aws-cdk-lib.aws_config.ManagedRuleIdentifiers

class ManagedRuleIdentifiers

Language | Type name
.NET | Amazon.CDK.AWS.Config.ManagedRuleIdentifiers
Go | github.com/aws/aws-cdk-go/awscdk/v2/awsconfig#ManagedRuleIdentifiers
Java | software.amazon.awscdk.services.config.ManagedRuleIdentifiers
Python | aws_cdk.aws_config.ManagedRuleIdentifiers
TypeScript (source) | aws-cdk-lib » aws_config » ManagedRuleIdentifiers

Managed rules that are supported by AWS Config.

See also: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

Example

// https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
new config.ManagedRule(this, 'AccessKeysRotated', {
  identifier: config.ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
  inputParameters: {
    maxAccessKeyAge: 60, // default is 90 days
  },

  // default is 24 hours
  maximumExecutionFrequency: config.MaximumExecutionFrequency.TWELVE_HOURS,
});

Properties

Name | Type | Description
static ACCESS_KEYS_ROTATED | string | Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge.
static ACCOUNT_PART_OF_ORGANIZATIONS | string | Checks whether the AWS account is part of AWS Organizations.
static ACM_CERTIFICATE_EXPIRATION_CHECK | string | Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.
static ALB_DESYNC_MODE_CHECK | string | Checks if an Application Load Balancer (ALB) is configured with a user-defined desync mitigation mode.
static ALB_HTTP_DROP_INVALID_HEADER_ENABLED | string | Checks if Application Load Balancers (ALBs) are configured to drop invalid HTTP headers.
static ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | string | Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of an Application Load Balancer.
static ALB_WAF_ENABLED | string | Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs).
static API_GWV2_ACCESS_LOGS_ENABLED | string | Checks if Amazon API Gateway V2 stages have access logging enabled.
static API_GWV2_AUTHORIZATION_TYPE_CONFIGURED | string | Checks if Amazon API Gatewayv2 API routes have an authorization type set.
static API_GW_ASSOCIATED_WITH_WAF | string | Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL.
static API_GW_CACHE_ENABLED_AND_ENCRYPTED | string | Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted.
static API_GW_ENDPOINT_TYPE_CHECK | string | Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType.
static API_GW_EXECUTION_LOGGING_ENABLED | string | Checks that all methods in Amazon API Gateway stages have logging enabled.
static API_GW_SSL_ENABLED | string | Checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate.
static API_GW_XRAY_ENABLED | string | Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs.
static APPROVED_AMIS_BY_ID | string | Checks whether running instances are using specified AMIs.
static APPROVED_AMIS_BY_TAG | string | Checks whether running instances are using specified AMIs.
static AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED | string | Checks if a recovery point was created for Amazon Aurora DB clusters.
static AURORA_MYSQL_BACKTRACKING_ENABLED | string | Checks if an Amazon Aurora MySQL cluster has backtracking enabled.
static AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon Aurora DB clusters are protected by a backup plan.
static AUTOSCALING_CAPACITY_REBALANCING | string | Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.
static AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED | string | Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
static AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2 | string | Checks whether only IMDSv2 is enabled.
static AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT | string | Checks the number of network hops that the metadata token can travel.
static AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED | string | Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations.
static AUTOSCALING_LAUNCH_TEMPLATE | string | Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template.
static AUTOSCALING_MULTIPLE_AZ | string | Checks if the Auto Scaling group spans multiple Availability Zones.
static AUTOSCALING_MULTIPLE_INSTANCE_TYPES | string | Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types.
static BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK | string | Checks if a backup plan has a backup rule that satisfies the required frequency and retention period.
static BACKUP_RECOVERY_POINT_ENCRYPTED | string | Checks if a recovery point is encrypted.
static BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED | string | Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points.
static BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK | string | Checks if a recovery point expires no earlier than after the specified period.
static BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED | string | Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.
static CLB_DESYNC_MODE_CHECK | string | Checks if Classic Load Balancers (CLB) are configured with a user-defined Desync mitigation mode.
static CLB_MULTIPLE_AZ | string | Checks if a Classic Load Balancer spans multiple Availability Zones (AZs).
static CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK | string | Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration.
static CLOUDFORMATION_STACK_NOTIFICATION_CHECK | string | Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.
static CLOUDFRONT_ACCESSLOGS_ENABLED | string | Checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs.
static CLOUDFRONT_ASSOCIATED_WITH_WAF | string | Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs).
static CLOUDFRONT_CUSTOM_SSL_CERTIFICATE | string | Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate.
static CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED | string | Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object.
static CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS | string | Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins.
static CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED | string | Checks that an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.
static CLOUDFRONT_ORIGIN_FAILOVER_ENABLED | string | Checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront.
static CLOUDFRONT_SECURITY_POLICY_CHECK | string | Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections.
static CLOUDFRONT_SNI_ENABLED | string | Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests.
static CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED | string | Checks if Amazon CloudFront distributions are encrypting traffic to custom origins.
static CLOUDFRONT_VIEWER_POLICY_HTTPS | string | Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection).
static CLOUDTRAIL_MULTI_REGION_ENABLED | string | Checks that there is at least one multi-region AWS CloudTrail.
static CLOUDTRAIL_S3_DATAEVENTS_ENABLED | string | Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.
static CLOUDTRAIL_SECURITY_TRAIL_ENABLED | string | Checks that there is at least one AWS CloudTrail trail defined with security best practices.
static CLOUDWATCH_ALARM_ACTION_CHECK | string | Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.
static CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK | string | Checks if Amazon CloudWatch alarm actions are in the enabled state.
static CLOUDWATCH_ALARM_RESOURCE_CHECK | string | Checks whether the specified resource type has a CloudWatch alarm for the specified metric.
static CLOUDWATCH_ALARM_SETTINGS_CHECK | string | Checks whether CloudWatch alarms with the given metric name have the specified settings.
static CLOUDWATCH_LOG_GROUP_ENCRYPTED | string | Checks whether a log group in Amazon CloudWatch Logs is encrypted with an AWS Key Management Service (KMS) managed customer master key (CMK).
static CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | string | Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.
static CLOUD_TRAIL_ENABLED | string | Checks whether AWS CloudTrail is enabled in your AWS account.
static CLOUD_TRAIL_ENCRYPTION_ENABLED | string | Checks whether AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK).
static CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | string | Checks whether AWS CloudTrail creates a signed digest file with logs.
static CMK_BACKING_KEY_ROTATION_ENABLED | string | Checks that key rotation is enabled for each key and matches the key ID of the customer-created customer master key (CMK).
static CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION | string | Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts.
static CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK | string | Checks if an AWS CodeBuild project environment has privileged mode enabled.
static CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK | string | Checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
static CODEBUILD_PROJECT_LOGGING_ENABLED | string | Checks if an AWS CodeBuild project environment has at least one log option enabled.
static CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED | string | Checks if an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs.
static CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK | string | Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
static CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED | string | Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached.
static CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED | string | Checks if the deployment group for the EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold.
static CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED | string | Checks if the deployment group for the Lambda Compute Platform is not using the default deployment configuration.
static CODEPIPELINE_DEPLOYMENT_COUNT_CHECK | string | Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment.
static CODEPIPELINE_REGION_FANOUT_CHECK | string | Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of regions the AWS CodePipeline has deployed to in all the previous stages combined, where N is the region fanout number.
static CW_LOGGROUP_RETENTION_PERIOD_CHECK | string | Checks whether the Amazon CloudWatch LogGroup retention period is set to a specific number of days.
static DAX_ENCRYPTION_ENABLED | string | Checks that DynamoDB Accelerator (DAX) clusters are encrypted.
static DMS_REPLICATION_NOT_PUBLIC | string | Checks whether AWS Database Migration Service replication instances are public.
static DYNAMODB_AUTOSCALING_ENABLED | string | Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.
static DYNAMODB_IN_BACKUP_PLAN | string | Checks whether an Amazon DynamoDB table is present in AWS Backup plans.
static DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED | string | Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period.
static DYNAMODB_PITR_ENABLED | string | Checks that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables.
static DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon DynamoDB tables are protected by a backup plan.
static DYNAMODB_TABLE_ENCRYPTED_KMS | string | Checks whether an Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).
static DYNAMODB_TABLE_ENCRYPTION_ENABLED | string | Checks whether the Amazon DynamoDB tables are encrypted and checks their status.
static DYNAMODB_THROUGHPUT_LIMIT_CHECK | string | Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account.
static EBS_ENCRYPTED_VOLUMES | string | Checks whether the EBS volumes that are in an attached state are encrypted.
static EBS_IN_BACKUP_PLAN | string | Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup.
static EBS_OPTIMIZED_INSTANCE | string | Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
static EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan.
static EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | string | Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
static EC2_DESIRED_INSTANCE_TENANCY | string | Checks instances for specified tenancy.
static EC2_DESIRED_INSTANCE_TYPE | string | Checks whether your EC2 instances are of the specified instance types.
static EC2_EBS_ENCRYPTION_BY_DEFAULT | string | Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default.
static EC2_IMDSV2_CHECK | string | Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).
static EC2_INSTANCES_IN_VPC | string | Checks whether your EC2 instances belong to a virtual private cloud (VPC).
static EC2_INSTANCE_DETAILED_MONITORING_ENABLED | string | Checks whether detailed monitoring is enabled for EC2 instances.
static EC2_INSTANCE_MANAGED_BY_SSM | string | Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
static EC2_INSTANCE_MULTIPLE_ENI_CHECK | string | Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs).
static EC2_INSTANCE_NO_PUBLIC_IP | string | Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association.
static EC2_INSTANCE_PROFILE_ATTACHED | string | Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it.
static EC2_LAST_BACKUP_RECOVERY_POINT_CREATED | string | Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances.
static EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED | string | Checks that none of the specified applications are installed on the instance.
static EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED | string | Checks whether all of the specified applications are installed on the instance.
static EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK | string | Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance.
static EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED | string | Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types.
static EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK | string | Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
static EC2_MANAGED_INSTANCE_PLATFORM_CHECK | string | Checks whether EC2 managed instances have the desired configurations.
static EC2_NO_AMAZON_KEY_PAIR | string | Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using Amazon key pairs.
static EC2_PARAVIRTUAL_INSTANCE_CHECK | string | Checks if the virtualization type of an EC2 instance is paravirtual.
static EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan.
static EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED | string | Checks whether the incoming SSH traffic for the security groups is accessible.
static EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC | string | Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.
static EC2_SECURITY_GROUP_ATTACHED_TO_ENI | string | Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface.
static EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC | string | Checks if non-default security groups are attached to Elastic network interfaces (ENIs).
static EC2_STOPPED_INSTANCE | string | Checks whether there are instances stopped for more than the allowed number of days.
static EC2_TOKEN_HOP_LIMIT_CHECK | string | Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit.
static EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED | string | Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled.
static EC2_VOLUME_INUSE_CHECK | string | Checks whether EBS volumes are attached to EC2 instances.
static ECR_PRIVATE_IMAGE_SCANNING_ENABLED | string | Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled.
static ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED | string | Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured.
static ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED | string | Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled.
static ECS_AWSVPC_NETWORKING_ENABLED | string | Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’.
static ECS_CONTAINERS_NONPRIVILEGED | string | Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’.
static ECS_CONTAINERS_READONLY_ACCESS | string | Checks if Amazon Elastic Container Service (Amazon ECS) containers only have read-only access to their root filesystems.
static ECS_CONTAINER_INSIGHTS_ENABLED | string | Checks if Amazon Elastic Container Service clusters have container insights enabled.
static ECS_FARGATE_LATEST_PLATFORM_VERSION | string | Checks if Amazon Elastic Container Service (ECS) Fargate Services are running on the latest Fargate platform version.
static ECS_NO_ENVIRONMENT_SECRETS | string | Checks if secrets are passed as container environment variables.
static ECS_TASK_DEFINITION_LOG_CONFIGURATION | string | Checks if logConfiguration is set on active ECS Task Definitions.
static ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT | string | Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for their container definitions.
static ECS_TASK_DEFINITION_NONROOT_USER | string | Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on.
static ECS_TASK_DEFINITION_PID_MODE_CHECK | string | Checks if ECSTaskDefinitions are configured to share a host’s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers.
static ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK | string | Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions.
static EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY | string | Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory.
static EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY | string | Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity.
static EFS_ENCRYPTED_CHECK | string | Checks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS).
static EFS_IN_BACKUP_PLAN | string | Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup.
static EFS_LAST_BACKUP_RECOVERY_POINT_CREATED | string | Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems.
static EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan.
static EIP_ATTACHED | string | Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).
static EKS_CLUSTER_OLDEST_SUPPORTED_VERSION | string | Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.
static EKS_CLUSTER_SUPPORTED_VERSION | string | Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.
static EKS_ENDPOINT_NO_PUBLIC_ACCESS | string | Checks whether the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
static EKS_SECRETS_ENCRYPTED | string | Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.
static ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK | string | Checks if the Amazon ElastiCache Redis clusters have automatic backup turned on.
static ELASTICSEARCH_ENCRYPTED_AT_REST | string | Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled.
static ELASTICSEARCH_IN_VPC_ONLY | string | Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).
static ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK | string | Checks that Amazon ElasticSearch Service nodes are encrypted end to end.
static ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED | string | Checks if managed platform updates in an AWS Elastic Beanstalk environment are enabled.
static ELBV2_ACM_CERTIFICATE_REQUIRED | string | Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM).
static ELBV2_MULTIPLE_AZ | string | Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZs).
static ELB_ACM_CERTIFICATE_REQUIRED | string | Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.
static ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED | string | Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs).
static ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK | string | Checks whether your Classic Load Balancer SSL listeners are using a custom policy.
static ELB_DELETION_PROTECTION_ENABLED | string | Checks whether Elastic Load Balancing has deletion protection enabled.
static ELB_LOGGING_ENABLED | string | Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled.
static ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK | string | Checks whether your Classic Load Balancer SSL listeners are using a predefined policy.
static ELB_TLS_HTTPS_LISTENERS_ONLY | string | Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners.
static EMR_KERBEROS_ENABLED | string | Checks that Amazon EMR clusters have Kerberos enabled.
static EMR_MASTER_NO_PUBLIC_IP | string | Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs.
static FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK ⚠️ | string | Checks whether the security groups associated with inScope resources are compliant with the master security groups at each rule level based on the allowSecurityGroup and denySecurityGroup flags.
static FMS_SECURITY_GROUP_CONTENT_CHECK ⚠️ | string | Checks whether the content of AWS Firewall Manager created security groups is the same as the master security groups.
static FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK ⚠️ | string | Checks whether Amazon EC2 or an elastic network interface is associated with AWS Firewall Manager security groups.
static FMS_SHIELD_RESOURCE_POLICY_CHECK | string | Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection.
static FMS_WEBACL_RESOURCE_POLICY_CHECK | string | Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions.
static FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK | string | Checks that the rule groups associated with the web ACL are at the correct priority.
static FSX_LAST_BACKUP_RECOVERY_POINT_CREATED | string | Checks if a recovery point was created for Amazon FSx File Systems.
static FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon FSx File Systems are protected by a backup plan.
static GUARDDUTY_ENABLED_CENTRALIZED | string | Checks whether Amazon GuardDuty is enabled in your AWS account and region.
static GUARDDUTY_NON_ARCHIVED_FINDINGS | string | Checks whether Amazon GuardDuty has findings that are non-archived.
static IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS | string | Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on all AWS KMS keys.
static IAM_GROUP_HAS_USERS_CHECK | string | Checks whether IAM groups have at least one IAM user.
static IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS | string | Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not allow blocked actions on all AWS Key Management Service keys.
static IAM_NO_INLINE_POLICY_CHECK | string | Checks that the inline policy feature is not in use.
static IAM_PASSWORD_POLICY | string | Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters.
static IAM_POLICY_BLOCKED_CHECK | string | Checks whether, for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource.
static IAM_POLICY_IN_USE | string | Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM role with one or more trusted entities.
static IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | string | Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
static IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS | string | Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources.
static IAM_ROLE_MANAGED_POLICY_CHECK | string | Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.
static IAM_ROOT_ACCESS_KEY_CHECK | string | Checks whether the root user access key is available.
static IAM_USER_GROUP_MEMBERSHIP_CHECK | string | Checks whether IAM users are members of at least one IAM group.
static IAM_USER_MFA_ENABLED | string | Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
static IAM_USER_NO_POLICIES_CHECK | string | Checks that none of your IAM users have policies attached.
static IAM_USER_UNUSED_CREDENTIALS_CHECK | string | Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.
static INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | string | Checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs).
static KINESIS_STREAM_ENCRYPTED | string | Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption.
static KMS_CMK_NOT_SCHEDULED_FOR_DELETION | string | Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS).
static LAMBDA_CONCURRENCY_CHECK | string | Checks whether the AWS Lambda function is configured with a function-level concurrent execution limit.
static LAMBDA_DLQ_CHECK | string | Checks whether an AWS Lambda function is configured with a dead-letter queue.
static LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED | string | Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.
static LAMBDA_FUNCTION_SETTINGS_CHECK | string | Checks that the Lambda function settings for runtime, role, timeout, and memory size match the expected values.
static LAMBDA_INSIDE_VPC | string | Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud.
static LAMBDA_VPC_MULTI_AZ_CHECK | string | Checks if Lambda has more than 1 availability zone associated.
static MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | string | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password.
static NACL_NO_UNRESTRICTED_SSH_RDP | string | Checks if the default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are unrestricted.
static NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS | string | Checks if an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets.
static NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS | string | Checks if an AWS Network Firewall policy is configured with a user-defined default stateless action for full packets.
static NETFW_POLICY_RULE_GROUP_ASSOCIATED | string | Checks whether an AWS Network Firewall policy is associated with stateful or stateless rule groups.
static NETFW_STATELESS_RULE_GROUP_NOT_EMPTY | string | Checks if a Stateless Network Firewall Rule Group contains rules.
static NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED | string | Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs).
static OPENSEARCH_ACCESS_CONTROL_ENABLED | string | Checks if Amazon OpenSearch Service domains have fine-grained access control enabled.
static OPENSEARCH_AUDIT_LOGGING_ENABLED | string | Checks if Amazon OpenSearch Service domains have audit logging enabled.
static OPENSEARCH_DATA_NODE_FAULT_TOLERANCE | string | Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
static OPENSEARCH_ENCRYPTED_AT_REST | string | Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled.
static OPENSEARCH_HTTPS_REQUIRED | string | Checks whether connections to OpenSearch domains are using HTTPS.
static OPENSEARCH_IN_VPC_ONLY | string | Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).
static OPENSEARCH_LOGS_TO_CLOUDWATCH | string | Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs.
static OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK | string | Checks if Amazon OpenSearch Service nodes are encrypted end to end.
static RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED | string | Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades.
static RDS_CLUSTER_DEFAULT_ADMIN_CHECK | string | Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value.
static RDS_CLUSTER_DELETION_PROTECTION_ENABLED | string | Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled.
static RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED | string | Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled.
static RDS_CLUSTER_MULTI_AZ_ENABLED | string | Checks if Multi-AZ replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS).
static RDS_DB_INSTANCE_BACKUP_ENABLED | string | Checks whether RDS DB instances have backups enabled.
static RDS_DB_SECURITY_GROUP_NOT_ALLOWED | string | Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group.
static RDS_ENHANCED_MONITORING_ENABLED | string | Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.
static RDS_INSTANCE_DEFAULT_ADMIN_CHECK | string | Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value.
static RDS_INSTANCE_DELETION_PROTECTION_ENABLED | string | Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled.
static RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED | string | Checks if an Amazon RDS instance has AWS Identity and Access Management (IAM) authentication enabled.
static RDS_INSTANCE_PUBLIC_ACCESS_CHECK | string | Checks whether the Amazon Relational Database Service instances are not publicly accessible.
static RDS_IN_BACKUP_PLAN | string | Checks whether an Amazon RDS database is present in backup plans of AWS Backup.
static RDS_LAST_BACKUP_RECOVERY_POINT_CREATED | string | Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS).
static RDS_LOGGING_ENABLED | string | Checks that the respective logs of Amazon Relational Database Service (Amazon RDS) are enabled.
static RDS_MULTI_AZ_SUPPORT | string | Checks whether high availability is enabled for your RDS DB instances.
static RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN | string | Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan.
static RDS_SNAPSHOTS_PUBLIC_PROHIBITED | string | Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
static RDS_SNAPSHOT_ENCRYPTED | string | Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.
static RDS_STORAGE_ENCRYPTED | string | Checks whether storage encryption is enabled for your RDS DB instances.
static REDSHIFT_AUDIT_LOGGING_ENABLED | string | Checks if Amazon Redshift clusters are logging audits to a specific bucket.
static REDSHIFT_BACKUP_ENABLED | string | Checks that Amazon Redshift automated snapshots are enabled for clusters.
static REDSHIFT_CLUSTER_CONFIGURATION_CHECK | string | Checks whether Amazon Redshift clusters have the specified settings.
static REDSHIFT_CLUSTER_KMS_ENABLED | string | Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption.
static REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK | string | Checks whether Amazon Redshift clusters have the specified maintenance settings.
static REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECKstringChecks whether Amazon Redshift clusters are not publicly accessible.
static REDSHIFT_DEFAULT_ADMIN_CHECKstringChecks if an Amazon Redshift cluster has changed the admin username from its default value.
static REDSHIFT_DEFAULT_DB_NAME_CHECKstringChecks if a Redshift cluster has changed its database name from the default value.
static REDSHIFT_ENHANCED_VPC_ROUTING_ENABLEDstringChecks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled.
static REDSHIFT_REQUIRE_TLS_SSLstringChecks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients.
static REQUIRED_TAGSstringChecks whether your resources have the tags that you specify.
static ROOT_ACCOUNT_HARDWARE_MFA_ENABLEDstringChecks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials.
static ROOT_ACCOUNT_MFA_ENABLEDstringChecks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.
static S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKSstringChecks whether the required public access block settings are configured from account level.
static S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODICstringChecks if the required public access block settings are configured from account level.
static S3_BUCKET_ACL_PROHIBITEDstringChecks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs).
static S3_BUCKET_BLOCKED_ACTIONS_PROHIBITEDstringChecks if the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.
static S3_BUCKET_DEFAULT_LOCK_ENABLEDstringChecks whether Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.
static S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITEDstringChecks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible.
static S3_BUCKET_LOGGING_ENABLEDstringChecks whether logging is enabled for your S3 buckets.
static S3_BUCKET_POLICY_GRANTEE_CHECKstringChecks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide.
static S3_BUCKET_POLICY_NOT_MORE_PERMISSIVEstringChecks if your Amazon Simple Storage Service bucket policies do not allow other inter-account permissions than the control Amazon S3 bucket policy that you provide.
static S3_BUCKET_PUBLIC_READ_PROHIBITEDstringChecks if your Amazon S3 buckets do not allow public read access.
static S3_BUCKET_PUBLIC_WRITE_PROHIBITEDstringChecks that your Amazon S3 buckets do not allow public write access.
static S3_BUCKET_REPLICATION_ENABLEDstringChecks whether S3 buckets have cross-region replication enabled.
static S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLEDstringChecks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.
static S3_BUCKET_SSL_REQUESTS_ONLYstringChecks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
static S3_BUCKET_VERSIONING_ENABLEDstringChecks whether versioning is enabled for your S3 buckets.
static S3_DEFAULT_ENCRYPTION_KMSstringChecks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS).
static S3_EVENT_NOTIFICATIONS_ENABLEDstringChecks if Amazon S3 Events Notifications are enabled on an S3 bucket.
static S3_LAST_BACKUP_RECOVERY_POINT_CREATEDstringChecks if a recovery point was created for Amazon Simple Storage Service (Amazon S3).
static S3_LIFECYCLE_POLICY_CHECKstringChecks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket.
static S3_RESOURCES_PROTECTED_BY_BACKUP_PLANstringChecks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan.
static S3_VERSION_LIFECYCLE_POLICY_CHECKstringChecks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured.
static SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGUREDstringChecks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration.
static SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGUREDstringCheck whether an AWS Key Management Service (KMS) key is configured for SageMaker notebook instance.
static SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESSstringChecks whether direct internet access is disabled for an Amazon SageMaker notebook instance.
static SECRETSMANAGER_ROTATION_ENABLED_CHECKstringChecks whether AWS Secrets Manager secret has rotation enabled.
static SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECKstringChecks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule.
static SECRETSMANAGER_SECRET_PERIODIC_ROTATIONstringChecks if AWS Secrets Manager secrets have been rotated in the past specified number of days.
static SECRETSMANAGER_SECRET_UNUSEDstringChecks if AWS Secrets Manager secrets have been accessed within a specified number of days.
static SECRETSMANAGER_USING_CMKstringChecks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS).
static SECURITYHUB_ENABLEDstringChecks that AWS Security Hub is enabled for an AWS account.
static SERVICE_VPC_ENDPOINT_ENABLEDstringChecks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC.
static SHIELD_ADVANCED_ENABLED_AUTO_RENEWstringChecks whether EBS volumes are attached to EC2 instances.
static SHIELD_DRT_ACCESSstringVerify that DDoS response team (DRT) can access AWS account.
static SNS_ENCRYPTED_KMSstringChecks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS).
static SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLEDstringChecks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints.
static SSM_DOCUMENT_NOT_PUBLICstringChecks if AWS Systems Manager documents owned by the account are public.
static STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATEDstringChecks if a recovery point was created for AWS Storage Gateway volumes.
static SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLEDstringhecks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address.
static VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATEDstringChecks if a recovery point was created for AWS Backup-Gateway VirtualMachines.
static VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLANstringChecks if AWS Backup-Gateway VirtualMachines are protected by a backup plan.
static VPC_DEFAULT_SECURITY_GROUP_CLOSEDstringChecks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
static VPC_FLOW_LOGS_ENABLEDstringChecks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.
static VPC_NETWORK_ACL_UNUSED_CHECKstringChecks if there are unused network access control lists (network ACLs).
static VPC_PEERING_DNS_RESOLUTION_CHECKstringChecks if DNS resolution from accepter/requester VPC to private IP is enabled.
static VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTSstringChecks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic.
static VPC_VPN_2_TUNNELS_UPstringChecks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status.
static WAFV2_LOGGING_ENABLEDstringChecks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs).
static WAF_CLASSIC_LOGGING_ENABLEDstringChecks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs.
static WAF_GLOBAL_RULEGROUP_NOT_EMPTYstringChecks if an AWS WAF Classic rule group contains any rules.
static WAF_GLOBAL_RULE_NOT_EMPTYstringChecks if an AWS WAF global rule contains any conditions.
static WAF_GLOBAL_WEBACL_NOT_EMPTYstringChecks whether a WAF Global Web ACL contains any WAF rules or rule groups.
static WAF_REGIONAL_RULEGROUP_NOT_EMPTYstringChecks if WAF Regional rule groups contain any rules.
static WAF_REGIONAL_RULE_NOT_EMPTYstringChecks whether WAF regional rule contains conditions.
static WAF_REGIONAL_WEBACL_NOT_EMPTYstringChecks if a WAF regional Web ACL contains any WAF rules or rule groups.
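VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS is one of the rules in the table above that only makes sense with its input parameters: authorizedTcpPorts and authorizedUdpPorts list the ports that may be exposed to the world, in a comma-separated form with dash ranges such as "443,1020-1025". The block below is an added example and is not code from aws-cdk-lib or from AWS Config; it re-implements the rule's check locally so that security-group ingress rules can be screened before a stack is deployed. The IngressRule/SecurityGroup shapes, the treatment of "::/0" as world-open, and the treatment of an all-protocols ("-1") rule as a finding are assumptions made for the example; the sample security group is constructed.

```typescript
// Added example, not part of aws-cdk-lib or AWS Config: a local
// re-implementation of the check that VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
// performs, for screening ingress rules before deployment.
// Assumptions: authorizedTcpPorts / authorizedUdpPorts use the documented
// "443,1020-1025" format; "0.0.0.0/0" and "::/0" count as world-open; an
// all-protocols ("-1") rule open to the world is reported as a finding.

interface IngressRule {
  protocol: 'tcp' | 'udp' | '-1'; // '-1' is the EC2 value for "all protocols"
  fromPort: number;
  toPort: number;
  cidr: string;
}

interface SecurityGroup {
  groupId: string;
  ingress: IngressRule[];
}

interface PortRange { from: number; to: number }

interface RuleParams { authorizedTcpPorts?: string; authorizedUdpPorts?: string }

const WORLD_CIDRS = new Set(['0.0.0.0/0', '::/0']);

// Parse "443,1020-1025" into [{443..443}, {1020..1025}], rejecting malformed input.
function parseAuthorizedPorts(spec: string): PortRange[] {
  if (spec.trim() === '') return [];
  return spec.split(',').map((token) => {
    const parts = token.trim().split('-');
    if (parts.length > 2 || parts[0] === '') throw new Error(`invalid port spec: "${token}"`);
    const from = Number(parts[0]);
    const to = parts.length === 2 ? Number(parts[1]) : from;
    if (!Number.isInteger(from) || !Number.isInteger(to) || from < 0 || to > 65535 || from > to) {
      throw new Error(`invalid port spec: "${token}"`);
    }
    return { from, to };
  });
}

// True when every port in [from, to] lies inside some authorized range
// (authorized ranges may be discontiguous, so walk the exposed range).
function fullyAuthorized(from: number, to: number, allowed: PortRange[]): boolean {
  let p = from;
  while (p <= to) {
    const r = allowed.find((x) => x.from <= p && p <= x.to);
    if (!r) return false;
    p = r.to + 1;
  }
  return true;
}

function evaluateSecurityGroup(sg: SecurityGroup, params: RuleParams): { compliant: boolean; findings: string[] } {
  const tcp = parseAuthorizedPorts(params.authorizedTcpPorts ?? '');
  const udp = parseAuthorizedPorts(params.authorizedUdpPorts ?? '');
  const findings: string[] = [];
  for (const r of sg.ingress) {
    if (!WORLD_CIDRS.has(r.cidr)) continue; // only world-open rules are in scope
    if (r.protocol === '-1') {
      findings.push(`${sg.groupId}: all protocols/ports open to ${r.cidr}`);
      continue;
    }
    const allowed = r.protocol === 'tcp' ? tcp : udp;
    if (!fullyAuthorized(r.fromPort, r.toPort, allowed)) {
      findings.push(`${sg.groupId}: ${r.protocol} ${r.fromPort}-${r.toPort} open to ${r.cidr} is outside the authorized ports`);
    }
  }
  return { compliant: findings.length === 0, findings };
}

// Constructed sample: a web-tier group with a stray world-open SSH rule.
const SAMPLE_GROUP: SecurityGroup = {
  groupId: 'sg-0123456789abcdef0',
  ingress: [
    { protocol: 'tcp', fromPort: 443, toPort: 443, cidr: '0.0.0.0/0' },    // authorized
    { protocol: 'tcp', fromPort: 1020, toPort: 1025, cidr: '0.0.0.0/0' },  // authorized range
    { protocol: 'tcp', fromPort: 22, toPort: 22, cidr: '0.0.0.0/0' },      // finding
    { protocol: 'tcp', fromPort: 3306, toPort: 3306, cidr: '10.0.0.0/8' }, // not world-open, ignored
  ],
};
const SAMPLE_PARAMS: RuleParams = { authorizedTcpPorts: '443,1020-1025' };

const sampleResult = evaluateSecurityGroup(SAMPLE_GROUP, SAMPLE_PARAMS);
console.log(sampleResult.compliant ? 'COMPLIANT' : `NON_COMPLIANT:\n  ${sampleResult.findings.join('\n  ')}`);
```

Run against the sample group, the only finding is the tcp 22 rule; the 3306 rule is ignored because the managed rule only looks at rules whose source is the whole internet. The same string you pass as inputParameters.authorizedTcpPorts to config.ManagedRule is what parseAuthorizedPorts consumes here, so a malformed list fails locally rather than at evaluation time.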

static ACCESS_KEYS_ROTATED

Type: string

Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge.

See also: https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html


static ACCOUNT_PART_OF_ORGANIZATIONS

Type: string

Checks whether AWS account is part of AWS Organizations.

See also: https://docs.aws.amazon.com/config/latest/developerguide/account-part-of-organizations.html


static ACM_CERTIFICATE_EXPIRATION_CHECK

Type: string

Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.

See also: https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html


static ALB_DESYNC_MODE_CHECK

Type: string

Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode.

See also: https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html


static ALB_HTTP_DROP_INVALID_HEADER_ENABLED

Type: string

Checks if Application Load Balancers (ALBs) are configured to drop invalid HTTP headers.

See also: https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html


static ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK

Type: string

Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer.

See also: https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html


static ALB_WAF_ENABLED

Type: string

Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html


static API_GWV2_ACCESS_LOGS_ENABLED

Type: string

Checks if Amazon API Gateway V2 stages have access logging enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-access-logs-enabled.html


static API_GWV2_AUTHORIZATION_TYPE_CONFIGURED

Type: string

Checks if Amazon API Gatewayv2 API routes have an authorization type set.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-authorization-type-configured.html


static API_GW_ASSOCIATED_WITH_WAF

Type: string

Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-associated-with-waf.html


static API_GW_CACHE_ENABLED_AND_ENCRYPTED

Type: string

Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html


static API_GW_ENDPOINT_TYPE_CHECK

Type: string

Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-endpoint-type-check.html


static API_GW_EXECUTION_LOGGING_ENABLED

Type: string

Checks that all methods in Amazon API Gateway stage has logging enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html


static API_GW_SSL_ENABLED

Type: string

Checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html


static API_GW_XRAY_ENABLED

Type: string

Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-xray-enabled.html


static APPROVED_AMIS_BY_ID

Type: string

Checks whether running instances are using specified AMIs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html


static APPROVED_AMIS_BY_TAG

Type: string

Checks whether running instances are using specified AMIs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-tag.html


static AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon Aurora DB clusters.

See also: https://docs.aws.amazon.com/config/latest/developerguide/aurora-last-backup-recovery-point-created.html


static AURORA_MYSQL_BACKTRACKING_ENABLED

Type: string

Checks if an Amazon Aurora MySQL cluster has backtracking enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-backtracking-enabled.html


static AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon Aurora DB clusters are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html


static AUTOSCALING_CAPACITY_REBALANCING

Type: string

Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-capacity-rebalancing.html


static AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED

Type: string

Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html


static AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2

Type: string

Checks whether Amazon EC2 Auto Scaling launch configurations require Instance Metadata Service Version 2 (IMDSv2).

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html


static AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT

Type: string

Checks the number of network hops that the metadata token can travel.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-hop-limit.html


static AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

Type: string

Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html


static AUTOSCALING_LAUNCH_TEMPLATE

Type: string

Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-template.html


static AUTOSCALING_MULTIPLE_AZ

Type: string

Checks if the Auto Scaling group spans multiple Availability Zones.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-az.html


static AUTOSCALING_MULTIPLE_INSTANCE_TYPES

Type: string

Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types.

See also: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-instance-types.html


static BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK

Type: string

Checks if a backup plan has a backup rule that satisfies the required frequency and retention period.

See also: https://docs.aws.amazon.com/config/latest/developerguide/backup-plan-min-frequency-and-min-retention-check.html


static BACKUP_RECOVERY_POINT_ENCRYPTED

Type: string

Checks if a recovery point is encrypted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-encrypted.html


static BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED

Type: string

Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points.

See also: https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-manual-deletion-disabled.html


static BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK

Type: string

Checks if a recovery point expires no earlier than after the specified period.

See also: https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-minimum-retention-check.html


static BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED

Type: string

Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.

See also: https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html


static CLB_DESYNC_MODE_CHECK

Type: string

Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode.

See also: https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html


static CLB_MULTIPLE_AZ

Type: string

Checks if a Classic Load Balancer spans multiple Availability Zones (AZs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/clb-multiple-az.html


static CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

Type: string

Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html


static CLOUDFORMATION_STACK_NOTIFICATION_CHECK

Type: string

Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-notification-check.html


static CLOUDFRONT_ACCESSLOGS_ENABLED

Type: string

Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon Simple Storage Service (Amazon S3) bucket.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html


static CLOUDFRONT_ASSOCIATED_WITH_WAF

Type: string

Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-associated-with-waf.html


static CLOUDFRONT_CUSTOM_SSL_CERTIFICATE

Type: string

Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-custom-ssl-certificate.html


static CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

Type: string

Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-default-root-object-configured.html


static CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

Type: string

Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html


static CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

Type: string

Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-access-identity-enabled.html


static CLOUDFRONT_ORIGIN_FAILOVER_ENABLED

Type: string

Checks whether an Amazon CloudFront distribution has an origin group configured with at least two origins.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-failover-enabled.html


static CLOUDFRONT_SECURITY_POLICY_CHECK

Type: string

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-security-policy-check.html


static CLOUDFRONT_SNI_ENABLED

Type: string

Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-sni-enabled.html


static CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED

Type: string

Checks if Amazon CloudFront distributions are encrypting traffic to custom origins.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html


static CLOUDFRONT_VIEWER_POLICY_HTTPS

Type: string

Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection).

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-viewer-policy-https.html


static CLOUDTRAIL_MULTI_REGION_ENABLED

Type: string

Checks that there is at least one multi-region AWS CloudTrail.

See also: https://docs.aws.amazon.com/config/latest/developerguide/multi-region-cloudtrail-enabled.html


static CLOUDTRAIL_S3_DATAEVENTS_ENABLED

Type: string

Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html


static CLOUDTRAIL_SECURITY_TRAIL_ENABLED

Type: string

Checks that there is at least one AWS CloudTrail trail defined with security best practices.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-security-trail-enabled.html


static CLOUDWATCH_ALARM_ACTION_CHECK

Type: string

Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html


static CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK

Type: string

Checks if Amazon CloudWatch alarms actions are in enabled state.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-enabled-check.html


static CLOUDWATCH_ALARM_RESOURCE_CHECK

Type: string

Checks whether the specified resource type has a CloudWatch alarm for the specified metric.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-resource-check.html


static CLOUDWATCH_ALARM_SETTINGS_CHECK

Type: string

Checks whether CloudWatch alarms with the given metric name have the specified settings.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-settings-check.html


static CLOUDWATCH_LOG_GROUP_ENCRYPTED

Type: string

Checks whether a log group in Amazon CloudWatch Logs is encrypted with an AWS Key Management Service (AWS KMS) key (CMK).

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html


static CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED

Type: string

Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html


static CLOUD_TRAIL_ENABLED

Type: string

Checks whether AWS CloudTrail is enabled in your AWS account.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html


static CLOUD_TRAIL_ENCRYPTION_ENABLED

Type: string

Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html


static CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

Type: string

Checks whether AWS CloudTrail creates a signed digest file with logs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html


static CMK_BACKING_KEY_ROTATION_ENABLED

Type: string

Checks that automatic key rotation is enabled for each customer managed AWS KMS key (CMK).

See also: https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html


static CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION

Type: string

Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-artifact-encryption.html


static CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK

Type: string

Checks if an AWS CodeBuild project environment has privileged mode enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-environment-privileged-check.html


static CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

Type: string

Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html


static CODEBUILD_PROJECT_LOGGING_ENABLED

Type: string

Checks if an AWS CodeBuild project environment has at least one log option enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-logging-enabled.html


static CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED

Type: string

Checks if an AWS CodeBuild project configured with Amazon S3 logs has encryption enabled for its logs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-s3-logs-encrypted.html


static CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

Type: string

Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html
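CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK and CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK both catch the same class of mistake: static credentials baked into a build project definition instead of being supplied through the project's service role, Parameter Store, Secrets Manager or CodeBuild source credentials. The block below is an added example and is not aws-cdk-lib or AWS Config code; it applies the same two checks locally to a project definition so they can run in CI before the project exists. The CodeBuildProject shape is a simplified assumption modelled on a project's environment.environmentVariables and source.location fields, and both sample projects are constructed.

```typescript
// Added example, not aws-cdk-lib or AWS Config code: local checks mirroring
// CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK and
// CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK, for linting a project definition
// before it is created. The CodeBuildProject shape is an assumption modelled
// on the environment.environmentVariables and source.location fields.

type EnvVarType = 'PLAINTEXT' | 'PARAMETER_STORE' | 'SECRETS_MANAGER';

interface EnvVar { name: string; value: string; type: EnvVarType }

interface CodeBuildProject {
  projectName: string;
  sourceType: 'GITHUB' | 'BITBUCKET' | 'CODECOMMIT' | 'S3';
  sourceLocation: string;
  environmentVariables: EnvVar[];
}

const AWS_CRED_VARS = new Set(['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY']);

// Mirrors CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: static AWS credentials must
// not be stored as PLAINTEXT environment variables. References into Parameter
// Store or Secrets Manager are the accepted alternative.
function plaintextAwsCredentialVars(p: CodeBuildProject): string[] {
  return p.environmentVariables
    .filter((v) => AWS_CRED_VARS.has(v.name) && v.type === 'PLAINTEXT')
    .map((v) => v.name);
}

// Mirrors CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK for GitHub/Bitbucket sources:
// the clone URL must not carry userinfo (user:password, or a personal access
// token in the username position).
function sourceUrlEmbedsCredentials(location: string): boolean {
  let url: URL;
  try {
    url = new URL(location);
  } catch {
    return false; // not a URL (e.g. an S3 path); nothing to check here
  }
  return url.username !== '' || url.password !== '';
}

function lintProject(p: CodeBuildProject): { compliant: boolean; findings: string[] } {
  const findings: string[] = [];
  for (const varName of plaintextAwsCredentialVars(p)) {
    findings.push(`${p.projectName}: ${varName} is stored as a PLAINTEXT environment variable`);
  }
  if ((p.sourceType === 'GITHUB' || p.sourceType === 'BITBUCKET') && sourceUrlEmbedsCredentials(p.sourceLocation)) {
    findings.push(`${p.projectName}: source URL embeds credentials`);
  }
  return { compliant: findings.length === 0, findings };
}

// Constructed samples: the same project before and after remediation.
const LEAKY_PROJECT: CodeBuildProject = {
  projectName: 'build-leaky',
  sourceType: 'GITHUB',
  sourceLocation: 'https://ghp_EXAMPLETOKEN0000@github.com/example-org/app.git',
  environmentVariables: [
    { name: 'AWS_ACCESS_KEY_ID', value: 'AKIAEXAMPLE', type: 'PLAINTEXT' },
    { name: 'AWS_SECRET_ACCESS_KEY', value: 'example-secret', type: 'PLAINTEXT' },
  ],
};

const HARDENED_PROJECT: CodeBuildProject = {
  projectName: 'build-hardened',
  sourceType: 'GITHUB',
  sourceLocation: 'https://github.com/example-org/app.git', // auth via CodeBuild source credentials, not the URL
  environmentVariables: [
    // AWS calls use the project's service role; only a third-party token is needed, and it is a reference.
    { name: 'DEPLOY_TOKEN', value: 'prod/deploy-token', type: 'SECRETS_MANAGER' },
  ],
};

for (const p of [LEAKY_PROJECT, HARDENED_PROJECT]) {
  const r = lintProject(p);
  console.log(`${p.projectName}: ${r.compliant ? 'COMPLIANT' : 'NON_COMPLIANT'}`, r.findings);
}
```

The leaky project yields three findings (two plaintext credential variables plus the token in the clone URL); the hardened one yields none. Note that the env-var rule keys on the variable name and storage type, not the value, so a PARAMETER_STORE or SECRETS_MANAGER reference named AWS_ACCESS_KEY_ID passes, and a plaintext credential stored under another name is not caught by it.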


static CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED

Type: string

Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-auto-rollback-monitor-enabled.html


static CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED

Type: string

Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-ec2-minimum-healthy-hosts-configured.html


static CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED

Type: string

Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-lambda-allatonce-traffic-shift-disabled.html


static CODEPIPELINE_DEPLOYMENT_COUNT_CHECK

Type: string

Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-deployment-count-check.html


static CODEPIPELINE_REGION_FANOUT_CHECK

Type: string

Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number.

See also: https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-region-fanout-check.html


static CW_LOGGROUP_RETENTION_PERIOD_CHECK

Type: string

Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days.

See also: https://docs.aws.amazon.com/config/latest/developerguide/cw-loggroup-retention-period-check.html


static DAX_ENCRYPTION_ENABLED

Type: string

Checks that DynamoDB Accelerator (DAX) clusters are encrypted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dax-encryption-enabled.html


static DMS_REPLICATION_NOT_PUBLIC

Type: string

Checks whether AWS Database Migration Service replication instances are public.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-not-public.html


static DYNAMODB_AUTOSCALING_ENABLED

Type: string

Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-autoscaling-enabled.html


static DYNAMODB_IN_BACKUP_PLAN

Type: string

Checks whether Amazon DynamoDB table is present in AWS Backup plans.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-in-backup-plan.html


static DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-last-backup-recovery-point-created.html


static DYNAMODB_PITR_ENABLED

Type: string

Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-pitr-enabled.html


static DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon DynamoDB tables are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-resources-protected-by-backup-plan.html


static DYNAMODB_TABLE_ENCRYPTED_KMS

Type: string

Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encrypted-kms.html


static DYNAMODB_TABLE_ENCRYPTION_ENABLED

Type: string

Checks whether the Amazon DynamoDB tables are encrypted and checks their status.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encryption-enabled.html


static DYNAMODB_THROUGHPUT_LIMIT_CHECK

Type: string

Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account.

See also: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-throughput-limit-check.html


static EBS_ENCRYPTED_VOLUMES

Type: string

Checks whether the EBS volumes that are in an attached state are encrypted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html


static EBS_IN_BACKUP_PLAN

Type: string

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ebs-in-backup-plan.html


static EBS_OPTIMIZED_INSTANCE

Type: string

Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ebs-optimized-instance.html


static EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ebs-resources-protected-by-backup-plan.html


static EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

Type: string

Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html


static EC2_DESIRED_INSTANCE_TENANCY

Type: string

Checks instances for specified tenancy.

See also: https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-tenancy.html


static EC2_DESIRED_INSTANCE_TYPE

Type: string

Checks whether your EC2 instances are of the specified instance types.

See also: https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-type.html


static EC2_EBS_ENCRYPTION_BY_DEFAULT

Type: string

Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html


static EC2_IMDSV2_CHECK

Type: string

Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html


static EC2_INSTANCES_IN_VPC

Type: string

Checks whether your EC2 instances belong to a virtual private cloud (VPC).

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html


static EC2_INSTANCE_DETAILED_MONITORING_ENABLED

Type: string

Checks whether detailed monitoring is enabled for EC2 instances.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-detailed-monitoring-enabled.html


static EC2_INSTANCE_MANAGED_BY_SSM

Type: string

Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html


static EC2_INSTANCE_MULTIPLE_ENI_CHECK

Type: string

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances use multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-multiple-eni-check.html


static EC2_INSTANCE_NO_PUBLIC_IP

Type: string

Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html


static EC2_INSTANCE_PROFILE_ATTACHED

Type: string

Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it.

This rule is NON_COMPLIANT if no IAM profile is attached to the Amazon EC2 instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html


static EC2_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-last-backup-recovery-point-created.html


static EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED

Type: string

Checks that none of the specified applications are installed on the instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-blacklisted.html


static EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED

Type: string

Checks whether all of the specified applications are installed on the instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-required.html


static EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

Type: string

Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html


static EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED

Type: string

Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-inventory-blacklisted.html


static EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

Type: string

Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html


static EC2_MANAGED_INSTANCE_PLATFORM_CHECK

Type: string

Checks whether EC2 managed instances have the desired configurations.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-platform-check.html


static EC2_NO_AMAZON_KEY_PAIR

Type: string

Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using Amazon key pairs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-no-amazon-key-pair.html


static EC2_PARAVIRTUAL_INSTANCE_CHECK

Type: string

Checks if the virtualization type of an EC2 instance is paravirtual.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-paravirtual-instance-check.html


static EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-resources-protected-by-backup-plan.html


static EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED

Type: string

Checks whether the incoming SSH traffic for the security groups is accessible.

See also: https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html


static EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC

Type: string

Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.

See also: https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html


static EC2_SECURITY_GROUP_ATTACHED_TO_ENI

Type: string

Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni.html


static EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC

Type: string

Checks if non-default security groups are attached to elastic network interfaces (ENIs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni-periodic.html


static EC2_STOPPED_INSTANCE

Type: string

Checks whether there are instances stopped for more than the allowed number of days.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-stopped-instance.html


static EC2_TOKEN_HOP_LIMIT_CHECK

Type: string

Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-token-hop-limit-check.html


static EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED

Type: string

Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-transit-gateway-auto-vpc-attach-disabled.html


static ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK

Type: string

Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html


static EC2_VOLUME_INUSE_CHECK

Type: string

Checks whether EBS volumes are attached to EC2 instances.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ec2-volume-inuse-check.html


static ECR_PRIVATE_IMAGE_SCANNING_ENABLED

Type: string

Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-image-scanning-enabled.html


static ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED

Type: string

Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html


static ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED

Type: string

Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html


static ECS_AWSVPC_NETWORKING_ENABLED

Type: string

Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-awsvpc-networking-enabled.html


static ECS_CONTAINERS_NONPRIVILEGED

Type: string

Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html


static ECS_CONTAINERS_READONLY_ACCESS

Type: string

Checks if Amazon Elastic Container Service (Amazon ECS) containers only have read-only access to their root filesystems.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html


static ECS_CONTAINER_INSIGHTS_ENABLED

Type: string

Checks if Amazon Elastic Container Service clusters have container insights enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html


static ECS_FARGATE_LATEST_PLATFORM_VERSION

Type: string

Checks if Amazon Elastic Container Service (ECS) Fargate services are running on the latest Fargate platform version.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html


static ECS_NO_ENVIRONMENT_SECRETS

Type: string

Checks if secrets are passed as container environment variables.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-no-environment-secrets.html


static ECS_TASK_DEFINITION_LOG_CONFIGURATION

Type: string

Checks if logConfiguration is set on active ECS Task Definitions.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html


static ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT

Type: string

Checks if Amazon Elastic Container Service (ECS) task definitions have a memory limit set for their container definitions.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-memory-hard-limit.html


static ECS_TASK_DEFINITION_NONROOT_USER

Type: string

Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-nonroot-user.html


static ECS_TASK_DEFINITION_PID_MODE_CHECK

Type: string

Checks if ECSTaskDefinitions are configured to share a host’s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-pid-mode-check.html


static EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY

Type: string

Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory.

See also: https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-root-directory.html


static EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY

Type: string

Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity.

See also: https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-user-identity.html


static EFS_ENCRYPTED_CHECK

Type: string

Checks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html


static EFS_IN_BACKUP_PLAN

Type: string

Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup.

See also: https://docs.aws.amazon.com/config/latest/developerguide/efs-in-backup-plan.html


static EFS_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems.

See also: https://docs.aws.amazon.com/config/latest/developerguide/efs-last-backup-recovery-point-created.html


static EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/efs-resources-protected-by-backup-plan.html


static EIP_ATTACHED

Type: string

Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/eip-attached.html


static EKS_CLUSTER_OLDEST_SUPPORTED_VERSION

Type: string

Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.

See also: https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-oldest-supported-version.html


static EKS_CLUSTER_SUPPORTED_VERSION

Type: string

Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.

See also: https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-supported-version.html


static EKS_ENDPOINT_NO_PUBLIC_ACCESS

Type: string

Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.

See also: https://docs.aws.amazon.com/config/latest/developerguide/eks-endpoint-no-public-access.html


static EKS_SECRETS_ENCRYPTED

Type: string

Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

See also: https://docs.aws.amazon.com/config/latest/developerguide/eks-secrets-encrypted.html


static ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

Type: string

Checks if Amazon ElastiCache Redis clusters have automatic backup turned on.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html


static ELASTICSEARCH_ENCRYPTED_AT_REST

Type: string

Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-encrypted-at-rest.html


static ELASTICSEARCH_IN_VPC_ONLY

Type: string

Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).

See also: https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-in-vpc-only.html


static ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

Type: string

Checks that Amazon Elasticsearch Service nodes are encrypted end to end.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-node-to-node-encryption-check.html


static ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED

Type: string

Checks if managed platform updates are enabled in an AWS Elastic Beanstalk environment.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html


static ELBV2_ACM_CERTIFICATE_REQUIRED

Type: string

Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM).

See also: https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html


static ELBV2_MULTIPLE_AZ

Type: string

Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/elbv2-multiple-az.html


static ELB_ACM_CERTIFICATE_REQUIRED

Type: string

Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html


static ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED

Type: string

Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html


static ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK

Type: string

Checks whether your Classic Load Balancer SSL listeners are using a custom policy.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-custom-security-policy-ssl-check.html


static ELB_DELETION_PROTECTION_ENABLED

Type: string

Checks whether Elastic Load Balancing has deletion protection enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-deletion-protection-enabled.html


static ELB_LOGGING_ENABLED

Type: string

Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html


static ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK

Type: string

Checks whether your Classic Load Balancer SSL listeners are using a predefined policy.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html


static ELB_TLS_HTTPS_LISTENERS_ONLY

Type: string

Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners.

See also: https://docs.aws.amazon.com/config/latest/developerguide/elb-tls-https-listeners-only.html


static EMR_KERBEROS_ENABLED

Type: string

Checks that Amazon EMR clusters have Kerberos enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/emr-kerberos-enabled.html


static EMR_MASTER_NO_PUBLIC_IP

Type: string

Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/emr-master-no-public-ip.html


static FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK ⚠️

⚠️ Deprecated: Inactive managed rule

Type: string

Checks whether the security groups associated with inScope resources are compliant with the master security groups at each rule level, based on the allowSecurityGroup and denySecurityGroup flags.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-audit-policy-check.html


static FMS_SECURITY_GROUP_CONTENT_CHECK ⚠️

⚠️ Deprecated: Inactive managed rule

Type: string

Checks whether AWS Firewall Manager created security groups content is the same as the master security groups.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-content-check.html


static FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK ⚠️

⚠️ Deprecated: Inactive managed rule

Type: string

Checks whether Amazon EC2 or an elastic network interface is associated with AWS Firewall Manager security groups.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-resource-association-check.html


static FMS_SHIELD_RESOURCE_POLICY_CHECK

Type: string

Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html


static FMS_WEBACL_RESOURCE_POLICY_CHECK

Type: string

Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-resource-policy-check.html


static FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK

Type: string

Checks that the rule groups are associated with the web ACL at the correct priority.

The correct priority is decided by the rank of the rule groups in the ruleGroups parameter.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-rulegroup-association-check.html


static FSX_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon FSx File Systems.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fsx-last-backup-recovery-point-created.html


static FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon FSx File Systems are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/fsx-resources-protected-by-backup-plan.html


static GUARDDUTY_ENABLED_CENTRALIZED

Type: string

Checks whether Amazon GuardDuty is enabled in your AWS account and region.

If you provide an AWS account for centralization, the rule evaluates the Amazon GuardDuty results in the centralized account.

See also: https://docs.aws.amazon.com/config/latest/developerguide/guardduty-enabled-centralized.html


static GUARDDUTY_NON_ARCHIVED_FINDINGS

Type: string

Checks whether Amazon GuardDuty has findings that are not archived.

See also: https://docs.aws.amazon.com/config/latest/developerguide/guardduty-non-archived-findings.html


static IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS

Type: string

Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on all AWS KMS keys.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.html


static IAM_GROUP_HAS_USERS_CHECK

Type: string

Checks whether IAM groups have at least one IAM user.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-group-has-users-check.html


static IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS

Type: string

Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not allow blocked actions on all AWS Key Management Service keys.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-inline-policy-blocked-kms-actions.html


static IAM_NO_INLINE_POLICY_CHECK

Type: string

Checks that inline policy feature is not in use.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-no-inline-policy-check.html


static IAM_PASSWORD_POLICY

Type: string

Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html


static IAM_POLICY_BLOCKED_CHECK

Type: string

Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html


static IAM_POLICY_IN_USE

Type: string

Checks whether the IAM policy ARN is attached to an IAM user, to an IAM group with one or more IAM users, or to an IAM role with one or more trusted entities.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-in-use.html


static IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS

Type: string

Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html


static IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS

Type: string

Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-full-access.html


static IAM_ROLE_MANAGED_POLICY_CHECK

Type: string

Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-role-managed-policy-check.html


static IAM_ROOT_ACCESS_KEY_CHECK

Type: string

Checks whether the root user access key is available.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html


static IAM_USER_GROUP_MEMBERSHIP_CHECK

Type: string

Checks whether IAM users are members of at least one IAM group.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-user-group-membership-check.html


static IAM_USER_MFA_ENABLED

Type: string

Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-user-mfa-enabled.html


static IAM_USER_NO_POLICIES_CHECK

Type: string

Checks that none of your IAM users have policies attached.

IAM users must inherit permissions from IAM groups or roles.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html


static IAM_USER_UNUSED_CREDENTIALS_CHECK

Type: string

Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the number of days you specified.

See also: https://docs.aws.amazon.com/config/latest/developerguide/iam-user-unused-credentials-check.html


static INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY

Type: string

Checks that internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/internet-gateway-authorized-vpc-only.html


static KINESIS_STREAM_ENCRYPTED

Type: string

Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption.

See also: https://docs.aws.amazon.com/config/latest/developerguide/kinesis-stream-encrypted.html


static KMS_CMK_NOT_SCHEDULED_FOR_DELETION

Type: string

Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/kms-cmk-not-scheduled-for-deletion.html


static LAMBDA_CONCURRENCY_CHECK

Type: string

Checks whether the AWS Lambda function is configured with function-level concurrent execution limit.

See also: https://docs.aws.amazon.com/config/latest/developerguide/lambda-concurrency-check.html


static LAMBDA_DLQ_CHECK

Type: string

Checks whether an AWS Lambda function is configured with a dead-letter queue.

See also: https://docs.aws.amazon.com/config/latest/developerguide/lambda-dlq-check.html


static LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

Type: string

Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.

See also: https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-public-access-prohibited.html


static LAMBDA_FUNCTION_SETTINGS_CHECK

Type: string

Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.

See also: https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-settings-check.html


static LAMBDA_INSIDE_VPC

Type: string

Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud.

See also: https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html


static LAMBDA_VPC_MULTI_AZ_CHECK

Type: string

Checks if a Lambda function is associated with more than one Availability Zone.

See also: https://docs.aws.amazon.com/config/latest/developerguide/lambda-vpc-multi-az-check.html


static MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

Type: string

Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password.

See also: https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html


static NACL_NO_UNRESTRICTED_SSH_RDP

Type: string

Checks if the default ports for SSH/RDP ingress traffic in network access control lists (NACLs) are unrestricted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/nacl-no-unrestricted-ssh-rdp.html


static NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS

Type: string

Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets.

See also: https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html


static NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS

Type: string

Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets.

See also: https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-full-packets.html


static NETFW_POLICY_RULE_GROUP_ASSOCIATED

Type: string

Checks if an AWS Network Firewall policy is associated with stateful or stateless rule groups.

See also: https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-rule-group-associated.html


static NETFW_STATELESS_RULE_GROUP_NOT_EMPTY

Type: string

Checks if a Stateless Network Firewall Rule Group contains rules.

See also: https://docs.aws.amazon.com/config/latest/developerguide/netfw-stateless-rule-group-not-empty.html


static NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED

Type: string

Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/nlb-cross-zone-load-balancing-enabled.html


static OPENSEARCH_ACCESS_CONTROL_ENABLED

Type: string

Checks if Amazon OpenSearch Service domains have fine-grained access control enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-access-control-enabled.html


static OPENSEARCH_AUDIT_LOGGING_ENABLED

Type: string

Checks if Amazon OpenSearch Service domains have audit logging enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-audit-logging-enabled.html


static OPENSEARCH_DATA_NODE_FAULT_TOLERANCE

Type: string

Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-data-node-fault-tolerance.html


static OPENSEARCH_ENCRYPTED_AT_REST

Type: string

Checks if Amazon OpenSearch Service domains have encryption at rest enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-encrypted-at-rest.html


static OPENSEARCH_HTTPS_REQUIRED

Type: string

Checks whether Amazon OpenSearch Service domains enforce HTTPS for all connections.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-https-required.html


static OPENSEARCH_IN_VPC_ONLY

Type: string

Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-in-vpc-only.html


static OPENSEARCH_LOGS_TO_CLOUDWATCH

Type: string

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-logs-to-cloudwatch.html


static OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

Type: string

Checks if Amazon OpenSearch Service domains have node-to-node encryption enabled, so that traffic between the nodes of a cluster is encrypted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/opensearch-node-to-node-encryption-check.html


static RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED

Type: string

Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-automatic-minor-version-upgrade-enabled.html


static RDS_CLUSTER_DEFAULT_ADMIN_CHECK

Type: string

Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-default-admin-check.html


static RDS_CLUSTER_DELETION_PROTECTION_ENABLED

Type: string

Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-deletion-protection-enabled.html


static RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED

Type: string

Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-iam-authentication-enabled.html


static RDS_CLUSTER_MULTI_AZ_ENABLED

Type: string

Checks if Multi-AZ replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-multi-az-enabled.html


static RDS_DB_INSTANCE_BACKUP_ENABLED

Type: string

Checks whether RDS DB instances have backups enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/db-instance-backup-enabled.html


static RDS_DB_SECURITY_GROUP_NOT_ALLOWED

Type: string

Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-db-security-group-not-allowed.html


static RDS_ENHANCED_MONITORING_ENABLED

Type: string

Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-enhanced-monitoring-enabled.html


static RDS_INSTANCE_DEFAULT_ADMIN_CHECK

Type: string

Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-default-admin-check.html


static RDS_INSTANCE_DELETION_PROTECTION_ENABLED

Type: string

Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-deletion-protection-enabled.html


static RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

Type: string

Checks if an Amazon RDS instance has AWS Identity and Access Management (IAM) authentication enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-iam-authentication-enabled.html


static RDS_INSTANCE_PUBLIC_ACCESS_CHECK

Type: string

Checks whether Amazon Relational Database Service (Amazon RDS) instances are not publicly accessible (the PubliclyAccessible field is false).

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html


static RDS_IN_BACKUP_PLAN

Type: string

Checks whether an Amazon RDS database is present in a backup plan of AWS Backup.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-in-backup-plan.html


static RDS_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-last-backup-recovery-point-created.html


static RDS_LOGGING_ENABLED

Type: string

Checks that the engine-specific log types of Amazon Relational Database Service (Amazon RDS) instances are enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-logging-enabled.html


static RDS_MULTI_AZ_SUPPORT

Type: string

Checks whether high availability (Multi-AZ) is enabled for your RDS DB instances.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-multi-az-support.html


static RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-resources-protected-by-backup-plan.html


static RDS_SNAPSHOTS_PUBLIC_PROHIBITED

Type: string

Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html


static RDS_SNAPSHOT_ENCRYPTED

Type: string

Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshot-encrypted.html


static RDS_STORAGE_ENCRYPTED

Type: string

Checks whether storage encryption is enabled for your RDS DB instances.

See also: https://docs.aws.amazon.com/config/latest/developerguide/rds-storage-encrypted.html


static REDSHIFT_AUDIT_LOGGING_ENABLED

Type: string

Checks if Amazon Redshift clusters are logging audits to a specific bucket.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-audit-logging-enabled.html


static REDSHIFT_BACKUP_ENABLED

Type: string

Checks that Amazon Redshift automated snapshots are enabled for clusters.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html


static REDSHIFT_CLUSTER_CONFIGURATION_CHECK

Type: string

Checks whether Amazon Redshift clusters have the specified settings.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-configuration-check.html


static REDSHIFT_CLUSTER_KMS_ENABLED

Type: string

Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html


static REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK

Type: string

Checks whether Amazon Redshift clusters have the specified maintenance settings.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html


static REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

Type: string

Checks whether Amazon Redshift clusters are not publicly accessible.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html


static REDSHIFT_DEFAULT_ADMIN_CHECK

Type: string

Checks if an Amazon Redshift cluster has changed the admin username from its default value.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html


static REDSHIFT_DEFAULT_DB_NAME_CHECK

Type: string

Checks if a Redshift cluster has changed its database name from the default value.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html


static REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED

Type: string

Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html


static REDSHIFT_REQUIRE_TLS_SSL

Type: string

Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients.

See also: https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html


static REQUIRED_TAGS

Type: string

Checks whether your resources have the tags that you specify.

For example, you can check whether your Amazon EC2 instances have the CostCenter tag.

See also: https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html


static ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

Type: string

Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials.

See also: https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html


static ROOT_ACCOUNT_MFA_ENABLED

Type: string

Checks whether the root user of your AWS account requires a multi-factor authentication (MFA) device to sign in.

See also: https://docs.aws.amazon.com/config/latest/developerguide/root-account-mfa-enabled.html


static S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

Type: string

Checks whether the required public access block settings are configured at the account level; this variant is evaluated when the account-level configuration changes.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks.html


static S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC

Type: string

Checks whether the required public access block settings are configured at the account level; this variant is evaluated on a periodic schedule rather than on configuration change.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html


static S3_BUCKET_ACL_PROHIBITED

Type: string

Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html


static S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED

Type: string

Checks that Amazon Simple Storage Service (Amazon S3) bucket policies do not grant the blocked (blacklisted) bucket-level and object-level actions on resources in the bucket to principals from other AWS accounts.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html


static S3_BUCKET_DEFAULT_LOCK_ENABLED

Type: string

Checks whether an Amazon Simple Storage Service (Amazon S3) bucket has Object Lock enabled by default.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-default-lock-enabled.html


static S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED

Type: string

Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible; the rule is NON_COMPLIANT if any of the bucket-level Block Public Access settings is not enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html


static S3_BUCKET_LOGGING_ENABLED

Type: string

Checks whether logging is enabled for your S3 buckets.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html


static S3_BUCKET_POLICY_GRANTEE_CHECK

Type: string

Checks that the access granted by an Amazon S3 bucket policy is restricted to the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-grantee-check.html


static S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE

Type: string

Checks that your Amazon Simple Storage Service (Amazon S3) bucket policies grant no cross-account permissions beyond those granted by the control bucket policy that you provide.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-not-more-permissive.html


static S3_BUCKET_PUBLIC_READ_PROHIBITED

Type: string

Checks if your Amazon S3 buckets do not allow public read access.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited.html


static S3_BUCKET_PUBLIC_WRITE_PROHIBITED

Type: string

Checks that your Amazon S3 buckets do not allow public write access.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html


static S3_BUCKET_REPLICATION_ENABLED

Type: string

Checks whether S3 buckets have cross-region replication enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-replication-enabled.html


static S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

Type: string

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html


static S3_BUCKET_SSL_REQUESTS_ONLY

Type: string

Checks whether S3 buckets have policies that require requests to use SSL/TLS, that is, a bucket policy that denies requests when aws:SecureTransport is false.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html
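The following is an added example, not code from the CDK or from AWS Config: a local approximation of the check behind S3_BUCKET_SSL_REQUESTS_ONLY, applied to two constructed bucket policies. It looks for the pattern the rule is documented to require, an explicit Deny for every principal of S3 actions on the bucket and its objects when aws:SecureTransport is false, and shows the weak policy (only GetObject denied over HTTP) beside the compliant one. The matching logic is a simplification that is not AWS's implementation: it assumes Principal is "*" or {"AWS": "*"}, Action includes "s3:*" or "*", and Resource covers both the bucket ARN and "<bucket ARN>/*" (or is "*"); the bucket ARN is made up.

```typescript
// Added example, not CDK or AWS Config code: local approximation of the check behind
// S3_BUCKET_SSL_REQUESTS_ONLY. The statement-matching rules below are assumptions,
// not AWS Config's actual implementation.

type Principal = '*' | { AWS: string | string[] };
interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: { [operator: string]: { [key: string]: string | boolean | string[] } };
}
export interface BucketPolicy { Version: string; Statement: Statement[] }
export type Compliance = 'COMPLIANT' | 'NON_COMPLIANT';

function asList<T>(v: T | T[]): T[] { return Array.isArray(v) ? (v as T[]) : [v as T]; }
function has(list: string[], value: string): boolean { return list.some((x) => x === value); }

function principalIsEveryone(p: Principal): boolean {
  return p === '*' || has(asList(p.AWS), '*');
}

// Real policies spell the condition value both as the string "false" and as boolean false.
function deniesInsecureTransport(s: Statement): boolean {
  const v = s.Condition?.Bool?.['aws:SecureTransport'];
  return v === false || v === 'false';
}

// Assumption: the Deny must reach both the bucket (ListBucket) and its objects.
function coversBucketAndObjects(s: Statement, bucketArn: string): boolean {
  const res = asList(s.Resource);
  if (has(res, '*')) return true;
  return has(res, bucketArn) && has(res, `${bucketArn}/*`);
}

function deniesAllS3Actions(s: Statement): boolean {
  return asList(s.Action).some((a) => a === 's3:*' || a === '*');
}

export function evaluateSslRequestsOnly(policy: BucketPolicy | undefined, bucketArn: string): Compliance {
  if (!policy) return 'NON_COMPLIANT'; // no bucket policy at all: nothing denies plain HTTP
  const hasDeny = policy.Statement.some((s) =>
    s.Effect === 'Deny'
    && principalIsEveryone(s.Principal)
    && deniesAllS3Actions(s)
    && coversBucketAndObjects(s, bucketArn)
    && deniesInsecureTransport(s));
  return hasDeny ? 'COMPLIANT' : 'NON_COMPLIANT';
}

export const BUCKET_ARN = 'arn:aws:s3:::example-bucket'; // constructed, not a real bucket

// Constructed sample 1: the canonical compliant policy.
export const COMPLIANT_POLICY: BucketPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'DenyInsecureTransport',
    Effect: 'Deny',
    Principal: '*',
    Action: 's3:*',
    Resource: [BUCKET_ARN, `${BUCKET_ARN}/*`],
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  }],
};

// Constructed sample 2: a near miss. Only GetObject over HTTP is denied, so plain-HTTP
// ListBucket or PutObject would still succeed under any other grant.
export const NEAR_MISS_POLICY: BucketPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Deny',
    Principal: '*',
    Action: 's3:GetObject',
    Resource: `${BUCKET_ARN}/*`,
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  }],
};

console.log('compliant policy:', evaluateSslRequestsOnly(COMPLIANT_POLICY, BUCKET_ARN));
console.log('near-miss policy:', evaluateSslRequestsOnly(NEAR_MISS_POLICY, BUCKET_ARN));
```

Running this against a policy pulled with `aws s3api get-bucket-policy` before a deployment tells you whether the managed rule will flag the bucket; the near-miss case is the shape that most often slips through review because it does contain an aws:SecureTransport deny.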


static S3_BUCKET_VERSIONING_ENABLED

Type: string

Checks whether versioning is enabled for your S3 buckets.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-versioning-enabled.html


static S3_DEFAULT_ENCRYPTION_KMS

Type: string

Checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-default-encryption-kms.html


static S3_EVENT_NOTIFICATIONS_ENABLED

Type: string

Checks if Amazon S3 Event Notifications are enabled on an S3 bucket.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-event-notifications-enabled.html


static S3_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3).

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-last-backup-recovery-point-created.html


static S3_LIFECYCLE_POLICY_CHECK

Type: string

Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-lifecycle-policy-check.html


static S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-resources-protected-by-backup-plan.html


static S3_VERSION_LIFECYCLE_POLICY_CHECK

Type: string

Checks if Amazon Simple Storage Service (Amazon S3) buckets with versioning enabled have a lifecycle policy configured.

See also: https://docs.aws.amazon.com/config/latest/developerguide/s3-version-lifecycle-policy-check.html


static SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED

Type: string

Checks whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration.

See also: https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-configuration-kms-key-configured.html


static SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED

Type: string

Checks whether an AWS Key Management Service (KMS) key is configured for an Amazon SageMaker notebook instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html


static SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

Type: string

Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance.

See also: https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html


static SECRETSMANAGER_ROTATION_ENABLED_CHECK

Type: string

Checks whether an AWS Secrets Manager secret has rotation enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html


static SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK

Type: string

Checks whether an AWS Secrets Manager secret has been rotated successfully according to its rotation schedule.

See also: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-scheduled-rotation-success-check.html


static SECRETSMANAGER_SECRET_PERIODIC_ROTATION

Type: string

Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days.

See also: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-periodic-rotation.html


static SECRETSMANAGER_SECRET_UNUSED

Type: string

Checks if AWS Secrets Manager secrets have been accessed within a specified number of days.

See also: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-unused.html


static SECRETSMANAGER_USING_CMK

Type: string

Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is COMPLIANT only for secrets encrypted with a customer managed key; secrets encrypted with aws/secretsmanager are NON_COMPLIANT.

See also: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html


static SECURITYHUB_ENABLED

Type: string

Checks that AWS Security Hub is enabled for an AWS account.

See also: https://docs.aws.amazon.com/config/latest/developerguide/securityhub-enabled.html


static SERVICE_VPC_ENDPOINT_ENABLED

Type: string

Checks whether a VPC endpoint for the service named in the serviceName rule parameter exists in each Amazon VPC.

See also: https://docs.aws.amazon.com/config/latest/developerguide/service-vpc-endpoint-enabled.html


static SHIELD_ADVANCED_ENABLED_AUTO_RENEW

Type: string

Checks if AWS Shield Advanced is enabled in your AWS account and the subscription is set to automatically renew.

See also: https://docs.aws.amazon.com/config/latest/developerguide/shield-advanced-enabled-autorenew.html


static SHIELD_DRT_ACCESS

Type: string

Checks whether the AWS Shield Response Team (SRT, formerly the DDoS Response Team, DRT) has been granted access to your AWS account.

See also: https://docs.aws.amazon.com/config/latest/developerguide/shield-drt-access.html


static SNS_ENCRYPTED_KMS

Type: string

Checks whether an Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS).

See also: https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html


static SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED

Type: string

Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints.

See also: https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-message-delivery-notification-enabled.html


static SSM_DOCUMENT_NOT_PUBLIC

Type: string

Checks if AWS Systems Manager documents owned by the account are public.

See also: https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-not-public.html


static STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for AWS Storage Gateway volumes.

See also: https://docs.aws.amazon.com/config/latest/developerguide/storagegateway-last-backup-recovery-point-created.html


static SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED

Type: string

Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are configured to automatically assign public IP addresses; subnets with auto-assign enabled are NON_COMPLIANT.

See also: https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html


static VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED

Type: string

Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines.

See also: https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-last-backup-recovery-point-created.html


static VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Type: string

Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan.

See also: https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-resources-protected-by-backup-plan.html


static VPC_DEFAULT_SECURITY_GROUP_CLOSED

Type: string

Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.

The rule returns NOT_APPLICABLE if the security group is not default.

See also: https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html


static VPC_FLOW_LOGS_ENABLED

Type: string

Checks whether VPC Flow Logs exist and are enabled for each Amazon Virtual Private Cloud (Amazon VPC).

See also: https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html


static VPC_NETWORK_ACL_UNUSED_CHECK

Type: string

Checks if there are unused network access control lists (network ACLs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/vpc-network-acl-unused-check.html


static VPC_PEERING_DNS_RESOLUTION_CHECK

Type: string

Checks if DNS resolution from accepter/requester VPC to private IP is enabled.

See also: https://docs.aws.amazon.com/config/latest/developerguide/vpc-peering-dns-resolution-check.html


static VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

Type: string

Checks whether any security group in an Amazon Virtual Private Cloud (Amazon VPC) that allows inbound traffic from 0.0.0.0/0 permits only the specific TCP or UDP ports you authorize in the rule parameters.

See also: https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html
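The following is an added example, not code from the CDK or from AWS Config: a local approximation of what VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS evaluates, run over a constructed security-group snapshot shaped like the output of `aws ec2 describe-security-groups`. It takes the same parameter values you would pass as `inputParameters` to the CDK ManagedRule and shows how port ranges, the all-traffic protocol and partially covered ranges come out. Several details are assumptions rather than facts from this page: the "443,1020-1025" parameter format (comma-separated, dash for ranges), that IpProtocol "-1" exposes every port, that "::/0" is treated like "0.0.0.0/0", and that world-open non-TCP/UDP rules are flagged too. The security groups are made up.

```typescript
// Added example, not CDK or AWS Config code: local approximation of the check behind
// VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS. Parameter format, "-1" handling, "::/0" handling
// and the treatment of non-TCP/UDP protocols are assumptions, not AWS Config's implementation.

interface IpPermission {
  IpProtocol: string;                 // "tcp", "udp", "icmp" or "-1" (all traffic)
  FromPort?: number;                  // absent when IpProtocol is "-1"
  ToPort?: number;
  IpRanges: { CidrIp: string }[];
  Ipv6Ranges?: { CidrIpv6: string }[];
}
interface SecurityGroup { GroupId: string; IpPermissions: IpPermission[] }
interface PortRange { from: number; to: number }
export interface AuthorizedPorts { authorizedTcpPorts?: string; authorizedUdpPorts?: string }
export type Compliance = 'COMPLIANT' | 'NON_COMPLIANT';
export interface Evaluation { compliance: Compliance; findings: string[] }

function isPort(n: number): boolean { return !isNaN(n) && Math.floor(n) === n && n >= 0 && n <= 65535; }

// Parse "443,1020-1025" into [{from: 443, to: 443}, {from: 1020, to: 1025}].
export function parseAuthorizedPorts(spec: string): PortRange[] {
  if (spec.trim() === '') return [];
  return spec.split(',').map((part) => {
    const bounds = part.trim().split('-');
    const from = Number(bounds[0]);
    const to = bounds.length > 1 ? Number(bounds[1]) : from;
    if (!isPort(from) || !isPort(to) || from > to) throw new Error(`invalid port spec: ${part}`);
    return { from, to };
  });
}

function isWorldOpen(p: IpPermission): boolean {
  return p.IpRanges.some((r) => r.CidrIp === '0.0.0.0/0')
    || (p.Ipv6Ranges ?? []).some((r) => r.CidrIpv6 === '::/0');
}

// True when every port in [from, to] lies inside some authorized range.
function rangeCovered(from: number, to: number, allowed: PortRange[]): boolean {
  let next = from; // lowest port not yet proven covered
  for (const r of [...allowed].sort((a, b) => a.from - b.from)) {
    if (r.to < next) continue;        // this range ends before the port we are checking
    if (r.from > next) return false;  // hole between `next` and this range
    next = r.to + 1;
    if (next > to) return true;
  }
  return next > to;
}

export function evaluateSecurityGroup(sg: SecurityGroup, params: AuthorizedPorts): Evaluation {
  const tcp = parseAuthorizedPorts(params.authorizedTcpPorts ?? '');
  const udp = parseAuthorizedPorts(params.authorizedUdpPorts ?? '');
  const findings: string[] = [];
  for (const p of sg.IpPermissions) {
    if (!isWorldOpen(p)) continue;    // rules not reachable from the world are out of scope
    const from = p.FromPort ?? 0;     // missing ports mean the whole range
    const to = p.ToPort ?? 65535;
    if (p.IpProtocol === '-1') {
      findings.push('all protocols and ports open to the world');
    } else if (p.IpProtocol === 'tcp' || p.IpProtocol === 'udp') {
      const allowed = p.IpProtocol === 'tcp' ? tcp : udp;
      if (!rangeCovered(from, to, allowed)) findings.push(`${p.IpProtocol} ${from}-${to} open to the world but not authorized`);
    } else {
      findings.push(`${p.IpProtocol} open to the world`); // assumption: icmp etc. are flagged
    }
  }
  return { compliance: findings.length === 0 ? 'COMPLIANT' : 'NON_COMPLIANT', findings };
}

export function evaluateAll(groups: SecurityGroup[], params: AuthorizedPorts): Record<string, Evaluation> {
  const out: Record<string, Evaluation> = {};
  for (const g of groups) out[g.GroupId] = evaluateSecurityGroup(g, params);
  return out;
}

// Constructed sample: a web tier that exposes only 443 to the world, and a bastion that
// leaks SSH to the world and every UDP port to the IPv6 internet.
export const SAMPLE_GROUPS: SecurityGroup[] = [
  { GroupId: 'sg-web', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
    { IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432, IpRanges: [{ CidrIp: '10.0.0.0/8' }] },
  ] },
  { GroupId: 'sg-bastion', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
    { IpProtocol: 'udp', FromPort: 0, ToPort: 65535, IpRanges: [], Ipv6Ranges: [{ CidrIpv6: '::/0' }] },
  ] },
];

const report = evaluateAll(SAMPLE_GROUPS, { authorizedTcpPorts: '443,1020-1025' });
for (const id in report) console.log(id, report[id].compliance, report[id].findings.join('; '));
```

The coverage check is the part worth keeping: a rule that opens 1020-1030 against an authorized list of 1020-1025 is not authorized, even though it overlaps an allowed range, and that is the case people most often expect to pass.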


static VPC_VPN_2_TUNNELS_UP

Type: string

Checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status.

See also: https://docs.aws.amazon.com/config/latest/developerguide/vpc-vpn-2-tunnels-up.html


static WAFV2_LOGGING_ENABLED

Type: string

Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control lists (web ACLs).

See also: https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html


static WAF_CLASSIC_LOGGING_ENABLED

Type: string

Checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-classic-logging-enabled.html


static WAF_GLOBAL_RULEGROUP_NOT_EMPTY

Type: string

Checks if an AWS WAF Classic rule group contains any rules.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rulegroup-not-empty.html


static WAF_GLOBAL_RULE_NOT_EMPTY

Type: string

Checks if an AWS WAF global rule contains any conditions.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rule-not-empty.html


static WAF_GLOBAL_WEBACL_NOT_EMPTY

Type: string

Checks whether a WAF Global Web ACL contains any WAF rules or rule groups.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-global-webacl-not-empty.html


static WAF_REGIONAL_RULEGROUP_NOT_EMPTY

Type: string

Checks if WAF Regional rule groups contain any rules.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rulegroup-not-empty.html


static WAF_REGIONAL_RULE_NOT_EMPTY

Type: string

Checks whether a WAF Regional rule contains any conditions.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rule-not-empty.html


static WAF_REGIONAL_WEBACL_NOT_EMPTY

Type: string

Checks if a WAF regional Web ACL contains any WAF rules or rule groups.

See also: https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-webacl-not-empty.html