A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and a region. This conformance pack helps verify compliance with NIST 800-53 rev 4 security requirements and uses the rules and preset values as defined in this AWS template. The conformance pack includes rules to check compliance for the following services: IAM, ACM, ALB, WAF, API Gateway, CloudTrail, KMS, CloudWatch, CodeBuild, RDS, DMS, DynamoDB, EC2, EFS, SSM, ElastiCache, Amazon Elasticsearch, ELB, EMR, GuardDuty, SageMaker, Lambda, Redshift, S3, VPC, Secrets Manager, and SNS.
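# CloudFormation wrapper that deploys one AWS Config conformance pack.
# The pack itself is the inner template carried as text in TemplateBody.
# Indentation in the pasted source had been flattened; nesting is restored
# here (2-space indent throughout). All InputParameters values are kept as
# quoted strings so the inner YAML parser cannot retype them.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: conformance-pack-compliance-fedramp-moderate
      # Literal block scalar: the outer CloudFormation parser passes the text
      # through unchanged and AWS Config parses it as the pack template.
      # Rules with an empty ComplianceResourceTypes list are periodic and
      # carry MaximumExecutionFrequency; the rest evaluate on resource change.
      TemplateBody: |
        Resources:
          # --- IAM credentials and access keys ---
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: access-keys-rotated
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxAccessKeyAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- ACM / load balancers / WAF / API Gateway ---
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: acm-certificate-expiration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ACM::Certificate'
              InputParameters:
                daysToExpiration: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-drop-invalid-header-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-to-https-redirection-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-waf-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ALB_WAF_ENABLED
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-cache-enabled-and-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-execution-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
                  - 'AWS::ApiGatewayV2::Stage'
              InputParameters:
                # Comma-separated list of accepted logging levels.
                loggingLevel: 'ERROR,INFO'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: autoscaling-group-elb-healthcheck-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::AutoScaling::AutoScalingGroup'
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
          # --- CloudTrail: audit-log coverage, integrity and encryption ---
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-encryption-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-log-file-validation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule13:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-s3-dataevents-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule14:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-security-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- CloudWatch and KMS ---
          ConfigRule15:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-alarm-action-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CloudWatch::Alarm'
              InputParameters:
                alarmActionRequired: 'true'
                insufficientDataActionRequired: 'true'
                okActionRequired: 'true'
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK
          ConfigRule16:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-log-group-encrypted
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule17:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cmk-backing-key-rotation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- CodeBuild: no long-lived credentials in build env ---
          ConfigRule18:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-envvar-awscred-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
          ConfigRule19:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-source-repo-url-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
          ConfigRule20:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cw-loggroup-retention-period-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Minimum log retention in days.
                MinRetentionTime: '90'
              Source:
                Owner: AWS
                SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- RDS / DMS / DynamoDB ---
          ConfigRule21:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: db-instance-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
          ConfigRule22:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule23:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-autoscaling-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule24:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule25:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-pitr-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_PITR_ENABLED
          ConfigRule26:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-table-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS
          # --- EC2 / EBS / SSM ---
          ConfigRule27:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule28:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule29:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-ebs-encryption-by-default
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule30:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-imdsv2-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_IMDSV2_CHECK
          ConfigRule31:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-detailed-monitoring-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
          ConfigRule32:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-managed-by-systems-manager
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
                  - 'AWS::SSM::ManagedInstanceInventory'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
          ConfigRule33:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
          ConfigRule34:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-managedinstance-association-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SSM::AssociationCompliance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
          ConfigRule35:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-managedinstance-patch-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SSM::PatchCompliance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
          ConfigRule36:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-stopped-instance
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                AllowedDays: '30'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_STOPPED_INSTANCE
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule37:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-volume-inuse-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              InputParameters:
                # Kept as the preset string; the rule, not YAML, interprets it.
                deleteOnTermination: 'TRUE'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_VOLUME_INUSE_CHECK
          # --- EFS / ElastiCache / Elasticsearch ---
          ConfigRule38:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-encrypted-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_ENCRYPTED_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule39:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule40:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticache-redis-cluster-automatic-backup-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Minimum snapshot retention in days.
                snapshotRetentionPeriod: '15'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule41:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-encrypted-at-rest
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule42:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule43:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-node-to-node-encryption-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Elasticsearch::Domain'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
          # --- Classic ELB / ALB ---
          ConfigRule44:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-acm-certificate-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
          ConfigRule45:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-cross-zone-load-balancing-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
          ConfigRule46:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
          ConfigRule47:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_LOGGING_ENABLED
          ConfigRule48:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-tls-https-listeners-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_TLS_HTTPS_LISTENERS_ONLY
          # --- EMR ---
          ConfigRule49:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule50:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule51:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: encrypted-volumes
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
          # --- GuardDuty: detection coverage and finding triage SLAs ---
          ConfigRule52:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-enabled-centralized
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule53:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-non-archived-findings
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Maximum days a finding of each severity may stay unarchived.
                daysLowSev: '30'
                daysMediumSev: '7'
                daysHighSev: '1'
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- IAM: group membership, policy hygiene, password policy, MFA ---
          ConfigRule54:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
          ConfigRule55:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-no-inline-policy-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Role'
                  - 'AWS::IAM::User'
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK
          ConfigRule56:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-password-policy
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                RequireUppercaseCharacters: 'true'
                RequireLowercaseCharacters: 'true'
                RequireSymbols: 'true'
                RequireNumbers: 'true'
                MinimumPasswordLength: '14'
                PasswordReusePrevention: '24'
                MaxPasswordAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule57:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Policy'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
          ConfigRule58:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule59:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
          ConfigRule60:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule61:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
          ConfigRule62:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxCredentialUsageAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- Network ingress ---
          ConfigRule63:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-ssh
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
          ConfigRule64:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: internet-gateway-authorized-vpc-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::InternetGateway'
              Source:
                Owner: AWS
                SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
          ConfigRule65:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: kms-cmk-not-scheduled-for-deletion
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- Lambda ---
          ConfigRule66:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-function-public-access-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
          ConfigRule67:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-inside-vpc
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_INSIDE_VPC
          ConfigRule68:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule69:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: multi-region-cloud-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- RDS ---
          ConfigRule70:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: RDS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule71:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-cluster-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBCluster'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_CLUSTER_DELETION_PROTECTION_ENABLED
          ConfigRule72:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
          ConfigRule73:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_LOGGING_ENABLED
          ConfigRule74:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-multi-az-support
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_MULTI_AZ_SUPPORT
          ConfigRule75:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshot-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
                  - 'AWS::RDS::DBClusterSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
          ConfigRule76:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
          ConfigRule77:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-storage-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
          # --- Redshift ---
          ConfigRule78:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-configuration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              InputParameters:
                clusterDbEncrypted: 'true'
                loggingEnabled: 'true'
                # Preset node-type allow list; clusters on other node types
                # will be reported NON_COMPLIANT by this rule.
                nodeTypes: 'dc1.large'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
          ConfigRule79:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
          ConfigRule80:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-require-tls-ssl
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
          ConfigRule81:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-common-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              InputParameters:
                # Deny list of ports that must not be open to 0.0.0.0/0.
                # Only these five are checked here; the allow-list rule
                # vpc-sg-open-only-to-authorized-ports below covers the rest.
                blockedPort1: '20'
                blockedPort2: '21'
                blockedPort3: '3389'
                blockedPort4: '3306'
                blockedPort5: '4333'
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
          # --- Root account MFA ---
          ConfigRule82:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule83:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- S3: public access, logging, encryption, TLS, versioning ---
          ConfigRule84:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::AccountPublicAccessBlock'
              InputParameters:
                IgnorePublicAcls: 'True'
                BlockPublicPolicy: 'True'
                BlockPublicAcls: 'True'
                RestrictPublicBuckets: 'True'
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
          ConfigRule85:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-default-lock-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
          ConfigRule86:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
          ConfigRule87:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              InputParameters:
                # NOTE(review): this rule's federatedUsers parameter is
                # documented as a comma-separated list of federated-user ARNs;
                # '3600' looks like a placeholder carried over from the preset.
                # Confirm the intended grantee list before deploying.
                federatedUsers: '3600'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          ConfigRule88:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
          ConfigRule89:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
          ConfigRule90:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
          ConfigRule91:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
          ConfigRule92:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
          # --- SageMaker ---
          ConfigRule93:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule94:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-kms-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule95:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          # --- Secrets Manager / Security Hub / SNS ---
          ConfigRule96:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: secretsmanager-scheduled-rotation-success-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SecretsManager::Secret'
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK
          ConfigRule97:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: securityhub-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SECURITYHUB_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule98:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sns-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SNS::Topic'
              Source:
                Owner: AWS
                SourceIdentifier: SNS_ENCRYPTED_KMS
          # --- VPC / WAF ---
          ConfigRule99:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-default-security-group-closed
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
          ConfigRule100:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-flow-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: VPC_FLOW_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule101:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-sg-open-only-to-authorized-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              InputParameters:
                # Allow list of ports permitted to be open to 0.0.0.0/0 — these
                # are the preset values; widening them weakens the control, so
                # tune per environment and record the justification.
                authorizedTcpPorts: '443'
                authorizedUdpPorts: '1020-1025'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
          ConfigRule102:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-vpn-2-tunnels-up
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::VPNConnection'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_VPN_2_TUNNELS_UP
          ConfigRule103:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: wafv2-logging-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: WAFV2_LOGGING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
# Outer-template sections, empty in the saved preset. The flattened source
# does not show whether these belonged to the wrapper or to the inner pack
# template; they are placed at the wrapper's top level here — confirm against
# the original export, and drop them if the deploying tool rejects empty maps.
Parameters: {}
Metadata: {}
Conditions: {}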