Conformance Packs

Compliance for FedRAMP (Moderate)

A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and Region. This conformance pack helps verify compliance with FedRAMP (Moderate) requirements and uses the rules and preset values defined in this AWS template.

The conformance pack includes rules to check compliance for the following services: IAM, ACM, ALB, WAF, API Gateway, CloudTrail, KMS, CloudWatch, CodeBuild, RDS, DMS, DynamoDB, EC2, EFS, SSM, ElastiCache, Amazon Elasticsearch, ELB, EMR, GuardDuty, SageMaker, Lambda, Redshift, S3, VPC, SecretsManager, and SNS.
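The template for this pack stores every Config rule inside one escaped `TemplateBody` string, so the preset values are hard to review by eye. The following is an added example, not part of the original page or of the AWS template: it decodes that string, inventories each rule, and compares the presets with a baseline. The function names and the `BASELINE` values are hypothetical, and the decoder assumes the string uses only the `\n` and `\"` escapes seen on this page.

```python
import json
import re

# Constructed sample: three rules copied from the page's TemplateBody, kept in
# the same escaped, single-line, double-quoted form the page uses.
_BODY = (
    r'Resources:\n'
    r'  ConfigRule1:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n'
    r'      ConfigRuleName: \"access-keys-rotated\"\n      Scope:\n'
    r'        ComplianceResourceTypes: []\n      InputParameters:\n'
    r'        maxAccessKeyAge: \"90\"\n      Source:\n        Owner: \"AWS\"\n'
    r'        SourceIdentifier: \"ACCESS_KEYS_ROTATED\"\n'
    r'      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n'
    r'  ConfigRule30:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n'
    r'      ConfigRuleName: \"ec2-imdsv2-check\"\n      Scope:\n'
    r'        ComplianceResourceTypes:\n          - \"AWS::EC2::Instance\"\n'
    r'      Source:\n        Owner: \"AWS\"\n'
    r'        SourceIdentifier: \"EC2_IMDSV2_CHECK\"\n'
    r'  ConfigRule81:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n'
    r'      ConfigRuleName: \"restricted-common-ports\"\n      Scope:\n'
    r'        ComplianceResourceTypes:\n          - \"AWS::EC2::SecurityGroup\"\n'
    r'      InputParameters:\n        blockedPort1: \"20\"\n'
    r'        blockedPort2: \"21\"\n        blockedPort3: \"3389\"\n'
    r'        blockedPort4: \"3306\"\n        blockedPort5: \"4333\"\n'
    r'      Source:\n        Owner: \"AWS\"\n'
    r'        SourceIdentifier: \"RESTRICTED_INCOMING_TRAFFIC\"\n'
)
SAMPLE_TEMPLATE = (
    'Resources:\n  ConformancePack:\n    Type: "AWS::Config::ConformancePack"\n'
    '    Properties:\n'
    '      ConformancePackName: "conformance-pack-compliance-fedramp-moderate"\n'
    '      TemplateBody: "' + _BODY + '"\n'
)

# Hypothetical organisation baseline: the values a reviewer expects to find.
BASELINE = {
    "access-keys-rotated": {"maxAccessKeyAge": "60"},
    "restricted-common-ports": {"blockedPort3": "3389"},
    "iam-password-policy": {"MinimumPasswordLength": "14"},
}


def extract_template_body(cfn_text):
    """Decode the escaped TemplateBody string into the inner template text."""
    m = re.search(r'^[ \t]*TemplateBody:[ \t]*(".*")[ \t]*$', cfn_text, re.M)
    if not m:
        # A wrapped or truncated copy fails here instead of yielding a
        # partial rule set that looks complete.
        raise ValueError("TemplateBody is not a single-line double-quoted string")
    # Assumption: only \n and \" escapes occur, which JSON decodes identically.
    return json.loads(m.group(1))


def parse_rules(body):
    """Indentation-based reader for the regular rule layout used on the page."""
    rules, rule, section = [], None, None
    for line in body.splitlines():
        text = line.strip()
        if not text:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 2 and text.endswith(":"):
            rule = {"id": text[:-1], "name": None, "identifier": None,
                    "types": [], "params": {}, "frequency": None}
            rules.append(rule)
            continue
        if rule is None:
            continue
        if text.startswith("- "):
            if section == "Scope":
                rule["types"].append(text[2:].strip('"'))
            continue
        key, _, value = text.partition(":")
        value = value.strip().strip('"')
        if indent == 6:
            section = key
            if key == "ConfigRuleName":
                rule["name"] = value
            elif key == "MaximumExecutionFrequency":
                rule["frequency"] = value
        elif indent == 8:
            if section == "InputParameters":
                rule["params"][key] = value
            elif section == "Source" and key == "SourceIdentifier":
                rule["identifier"] = value
    return rules


def preset_drift(rules, baseline):
    """Return (rule, parameter, pack_value, required_value) per mismatch."""
    by_name = {r["name"]: r for r in rules}
    drift = []
    for name, required in baseline.items():
        params = by_name.get(name, {"params": {}})["params"]
        for key, want in required.items():
            have = params.get(key)  # None: rule or parameter absent from the pack
            if have != want:
                drift.append((name, key, have, want))
    return drift


if __name__ == "__main__":
    parsed = parse_rules(extract_template_body(SAMPLE_TEMPLATE))
    for r in parsed:
        trigger = r["frequency"] or "on configuration change"
        print(f'{r["id"]:<13} {r["name"]:<26} {trigger:<24} {r["params"]}')
    for finding in preset_drift(parsed, BASELINE):
        print("DRIFT:", finding)
```
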

Items: 1, Size: 35.2 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConformancePack:
    Type: "AWS::Config::ConformancePack"
    Properties:
      ConformancePackName: "conformance-pack-compliance-fedramp-moderate"
      TemplateBody: "Resources:\n  ConfigRule1:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"access-keys-rotated\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        maxAccessKeyAge: \"90\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ACCESS_KEYS_ROTATED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule2:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"acm-certificate-expiration-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ACM::Certificate\"\n      InputParameters:\n        daysToExpiration: \"90\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ACM_CERTIFICATE_EXPIRATION_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule3:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"alb-http-drop-invalid-header-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ElasticLoadBalancingV2::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ALB_HTTP_DROP_INVALID_HEADER_ENABLED\"\n  ConfigRule4:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"alb-http-to-https-redirection-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule5:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"alb-waf-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ElasticLoadBalancingV2::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ALB_WAF_ENABLED\"\n  ConfigRule6:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"api-gw-cache-enabled-and-encrypted\"\n      Scope:\n       
 ComplianceResourceTypes:\n          - \"AWS::ApiGateway::Stage\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"API_GW_CACHE_ENABLED_AND_ENCRYPTED\"\n  ConfigRule7:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"api-gw-execution-logging-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ApiGateway::Stage\"\n          - \"AWS::ApiGatewayV2::Stage\"\n      InputParameters:\n        loggingLevel: \"ERROR,INFO\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"API_GW_EXECUTION_LOGGING_ENABLED\"\n  ConfigRule8:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"autoscaling-group-elb-healthcheck-required\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::AutoScaling::AutoScalingGroup\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED\"\n  ConfigRule9:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloud-trail-cloud-watch-logs-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule10:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloudtrail-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUD_TRAIL_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule11:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloud-trail-encryption-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUD_TRAIL_ENCRYPTION_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule12:\n    Type: 
\"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloud-trail-log-file-validation-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule13:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloudtrail-s3-dataevents-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUDTRAIL_S3_DATAEVENTS_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule14:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloudtrail-security-trail-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUDTRAIL_SECURITY_TRAIL_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule15:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloudwatch-alarm-action-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::CloudWatch::Alarm\"\n      InputParameters:\n        alarmActionRequired: \"true\"\n        insufficientDataActionRequired: \"true\"\n        okActionRequired: \"true\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUDWATCH_ALARM_ACTION_CHECK\"\n  ConfigRule16:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cloudwatch-log-group-encrypted\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CLOUDWATCH_LOG_GROUP_ENCRYPTED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule17:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cmk-backing-key-rotation-enabled\"\n      Scope:\n        ComplianceResourceTypes: 
[]\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CMK_BACKING_KEY_ROTATION_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule18:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"codebuild-project-envvar-awscred-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::CodeBuild::Project\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK\"\n  ConfigRule19:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"codebuild-project-source-repo-url-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::CodeBuild::Project\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK\"\n  ConfigRule20:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"cw-loggroup-retention-period-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        MinRetentionTime: \"90\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"CW_LOGGROUP_RETENTION_PERIOD_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule21:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"db-instance-backup-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBInstance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"DB_INSTANCE_BACKUP_ENABLED\"\n  ConfigRule22:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"dms-replication-not-public\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"DMS_REPLICATION_NOT_PUBLIC\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule23:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: 
\"dynamodb-autoscaling-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::DynamoDB::Table\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"DYNAMODB_AUTOSCALING_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule24:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"dynamodb-in-backup-plan\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"DYNAMODB_IN_BACKUP_PLAN\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule25:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"dynamodb-pitr-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::DynamoDB::Table\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"DYNAMODB_PITR_ENABLED\"\n  ConfigRule26:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"dynamodb-table-encrypted-kms\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::DynamoDB::Table\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"DYNAMODB_TABLE_ENCRYPTED_KMS\"\n  ConfigRule27:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ebs-in-backup-plan\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EBS_IN_BACKUP_PLAN\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule28:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ebs-snapshot-public-restorable-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule29:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: 
\"ec2-ebs-encryption-by-default\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_EBS_ENCRYPTION_BY_DEFAULT\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule30:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-imdsv2-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::Instance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_IMDSV2_CHECK\"\n  ConfigRule31:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-instance-detailed-monitoring-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::Instance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_INSTANCE_DETAILED_MONITORING_ENABLED\"\n  ConfigRule32:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-instance-managed-by-systems-manager\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::Instance\"\n          - \"AWS::SSM::ManagedInstanceInventory\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_INSTANCE_MANAGED_BY_SSM\"\n  ConfigRule33:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-instance-no-public-ip\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::Instance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_INSTANCE_NO_PUBLIC_IP\"\n  ConfigRule34:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-managedinstance-association-compliance-status-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::SSM::AssociationCompliance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK\"\n  ConfigRule35:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n   
   ConfigRuleName: \"ec2-managedinstance-patch-compliance-status-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::SSM::PatchCompliance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK\"\n  ConfigRule36:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-stopped-instance\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        AllowedDays: \"30\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_STOPPED_INSTANCE\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule37:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"ec2-volume-inuse-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::Volume\"\n      InputParameters:\n        deleteOnTermination: \"TRUE\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EC2_VOLUME_INUSE_CHECK\"\n  ConfigRule38:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"efs-encrypted-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EFS_ENCRYPTED_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule39:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"efs-in-backup-plan\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EFS_IN_BACKUP_PLAN\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule40:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elasticache-redis-cluster-automatic-backup-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        snapshotRetentionPeriod: \"15\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: 
\"ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule41:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elasticsearch-encrypted-at-rest\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELASTICSEARCH_ENCRYPTED_AT_REST\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule42:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elasticsearch-in-vpc-only\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELASTICSEARCH_IN_VPC_ONLY\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule43:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elasticsearch-node-to-node-encryption-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::Elasticsearch::Domain\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK\"\n  ConfigRule44:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elb-acm-certificate-required\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ElasticLoadBalancing::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELB_ACM_CERTIFICATE_REQUIRED\"\n  ConfigRule45:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elb-cross-zone-load-balancing-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ElasticLoadBalancing::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED\"\n  ConfigRule46:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elb-deletion-protection-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n         
 - \"AWS::ElasticLoadBalancingV2::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELB_DELETION_PROTECTION_ENABLED\"\n  ConfigRule47:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elb-logging-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ElasticLoadBalancing::LoadBalancer\"\n          - \"AWS::ElasticLoadBalancingV2::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELB_LOGGING_ENABLED\"\n  ConfigRule48:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"elb-tls-https-listeners-only\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::ElasticLoadBalancing::LoadBalancer\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ELB_TLS_HTTPS_LISTENERS_ONLY\"\n  ConfigRule49:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"emr-kerberos-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EMR_KERBEROS_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule50:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"emr-master-no-public-ip\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"EMR_MASTER_NO_PUBLIC_IP\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule51:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"encrypted-volumes\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::Volume\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ENCRYPTED_VOLUMES\"\n  ConfigRule52:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"guardduty-enabled-centralized\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: 
\"AWS\"\n        SourceIdentifier: \"GUARDDUTY_ENABLED_CENTRALIZED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule53:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"guardduty-non-archived-findings\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        daysLowSev: \"180\"\n        daysMediumSev: \"90\"\n        daysHighSev: \"30\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"GUARDDUTY_NON_ARCHIVED_FINDINGS\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule54:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-group-has-users-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::IAM::Group\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_GROUP_HAS_USERS_CHECK\"\n  ConfigRule55:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-no-inline-policy-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::IAM::Role\"\n          - \"AWS::IAM::User\"\n          - \"AWS::IAM::Group\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_NO_INLINE_POLICY_CHECK\"\n  ConfigRule56:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-password-policy\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        RequireUppercaseCharacters: \"true\"\n        RequireLowercaseCharacters: \"true\"\n        RequireSymbols: \"true\"\n        RequireNumbers: \"true\"\n        MinimumPasswordLength: \"14\"\n        PasswordReusePrevention: \"24\"\n        MaxPasswordAge: \"90\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_PASSWORD_POLICY\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule57:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: 
\"iam-policy-no-statements-with-admin-access\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::IAM::Policy\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS\"\n  ConfigRule58:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-root-access-key-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_ROOT_ACCESS_KEY_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule59:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-user-group-membership-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::IAM::User\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_USER_GROUP_MEMBERSHIP_CHECK\"\n  ConfigRule60:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-user-mfa-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_USER_MFA_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule61:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-user-no-policies-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::IAM::User\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_USER_NO_POLICIES_CHECK\"\n  ConfigRule62:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"iam-user-unused-credentials-check\"\n      Scope:\n        ComplianceResourceTypes: []\n      InputParameters:\n        maxCredentialUsageAge: \"90\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"IAM_USER_UNUSED_CREDENTIALS_CHECK\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule63:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      
ConfigRuleName: \"restricted-ssh\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::SecurityGroup\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"INCOMING_SSH_DISABLED\"\n  ConfigRule64:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"internet-gateway-authorized-vpc-only\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::InternetGateway\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY\"\n  ConfigRule65:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"kms-cmk-not-scheduled-for-deletion\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"KMS_CMK_NOT_SCHEDULED_FOR_DELETION\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule66:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"lambda-function-public-access-prohibited\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::Lambda::Function\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED\"\n  ConfigRule67:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"lambda-inside-vpc\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::Lambda::Function\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"LAMBDA_INSIDE_VPC\"\n  ConfigRule68:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"mfa-enabled-for-iam-console-access\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule69:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: 
\"multi-region-cloud-trail-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"MULTI_REGION_CLOUD_TRAIL_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule70:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-in-backup-plan\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_IN_BACKUP_PLAN\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule71:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-cluster-deletion-protection-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBCluster\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_CLUSTER_DELETION_PROTECTION_ENABLED\"\n  ConfigRule72:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-instance-public-access-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBInstance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_INSTANCE_PUBLIC_ACCESS_CHECK\"\n  ConfigRule73:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-logging-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBInstance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_LOGGING_ENABLED\"\n  ConfigRule74:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-multi-az-support\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBInstance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_MULTI_AZ_SUPPORT\"\n  ConfigRule75:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-snapshot-encrypted\"\n      Scope:\n        ComplianceResourceTypes:\n          - 
\"AWS::RDS::DBSnapshot\"\n          - \"AWS::RDS::DBClusterSnapshot\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_SNAPSHOT_ENCRYPTED\"\n  ConfigRule76:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-snapshots-public-prohibited\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBSnapshot\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_SNAPSHOTS_PUBLIC_PROHIBITED\"\n  ConfigRule77:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"rds-storage-encrypted\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::RDS::DBInstance\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RDS_STORAGE_ENCRYPTED\"\n  ConfigRule78:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"redshift-cluster-configuration-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::Redshift::Cluster\"\n      InputParameters:\n        clusterDbEncrypted: \"true\"\n        loggingEnabled: \"true\"\n        nodeTypes: \"dc1.large\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"REDSHIFT_CLUSTER_CONFIGURATION_CHECK\"\n  ConfigRule79:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"redshift-cluster-public-access-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::Redshift::Cluster\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK\"\n  ConfigRule80:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"redshift-require-tls-ssl\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::Redshift::Cluster\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"REDSHIFT_REQUIRE_TLS_SSL\"\n  ConfigRule81:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: 
\"restricted-common-ports\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::SecurityGroup\"\n      InputParameters:\n        blockedPort1: \"20\"\n        blockedPort2: \"21\"\n        blockedPort3: \"3389\"\n        blockedPort4: \"3306\"\n        blockedPort5: \"4333\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"RESTRICTED_INCOMING_TRAFFIC\"\n  ConfigRule82:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"root-account-hardware-mfa-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ROOT_ACCOUNT_HARDWARE_MFA_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule83:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"root-account-mfa-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"ROOT_ACCOUNT_MFA_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule84:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-account-level-public-access-blocks\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::AccountPublicAccessBlock\"\n      InputParameters:\n        IgnorePublicAcls: \"True\"\n        BlockPublicPolicy: \"True\"\n        BlockPublicAcls: \"True\"\n        RestrictPublicBuckets: \"True\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS\"\n  ConfigRule85:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-default-lock-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_DEFAULT_LOCK_ENABLED\"\n  ConfigRule86:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: 
\"s3-bucket-logging-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_LOGGING_ENABLED\"\n  ConfigRule87:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-policy-grantee-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      InputParameters:\n        federatedUsers: \"3600\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_POLICY_GRANTEE_CHECK\"\n  ConfigRule88:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-public-read-prohibited\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_PUBLIC_READ_PROHIBITED\"\n  ConfigRule89:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-public-write-prohibited\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_PUBLIC_WRITE_PROHIBITED\"\n  ConfigRule90:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-server-side-encryption-enabled\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED\"\n  ConfigRule91:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-ssl-requests-only\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_SSL_REQUESTS_ONLY\"\n  ConfigRule92:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"s3-bucket-versioning-enabled\"\n      Scope:\n  
      ComplianceResourceTypes:\n          - \"AWS::S3::Bucket\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"S3_BUCKET_VERSIONING_ENABLED\"\n  ConfigRule93:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"sagemaker-notebook-no-direct-internet-access\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule94:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"sagemaker-notebook-kms-configured\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule95:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"sagemaker-endpoint-configuration-kms-key-configured\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule96:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"secretsmanager-scheduled-rotation-success-check\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::SecretsManager::Secret\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK\"\n  ConfigRule97:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"securityhub-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"SECURITYHUB_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule98:\n    Type: \"AWS::Config::ConfigRule\"\n  
  Properties:\n      ConfigRuleName: \"sns-encrypted-kms\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::SNS::Topic\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"SNS_ENCRYPTED_KMS\"\n  ConfigRule99:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"vpc-default-security-group-closed\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::SecurityGroup\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"VPC_DEFAULT_SECURITY_GROUP_CLOSED\"\n  ConfigRule100:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"vpc-flow-logs-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"VPC_FLOW_LOGS_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n  ConfigRule101:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"vpc-sg-open-only-to-authorized-ports\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::SecurityGroup\"\n      InputParameters:\n        authorizedTcpPorts: \"443\"\n        authorizedUdpPorts: \"1020-1025\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS\"\n  ConfigRule102:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"vpc-vpn-2-tunnels-up\"\n      Scope:\n        ComplianceResourceTypes:\n          - \"AWS::EC2::VPNConnection\"\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"VPC_VPN_2_TUNNELS_UP\"\n  ConfigRule103:\n    Type: \"AWS::Config::ConfigRule\"\n    Properties:\n      ConfigRuleName: \"wafv2-logging-enabled\"\n      Scope:\n        ComplianceResourceTypes: []\n      Source:\n        Owner: \"AWS\"\n        SourceIdentifier: \"WAFV2_LOGGING_ENABLED\"\n      MaximumExecutionFrequency: \"TwentyFour_Hours\"\n"
Parameters: {}
Metadata: {}
Conditions: {}
