A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in one AWS account and Region. This conformance pack defines Operational Best Practices for AI and ML and is based on the corresponding AWS sample template. The conformance pack includes the following rules:

# CloudFormation template that deploys a single AWS::Config::ConformancePack
# ("conformance-pack-ai-ml-best-practices") bundling 15 AWS-managed Config rules
# for EMR, S3 and SageMaker. The rules themselves live in TemplateBody below,
# which is a literal block scalar: its content is handed to AWS Config as text,
# so any edit inside it changes the deployed pack verbatim.
AWSTemplateFormatVersion: '2010-09-09'
# NOTE(review): Description is empty; stating the pack's purpose here makes the
# deployed stack self-describing in the console.
Description: ''
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: conformance-pack-ai-ml-best-practices
      # Rule inventory (all Source.Owner: AWS, i.e. AWS-managed rules):
      #   ConfigRule1/2 (EMR), ConfigRule13/14/15 (SageMaker): empty
      #     ComplianceResourceTypes plus MaximumExecutionFrequency of
      #     TwentyFour_Hours -- evaluated on a 24-hour schedule rather than
      #     on a resource change.
      #   ConfigRule3: AWS::S3::AccountPublicAccessBlock with all four
      #     block-public-access parameters set to the string 'True'
      #     (InputParameters values are strings, hence the quotes).
      #   ConfigRule4-12: scoped to AWS::S3::Bucket with no execution
      #     frequency -- evaluated when a bucket's configuration changes.
      # NOTE(review): ConfigRule6 (S3_BUCKET_POLICY_GRANTEE_CHECK) sets
      #   federatedUsers: '3600'. That parameter is documented as a
      #   comma-separated list of federated-user ARNs; '3600' looks like a
      #   misplaced numeric value and would leave any bucket policy granting
      #   to a federated user NON_COMPLIANT -- confirm the intended value
      #   before deploying.
      # NOTE(review): ConfigRule15's ConfigRuleName (sagemaker-notebook-kms-configured)
      #   does not mirror its SourceIdentifier
      #   (SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED) the way the other
      #   rules do; harmless, but worth aligning for searchability.
      TemplateBody: |
        Resources:
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::AccountPublicAccessBlock'
              InputParameters:
                IgnorePublicAcls: 'True'
                BlockPublicPolicy: 'True'
                BlockPublicAcls: 'True'
                RestrictPublicBuckets: 'True'
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-default-lock-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              InputParameters:
                federatedUsers: '3600'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-replication-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
          ConfigRule13:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule14:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule15:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-kms-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
# The pack takes no stack inputs and declares no conditions; the empty flow
# mappings are explicit so the sections parse as mappings rather than null.
Parameters: {}
Metadata: {}
Conditions: {}
