A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and a region. This conformance pack helps verify compliance with HIPAA Security requirements and uses the rules and preset values as defined in this AWS template.

The conformance pack includes rules to check compliance for the following services: IAM, ACM, ALB, API Gateway, CloudTrail, KMS, CloudWatch, CodeBuild, RDS, DMS, DynamoDB, EC2, EFS, SSM, ElastiCache, Amazon Elasticsearch, ELB, EMR, GuardDuty, SageMaker, Lambda, Redshift, S3, VPC, SecretsManager, and SNS.

# CloudFormation template that deploys a single AWS::Config::ConformancePack.
# The pack itself (the Config rules it bundles) is carried verbatim in the
# TemplateBody block scalar below; everything outside that scalar is only the
# CloudFormation wrapper around it.
AWSTemplateFormatVersion: '2010-09-09'
# Left empty by the author. The page presents this pack as a HIPAA Security
# rule set, so a one-line description here would help whoever reads the stack.
Description: ''
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      # NOTE(review): the pack name says "fedramp-moderate" while the page text
      # presents the rule set as HIPAA Security. The pack is listed in AWS Config
      # under this name, so a mismatch will mislabel the compliance results.
      # Confirm the intended name before deploying.
      ConformancePackName: conformance-pack-compliance-fedramp-moderate
      # Literal block scalar: AWS Config receives this text as the pack template.
      # Observations on the embedded rules (every Source.Owner is AWS, i.e. AWS
      # managed rules):
      #  - every rule with `ComplianceResourceTypes: []` also sets
      #    `MaximumExecutionFrequency: TwentyFour_Hours`, so per AWS Config's
      #    trigger model it is evaluated periodically rather than on a resource
      #    configuration change (ConfigRule17 sets both a scope and a frequency);
      #  - logical ids run ConfigRule1..ConfigRule80 but ConfigRule47 is absent,
      #    so the pack holds 79 rules; harmless, but worth knowing when counting;
      #  - `authorizedUdpPorts: 1020-1025` is unquoted while the sibling
      #    `authorizedTcpPorts: '443'` is quoted; both parse as strings, but
      #    quoting the former would make the parameter style consistent.
      TemplateBody: |
        Resources:
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: access-keys-rotated
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxAccessKeyAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-to-https-redirection-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-cache-enabled-and-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-execution-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
                  - 'AWS::ApiGatewayV2::Stage'
              InputParameters:
                loggingLevel: 'ERROR,INFO'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: autoscaling-group-elb-healthcheck-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::AutoScaling::AutoScalingGroup'
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-encryption-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-log-file-validation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-s3-dataevents-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-alarm-action-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CloudWatch::Alarm'
              InputParameters:
                alarmActionRequired: 'true'
                insufficientDataActionRequired: 'true'
                okActionRequired: 'false'
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-log-group-encrypted
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule13:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-envvar-awscred-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
          ConfigRule14:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-source-repo-url-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
          ConfigRule15:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: db-instance-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
          ConfigRule16:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule17:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-autoscaling-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule18:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-pitr-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_PITR_ENABLED
          ConfigRule19:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-throughput-limit-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                accountRCUThresholdPercentage: '80'
                accountWCUThresholdPercentage: '80'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule20:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule21:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-ebs-encryption-by-default
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule22:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
          ConfigRule23:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-stopped-instance
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                AllowedDays: '30'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_STOPPED_INSTANCE
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule24:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-encrypted-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_ENCRYPTED_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule25:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticache-redis-cluster-automatic-backup-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                snapshotRetentionPeriod: '15'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule26:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-encrypted-at-rest
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule27:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule28:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-acm-certificate-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
          ConfigRule29:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
          ConfigRule30:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_LOGGING_ENABLED
          ConfigRule31:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule32:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule33:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: encrypted-volumes
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
          ConfigRule34:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-enabled-centralized
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule35:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-non-archived-findings
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                daysLowSev: '30'
                daysMediumSev: '7'
                daysHighSev: '1'
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule36:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
          ConfigRule37:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-password-policy
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                RequireUppercaseCharacters: 'true'
                RequireLowercaseCharacters: 'true'
                RequireSymbols: 'true'
                RequireNumbers: 'true'
                MinimumPasswordLength: '14'
                PasswordReusePrevention: '24'
                MaxPasswordAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule38:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Policy'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
          ConfigRule39:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule40:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
          ConfigRule41:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule42:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
          ConfigRule43:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxCredentialUsageAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule44:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-ssh
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
          ConfigRule45:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: internet-gateway-authorized-vpc-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::InternetGateway'
              Source:
                Owner: AWS
                SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
          ConfigRule46:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: kms-cmk-not-scheduled-for-deletion
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule48:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-function-public-access-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
          ConfigRule49:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-inside-vpc
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_INSIDE_VPC
          ConfigRule50:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule51:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: multi-region-cloud-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule52:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
          ConfigRule53:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-multi-az-support
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_MULTI_AZ_SUPPORT
          ConfigRule54:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshot-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
                  - 'AWS::RDS::DBClusterSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
          ConfigRule55:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
          ConfigRule56:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-storage-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
          ConfigRule57:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-configuration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              InputParameters:
                clusterDbEncrypted: 'true'
                loggingEnabled: 'true'
                nodeTypes: dc1.large
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
          ConfigRule58:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
          ConfigRule59:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-require-tls-ssl
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
          ConfigRule60:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-common-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              InputParameters:
                blockedPort1: '20'
                blockedPort2: '21'
                blockedPort3: '3389'
                blockedPort4: '3306'
                blockedPort5: '4333'
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
          ConfigRule61:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule62:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule63:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::AccountPublicAccessBlock'
              InputParameters:
                IgnorePublicAcls: 'True'
                BlockPublicPolicy: 'True'
                BlockPublicAcls: 'True'
                RestrictPublicBuckets: 'True'
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
          ConfigRule64:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-default-lock-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
          ConfigRule65:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
          ConfigRule66:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              InputParameters:
                federatedUsers: '3600'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          ConfigRule67:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
          ConfigRule68:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
          ConfigRule69:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
          ConfigRule70:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
          ConfigRule71:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
          ConfigRule72:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule73:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-kms-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule74:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule75:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: secretsmanager-rotation-enabled-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SecretsManager::Secret'
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK
          ConfigRule76:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: securityhub-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SECURITYHUB_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule77:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sns-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SNS::Topic'
              Source:
                Owner: AWS
                SourceIdentifier: SNS_ENCRYPTED_KMS
          ConfigRule78:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-flow-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: VPC_FLOW_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule79:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-sg-open-only-to-authorized-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              InputParameters:
                authorizedTcpPorts: '443'
                authorizedUdpPorts: 1020-1025
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
          ConfigRule80:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-vpn-2-tunnels-up
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::VPNConnection'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_VPN_2_TUNNELS_UP
# No stack parameters, metadata or conditions are used; the empty flow
# mappings keep the sections present without contributing anything.
Parameters: {}
Metadata: {}
Conditions: {}
