AWSTemplateFormatVersion: 2010-09-09
Description: Best practice for PCI - DSS (fdp-1r7kea6h0)
Outputs:
  ConformancePackDeployed:
    Description: Conformance Pack
    Value: !Ref SCConformancePackPCIDSS
  ConformancePackConsole:
    Description: Link to conformance pack console
    Value: !Sub >-
      https://${AWS::Region}.console.aws.amazon.com/config/home?region=${AWS::Region}&v2=true#/conformance-packs
Parameters:
  S3BucketBlacklistedActionsProhibitedParameterBlacklistedActionPattern:
    Description: >-
      Comma-separated list of blacklisted action patterns, for example,
      s3:GetBucket* and s3:DeleteObject.
    Type: String
    Default: 's3:DeleteObject'
  S3BucketPolicyNotMorePermissiveParameterControlPolicy:
    Description: >-
      Amazon S3 bucket policy that defines an upper bound on the permissions of
      your S3 buckets. The policy can be a maximum of 1024 characters long.
    Type: String
    Default: Test
Resources:
  SCConformancePackPCIDSS:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackInputParameters:
        - ParameterName: >-
            S3BucketBlacklistedActionsProhibitedParameterBlacklistedActionPattern
          ParameterValue: !Ref >-
            S3BucketBlacklistedActionsProhibitedParameterBlacklistedActionPattern
        - ParameterName: S3BucketPolicyNotMorePermissiveParameterControlPolicy
          ParameterValue: !Ref S3BucketPolicyNotMorePermissiveParameterControlPolicy
      ConformancePackName: !Join
        - ''
        - - OperationalBestPracticesPCIDSSS-
          - !Select
            - 1
            - !Split
              - '-'
              - !Select
                - 2
                - !Split
                  - /
                  - !Ref 'AWS::StackId'
      DeliveryS3Bucket: '{{resolve:ssm:/conformancepack/deliverybucket:1}}'
      TemplateBody: |-
        Parameters:
          S3BucketBlacklistedActionsProhibitedParameterBlacklistedActionPattern:
            Description: >-
              Comma-separated list of blacklisted action patterns, for example,
              s3:GetBucket* and s3:DeleteObject.
            Type: String
          S3BucketPolicyNotMorePermissiveParameterControlPolicy:
            Description: >-
              Amazon S3 bucket policy that defines an upper bound on the permissions of
              your S3 buckets. The policy can be a maximum of 1024 characters long.
            Type: String
        Resources:
          DMSReplicationNotPublic:
            Properties:
              ConfigRuleName: DMSReplicationNotPublic
              Description: >-
                Checks whether AWS Database Migration Service replication instances are
                public. The rule is NON_COMPLIANT if PubliclyAccessible field is True.
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
            Type: 'AWS::Config::ConfigRule'
          EBSSnapshotPublicRestorableCheck:
            Properties:
              ConfigRuleName: EBSSnapshotPublicRestorableCheck
              Description: >-
                Checks whether Amazon Elastic Block Store (Amazon EBS) snapshots are not
                publicly restorable. The rule is NON_COMPLIANT if one or more snapshots
                with RestorableByUserIds field are set to all, that is, Amazon EBS
                snapshots are public.
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            Type: 'AWS::Config::ConfigRule'
          EC2InstanceNoPublicIP:
            Properties:
              ConfigRuleName: EC2InstanceNoPublicIP
              Description: >-
                Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a
                public IP association. The rule is NON_COMPLIANT if the publicIp field is
                present in the Amazon EC2 instance configuration item. This rule applies
                only to IPv4.
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
            Type: 'AWS::Config::ConfigRule'
          ElasticsearchInVPCOnly:
            Properties:
              ConfigRuleName: ElasticsearchInVPCOnly
              Description: >-
                Checks whether Amazon Elasticsearch Service domains are in Amazon Virtual
                Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if Amazon
                ElasticSearch Service domain endpoint is public.
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
            Type: 'AWS::Config::ConfigRule'
          IAMRootAccessKeyCheck:
            Properties:
              ConfigRuleName: IAMRootAccessKeyCheck
              Description: >-
                Checks whether the root user access key is available. The rule is
                compliant if the user access key does not exist.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
            Type: 'AWS::Config::ConfigRule'
          IAMUserMFAEnabled:
            Properties:
              ConfigRuleName: IAMUserMFAEnabled
              Description: >-
                Checks whether the AWS Identity and Access Management users have
                multi-factor authentication (MFA) enabled.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
            Type: 'AWS::Config::ConfigRule'
          IncomingSSHDisabled:
            Properties:
              ConfigRuleName: IncomingSSHDisabled
              Description: >-
                Checks whether security groups that are in use disallow unrestricted
                incoming SSH traffic.
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
            Type: 'AWS::Config::ConfigRule'
          InstancesInVPC:
            Properties:
              ConfigRuleName: InstancesInVPC
              Description: >-
                Checks whether your EC2 instances belong to a virtual private cloud
                (VPC).
              Source:
                Owner: AWS
                SourceIdentifier: INSTANCES_IN_VPC
            Type: 'AWS::Config::ConfigRule'
          LambdaFunctionPublicAccessProhibited:
            Properties:
              ConfigRuleName: LambdaFunctionPublicAccessProhibited
              Description: Checks whether the Lambda function policy prohibits public access.
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
            Type: 'AWS::Config::ConfigRule'
          LambdaInsideVPC:
            Properties:
              ConfigRuleName: LambdaInsideVPC
              Description: >-
                Checks whether an AWS Lambda function is in an Amazon Virtual Private
                Cloud. The rule is NON_COMPLIANT if the Lambda function is not in a VPC.
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_INSIDE_VPC
            Type: 'AWS::Config::ConfigRule'
          MFAEnabledForIAMConsoleAccess:
            Properties:
              ConfigRuleName: MFAEnabledForIAMConsoleAccess
              Description: >-
                Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all
                AWS Identity and Access Management (IAM) users that use a console
                password. The rule is compliant if MFA is enabled.
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
            Type: 'AWS::Config::ConfigRule'
          RDSInstancePublicAccessCheck:
            Properties:
              ConfigRuleName: RDSInstancePublicAccessCheck
              Description: >-
                Checks whether the Amazon Relational Database Service (Amazon RDS)
                instances are not publicly accessible. The rule is non-compliant if the
                publiclyAccessible field is true in the instance configuration item.
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
            Type: 'AWS::Config::ConfigRule'
          RDSSnapshotsPublicProhibited:
            Properties:
              ConfigRuleName: RDSSnapshotsPublicProhibited
              Description: >-
                Checks if Amazon Relational Database Service (Amazon RDS) snapshots are
                public. The rule is non-compliant if any existing and new Amazon RDS
                snapshots are public.
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
            Type: 'AWS::Config::ConfigRule'
          RedshiftClusterPublicAccessCheck:
            Properties:
              ConfigRuleName: RedshiftClusterPublicAccessCheck
              Description: >-
                Checks whether Amazon Redshift clusters are not publicly accessible. The
                rule is NON_COMPLIANT if the publiclyAccessible field is true in the
                cluster configuration item.
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
            Type: 'AWS::Config::ConfigRule'
          RestrictedIncomingTraffic:
            Properties:
              ConfigRuleName: RestrictedIncomingTraffic
              Description: >-
                Checks whether security groups that are in use disallow unrestricted
                incoming TCP traffic to the specified ports.
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
            Type: 'AWS::Config::ConfigRule'
          RootAccountHardwareMFAEnabled:
            Properties:
              ConfigRuleName: RootAccountHardwareMFAEnabled
              Description: >-
                Checks whether your AWS account is enabled to use multi-factor
                authentication (MFA) hardware device to sign in with root credentials.
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
            Type: 'AWS::Config::ConfigRule'
          RootAccountMFAEnabled:
            Properties:
              ConfigRuleName: RootAccountMFAEnabled
              Description: >-
                Checks whether the root user of your AWS account requires multi-factor
                authentication for console sign-in.
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
            Type: 'AWS::Config::ConfigRule'
          S3BucketBlacklistedActionsProhibited:
            Properties:
              ConfigRuleName: S3BucketBlacklistedActionsProhibited
              Description: >-
                Checks that the S3 bucket policy does not allow blacklisted bucket-level
                and object-level actions for principals from other AWS Accounts. The rule
                is non-compliant if any blacklisted actions are allowed by the S3 bucket
                policy.
              InputParameters:
                blacklistedActionPattern: !Ref S3BucketBlacklistedActionsProhibitedParameterBlacklistedActionPattern
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED
            Type: 'AWS::Config::ConfigRule'
          S3BucketPolicyGranteeCheck:
            Properties:
              ConfigRuleName: S3BucketPolicyGranteeCheck
              Description: >-
                Checks that the access granted by the Amazon S3 bucket is restricted to
                any of the AWS principals, federated users, service principals, IP
                addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket
                policy is not present.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
            Type: 'AWS::Config::ConfigRule'
          S3BucketPolicyNotMorePermissive:
            Properties:
              ConfigRuleName: S3BucketPolicyNotMorePermissive
              Description: >-
                Verifies that your Amazon S3 bucket policies do not allow other
                inter-account permissions than the control S3 bucket policy that you
                provide.
              InputParameters:
                controlPolicy: !Ref S3BucketPolicyNotMorePermissiveParameterControlPolicy
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE
            Type: 'AWS::Config::ConfigRule'
          S3BucketPublicReadProhibited1:
            Properties:
              ConfigRuleName: S3BucketPublicReadProhibited1
              Description: >-
                Checks that your Amazon S3 buckets do not allow public read access. The
                rule checks the Block Public Access settings, the bucket policy, and the
                bucket access control list (ACL).
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
            Type: 'AWS::Config::ConfigRule'
          S3BucketPublicWriteProhibited:
            Properties:
              ConfigRuleName: S3BucketPublicWriteProhibited
              Description: >-
                Checks that your Amazon S3 buckets do not allow public write access. The
                rule checks the Block Public Access settings, the bucket policy, and the
                bucket access control list (ACL).
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
            Type: 'AWS::Config::ConfigRule'
          S3BucketVersioningEnabled:
            Properties:
              ConfigRuleName: S3BucketVersioningEnabled
              Description: Checks whether versioning is enabled for your S3 buckets.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
            Type: 'AWS::Config::ConfigRule'
          VPCDefaultSecurityGroupClosed:
            Properties:
              ConfigRuleName: VPCDefaultSecurityGroupClosed
              Description: >-
                Checks that the default security group of any Amazon Virtual Private
                Cloud (Amazon VPC) does not allow inbound or outbound traffic. The rule
                is non-compliant if the default security group has inbound or outbound
                traffic.
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
            Type: 'AWS::Config::ConfigRule'
          VPCSGOpenOnlyToAuthorizedPorts:
            Properties:
              ConfigRuleName: VPCSGOpenOnlyToAuthorizedPorts
              Description: >-
                Checks whether any security groups with inbound 0.0.0.0/0 have TCP or
                UDP ports accessible. The rule is NON_COMPLIANT when a security group
                with inbound 0.0.0.0/0 has a port accessible which is not specified in
                the rule parameters.
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
            Type: 'AWS::Config::ConfigRule'