You must be logged in to view saved presets
Conformance Packs
Operational Best Practices for AI and ML
A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and a region. This conformance pack defines Operational Best Practices for AI and ML and is based on this AWS template. The conformance pack includes the following rules:
A premium subscription is required for this content
Items
1
Size
6.1 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
ConformancePack:
Type: 'AWS::Config::ConformancePack'
Properties:
ConformancePackName: conformance-pack-ai-ml-best-practices
TemplateBody: |
Resources:
ConfigRule1:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: emr-kerberos-enabled
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: EMR_KERBEROS_ENABLED
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule2:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: emr-master-no-public-ip
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule3:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-account-level-public-access-blocks
Scope:
ComplianceResourceTypes:
- 'AWS::S3::AccountPublicAccessBlock'
InputParameters:
IgnorePublicAcls: 'True'
BlockPublicPolicy: 'True'
BlockPublicAcls: 'True'
RestrictPublicBuckets: 'True'
Source:
Owner: AWS
SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
ConfigRule4:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-default-lock-enabled
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
ConfigRule5:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-logging-enabled
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
ConfigRule6:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-policy-grantee-check
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
InputParameters:
federatedUsers: '3600'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
ConfigRule7:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-public-read-prohibited
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
ConfigRule8:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-public-write-prohibited
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
ConfigRule9:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-replication-enabled
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED
ConfigRule10:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-server-side-encryption-enabled
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
ConfigRule11:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-ssl-requests-only
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
ConfigRule12:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-versioning-enabled
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
ConfigRule13:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: sagemaker-notebook-no-direct-internet-access
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule14:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
MaximumExecutionFrequency: TwentyFour_Hours
ConfigRule15:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: sagemaker-notebook-kms-configured
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
MaximumExecutionFrequency: TwentyFour_Hours
Parameters: {}
Metadata: {}
Conditions: {}
© 2024 asecurecloud. All rights reserved.