
Operational Best Practices for Publicly Accessible Resources

A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and region. This conformance pack defines Operational Best Practices for Publicly Accessible Resources and is based on the corresponding AWS sample template. The conformance pack includes the following rules:

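# CloudFormation template that deploys a single AWS Config conformance pack.
# The pack bundles 13 AWS-managed Config rules that flag resources exposed to
# the public internet (DMS replication instances, EBS snapshots, EC2 instances,
# Elasticsearch domains, EMR master nodes, internet gateways, Lambda functions,
# RDS instances and snapshots, Redshift clusters, S3 account/bucket settings).
# The rules are detective only: this template contains no remediation
# configuration, so findings must be acted on separately.
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConformancePack:
    Type: "AWS::Config::ConformancePack"
    Properties:
      # NOTE(review): the pack name says "asset-mgmt" while the rule set is
      # about publicly accessible resources — confirm the intended name before
      # deploying, since it is how the pack is identified in AWS Config.
      ConformancePackName: "conformance-pack-asset-mgmt-best-practices"
      # The embedded template is written as a literal block scalar so the rules
      # can be read and diffed; the string handed to AWS Config is the same as
      # the escaped one-line form (one trailing newline is kept by "|").
      # Rules carrying MaximumExecutionFrequency with an empty
      # ComplianceResourceTypes list are periodic (evaluated every 24 hours);
      # the remaining rules are evaluated on configuration changes of the
      # listed resource type.
      # The S3 account-level rule takes its InputParameters as the string
      # "True" (quoted on purpose — the managed rule expects strings, not
      # YAML booleans).
      TemplateBody: |
        Resources:
          ConfigRule1:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "dms-replication-not-public"
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: "AWS"
                SourceIdentifier: "DMS_REPLICATION_NOT_PUBLIC"
              MaximumExecutionFrequency: "TwentyFour_Hours"
          ConfigRule2:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "ebs-snapshot-public-restorable-check"
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: "AWS"
                SourceIdentifier: "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK"
              MaximumExecutionFrequency: "TwentyFour_Hours"
          ConfigRule3:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "ec2-instance-no-public-ip"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::EC2::Instance"
              Source:
                Owner: "AWS"
                SourceIdentifier: "EC2_INSTANCE_NO_PUBLIC_IP"
          ConfigRule4:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "elasticsearch-in-vpc-only"
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: "AWS"
                SourceIdentifier: "ELASTICSEARCH_IN_VPC_ONLY"
              MaximumExecutionFrequency: "TwentyFour_Hours"
          ConfigRule5:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "emr-master-no-public-ip"
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: "AWS"
                SourceIdentifier: "EMR_MASTER_NO_PUBLIC_IP"
              MaximumExecutionFrequency: "TwentyFour_Hours"
          ConfigRule6:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "internet-gateway-authorized-vpc-only"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::EC2::InternetGateway"
              Source:
                Owner: "AWS"
                SourceIdentifier: "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY"
          ConfigRule7:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "lambda-function-public-access-prohibited"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::Lambda::Function"
              Source:
                Owner: "AWS"
                SourceIdentifier: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED"
          ConfigRule8:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "rds-instance-public-access-check"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::RDS::DBInstance"
              Source:
                Owner: "AWS"
                SourceIdentifier: "RDS_INSTANCE_PUBLIC_ACCESS_CHECK"
          ConfigRule9:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "rds-snapshots-public-prohibited"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::RDS::DBSnapshot"
              Source:
                Owner: "AWS"
                SourceIdentifier: "RDS_SNAPSHOTS_PUBLIC_PROHIBITED"
          ConfigRule10:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "redshift-cluster-public-access-check"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::Redshift::Cluster"
              Source:
                Owner: "AWS"
                SourceIdentifier: "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK"
          ConfigRule11:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "s3-account-level-public-access-blocks"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::S3::AccountPublicAccessBlock"
              InputParameters:
                IgnorePublicAcls: "True"
                BlockPublicPolicy: "True"
                BlockPublicAcls: "True"
                RestrictPublicBuckets: "True"
              Source:
                Owner: "AWS"
                SourceIdentifier: "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"
          ConfigRule12:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "s3-bucket-public-read-prohibited"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::S3::Bucket"
              Source:
                Owner: "AWS"
                SourceIdentifier: "S3_BUCKET_PUBLIC_READ_PROHIBITED"
          ConfigRule13:
            Type: "AWS::Config::ConfigRule"
            Properties:
              ConfigRuleName: "s3-bucket-public-write-prohibited"
              Scope:
                ComplianceResourceTypes:
                  - "AWS::S3::Bucket"
              Source:
                Owner: "AWS"
                SourceIdentifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
# No parameters, metadata or conditions are used; the empty mappings are kept
# so the template's top-level sections stay explicit.
Parameters: {}
Metadata: {}
Conditions: {}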
