Guided Walkthroughs

Configuration Packages

Custom Packages

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSAWS SSOIAM PoliciesVPC Endpoint PoliciesCloudFormation Guard RulesLoad BalancersRDS Event SubscriptionsAWS Resource Access Manager (RAM)

By Service Protected

Reference Guides

Other

VPC Security Controls

A collection of AWS Security controls for Amazon VPC. Controls include IAM policies, security groups, network access lists, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform

Configuration Packages

A configuration package to deploy an Amazon VPC with predefined presets to select: Subnet Tiers (Public and Private), Availability Zones, and Internet Connectivity. Configuration includes Subnets, Routing Tables, Internet Gateway, Nat Gateways, and Security Groups.

CloudFormationTerraform

A configuration package to deploy an Amazon VPC with no Internet Connectivty. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items includes number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.

CloudFormationTerraform

A customizable configuration package to deploy configure monitoring for Amazon VPCs using Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups.

CloudFormationTerraform
VPN

Configuration template to deploy a Site-to-Site VPN connection for an existing VPC between a virtual private gateway (VGW) on the AWS side, and a VPN device (customer gateway) on the remote side

CloudFormationTerraformAWS CLI

Configuration template to set up an AWS Client VPN including the Client VPN Endpoint, VPN Authorization Rules and VPN Routes. The template includes the option to configure authentication, VPC and network settings, and more. 

CloudFormationTerraformAWS CLI
VPC

Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, which can then be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is monitored.

CloudFormationTerraformAWS CLI

Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled on a VPC, subnet, or network interface level.

CloudFormationTerraformAWS CLI

Configuration template to create a customer managed Prefix List with a set of IPv4 or IPv6 CIDR blocks. A prefix list supports up to 1000 entries, and can be referenced in security groups and in subnet route table entries.

CloudFormationAWS CLI

Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from an VPC to supported AWS services. Both Interface and Gateway endpoints are supported.

CloudFormationTerraformAWS CLI

Configuration to enable logging the DNS queries that originate in an Amazon VPC using the Route53 Resolver Query Logging feature. Query logs can be sent to CloudWatch logs, S3 Buckets, or Kinesis Data Firehose.

CloudFormationTerraformAWS CLI
Firewall

Configuration templates to create AWS Network Firewall related settings including Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.

CloudFormationTerraformAWS CLI

Configuration templates to deploy an AWS Route53 Resolver Firewall and related settings including firewall rule groups, custom domain lists, and VPC associations. This configuration can be used to block DNS requests for malicious or unwanted domains.

CloudFormationTerraformAWS CLI
Load Balancer

Configuration to create an Application Load Balancer (ALB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or Lambda functions. The ALB also includes health checks to ensure the state of the targets before forwarding traffic.

CloudFormationTerraformAWS CLI

Configuration to create a Network Load Balancer (NLB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or ALBs. The NLB also includes health checks to ensure the state of the targets before forwarding traffic.

CloudFormationTerraformAWS CLI
Security Group

Build a custom security group.

CloudFormationTerraformAWS CLI

A security group that allows inbound web traffic (TCP ports 80 and 443).

CloudFormationTerraformAWS CLI

A security group that allows inbound RDP traffic (TCP port 3389).

CloudFormationTerraformAWS CLI

A security group that allows inbound SSH traffic (TCP port 22).

CloudFormationTerraformAWS CLI

A security group that allows domain controller services on Microsoft Active Directory servers.

CloudFormationTerraformAWS CLI

A security group that allows inbound DNS traffic (TCP and UDP port 53).

CloudFormationTerraformAWS CLI

A security group that allows inbound ICMP traffic.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to a Maria DB instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to a Microsoft SQL server instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to a MySQL server instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an Oracle server instance.

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an PostgreSQL server instance.

CloudFormationTerraformAWS CLI

A security group for Amazon EFS that allows inbound NFS access from resources (including the mount target) associated with this security group (TCP 2049).

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an Amazon Redshift cluster (TCP 5439)

CloudFormationTerraformAWS CLI

A security group that allows inbound access to an Amazon OpenSearch (TCP 443 and 80)

CloudFormationTerraformAWS CLI
Network ACL

Build a custom network ACL.

CloudFormationTerraformAWS CLI

A network ACL that blacklist inbound traffic based on IP address(es).

CloudFormationTerraformAWS CLI

A network ACL that blacklist inbound and outbound traffic based on Port(s).

CloudFormationTerraformAWS CLI

A network ACL that whitelists inbound and outbound traffic based on Port(s) and blocks all other traffic.

CloudFormationTerraformAWS CLI
CloudWatch Alarms

A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC flow logs to be enabled.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when the traffic outgoing over a managed AWS VPN tunnel hits a certain threshold (Default: Less than 1,000,000 bytes in 15 minutes).

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when the traffic incoming over a managed AWS VPN tunnel hits a certain threshold (Default: Over 5,000,000 bytes in 15 minutes).

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when the state of both VPN tunnels in an AWS VPN connection are down.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when changes are made to a VPC.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table.

CloudFormationTerraformAWS CLI

A CloudWatch Alarm that triggers when changes are made to a Network ACL (NACL).

CloudFormationTerraformAWS CLI
CloudWatch Events

Detect changes to network ACLs and publishes change events to an SNS topic for notification.

CloudFormationTerraformAWS CLI

Detect changes to network configuration and publishes change events to an SNS topic for notification.

CloudFormationTerraformAWS CLI
Config Rule

Checks whether security groups in use do not allow restricted incoming SSH traffic. This rule applies only to IPv4.

CloudFormationTerraformAWS CLI

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

CloudFormationTerraformAWS CLI

Check that no EC2 Instances are in Public Subnet.

CloudFormationTerraformAWS CLI

Check that security groups do not have an inbound rule with protocol of 'All'.

CloudFormationTerraformAWS CLI

Check that security groups do not have an inbound rule with port range of 'All'.

CloudFormationTerraformAWS CLI

Check that security groups prefixed with "launch-wizard" are not associated with network interfaces.

CloudFormationTerraformAWS CLI

A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic.

CloudFormationTerraformAWS CLI

A config rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.

CloudFormationTerraformAWS CLI

A Config rule that checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.

CloudFormationTerraformAWS CLI

A config rule that checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.

CloudFormationTerraformAWS CLI

A Config rule that checks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.

CloudFormationTerraformAWS CLI

A config rule that checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if Amazon VPC does not have subnets that are assigned a public IP address. The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.

CloudFormationTerraformAWS CLI

A Config rule that checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.

CloudFormationTerraformAWS CLI

A Config rule that checks if there are public routes in the route table to an Internet Gateway (IGW). The rule is NON_COMPLIANT if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter.

CloudFormationTerraformAWS CLI
Service Control Policy

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

CloudFormationTerraformAWS CLI

This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPNs, Direct Connect and Global Accelerator.

CloudFormationTerraformAWS CLI

This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting Internet Gateways and NAT Gateways.

CloudFormationTerraformAWS CLI

This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.

CloudFormationTerraformAWS CLI

This SCP restrict users in your AWS Organizations account to creating VPCs with CIDRs from a specific IPv4 pool and associating CIDRs to the VPCs from the pool. Users in the account will not be able to create VPCs with CIDRs or associate CIDRs to VPCs from any other pools from the one you choose.

CloudFormationTerraformAWS CLI
Endpoint Policy

A VPC endpoint policy that allows full access to the specified resource Arn

CloudFormationTerraformAWS CLI

A VPC endpoint policy that restricts access through the endpoint to the specified IAM role in the account

CloudFormationTerraformAWS CLI

A VPC endpoint policy that restricts access through the endpoint to principals in the specified Organization

CloudFormationTerraformAWS CLI

An S3 endpoint policy that allows read-only access to a specific S3 bucket only

CloudFormationTerraformAWS CLI

An S3 endpoint policy that allows full access to a specific S3 bucket only

CloudFormationTerraformAWS CLI

An S3 endpoint policy that restricts access through the S3 endpoint to the specified IAM role in the account

CloudFormationTerraformAWS CLI

An S3 endpoint policy that restricts access through the S3 endpoint to users in a specific account

CloudFormationTerraformAWS CLI

A DynamoDB endpoint policy that restricts access through the endpoint to the specified DynamoDB table

CloudFormationTerraformAWS CLI
Filter by source
 
Configuration Packages
VPN
VPC
Firewall
Load Balancer
Security Group
Network ACL
CloudWatch Alarms
CloudWatch Events
Config Rule
Service Control Policy
Endpoint Policy