A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and a region. This conformance pack defines Operational Best Practices for Publicly Accessible Resources and is based on the AWS template shown below. The conformance pack includes the following rules:
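---
# CloudFormation stack that deploys one AWS Config conformance pack.
# The pack groups the managed rules that detect resources exposed to the
# public internet (instances with public IPs, public snapshots, public
# buckets, and similar). The rules only *detect* and report NON_COMPLIANT
# resources; remediation is not configured in this template.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Operational Best Practices for Publicly Accessible Resources (AWS Config conformance pack)'
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      # NOTE(review): the name says "asset-mgmt" but the rule set is the
      # publicly-accessible-resources pack; consider renaming before deploying
      # so findings are easy to attribute in the Config console.
      ConformancePackName: conformance-pack-asset-mgmt-best-practices
      # The pack body is itself a template, embedded as a literal block scalar.
      # It is parsed by AWS Config rather than by CloudFormation, so comments
      # inside the block are passed through as part of the string.
      TemplateBody: |
        Resources:
          # Rules that carry MaximumExecutionFrequency and an empty
          # ComplianceResourceTypes list run on a schedule (periodic
          # evaluation); the others are triggered by configuration changes
          # to the listed resource types.

          # DMS replication instances must not be publicly accessible.
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
              MaximumExecutionFrequency: TwentyFour_Hours

          # EBS snapshots must not be restorable by all AWS accounts.
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours

          # EC2 instances must not have a public IPv4 address.
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::Instance'
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP

          # Elasticsearch domains must be deployed inside a VPC.
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
              MaximumExecutionFrequency: TwentyFour_Hours

          # EMR cluster master nodes must not have public IP addresses.
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
              MaximumExecutionFrequency: TwentyFour_Hours

          # Internet gateways may only be attached to authorized VPCs.
          # The managed rule accepts an AuthorizedVpcIds input parameter;
          # none is set here, so every attached gateway is reported.
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: internet-gateway-authorized-vpc-only
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::EC2::InternetGateway'
              Source:
                Owner: AWS
                SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY

          # Lambda resource policies must not grant public invoke access.
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: lambda-function-public-access-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Lambda::Function'
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

          # RDS instances must not have PubliclyAccessible enabled.
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBInstance'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK

          # RDS snapshots must not be shared publicly.
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::RDS::DBSnapshot'
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED

          # Redshift clusters must not be publicly accessible.
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::Redshift::Cluster'
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

          # All four account-level S3 Block Public Access settings must be on.
          # AWS Config input parameters are strings, so the values stay quoted;
          # an unquoted True would be coerced to a YAML boolean.
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::AccountPublicAccessBlock'
              InputParameters:
                IgnorePublicAcls: 'True'
                BlockPublicPolicy: 'True'
                BlockPublicAcls: 'True'
                RestrictPublicBuckets: 'True'
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

          # S3 buckets must not allow public read access.
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

          # S3 buckets must not allow public write access.
          ConfigRule13:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::S3::Bucket'
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED

# Empty sections retained from the source template (they carry no settings).
# Placement at the outer template level is inferred from the original flat
# listing; confirm against the published template before relying on it.
Parameters: {}
Metadata: {}
Conditions: {}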