
VPC Security Controls

A collection of AWS security controls for Amazon VPC. Controls include IAM policies, security groups, network access control lists, CloudWatch events and alarms for monitoring, as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

Configuration Packages

A configuration package to deploy an Amazon VPC with predefined presets to select: Subnet Tiers (Public and Private), Availability Zones, and Internet Connectivity. Configuration includes Subnets, Routing Tables, Internet Gateway, NAT Gateways, and Security Groups.

CloudFormation | Terraform

A configuration package to deploy an Amazon VPC with no Internet Connectivity. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items include the number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.

CloudFormation | Terraform

A customizable configuration package to deploy and configure monitoring for Amazon VPCs using Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, using SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups.

CloudFormation | Terraform

VPC

Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, which can then be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is mirrored.

CloudFormation | Terraform | AWS CLI

Flow Logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled at the VPC, subnet, or network interface level.

CloudFormation | Terraform | AWS CLI

Configuration template to create a customer-managed Prefix List with a set of IPv4 or IPv6 CIDR blocks. A prefix list supports up to 1000 entries and can be referenced in security groups and in subnet route table entries.

CloudFormation | AWS CLI

Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from a VPC to supported AWS services. Both Interface and Gateway endpoints are supported.

CloudFormation | Terraform | AWS CLI

Configuration to enable logging of the DNS queries that originate in an Amazon VPC using the Route53 Resolver Query Logging feature. Query logs can be sent to CloudWatch Logs, S3 buckets, or Kinesis Data Firehose.

CloudFormation | AWS CLI

Firewall

Configuration templates to create AWS Network Firewall related settings, including Firewall endpoints, Firewall Policies, and Firewall Rule Groups (Stateful and Stateless), used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.

CloudFormation | Terraform | AWS CLI

Configuration templates to deploy an AWS Route53 Resolver DNS Firewall and related settings, including firewall rule groups, custom domain lists, and VPC associations. This configuration can be used to block DNS requests for malicious or unwanted domains.

CloudFormation | Terraform | AWS CLI

Security Group

Build a custom security group.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound web traffic (TCP ports 80 and 443).

CloudFormation | Terraform | AWS CLI

A security group that allows inbound RDP traffic (TCP port 3389).

CloudFormation | Terraform | AWS CLI

A security group that allows inbound SSH traffic (TCP port 22).

CloudFormation | Terraform | AWS CLI

A security group that allows domain controller services on Microsoft Active Directory servers.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound DNS traffic (TCP and UDP port 53).

CloudFormation | Terraform | AWS CLI

A security group that allows inbound ICMP traffic.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound access to a MariaDB instance.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound access to a Microsoft SQL Server instance.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound access to a MySQL server instance.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound access to an Oracle server instance.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound access to a PostgreSQL server instance.

CloudFormation | Terraform | AWS CLI

A security group for Amazon EFS that allows inbound NFS access (TCP 2049) from resources (including the mount target) associated with this security group.

CloudFormation | Terraform | AWS CLI

A security group that allows inbound access to an Amazon Redshift cluster (TCP 5439).

CloudFormation | Terraform | AWS CLI

Network ACL

Build a custom network ACL.

CloudFormation | Terraform | AWS CLI

A network ACL that blacklists inbound traffic based on IP address(es).

CloudFormation | Terraform | AWS CLI

A network ACL that blacklists inbound and outbound traffic based on port(s).

CloudFormation | Terraform | AWS CLI

A network ACL that whitelists inbound and outbound traffic based on port(s) and blocks all other traffic.

CloudFormation | Terraform | AWS CLI

CloudWatch Alarms

A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC Flow Logs to be enabled.

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when the outgoing traffic over a managed AWS VPN tunnel hits a certain threshold (Default: less than 1,000,000 bytes in 15 minutes).

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when the incoming traffic over a managed AWS VPN tunnel hits a certain threshold (Default: over 5,000,000 bytes in 15 minutes).

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when both VPN tunnels in an AWS VPN connection are down.

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC.

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when changes are made to a VPC.

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table.

CloudFormation | Terraform | AWS CLI

A CloudWatch Alarm that triggers when changes are made to a Network ACL (NACL).

CloudFormation | Terraform | AWS CLI

CloudWatch Events

Detects changes to network ACLs and publishes change events to an SNS topic for notification.

CloudFormation | Terraform | AWS CLI

Detects changes to network configuration and publishes change events to an SNS topic for notification.

CloudFormation | Terraform | AWS CLI

Config Rule

Checks whether security groups in use do not allow unrestricted incoming SSH traffic. This rule applies only to IPv4.

CloudFormation | Terraform | AWS CLI

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

CloudFormation | Terraform | AWS CLI

Checks that no EC2 instances are in a public subnet.

CloudFormation | Terraform | AWS CLI

Checks that security groups do not have an inbound rule with a protocol of 'All'.

CloudFormation | Terraform | AWS CLI

Checks that security groups do not have an inbound rule with a port range of 'All'.

CloudFormation | Terraform | AWS CLI

Checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.

CloudFormation | Terraform | AWS CLI

A Config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not the default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound rules.

CloudFormation | Terraform | AWS CLI

A Config rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for each Amazon VPC.

CloudFormation | Terraform | AWS CLI

A Config rule that checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.

CloudFormation | Terraform | AWS CLI

A Config rule that checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs). The rule is NON_COMPLIANT if an IGW is not attached to an authorized VPC.

CloudFormation | Terraform | AWS CLI

A Config rule that checks whether a service endpoint for the service provided in the rule parameter is created for each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.

CloudFormation | Terraform | AWS CLI

A Config rule that checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if the Amazon VPC does not have subnets that are assigned a public IP address. The rule is NON_COMPLIANT if the Amazon VPC has subnets that are assigned a public IP address.

CloudFormation | Terraform | AWS CLI

Service Control Policy

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

CloudFormation | Terraform | AWS CLI

This SCP restricts IAM principals in an AWS account from creating, updating or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPNs, Direct Connect and Global Accelerator.

CloudFormation | Terraform | AWS CLI

This SCP restricts IAM principals in an AWS account from creating, updating or deleting Internet Gateways and NAT Gateways.

CloudFormation | Terraform | AWS CLI

This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.

CloudFormation | Terraform | AWS CLI