################################################################################ # # PCI Conformance Pack with Remediations - EC2, Autoscaling, Lambda # # @kmmahaj # # License: # This code is made available under the MIT-0 license. See the LICENSE file. ################################################################################ AWSTemplateFormatVersion: '2010-09-09' Description: PCI Conformance Pack with Remediations - EC2, Autoscaling, Lambda (qs-1t0eilb5g) Parameters: DeliveryS3Bucket: Description: Delivery Bucket from AWS Config settings Type: String Default: 'config-bucket-accountid' Resources: ConformancePack: Type: 'AWS::Config::ConformancePack' Properties: ConformancePackName: CustomPCIEC2LambdaConfPack DeliveryS3Bucket: !Ref DeliveryS3Bucket TemplateBody: |- Resources: AutoScalingELBHealthCheck: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: AutoScalingELBHealthCheck Description: >- [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks Scope: ComplianceResourceTypes: - "AWS::AutoScaling::AutoScalingGroup" Source: Owner: AWS SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED AutoScalingELBHealthCheckRemediation: DependsOn: AutoScalingELBHealthCheck Type: 'AWS::Config::RemediationConfiguration' Properties: ConfigRuleName: AutoScalingELBHealthCheck ResourceType: "AWS::AutoScaling::AutoScalingGroup" TargetId: "Custom-AutoScalingELBHealthCheck" TargetType: "SSM_DOCUMENT" TargetVersion: "1" Parameters: AutomationAssumeRole: StaticValue: Values: - arn:aws:iam:::role/pciautomationassumerole- ASGGroupArn: ResourceValue: Value: "RESOURCE_ID" ExecutionControls: SsmControls: ConcurrentExecutionRatePercentage: 10 ErrorPercentage: 10 Automatic: True MaximumAutomaticAttempts: 10 RetryAttemptSeconds: 600 RemoveUnusedEC2SecurityGroups: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: RemoveUnusedEC2SecurityGroups Description: >- PCI.EC2.3 – Unused EC2 Security Groups should be removed Scope: ComplianceResourceTypes: - "AWS::EC2::SecurityGroup" Source: Owner: AWS SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI RemoveUnusedEC2SecurityGroupsRemediation: DependsOn: RemoveUnusedEC2SecurityGroups Type: 'AWS::Config::RemediationConfiguration' Properties: ConfigRuleName: RemoveUnusedEC2SecurityGroups ResourceType: "AWS::EC2::SecurityGroup" TargetId: "Custom-RemoveSecurityGroup" TargetType: "SSM_DOCUMENT" TargetVersion: "1" Parameters: AutomationAssumeRole: StaticValue: Values: - arn:aws:iam:::role/pciautomationassumerole- groupId: ResourceValue: Value: "RESOURCE_ID" ExecutionControls: SsmControls: ConcurrentExecutionRatePercentage: 10 ErrorPercentage: 10 Automatic: True MaximumAutomaticAttempts: 10 RetryAttemptSeconds: 600 RestrictDefaultSecurityGroup: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: RestrictDefaultSecurityGroup Description: >- PCI.EC2.2 VPC default security group should prohibit inbound and outbound traffic Scope: ComplianceResourceTypes: - "AWS::EC2::SecurityGroup" Source: Owner: AWS SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED RestrictDefaultSecurityGroupRemediation: DependsOn: RestrictDefaultSecurityGroup Type: 'AWS::Config::RemediationConfiguration' Properties: ConfigRuleName: RestrictDefaultSecurityGroup ResourceType: "AWS::EC2::SecurityGroup" TargetId: "Custom-RestrictSecurityGroup" TargetType: "SSM_DOCUMENT" TargetVersion: "1" Parameters: AutomationAssumeRole: StaticValue: Values: - arn:aws:iam:::role/pciautomationassumerole- IpAddressToBlock: StaticValue: Values: - '0.0.0.0/0' groupId: ResourceValue: Value: "RESOURCE_ID" ExecutionControls: SsmControls: ConcurrentExecutionRatePercentage: 10 ErrorPercentage: 10 Automatic: True MaximumAutomaticAttempts: 10 RetryAttemptSeconds: 600