A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and Region. This conformance pack helps verify compliance with FedRAMP (Moderate) requirements and uses the rules and preset values defined in this AWS template. The conformance pack includes rules that check compliance for the following services: IAM, ACM, ALB, WAF, API Gateway, CloudTrail, KMS, CloudWatch, CodeBuild, RDS, DMS, DynamoDB, EC2, EFS, SSM, ElastiCache, Amazon Elasticsearch, ELB, EMR, GuardDuty, SageMaker, Lambda, Redshift, S3, VPC, SecretsManager, and SNS.
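---
# CloudFormation wrapper that deploys a single AWS Config conformance pack
# (FedRAMP Moderate preset). The conformance-pack template itself is embedded
# verbatim in the TemplateBody block scalar below; it is parsed by AWS Config,
# not by CloudFormation, so anything inside it (including comments) counts
# toward the TemplateBody size.
#
# The exported source had all indentation stripped; this version restores the
# nesting. No rule, scope, identifier or parameter value has been changed; the
# only value-level edit is quoting authorizedUdpPorts so both port parameters
# of vpc-sg-open-only-to-authorized-ports are written as strings.
AWSTemplateFormatVersion: '2010-09-09'
# NOTE(review): Description was exported empty; the accompanying page text
# describes this as the FedRAMP (Moderate) conformance pack.
Description: ''
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: conformance-pack-compliance-fedramp-moderate
      # Rules with `ComplianceResourceTypes: []` carry a MaximumExecutionFrequency
      # and are evaluated on that schedule (periodic trigger). Rules scoped to
      # resource types are evaluated when a matching resource changes; a rule
      # with both (e.g. dynamodb-autoscaling-enabled) is evaluated on both.
      TemplateBody: |
        Resources:
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: access-keys-rotated
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxAccessKeyAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: acm-certificate-expiration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ACM::Certificate'
              InputParameters:
                daysToExpiration: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-drop-invalid-header-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-to-https-redirection-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-waf-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ALB_WAF_ENABLED
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-cache-enabled-and-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-execution-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
                  - 'AWS::ApiGatewayV2::Stage'
              InputParameters:
                loggingLevel: 'ERROR,INFO'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: autoscaling-group-elb-healthcheck-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::AutoScaling::AutoScalingGroup'
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-encryption-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-log-file-validation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule13:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-s3-dataevents-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule14:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-security-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule15:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-alarm-action-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CloudWatch::Alarm'
              InputParameters:
                alarmActionRequired: 'true'
                insufficientDataActionRequired: 'true'
                okActionRequired: 'true'
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK
          ConfigRule16:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-log-group-encrypted
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule17:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cmk-backing-key-rotation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule18:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-envvar-awscred-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
          ConfigRule19:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-source-repo-url-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
          ConfigRule20:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cw-loggroup-retention-period-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                MinRetentionTime: '90'
              Source:
                Owner: AWS
                SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule21:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: db-instance-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
          ConfigRule22:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule23:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-autoscaling-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule24:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule25:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-pitr-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_PITR_ENABLED
          ConfigRule26:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-table-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS
          ConfigRule27:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule28:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule29:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-ebs-encryption-by-default
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule30:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-imdsv2-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_IMDSV2_CHECK
          ConfigRule31:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-detailed-monitoring-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
          ConfigRule32:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-managed-by-systems-manager
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
                  - 'AWS::SSM::ManagedInstanceInventory'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
          ConfigRule33:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
          ConfigRule34:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-managedinstance-association-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SSM::AssociationCompliance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
          ConfigRule35:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-managedinstance-patch-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SSM::PatchCompliance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
          ConfigRule36:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-stopped-instance
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                AllowedDays: '30'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_STOPPED_INSTANCE
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule37:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-volume-inuse-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              InputParameters:
                deleteOnTermination: 'TRUE'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_VOLUME_INUSE_CHECK
          ConfigRule38:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-encrypted-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_ENCRYPTED_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule39:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule40:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticache-redis-cluster-automatic-backup-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                snapshotRetentionPeriod: '15'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule41:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-encrypted-at-rest
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule42:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule43:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-node-to-node-encryption-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Elasticsearch::Domain'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
          ConfigRule44:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-acm-certificate-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
          ConfigRule45:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-cross-zone-load-balancing-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
          ConfigRule46:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
          ConfigRule47:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_LOGGING_ENABLED
          ConfigRule48:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-tls-https-listeners-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_TLS_HTTPS_LISTENERS_ONLY
          ConfigRule49:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule50:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule51:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: encrypted-volumes
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
          ConfigRule52:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-enabled-centralized
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule53:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-non-archived-findings
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                daysLowSev: '180'
                daysMediumSev: '90'
                daysHighSev: '30'
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule54:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
          ConfigRule55:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-no-inline-policy-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Role'
                  - 'AWS::IAM::User'
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK
          ConfigRule56:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-password-policy
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                RequireUppercaseCharacters: 'true'
                RequireLowercaseCharacters: 'true'
                RequireSymbols: 'true'
                RequireNumbers: 'true'
                MinimumPasswordLength: '14'
                PasswordReusePrevention: '24'
                MaxPasswordAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule57:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Policy'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
          ConfigRule58:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule59:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
          ConfigRule60:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule61:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
          ConfigRule62:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxCredentialUsageAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule63:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-ssh
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
          ConfigRule64:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: internet-gateway-authorized-vpc-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::InternetGateway'
              Source:
                Owner: AWS
                SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
          ConfigRule65:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: kms-cmk-not-scheduled-for-deletion
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule66:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-function-public-access-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
          ConfigRule67:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-inside-vpc
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_INSIDE_VPC
          ConfigRule68:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule69:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: multi-region-cloud-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule70:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: RDS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule71:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-cluster-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBCluster'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_CLUSTER_DELETION_PROTECTION_ENABLED
          ConfigRule72:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
          ConfigRule73:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_LOGGING_ENABLED
          ConfigRule74:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-multi-az-support
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_MULTI_AZ_SUPPORT
          ConfigRule75:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshot-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
                  - 'AWS::RDS::DBClusterSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
          ConfigRule76:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
          ConfigRule77:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-storage-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
          ConfigRule78:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-configuration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              InputParameters:
                clusterDbEncrypted: 'true'
                loggingEnabled: 'true'
                nodeTypes: dc1.large
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
          ConfigRule79:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
          ConfigRule80:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-require-tls-ssl
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
          ConfigRule81:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-common-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              # TCP 22 is not listed here because unrestricted SSH ingress is
              # covered separately by restricted-ssh (ConfigRule63).
              InputParameters:
                blockedPort1: '20'
                blockedPort2: '21'
                blockedPort3: '3389'
                blockedPort4: '3306'
                blockedPort5: '4333'
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
          ConfigRule82:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule83:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule84:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::AccountPublicAccessBlock'
              InputParameters:
                IgnorePublicAcls: 'True'
                BlockPublicPolicy: 'True'
                BlockPublicAcls: 'True'
                RestrictPublicBuckets: 'True'
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
          ConfigRule85:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-default-lock-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
          ConfigRule86:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
          ConfigRule87:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              # NOTE(review): the managed rule documents federatedUsers as a list of
              # federated-user ARNs; '3600' does not look like one, so every bucket
              # policy granting access to any principal would evaluate NON_COMPLIANT.
              # Value kept as exported - confirm the intended grantee list.
              InputParameters:
                federatedUsers: '3600'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          ConfigRule88:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
          ConfigRule89:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
          ConfigRule90:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
          ConfigRule91:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
          ConfigRule92:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
          ConfigRule93:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule94:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-kms-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule95:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule96:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: secretsmanager-scheduled-rotation-success-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SecretsManager::Secret'
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK
          ConfigRule97:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: securityhub-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SECURITYHUB_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule98:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sns-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SNS::Topic'
              Source:
                Owner: AWS
                SourceIdentifier: SNS_ENCRYPTED_KMS
          ConfigRule99:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-default-security-group-closed
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
          ConfigRule100:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-flow-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: VPC_FLOW_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule101:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-sg-open-only-to-authorized-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              # Both port parameters are strings; the UDP range is quoted so a
              # reformatter cannot retype it.
              InputParameters:
                authorizedTcpPorts: '443'
                authorizedUdpPorts: '1020-1025'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
          ConfigRule102:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-vpn-2-tunnels-up
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::VPNConnection'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_VPN_2_TUNNELS_UP
          ConfigRule103:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: wafv2-logging-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: WAFV2_LOGGING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
# Empty optional sections retained from the export. NOTE(review): in the
# flattened source these followed the TemplateBody with no indentation, so
# they are placed at the outer template level here; all three are valid
# top-level CloudFormation sections.
Parameters: {}
Metadata: {}
Conditions: {}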