AWSTemplateFormatVersion: 2010-09-09
Parameters:
  CreateConformancePack:
    Default: "Yes"
    Type: String
    AllowedValues:
      - "Yes"
      - "No"
  IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
    Default: '90'
    Type: String
  RedshiftClusterConfigurationCheckParamClusterDbEncrypted:
    Default: 'TRUE'
    Type: String
  RedshiftClusterConfigurationCheckParamLoggingEnabled:
    Default: 'TRUE'
    Type: String
  VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts:
    Default: '443'
    Type: String
Conditions:
  CreatingConformancePack: !Equals
    - !Ref CreateConformancePack
    - "Yes"
Resources:
  VendorInsightsConformancePackForMarketplace:
    Type: AWS::Config::ConformancePack
    Condition: CreatingConformancePack
    Properties:
      ConformancePackInputParameters:
        - ParameterName: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
          ParameterValue: !Ref IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
        - ParameterName: RedshiftClusterConfigurationCheckParamClusterDbEncrypted
          ParameterValue: !Ref RedshiftClusterConfigurationCheckParamClusterDbEncrypted
        - ParameterName: RedshiftClusterConfigurationCheckParamLoggingEnabled
          ParameterValue: !Ref RedshiftClusterConfigurationCheckParamLoggingEnabled
        - ParameterName: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
          ParameterValue: !Ref VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
      ConformancePackName: AWSVendorInsightsConformancePackv1
      # Literal block scalar: the embedded template must keep its line breaks,
      # otherwise the comment header would swallow the top-level keys that follow it.
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        ##################################################################################
        #
        #   Conformance Pack:
        #     Operational Best Practices for AWS Marketplace
        #
        #   This conformance pack helps verify compliance with Marketplace requirements.
        #
        #   See Parameters section for names and descriptions of required parameters.
        #
        ##################################################################################
        Parameters:
          IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
            Default: '90'
            Type: String
          RedshiftClusterConfigurationCheckParamClusterDbEncrypted:
            Default: 'TRUE'
            Type: String
          RedshiftClusterConfigurationCheckParamLoggingEnabled:
            Default: 'TRUE'
            Type: String
          VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts:
            Default: '443'
            Type: String
        Conditions:
          iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
          redshiftClusterConfigurationCheckParamClusterDbEncrypted:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RedshiftClusterConfigurationCheckParamClusterDbEncrypted
          redshiftClusterConfigurationCheckParamLoggingEnabled:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RedshiftClusterConfigurationCheckParamLoggingEnabled
          vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
        Resources:
          AcmCertificateExpirationCheck:
            Properties:
              ConfigRuleName: acm-certificate-expiration-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::ACM::Certificate
              Source:
                Owner: AWS
                SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
            Type: AWS::Config::ConfigRule
          AlbHttpDropInvalidHeaderEnabled:
            Properties:
              ConfigRuleName: alb-http-drop-invalid-header-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancingV2::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED
            Type: AWS::Config::ConfigRule
          AlbHttpToHttpsRedirectionCheck:
            Properties:
              ConfigRuleName: alb-http-to-https-redirection-check
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
            Type: AWS::Config::ConfigRule
          AlbWafEnabled:
            Properties:
              ConfigRuleName: alb-waf-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancingV2::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ALB_WAF_ENABLED
            Type: AWS::Config::ConfigRule
          ApiGwCacheEnabledAndEncrypted:
            Properties:
              ConfigRuleName: api-gw-cache-enabled-and-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::ApiGateway::Stage
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
            Type: AWS::Config::ConfigRule
          ApiGwExecutionLoggingEnabled:
            Properties:
              ConfigRuleName: api-gw-execution-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ApiGateway::Stage
                  - AWS::ApiGatewayV2::Stage
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          AuroraResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: aurora-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBCluster
              Source:
                Owner: AWS
                SourceIdentifier: AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          AutoscalingGroupElbHealthcheckRequired:
            Properties:
              ConfigRuleName: autoscaling-group-elb-healthcheck-required
              Scope:
                ComplianceResourceTypes:
                  - AWS::AutoScaling::AutoScalingGroup
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
            Type: AWS::Config::ConfigRule
          BackupPlanMinFrequencyAndMinRetentionCheck:
            Properties:
              ConfigRuleName: backup-plan-min-frequency-and-min-retention-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::Backup::BackupPlan
              Source:
                Owner: AWS
                SourceIdentifier: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
            Type: AWS::Config::ConfigRule
          BackupRecoveryPointEncrypted:
            Properties:
              ConfigRuleName: backup-recovery-point-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::Backup::RecoveryPoint
              Source:
                Owner: AWS
                SourceIdentifier: BACKUP_RECOVERY_POINT_ENCRYPTED
            Type: AWS::Config::ConfigRule
          BackupRecoveryPointManualDeletionDisabled:
            Properties:
              ConfigRuleName: backup-recovery-point-manual-deletion-disabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::Backup::BackupVault
              Source:
                Owner: AWS
                SourceIdentifier: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
            Type: AWS::Config::ConfigRule
          BackupRecoveryPointMinimumRetentionCheck:
            Properties:
              ConfigRuleName: backup-recovery-point-minimum-retention-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::Backup::RecoveryPoint
              Source:
                Owner: AWS
                SourceIdentifier: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
            Type: AWS::Config::ConfigRule
          CloudTrailCloudWatchLogsEnabled:
            Properties:
              ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
            Type: AWS::Config::ConfigRule
          CloudTrailEnabled:
            Properties:
              ConfigRuleName: cloudtrail-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENABLED
            Type: AWS::Config::ConfigRule
          CloudTrailEncryptionEnabled:
            Properties:
              ConfigRuleName: cloud-trail-encryption-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
            Type: AWS::Config::ConfigRule
          CloudTrailLogFileValidationEnabled:
            Properties:
              ConfigRuleName: cloud-trail-log-file-validation-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
            Type: AWS::Config::ConfigRule
          CloudtrailS3DataeventsEnabled:
            Properties:
              ConfigRuleName: cloudtrail-s3-dataevents-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
            Type: AWS::Config::ConfigRule
          CloudwatchLogGroupEncrypted:
            Properties:
              ConfigRuleName: cloudwatch-log-group-encrypted
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
            Type: AWS::Config::ConfigRule
          CmkBackingKeyRotationEnabled:
            Properties:
              ConfigRuleName: cmk-backing-key-rotation-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
            Type: AWS::Config::ConfigRule
          DbInstanceBackupEnabled:
            Properties:
              ConfigRuleName: db-instance-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
            Type: AWS::Config::ConfigRule
          DmsReplicationNotPublic:
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
            Type: AWS::Config::ConfigRule
          DynamodbAutoscalingEnabled:
            Properties:
              ConfigRuleName: dynamodb-autoscaling-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::DynamoDB::Table
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
            Type: AWS::Config::ConfigRule
          DynamodbInBackupPlan:
            Properties:
              ConfigRuleName: dynamodb-in-backup-plan
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          DynamodbPitrEnabled:
            Properties:
              ConfigRuleName: dynamodb-pitr-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::DynamoDB::Table
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_PITR_ENABLED
            Type: AWS::Config::ConfigRule
          DynamodbResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: dynamodb-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes:
                  - AWS::DynamoDB::Table
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          DynamodbTableEncryptedKms:
            Properties:
              ConfigRuleName: dynamodb-table-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - AWS::DynamoDB::Table
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS
            Type: AWS::Config::ConfigRule
          EbsInBackupPlan:
            Properties:
              ConfigRuleName: ebs-in-backup-plan
              Source:
                Owner: AWS
                SourceIdentifier: EBS_IN_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          EbsOptimizedInstance:
            Properties:
              ConfigRuleName: ebs-optimized-instance
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
              Source:
                Owner: AWS
                SourceIdentifier: EBS_OPTIMIZED_INSTANCE
            Type: AWS::Config::ConfigRule
          EbsResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: ebs-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Volume
              Source:
                Owner: AWS
                SourceIdentifier: EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          EbsSnapshotPublicRestorableCheck:
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            Type: AWS::Config::ConfigRule
          Ec2EbsEncryptionByDefault:
            Properties:
              ConfigRuleName: ec2-ebs-encryption-by-default
              Source:
                Owner: AWS
                SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
            Type: AWS::Config::ConfigRule
          Ec2InstanceManagedBySsm:
            Properties:
              ConfigRuleName: ec2-instance-managed-by-systems-manager
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
                  - AWS::SSM::ManagedInstanceInventory
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
            Type: AWS::Config::ConfigRule
          Ec2InstanceNoPublicIp:
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
            Type: AWS::Config::ConfigRule
          Ec2ManagedinstanceAssociationComplianceStatusCheck:
            Properties:
              ConfigRuleName: ec2-managedinstance-association-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::SSM::AssociationCompliance
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
            Type: AWS::Config::ConfigRule
          Ec2ManagedinstancePatchComplianceStatusCheck:
            Properties:
              ConfigRuleName: ec2-managedinstance-patch-compliance-status-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::SSM::PatchCompliance
              Source:
                Owner: AWS
                SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
            Type: AWS::Config::ConfigRule
          Ec2ResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: ec2-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
              Source:
                Owner: AWS
                SourceIdentifier: EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          EfsEncryptedCheck:
            Properties:
              ConfigRuleName: efs-encrypted-check
              Source:
                Owner: AWS
                SourceIdentifier: EFS_ENCRYPTED_CHECK
            Type: AWS::Config::ConfigRule
          EfsInBackupPlan:
            Properties:
              ConfigRuleName: efs-in-backup-plan
              Source:
                Owner: AWS
                SourceIdentifier: EFS_IN_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          EfsResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: efs-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes:
                  - AWS::EFS::FileSystem
              Source:
                Owner: AWS
                SourceIdentifier: EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          EipAttached:
            Properties:
              ConfigRuleName: eip-attached
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::EIP
              Source:
                Owner: AWS
                SourceIdentifier: EIP_ATTACHED
            Type: AWS::Config::ConfigRule
          ElasticacheRedisClusterAutomaticBackupCheck:
            Properties:
              ConfigRuleName: elasticache-redis-cluster-automatic-backup-check
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
            Type: AWS::Config::ConfigRule
          ElasticsearchEncryptedAtRest:
            Properties:
              ConfigRuleName: elasticsearch-encrypted-at-rest
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
            Type: AWS::Config::ConfigRule
          ElasticsearchInVpcOnly:
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
            Type: AWS::Config::ConfigRule
          ElasticsearchNodeToNodeEncryptionCheck:
            Properties:
              ConfigRuleName: elasticsearch-node-to-node-encryption-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::Elasticsearch::Domain
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
            Type: AWS::Config::ConfigRule
          ElbAcmCertificateRequired:
            Properties:
              ConfigRuleName: elb-acm-certificate-required
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
            Type: AWS::Config::ConfigRule
          ElbCrossZoneLoadBalancingEnabled:
            Properties:
              ConfigRuleName: elb-cross-zone-load-balancing-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
            Type: AWS::Config::ConfigRule
          ElbDeletionProtectionEnabled:
            Properties:
              ConfigRuleName: elb-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancingV2::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
            Type: AWS::Config::ConfigRule
          ElbLoggingEnabled:
            Properties:
              ConfigRuleName: elb-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
                  - AWS::ElasticLoadBalancingV2::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          ElbTlsHttpsListenersOnly:
            Properties:
              ConfigRuleName: elb-tls-https-listeners-only
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_TLS_HTTPS_LISTENERS_ONLY
            Type: AWS::Config::ConfigRule
          EmrKerberosEnabled:
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
            Type: AWS::Config::ConfigRule
          EmrMasterNoPublicIp:
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
            Type: AWS::Config::ConfigRule
          EncryptedVolumes:
            Properties:
              ConfigRuleName: encrypted-volumes
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Volume
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
            Type: AWS::Config::ConfigRule
          FsxResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: fsx-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          GuarddutyEnabledCentralized:
            Properties:
              ConfigRuleName: guardduty-enabled-centralized
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
            Type: AWS::Config::ConfigRule
          IamGroupHasUsersCheck:
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::Group
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
            Type: AWS::Config::ConfigRule
          IamNoInlinePolicyCheck:
            Properties:
              ConfigRuleName: iam-no-inline-policy-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::User
                  - AWS::IAM::Role
                  - AWS::IAM::Group
              Source:
                Owner: AWS
                SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK
            Type: AWS::Config::ConfigRule
          IamPasswordPolicy:
            Properties:
              ConfigRuleName: iam-password-policy
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
            Type: AWS::Config::ConfigRule
          IamPolicyNoStatementsWithAdminAccess:
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::Policy
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
            Type: AWS::Config::ConfigRule
          IamUserGroupMembershipCheck:
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::User
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
            Type: AWS::Config::ConfigRule
          IamUserNoPoliciesCheck:
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::User
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
            Type: AWS::Config::ConfigRule
          IamUserUnusedCredentialsCheck:
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              InputParameters:
                maxCredentialUsageAge:
                  Fn::If:
                    - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
                    - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
                    - Ref: AWS::NoValue
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
            Type: AWS::Config::ConfigRule
          IncomingSshDisabled:
            Properties:
              ConfigRuleName: restricted-ssh
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
            Type: AWS::Config::ConfigRule
          MfaEnabledForIamConsoleAccess:
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
            Type: AWS::Config::ConfigRule
          MultiRegionCloudTrailEnabled:
            Properties:
              ConfigRuleName: multi-region-cloudtrail-enabled
              Source:
                Owner: AWS
                SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
            Type: AWS::Config::ConfigRule
          RdsInBackupPlan:
            Properties:
              ConfigRuleName: rds-in-backup-plan
              Source:
                Owner: AWS
                SourceIdentifier: RDS_IN_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          RdsInstanceIamAuthenticationEnabled:
            Properties:
              ConfigRuleName: rds-instance-iam-authentication-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED
            Type: AWS::Config::ConfigRule
          RdsInstancePublicAccessCheck:
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
            Type: AWS::Config::ConfigRule
          RdsLoggingEnabled:
            Properties:
              ConfigRuleName: rds-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          RdsMultiAzSupport:
            Properties:
              ConfigRuleName: rds-multi-az-support
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_MULTI_AZ_SUPPORT
            Type: AWS::Config::ConfigRule
          RdsResourcesProtectedByBackupPlan:
            Properties:
              ConfigRuleName: rds-resources-protected-by-backup-plan
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
            Type: AWS::Config::ConfigRule
          RdsSnapshotEncrypted:
            Properties:
              ConfigRuleName: rds-snapshot-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBSnapshot
                  - AWS::RDS::DBClusterSnapshot
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
            Type: AWS::Config::ConfigRule
          RdsSnapshotsPublicProhibited:
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBSnapshot
                  - AWS::RDS::DBClusterSnapshot
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
            Type: AWS::Config::ConfigRule
          RdsStorageEncrypted:
            Properties:
              ConfigRuleName: rds-storage-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
            Type: AWS::Config::ConfigRule
          RedshiftBackupEnabled:
            Properties:
              ConfigRuleName: redshift-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_BACKUP_ENABLED
            Type: AWS::Config::ConfigRule
          RedshiftClusterConfigurationCheck:
            Properties:
              ConfigRuleName: redshift-cluster-configuration-check
              InputParameters:
                clusterDbEncrypted:
                  Fn::If:
                    - redshiftClusterConfigurationCheckParamClusterDbEncrypted
                    - Ref: RedshiftClusterConfigurationCheckParamClusterDbEncrypted
                    - Ref: AWS::NoValue
                loggingEnabled:
                  Fn::If:
                    - redshiftClusterConfigurationCheckParamLoggingEnabled
                    - Ref: RedshiftClusterConfigurationCheckParamLoggingEnabled
                    - Ref: AWS::NoValue
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
            Type: AWS::Config::ConfigRule
          RedshiftClusterPublicAccessCheck:
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
            Type: AWS::Config::ConfigRule
          RedshiftRequireTlsSsl:
            Properties:
              ConfigRuleName: redshift-require-tls-ssl
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
            Type: AWS::Config::ConfigRule
          RestrictedIncomingTraffic:
            Properties:
              ConfigRuleName: restricted-common-ports
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
            Type: AWS::Config::ConfigRule
          RootAccountHardwareMfaEnabled:
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          RootAccountMfaEnabled:
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          S3AccountLevelPublicAccessBlocksPeriodic:
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks-periodic
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
            Type: AWS::Config::ConfigRule
          S3BucketLoggingEnabled:
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketPolicyGranteeCheck:
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
            Type: AWS::Config::ConfigRule
          S3BucketPublicReadProhibited:
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
            Type: AWS::Config::ConfigRule
          S3BucketPublicWriteProhibited:
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
            Type: AWS::Config::ConfigRule
          S3BucketReplicationEnabled:
            Properties:
              ConfigRuleName: s3-bucket-replication-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketServerSideEncryptionEnabled:
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketSslRequestsOnly:
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
            Type: AWS::Config::ConfigRule
          S3BucketVersioningEnabled:
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
            Type: AWS::Config::ConfigRule
          S3DefaultEncryptionKms:
            Properties:
              ConfigRuleName: s3-default-encryption-kms
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_DEFAULT_ENCRYPTION_KMS
            Type: AWS::Config::ConfigRule
          SagemakerEndpointConfigurationKmsKeyConfigured:
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
            Type: AWS::Config::ConfigRule
          SagemakerNotebookInstanceKmsKeyConfigured:
            Properties:
              ConfigRuleName: sagemaker-notebook-instance-kms-key-configured
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
            Type: AWS::Config::ConfigRule
          SagemakerNotebookNoDirectInternetAccess:
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
            Type: AWS::Config::ConfigRule
          SecretsmanagerRotationEnabledCheck:
            Properties:
              ConfigRuleName: secretsmanager-rotation-enabled-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::SecretsManager::Secret
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK
            Type: AWS::Config::ConfigRule
          SecretsmanagerScheduledRotationSuccessCheck:
            Properties:
              ConfigRuleName: secretsmanager-scheduled-rotation-success-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::SecretsManager::Secret
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK
            Type: AWS::Config::ConfigRule
          SecurityhubEnabled:
            Properties:
              ConfigRuleName: securityhub-enabled
              Source:
                Owner: AWS
                SourceIdentifier: SECURITYHUB_ENABLED
            Type: AWS::Config::ConfigRule
          SnsEncryptedKms:
            Properties:
              ConfigRuleName: sns-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - AWS::SNS::Topic
              Source:
                Owner: AWS
                SourceIdentifier: SNS_ENCRYPTED_KMS
            Type: AWS::Config::ConfigRule
          VpcDefaultSecurityGroupClosed:
            Properties:
              ConfigRuleName: vpc-default-security-group-closed
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
            Type: AWS::Config::ConfigRule
          VpcFlowLogsEnabled:
            Properties:
              ConfigRuleName: vpc-flow-logs-enabled
              Source:
                Owner: AWS
                SourceIdentifier: VPC_FLOW_LOGS_ENABLED
            Type: AWS::Config::ConfigRule
          VpcSgOpenOnlyToAuthorizedPorts:
            Properties:
              ConfigRuleName: vpc-sg-open-only-to-authorized-ports
              InputParameters:
                authorizedTcpPorts:
                  Fn::If:
                    - vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
                    - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
                    - Ref: AWS::NoValue
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
            Type: AWS::Config::ConfigRule
          VpcVpn2TunnelsUp:
            Properties:
              ConfigRuleName: vpc-vpn-2-tunnels-up
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::VPNConnection
              Source:
                Owner: AWS
                SourceIdentifier: VPC_VPN_2_TUNNELS_UP
            Type: AWS::Config::ConfigRule
          Wafv2LoggingEnabled:
            Properties:
              ConfigRuleName: wafv2-logging-enabled
              Source:
                Owner: AWS
                SourceIdentifier: WAFV2_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule