A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and region. This conformance pack helps verify compliance with NIST 800-53 rev 4 security requirements, using the rules and preset parameter values defined in this AWS template.

The conformance pack includes rules to check compliance for the following services: IAM, ACM, ALB, WAF, API Gateway, CloudTrail, KMS, CloudWatch, CodeBuild, RDS, DMS, DynamoDB, EC2, EFS, SSM, ElastiCache, Amazon Elasticsearch, ELB, EMR, GuardDuty, SageMaker, Lambda, Redshift, S3, VPC, Secrets Manager, and SNS.


AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: conformance-pack-compliance-fedramp-moderate
      TemplateBody: |
        Resources:
          # ConfigRule1: IAM access-key rotation (AWS managed rule ACCESS_KEYS_ROTATED).
          # ComplianceResourceTypes is empty because this is a periodic rule; it runs
          # on the MaximumExecutionFrequency schedule rather than on resource changes.
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: access-keys-rotated
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Maximum key age in days before the key is reported NON_COMPLIANT.
                # All InputParameters values are passed to the rule as strings.
                maxAccessKeyAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule2: ACM certificate expiry (AWS managed rule
          # ACM_CERTIFICATE_EXPIRATION_CHECK), evaluated daily against ACM certificates.
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: acm-certificate-expiration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ACM::Certificate'
              InputParameters:
                # Lead time in days: certificates expiring within this window are flagged,
                # which leaves time for renewal before the certificate lapses.
                daysToExpiration: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-drop-invalid-header-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-http-to-https-redirection-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: alb-waf-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ALB_WAF_ENABLED
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-cache-enabled-and-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
          # ConfigRule7: API Gateway execution logging (AWS managed rule
          # API_GW_EXECUTION_LOGGING_ENABLED) for both REST (v1) and HTTP/WebSocket (v2) stages.
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: api-gw-execution-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ApiGateway::Stage'
                  - 'AWS::ApiGatewayV2::Stage'
              InputParameters:
                # Comma-separated list of logging levels accepted as compliant.
                # Keep the value quoted so the comma is delivered to the rule intact.
                loggingLevel: 'ERROR,INFO'
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: autoscaling-group-elb-healthcheck-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::AutoScaling::AutoScalingGroup'
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-encryption-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloud-trail-log-file-validation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule13:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-s3-dataevents-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule14:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudtrail-security-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule15: CloudWatch alarm action coverage (AWS managed rule
          # CLOUDWATCH_ALARM_ACTION_CHECK). With all three flags set to 'true', an alarm
          # must define an action for the ALARM, INSUFFICIENT_DATA and OK states, so that
          # a monitoring gap (no data) is surfaced as loudly as a threshold breach.
          ConfigRule15:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-alarm-action-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CloudWatch::Alarm'
              InputParameters:
                alarmActionRequired: 'true'
                insufficientDataActionRequired: 'true'
                okActionRequired: 'true'
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK
          ConfigRule16:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cloudwatch-log-group-encrypted
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule17:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cmk-backing-key-rotation-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule18:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-envvar-awscred-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
          ConfigRule19:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: codebuild-project-source-repo-url-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::CodeBuild::Project'
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
          # ConfigRule20: CloudWatch Logs retention floor (AWS managed rule
          # CW_LOGGROUP_RETENTION_PERIOD_CHECK), evaluated periodically.
          ConfigRule20:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: cw-loggroup-retention-period-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Minimum retention in days; log groups retaining data for less than this
                # (or expiring it sooner than the audit window needs) are flagged.
                MinRetentionTime: '90'
              Source:
                Owner: AWS
                SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule21:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: db-instance-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
          ConfigRule22:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule23:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-autoscaling-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule24:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule25:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-pitr-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_PITR_ENABLED
          ConfigRule26:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dynamodb-table-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::DynamoDB::Table'
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS
          ConfigRule27:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule28:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule29:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-ebs-encryption-by-default
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule30: instance metadata service hardening (AWS managed rule
          # EC2_IMDSV2_CHECK). Change-triggered on EC2 instances; reports instances that
          # do not enforce IMDSv2 (session-oriented, token-based metadata requests).
          ConfigRule30:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-imdsv2-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_IMDSV2_CHECK
          ConfigRule31:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-detailed-monitoring-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
          ConfigRule32:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-managed-by-systems-manager
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
                  - 'AWS::SSM::ManagedInstanceInventory'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
          ConfigRule33:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
          ConfigRule34:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-managedinstance-association-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SSM::AssociationCompliance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
          ConfigRule35:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-managedinstance-patch-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SSM::PatchCompliance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
          # ConfigRule36: long-stopped EC2 instances (AWS managed rule EC2_STOPPED_INSTANCE).
          # Periodic; no resource scope is set.
          ConfigRule36:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-stopped-instance
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Maximum number of days an instance may remain stopped before it is flagged.
                AllowedDays: '30'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_STOPPED_INSTANCE
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule37: EBS volume attachment check (AWS managed rule EC2_VOLUME_INUSE_CHECK),
          # change-triggered on EBS volumes.
          ConfigRule37:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-volume-inuse-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              InputParameters:
                # When set, attached volumes must also be marked delete-on-termination.
                # NOTE(review): written as upper-case 'TRUE' while the other boolean-like
                # parameters in this pack use 'true'; the managed rule accepts this form,
                # so it is left as-is.
                deleteOnTermination: 'TRUE'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_VOLUME_INUSE_CHECK
          ConfigRule38:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-encrypted-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_ENCRYPTED_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule39:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: efs-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EFS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule40: ElastiCache Redis automatic backups (AWS managed rule
          # ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK), evaluated periodically.
          ConfigRule40:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticache-redis-cluster-automatic-backup-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Minimum snapshot retention in days a cluster must keep to be compliant.
                snapshotRetentionPeriod: '15'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule41:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-encrypted-at-rest
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule42:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule43:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-node-to-node-encryption-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Elasticsearch::Domain'
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
          ConfigRule44:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-acm-certificate-required
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
          ConfigRule45:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-cross-zone-load-balancing-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
          ConfigRule46:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
          ConfigRule47:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
                  - 'AWS::ElasticLoadBalancingV2::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_LOGGING_ENABLED
          ConfigRule48:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elb-tls-https-listeners-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::ElasticLoadBalancing::LoadBalancer'
              Source:
                Owner: AWS
                SourceIdentifier: ELB_TLS_HTTPS_LISTENERS_ONLY
          ConfigRule49:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule50:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule51:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: encrypted-volumes
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Volume'
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
          ConfigRule52:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-enabled-centralized
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule53: GuardDuty finding triage SLA (AWS managed rule
          # GUARDDUTY_NON_ARCHIVED_FINDINGS). Findings left non-archived longer than the
          # per-severity limit below are reported, so the thresholds encode the expected
          # response time for each severity.
          ConfigRule53:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: guardduty-non-archived-findings
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Maximum days a non-archived finding may stay open, by severity.
                daysLowSev: '30'
                daysMediumSev: '7'
                daysHighSev: '1'
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule54:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
          ConfigRule55:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-no-inline-policy-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Role'
                  - 'AWS::IAM::User'
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK
          # ConfigRule56: account password policy (AWS managed rule IAM_PASSWORD_POLICY).
          # Periodic; checks the account-level IAM password policy against the values below.
          ConfigRule56:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-password-policy
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Character-class requirements (all four classes required).
                RequireUppercaseCharacters: 'true'
                RequireLowercaseCharacters: 'true'
                RequireSymbols: 'true'
                RequireNumbers: 'true'
                # Minimum length in characters.
                MinimumPasswordLength: '14'
                # Number of previous passwords that may not be reused.
                PasswordReusePrevention: '24'
                # Maximum password age in days before a change is required.
                MaxPasswordAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule57:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Policy'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
          ConfigRule58:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule59:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
          ConfigRule60:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule61:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
          # ConfigRule62: dormant IAM user credentials (AWS managed rule
          # IAM_USER_UNUSED_CREDENTIALS_CHECK), evaluated periodically.
          ConfigRule62:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                # Maximum days a password or access key may go unused before the user is flagged.
                maxCredentialUsageAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule63: unrestricted SSH ingress (AWS managed rule INCOMING_SSH_DISABLED).
          # The ConfigRuleName 'restricted-ssh' intentionally differs from the managed
          # rule's SourceIdentifier; the identifier is the one AWS Config resolves.
          ConfigRule63:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-ssh
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
          ConfigRule64:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: internet-gateway-authorized-vpc-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::InternetGateway'
              Source:
                Owner: AWS
                SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
          ConfigRule65:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: kms-cmk-not-scheduled-for-deletion
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule66:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-function-public-access-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
          ConfigRule67:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-inside-vpc
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_INSIDE_VPC
          ConfigRule68:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule69:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: multi-region-cloud-trail-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule70:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-in-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: RDS_IN_BACKUP_PLAN
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule71:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-cluster-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBCluster'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_CLUSTER_DELETION_PROTECTION_ENABLED
          ConfigRule72:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
          ConfigRule73:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_LOGGING_ENABLED
          ConfigRule74:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-multi-az-support
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_MULTI_AZ_SUPPORT
          ConfigRule75:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshot-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
                  - 'AWS::RDS::DBClusterSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
          ConfigRule76:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
          ConfigRule77:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-storage-encrypted
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
          # ConfigRule78: Redshift cluster configuration (AWS managed rule
          # REDSHIFT_CLUSTER_CONFIGURATION_CHECK), change-triggered on clusters.
          ConfigRule78:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-configuration-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              InputParameters:
                # Require at-rest encryption of the cluster database.
                clusterDbEncrypted: 'true'
                # Require audit logging to be enabled on the cluster.
                loggingEnabled: 'true'
                # Allow-list of node types (comma-separated if more than one).
                # NOTE(review): only dc1.large is listed here; clusters on any other node
                # type would be reported NON_COMPLIANT for a sizing reason rather than a
                # security one — confirm this allow-list matches the intended fleet.
                nodeTypes: dc1.large
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
          # ConfigRule79 — REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK. Flags clusters that are
          # publicly accessible. Change-triggered on AWS::Redshift::Cluster.
          ConfigRule79:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
          # ConfigRule80 — REDSHIFT_REQUIRE_TLS_SSL. Requires clusters to enforce TLS for
          # client connections (encryption in transit). Change-triggered on the cluster.
          ConfigRule80:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-require-tls-ssl
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
          # ConfigRule81 — RESTRICTED_INCOMING_TRAFFIC. Flags security groups that allow
          # unrestricted (0.0.0.0/0) inbound TCP to any of the listed ports. The managed
          # rule accepts at most five ports (blockedPort1..blockedPort5), so this list is
          # the whole allowance. Not listed: 22 (SSH), 23 (telnet), 1433 (MSSQL),
          # 5432 (PostgreSQL), 27017 (MongoDB). SSH is normally covered by a separate
          # restricted-ssh rule earlier in the pack — confirm it is present; the others
          # are not covered at all. If a slot must be reassigned, 4333 (mSQL) is the
          # least valuable of the five presets.
          ConfigRule81:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: restricted-common-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              InputParameters:
                blockedPort1: '20'
                blockedPort2: '21'
                blockedPort3: '3389'
                blockedPort4: '3306'
                blockedPort5: '4333'
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
          # ConfigRule82 — ROOT_ACCOUNT_HARDWARE_MFA_ENABLED. Account-level (periodic) rule:
          # empty scope, evaluated every 24h. Requires a hardware MFA device on the root
          # user; a virtual MFA alone is NON_COMPLIANT here.
          ConfigRule82:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule83 — ROOT_ACCOUNT_MFA_ENABLED. Weaker sibling of the rule above (any
          # MFA type passes); kept so that root-without-MFA is reported even where the
          # hardware requirement has been granted an exception.
          ConfigRule83:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule84 — S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS. Requires all four
          # account-level Block Public Access settings to be on. Parameter values are the
          # strings 'True'/'False' the managed rule expects (AWS Config parameters are
          # strings, so the quoting is deliberate). Change-triggered on the account-level
          # AccountPublicAccessBlock resource; complements the per-bucket public-read /
          # public-write rules below.
          ConfigRule84:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::AccountPublicAccessBlock'
              InputParameters:
                IgnorePublicAcls: 'True'
                BlockPublicPolicy: 'True'
                BlockPublicAcls: 'True'
                RestrictPublicBuckets: 'True'
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
          # ConfigRule85 — S3_BUCKET_DEFAULT_LOCK_ENABLED. Requires Object Lock with a
          # default retention on every bucket in scope. This is an audit-log integrity
          # control; expect broad NON_COMPLIANT findings on ordinary application buckets
          # unless the scope is narrowed or exceptions are documented.
          ConfigRule85:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-default-lock-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
          # ConfigRule86 — S3_BUCKET_LOGGING_ENABLED. Requires server access logging on
          # every bucket. Change-triggered on AWS::S3::Bucket.
          ConfigRule86:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
          # ConfigRule87 — S3_BUCKET_POLICY_GRANTEE_CHECK. The parameters are allow-lists
          # of grantees a bucket policy may grant access to (awsPrincipals,
          # servicePrincipals, federatedUsers, ipAddresses, vpcIds). federatedUsers
          # expects identity-provider identifiers (a SAML/OIDC provider ARN, or
          # 'cognito-identity.amazonaws.com'); '3600' reads like a pasted seconds value,
          # not a provider, so as written no real federated grantee appears to be
          # permitted. Confirm the intended grantee list before deploying — this looks
          # like a placeholder rather than a policy decision.
          ConfigRule87:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              InputParameters:
                federatedUsers: '3600'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          # ConfigRule88/89 — per-bucket public read / public write prohibited. These are
          # the bucket-level counterparts of the account-level Block Public Access rule;
          # both are change-triggered on AWS::S3::Bucket.
          ConfigRule88:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
          ConfigRule89:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
          # ConfigRule90 — S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED. Default encryption at
          # rest on every bucket (any SSE type passes; no KMS requirement is expressed).
          ConfigRule90:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
          # ConfigRule91 — S3_BUCKET_SSL_REQUESTS_ONLY. Requires a bucket policy that
          # denies requests with aws:SecureTransport false (encryption in transit).
          ConfigRule91:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
          # ConfigRule92 — S3_BUCKET_VERSIONING_ENABLED. Versioning on every bucket
          # (recovery from accidental or malicious overwrite/delete).
          ConfigRule92:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
          # ConfigRule93-95 — SageMaker controls. All three are periodic (empty scope,
          # evaluated every 24h) rather than change-triggered, so a non-compliant notebook
          # or endpoint config can exist for up to a day before it is reported.
          # ConfigRule93: notebook instances must not have direct internet access.
          ConfigRule93:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule94: notebook instance storage must be encrypted with a KMS key.
          ConfigRule94:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-notebook-kms-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule95: endpoint configurations must specify a KMS key.
          ConfigRule95:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule96 — SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK. Reports secrets
          # whose scheduled rotation did not succeed. This presumably only evaluates
          # secrets that already have rotation configured — a secret with rotation never
          # enabled is not caught here; confirm a rotation-enabled check exists elsewhere
          # in the pack.
          ConfigRule96:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: secretsmanager-scheduled-rotation-success-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SecretsManager::Secret'
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK
          # ConfigRule97 — SECURITYHUB_ENABLED. Periodic, account-level (empty scope,
          # every 24h): Security Hub must be enabled in the region.
          ConfigRule97:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: securityhub-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: SECURITYHUB_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule98 — SNS_ENCRYPTED_KMS. Topics must be encrypted at rest with KMS;
          # change-triggered on AWS::SNS::Topic.
          ConfigRule98:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: sns-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::SNS::Topic'
              Source:
                Owner: AWS
                SourceIdentifier: SNS_ENCRYPTED_KMS
          # ConfigRule99 — VPC_DEFAULT_SECURITY_GROUP_CLOSED. The default security group of
          # each VPC must have no inbound or outbound rules, so resources launched without
          # an explicit group get no network access by default. Change-triggered on
          # AWS::EC2::SecurityGroup.
          ConfigRule99:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-default-security-group-closed
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
          # ConfigRule100 — VPC_FLOW_LOGS_ENABLED. Periodic (empty scope, every 24h):
          # every VPC must have flow logs enabled. No trafficType parameter is set, so the
          # managed rule's default applies — set trafficType if REJECT-only or ALL is a
          # stated requirement.
          ConfigRule100:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-flow-logs-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: VPC_FLOW_LOGS_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # ConfigRule101 — VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS. A security group with a
          # 0.0.0.0/0 inbound rule is compliant only if the open ports are within the
          # authorised lists: TCP 443 and UDP 1020-1025 here. The UDP range is an AWS
          # template preset with no obvious justification for an internet-facing allow —
          # review it against the services actually exposed and tighten or remove.
          # Quoting is inconsistent ('443' vs bare 1020-1025); both parse as strings, but
          # quote the range as well so a future single-port edit cannot become an integer.
          ConfigRule101:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-sg-open-only-to-authorized-ports
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::SecurityGroup'
              InputParameters:
                authorizedTcpPorts: '443'
                authorizedUdpPorts: 1020-1025
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
          # ConfigRule102 — VPC_VPN_2_TUNNELS_UP. Both tunnels of each Site-to-Site VPN
          # connection must be UP (resilience of the encrypted link). Change-triggered on
          # AWS::EC2::VPNConnection.
          ConfigRule102:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: vpc-vpn-2-tunnels-up
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::VPNConnection'
              Source:
                Owner: AWS
                SourceIdentifier: VPC_VPN_2_TUNNELS_UP
          # ConfigRule103 — WAFV2_LOGGING_ENABLED. Periodic (empty scope, every 24h):
          # every WAFv2 web ACL must have logging enabled. Only WAFv2 is covered here;
          # classic WAF web ACLs, if any remain, are not evaluated by this rule.
          ConfigRule103:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: wafv2-logging-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: WAFV2_LOGGING_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
# No stack-level parameters: every InputParameters value (port lists, grantee
# lists, node types, thresholds) is hard-coded inside TemplateBody above, so
# tuning the pack for an environment means editing the body, not passing
# parameters at deploy time.
Parameters: {}
Metadata: {}
Conditions: {}
