationTerraformAWS CLI

Checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are noncompliant.

CloudFormationTerraformAWS CLI

Checks whether running instances are using specified AMIs. Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are noncompliant.

CloudFormationTerraformAWS CLI

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

CloudFormationTerraformAWS CLI

A config rule that checks instances for specified tenancy. Specify AMI IDs to check instances that are launched from those AMIs or specify host IDs to check whether instances are launched on those Dedicated Hosts. Separate multiple ID values with commas.

CloudFormationTerraformAWS CLI

Check that no EC2 Instances are in Public Subnet.

CloudFormationTerraformAWS CLI

Check that security groups do not have an inbound rule with protocol of 'All'.

CloudFormationTerraformAWS CLI

Check that security groups do not have an inbound rule with port range of 'All'.

CloudFormationTerraformAWS CLI

Check that security groups prefixed with "launch-wizard" are not associated with network interfaces.

CloudFormationTerraformAWS CLI

A config rule that checks whether your EC2 instances are of the specified instance types.

CloudFormationTerraformAWS CLI

A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

CloudFormationTerraformAWS CLI

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager (SSM) association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT.

CloudFormationTerraformAWS CLI

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.

CloudFormationTerraformAWS CLI

A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic.

CloudFormationTerraformAWS CLI

A Config rule that checks whether detailed monitoring is enabled for EC2 instances.

CloudFormationTerraformAWS CLI

A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated.

CloudFormationTerraformAWS CLI

A Config rule that checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

CloudFormationTerraformAWS CLI

A Config rule that checks whether EC2 managed instances have the desired configurations.

CloudFormationTerraformAWS CLI

A Config rule that checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormationTerraformAWS CLI

A Config rule that checks that none of the specified applications are installed on the instance. Optionally, specify the application version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormationTerraformAWS CLI

A Config rule that checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.

CloudFormationTerraformAWS CLI

A Config rule that checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.

CloudFormationTerraformAWS CLI

A config rule that checks whether all private AMIs are not older than X days.

CloudFormationTerraformAWS CLI

A config rule that checks whether the Amazon Machine Images are not publicly accessible.

CloudFormationTerraformAWS CLI

A Config rule that checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4

CloudFormationTerraformAWS CLI

A Config rule that checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or an elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an Amazon EC2 instance or an ENI

CloudFormationTerraformAWS CLI

A Config rule that checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPCs) allows only specific inbound TCP or UDP traffic. The rule and any security group with inbound 0.0.0.0/0. is NON_COMPLIANT, if you do not provide any ports in the parameters.

CloudFormationTerraformAWS CLI

A Config rule that checks whether Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with the RestorableByUserIds field is set to all. If this field is set to all, then Amazon EBS snapshots are public.

CloudFormationTerraformAWS CLI

A Config rule that checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT if the state of the ec2 instance has been stopped for longer than the allowed number of days.

CloudFormationTerraformAWS CLI

A Config rule that checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is COMPLIANT if the HttpTokens is set to required and is NON_COMPLIANT if the HttpTokens is set to optional.

CloudFormationTerraformAWS CLI

A Config rule that checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.

CloudFormationTerraformAWS CLI

A Config rule that checks if capacity rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.

CloudFormationTerraformAWS CLI

A Config rule that checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is NON_COMPLIANT if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to true.

CloudFormationTerraformAWS CLI

A Config rule that checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled.

CloudFormationTerraformAWS CLI

A Config rule that checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1.

CloudFormationTerraformAWS CLI

A Config rule that checks if the Auto Scaling group spans multiple Availability Zones. The rule is NON_COMPLIANT if the Auto Scaling group does not span multiple Availability Zones.

CloudFormationTerraformAWS CLI

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. This rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined.

CloudFormationTerraformAWS CLI

A Config rule that checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs). This rule is NON_COMPLIANT an Amazon EC2 instance use multiple network interfaces.

CloudFormationTerraformAWS CLI

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is NON_COMPLIANT if no IAM profile is attached to the Amazon EC2 instance.

CloudFormationTerraformAWS CLI

A Config rule that checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.

CloudFormationTerraformAWS CLI

A Config rule that checks if the virtualization type of an EC2 instance is paravirtual. This rule is NON_COMPLIANT for an EC2 instance if virtualizationType is set to paravirtual.

CloudFormationTerraformAWS CLI

A Config rule that checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit. The rule is NON_COMPLIANT for an instance if it has a hop limit value above the intended limit.

CloudFormationTerraformAWS CLI

A Config rule that checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have AutoAcceptSharedAttachments enabled. The rule is NON_COMPLIANT for a Transit Gateway if AutoAcceptSharedAttachments is set to enable.

CloudFormationTerraformAWS CLI

A Config rule that checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an EC2 instance that can be EBS-optimized.

CloudFormationTerraformAWS CLI
IAM Policy

A policy that allows starting or stopping a specific EC2 instance and modifying a specific security group (Programmatically and in the Console).

CloudFormationTerraformAWS CLI

A policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet. This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI

A policy that allows managing Amazon EC2 security groups associated with a specific virtual private cloud (VPC). This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI

A policy hat allows full EC2 access within a specific region. This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI

An IAM policy that prevents users from creating their own security groups, and allows users to only launch approved AMIs (Amazon Machine Images). Approved images are identified with Tags (Example, Tag Key: Approved, Tag Value: True). This policy provides the permissions necessary to complete this action programmatically or from the console.

CloudFormationTerraformAWS CLI

An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag Owner has the value of that user's user name. This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI

An IAM policy that prevents users from terminating EC2 instances when the request does not come from a specified IP range. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only

CloudFormationTerraformAWS CLI

An IAM policy that prevents users from launching new EC2 Instances if they are not configured to use the new Instance Metadata Service (IMDSv2)

CloudFormationTerraformAWS CLI
Service Control Policy

This SCP prevents the launch of any EC2 instance type that is not whitelisted by the policy (default: t3.micro).

CloudFormationTerraformAWS CLI

This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.

CloudFormationTerraformAWS CLI

This SCP prevents users or roles in any affected account from disabling ebs default encryption

CloudFormationTerraformAWS CLI
Flow Logs

Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled on a VPC, subnet, or network interface level.

CloudFormationTerraformAWS CLI
VPC

Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, which can then be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is monitored.

CloudFormationTerraformAWS CLI
Filter by source
 
EC2
Auto Scaling Group
Load Balancer
Patching and Vulnerability Management
Directory Services
Monitoring & Compliance Packages
Backup
Security Group
CloudWatch Alarms
CloudWatch Events
Auto Remediation with SSM
Config Rule
IAM Policy
Service Control Policy
Flow Logs
VPC