Default AWS Config rules
# Managed (owner = "AWS") Config rule: account must belong to AWS Organizations.
# NOTE(review): no aws_config_configuration_recorder is visible in this file;
# managed rules cannot be created until a recorder exists - confirm it is
# declared (and ordered with depends_on) elsewhere.
resource "aws_config_config_rule" "account_part_of_organizations" {
  name = "account-part-of-organizations"

  source {
    owner             = "AWS"
    source_identifier = "ACCOUNT_PART_OF_ORGANIZATIONS"
  }

  # NOTE(review): MasterAccountId is not supplied, so membership in *any*
  # organization is COMPLIANT; the management-account match mentioned in the
  # description below is not enforced. Pin it if the account must be in yours.
  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Rule checks whether AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if the AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId."
}
# ACM certificates expiring within 14 days are flagged. Imported (non-ACM-issued)
# certificates are not auto-renewed, so this is the only warning you get for them.
resource "aws_config_config_rule" "acm_certificate_expiration_check" {
  name = "acm-certificate-expiration-check"

  source {
    owner             = "AWS"
    source_identifier = "ACM_CERTIFICATE_EXPIRATION_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::ACM::Certificate"]
  }

  # 14 days leaves little time for a manual re-import; raise if that is your workflow.
  input_parameters            = jsonencode({ daysToExpiration = "14" })
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether ACM Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import."
}
# --- Application Load Balancer hygiene -------------------------------------
# Dropping invalid HTTP header fields closes off request-smuggling style
# tricks that rely on malformed header names reaching the target.
resource "aws_config_config_rule" "alb_http_drop_invalid_header_enabled" {
  name = "alb-http-drop-invalid-header-enabled"

  source {
    owner             = "AWS"
    source_identifier = "ALB_HTTP_DROP_INVALID_HEADER_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
  }

  description = "Checks if rule evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false."
}

# Every plain-HTTP listener must redirect to HTTPS. Evaluated periodically;
# no scope is set, so it covers all ALBs in the region.
resource "aws_config_config_rule" "alb_http_to_https_redirection_check" {
  name = "alb-http-to-https-redirection-check"

  source {
    owner             = "AWS"
    source_identifier = "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured."
}

# Requires a WAF web ACL on each ALB. Note this only checks that *a* web ACL is
# attached, not what rules it contains.
resource "aws_config_config_rule" "alb_waf_enabled" {
  name = "alb-waf-enabled"

  source {
    owner             = "AWS"
    source_identifier = "ALB_WAF_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
  }

  input_parameters = jsonencode({})

  description = "Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). This rule is NON_COMPLIANT if key: waf.enabled is set to false."
}
# --- API Gateway ------------------------------------------------------------
# Cache must be on *and* encrypted for every method of a REST stage. Expect
# findings on stages that deliberately do not cache; this rule cannot tell the
# difference.
resource "aws_config_config_rule" "api_gw_cache_enabled_and_encrypted" {
  name = "api-gw-cache-enabled-and-encrypted"

  source {
    owner             = "AWS"
    source_identifier = "API_GW_CACHE_ENABLED_AND_ENCRYPTED"
  }

  scope {
    compliance_resource_types = ["AWS::ApiGateway::Stage"]
  }

  description = "Checks that all methods in Amazon API Gateway stages have cache enabled and cache encrypted. The rule is NON_COMPLIANT if any method in Amazon API Gateway stage is not configured to cache or the cache is not encrypted."
}

# Execution logging at ERROR or INFO is accepted (both levels listed). Applies
# to REST (v1) and HTTP/WebSocket (v2) stages.
resource "aws_config_config_rule" "api_gw_execution_logging_enabled" {
  name = "api-gw-execution-logging-enabled"

  source {
    owner             = "AWS"
    source_identifier = "API_GW_EXECUTION_LOGGING_ENABLED"
  }

  scope {
    compliance_resource_types = [
      "AWS::ApiGateway::Stage",
      "AWS::ApiGatewayV2::Stage",
    ]
  }

  input_parameters = jsonencode({ loggingLevel = "ERROR,INFO" })

  description = " Checks that all methods in Amazon API Gateway stage has logging enabled. The rule is NON_COMPLIANT if logging is not enabled. The rule is NON_COMPLIANT if loggingLevel is neither ERROR nor INFO."
}

# NOTE(review): this rule checks for a certificate *associated with the stage*;
# do not read it as a check on TLS of the public endpoint - confirm the exact
# semantics in the AWS Config managed-rule docs before relying on it.
resource "aws_config_config_rule" "api_gw_ssl_enabled" {
  name = "api-gw-ssl-enabled"

  source {
    owner             = "AWS"
    source_identifier = "API_GW_SSL_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::ApiGateway::Stage"]
  }

  input_parameters = jsonencode({})

  description = "Checks if a REST API stage uses an Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate."
}

# X-Ray tracing on REST stages (observability, not a hardening control).
resource "aws_config_config_rule" "api_gw_xray_enabled" {
  name = "api-gw-xray-enabled"

  source {
    owner             = "AWS"
    source_identifier = "API_GW_XRAY_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::ApiGateway::Stage"]
  }

  description = "Checks if X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule will return COMPLIANT if X-Ray tracing is enabled, NON_COMPLIANT otherwise."
}
# ASGs behind a load balancer should use ELB health checks so unhealthy
# instances are actually replaced rather than just de-registered.
resource "aws_config_config_rule" "autoscaling_group_elb_healthcheck_required" {
  name = "autoscaling-group-elb-healthcheck-required"

  source {
    owner             = "AWS"
    source_identifier = "AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED"
  }

  scope {
    compliance_resource_types = ["AWS::AutoScaling::AutoScalingGroup"]
  }

  description = "Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks."
}
# Elastic Beanstalk environments must use "enhanced" (not "basic") health reporting.
resource "aws_config_config_rule" "beanstalk_enhanced_health_reporting_enabled" {
  name = "beanstalk-enhanced-health-reporting-enabled"

  source {
    owner             = "AWS"
    source_identifier = "BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::ElasticBeanstalk::Environment"]
  }

  description = "checks for Elastic Beanstalk environment is configured for 'enhanced' health reporting and NON_COMPLIANT if configured for 'basic' health reporting"
}
# --- CloudTrail trail configuration (periodic, account-wide) ----------------
# Trails must ship to CloudWatch Logs so metric filters / alarms can be built
# on API activity in near-real time.
resource "aws_config_config_rule" "cloud_trail_cloud_watch_logs_enabled" {
  name = "cloud-trail-cloud-watch-logs-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs. The trail is non-compliant if the CloudWatchLogsLogGroupArn property of the trail is empty."
}

# Trail log files must be SSE-KMS encrypted. Per the description the rule only
# checks that *some* KmsKeyId is set - it does not validate which key or its policy.
resource "aws_config_config_rule" "cloud_trail_encryption_enabled" {
  name = "cloud-trail-encryption-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is compliant if the KmsKeyId is defined."
}

# Signed digest files let you prove log files were not altered after delivery -
# keep this on for every trail used as forensic evidence.
resource "aws_config_config_rule" "cloud_trail_log_file_validation_enabled" {
  name = "cloud-trail-log-file-validation-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is noncompliant if the validation is not enabled."
}
# CloudFormation stacks must publish events to an SNS topic. No topic ARNs are
# pinned here, so any topic satisfies the rule.
resource "aws_config_config_rule" "cloudformation_stack_notification_check" {
  name = "cloudformation-stack-notification-check"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFORMATION_STACK_NOTIFICATION_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFormation::Stack"]
  }

  input_parameters = jsonencode({})

  description = "Checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether specified SNS topics are used."
}
# --- CloudFront distributions ------------------------------------------------
# All rules in this group are scoped to AWS::CloudFront::Distribution.

# Access logging to S3 must be configured on every distribution.
resource "aws_config_config_rule" "cloudfront_accesslogs_enabled" {
  name = "cloudfront-accesslogs-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_ACCESSLOGS_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  input_parameters = jsonencode({})

  description = "Checks that CloudFront distributions are configured to capture S3 server access logs. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured."
}

# A WAF (classic or v2) web ACL must be attached. As with the ALB rule, the
# presence of an ACL is checked, not its contents.
resource "aws_config_config_rule" "cloudfront_associated_with_waf" {
  name = "cloudfront-associated-with-waf"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_ASSOCIATED_WITH_WAF"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  input_parameters = jsonencode({})

  description = "Check if Amazon CloudFront distributions are associated with either WAF or WAFv2 web ACLs. The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a Web ACL."
}

# Distributions using the default *.cloudfront.net certificate are flagged.
resource "aws_config_config_rule" "cloudfront_custom_ssl_certificate" {
  name = "cloudfront-custom-ssl-certificate"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_CUSTOM_SSL_CERTIFICATE"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  description = "Checks whether the certificate associated with a Amazon CloudFront distribution is the default certificate. The rule is NON_COMPLIANT if a CloudFront distribution is using the default certificate."
}

# A default root object prevents a bare "/" request from exposing an origin
# bucket listing or an unintended object.
resource "aws_config_config_rule" "cloudfront_default_root_object_configured" {
  name = "cloudfront-default-root-object-configured"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  description = "Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if Amazon CloudFront distribution does not have a default root object configured."
}

# S3 origins must go through an Origin Access Identity so the bucket can stay
# private. NOTE(review): this rule is OAI-specific; distributions that use the
# newer Origin Access Control instead may be reported differently - confirm
# before treating a finding as a real exposure.
resource "aws_config_config_rule" "cloudfront_origin_access_identity_enabled" {
  name = "cloudfront-origin-access-identity-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  description = "Checks that Amazon CloudFront distribution with S3 Origin type has Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by S3 and any of S3 Origin type is not OAI configured."
}

# Availability control: an origin group with at least two origins is required.
resource "aws_config_config_rule" "cloudfront_origin_failover_enabled" {
  name = "cloudfront-origin-failover-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_ORIGIN_FAILOVER_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  description = "Checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront. This rule is NON_COMPLIANT if there are no origin groups for the distribution."
}

# Custom certificates should be served via SNI rather than dedicated IPs.
resource "aws_config_config_rule" "cloudfront_sni_enabled" {
  name = "cloudfront-sni-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_SNI_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  description = "Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address."
}

# Viewer protocol policy must not be "allow-all" on the default or any
# additional cache behavior; redirect-to-https is accepted.
resource "aws_config_config_rule" "cloudfront_viewer_policy_https" {
  name = "cloudfront-viewer-policy-https"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDFRONT_VIEWER_POLICY_HTTPS"
  }

  scope {
    compliance_resource_types = ["AWS::CloudFront::Distribution"]
  }

  description = "Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the defaultCacheBehavior or for the cacheBehaviors."
}
# --- CloudTrail presence (periodic, account-wide) ---------------------------
# NOTE(review): with empty parameters this passes as soon as *any* trail exists.
# The description notes the rule can pin s3BucketName / snsTopicArn /
# cloudWatchLogsLogGroupArn; consider doing so in a multi-account setup so a
# trail pointed at an attacker-controlled bucket does not satisfy the check.
resource "aws_config_config_rule" "cloudtrail_enabled" {
  name = "cloudtrail-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use."
}

# At least one trail must record S3 data events for all buckets - needed to
# investigate object-level reads/writes, which management-event trails omit.
resource "aws_config_config_rule" "cloudtrail_s3_dataevents_enabled" {
  name = "cloudtrail-s3-dataevents-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails log data events for S3 buckets is not configured."
}

# Composite "security trail" check (multi-region, validation, etc. per AWS's
# definition of best practices for the rule).
resource "aws_config_config_rule" "cloudtrail_security_trail_enabled" {
  name = "cloudtrail-security-trail-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDTRAIL_SECURITY_TRAIL_ENABLED"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks that there is at least one AWS CloudTrail trail defined with security best practices."
}
# Every CloudWatch Logs group must have a KMS key. No KmsKeyId is pinned, so
# any customer key is accepted.
resource "aws_config_config_rule" "cloudwatch_log_group_encrypted" {
  name = "cloudwatch-log-group-encrypted"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether a log group in Amazon CloudWatch Logs is encrypted. The rule is NON_COMPLIANT if CloudWatch Logs has log group without encryption enabled."
}
# Automatic rotation must be enabled on customer-managed KMS keys.
resource "aws_config_config_rule" "cmk_backing_key_rotation_enabled" {
  name = "cmk-backing-key-rotation-enabled"

  source {
    owner             = "AWS"
    source_identifier = "CMK_BACKING_KEY_ROTATION_ENABLED"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK). The rule is compliant, if the key rotation is enabled for specific key object."
}
# --- CodePipeline blast-radius controls -------------------------------------
# First deploy stage may perform only one deployment; deploymentLimit for later
# stages is left at the rule default (no parameters supplied).
resource "aws_config_config_rule" "codepipeline_deployment_count_check" {
  name = "codepipeline-deployment-count-check"

  source {
    owner             = "AWS"
    source_identifier = "CODEPIPELINE_DEPLOYMENT_COUNT_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::CodePipeline::Pipeline"]
  }

  input_parameters = jsonencode({})

  description = "Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment. Optionally checks if each of the subsequent remaining stages deploy to more than the specified number of deployments (deploymentLimit)."
}

# Each stage may fan out to at most 3x the regions reached by all prior stages.
resource "aws_config_config_rule" "codepipeline_region_fanout_check" {
  name = "codepipeline-region-fanout-check"

  source {
    owner             = "AWS"
    source_identifier = "CODEPIPELINE_REGION_FANOUT_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::CodePipeline::Pipeline"]
  }

  input_parameters = jsonencode({ regionFanoutFactor = "3" })

  description = "Checks whether each stage in the AWS CodePipeline deploys to more regions than N times the number of regions the pipeline has deployed to in all previous stages, where N is regionFanoutFactor. The first deployment stage can deploy to only one region."
}
# Log groups must have a retention period at least as long as the configured
# minimum. NOTE(review): no MinRetentionTime is supplied here, so whatever the
# managed rule's built-in default is will apply - set it explicitly to match
# your retention policy (e.g. the number of days your IR playbooks assume).
resource "aws_config_config_rule" "cw_loggroup_retention_period_check" {
  name = "cw-loggroup-retention-period-check"

  source {
    owner             = "AWS"
    source_identifier = "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is not set or is less than the configured retention period."
}
# DAX clusters must be encrypted at rest.
resource "aws_config_config_rule" "dax_encryption_enabled" {
  name = "dax-encryption-enabled"

  source {
    owner             = "AWS"
    source_identifier = "DAX_ENCRYPTION_ENABLED"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks that Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted"
}
# RDS instances must have automated backups. Retention period / window are not
# pinned, so a 1-day retention passes; add backupRetentionPeriod if that matters.
resource "aws_config_config_rule" "db_instance_backup_enabled" {
  name = "db-instance-backup-enabled"

  source {
    owner             = "AWS"
    source_identifier = "DB_INSTANCE_BACKUP_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::RDS::DBInstance"]
  }

  input_parameters = jsonencode({})

  description = "Checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window."
}
# DMS replication instances must not be publicly accessible.
resource "aws_config_config_rule" "dms_replication_not_public" {
  name = "dms-replication-not-public"

  source {
    owner             = "AWS"
    source_identifier = "DMS_REPLICATION_NOT_PUBLIC"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether AWS Database Migration Service replication instances are public. The rule is NON_COMPLIANT if PubliclyAccessible field is true."
}
# --- DynamoDB ---------------------------------------------------------------
# Auto Scaling on provisioned tables (capacity, not a security control).
resource "aws_config_config_rule" "dynamodb_autoscaling_enabled" {
  name = "dynamodb-autoscaling-enabled"

  source {
    owner             = "AWS"
    source_identifier = "DYNAMODB_AUTOSCALING_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::DynamoDB::Table"]
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "This rule checks whether Auto Scaling is enabled on your DynamoDB tables. Optionally you can set the read and write capacity units for the table."
}

# Tables must be covered by an AWS Backup plan.
resource "aws_config_config_rule" "dynamodb_in_backup_plan" {
  name = "dynamodb-in-backup-plan"

  source {
    owner             = "AWS"
    source_identifier = "DYNAMODB_IN_BACKUP_PLAN"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon DynamoDB table is present in AWS Backup Plans. The rule is NON_COMPLIANT if Amazon DynamoDB tables are not present in any AWS Backup plan."
}

# Point-in-time recovery - the control that lets you roll back a malicious or
# accidental bulk delete.
resource "aws_config_config_rule" "dynamodb_pitr_enabled" {
  name = "dynamodb-pitr-enabled"

  source {
    owner             = "AWS"
    source_identifier = "DYNAMODB_PITR_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::DynamoDB::Table"]
  }

  description = "Checks that point in time recovery is enabled for Amazon DynamoDB tables."
}

# Tables must use a KMS key (AWS-managed or customer-managed). kmsKeyArns is not
# pinned, so any KMS key is accepted.
resource "aws_config_config_rule" "dynamodb_table_encrypted_kms" {
  name = "dynamodb-table-encrypted-kms"

  source {
    owner             = "AWS"
    source_identifier = "DYNAMODB_TABLE_ENCRYPTED_KMS"
  }

  scope {
    compliance_resource_types = ["AWS::DynamoDB::Table"]
  }

  input_parameters = jsonencode({})

  description = "Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if Amazon DynamoDB table is not encrypted with AWS KMS."
}

# Weaker sibling of the rule above: only requires that encryption status is
# ENABLED or ENABLING, whatever the key type.
resource "aws_config_config_rule" "dynamodb_table_encryption_enabled" {
  name = "dynamodb-table-encryption-enabled"

  source {
    owner             = "AWS"
    source_identifier = "DYNAMODB_TABLE_ENCRYPTION_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::DynamoDB::Table"]
  }

  description = "Checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is compliant if the status is enabled or enabling."
}

# Alerts when provisioned RCU/WCU reach 80% of the account limit. The JSON is
# kept as a literal on purpose: jsonencode() would reorder the keys.
resource "aws_config_config_rule" "dynamodb_throughput_limit_check" {
  name = "dynamodb-throughput-limit-check"

  source {
    owner             = "AWS"
    source_identifier = "DYNAMODB_THROUGHPUT_LIMIT_CHECK"
  }

  input_parameters            = "{\"accountWCUThresholdPercentage\":\"80\",\"accountRCUThresholdPercentage\":\"80\"}"
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80% of your account limits."
}
# --- EBS --------------------------------------------------------------------
# Volumes must be covered by an AWS Backup plan.
resource "aws_config_config_rule" "ebs_in_backup_plan" {
  name = "ebs-in-backup-plan"

  source {
    owner             = "AWS"
    source_identifier = "EBS_IN_BACKUP_PLAN"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Check if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans."
}

# EBS-optimized flag on instance types that support it (performance).
resource "aws_config_config_rule" "ebs_optimized_instance" {
  name = "ebs-optimized-instance"

  source {
    owner             = "AWS"
    source_identifier = "EBS_OPTIMIZED_INSTANCE"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }

  description = "Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized."
}

# A snapshot restorable by "all" is world-readable disk content; this is one of
# the more common data-leak findings, so keep the 24h cadence at least.
resource "aws_config_config_rule" "ebs_snapshot_public_restorable_check" {
  name = "ebs-snapshot-public-restorable-check"

  source {
    owner             = "AWS"
    source_identifier = "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with RestorableByUserIds field are set to all, that is, Amazon EBS snapshots are public."
}
# --- EC2 --------------------------------------------------------------------
# Account-level "encrypt new EBS volumes by default" must be on. This does not
# retro-encrypt existing volumes.
resource "aws_config_config_rule" "ec2_ebs_encryption_by_default" {
  name = "ec2-ebs-encryption-by-default"

  source {
    owner             = "AWS"
    source_identifier = "EC2_EBS_ENCRYPTION_BY_DEFAULT"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Check that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled."
}

# IMDSv2 required (HttpTokens = required). With "optional", an SSRF in any app
# on the box can read instance-role credentials from 169.254.169.254.
resource "aws_config_config_rule" "ec2_imdsv2_check" {
  name = "ec2-imdsv2-check"

  source {
    owner             = "AWS"
    source_identifier = "EC2_IMDSV2_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }

  description = "Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if the HttpTokens is set to optional."
}

# 1-minute CloudWatch metrics on instances (cost/observability trade-off).
resource "aws_config_config_rule" "ec2_instance_detailed_monitoring_enabled" {
  name = "ec2-instance-detailed-monitoring-enabled"

  source {
    owner             = "AWS"
    source_identifier = "EC2_INSTANCE_DETAILED_MONITORING_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }

  description = "Checks whether detailed monitoring is enabled for EC2 instances."
}

# Instances must be SSM-managed - the prerequisite for the patch/association
# compliance rules below and for key-less (Session Manager) access.
resource "aws_config_config_rule" "ec2_instance_managed_by_systems_manager" {
  name = "ec2-instance-managed-by-systems-manager"

  source {
    owner             = "AWS"
    source_identifier = "EC2_INSTANCE_MANAGED_BY_SSM"
  }

  scope {
    compliance_resource_types = [
      "AWS::EC2::Instance",
      "AWS::SSM::ManagedInstanceInventory",
    ]
  }

  description = "Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager."
}

# No public IPv4 on instances. Per the description this is IPv4-only; an
# instance with a globally routable IPv6 address still passes.
resource "aws_config_config_rule" "ec2_instance_no_public_ip" {
  name = "ec2-instance-no-public-ip"

  source {
    owner             = "AWS"
    source_identifier = "EC2_INSTANCE_NO_PUBLIC_IP"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }

  description = "Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4."
}

# Instances must live in a VPC; no vpcId pinned, so any VPC is accepted.
resource "aws_config_config_rule" "ec2_instances_in_vpc" {
  name = "ec2-instances-in-vpc"

  source {
    owner             = "AWS"
    source_identifier = "INSTANCES_IN_VPC"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }

  input_parameters = jsonencode({})

  description = "Checks whether your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to associate with your instances."
}

# Surfaces SSM State Manager association failures as Config findings.
resource "aws_config_config_rule" "ec2_managedinstance_association_compliance_status_check" {
  name = "ec2-managedinstance-association-compliance-status-check"

  source {
    owner             = "AWS"
    source_identifier = "EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::SSM::AssociationCompliance"]
  }

  description = "Checks whether the compliance status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT."
}

# Surfaces SSM Patch Manager non-compliance (missing patches) as Config findings.
resource "aws_config_config_rule" "ec2_managedinstance_patch_compliance_status_check" {
  name = "ec2-managedinstance-patch-compliance-status-check"

  source {
    owner             = "AWS"
    source_identifier = "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::SSM::PatchCompliance"]
  }

  description = "Checks whether the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT."
}

# Unattached security groups are clutter that tends to drift; flag them.
resource "aws_config_config_rule" "ec2_security_group_attached_to_eni" {
  name = "ec2-security-group-attached-to-eni"

  source {
    owner             = "AWS"
    source_identifier = "EC2_SECURITY_GROUP_ATTACHED_TO_ENI"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }

  description = "Checks that security groups are attached to Amazon Elastic Compute Cloud (EC2) instances or an elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an EC2 instance or an ENI."
}

# Instances stopped for more than 30 days are flagged (stale, unpatched assets).
resource "aws_config_config_rule" "ec2_stopped_instance" {
  name = "ec2-stopped-instance"

  source {
    owner             = "AWS"
    source_identifier = "EC2_STOPPED_INSTANCE"
  }

  input_parameters            = jsonencode({ AllowedDays = "30" })
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether there are instances stopped for more than the allowed number of days."
}

# Detached EBS volumes are flagged; deleteOnTermination is not checked here.
resource "aws_config_config_rule" "ec2_volume_inuse_check" {
  name = "ec2-volume-inuse-check"

  source {
    owner             = "AWS"
    source_identifier = "EC2_VOLUME_INUSE_CHECK"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Volume"]
  }

  input_parameters = jsonencode({})

  description = "Checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated."
}
# --- EFS --------------------------------------------------------------------
# File systems must be encrypted. KmsKeyId is not pinned, so any key passes.
resource "aws_config_config_rule" "efs_encrypted_check" {
  name = "efs-encrypted-check"

  source {
    owner             = "AWS"
    source_identifier = "EFS_ENCRYPTED_CHECK"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon EFS are configured to encrypt file data using AWS KMS. The rule is NON_COMPLIANT if the Encrypted key is set to False on DescribeFileSystems or, if specified, KmsKeyId key on DescribeFileSystems is not matching KmsKeyId parameter."
}

# File systems must be covered by an AWS Backup plan.
resource "aws_config_config_rule" "efs_in_backup_plan" {
  name = "efs-in-backup-plan"

  source {
    owner             = "AWS"
    source_identifier = "EFS_IN_BACKUP_PLAN"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans."
}
# Unattached Elastic IPs are flagged (cost, and stale public addresses).
resource "aws_config_config_rule" "eip_attached" {
  name = "eip-attached"

  source {
    owner             = "AWS"
    source_identifier = "EIP_ATTACHED"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::EIP"]
  }

  description = "Checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs."
}
# --- EKS --------------------------------------------------------------------
# Cluster API endpoint must be private-only. Note a public endpoint restricted
# by CIDR is still "publicly accessible" to this rule.
resource "aws_config_config_rule" "eks_endpoint_no_public_access" {
  name = "eks-endpoint-no-public-access"

  source {
    owner             = "AWS"
    source_identifier = "EKS_ENDPOINT_NO_PUBLIC_ACCESS"
  }

  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible."
}

# Kubernetes Secrets must be envelope-encrypted with KMS (encryptionConfig set).
# kmsKeyArns is not pinned, so any key is accepted.
resource "aws_config_config_rule" "eks_secrets_encrypted" {
  name = "eks-secrets-encrypted"

  source {
    owner             = "AWS"
    source_identifier = "EKS_SECRETS_ENCRYPTED"
  }

  input_parameters            = jsonencode({})
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys. This rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig."
}
# Managed platform updates keep Beanstalk environments on patched platform versions.
resource "aws_config_config_rule" "elastic_beanstalk_managed_updates_enabled" {
  name = "elastic-beanstalk-managed-updates-enabled"

  source {
    owner             = "AWS"
    source_identifier = "ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED"
  }

  scope {
    compliance_resource_types = ["AWS::ElasticBeanstalk::Environment"]
  }

  input_parameters = jsonencode({})

  description = "Rule will evaluate if managed platform updates in Elastic Beanstalk environments are ENABLED. This rule is NON_COMPLIANT if the value for 'ManagedActionsEnabled' is set to 'false'"
}
# Redis clusters must retain automatic snapshots for at least 15 days.
resource "aws_config_config_rule" "elasticache_redis_cluster_automatic_backup_check" {
  name = "elasticache-redis-cluster-automatic-backup-check"

  source {
    owner             = "AWS"
    source_identifier = "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK"
  }

  input_parameters            = jsonencode({ snapshotRetentionPeriod = "15" })
  maximum_execution_frequency = "TwentyFour_Hours"

  description = "The rule is NON_COMPLIANT if SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter, i.e from 0 to 15 as the default is 15."
}
resource "aws_config_config_rule" "elasticsearch_encrypted_at_rest" { | |
name = "elasticsearch-encrypted-at-rest" | |
description = "Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if EncryptionAtRestOptions field is not enabled." | |
source { | |
owner = "AWS" | |
source_identifier = "ELASTICSEARCH_ENCRYPTED_AT_REST" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule ELASTICSEARCH_IN_VPC_ONLY: periodic (24h). Flags domains whose
# endpoint is public rather than VPC-attached; no scope or parameters set.
resource "aws_config_config_rule" "elasticsearch_in_vpc_only" { | |
name = "elasticsearch-in-vpc-only" | |
description = "Checks whether Amazon Elasticsearch Service domains are in Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if ElasticSearch Service domain endpoint is public." | |
source { | |
owner = "AWS" | |
source_identifier = "ELASTICSEARCH_IN_VPC_ONLY" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK, scoped to
# AWS::Elasticsearch::Domain (change-triggered; no periodic frequency here).
resource "aws_config_config_rule" "elasticsearch_node_to_node_encryption_check" { | |
name = "elasticsearch-node-to-node-encryption-check" | |
description = "Check that Amazon ElasticSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Elasticsearch::Domain" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK" | |
} | |
} | |
# Managed rule ELB_ACM_CERTIFICATE_REQUIRED. Scope is the Classic Load
# Balancer type only (AWS::ElasticLoadBalancing::LoadBalancer); ALB/NLB
# (ElasticLoadBalancingV2) listeners are not covered by this resource.
resource "aws_config_config_rule" "elb_acm_certificate_required" { | |
name = "elb-acm-certificate-required" | |
description = "This rule checks whether the Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager. You must use an SSL or HTTPS listener with your Elastic Load Balancer to use this rule." | |
scope { | |
compliance_resource_types = [ | |
"AWS::ElasticLoadBalancing::LoadBalancer" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "ELB_ACM_CERTIFICATE_REQUIRED" | |
} | |
} | |
# Managed rule ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED, scoped to Classic Load
# Balancers. An availability control rather than a confidentiality one.
resource "aws_config_config_rule" "elb_cross_zone_load_balancing_enabled" { | |
name = "elb-cross-zone-load-balancing-enabled" | |
description = "Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This rule is NON_COMPLIANT if cross-zone load balancing is not enabled for a CLB." | |
scope { | |
compliance_resource_types = [ | |
"AWS::ElasticLoadBalancing::LoadBalancer" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED" | |
} | |
} | |
# Managed rule ELB_DELETION_PROTECTION_ENABLED. Scope is the V2 type only
# (ALB/NLB); Classic Load Balancers are not evaluated by this resource.
resource "aws_config_config_rule" "elb_deletion_protection_enabled" { | |
name = "elb-deletion-protection-enabled" | |
description = "Checks whether an Elastic Load Balancer has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false." | |
scope { | |
compliance_resource_types = [ | |
"AWS::ElasticLoadBalancingV2::LoadBalancer" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "ELB_DELETION_PROTECTION_ENABLED" | |
} | |
} | |
# Managed rule ELB_LOGGING_ENABLED, scoped to both Classic and V2 load
# balancer types. No s3BucketNames restriction is passed (empty parameters),
# so logging to any destination bucket satisfies the rule.
resource "aws_config_config_rule" "elb_logging_enabled" { | |
name = "elb-logging-enabled" | |
description = "Checks whether the Application Load Balancers and the Classic Load Balancers have logging enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::ElasticLoadBalancing::LoadBalancer", | |
"AWS::ElasticLoadBalancingV2::LoadBalancer" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "ELB_LOGGING_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule EMR_KERBEROS_ENABLED: periodic (24h), no scope. The description
# mentions "specified rule parameters" but none are passed here (empty JSON),
# so only the presence of a Kerberos security configuration is checked.
resource "aws_config_config_rule" "emr_kerberos_enabled" { | |
name = "emr-kerberos-enabled" | |
description = "The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters." | |
source { | |
owner = "AWS" | |
source_identifier = "EMR_KERBEROS_ENABLED" | |
} | |
input_parameters = "{}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule EMR_MASTER_NO_PUBLIC_IP, periodic (24h).
# NOTE(review): the scope block is present but its resource-type list is
# empty — presumably equivalent to omitting scope entirely; confirm the
# provider applies this cleanly rather than rejecting an empty scope.
resource "aws_config_config_rule" "emr_master_no_public_ip" { | |
name = "emr-master-no-public-ip" | |
description = "Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP." | |
scope { | |
compliance_resource_types = [] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "EMR_MASTER_NO_PUBLIC_IP" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule ENCRYPTED_VOLUMES, scoped to AWS::EC2::Volume. The optional KMS
# key ID mentioned in the description is not supplied (empty parameters), so
# any encryption — including the AWS-managed EBS key — is accepted; pass a
# key ID if volumes must use a specific customer-managed key.
resource "aws_config_config_rule" "encrypted_volumes" { | |
name = "encrypted-volumes" | |
description = "Checks whether EBS volumes that are in an attached state are encrypted. Optionally, you can specify the ID of a KMS key to use to encrypt the volume." | |
scope { | |
compliance_resource_types = [ | |
"AWS::EC2::Volume" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "ENCRYPTED_VOLUMES" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule GUARDDUTY_ENABLED_CENTRALIZED, periodic (24h). No
# centralisation account is passed (empty parameters), so the rule evaluates
# GuardDuty in the local account and region only.
resource "aws_config_config_rule" "guardduty_enabled_centralized" { | |
name = "guardduty-enabled-centralized" | |
description = "Checks whether Amazon GuardDuty is enabled in your AWS account and region. If you provide an AWS account for centralization, the rule evaluates the GuardDuty results in that account. The rule is compliant when GuardDuty is enabled." | |
source { | |
owner = "AWS" | |
source_identifier = "GUARDDUTY_ENABLED_CENTRALIZED" | |
} | |
input_parameters = "{}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule GUARDDUTY_NON_ARCHIVED_FINDINGS, periodic (24h). Findings left
# unarchived longer than the thresholds below are flagged: high 1 day,
# medium 7 days, low 30 days — effectively a triage SLA check.
resource "aws_config_config_rule" "guardduty_non_archived_findings" { | |
name = "guardduty-non-archived-findings" | |
description = "Checks whether Amazon GuardDuty has findings that are non archived. The rule is NON_COMPLIANT if Amazon GuardDuty has non archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter." | |
source { | |
owner = "AWS" | |
source_identifier = "GUARDDUTY_NON_ARCHIVED_FINDINGS" | |
} | |
input_parameters = "{\"daysMediumSev\":\"7\",\"daysHighSev\":\"1\",\"daysLowSev\":\"30\"}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule IAM_NO_INLINE_POLICY_CHECK, scoped to IAM users, roles and
# groups. Complements the managed-policy check below: inline policies are
# not visible to AWS::IAM::Policy-scoped rules, so this one catches them.
resource "aws_config_config_rule" "iam_no_inline_policy_check" { | |
name = "iam-no-inline-policy-check" | |
description = "Checks that inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy." | |
scope { | |
compliance_resource_types = [ | |
"AWS::IAM::User", | |
"AWS::IAM::Role", | |
"AWS::IAM::Group" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_NO_INLINE_POLICY_CHECK" | |
} | |
} | |
# Managed rule IAM_PASSWORD_POLICY, periodic (24h). Required account policy:
# minimum length 14, upper/lower/number/symbol all required, reuse of the
# last 24 passwords prevented, maximum age 90 days. Tighten or relax here,
# not in the console, so the evaluated baseline stays in version control.
resource "aws_config_config_rule" "iam_password_policy" { | |
name = "iam-password-policy" | |
description = "Checks whether the account password policy for IAM users meets the specified requirements." | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_PASSWORD_POLICY" | |
} | |
input_parameters = "{\"MinimumPasswordLength\":\"14\",\"RequireLowercaseCharacters\":\"true\",\"RequireNumbers\":\"true\",\"PasswordReusePrevention\":\"24\",\"MaxPasswordAge\":\"90\",\"RequireUppercaseCharacters\":\"true\",\"RequireSymbols\":\"true\"}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS, scoped to
# AWS::IAM::Policy (customer-managed policies, default version only). Per the
# description it matches the exact Allow/Action:*/Resource:* shape; broad
# but non-wildcard grants are out of its reach.
resource "aws_config_config_rule" "iam_policy_no_statements_with_admin_access" { | |
name = "iam-policy-no-statements-with-admin-access" | |
description = "Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\", the rule is non-compliant." | |
scope { | |
compliance_resource_types = [ | |
"AWS::IAM::Policy" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS" | |
} | |
} | |
# Managed rule IAM_ROOT_ACCESS_KEY_CHECK, periodic (24h). Compliant only when
# the root user has no access keys at all.
resource "aws_config_config_rule" "iam_root_access_key_check" { | |
name = "iam-root-access-key-check" | |
description = "Checks whether the root user access key is available. The rule is compliant if the user access key does not exist." | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule IAM_USER_GROUP_MEMBERSHIP_CHECK, scoped to IAM users. No
# groupNames restriction is passed (empty parameters), so membership in any
# group satisfies the rule.
resource "aws_config_config_rule" "iam_user_group_membership_check" { | |
name = "iam-user-group-membership-check" | |
description = "Checks whether IAM users are members of at least one IAM group." | |
scope { | |
compliance_resource_types = [ | |
"AWS::IAM::User" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_USER_GROUP_MEMBERSHIP_CHECK" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule IAM_USER_MFA_ENABLED, periodic (24h), applies to every IAM
# user. See mfa_enabled_for_iam_console_access for the console-password-only
# variant.
resource "aws_config_config_rule" "iam_user_mfa_enabled" { | |
name = "iam-user-mfa-enabled" | |
description = "Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled." | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_USER_MFA_ENABLED" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule IAM_USER_NO_POLICIES_CHECK, scoped to IAM users. Enforces the
# "permissions via groups/roles only" model alongside
# iam_user_group_membership_check.
resource "aws_config_config_rule" "iam_user_no_policies_check" { | |
name = "iam-user-no-policies-check" | |
description = "Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles." | |
scope { | |
compliance_resource_types = [ | |
"AWS::IAM::User" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "IAM_USER_NO_POLICIES_CHECK" | |
} | |
} | |
# Managed rule INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY, scoped to IGWs.
# NOTE(review): no authorised-VPC list is supplied (empty parameters), so
# which VPCs count as "authorized" is left to the rule's default — confirm
# the intended allow-list is passed before relying on this evaluation.
resource "aws_config_config_rule" "internet_gateway_authorized_vpc_only" { | |
name = "internet-gateway-authorized-vpc-only" | |
description = "Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC." | |
scope { | |
compliance_resource_types = [ | |
"AWS::EC2::InternetGateway" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule KMS_CMK_NOT_SCHEDULED_FOR_DELETION, scoped to AWS::KMS::Key and
# also run every 24h. A key pending deletion silently breaks every resource
# encrypted under it, so this is as much an availability guard as a crypto
# one. (The description's "NON_COMPLAINT" spelling is kept as written.)
resource "aws_config_config_rule" "kms_cmk_not_scheduled_for_deletion" { | |
name = "kms-cmk-not-scheduled-for-deletion" | |
description = "Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS). The rule is NON_COMPLAINT if CMKs are scheduled for deletion." | |
scope { | |
compliance_resource_types = [ | |
"AWS::KMS::Key" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "KMS_CMK_NOT_SCHEDULED_FOR_DELETION" | |
} | |
input_parameters = "{}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule LAMBDA_CONCURRENCY_CHECK, scoped to Lambda functions. No
# min/max concurrency bounds are passed (empty parameters), so only the
# presence of a reserved-concurrency setting is required. Limits blast radius
# of runaway invocations / cost-based denial of service.
resource "aws_config_config_rule" "lambda_concurrency_check" { | |
name = "lambda-concurrency-check" | |
description = "Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with function-level concurrent execution limit." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Lambda::Function" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "LAMBDA_CONCURRENCY_CHECK" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule LAMBDA_DLQ_CHECK, scoped to Lambda functions. No dlqArns
# allow-list is passed (empty parameters), so any configured DLQ satisfies it.
resource "aws_config_config_rule" "lambda_dlq_check" { | |
name = "lambda-dlq-check" | |
description = "Checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Lambda::Function" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "LAMBDA_DLQ_CHECK" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED, scoped to Lambda
# functions. Flags resource policies that grant invoke to any principal.
resource "aws_config_config_rule" "lambda_function_public_access_prohibited" { | |
name = "lambda-function-public-access-prohibited" | |
description = "Checks whether the Lambda function policy prohibits public access. The rule is NON_COMPLIANT if the Lambda function policy allows public access." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Lambda::Function" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED" | |
} | |
} | |
# Managed rule LAMBDA_INSIDE_VPC, scoped to Lambda functions. No subnetIds
# allow-list is passed (empty parameters), so attachment to any VPC passes.
# Expect noise from functions that intentionally have no VPC dependency.
resource "aws_config_config_rule" "lambda_inside_vpc" { | |
name = "lambda-inside-vpc" | |
description = "Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. The rule is NON_COMPLIANT if the Lambda function is not in a VPC." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Lambda::Function" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "LAMBDA_INSIDE_VPC" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS, periodic (24h). Narrower
# than iam_user_mfa_enabled: only users holding a console password count.
resource "aws_config_config_rule" "mfa_enabled_for_iam_console_access" { | |
name = "mfa-enabled-for-iam-console-access" | |
description = "Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is compliant if MFA is enabled." | |
source { | |
owner = "AWS" | |
source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule MULTI_REGION_CLOUD_TRAIL_ENABLED, periodic (24h). Note the
# identifier has an underscore in CLOUD_TRAIL unlike the resource name. No
# parameters are passed, so log-file validation, S3 bucket, SNS topic and
# CloudWatch destination are not constrained — only that a multi-region
# trail exists.
resource "aws_config_config_rule" "multi_region_cloudtrail_enabled" { | |
name = "multi-region-cloudtrail-enabled" | |
description = "Checks that there is at least one multi-region AWS CloudTrail. The rule is non-compliant if the trails do not match input parameters." | |
source { | |
owner = "AWS" | |
source_identifier = "MULTI_REGION_CLOUD_TRAIL_ENABLED" | |
} | |
input_parameters = "{}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule RDS_CLUSTER_DELETION_PROTECTION_ENABLED, scoped to
# AWS::RDS::DBCluster (Aurora / multi-AZ clusters). Instance-level
# counterpart is rds_instance_deletion_protection_enabled.
resource "aws_config_config_rule" "rds_cluster_deletion_protection_enabled" { | |
name = "rds-cluster-deletion-protection-enabled" | |
description = "Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is NON_COMPLIANT if an RDS cluster does not have deletion protection enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBCluster" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_CLUSTER_DELETION_PROTECTION_ENABLED" | |
} | |
} | |
# Managed rule RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED, scoped to DB clusters.
# IAM auth replaces long-lived DB passwords with short-lived tokens; the
# instance-level counterpart is rds_instance_iam_authentication_enabled.
resource "aws_config_config_rule" "rds_cluster_iam_authentication_enabled" { | |
name = "rds-cluster-iam-authentication-enabled" | |
description = "Checks if an Amazon RDS Cluster has IAM authentication enabled. The rule is NON_COMPLIANT if RDS Cluster doesn't have IAM authentication enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBCluster" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED" | |
} | |
} | |
# Managed rule RDS_ENHANCED_MONITORING_ENABLED, scoped to DB instances. No
# monitoringInterval is passed (empty parameters), so any non-zero interval
# is accepted.
resource "aws_config_config_rule" "rds_enhanced_monitoring_enabled" { | |
name = "rds-enhanced-monitoring-enabled" | |
description = "Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_ENHANCED_MONITORING_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule RDS_IN_BACKUP_PLAN, periodic (24h), no scope. Requires RDS
# databases to be covered by an AWS Backup plan (ransomware / deletion
# recovery control), independent of RDS's own automated snapshots.
resource "aws_config_config_rule" "rds_in_backup_plan" { | |
name = "rds-in-backup-plan" | |
description = "Checks whether Amazon RDS database is present in back plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan." | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_IN_BACKUP_PLAN" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule RDS_INSTANCE_DELETION_PROTECTION_ENABLED, scoped to DB
# instances; cluster-level counterpart above.
resource "aws_config_config_rule" "rds_instance_deletion_protection_enabled" { | |
name = "rds-instance-deletion-protection-enabled" | |
description = "Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled i.e deletionProtection is set to false." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_INSTANCE_DELETION_PROTECTION_ENABLED" | |
} | |
} | |
# Managed rule RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED, scoped to DB
# instances; cluster-level counterpart above.
resource "aws_config_config_rule" "rds_instance_iam_authentication_enabled" { | |
name = "rds-instance-iam-authentication-enabled" | |
description = "Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have AWS IAM authentication enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED" | |
} | |
} | |
# Managed rule RDS_INSTANCE_PUBLIC_ACCESS_CHECK, scoped to DB instances.
# Evaluates the publiclyAccessible flag only; security-group reachability is
# a separate concern (see restricted_ssh / vpc_default_security_group_closed).
resource "aws_config_config_rule" "rds_instance_public_access_check" { | |
name = "rds-instance-public-access-check" | |
description = "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_INSTANCE_PUBLIC_ACCESS_CHECK" | |
} | |
} | |
# Managed rule RDS_LOGGING_ENABLED, scoped to DB instances. No per-engine log
# type list is passed (empty parameters); per the description every
# available log type must be enabled for the instance to be compliant.
resource "aws_config_config_rule" "rds_logging_enabled" { | |
name = "rds-logging-enabled" | |
description = "Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is NON_COMPLIANT if any log types are not enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_LOGGING_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule RDS_MULTI_AZ_SUPPORT, scoped to DB instances. Availability
# control; expect non-compliance on dev/test instances by design.
resource "aws_config_config_rule" "rds_multi_az_support" { | |
name = "rds-multi-az-support" | |
description = "Checks whether high availability is enabled for your RDS DB instances." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_MULTI_AZ_SUPPORT" | |
} | |
} | |
# Managed rule RDS_SNAPSHOT_ENCRYPTED, scoped to both instance and cluster
# snapshot types. Snapshots are a common exfiltration path (copy/share), so
# encryption at rest matters here as much as on the live database.
resource "aws_config_config_rule" "rds_snapshot_encrypted" { | |
name = "rds-snapshot-encrypted" | |
description = "Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT, if the Amazon RDS DB snapshots are not encrypted." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBSnapshot", | |
"AWS::RDS::DBClusterSnapshot" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_SNAPSHOT_ENCRYPTED" | |
} | |
} | |
# Managed rule RDS_SNAPSHOTS_PUBLIC_PROHIBITED, scoped to both instance and
# cluster snapshot types. A public snapshot is readable by any AWS account;
# this is a high-severity finding worth alerting on, not just reporting.
resource "aws_config_config_rule" "rds_snapshots_public_prohibited" { | |
name = "rds-snapshots-public-prohibited" | |
description = "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBSnapshot", | |
"AWS::RDS::DBClusterSnapshot" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_SNAPSHOTS_PUBLIC_PROHIBITED" | |
} | |
} | |
# Managed rule RDS_STORAGE_ENCRYPTED, scoped to DB instances. No kmsKeyId is
# passed (empty parameters), so encryption under any key — including the
# AWS-managed RDS key — is accepted.
resource "aws_config_config_rule" "rds_storage_encrypted" { | |
name = "rds-storage-encrypted" | |
description = "Checks whether storage encryption is enabled for your RDS DB instances." | |
scope { | |
compliance_resource_types = [ | |
"AWS::RDS::DBInstance" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "RDS_STORAGE_ENCRYPTED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule REDSHIFT_BACKUP_ENABLED, scoped to Redshift clusters. No
# retention-period bounds are passed (empty parameters), so any automated
# snapshot retention greater than zero passes.
resource "aws_config_config_rule" "redshift_backup_enabled" { | |
name = "redshift-backup-enabled" | |
description = "Checks that Amazon Redshift automated snapshots are enabled for clusters." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Redshift::Cluster" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "REDSHIFT_BACKUP_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule REDSHIFT_CLUSTER_KMS_ENABLED, scoped to Redshift clusters.
# NOTE(review): the description says the rule takes a specific KMS key to
# check against, but no key is passed here (empty parameters) — presumably
# any KMS-encrypted cluster then passes; confirm that is the intent.
resource "aws_config_config_rule" "redshift_cluster_kms_enabled" { | |
name = "redshift-cluster-kms-enabled" | |
description = "This rule enables users to specify an AWS Key Management Service key to check if Amazon RedShift clusters are using a key for encryption." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Redshift::Cluster" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "REDSHIFT_CLUSTER_KMS_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK, scoped to Redshift
# clusters. Same publiclyAccessible-flag check as the RDS variant.
resource "aws_config_config_rule" "redshift_cluster_public_access_check" { | |
name = "redshift-cluster-public-access-check" | |
description = "Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration item." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Redshift::Cluster" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK" | |
} | |
} | |
# Managed rule REDSHIFT_REQUIRE_TLS_SSL, scoped to Redshift clusters. Checks
# the cluster parameter group's require_SSL value; encryption in transit for
# client connections.
resource "aws_config_config_rule" "redshift_require_tls_ssl" { | |
name = "redshift-require-tls-ssl" | |
description = "Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true." | |
scope { | |
compliance_resource_types = [ | |
"AWS::Redshift::Cluster" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "REDSHIFT_REQUIRE_TLS_SSL" | |
} | |
} | |
# Managed rule for "restricted-ssh". Note the source identifier is
# INCOMING_SSH_DISABLED, which does not match the rule name — that is the
# managed rule's real identifier, not a typo. Scoped to security groups;
# flags 0.0.0.0/0-style inbound rules on port 22.
resource "aws_config_config_rule" "restricted_ssh" { | |
name = "restricted-ssh" | |
description = "Checks whether security groups that are in use disallow unrestricted incoming SSH traffic." | |
scope { | |
compliance_resource_types = [ | |
"AWS::EC2::SecurityGroup" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "INCOMING_SSH_DISABLED" | |
} | |
} | |
# Managed rule ROOT_ACCOUNT_HARDWARE_MFA_ENABLED, periodic (24h). Stricter
# than root_account_mfa_enabled below: a virtual MFA device does not satisfy
# this one.
resource "aws_config_config_rule" "root_account_hardware_mfa_enabled" { | |
name = "root-account-hardware-mfa-enabled" | |
description = "Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials." | |
source { | |
owner = "AWS" | |
source_identifier = "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule ROOT_ACCOUNT_MFA_ENABLED, periodic (24h). Any MFA device type
# satisfies this rule; see the hardware-only variant above.
resource "aws_config_config_rule" "root_account_mfa_enabled" { | |
name = "root-account-mfa-enabled" | |
description = "Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in." | |
source { | |
owner = "AWS" | |
source_identifier = "ROOT_ACCOUNT_MFA_ENABLED" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS, scoped to the account
# public-access-block resource. All four settings are required to be True,
# which is the strongest account-wide guard against public buckets; the
# bucket-level rule below is the per-bucket counterpart.
resource "aws_config_config_rule" "s3_account_level_public_access_blocks" { | |
name = "s3-account-level-public-access-blocks" | |
description = "Checks whether the required public access block settings are configured from account level. The rule is NON_COMPLIANT when the public access block settings are not configured from account level." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::AccountPublicAccessBlock" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS" | |
} | |
input_parameters = "{\"RestrictPublicBuckets\":\"True\",\"BlockPublicPolicy\":\"True\",\"BlockPublicAcls\":\"True\",\"IgnorePublicAcls\":\"True\"}" | |
} | |
# Managed rule S3_BUCKET_DEFAULT_LOCK_ENABLED, scoped to S3 buckets. Object
# Lock is a WORM/immutability control (log and backup buckets); applied to
# every bucket it will flag most general-purpose buckets.
resource "aws_config_config_rule" "s3_bucket_default_lock_enabled" { | |
name = "s3-bucket-default-lock-enabled" | |
description = "Checks whether Amazon S3 bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_DEFAULT_LOCK_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED, scoped to S3 buckets.
# No excludedPublicBuckets list is passed (empty parameters), so every bucket
# with any of the four block-public settings off is flagged.
resource "aws_config_config_rule" "s3_bucket_level_public_access_prohibited" { | |
name = "s3-bucket-level-public-access-prohibited" | |
description = "Checks whether public access is allowed on bucket level. The rule is NON_COMPLIANT when any fields below are set to 'False' in the configuration items (Default is 'True'): ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule S3_BUCKET_LOGGING_ENABLED, scoped to S3 buckets. No target
# bucket/prefix is passed (empty parameters), so server access logging to
# any destination passes.
resource "aws_config_config_rule" "s3_bucket_logging_enabled" { | |
name = "s3-bucket-logging-enabled" | |
description = "Checks whether logging is enabled for your S3 buckets." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_LOGGING_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule S3_BUCKET_POLICY_GRANTEE_CHECK, scoped to S3 buckets.
# NOTE(review): the rule is built around an allow-list of grantees, but none
# is passed (empty parameters) — per the description a bucket with no policy
# is compliant; what a non-empty policy evaluates to with no allow-list is
# not stated here, so confirm before treating results as meaningful.
resource "aws_config_config_rule" "s3_bucket_policy_grantee_check" { | |
name = "s3-bucket-policy-grantee-check" | |
description = "Checks that the access granted by the Amazon S3 bucket is restricted to any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_POLICY_GRANTEE_CHECK" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule S3_BUCKET_PUBLIC_READ_PROHIBITED, scoped to S3 buckets and
# also re-evaluated every 24h. Covers both bucket policy and ACL grants.
resource "aws_config_config_rule" "s3_bucket_public_read_prohibited" { | |
name = "s3-bucket-public-read-prohibited" | |
description = "Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule S3_BUCKET_PUBLIC_WRITE_PROHIBITED, scoped to S3 buckets and
# also re-evaluated every 24h. Public write is the more dangerous case
# (content tampering, hosting abuse); treat findings as high severity.
resource "aws_config_config_rule" "s3_bucket_public_write_prohibited" { | |
name = "s3-bucket-public-write-prohibited" | |
description = "Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule S3_BUCKET_REPLICATION_ENABLED, scoped to S3 buckets. A
# resilience control; it will flag every bucket without a replication
# configuration, so expect broad non-compliance unless scoped further.
resource "aws_config_config_rule" "s3_bucket_replication_enabled" { | |
name = "s3-bucket-replication-enabled" | |
description = "Checks whether the Amazon S3 buckets have cross-region replication enabled." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_REPLICATION_ENABLED" | |
} | |
} | |
# Managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, scoped to S3 buckets.
# Either default encryption (any SSE type) or a deny-unencrypted-put policy
# satisfies it; the KMS-specific requirement is s3_default_encryption_kms.
resource "aws_config_config_rule" "s3_bucket_server_side_encryption_enabled" { | |
name = "s3-bucket-server-side-encryption-enabled" | |
description = "Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" | |
} | |
} | |
# Managed rule S3_BUCKET_SSL_REQUESTS_ONLY, scoped to S3 buckets. Requires a
# bucket policy denying requests where aws:SecureTransport is false
# (encryption in transit).
resource "aws_config_config_rule" "s3_bucket_ssl_requests_only" { | |
name = "s3-bucket-ssl-requests-only" | |
description = "Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_SSL_REQUESTS_ONLY" | |
} | |
} | |
# Managed rule S3_BUCKET_VERSIONING_ENABLED, scoped to S3 buckets. The
# optional MFA-delete check described is not enabled (empty parameters), so
# versioning alone is sufficient for compliance.
resource "aws_config_config_rule" "s3_bucket_versioning_enabled" { | |
name = "s3-bucket-versioning-enabled" | |
description = "Checks whether versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_BUCKET_VERSIONING_ENABLED" | |
} | |
input_parameters = "{}" | |
} | |
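# Managed rule S3_DEFAULT_ENCRYPTION_KMS, scoped to S3 buckets. Stricter than
# s3_bucket_server_side_encryption_enabled: SSE-S3 does not satisfy it, the
# bucket's default encryption must use a KMS key. No kmsKeyArns allow-list
# is passed (empty parameters), so any KMS key is accepted.
# The description previously read "The rule is not NON_COMPLIANT if ..."
# which states the opposite of the rule's behaviour; corrected to match the
# NON_COMPLIANT wording used by every other rule in this file.
resource "aws_config_config_rule" "s3_default_encryption_kms" { | |
name = "s3-default-encryption-kms" | |
description = "Checks whether the Amazon S3 buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if Amazon S3 bucket is not encrypted with AWS KMS key." | |
scope { | |
compliance_resource_types = [ | |
"AWS::S3::Bucket" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "S3_DEFAULT_ENCRYPTION_KMS" | |
} | |
input_parameters = "{}" | |
} | |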
# Managed rule SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED, periodic
# (24h), no scope. No kmsKeyArns allow-list is passed (empty parameters), so
# any KmsKeyId on the endpoint configuration passes.
resource "aws_config_config_rule" "sagemaker_endpoint_configuration_kms_key_configured" { | |
name = "sagemaker-endpoint-configuration-kms-key-configured" | |
description = "Checks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the Amazon SageMaker endpoint configuration." | |
source { | |
owner = "AWS" | |
source_identifier = "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED" | |
} | |
input_parameters = "{}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED, periodic (24h),
# no scope. Notebook volumes frequently hold training data and credentials;
# no kmsKeyArns allow-list is passed, so any KMS key passes.
resource "aws_config_config_rule" "sagemaker_notebook_instance_kms_key_configured" { | |
name = "sagemaker-notebook-instance-kms-key-configured" | |
description = "Check whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the Amazon SageMaker notebook instance." | |
source { | |
owner = "AWS" | |
source_identifier = "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED" | |
} | |
input_parameters = "{}" | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS, periodic (24h).
# Internet-enabled notebooks are an easy exfiltration channel for data and
# model artefacts; route egress through a VPC instead.
resource "aws_config_config_rule" "sagemaker_notebook_no_direct_internet_access" { | |
name = "sagemaker-notebook-no-direct-internet-access" | |
description = "Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled." | |
source { | |
owner = "AWS" | |
source_identifier = "SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule SECRETSMANAGER_ROTATION_ENABLED_CHECK, scoped to secrets. The
# maximumAllowedRotationFrequency described is not set (empty parameters),
# so only "rotation enabled" is checked, not how often it rotates.
resource "aws_config_config_rule" "secretsmanager_rotation_enabled_check" { | |
name = "secretsmanager-rotation-enabled-check" | |
description = "Checks whether AWS Secret Manager secret has rotation enabled. If the maximumAllowedRotationFrequency parameter is specified, the rotation frequency of the secret is compared with the maximum allowed frequency." | |
scope { | |
compliance_resource_types = [ | |
"AWS::SecretsManager::Secret" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "SECRETSMANAGER_ROTATION_ENABLED_CHECK" | |
} | |
input_parameters = "{}" | |
} | |
# Managed rule SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK, scoped to
# secrets. Catches rotations that are enabled but silently failing — the
# complement of the rotation-enabled check above.
resource "aws_config_config_rule" "secretsmanager_scheduled_rotation_success_check" { | |
name = "secretsmanager-scheduled-rotation-success-check" | |
description = "Checks and verifies whether AWS Secret Manager secret rotation has rotated successfully as per the rotation schedule." | |
scope { | |
compliance_resource_types = [ | |
"AWS::SecretsManager::Secret" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK" | |
} | |
} | |
# Managed rule SECURITYHUB_ENABLED, periodic (24h), account-level.
resource "aws_config_config_rule" "securityhub_enabled" { | |
name = "securityhub-enabled" | |
description = "Checks that AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled." | |
source { | |
owner = "AWS" | |
source_identifier = "SECURITYHUB_ENABLED" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule SHIELD_ADVANCED_ENABLED_AUTORENEW, periodic (24h). Shield
# Advanced is a paid subscription; accounts that do not subscribe will
# report non-compliant by design.
resource "aws_config_config_rule" "shield_advanced_enabled_autorenew" { | |
name = "shield-advanced-enabled-autorenew" | |
description = "Checks whether AWS Shield Advanced is enabled in your AWS account and this subscription is set to autorenew." | |
source { | |
owner = "AWS" | |
source_identifier = "SHIELD_ADVANCED_ENABLED_AUTORENEW" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule SHIELD_DRT_ACCESS, periodic (24h). Per the description it only
# flags accounts where Shield Advanced is enabled but no DRT role exists.
resource "aws_config_config_rule" "shield_drt_access" { | |
name = "shield-drt-access" | |
description = "Verify that DDoS response team (DRT) can access AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for DRT access is not configured." | |
source { | |
owner = "AWS" | |
source_identifier = "SHIELD_DRT_ACCESS" | |
} | |
maximum_execution_frequency = "TwentyFour_Hours" | |
} | |
# Managed rule SNS_ENCRYPTED_KMS, scoped to SNS topics. No kmsKeyIds
# allow-list is passed (empty parameters), so any KMS key passes.
resource "aws_config_config_rule" "sns_encrypted_kms" { | |
name = "sns-encrypted-kms" | |
description = "Checks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Amazon SNS topic is not encrypted with AWS KMS." | |
scope { | |
compliance_resource_types = [ | |
"AWS::SNS::Topic" | |
] | |
} | |
source { | |
owner = "AWS" | |
source_identifier = "SNS_ENCRYPTED_KMS" | |
} | |
input_parameters = "{}" | |
} | |
# Flags subnets that hand every launched instance a public IP by default.
# Deliberately public subnets will show as NON_COMPLIANT; treat those as
# documented exceptions rather than disabling the rule.
resource "aws_config_config_rule" "subnet_auto_assign_public_ip_disabled" {
  name        = "subnet-auto-assign-public-ip-disabled"
  description = "Rule will evaluate if assignment of public IPs in Amazon Virtual Private Cloud (VPC) subnets have the 'MapPublicIpOnLaunch' set to FALSE. Rule will be COMPLIANT if the flag is set to 'FALSE'. Else, NON-COMPLIANT."

  scope {
    compliance_resource_types = ["AWS::EC2::Subnet"]
  }

  source {
    owner             = "AWS"
    source_identifier = "SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED"
  }
}
# The default security group of every VPC must carry no inbound or outbound
# rules at all, so nothing can depend on it implicitly; workloads should use a
# purpose-built security group instead.
resource "aws_config_config_rule" "vpc_default_security_group_closed" {
  name        = "vpc-default-security-group-closed"
  description = "Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant if the default security group has one or more inbound or outbound traffic."

  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }

  source {
    owner             = "AWS"
    source_identifier = "VPC_DEFAULT_SECURITY_GROUP_CLOSED"
  }
}
# Periodic (24h) check that each VPC has flow logs, the baseline network
# telemetry for detection and forensics.
# input_parameters is empty, so a flow log of any traffic type satisfies it.
# NOTE(review): the managed rule accepts an optional trafficType parameter to
# require e.g. ALL or REJECT — confirm against the rule docs before setting it.
resource "aws_config_config_rule" "vpc_flow_logs_enabled" {
  name                        = "vpc-flow-logs-enabled"
  description                 = "Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC."
  input_parameters            = "{}"
  maximum_execution_frequency = "TwentyFour_Hours"

  source {
    owner             = "AWS"
    source_identifier = "VPC_FLOW_LOGS_ENABLED"
  }
}
# Hygiene rather than hardening: an unassociated NACL enforces nothing, but it
# is clutter that can mask real drift. COMPLIANT only when the NACL is bound to
# at least one subnet.
resource "aws_config_config_rule" "vpc_network_acl_unused_check" {
  name        = "vpc-network-acl-unused-check"
  description = "Checks to see if there are unused Network Access Control List (NACL). The rule is COMPLIANT if NACL is associated with a subnet, NON_COMPLIANT otherwise."

  scope {
    compliance_resource_types = ["AWS::EC2::NetworkAcl"]
  }

  source {
    owner             = "AWS"
    source_identifier = "VPC_NETWORK_ACL_UNUSED_CHECK"
  }
}
# Internet-exposure check for security groups.
# With input_parameters = "{}" no port is authorized, so ANY TCP or UDP port
# reachable from 0.0.0.0/0 is NON_COMPLIANT — the strictest setting. Populate
# authorizedTcpPorts / authorizedUdpPorts (e.g. 443 for public HTTPS) to carve
# out deliberate exposure instead of ignoring findings.
# NOTE(review): the description only mentions 0.0.0.0/0; confirm whether IPv6
# (::/0) rules are also evaluated before treating this as full coverage.
resource "aws_config_config_rule" "vpc_sg_open_only_to_authorized_ports" {
  name             = "vpc-sg-open-only-to-authorized-ports"
  description      = "Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters."
  input_parameters = "{}"

  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }

  source {
    owner             = "AWS"
    source_identifier = "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS"
  }
}
# Availability check: Site-to-Site VPN provides two tunnels for redundancy,
# so a single tunnel in DOWN status already counts as NON_COMPLIANT.
resource "aws_config_config_rule" "vpc_vpn_2_tunnels_up" {
  name        = "vpc-vpn-2-tunnels-up"
  description = "Checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status."

  scope {
    compliance_resource_types = ["AWS::EC2::VPNConnection"]
  }

  source {
    owner             = "AWS"
    source_identifier = "VPC_VPN_2_TUNNELS_UP"
  }
}
# Periodic (24h) check that WAF Classic *global* web ACLs log their traffic;
# without logs, blocked/allowed decisions cannot be investigated.
# NOTE(review): global web ACLs are CloudFront-scoped; confirm this rule is
# deployed in the region where Config can see them.
resource "aws_config_config_rule" "waf_classic_logging_enabled" {
  name                        = "waf-classic-logging-enabled"
  description                 = "Checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled."
  input_parameters            = "{}"
  maximum_execution_frequency = "TwentyFour_Hours"

  source {
    owner             = "AWS"
    source_identifier = "WAF_CLASSIC_LOGGING_ENABLED"
  }
}
# Periodic (24h) check that WAFv2 regional and global web ACLs have logging
# enabled. input_parameters is empty, so no particular logging destination is
# required — only that logging is on.
# NOTE(review): the resource label "r" breaks this file's convention (every
# other rule is labelled after its name, which here would be
# wafv2_logging_enabled). It is left as-is because renaming changes the
# Terraform address and needs a `moved` block or a state move to avoid
# destroy/recreate.
resource "aws_config_config_rule" "r" {
  name                        = "wafv2-logging-enabled"
  description                 = "Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter."
  input_parameters            = "{}"
  maximum_execution_frequency = "TwentyFour_Hours"

  source {
    owner             = "AWS"
    source_identifier = "WAFV2_LOGGING_ENABLED"
  }
}