Last active
October 4, 2023 19:36
-
-
Save atheiman/3dc06afb63b96bfa8a81c8e96f36910c to your computer and use it in GitHub Desktop.
AWS Config Conformance Pack Operational-Best-Practices-for-NIST-800-171 from github.com/awslabs/aws-config-rules with rules not supported in GovCloud regions disabled (`Condition: StandardPartition`). This could become out of date soon as more config rules are added to GovCloud regions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################## | |
| # | |
| # Conformance Pack: | |
| # Operational Best Practices for NIST 800-171 | |
| # | |
| # This conformance pack helps verify compliance with NIST 800-171 requirements. | |
| # | |
| # See Parameters section for names and descriptions of required parameters. | |
| # | |
| ################################################################################## | |
| Parameters: | |
| ConfigRuleNamePrefix: | |
| Default: 'nist-800-171-' | |
| Type: String | |
| AcmCertificateExpirationCheckParamDaysToExpiration: | |
| Default: '90' | |
| Type: String | |
| CloudwatchAlarmActionCheckParamInsufficientDataActionRequired: | |
| Default: 'true' | |
| Type: String | |
| CloudwatchAlarmActionCheckParamOkActionRequired: | |
| Default: 'false' | |
| Type: String | |
| Ec2VolumeInuseCheckParamDeleteOnTermination: | |
| Default: 'true' | |
| Type: String | |
| GuarddutyNonArchivedFindingsParamDaysHighSev: | |
| Default: '1' | |
| Type: String | |
| GuarddutyNonArchivedFindingsParamDaysLowSev: | |
| Default: '30' | |
| Type: String | |
| GuarddutyNonArchivedFindingsParamDaysMediumSev: | |
| Default: '7' | |
| Type: String | |
| IamPasswordPolicyParamMaxPasswordAge: | |
| Default: '90' | |
| Type: String | |
| IamPasswordPolicyParamMinimumPasswordLength: | |
| Default: '14' | |
| Type: String | |
| IamPasswordPolicyParamPasswordReusePrevention: | |
| Default: '24' | |
| Type: String | |
| IamPasswordPolicyParamRequireLowercaseCharacters: | |
| Default: 'true' | |
| Type: String | |
| IamPasswordPolicyParamRequireNumbers: | |
| Default: 'true' | |
| Type: String | |
| IamPasswordPolicyParamRequireSymbols: | |
| Default: 'true' | |
| Type: String | |
| IamPasswordPolicyParamRequireUppercaseCharacters: | |
| Default: 'true' | |
| Type: String | |
| IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge: | |
| Default: '90' | |
| Type: String | |
| RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade: | |
| Default: 'true' | |
| Type: String | |
| RestrictedIncomingTrafficParamBlockedPort1: | |
| Default: '20' | |
| Type: String | |
| RestrictedIncomingTrafficParamBlockedPort2: | |
| Default: '21' | |
| Type: String | |
| RestrictedIncomingTrafficParamBlockedPort3: | |
| Default: '3389' | |
| Type: String | |
| RestrictedIncomingTrafficParamBlockedPort4: | |
| Default: '3306' | |
| Type: String | |
| RestrictedIncomingTrafficParamBlockedPort5: | |
| Default: '4333' | |
| Type: String | |
| S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls: | |
| Default: 'true' | |
| Type: String | |
| S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy: | |
| Default: 'true' | |
| Type: String | |
| S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls: | |
| Default: 'true' | |
| Type: String | |
| S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets: | |
| Default: 'true' | |
| Type: String | |
| VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts: | |
| Default: '443' | |
| Type: String | |
| VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts: | |
| Default: 1020-1025 | |
| Type: String | |
| Resources: | |
| AcmCertificateExpirationCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}acm-certificate-expiration-check' | |
| InputParameters: | |
| daysToExpiration: | |
| Fn::If: | |
| - acmCertificateExpirationCheckParamDaysToExpiration | |
| - Ref: AcmCertificateExpirationCheckParamDaysToExpiration | |
| - Ref: AWS::NoValue | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ACM::Certificate | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK | |
| Type: AWS::Config::ConfigRule | |
| AlbHttpToHttpsRedirectionCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}alb-http-to-https-redirection-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | |
| Type: AWS::Config::ConfigRule | |
| AlbWafEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}alb-waf-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticLoadBalancingV2::LoadBalancer | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ALB_WAF_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| ApiGwAssociatedWithWaf: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}api-gw-associated-with-waf' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ApiGateway::Stage | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: API_GW_ASSOCIATED_WITH_WAF | |
| Type: AWS::Config::ConfigRule | |
| ApiGwCacheEnabledAndEncrypted: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}api-gw-cache-enabled-and-encrypted' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ApiGateway::Stage | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED | |
| Type: AWS::Config::ConfigRule | |
| ApiGwExecutionLoggingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}api-gw-execution-logging-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ApiGateway::Stage | |
| - AWS::ApiGatewayV2::Stage | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| ApiGwSslEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}api-gw-ssl-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ApiGateway::Stage | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: API_GW_SSL_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| AutoscalingGroupElbHealthcheckRequired: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}autoscaling-group-elb-healthcheck-required' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::AutoScaling::AutoScalingGroup | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED | |
| Type: AWS::Config::ConfigRule | |
| AutoscalingLaunchConfigPublicIpDisabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}autoscaling-launch-config-public-ip-disabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::AutoScaling::LaunchConfiguration | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudTrailCloudWatchLogsEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloud-trail-cloud-watch-logs-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudTrailEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloudtrail-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUD_TRAIL_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudTrailEncryptionEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloud-trail-encryption-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudTrailLogFileValidationEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloud-trail-log-file-validation-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudtrailS3DataeventsEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloudtrail-s3-dataevents-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudtrailSecurityTrailEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloudtrail-security-trail-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CloudwatchAlarmActionCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloudwatch-alarm-action-check' | |
| InputParameters: | |
| alarmActionRequired: 'TRUE' | |
| insufficientDataActionRequired: | |
| Fn::If: | |
| - cloudwatchAlarmActionCheckParamInsufficientDataActionRequired | |
| - Ref: CloudwatchAlarmActionCheckParamInsufficientDataActionRequired | |
| - Ref: AWS::NoValue | |
| okActionRequired: | |
| Fn::If: | |
| - cloudwatchAlarmActionCheckParamOkActionRequired | |
| - Ref: CloudwatchAlarmActionCheckParamOkActionRequired | |
| - Ref: AWS::NoValue | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::CloudWatch::Alarm | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK | |
| Type: AWS::Config::ConfigRule | |
| CloudwatchLogGroupEncrypted: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cloudwatch-log-group-encrypted' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED | |
| Type: AWS::Config::ConfigRule | |
| CmkBackingKeyRotationEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cmk-backing-key-rotation-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| CodebuildProjectEnvvarAwscredCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}codebuild-project-envvar-awscred-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::CodeBuild::Project | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK | |
| Type: AWS::Config::ConfigRule | |
| CodebuildProjectSourceRepoUrlCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}codebuild-project-source-repo-url-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::CodeBuild::Project | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK | |
| Type: AWS::Config::ConfigRule | |
| CwLoggroupRetentionPeriodCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}cw-loggroup-retention-period-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK | |
| Type: AWS::Config::ConfigRule | |
| DbInstanceBackupEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}db-instance-backup-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBInstance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| DmsReplicationNotPublic: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}dms-replication-not-public' | |
| Scope: | |
| ComplianceResourceTypes: [] | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC | |
| Type: AWS::Config::ConfigRule | |
| DynamodbAutoscalingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-autoscaling-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::DynamoDB::Table | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| DynamodbInBackupPlan: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-in-backup-plan' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN | |
| Type: AWS::Config::ConfigRule | |
| DynamodbPitrEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-pitr-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::DynamoDB::Table | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DYNAMODB_PITR_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| DynamodbTableEncryptedKms: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-table-encrypted-kms' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::DynamoDB::Table | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS | |
| Type: AWS::Config::ConfigRule | |
| DynamodbThroughputLimitCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}dynamodb-throughput-limit-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK | |
| Type: AWS::Config::ConfigRule | |
| EbsInBackupPlan: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ebs-in-backup-plan' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EBS_IN_BACKUP_PLAN | |
| Type: AWS::Config::ConfigRule | |
| EbsOptimizedInstance: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ebs-optimized-instance' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Instance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EBS_OPTIMIZED_INSTANCE | |
| Type: AWS::Config::ConfigRule | |
| EbsSnapshotPublicRestorableCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ebs-snapshot-public-restorable-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | |
| Type: AWS::Config::ConfigRule | |
| Ec2EbsEncryptionByDefault: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-ebs-encryption-by-default' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT | |
| Type: AWS::Config::ConfigRule | |
| Ec2InstanceManagedBySsm: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-instance-managed-by-systems-manager' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Instance | |
| - AWS::SSM::ManagedInstanceInventory | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM | |
| Type: AWS::Config::ConfigRule | |
| Ec2InstanceNoPublicIp: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-instance-no-public-ip' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Instance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP | |
| Type: AWS::Config::ConfigRule | |
| Ec2InstanceProfileAttached: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-instance-profile-attached' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Instance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_INSTANCE_PROFILE_ATTACHED | |
| Type: AWS::Config::ConfigRule | |
| Ec2ManagedinstanceAssociationComplianceStatusCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-managedinstance-association-compliance-status-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::SSM::AssociationCompliance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| Ec2ManagedinstancePatchComplianceStatusCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-managedinstance-patch-compliance-status-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::SSM::PatchCompliance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| Ec2SecurityGroupAttachedToEniPeriodic: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-security-group-attached-to-eni-periodic' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::SecurityGroup | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC | |
| Type: AWS::Config::ConfigRule | |
| Ec2StoppedInstance: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-stopped-instance' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_STOPPED_INSTANCE | |
| Type: AWS::Config::ConfigRule | |
| Ec2VolumeInuseCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-volume-inuse-check' | |
| InputParameters: | |
| deleteOnTermination: | |
| Fn::If: | |
| - ec2VolumeInuseCheckParamDeleteOnTermination | |
| - Ref: Ec2VolumeInuseCheckParamDeleteOnTermination | |
| - Ref: AWS::NoValue | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Volume | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EC2_VOLUME_INUSE_CHECK | |
| Type: AWS::Config::ConfigRule | |
| EcsContainersNonprivileged: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ecs-containers-nonprivileged' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ECS::TaskDefinition | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ECS_CONTAINERS_NONPRIVILEGED | |
| Type: AWS::Config::ConfigRule | |
| EcsContainersReadonlyAccess: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ecs-containers-readonly-access' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ECS::TaskDefinition | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ECS_CONTAINERS_READONLY_ACCESS | |
| Type: AWS::Config::ConfigRule | |
| EcsTaskDefinitionNonrootUser: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ecs-task-definition-nonroot-user' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ECS::TaskDefinition | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ECS_TASK_DEFINITION_NONROOT_USER | |
| Type: AWS::Config::ConfigRule | |
| EcsTaskDefinitionUserForHostModeCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ecs-task-definition-user-for-host-mode-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ECS::TaskDefinition | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK | |
| Type: AWS::Config::ConfigRule | |
| EfsAccessPointEnforceUserIdentity: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}efs-access-point-enforce-user-identity' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EFS::AccessPoint | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY | |
| Type: AWS::Config::ConfigRule | |
| EfsEncryptedCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}efs-encrypted-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EFS_ENCRYPTED_CHECK | |
| Type: AWS::Config::ConfigRule | |
| EfsInBackupPlan: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}efs-in-backup-plan' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EFS_IN_BACKUP_PLAN | |
| Type: AWS::Config::ConfigRule | |
| EipAttached: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}eip-attached' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::EIP | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EIP_ATTACHED | |
| Type: AWS::Config::ConfigRule | |
| ElasticBeanstalkManagedUpdatesEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elastic-beanstalk-managed-updates-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticBeanstalk::Environment | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| ElasticacheRedisClusterAutomaticBackupCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elasticache-redis-cluster-automatic-backup-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK | |
| Type: AWS::Config::ConfigRule | |
| ElasticsearchEncryptedAtRest: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-encrypted-at-rest' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST | |
| Type: AWS::Config::ConfigRule | |
| ElasticsearchInVpcOnly: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-in-vpc-only' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY | |
| Type: AWS::Config::ConfigRule | |
| ElasticsearchLogsToCloudwatch: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-logs-to-cloudwatch' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Elasticsearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELASTICSEARCH_LOGS_TO_CLOUDWATCH | |
| Type: AWS::Config::ConfigRule | |
| ElasticsearchNodeToNodeEncryptionCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elasticsearch-node-to-node-encryption-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Elasticsearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK | |
| Type: AWS::Config::ConfigRule | |
| ElbAcmCertificateRequired: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elb-acm-certificate-required' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticLoadBalancing::LoadBalancer | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED | |
| Type: AWS::Config::ConfigRule | |
| ElbCrossZoneLoadBalancingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elb-cross-zone-load-balancing-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticLoadBalancing::LoadBalancer | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| ElbDeletionProtectionEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elb-deletion-protection-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticLoadBalancingV2::LoadBalancer | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| ElbLoggingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elb-logging-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticLoadBalancing::LoadBalancer | |
| - AWS::ElasticLoadBalancingV2::LoadBalancer | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELB_LOGGING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| ElbTlsHttpsListenersOnly: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elb-tls-https-listeners-only' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::ElasticLoadBalancing::LoadBalancer | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELB_TLS_HTTPS_LISTENERS_ONLY | |
| Type: AWS::Config::ConfigRule | |
| Elbv2AcmCertificateRequired: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}elbv2-acm-certificate-required' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ELBV2_ACM_CERTIFICATE_REQUIRED | |
| Type: AWS::Config::ConfigRule | |
| EmrKerberosEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}emr-kerberos-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EMR_KERBEROS_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| EmrMasterNoPublicIp: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}emr-master-no-public-ip' | |
| Scope: | |
| ComplianceResourceTypes: [] | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP | |
| Type: AWS::Config::ConfigRule | |
| EncryptedVolumes: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}encrypted-volumes' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Volume | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ENCRYPTED_VOLUMES | |
| Type: AWS::Config::ConfigRule | |
| GuarddutyEnabledCentralized: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}guardduty-enabled-centralized' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED | |
| Type: AWS::Config::ConfigRule | |
| GuarddutyNonArchivedFindings: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}guardduty-non-archived-findings' | |
| InputParameters: | |
| daysHighSev: | |
| Fn::If: | |
| - guarddutyNonArchivedFindingsParamDaysHighSev | |
| - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev | |
| - Ref: AWS::NoValue | |
| daysLowSev: | |
| Fn::If: | |
| - guarddutyNonArchivedFindingsParamDaysLowSev | |
| - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev | |
| - Ref: AWS::NoValue | |
| daysMediumSev: | |
| Fn::If: | |
| - guarddutyNonArchivedFindingsParamDaysMediumSev | |
| - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev | |
| - Ref: AWS::NoValue | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS | |
| Type: AWS::Config::ConfigRule | |
| IamGroupHasUsersCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-group-has-users-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::IAM::Group | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| IamNoInlinePolicyCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-no-inline-policy-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::IAM::User | |
| - AWS::IAM::Role | |
| - AWS::IAM::Group | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK | |
| Type: AWS::Config::ConfigRule | |
| IamPasswordPolicy: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-password-policy' | |
| InputParameters: | |
| MaxPasswordAge: | |
| Fn::If: | |
| - iamPasswordPolicyParamMaxPasswordAge | |
| - Ref: IamPasswordPolicyParamMaxPasswordAge | |
| - Ref: AWS::NoValue | |
| MinimumPasswordLength: | |
| Fn::If: | |
| - iamPasswordPolicyParamMinimumPasswordLength | |
| - Ref: IamPasswordPolicyParamMinimumPasswordLength | |
| - Ref: AWS::NoValue | |
| PasswordReusePrevention: | |
| Fn::If: | |
| - iamPasswordPolicyParamPasswordReusePrevention | |
| - Ref: IamPasswordPolicyParamPasswordReusePrevention | |
| - Ref: AWS::NoValue | |
| RequireLowercaseCharacters: | |
| Fn::If: | |
| - iamPasswordPolicyParamRequireLowercaseCharacters | |
| - Ref: IamPasswordPolicyParamRequireLowercaseCharacters | |
| - Ref: AWS::NoValue | |
| RequireNumbers: | |
| Fn::If: | |
| - iamPasswordPolicyParamRequireNumbers | |
| - Ref: IamPasswordPolicyParamRequireNumbers | |
| - Ref: AWS::NoValue | |
| RequireSymbols: | |
| Fn::If: | |
| - iamPasswordPolicyParamRequireSymbols | |
| - Ref: IamPasswordPolicyParamRequireSymbols | |
| - Ref: AWS::NoValue | |
| RequireUppercaseCharacters: | |
| Fn::If: | |
| - iamPasswordPolicyParamRequireUppercaseCharacters | |
| - Ref: IamPasswordPolicyParamRequireUppercaseCharacters | |
| - Ref: AWS::NoValue | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_PASSWORD_POLICY | |
| Type: AWS::Config::ConfigRule | |
| IamPolicyNoStatementsWithAdminAccess: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-policy-no-statements-with-admin-access' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::IAM::Policy | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | |
| Type: AWS::Config::ConfigRule | |
| IamPolicyNoStatementsWithFullAccess: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-policy-no-statements-with-full-access' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::IAM::Policy | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS | |
| Type: AWS::Config::ConfigRule | |
| IamRootAccessKeyCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-root-access-key-check' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK | |
| Type: AWS::Config::ConfigRule | |
| IamUserGroupMembershipCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-user-group-membership-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::IAM::User | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK | |
| Type: AWS::Config::ConfigRule | |
| IamUserMfaEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-user-mfa-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_USER_MFA_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| IamUserNoPoliciesCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-user-no-policies-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::IAM::User | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_USER_NO_POLICIES_CHECK | |
| Type: AWS::Config::ConfigRule | |
| IamUserUnusedCredentialsCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}iam-user-unused-credentials-check' | |
| InputParameters: | |
| maxCredentialUsageAge: | |
| Fn::If: | |
| - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge | |
| - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge | |
| - Ref: AWS::NoValue | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| IncomingSshDisabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}restricted-ssh' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::SecurityGroup | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: INCOMING_SSH_DISABLED | |
| Type: AWS::Config::ConfigRule | |
| InstancesInVpc: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ec2-instances-in-vpc' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Instance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: INSTANCES_IN_VPC | |
| Type: AWS::Config::ConfigRule | |
| InternetGatewayAuthorizedVpcOnly: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}internet-gateway-authorized-vpc-only' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::InternetGateway | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | |
| Type: AWS::Config::ConfigRule | |
| KmsCmkNotScheduledForDeletion: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}kms-cmk-not-scheduled-for-deletion' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::KMS::Key | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION | |
| Type: AWS::Config::ConfigRule | |
| LambdaFunctionPublicAccessProhibited: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}lambda-function-public-access-prohibited' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Lambda::Function | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED | |
| Type: AWS::Config::ConfigRule | |
| LambdaInsideVpc: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}lambda-inside-vpc' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Lambda::Function | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: LAMBDA_INSIDE_VPC | |
| Type: AWS::Config::ConfigRule | |
| MfaEnabledForIamConsoleAccess: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}mfa-enabled-for-iam-console-access' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | |
| Type: AWS::Config::ConfigRule | |
| MultiRegionCloudTrailEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}multi-region-cloudtrail-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| NoUnrestrictedRouteToIgw: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}no-unrestricted-route-to-igw' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::RouteTable | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: NO_UNRESTRICTED_ROUTE_TO_IGW | |
| Type: AWS::Config::ConfigRule | |
| OpensearchAccessControlEnabled: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}opensearch-access-control-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::OpenSearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: OPENSEARCH_ACCESS_CONTROL_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| OpensearchEncryptedAtRest: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}opensearch-encrypted-at-rest' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::OpenSearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: OPENSEARCH_ENCRYPTED_AT_REST | |
| Type: AWS::Config::ConfigRule | |
| OpensearchHttpsRequired: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}opensearch-https-required' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::OpenSearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: OPENSEARCH_HTTPS_REQUIRED | |
| Type: AWS::Config::ConfigRule | |
| OpensearchInVpcOnly: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}opensearch-in-vpc-only' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::OpenSearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: OPENSEARCH_IN_VPC_ONLY | |
| Type: AWS::Config::ConfigRule | |
| OpensearchLogsToCloudwatch: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}opensearch-logs-to-cloudwatch' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::OpenSearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: OPENSEARCH_LOGS_TO_CLOUDWATCH | |
| Type: AWS::Config::ConfigRule | |
| OpensearchNodeToNodeEncryptionCheck: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}opensearch-node-to-node-encryption-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::OpenSearch::Domain | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK | |
| Type: AWS::Config::ConfigRule | |
| RdsInBackupPlan: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-in-backup-plan' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_IN_BACKUP_PLAN | |
| Type: AWS::Config::ConfigRule | |
| RdsInstanceDeletionProtectionEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-instance-deletion-protection-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBInstance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_INSTANCE_DELETION_PROTECTION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| RdsInstancePublicAccessCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-instance-public-access-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBInstance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| RdsLoggingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-logging-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBInstance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_LOGGING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| RdsMultiAzSupport: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-multi-az-support' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBInstance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_MULTI_AZ_SUPPORT | |
| Type: AWS::Config::ConfigRule | |
| RdsSnapshotEncrypted: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-snapshot-encrypted' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBSnapshot | |
| - AWS::RDS::DBClusterSnapshot | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED | |
| Type: AWS::Config::ConfigRule | |
| RdsSnapshotsPublicProhibited: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-snapshots-public-prohibited' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBSnapshot | |
| - AWS::RDS::DBClusterSnapshot | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED | |
| Type: AWS::Config::ConfigRule | |
| RdsStorageEncrypted: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}rds-storage-encrypted' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::RDS::DBInstance | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RDS_STORAGE_ENCRYPTED | |
| Type: AWS::Config::ConfigRule | |
| RedshiftBackupEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}redshift-backup-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Redshift::Cluster | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: REDSHIFT_BACKUP_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| RedshiftClusterConfigurationCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}redshift-cluster-configuration-check' | |
| InputParameters: | |
| clusterDbEncrypted: 'TRUE' | |
| loggingEnabled: 'TRUE' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Redshift::Cluster | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK | |
| Type: AWS::Config::ConfigRule | |
| RedshiftClusterMaintenancesettingsCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}redshift-cluster-maintenancesettings-check' | |
| InputParameters: | |
| allowVersionUpgrade: | |
| Fn::If: | |
| - redshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade | |
| - Ref: RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade | |
| - Ref: AWS::NoValue | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Redshift::Cluster | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| RedshiftClusterPublicAccessCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}redshift-cluster-public-access-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Redshift::Cluster | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK | |
| Type: AWS::Config::ConfigRule | |
| RedshiftEnhancedVpcRoutingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}redshift-enhanced-vpc-routing-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Redshift::Cluster | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| RedshiftRequireTlsSsl: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}redshift-require-tls-ssl' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::Redshift::Cluster | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL | |
| Type: AWS::Config::ConfigRule | |
| RestrictedIncomingTraffic: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}restricted-common-ports' | |
| InputParameters: | |
| blockedPort1: | |
| Fn::If: | |
| - restrictedIncomingTrafficParamBlockedPort1 | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort1 | |
| - Ref: AWS::NoValue | |
| blockedPort2: | |
| Fn::If: | |
| - restrictedIncomingTrafficParamBlockedPort2 | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort2 | |
| - Ref: AWS::NoValue | |
| blockedPort3: | |
| Fn::If: | |
| - restrictedIncomingTrafficParamBlockedPort3 | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort3 | |
| - Ref: AWS::NoValue | |
| blockedPort4: | |
| Fn::If: | |
| - restrictedIncomingTrafficParamBlockedPort4 | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort4 | |
| - Ref: AWS::NoValue | |
| blockedPort5: | |
| Fn::If: | |
| - restrictedIncomingTrafficParamBlockedPort5 | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort5 | |
| - Ref: AWS::NoValue | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::SecurityGroup | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC | |
| Type: AWS::Config::ConfigRule | |
| RootAccountHardwareMfaEnabled: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}root-account-hardware-mfa-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| RootAccountMfaEnabled: | |
| Condition: StandardPartition | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}root-account-mfa-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| S3AccountLevelPublicAccessBlocksPeriodic: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-account-level-public-access-blocks-periodic' | |
| InputParameters: | |
| BlockPublicAcls: | |
| Fn::If: | |
| - s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls | |
| - Ref: AWS::NoValue | |
| BlockPublicPolicy: | |
| Fn::If: | |
| - s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy | |
| - Ref: AWS::NoValue | |
| IgnorePublicAcls: | |
| Fn::If: | |
| - s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls | |
| - Ref: AWS::NoValue | |
| RestrictPublicBuckets: | |
| Fn::If: | |
| - s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets | |
| - Ref: AWS::NoValue | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC | |
| Type: AWS::Config::ConfigRule | |
| S3BucketDefaultLockEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-default-lock-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketLevelPublicAccessProhibited: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-level-public-access-prohibited' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketLoggingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-logging-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_LOGGING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketPolicyGranteeCheck: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-policy-grantee-check' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK | |
| Type: AWS::Config::ConfigRule | |
| S3BucketPublicReadProhibited: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-public-read-prohibited' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketPublicWriteProhibited: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-public-write-prohibited' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketReplicationEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-replication-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketServerSideEncryptionEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-server-side-encryption-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| S3BucketSslRequestsOnly: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-ssl-requests-only' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY | |
| Type: AWS::Config::ConfigRule | |
| S3BucketVersioningEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}s3-bucket-versioning-enabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| SagemakerEndpointConfigurationKmsKeyConfigured: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}sagemaker-endpoint-configuration-kms-key-configured' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED | |
| Type: AWS::Config::ConfigRule | |
| SagemakerNotebookInstanceKmsKeyConfigured: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}sagemaker-notebook-instance-kms-key-configured' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED | |
| Type: AWS::Config::ConfigRule | |
| SagemakerNotebookNoDirectInternetAccess: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}sagemaker-notebook-no-direct-internet-access' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS | |
| Type: AWS::Config::ConfigRule | |
| SecurityhubEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}securityhub-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SECURITYHUB_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| SnsEncryptedKms: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}sns-encrypted-kms' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::SNS::Topic | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SNS_ENCRYPTED_KMS | |
| Type: AWS::Config::ConfigRule | |
| SsmDocumentNotPublic: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}ssm-document-not-public' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SSM_DOCUMENT_NOT_PUBLIC | |
| Type: AWS::Config::ConfigRule | |
| SubnetAutoAssignPublicIpDisabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}subnet-auto-assign-public-ip-disabled' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::Subnet | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED | |
| Type: AWS::Config::ConfigRule | |
| VpcDefaultSecurityGroupClosed: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}vpc-default-security-group-closed' | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::SecurityGroup | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED | |
| Type: AWS::Config::ConfigRule | |
| VpcFlowLogsEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}vpc-flow-logs-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: VPC_FLOW_LOGS_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| VpcSgOpenOnlyToAuthorizedPorts: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}vpc-sg-open-only-to-authorized-ports' | |
| InputParameters: | |
| authorizedTcpPorts: | |
| Fn::If: | |
| - vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts | |
| - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts | |
| - Ref: AWS::NoValue | |
| authorizedUdpPorts: | |
| Fn::If: | |
| - vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts | |
| - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts | |
| - Ref: AWS::NoValue | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::EC2::SecurityGroup | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS | |
| Type: AWS::Config::ConfigRule | |
| Wafv2LoggingEnabled: | |
| Properties: | |
| ConfigRuleName: | |
| Fn::Sub: '${ConfigRuleNamePrefix}wafv2-logging-enabled' | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: WAFV2_LOGGING_ENABLED | |
| Type: AWS::Config::ConfigRule | |
| Conditions: | |
| # Used to disable config rules in regions (us-gov-west-1, us-gov-east-1) where a given rule is not available | |
| # See: | |
| # - https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html | |
| # - https://gist.github.com/atheiman/f345ea4aa059bf2d2c5dec490547a86f | |
| StandardPartition: | |
| Fn::Equals: | |
| - Ref: AWS::Partition | |
| - aws | |
| acmCertificateExpirationCheckParamDaysToExpiration: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: AcmCertificateExpirationCheckParamDaysToExpiration | |
| cloudwatchAlarmActionCheckParamInsufficientDataActionRequired: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: CloudwatchAlarmActionCheckParamInsufficientDataActionRequired | |
| cloudwatchAlarmActionCheckParamOkActionRequired: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: CloudwatchAlarmActionCheckParamOkActionRequired | |
| ec2VolumeInuseCheckParamDeleteOnTermination: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: Ec2VolumeInuseCheckParamDeleteOnTermination | |
| guarddutyNonArchivedFindingsParamDaysHighSev: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev | |
| guarddutyNonArchivedFindingsParamDaysLowSev: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev | |
| guarddutyNonArchivedFindingsParamDaysMediumSev: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev | |
| iamPasswordPolicyParamMaxPasswordAge: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamMaxPasswordAge | |
| iamPasswordPolicyParamMinimumPasswordLength: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamMinimumPasswordLength | |
| iamPasswordPolicyParamPasswordReusePrevention: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamPasswordReusePrevention | |
| iamPasswordPolicyParamRequireLowercaseCharacters: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamRequireLowercaseCharacters | |
| iamPasswordPolicyParamRequireNumbers: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamRequireNumbers | |
| iamPasswordPolicyParamRequireSymbols: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamRequireSymbols | |
| iamPasswordPolicyParamRequireUppercaseCharacters: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamPasswordPolicyParamRequireUppercaseCharacters | |
| iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge | |
| redshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade | |
| restrictedIncomingTrafficParamBlockedPort1: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort1 | |
| restrictedIncomingTrafficParamBlockedPort2: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort2 | |
| restrictedIncomingTrafficParamBlockedPort3: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort3 | |
| restrictedIncomingTrafficParamBlockedPort4: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort4 | |
| restrictedIncomingTrafficParamBlockedPort5: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: RestrictedIncomingTrafficParamBlockedPort5 | |
| s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls | |
| s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy | |
| s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls | |
| s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets | |
| vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts | |
| vpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts: | |
| Fn::Not: | |
| - Fn::Equals: | |
| - '' | |
| - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedUdpPorts |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment