A configuration package to deploy an Amazon VPC with predefined presets to select: Subnet Tiers (Public and Private), Availability Zones, and Internet Connectivity. Configuration includes Subnets, Routing Tables, Internet Gateway, Nat Gateways, and Security Groups.

A configuration package to deploy an Amazon VPC with no Internet Connectivty. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items includes number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.

A customizable configuration package to deploy configure monitoring for Amazon VPCs using Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups.

Configuration template to deploy a Site-to-Site VPN connection for an existing VPC between a virtual private gateway (VGW) on the AWS side, and a VPN device (customer gateway) on the remote side

Configuration template to set up an AWS Client VPN including the Client VPN Endpoint, VPN Authorization Rules and VPN Routes. The template includes the option to configure authentication, VPC and network settings, and more. 

Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, which can then be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is monitored.

Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled on a VPC, subnet, or network interface level.

Configuration template to create a customer managed Prefix List with a set of IPv4 or IPv6 CIDR blocks. A prefix list supports up to 1000 entries, and can be referenced in security groups and in subnet route table entries.

Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from an VPC to supported AWS services. Both Interface and Gateway endpoints are supported.

Configuration to enable logging the DNS queries that originate in an Amazon VPC using the Route53 Resolver Query Logging feature. Query logs can be sent to CloudWatch logs, S3 Buckets, or Kinesis Data Firehose.

Configuration templates to create AWS Network Firewall related settings including Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.

Configuration templates to deploy an AWS Route53 Resolver Firewall and related settings including firewall rule groups, custom domain lists, and VPC associations. This configuration can be used to block DNS requests for malicious or unwanted domains.

Configuration to create an Application Load Balancer (ALB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or Lambda functions. The ALB also includes health checks to ensure the state of the targets before forwarding traffic.

Configuration to create a Network Load Balancer (NLB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or ALBs. The NLB also includes health checks to ensure the state of the targets before forwarding traffic.

Build a custom security group.

A security group that allows inbound web traffic (TCP ports 80 and 443).

A security group that allows inbound RDP traffic (TCP port 3389).

A security group that allows inbound SSH traffic (TCP port 22).

A security group that allows domain controller services on Microsoft Active Directory servers.

A security group that allows inbound DNS traffic (TCP and UDP port 53).

A security group that allows inbound ICMP traffic.

A security group that allows inbound access to a Maria DB instance.

A security group that allows inbound access to a Microsoft SQL server instance.

A security group that allows inbound access to a MySQL server instance.

A security group that allows inbound access to an Oracle server instance.

A security group that allows inbound access to an PostgreSQL server instance.

A security group for Amazon EFS that allows inbound NFS access from resources (including the mount target) associated with this security group (TCP 2049).

A security group that allows inbound access to an Amazon Redshift cluster (TCP 5439)

A security group that allows inbound access to an Amazon OpenSearch (TCP 443 and 80)

Build a custom network ACL.

A network ACL that blacklist inbound traffic based on IP address(es).

A network ACL that blacklist inbound and outbound traffic based on Port(s).

A network ACL that whitelists inbound and outbound traffic based on Port(s) and blocks all other traffic.

A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC flow logs to be enabled.

A CloudWatch Alarm that triggers when the traffic outgoing over a managed AWS VPN tunnel hits a certain threshold (Default: Less than 1,000,000 bytes in 15 minutes).

A CloudWatch Alarm that triggers when the traffic incoming over a managed AWS VPN tunnel hits a certain threshold (Default: Over 5,000,000 bytes in 15 minutes).

A CloudWatch Alarm that triggers when the state of both VPN tunnels in an AWS VPN connection are down.

A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC.

A CloudWatch Alarm that triggers when changes are made to a VPC.

A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table.

A CloudWatch Alarm that triggers when changes are made to a Network ACL (NACL).

Detect changes to network ACLs and publishes change events to an SNS topic for notification.

Detect changes to network configuration and publishes change events to an SNS topic for notification.

Checks whether security groups in use do not allow restricted incoming SSH traffic. This rule applies only to IPv4.

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

Check that no EC2 Instances are in Public Subnet.

Check that security groups do not have an inbound rule with protocol of 'All'.

Check that security groups do not have an inbound rule with port range of 'All'.

Check that security groups prefixed with "launch-wizard" are not associated with network interfaces.

A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic.

A config rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.

A Config rule that checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.

A config rule that checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.

A Config rule that checks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.

A config rule that checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if Amazon VPC does not have subnets that are assigned a public IP address. The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.

A Config rule that checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.

A Config rule that checks if there are public routes in the route table to an Internet Gateway (IGW). The rule is NON_COMPLIANT if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter.

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPNs, Direct Connect and Global Accelerator.

This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting Internet Gateways and NAT Gateways.

This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.

This SCP restrict users in your AWS Organizations account to creating VPCs with CIDRs from a specific IPv4 pool and associating CIDRs to the VPCs from the pool. Users in the account will not be able to create VPCs with CIDRs or associate CIDRs to VPCs from any other pools from the one you choose.

This SCP prevents users or roles in any affected account from creating a default VPC or Subnets

A VPC endpoint policy that allows full access to the specified resource Arn

A VPC endpoint policy that restricts access through the endpoint to the specified IAM role in the account

A VPC endpoint policy that restricts access through the endpoint to principals in the specified Organization

An S3 endpoint policy that allows read-only access to a specific S3 bucket only

An S3 endpoint policy that allows full access to a specific S3 bucket only

An S3 endpoint policy that restricts access through the S3 endpoint to the specified IAM role in the account

An S3 endpoint policy that restricts access through the S3 endpoint to users in a specific account

A DynamoDB endpoint policy that restricts access through the endpoint to the specified DynamoDB table