AWSTemplateFormatVersion: 2010-09-09
Description: Config Rules to check resource's compliance status (qs-1r6f0fdcm)
Parameters:
  RequiredTagKey:
    Type: String
    Default: Environment
Resources:

    # 1. Check for IAM PasswordPolicy
    CheckForIamPasswordPolicy:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-for-iam-password-policy
        Description: Checks whether the account password policy for IAM users meets the specified requirements.
        Source:
          Owner: AWS
          SourceIdentifier: IAM_PASSWORD_POLICY
        InputParameters:
          RequireUppercaseCharacters: true
          RequireLowercaseCharacters: true
          RequireSymbols: true
          RequireNumbers: true
          MinimumPasswordLength: 12
          PasswordReusePrevention: 6
          MaxPasswordAge: 90

    # 2. Root Access Key Check
    CheckRootAccessKey:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-root-access-key
        Description: Checks whether the root user access key is available.
        Source:
          Owner: AWS
          SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
          
    # 3. Root MFA Check
    CheckForRootMfa:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-root-mfa-enabled
        Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
        Source:
          Owner: AWS
          SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
        
    # 4. CloudTrail Enabled
    CheckForCloudTrailEnabled:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-whether-cloudtrail-is-enabled
        Description: Checks whether AWS CloudTrail is enabled in your AWS account.
        Source:
          Owner: AWS
          SourceIdentifier: CLOUD_TRAIL_ENABLED
          
    # 5. Check for unrestricted SSH
    ConfigRuleForSSH:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-for-unrestricted-ssh-access
        Description: Checks whether security groups that are in use disallow unrestricted
          incoming SSH traffic.
        Scope:
          ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
        Source:
          Owner: AWS
          SourceIdentifier: INCOMING_SSH_DISABLED
          
    # 6. Check unrestrited security group with specific port
    CheckForRestrictedCommonPortsPolicy:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-for-unrestricted-ports
        Description: Checks whether security groups that are in use disallow unrestricted
          incoming TCP traffic to the specified ports.
        InputParameters:
          blockedPort1: 3389
        Scope:
          ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
        Source:
          Owner: AWS
          SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
    
    # 7. Required Tag
    ConfigRuleForRequiredTags:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-ec2-for-required-tag
        Description: Checks whether EC2 instances and volumes use the required tag.
        InputParameters:
          tag1Key: !Ref RequiredTagKey
        Scope:
          ComplianceResourceTypes:
          - AWS::EC2::Volume
          - AWS::EC2::Instance
        Source:
          Owner: AWS
          SourceIdentifier: REQUIRED_TAGS
          
    # 8. Check for S3 Bucket Public Read
    CheckForS3PublicRead:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-s3-bucket-public-read-prohibited
        Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
        Source:
          Owner: AWS
          SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
        Scope:
          ComplianceResourceTypes:
            - AWS::S3::Bucket

    # 9. Check For S3 Bucket Public Write
    CheckForS3PublicWrite:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-s3-bucket-public-write-prohibited
        Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
        Source:
          Owner: AWS
          SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
        Scope:
          ComplianceResourceTypes:
            - AWS::S3::Bucket

    # 10. Check for S3 Bucket Encryption
    CheckForS3ServerSideEncryption:
      Type: AWS::Config::ConfigRule
      Properties:
        ConfigRuleName: check-encrypted-s3-bucket
        Description: Checks for explicit denies on put-object requests without server side encryption.
        Source:
          Owner: AWS
          SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
        Scope:
          ComplianceResourceTypes:
            - AWS::S3::Bucket
            
    # 11. Check for Volume Encryption      
    CheckForEncryptedVolumes:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: check-encrypted-volume
          Description: Checks whether EBS volumes that are in an attached state are encrypted.
          Source:
            Owner: AWS
            SourceIdentifier: ENCRYPTED_VOLUMES
          Scope:
            ComplianceResourceTypes:
              - AWS::EC2::Volume
              
    # 12. Check for RDS Encryption
    CheckForRdsEncryption:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: check-encrypted-rds
          Description: Checks whether storage encryption is enabled for your RDS DB instances.
          Source:
            Owner: AWS
            SourceIdentifier: RDS_STORAGE_ENCRYPTED
          Scope:
            ComplianceResourceTypes:
              - AWS::RDS::DBInstance