Package software.amazon.awscdk.services.config

Class ManagedRuleIdentifiers

java.lang.Object

software.amazon.jsii.JsiiObject

software.amazon.awscdk.services.config.ManagedRuleIdentifiers

All Implemented Interfaces:

software.amazon.jsii.JsiiSerializable

@Generated(value="jsii-pacmak/1.104.0 (build e79254c)",
           date="2024-11-06T23:25:06.532Z")
@Stability(Stable)
public class ManagedRuleIdentifiers
extends software.amazon.jsii.JsiiObject

Managed rules that are supported by AWS Config.

Example:

 Function fn;
 String samplePolicyText;
 ManagedRule.Builder.create(this, "ManagedRule")
         .identifier(ManagedRuleIdentifiers.API_GW_XRAY_ENABLED)
         .evaluationModes(EvaluationMode.DETECTIVE_AND_PROACTIVE)
         .build();
 CustomRule.Builder.create(this, "CustomRule")
         .lambdaFunction(fn)
         .evaluationModes(EvaluationMode.PROACTIVE)
         .build();
 CustomPolicy.Builder.create(this, "CustomPolicy")
         .policyText(samplePolicyText)
         .evaluationModes(EvaluationMode.DETECTIVE)
         .build();
 

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

Nested Class Summary

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ACCESS_KEYS_ROTATED	Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge.
static final String	ACCOUNT_PART_OF_ORGANIZATIONS	Checks whether AWS account is part of AWS Organizations.
static final String	ACM_CERTIFICATE_EXPIRATION_CHECK	Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.
static final String	ALB_DESYNC_MODE_CHECK	Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode.
static final String	ALB_HTTP_DROP_INVALID_HEADER_ENABLED	Checks if rule evaluates Application Load Balancers (ALBs) to ensure they are configured to drop http headers.
static final String	ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK	Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer.
static final String	ALB_WAF_ENABLED	Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs).
static final String	API_GW_ASSOCIATED_WITH_WAF	Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL.
static final String	API_GW_CACHE_ENABLED_AND_ENCRYPTED	Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted.
static final String	API_GW_ENDPOINT_TYPE_CHECK	Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType.
static final String	API_GW_EXECUTION_LOGGING_ENABLED	Checks that all methods in Amazon API Gateway stage has logging enabled.
static final String	API_GW_SSL_ENABLED	Checks if a REST API stage uses an Secure Sockets Layer (SSL) certificate.
static final String	API_GW_XRAY_ENABLED	Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs.
static final String	API_GWV2_ACCESS_LOGS_ENABLED	Checks if Amazon API Gateway V2 stages have access logging enabled.
static final String	API_GWV2_AUTHORIZATION_TYPE_CONFIGURED	Checks if Amazon API Gatewayv2 API routes have an authorization type set.
static final String	APPROVED_AMIS_BY_ID	Checks whether running instances are using specified AMIs.
static final String	APPROVED_AMIS_BY_TAG	Checks whether running instances are using specified AMIs.
static final String	AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon Aurora DB clusters.
static final String	AURORA_MYSQL_BACKTRACKING_ENABLED	Checks if an Amazon Aurora MySQL cluster has backtracking enabled.
static final String	AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon Aurora DB clusters are protected by a backup plan.
static final String	AUTOSCALING_CAPACITY_REBALANCING	Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.
static final String	AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED	Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
static final String	AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT	Checks the number of network hops that the metadata token can travel.
static final String	AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED	Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations.
static final String	AUTOSCALING_LAUNCH_TEMPLATE	Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template.
static final String	AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2	Checks whether only IMDSv2 is enabled.
static final String	AUTOSCALING_MULTIPLE_AZ	Checks if the Auto Scaling group spans multiple Availability Zones.
static final String	AUTOSCALING_MULTIPLE_INSTANCE_TYPES	Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types.
static final String	BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK	Checks if a backup plan has a backup rule that satisfies the required frequency and retention period.
static final String	BACKUP_RECOVERY_POINT_ENCRYPTED	Checks if a recovery point is encrypted.
static final String	BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED	Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points.
static final String	BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK	Checks if a recovery point expires no earlier than after the specified period.
static final String	BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED	Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.
static final String	CLB_DESYNC_MODE_CHECK	Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode.
static final String	CLB_MULTIPLE_AZ	Checks if a Classic Load Balancer spans multiple Availability Zones (AZs).
static final String	CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED	Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.
static final String	CLOUD_TRAIL_ENABLED	Checks whether AWS CloudTrail is enabled in your AWS account.
static final String	CLOUD_TRAIL_ENCRYPTION_ENABLED	Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.
static final String	CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED	Checks whether AWS CloudTrail creates a signed digest file with logs.
static final String	CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK	Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from it's expected configuration.
static final String	CLOUDFORMATION_STACK_NOTIFICATION_CHECK	Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.
static final String	CLOUDFRONT_ACCESSLOGS_ENABLED	Checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs.
static final String	CLOUDFRONT_ASSOCIATED_WITH_WAF	Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs).
static final String	CLOUDFRONT_CUSTOM_SSL_CERTIFICATE	Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate.
static final String	CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED	Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object.
static final String	CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS	Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins.
static final String	CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED	Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.
static final String	CLOUDFRONT_ORIGIN_FAILOVER_ENABLED	Checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront.
static final String	CLOUDFRONT_SECURITY_POLICY_CHECK	Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections.
static final String	CLOUDFRONT_SNI_ENABLED	Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests.
static final String	CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED	Checks if Amazon CloudFront distributions are encrypting traffic to custom origins.
static final String	CLOUDFRONT_VIEWER_POLICY_HTTPS	Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection).
static final String	CLOUDTRAIL_MULTI_REGION_ENABLED	Checks that there is at least one multi-region AWS CloudTrail.
static final String	CLOUDTRAIL_S3_DATAEVENTS_ENABLED	Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.
static final String	CLOUDTRAIL_SECURITY_TRAIL_ENABLED	Checks that there is at least one AWS CloudTrail trail defined with security best practices.
static final String	CLOUDWATCH_ALARM_ACTION_CHECK	Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.
static final String	CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK	Checks if Amazon CloudWatch alarms actions are in enabled state.
static final String	CLOUDWATCH_ALARM_RESOURCE_CHECK	Checks whether the specified resource type has a CloudWatch alarm for the specified metric.
static final String	CLOUDWATCH_ALARM_SETTINGS_CHECK	Checks whether CloudWatch alarms with the given metric name have the specified settings.
static final String	CLOUDWATCH_LOG_GROUP_ENCRYPTED	Checks whether a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).
static final String	CMK_BACKING_KEY_ROTATION_ENABLED	Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK).
static final String	CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION	Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts.
static final String	CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK	Checks if an AWS CodeBuild project environment has privileged mode enabled.
static final String	CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK	Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
static final String	CODEBUILD_PROJECT_LOGGING_ENABLED	Checks if an AWS CodeBuild project environment has at least one log option enabled.
static final String	CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED	Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs.
static final String	CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK	Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.
static final String	CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED	Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached.
static final String	CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED	Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold.
static final String	CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED	Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration.
static final String	CODEPIPELINE_DEPLOYMENT_COUNT_CHECK	Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment.
static final String	CODEPIPELINE_REGION_FANOUT_CHECK	Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number.
static final String	CW_LOGGROUP_RETENTION_PERIOD_CHECK	Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days.
static final String	DAX_ENCRYPTION_ENABLED	Checks that DynamoDB Accelerator (DAX) clusters are encrypted.
static final String	DMS_REPLICATION_NOT_PUBLIC	Checks whether AWS Database Migration Service replication instances are public.
static final String	DYNAMODB_AUTOSCALING_ENABLED	Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.
static final String	DYNAMODB_IN_BACKUP_PLAN	Checks whether Amazon DynamoDB table is present in AWS Backup plans.
static final String	DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period.
static final String	DYNAMODB_PITR_ENABLED	Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables.
static final String	DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon DynamoDB tables are protected by a backup plan.
static final String	DYNAMODB_TABLE_ENCRYPTED_KMS	Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).
static final String	DYNAMODB_TABLE_ENCRYPTION_ENABLED	Checks whether the Amazon DynamoDB tables are encrypted and checks their status.
static final String	DYNAMODB_THROUGHPUT_LIMIT_CHECK	Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account.
static final String	EBS_ENCRYPTED_VOLUMES	Checks whether the EBS volumes that are in an attached state are encrypted.
static final String	EBS_IN_BACKUP_PLAN	Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup.
static final String	EBS_OPTIMIZED_INSTANCE	Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
static final String	EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan.
static final String	EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK	Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
static final String	EC2_DESIRED_INSTANCE_TENANCY	Checks instances for specified tenancy.
static final String	EC2_DESIRED_INSTANCE_TYPE	Checks whether your EC2 instances are of the specified instance types.
static final String	EC2_EBS_ENCRYPTION_BY_DEFAULT	Check that Amazon Elastic Block Store (EBS) encryption is enabled by default.
static final String	EC2_IMDSV2_CHECK	Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).
static final String	EC2_INSTANCE_DETAILED_MONITORING_ENABLED	Checks whether detailed monitoring is enabled for EC2 instances.
static final String	EC2_INSTANCE_MANAGED_BY_SSM	Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
static final String	EC2_INSTANCE_MULTIPLE_ENI_CHECK	Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs).
static final String	EC2_INSTANCE_NO_PUBLIC_IP	Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association.
static final String	EC2_INSTANCE_PROFILE_ATTACHED	Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it.
static final String	EC2_INSTANCES_IN_VPC	Checks whether your EC2 instances belong to a virtual private cloud (VPC).
static final String	EC2_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances.
static final String	EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED	Checks that none of the specified applications are installed on the instance.
static final String	EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED	Checks whether all of the specified applications are installed on the instance.
static final String	EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK	Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance.
static final String	EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED	Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types.
static final String	EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK	Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
static final String	EC2_MANAGED_INSTANCE_PLATFORM_CHECK	Checks whether EC2 managed instances have the desired configurations.
static final String	EC2_NO_AMAZON_KEY_PAIR	Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs.
static final String	EC2_PARAVIRTUAL_INSTANCE_CHECK	Checks if the virtualization type of an EC2 instance is paravirtual.
static final String	EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan.
static final String	EC2_SECURITY_GROUP_ATTACHED_TO_ENI	Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface.
static final String	EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC	Checks if non-default security groups are attached to Elastic network interfaces (ENIs).
static final String	EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED	Checks whether the incoming SSH traffic for the security groups is accessible.
static final String	EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC	Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.
static final String	EC2_STOPPED_INSTANCE	Checks whether there are instances stopped for more than the allowed number of days.
static final String	EC2_TOKEN_HOP_LIMIT_CHECK	Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit.
static final String	EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED	Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled.
static final String	EC2_VOLUME_IECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECKNUSE_CHECK	Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions.
static final String	EC2_VOLUME_INUSE_CHECK	Checks whether EBS volumes are attached to EC2 instances.
static final String	ECR_PRIVATE_IMAGE_SCANNING_ENABLED	Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled.
static final String	ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED	Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured.
static final String	ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED	Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled.
static final String	ECS_AWSVPC_NETWORKING_ENABLED	Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’.
static final String	ECS_CONTAINER_INSIGHTS_ENABLED	Checks if Amazon Elastic Container Service clusters have container insights enabled.
static final String	ECS_CONTAINERS_NONPRIVILEGED	Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’.
static final String	ECS_CONTAINERS_READONLY_ACCESS	Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to its root filesystems.
static final String	ECS_FARGATE_LATEST_PLATFORM_VERSION	Checks if Amazon Elastic Container Service (ECS) Fargate Services is running on the latest Fargate platform version.
static final String	ECS_NO_ENVIRONMENT_SECRETS	Checks if secrets are passed as container environment variables.
static final String	ECS_TASK_DEFINITION_LOG_CONFIGURATION	Checks if logConfiguration is set on active ECS Task Definitions.
static final String	ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT	Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for its container definitions.
static final String	ECS_TASK_DEFINITION_NONROOT_USER	Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on.
static final String	ECS_TASK_DEFINITION_PID_MODE_CHECK	Checks if ECSTaskDefinitions are configured to share a host’s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers.
static final String	EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY	Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory.
static final String	EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY	Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity.
static final String	EFS_ENCRYPTED_CHECK	hecks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS).
static final String	EFS_IN_BACKUP_PLAN	Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup.
static final String	EFS_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems.
static final String	EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan.
static final String	EIP_ATTACHED	Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).
static final String	EKS_CLUSTER_OLDEST_SUPPORTED_VERSION	Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.
static final String	EKS_CLUSTER_SUPPORTED_VERSION	Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.
static final String	EKS_ENDPOINT_NO_PUBLIC_ACCESS	Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
static final String	EKS_SECRETS_ENCRYPTED	Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.
static final String	ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED	Checks if managed platform updates in an AWS Elastic Beanstalk environment is enabled.
static final String	ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK	Check if the Amazon ElastiCache Redis clusters have automatic backup turned on.
static final String	ELASTICSEARCH_ENCRYPTED_AT_REST	Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled.
static final String	ELASTICSEARCH_IN_VPC_ONLY	Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).
static final String	ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK	Check that Amazon ElasticSearch Service nodes are encrypted end to end.
static final String	ELB_ACM_CERTIFICATE_REQUIRED	Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.
static final String	ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED	Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs).
static final String	ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK	Checks whether your Classic Load Balancer SSL listeners are using a custom policy.
static final String	ELB_DELETION_PROTECTION_ENABLED	Checks whether Elastic Load Balancing has deletion protection enabled.
static final String	ELB_LOGGING_ENABLED	Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled.
static final String	ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK	Checks whether your Classic Load Balancer SSL listeners are using a predefined policy.
static final String	ELB_TLS_HTTPS_LISTENERS_ONLY	Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners.
static final String	ELBV2_ACM_CERTIFICATE_REQUIRED	Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM).
static final String	ELBV2_MULTIPLE_AZ	Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZ's).
static final String	EMR_KERBEROS_ENABLED	Checks that Amazon EMR clusters have Kerberos enabled.
static final String	EMR_MASTER_NO_PUBLIC_IP	Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs.
static final String	FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK	Deprecated. Inactive managed rule
static final String	FMS_SECURITY_GROUP_CONTENT_CHECK	Deprecated. Inactive managed rule
static final String	FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK	Deprecated. Inactive managed rule
static final String	FMS_SHIELD_RESOURCE_POLICY_CHECK	Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection.
static final String	FMS_WEBACL_RESOURCE_POLICY_CHECK	Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions.
static final String	FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK	Checks that the rule groups associate with the web ACL at the correct priority.
static final String	FSX_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon FSx File Systems.
static final String	FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon FSx File Systems are protected by a backup plan.
static final String	GUARDDUTY_ENABLED_CENTRALIZED	Checks whether Amazon GuardDuty is enabled in your AWS account and region.
static final String	GUARDDUTY_NON_ARCHIVED_FINDINGS	Checks whether the Amazon GuardDuty has findings that are non archived.
static final String	IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS	Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on all AWS AWS KMS keys.
static final String	IAM_GROUP_HAS_USERS_CHECK	Checks whether IAM groups have at least one IAM user.
static final String	IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS	Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not allow blocked actions on all AWS Key Management Service keys.
static final String	IAM_NO_INLINE_POLICY_CHECK	Checks that inline policy feature is not in use.
static final String	IAM_PASSWORD_POLICY	Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters.
static final String	IAM_POLICY_BLOCKED_CHECK	Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource.
static final String	IAM_POLICY_IN_USE	Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM role with one or more trusted entity.
static final String	IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS	Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
static final String	IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS	Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources.
static final String	IAM_ROLE_MANAGED_POLICY_CHECK	Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.
static final String	IAM_ROOT_ACCESS_KEY_CHECK	Checks whether the root user access key is available.
static final String	IAM_USER_GROUP_MEMBERSHIP_CHECK	Checks whether IAM users are members of at least one IAM group.
static final String	IAM_USER_MFA_ENABLED	Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
static final String	IAM_USER_NO_POLICIES_CHECK	Checks that none of your IAM users have policies attached.
static final String	IAM_USER_UNUSED_CREDENTIALS_CHECK	Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.
static final String	INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY	Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs).
static final String	KINESIS_STREAM_ENCRYPTED	Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption.
static final String	KMS_CMK_NOT_SCHEDULED_FOR_DELETION	Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS).
static final String	LAMBDA_CONCURRENCY_CHECK	Checks whether the AWS Lambda function is configured with function-level concurrent execution limit.
static final String	LAMBDA_DLQ_CHECK	Checks whether an AWS Lambda function is configured with a dead-letter queue.
static final String	LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED	Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.
static final String	LAMBDA_FUNCTION_SETTINGS_CHECK	Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.
static final String	LAMBDA_INSIDE_VPC	Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud.
static final String	LAMBDA_VPC_MULTI_AZ_CHECK	Checks if Lambda has more than 1 availability zone associated.
static final String	MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS	Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password.
static final String	NACL_NO_UNRESTRICTED_SSH_RDP	Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted.
static final String	NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS	Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets.
static final String	NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS	Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets.
static final String	NETFW_POLICY_RULE_GROUP_ASSOCIATED	Check AWS Network Firewall policy is associated with stateful OR stateless rule groups.
static final String	NETFW_STATELESS_RULE_GROUP_NOT_EMPTY	Checks if a Stateless Network Firewall Rule Group contains rules.
static final String	NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED	Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs).
static final String	OPENSEARCH_ACCESS_CONTROL_ENABLED	Checks if Amazon OpenSearch Service domains have fine-grained access control enabled.
static final String	OPENSEARCH_AUDIT_LOGGING_ENABLED	Checks if Amazon OpenSearch Service domains have audit logging enabled.
static final String	OPENSEARCH_DATA_NODE_FAULT_TOLERANCE	Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
static final String	OPENSEARCH_ENCRYPTED_AT_REST	Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled.
static final String	OPENSEARCH_HTTPS_REQUIRED	Checks whether connections to OpenSearch domains are using HTTPS.
static final String	OPENSEARCH_IN_VPC_ONLY	Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).
static final String	OPENSEARCH_LOGS_TO_CLOUDWATCH	Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs.
static final String	OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK	Check if Amazon OpenSearch Service nodes are encrypted end to end.
static final String	RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED	Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades.
static final String	RDS_CLUSTER_DEFAULT_ADMIN_CHECK	Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value.
static final String	RDS_CLUSTER_DELETION_PROTECTION_ENABLED	Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled.
static final String	RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED	Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled.
static final String	RDS_CLUSTER_MULTI_AZ_ENABLED	Checks if Multi-AZ replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS).
static final String	RDS_DB_INSTANCE_BACKUP_ENABLED	Checks whether RDS DB instances have backups enabled.
static final String	RDS_DB_SECURITY_GROUP_NOT_ALLOWED	Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group.
static final String	RDS_ENHANCED_MONITORING_ENABLED	Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.
static final String	RDS_IN_BACKUP_PLAN	Checks whether Amazon RDS database is present in back plans of AWS Backup.
static final String	RDS_INSTANCE_DEFAULT_ADMIN_CHECK	Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value.
static final String	RDS_INSTANCE_DELETION_PROTECTION_ENABLED	Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled.
static final String	RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED	Checks if an Amazon RDS instance has AWS Identity and Access Management (IAM) authentication enabled.
static final String	RDS_INSTANCE_PUBLIC_ACCESS_CHECK	Check whether the Amazon Relational Database Service instances are not publicly accessible.
static final String	RDS_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS).
static final String	RDS_LOGGING_ENABLED	Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled.
static final String	RDS_MULTI_AZ_SUPPORT	Checks whether high availability is enabled for your RDS DB instances.
static final String	RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan.
static final String	RDS_SNAPSHOT_ENCRYPTED	Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.
static final String	RDS_SNAPSHOTS_PUBLIC_PROHIBITED	Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
static final String	RDS_STORAGE_ENCRYPTED	Checks whether storage encryption is enabled for your RDS DB instances.
static final String	REDSHIFT_AUDIT_LOGGING_ENABLED	Checks if Amazon Redshift clusters are logging audits to a specific bucket.
static final String	REDSHIFT_BACKUP_ENABLED	Checks that Amazon Redshift automated snapshots are enabled for clusters.
static final String	REDSHIFT_CLUSTER_CONFIGURATION_CHECK	Checks whether Amazon Redshift clusters have the specified settings.
static final String	REDSHIFT_CLUSTER_KMS_ENABLED	Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption.
static final String	REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK	Checks whether Amazon Redshift clusters have the specified maintenance settings.
static final String	REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK	Checks whether Amazon Redshift clusters are not publicly accessible.
static final String	REDSHIFT_DEFAULT_ADMIN_CHECK	Checks if an Amazon Redshift cluster has changed the admin username from its default value.
static final String	REDSHIFT_DEFAULT_DB_NAME_CHECK	Checks if a Redshift cluster has changed its database name from the default value.
static final String	REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED	Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled.
static final String	REDSHIFT_REQUIRE_TLS_SSL	Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients.
static final String	REQUIRED_TAGS	Checks whether your resources have the tags that you specify.
static final String	ROOT_ACCOUNT_HARDWARE_MFA_ENABLED	Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials.
static final String	ROOT_ACCOUNT_MFA_ENABLED	Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.
static final String	S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS	Checks whether the required public access block settings are configured from account level.
static final String	S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC	Checks if the required public access block settings are configured from account level.
static final String	S3_BUCKET_ACL_PROHIBITED	Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs).
static final String	S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED	Checks if the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.
static final String	S3_BUCKET_DEFAULT_LOCK_ENABLED	Checks whether Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.
static final String	S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED	Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible.
static final String	S3_BUCKET_LOGGING_ENABLED	Checks whether logging is enabled for your S3 buckets.
static final String	S3_BUCKET_POLICY_GRANTEE_CHECK	Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide.
static final String	S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE	Checks if your Amazon Simple Storage Service bucket policies do not allow other inter-account permissions than the control Amazon S3 bucket policy that you provide.
static final String	S3_BUCKET_PUBLIC_READ_PROHIBITED	Checks if your Amazon S3 buckets do not allow public read access.
static final String	S3_BUCKET_PUBLIC_WRITE_PROHIBITED	Checks that your Amazon S3 buckets do not allow public write access.
static final String	S3_BUCKET_REPLICATION_ENABLED	Checks whether S3 buckets have cross-region replication enabled.
static final String	S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED	Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.
static final String	S3_BUCKET_SSL_REQUESTS_ONLY	Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
static final String	S3_BUCKET_VERSIONING_ENABLED	Checks whether versioning is enabled for your S3 buckets.
static final String	S3_DEFAULT_ENCRYPTION_KMS	Checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS).
static final String	S3_EVENT_NOTIFICATIONS_ENABLED	Checks if Amazon S3 Events Notifications are enabled on an S3 bucket.
static final String	S3_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3).
static final String	S3_LIFECYCLE_POLICY_CHECK	Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket.
static final String	S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan.
static final String	S3_VERSION_LIFECYCLE_POLICY_CHECK	Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured.
static final String	SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED	Checks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration.
static final String	SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED	Check whether an AWS Key Management Service (KMS) key is configured for SageMaker notebook instance.
static final String	SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS	Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance.
static final String	SECRETSMANAGER_ROTATION_ENABLED_CHECK	Checks whether AWS Secrets Manager secret has rotation enabled.
static final String	SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK	Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule.
static final String	SECRETSMANAGER_SECRET_PERIODIC_ROTATION	Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days.
static final String	SECRETSMANAGER_SECRET_UNUSED	Checks if AWS Secrets Manager secrets have been accessed within a specified number of days.
static final String	SECRETSMANAGER_USING_CMK	Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS).
static final String	SECURITYHUB_ENABLED	Checks that AWS Security Hub is enabled for an AWS account.
static final String	SERVICE_VPC_ENDPOINT_ENABLED	Checks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC.
static final String	SHIELD_ADVANCED_ENABLED_AUTO_RENEW	Checks whether EBS volumes are attached to EC2 instances.
static final String	SHIELD_DRT_ACCESS	Verify that DDoS response team (DRT) can access AWS account.
static final String	SNS_ENCRYPTED_KMS	Checks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS).
static final String	SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED	Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints.
static final String	SSM_DOCUMENT_NOT_PUBLIC	Checks if AWS Systems Manager documents owned by the account are public.
static final String	STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for AWS Storage Gateway volumes.
static final String	SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED	hecks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address.
static final String	VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED	Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines.
static final String	VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN	Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan.
static final String	VPC_DEFAULT_SECURITY_GROUP_CLOSED	Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
static final String	VPC_FLOW_LOGS_ENABLED	Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.
static final String	VPC_NETWORK_ACL_UNUSED_CHECK	Checks if there are unused network access control lists (network ACLs).
static final String	VPC_PEERING_DNS_RESOLUTION_CHECK	Checks if DNS resolution from accepter/requester VPC to private IP is enabled.
static final String	VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS	Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic.
static final String	VPC_VPN_2_TUNNELS_UP	Checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status.
static final String	WAF_CLASSIC_LOGGING_ENABLED	Checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs.
static final String	WAF_GLOBAL_RULE_NOT_EMPTY	Checks if an AWS WAF global rule contains any conditions.
static final String	WAF_GLOBAL_RULEGROUP_NOT_EMPTY	Checks if an AWS WAF Classic rule group contains any rules.
static final String	WAF_GLOBAL_WEBACL_NOT_EMPTY	Checks whether a WAF Global Web ACL contains any WAF rules or rule groups.
static final String	WAF_REGIONAL_RULE_NOT_EMPTY	Checks whether WAF regional rule contains conditions.
static final String	WAF_REGIONAL_RULEGROUP_NOT_EMPTY	Checks if WAF Regional rule groups contain any rules.
static final String	WAF_REGIONAL_WEBACL_NOT_EMPTY	Checks if a WAF regional Web ACL contains any WAF rules or rule groups.
static final String	WAFV2_LOGGING_ENABLED	Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs).

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	ManagedRuleIdentifiers(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	ManagedRuleIdentifiers(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Field Details

ACCESS_KEYS_ROTATED

@Stability(Stable)
public static final String ACCESS_KEYS_ROTATED

Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html

ACCOUNT_PART_OF_ORGANIZATIONS

@Stability(Stable)
public static final String ACCOUNT_PART_OF_ORGANIZATIONS

Checks whether AWS account is part of AWS Organizations.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/account-part-of-organizations.html

ACM_CERTIFICATE_EXPIRATION_CHECK

@Stability(Stable)
public static final String ACM_CERTIFICATE_EXPIRATION_CHECK

Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html

ALB_DESYNC_MODE_CHECK

@Stability(Stable)
public static final String ALB_DESYNC_MODE_CHECK

Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html

ALB_HTTP_DROP_INVALID_HEADER_ENABLED

@Stability(Stable)
public static final String ALB_HTTP_DROP_INVALID_HEADER_ENABLED

Checks if rule evaluates Application Load Balancers (ALBs) to ensure they are configured to drop http headers.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html

ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK

@Stability(Stable)
public static final String ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK

Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html

ALB_WAF_ENABLED

@Stability(Stable)
public static final String ALB_WAF_ENABLED

Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html

API_GW_ASSOCIATED_WITH_WAF

@Stability(Stable)
public static final String API_GW_ASSOCIATED_WITH_WAF

Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gw-associated-with-waf.html

API_GW_CACHE_ENABLED_AND_ENCRYPTED

@Stability(Stable)
public static final String API_GW_CACHE_ENABLED_AND_ENCRYPTED

Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html

API_GW_ENDPOINT_TYPE_CHECK

@Stability(Stable)
public static final String API_GW_ENDPOINT_TYPE_CHECK

Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gw-endpoint-type-check.html

API_GW_EXECUTION_LOGGING_ENABLED

@Stability(Stable)
public static final String API_GW_EXECUTION_LOGGING_ENABLED

Checks that all methods in Amazon API Gateway stage has logging enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html

API_GW_SSL_ENABLED

@Stability(Stable)
public static final String API_GW_SSL_ENABLED

Checks if a REST API stage uses an Secure Sockets Layer (SSL) certificate.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html

API_GW_XRAY_ENABLED

@Stability(Stable)
public static final String API_GW_XRAY_ENABLED

Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gw-xray-enabled.html

API_GWV2_ACCESS_LOGS_ENABLED

@Stability(Stable)
public static final String API_GWV2_ACCESS_LOGS_ENABLED

Checks if Amazon API Gateway V2 stages have access logging enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-access-logs-enabled.html

API_GWV2_AUTHORIZATION_TYPE_CONFIGURED

@Stability(Stable)
public static final String API_GWV2_AUTHORIZATION_TYPE_CONFIGURED

Checks if Amazon API Gatewayv2 API routes have an authorization type set.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-authorization-type-configured.html

APPROVED_AMIS_BY_ID

@Stability(Stable)
public static final String APPROVED_AMIS_BY_ID

Checks whether running instances are using specified AMIs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html

APPROVED_AMIS_BY_TAG

@Stability(Stable)
public static final String APPROVED_AMIS_BY_TAG

Checks whether running instances are using specified AMIs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-tag.html

AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon Aurora DB clusters.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/aurora-last-backup-recovery-point-created.html

AURORA_MYSQL_BACKTRACKING_ENABLED

@Stability(Stable)
public static final String AURORA_MYSQL_BACKTRACKING_ENABLED

Checks if an Amazon Aurora MySQL cluster has backtracking enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-backtracking-enabled.html

AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon Aurora DB clusters are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html

AUTOSCALING_CAPACITY_REBALANCING

@Stability(Stable)
public static final String AUTOSCALING_CAPACITY_REBALANCING

Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-capacity-rebalancing.html

AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED

@Stability(Stable)
public static final String AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED

Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html

AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT

@Stability(Stable)
public static final String AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT

Checks the number of network hops that the metadata token can travel.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-hop-limit.html

AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

@Stability(Stable)
public static final String AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html

AUTOSCALING_LAUNCH_TEMPLATE

@Stability(Stable)
public static final String AUTOSCALING_LAUNCH_TEMPLATE

Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-template.html

AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2

@Stability(Stable)
public static final String AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2

Checks whether only IMDSv2 is enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html

AUTOSCALING_MULTIPLE_AZ

@Stability(Stable)
public static final String AUTOSCALING_MULTIPLE_AZ

Checks if the Auto Scaling group spans multiple Availability Zones.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-az.html

AUTOSCALING_MULTIPLE_INSTANCE_TYPES

@Stability(Stable)
public static final String AUTOSCALING_MULTIPLE_INSTANCE_TYPES

Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-instance-types.html

BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK

@Stability(Stable)
public static final String BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK

Checks if a backup plan has a backup rule that satisfies the required frequency and retention period.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/backup-plan-min-frequency-and-min-retention-check.html

BACKUP_RECOVERY_POINT_ENCRYPTED

@Stability(Stable)
public static final String BACKUP_RECOVERY_POINT_ENCRYPTED

Checks if a recovery point is encrypted.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-encrypted.html

BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED

@Stability(Stable)
public static final String BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED

Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-manual-deletion-disabled.html

BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK

@Stability(Stable)
public static final String BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK

Checks if a recovery point expires no earlier than after the specified period.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-minimum-retention-check.html

BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED

@Stability(Stable)
public static final String BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED

Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html

CLB_DESYNC_MODE_CHECK

@Stability(Stable)
public static final String CLB_DESYNC_MODE_CHECK

Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html

CLB_MULTIPLE_AZ

@Stability(Stable)
public static final String CLB_MULTIPLE_AZ

Checks if a Classic Load Balancer spans multiple Availability Zones (AZs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/clb-multiple-az.html

CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED

@Stability(Stable)
public static final String CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED

Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html

CLOUD_TRAIL_ENABLED

@Stability(Stable)
public static final String CLOUD_TRAIL_ENABLED

Checks whether AWS CloudTrail is enabled in your AWS account.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html

CLOUD_TRAIL_ENCRYPTION_ENABLED

@Stability(Stable)
public static final String CLOUD_TRAIL_ENCRYPTION_ENABLED

Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html

CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

@Stability(Stable)
public static final String CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

Checks whether AWS CloudTrail creates a signed digest file with logs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html

CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

@Stability(Stable)
public static final String CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from it's expected configuration.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html

CLOUDFORMATION_STACK_NOTIFICATION_CHECK

@Stability(Stable)
public static final String CLOUDFORMATION_STACK_NOTIFICATION_CHECK

Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-notification-check.html

CLOUDFRONT_ACCESSLOGS_ENABLED

@Stability(Stable)
public static final String CLOUDFRONT_ACCESSLOGS_ENABLED

Checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html

CLOUDFRONT_ASSOCIATED_WITH_WAF

@Stability(Stable)
public static final String CLOUDFRONT_ASSOCIATED_WITH_WAF

Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-associated-with-waf.html

CLOUDFRONT_CUSTOM_SSL_CERTIFICATE

@Stability(Stable)
public static final String CLOUDFRONT_CUSTOM_SSL_CERTIFICATE

Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-custom-ssl-certificate.html

CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

@Stability(Stable)
public static final String CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-default-root-object-configured.html

CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

@Stability(Stable)
public static final String CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html

CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

@Stability(Stable)
public static final String CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-access-identity-enabled.html

CLOUDFRONT_ORIGIN_FAILOVER_ENABLED

@Stability(Stable)
public static final String CLOUDFRONT_ORIGIN_FAILOVER_ENABLED

Checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-failover-enabled.html

CLOUDFRONT_SECURITY_POLICY_CHECK

@Stability(Stable)
public static final String CLOUDFRONT_SECURITY_POLICY_CHECK

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-security-policy-check.html

CLOUDFRONT_SNI_ENABLED

@Stability(Stable)
public static final String CLOUDFRONT_SNI_ENABLED

Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-sni-enabled.html

CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED

@Stability(Stable)
public static final String CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED

Checks if Amazon CloudFront distributions are encrypting traffic to custom origins.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html

CLOUDFRONT_VIEWER_POLICY_HTTPS

@Stability(Stable)
public static final String CLOUDFRONT_VIEWER_POLICY_HTTPS

Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-viewer-policy-https.html

CLOUDTRAIL_MULTI_REGION_ENABLED

@Stability(Stable)
public static final String CLOUDTRAIL_MULTI_REGION_ENABLED

Checks that there is at least one multi-region AWS CloudTrail.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/multi-region-cloudtrail-enabled.html

CLOUDTRAIL_S3_DATAEVENTS_ENABLED

@Stability(Stable)
public static final String CLOUDTRAIL_S3_DATAEVENTS_ENABLED

Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html

CLOUDTRAIL_SECURITY_TRAIL_ENABLED

@Stability(Stable)
public static final String CLOUDTRAIL_SECURITY_TRAIL_ENABLED

Checks that there is at least one AWS CloudTrail trail defined with security best practices.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-security-trail-enabled.html

CLOUDWATCH_ALARM_ACTION_CHECK

@Stability(Stable)
public static final String CLOUDWATCH_ALARM_ACTION_CHECK

Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html

CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK

@Stability(Stable)
public static final String CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK

Checks if Amazon CloudWatch alarms actions are in enabled state.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-enabled-check.html

CLOUDWATCH_ALARM_RESOURCE_CHECK

@Stability(Stable)
public static final String CLOUDWATCH_ALARM_RESOURCE_CHECK

Checks whether the specified resource type has a CloudWatch alarm for the specified metric.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-resource-check.html

CLOUDWATCH_ALARM_SETTINGS_CHECK

@Stability(Stable)
public static final String CLOUDWATCH_ALARM_SETTINGS_CHECK

Checks whether CloudWatch alarms with the given metric name have the specified settings.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-settings-check.html

CLOUDWATCH_LOG_GROUP_ENCRYPTED

@Stability(Stable)
public static final String CLOUDWATCH_LOG_GROUP_ENCRYPTED

Checks whether a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html

CMK_BACKING_KEY_ROTATION_ENABLED

@Stability(Stable)
public static final String CMK_BACKING_KEY_ROTATION_ENABLED

Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html

CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION

@Stability(Stable)
public static final String CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION

Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-artifact-encryption.html

CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK

@Stability(Stable)
public static final String CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK

Checks if an AWS CodeBuild project environment has privileged mode enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-environment-privileged-check.html

CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

@Stability(Stable)
public static final String CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html

CODEBUILD_PROJECT_LOGGING_ENABLED

@Stability(Stable)
public static final String CODEBUILD_PROJECT_LOGGING_ENABLED

Checks if an AWS CodeBuild project environment has at least one log option enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-logging-enabled.html

CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED

@Stability(Stable)
public static final String CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED

Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-s3-logs-encrypted.html

CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

@Stability(Stable)
public static final String CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html

CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED

@Stability(Stable)
public static final String CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED

Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-auto-rollback-monitor-enabled.html

CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED

@Stability(Stable)
public static final String CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED

Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-ec2-minimum-healthy-hosts-configured.html

CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED

@Stability(Stable)
public static final String CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED

Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-lambda-allatonce-traffic-shift-disabled.html

CODEPIPELINE_DEPLOYMENT_COUNT_CHECK

@Stability(Stable)
public static final String CODEPIPELINE_DEPLOYMENT_COUNT_CHECK

Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-deployment-count-check.html

CODEPIPELINE_REGION_FANOUT_CHECK

@Stability(Stable)
public static final String CODEPIPELINE_REGION_FANOUT_CHECK

Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-region-fanout-check.html

CW_LOGGROUP_RETENTION_PERIOD_CHECK

@Stability(Stable)
public static final String CW_LOGGROUP_RETENTION_PERIOD_CHECK

Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/cw-loggroup-retention-period-check.html

DAX_ENCRYPTION_ENABLED

@Stability(Stable)
public static final String DAX_ENCRYPTION_ENABLED

Checks that DynamoDB Accelerator (DAX) clusters are encrypted.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dax-encryption-enabled.html

DMS_REPLICATION_NOT_PUBLIC

@Stability(Stable)
public static final String DMS_REPLICATION_NOT_PUBLIC

Checks whether AWS Database Migration Service replication instances are public.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-not-public.html

DYNAMODB_AUTOSCALING_ENABLED

@Stability(Stable)
public static final String DYNAMODB_AUTOSCALING_ENABLED

Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-autoscaling-enabled.html

DYNAMODB_IN_BACKUP_PLAN

@Stability(Stable)
public static final String DYNAMODB_IN_BACKUP_PLAN

Checks whether Amazon DynamoDB table is present in AWS Backup plans.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-in-backup-plan.html

DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-last-backup-recovery-point-created.html

DYNAMODB_PITR_ENABLED

@Stability(Stable)
public static final String DYNAMODB_PITR_ENABLED

Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-pitr-enabled.html

DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon DynamoDB tables are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-resources-protected-by-backup-plan.html

DYNAMODB_TABLE_ENCRYPTED_KMS

@Stability(Stable)
public static final String DYNAMODB_TABLE_ENCRYPTED_KMS

Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encrypted-kms.html

DYNAMODB_TABLE_ENCRYPTION_ENABLED

@Stability(Stable)
public static final String DYNAMODB_TABLE_ENCRYPTION_ENABLED

Checks whether the Amazon DynamoDB tables are encrypted and checks their status.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encryption-enabled.html

DYNAMODB_THROUGHPUT_LIMIT_CHECK

@Stability(Stable)
public static final String DYNAMODB_THROUGHPUT_LIMIT_CHECK

Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-throughput-limit-check.html

EBS_ENCRYPTED_VOLUMES

@Stability(Stable)
public static final String EBS_ENCRYPTED_VOLUMES

Checks whether the EBS volumes that are in an attached state are encrypted.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html

EBS_IN_BACKUP_PLAN

@Stability(Stable)
public static final String EBS_IN_BACKUP_PLAN

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ebs-in-backup-plan.html

EBS_OPTIMIZED_INSTANCE

@Stability(Stable)
public static final String EBS_OPTIMIZED_INSTANCE

Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ebs-optimized-instance.html

EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ebs-resources-protected-by-backup-plan.html

EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

@Stability(Stable)
public static final String EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html

EC2_DESIRED_INSTANCE_TENANCY

@Stability(Stable)
public static final String EC2_DESIRED_INSTANCE_TENANCY

Checks instances for specified tenancy.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-tenancy.html

EC2_DESIRED_INSTANCE_TYPE

@Stability(Stable)
public static final String EC2_DESIRED_INSTANCE_TYPE

Checks whether your EC2 instances are of the specified instance types.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-type.html

EC2_EBS_ENCRYPTION_BY_DEFAULT

@Stability(Stable)
public static final String EC2_EBS_ENCRYPTION_BY_DEFAULT

Check that Amazon Elastic Block Store (EBS) encryption is enabled by default.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html

EC2_IMDSV2_CHECK

@Stability(Stable)
public static final String EC2_IMDSV2_CHECK

Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html

EC2_INSTANCE_DETAILED_MONITORING_ENABLED

@Stability(Stable)
public static final String EC2_INSTANCE_DETAILED_MONITORING_ENABLED

Checks whether detailed monitoring is enabled for EC2 instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-detailed-monitoring-enabled.html

EC2_INSTANCE_MANAGED_BY_SSM

@Stability(Stable)
public static final String EC2_INSTANCE_MANAGED_BY_SSM

Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html

EC2_INSTANCE_MULTIPLE_ENI_CHECK

@Stability(Stable)
public static final String EC2_INSTANCE_MULTIPLE_ENI_CHECK

Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-multiple-eni-check.html

EC2_INSTANCE_NO_PUBLIC_IP

@Stability(Stable)
public static final String EC2_INSTANCE_NO_PUBLIC_IP

Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html

EC2_INSTANCE_PROFILE_ATTACHED

@Stability(Stable)
public static final String EC2_INSTANCE_PROFILE_ATTACHED

Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it.

This rule is NON_COMPLIANT if no IAM profile is attached to the Amazon EC2 instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html

EC2_INSTANCES_IN_VPC

@Stability(Stable)
public static final String EC2_INSTANCES_IN_VPC

Checks whether your EC2 instances belong to a virtual private cloud (VPC).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html

EC2_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String EC2_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-last-backup-recovery-point-created.html

EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED

@Stability(Stable)
public static final String EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED

Checks that none of the specified applications are installed on the instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-blacklisted.html

EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED

@Stability(Stable)
public static final String EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED

Checks whether all of the specified applications are installed on the instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-required.html

EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

@Stability(Stable)
public static final String EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html

EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED

@Stability(Stable)
public static final String EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED

Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-inventory-blacklisted.html

EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

@Stability(Stable)
public static final String EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html

EC2_MANAGED_INSTANCE_PLATFORM_CHECK

@Stability(Stable)
public static final String EC2_MANAGED_INSTANCE_PLATFORM_CHECK

Checks whether EC2 managed instances have the desired configurations.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-platform-check.html

EC2_NO_AMAZON_KEY_PAIR

@Stability(Stable)
public static final String EC2_NO_AMAZON_KEY_PAIR

Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-no-amazon-key-pair.html

EC2_PARAVIRTUAL_INSTANCE_CHECK

@Stability(Stable)
public static final String EC2_PARAVIRTUAL_INSTANCE_CHECK

Checks if the virtualization type of an EC2 instance is paravirtual.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-paravirtual-instance-check.html

EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-resources-protected-by-backup-plan.html

EC2_SECURITY_GROUP_ATTACHED_TO_ENI

@Stability(Stable)
public static final String EC2_SECURITY_GROUP_ATTACHED_TO_ENI

Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni.html

EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC

@Stability(Stable)
public static final String EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC

Checks if non-default security groups are attached to Elastic network interfaces (ENIs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni-periodic.html

EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED

@Stability(Stable)
public static final String EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED

Checks whether the incoming SSH traffic for the security groups is accessible.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html

EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC

@Stability(Stable)
public static final String EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC

Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html

EC2_STOPPED_INSTANCE

@Stability(Stable)
public static final String EC2_STOPPED_INSTANCE

Checks whether there are instances stopped for more than the allowed number of days.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-stopped-instance.html

EC2_TOKEN_HOP_LIMIT_CHECK

@Stability(Stable)
public static final String EC2_TOKEN_HOP_LIMIT_CHECK

Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-token-hop-limit-check.html

EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED

@Stability(Stable)
public static final String EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED

Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-transit-gateway-auto-vpc-attach-disabled.html

EC2_VOLUME_IECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECKNUSE_CHECK

@Stability(Stable)
public static final String EC2_VOLUME_IECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECKNUSE_CHECK

Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-volume-inuse-check.html

EC2_VOLUME_INUSE_CHECK

@Stability(Stable)
public static final String EC2_VOLUME_INUSE_CHECK

Checks whether EBS volumes are attached to EC2 instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-volume-inuse-check.html

ECR_PRIVATE_IMAGE_SCANNING_ENABLED

@Stability(Stable)
public static final String ECR_PRIVATE_IMAGE_SCANNING_ENABLED

Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-image-scanning-enabled.html

ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED

@Stability(Stable)
public static final String ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED

Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html

ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED

@Stability(Stable)
public static final String ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED

Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html

ECS_AWSVPC_NETWORKING_ENABLED

@Stability(Stable)
public static final String ECS_AWSVPC_NETWORKING_ENABLED

Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-awsvpc-networking-enabled.html

ECS_CONTAINER_INSIGHTS_ENABLED

@Stability(Stable)
public static final String ECS_CONTAINER_INSIGHTS_ENABLED

Checks if Amazon Elastic Container Service clusters have container insights enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html

ECS_CONTAINERS_NONPRIVILEGED

@Stability(Stable)
public static final String ECS_CONTAINERS_NONPRIVILEGED

Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html

ECS_CONTAINERS_READONLY_ACCESS

@Stability(Stable)
public static final String ECS_CONTAINERS_READONLY_ACCESS

Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to its root filesystems.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html

ECS_FARGATE_LATEST_PLATFORM_VERSION

@Stability(Stable)
public static final String ECS_FARGATE_LATEST_PLATFORM_VERSION

Checks if Amazon Elastic Container Service (ECS) Fargate Services is running on the latest Fargate platform version.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html

ECS_NO_ENVIRONMENT_SECRETS

@Stability(Stable)
public static final String ECS_NO_ENVIRONMENT_SECRETS

Checks if secrets are passed as container environment variables.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-no-environment-secrets.html

ECS_TASK_DEFINITION_LOG_CONFIGURATION

@Stability(Stable)
public static final String ECS_TASK_DEFINITION_LOG_CONFIGURATION

Checks if logConfiguration is set on active ECS Task Definitions.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html

ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT

@Stability(Stable)
public static final String ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT

Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for its container definitions.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-memory-hard-limit.html

ECS_TASK_DEFINITION_NONROOT_USER

@Stability(Stable)
public static final String ECS_TASK_DEFINITION_NONROOT_USER

Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-nonroot-user.html

ECS_TASK_DEFINITION_PID_MODE_CHECK

@Stability(Stable)
public static final String ECS_TASK_DEFINITION_PID_MODE_CHECK

Checks if ECSTaskDefinitions are configured to share a host’s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-stopped-instance.html

EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY

@Stability(Stable)
public static final String EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY

Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-root-directory.html

EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY

@Stability(Stable)
public static final String EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY

Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ec2-volume-inuse-check.html

EFS_ENCRYPTED_CHECK

@Stability(Stable)
public static final String EFS_ENCRYPTED_CHECK

hecks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html

EFS_IN_BACKUP_PLAN

@Stability(Stable)
public static final String EFS_IN_BACKUP_PLAN

Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/efs-in-backup-plan.html

EFS_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String EFS_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/efs-last-backup-recovery-point-created.html

EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/efs-resources-protected-by-backup-plan.html

EIP_ATTACHED

@Stability(Stable)
public static final String EIP_ATTACHED

Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/eip-attached.html

EKS_CLUSTER_OLDEST_SUPPORTED_VERSION

@Stability(Stable)
public static final String EKS_CLUSTER_OLDEST_SUPPORTED_VERSION

Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-oldest-supported-version.html

EKS_CLUSTER_SUPPORTED_VERSION

@Stability(Stable)
public static final String EKS_CLUSTER_SUPPORTED_VERSION

Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-supported-version.html

EKS_ENDPOINT_NO_PUBLIC_ACCESS

@Stability(Stable)
public static final String EKS_ENDPOINT_NO_PUBLIC_ACCESS

Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/eks-endpoint-no-public-access.html

EKS_SECRETS_ENCRYPTED

@Stability(Stable)
public static final String EKS_SECRETS_ENCRYPTED

Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/eks-secrets-encrypted.html

ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED

@Stability(Stable)
public static final String ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED

Checks if managed platform updates in an AWS Elastic Beanstalk environment is enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html

ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

@Stability(Stable)
public static final String ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

Check if the Amazon ElastiCache Redis clusters have automatic backup turned on.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html

ELASTICSEARCH_ENCRYPTED_AT_REST

@Stability(Stable)
public static final String ELASTICSEARCH_ENCRYPTED_AT_REST

Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-encrypted-at-rest.html

ELASTICSEARCH_IN_VPC_ONLY

@Stability(Stable)
public static final String ELASTICSEARCH_IN_VPC_ONLY

Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-in-vpc-only.html

ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

@Stability(Stable)
public static final String ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

Check that Amazon ElasticSearch Service nodes are encrypted end to end.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-node-to-node-encryption-check.html

ELB_ACM_CERTIFICATE_REQUIRED

@Stability(Stable)
public static final String ELB_ACM_CERTIFICATE_REQUIRED

Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html

ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED

@Stability(Stable)
public static final String ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED

Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html

ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK

@Stability(Stable)
public static final String ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK

Checks whether your Classic Load Balancer SSL listeners are using a custom policy.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-custom-security-policy-ssl-check.html

ELB_DELETION_PROTECTION_ENABLED

@Stability(Stable)
public static final String ELB_DELETION_PROTECTION_ENABLED

Checks whether Elastic Load Balancing has deletion protection enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-deletion-protection-enabled.html

ELB_LOGGING_ENABLED

@Stability(Stable)
public static final String ELB_LOGGING_ENABLED

Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html

ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK

@Stability(Stable)
public static final String ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK

Checks whether your Classic Load Balancer SSL listeners are using a predefined policy.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html

ELB_TLS_HTTPS_LISTENERS_ONLY

@Stability(Stable)
public static final String ELB_TLS_HTTPS_LISTENERS_ONLY

Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elb-tls-https-listeners-only.html

ELBV2_ACM_CERTIFICATE_REQUIRED

@Stability(Stable)
public static final String ELBV2_ACM_CERTIFICATE_REQUIRED

Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html

ELBV2_MULTIPLE_AZ

@Stability(Stable)
public static final String ELBV2_MULTIPLE_AZ

Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZ's).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/elbv2-multiple-az.html

EMR_KERBEROS_ENABLED

@Stability(Stable)
public static final String EMR_KERBEROS_ENABLED

Checks that Amazon EMR clusters have Kerberos enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/emr-kerberos-enabled.html

EMR_MASTER_NO_PUBLIC_IP

@Stability(Stable)
public static final String EMR_MASTER_NO_PUBLIC_IP

Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/emr-master-no-public-ip.html

FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK

@Stability(Deprecated)
@Deprecated
public static final String FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK

Deprecated.

Inactive managed rule

(deprecated) Checks whether the security groups associated inScope resources are compliant with the master security groups at each rule level based on allowSecurityGroup and denySecurityGroup flag.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-audit-policy-check.html

FMS_SECURITY_GROUP_CONTENT_CHECK

@Stability(Deprecated)
@Deprecated
public static final String FMS_SECURITY_GROUP_CONTENT_CHECK

Deprecated.

Inactive managed rule

(deprecated) Checks whether AWS Firewall Manager created security groups content is the same as the master security groups.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-content-check.html

FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK

@Stability(Deprecated)
@Deprecated
public static final String FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK

Deprecated.

Inactive managed rule

(deprecated) Checks whether Amazon EC2 or an elastic network interface is associated with AWS Firewall Manager security groups.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-resource-association-check.html

FMS_SHIELD_RESOURCE_POLICY_CHECK

@Stability(Stable)
public static final String FMS_SHIELD_RESOURCE_POLICY_CHECK

Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html

FMS_WEBACL_RESOURCE_POLICY_CHECK

@Stability(Stable)
public static final String FMS_WEBACL_RESOURCE_POLICY_CHECK

Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-resource-policy-check.html

FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK

@Stability(Stable)
public static final String FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK

Checks that the rule groups associate with the web ACL at the correct priority.

The correct priority is decided by the rank of the rule groups in the ruleGroups parameter.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-rulegroup-association-check.html

FSX_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String FSX_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon FSx File Systems.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fsx-last-backup-recovery-point-created.html

FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon FSx File Systems are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/fsx-resources-protected-by-backup-plan.html

GUARDDUTY_ENABLED_CENTRALIZED

@Stability(Stable)
public static final String GUARDDUTY_ENABLED_CENTRALIZED

Checks whether Amazon GuardDuty is enabled in your AWS account and region.

If you provide an AWS account for centralization, the rule evaluates the Amazon GuardDuty results in the centralized account.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/guardduty-enabled-centralized.html

GUARDDUTY_NON_ARCHIVED_FINDINGS

@Stability(Stable)
public static final String GUARDDUTY_NON_ARCHIVED_FINDINGS

Checks whether the Amazon GuardDuty has findings that are non archived.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/guardduty-non-archived-findings.html

IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS

@Stability(Stable)
public static final String IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS

Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on all AWS AWS KMS keys.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.html

IAM_GROUP_HAS_USERS_CHECK

@Stability(Stable)
public static final String IAM_GROUP_HAS_USERS_CHECK

Checks whether IAM groups have at least one IAM user.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-group-has-users-check.html

IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS

@Stability(Stable)
public static final String IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS

Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not allow blocked actions on all AWS Key Management Service keys.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-inline-policy-blocked-kms-actions.html

IAM_NO_INLINE_POLICY_CHECK

@Stability(Stable)
public static final String IAM_NO_INLINE_POLICY_CHECK

Checks that inline policy feature is not in use.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-no-inline-policy-check.html

IAM_PASSWORD_POLICY

@Stability(Stable)
public static final String IAM_PASSWORD_POLICY

Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html

IAM_POLICY_BLOCKED_CHECK

@Stability(Stable)
public static final String IAM_POLICY_BLOCKED_CHECK

Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html

IAM_POLICY_IN_USE

@Stability(Stable)
public static final String IAM_POLICY_IN_USE

Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM role with one or more trusted entity.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-in-use.html

IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS

@Stability(Stable)
public static final String IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS

Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html

IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS

@Stability(Stable)
public static final String IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS

Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-full-access.html

IAM_ROLE_MANAGED_POLICY_CHECK

@Stability(Stable)
public static final String IAM_ROLE_MANAGED_POLICY_CHECK

Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-role-managed-policy-check.html

IAM_ROOT_ACCESS_KEY_CHECK

@Stability(Stable)
public static final String IAM_ROOT_ACCESS_KEY_CHECK

Checks whether the root user access key is available.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html

IAM_USER_GROUP_MEMBERSHIP_CHECK

@Stability(Stable)
public static final String IAM_USER_GROUP_MEMBERSHIP_CHECK

Checks whether IAM users are members of at least one IAM group.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-user-group-membership-check.html

IAM_USER_MFA_ENABLED

@Stability(Stable)
public static final String IAM_USER_MFA_ENABLED

Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-user-mfa-enabled.html

IAM_USER_NO_POLICIES_CHECK

@Stability(Stable)
public static final String IAM_USER_NO_POLICIES_CHECK

Checks that none of your IAM users have policies attached.

IAM users must inherit permissions from IAM groups or roles.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html

IAM_USER_UNUSED_CREDENTIALS_CHECK

@Stability(Stable)
public static final String IAM_USER_UNUSED_CREDENTIALS_CHECK

Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/iam-user-unused-credentials-check.html

INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY

@Stability(Stable)
public static final String INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY

Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/internet-gateway-authorized-vpc-only.html

KINESIS_STREAM_ENCRYPTED

@Stability(Stable)
public static final String KINESIS_STREAM_ENCRYPTED

Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/kinesis-stream-encrypted.html

KMS_CMK_NOT_SCHEDULED_FOR_DELETION

@Stability(Stable)
public static final String KMS_CMK_NOT_SCHEDULED_FOR_DELETION

Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/kms-cmk-not-scheduled-for-deletion.html

LAMBDA_CONCURRENCY_CHECK

@Stability(Stable)
public static final String LAMBDA_CONCURRENCY_CHECK

Checks whether the AWS Lambda function is configured with function-level concurrent execution limit.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/lambda-concurrency-check.html

LAMBDA_DLQ_CHECK

@Stability(Stable)
public static final String LAMBDA_DLQ_CHECK

Checks whether an AWS Lambda function is configured with a dead-letter queue.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/lambda-dlq-check.html

LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

@Stability(Stable)
public static final String LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-public-access-prohibited.html

LAMBDA_FUNCTION_SETTINGS_CHECK

@Stability(Stable)
public static final String LAMBDA_FUNCTION_SETTINGS_CHECK

Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-settings-check.html

LAMBDA_INSIDE_VPC

@Stability(Stable)
public static final String LAMBDA_INSIDE_VPC

Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html

LAMBDA_VPC_MULTI_AZ_CHECK

@Stability(Stable)
public static final String LAMBDA_VPC_MULTI_AZ_CHECK

Checks if Lambda has more than 1 availability zone associated.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/lambda-vpc-multi-az-check.html

MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

@Stability(Stable)
public static final String MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html

NACL_NO_UNRESTRICTED_SSH_RDP

@Stability(Stable)
public static final String NACL_NO_UNRESTRICTED_SSH_RDP

Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/nacl-no-unrestricted-ssh-rdp.html

NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS

@Stability(Stable)
public static final String NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS

Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html

NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS

@Stability(Stable)
public static final String NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS

Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-full-packets.html

NETFW_POLICY_RULE_GROUP_ASSOCIATED

@Stability(Stable)
public static final String NETFW_POLICY_RULE_GROUP_ASSOCIATED

Check AWS Network Firewall policy is associated with stateful OR stateless rule groups.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-rule-group-associated.html

NETFW_STATELESS_RULE_GROUP_NOT_EMPTY

@Stability(Stable)
public static final String NETFW_STATELESS_RULE_GROUP_NOT_EMPTY

Checks if a Stateless Network Firewall Rule Group contains rules.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/netfw-stateless-rule-group-not-empty.html

NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED

@Stability(Stable)
public static final String NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED

Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/nlb-cross-zone-load-balancing-enabled.html

OPENSEARCH_ACCESS_CONTROL_ENABLED

@Stability(Stable)
public static final String OPENSEARCH_ACCESS_CONTROL_ENABLED

Checks if Amazon OpenSearch Service domains have fine-grained access control enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-access-control-enabled.html

OPENSEARCH_AUDIT_LOGGING_ENABLED

@Stability(Stable)
public static final String OPENSEARCH_AUDIT_LOGGING_ENABLED

Checks if Amazon OpenSearch Service domains have audit logging enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-audit-logging-enabled.html

OPENSEARCH_DATA_NODE_FAULT_TOLERANCE

@Stability(Stable)
public static final String OPENSEARCH_DATA_NODE_FAULT_TOLERANCE

Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-data-node-fault-tolerance.html

OPENSEARCH_ENCRYPTED_AT_REST

@Stability(Stable)
public static final String OPENSEARCH_ENCRYPTED_AT_REST

Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-encrypted-at-rest.html

OPENSEARCH_HTTPS_REQUIRED

@Stability(Stable)
public static final String OPENSEARCH_HTTPS_REQUIRED

Checks whether connections to OpenSearch domains are using HTTPS.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-https-required.html

OPENSEARCH_IN_VPC_ONLY

@Stability(Stable)
public static final String OPENSEARCH_IN_VPC_ONLY

Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-in-vpc-only.html

OPENSEARCH_LOGS_TO_CLOUDWATCH

@Stability(Stable)
public static final String OPENSEARCH_LOGS_TO_CLOUDWATCH

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-logs-to-cloudwatch.html

OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

@Stability(Stable)
public static final String OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

Check if Amazon OpenSearch Service nodes are encrypted end to end.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/opensearch-node-to-node-encryption-check.html

RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED

@Stability(Stable)
public static final String RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED

Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-automatic-minor-version-upgrade-enabled.html

RDS_CLUSTER_DEFAULT_ADMIN_CHECK

@Stability(Stable)
public static final String RDS_CLUSTER_DEFAULT_ADMIN_CHECK

Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-default-admin-check.html

RDS_CLUSTER_DELETION_PROTECTION_ENABLED

@Stability(Stable)
public static final String RDS_CLUSTER_DELETION_PROTECTION_ENABLED

Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-deletion-protection-enabled.html

RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED

@Stability(Stable)
public static final String RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED

Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-iam-authentication-enabled.html

RDS_CLUSTER_MULTI_AZ_ENABLED

@Stability(Stable)
public static final String RDS_CLUSTER_MULTI_AZ_ENABLED

Checks if Multi-AZ replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-multi-az-enabled.html

RDS_DB_INSTANCE_BACKUP_ENABLED

@Stability(Stable)
public static final String RDS_DB_INSTANCE_BACKUP_ENABLED

Checks whether RDS DB instances have backups enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/db-instance-backup-enabled.html

RDS_DB_SECURITY_GROUP_NOT_ALLOWED

@Stability(Stable)
public static final String RDS_DB_SECURITY_GROUP_NOT_ALLOWED

Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-db-security-group-not-allowed.html

RDS_ENHANCED_MONITORING_ENABLED

@Stability(Stable)
public static final String RDS_ENHANCED_MONITORING_ENABLED

Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-enhanced-monitoring-enabled.html

RDS_IN_BACKUP_PLAN

@Stability(Stable)
public static final String RDS_IN_BACKUP_PLAN

Checks whether Amazon RDS database is present in back plans of AWS Backup.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-in-backup-plan.html

RDS_INSTANCE_DEFAULT_ADMIN_CHECK

@Stability(Stable)
public static final String RDS_INSTANCE_DEFAULT_ADMIN_CHECK

Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-default-admin-check.html

RDS_INSTANCE_DELETION_PROTECTION_ENABLED

@Stability(Stable)
public static final String RDS_INSTANCE_DELETION_PROTECTION_ENABLED

Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-deletion-protection-enabled.html

RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

@Stability(Stable)
public static final String RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

Checks if an Amazon RDS instance has AWS Identity and Access Management (IAM) authentication enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-iam-authentication-enabled.html

RDS_INSTANCE_PUBLIC_ACCESS_CHECK

@Stability(Stable)
public static final String RDS_INSTANCE_PUBLIC_ACCESS_CHECK

Check whether the Amazon Relational Database Service instances are not publicly accessible.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html

RDS_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String RDS_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-last-backup-recovery-point-created.html

RDS_LOGGING_ENABLED

@Stability(Stable)
public static final String RDS_LOGGING_ENABLED

Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-logging-enabled.html

RDS_MULTI_AZ_SUPPORT

@Stability(Stable)
public static final String RDS_MULTI_AZ_SUPPORT

Checks whether high availability is enabled for your RDS DB instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-multi-az-support.html

RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-resources-protected-by-backup-plan.html

RDS_SNAPSHOT_ENCRYPTED

@Stability(Stable)
public static final String RDS_SNAPSHOT_ENCRYPTED

Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshot-encrypted.html

RDS_SNAPSHOTS_PUBLIC_PROHIBITED

@Stability(Stable)
public static final String RDS_SNAPSHOTS_PUBLIC_PROHIBITED

Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html

RDS_STORAGE_ENCRYPTED

@Stability(Stable)
public static final String RDS_STORAGE_ENCRYPTED

Checks whether storage encryption is enabled for your RDS DB instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/rds-storage-encrypted.html

REDSHIFT_AUDIT_LOGGING_ENABLED

@Stability(Stable)
public static final String REDSHIFT_AUDIT_LOGGING_ENABLED

Checks if Amazon Redshift clusters are logging audits to a specific bucket.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-audit-logging-enabled.html

REDSHIFT_BACKUP_ENABLED

@Stability(Stable)
public static final String REDSHIFT_BACKUP_ENABLED

Checks that Amazon Redshift automated snapshots are enabled for clusters.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html

REDSHIFT_CLUSTER_CONFIGURATION_CHECK

@Stability(Stable)
public static final String REDSHIFT_CLUSTER_CONFIGURATION_CHECK

Checks whether Amazon Redshift clusters have the specified settings.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-configuration-check.html

REDSHIFT_CLUSTER_KMS_ENABLED

@Stability(Stable)
public static final String REDSHIFT_CLUSTER_KMS_ENABLED

Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html

REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK

@Stability(Stable)
public static final String REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK

Checks whether Amazon Redshift clusters have the specified maintenance settings.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html

REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

@Stability(Stable)
public static final String REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

Checks whether Amazon Redshift clusters are not publicly accessible.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html

REDSHIFT_DEFAULT_ADMIN_CHECK

@Stability(Stable)
public static final String REDSHIFT_DEFAULT_ADMIN_CHECK

Checks if an Amazon Redshift cluster has changed the admin username from its default value.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html

REDSHIFT_DEFAULT_DB_NAME_CHECK

@Stability(Stable)
public static final String REDSHIFT_DEFAULT_DB_NAME_CHECK

Checks if a Redshift cluster has changed its database name from the default value.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html

REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED

@Stability(Stable)
public static final String REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED

Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html

REDSHIFT_REQUIRE_TLS_SSL

@Stability(Stable)
public static final String REDSHIFT_REQUIRE_TLS_SSL

Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html

REQUIRED_TAGS

@Stability(Stable)
public static final String REQUIRED_TAGS

Checks whether your resources have the tags that you specify.

For example, you can check whether your Amazon EC2 instances have the CostCenter tag.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html

ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

@Stability(Stable)
public static final String ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html

ROOT_ACCOUNT_MFA_ENABLED

@Stability(Stable)
public static final String ROOT_ACCOUNT_MFA_ENABLED

Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/root-account-mfa-enabled.html

S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

@Stability(Stable)
public static final String S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

Checks whether the required public access block settings are configured from account level.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks.html

S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC

@Stability(Stable)
public static final String S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC

Checks if the required public access block settings are configured from account level.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html

S3_BUCKET_ACL_PROHIBITED

@Stability(Stable)
public static final String S3_BUCKET_ACL_PROHIBITED

Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html

S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED

@Stability(Stable)
public static final String S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED

Checks if the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html

S3_BUCKET_DEFAULT_LOCK_ENABLED

@Stability(Stable)
public static final String S3_BUCKET_DEFAULT_LOCK_ENABLED

Checks whether Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-default-lock-enabled.html

S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED

@Stability(Stable)
public static final String S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED

Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html

S3_BUCKET_LOGGING_ENABLED

@Stability(Stable)
public static final String S3_BUCKET_LOGGING_ENABLED

Checks whether logging is enabled for your S3 buckets.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html

S3_BUCKET_POLICY_GRANTEE_CHECK

@Stability(Stable)
public static final String S3_BUCKET_POLICY_GRANTEE_CHECK

Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-grantee-check.html

S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE

@Stability(Stable)
public static final String S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE

Checks if your Amazon Simple Storage Service bucket policies do not allow other inter-account permissions than the control Amazon S3 bucket policy that you provide.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-not-more-permissive.html

S3_BUCKET_PUBLIC_READ_PROHIBITED

@Stability(Stable)
public static final String S3_BUCKET_PUBLIC_READ_PROHIBITED

Checks if your Amazon S3 buckets do not allow public read access.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited.html

S3_BUCKET_PUBLIC_WRITE_PROHIBITED

@Stability(Stable)
public static final String S3_BUCKET_PUBLIC_WRITE_PROHIBITED

Checks that your Amazon S3 buckets do not allow public write access.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html

S3_BUCKET_REPLICATION_ENABLED

@Stability(Stable)
public static final String S3_BUCKET_REPLICATION_ENABLED

Checks whether S3 buckets have cross-region replication enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-replication-enabled.html

S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

@Stability(Stable)
public static final String S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html

S3_BUCKET_SSL_REQUESTS_ONLY

@Stability(Stable)
public static final String S3_BUCKET_SSL_REQUESTS_ONLY

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html

S3_BUCKET_VERSIONING_ENABLED

@Stability(Stable)
public static final String S3_BUCKET_VERSIONING_ENABLED

Checks whether versioning is enabled for your S3 buckets.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-versioning-enabled.html

S3_DEFAULT_ENCRYPTION_KMS

@Stability(Stable)
public static final String S3_DEFAULT_ENCRYPTION_KMS

Checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-default-encryption-kms.html

S3_EVENT_NOTIFICATIONS_ENABLED

@Stability(Stable)
public static final String S3_EVENT_NOTIFICATIONS_ENABLED

Checks if Amazon S3 Events Notifications are enabled on an S3 bucket.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-event-notifications-enabled.html

S3_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String S3_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-last-backup-recovery-point-created.html

S3_LIFECYCLE_POLICY_CHECK

@Stability(Stable)
public static final String S3_LIFECYCLE_POLICY_CHECK

Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-lifecycle-policy-check.html

S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-resources-protected-by-backup-plan.html

S3_VERSION_LIFECYCLE_POLICY_CHECK

@Stability(Stable)
public static final String S3_VERSION_LIFECYCLE_POLICY_CHECK

Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/s3-version-lifecycle-policy-check.html

SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED

@Stability(Stable)
public static final String SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED

Checks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-configuration-kms-key-configured.html

SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED

@Stability(Stable)
public static final String SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED

Check whether an AWS Key Management Service (KMS) key is configured for SageMaker notebook instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html

SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

@Stability(Stable)
public static final String SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html

SECRETSMANAGER_ROTATION_ENABLED_CHECK

@Stability(Stable)
public static final String SECRETSMANAGER_ROTATION_ENABLED_CHECK

Checks whether AWS Secrets Manager secret has rotation enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html

SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK

@Stability(Stable)
public static final String SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK

Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-scheduled-rotation-success-check.html

SECRETSMANAGER_SECRET_PERIODIC_ROTATION

@Stability(Stable)
public static final String SECRETSMANAGER_SECRET_PERIODIC_ROTATION

Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-periodic-rotation.html

SECRETSMANAGER_SECRET_UNUSED

@Stability(Stable)
public static final String SECRETSMANAGER_SECRET_UNUSED

Checks if AWS Secrets Manager secrets have been accessed within a specified number of days.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-unused.html

SECRETSMANAGER_USING_CMK

@Stability(Stable)
public static final String SECRETSMANAGER_USING_CMK

Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html

SECURITYHUB_ENABLED

@Stability(Stable)
public static final String SECURITYHUB_ENABLED

Checks that AWS Security Hub is enabled for an AWS account.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/securityhub-enabled.html

SERVICE_VPC_ENDPOINT_ENABLED

@Stability(Stable)
public static final String SERVICE_VPC_ENDPOINT_ENABLED

Checks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/service-vpc-endpoint-enabled.html

SHIELD_ADVANCED_ENABLED_AUTO_RENEW

@Stability(Stable)
public static final String SHIELD_ADVANCED_ENABLED_AUTO_RENEW

Checks whether EBS volumes are attached to EC2 instances.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/shield-advanced-enabled-autorenew.html

SHIELD_DRT_ACCESS

@Stability(Stable)
public static final String SHIELD_DRT_ACCESS

Verify that DDoS response team (DRT) can access AWS account.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/shield-drt-access.html

SNS_ENCRYPTED_KMS

@Stability(Stable)
public static final String SNS_ENCRYPTED_KMS

Checks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html

SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED

@Stability(Stable)
public static final String SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED

Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-message-delivery-notification-enabled.html

SSM_DOCUMENT_NOT_PUBLIC

@Stability(Stable)
public static final String SSM_DOCUMENT_NOT_PUBLIC

Checks if AWS Systems Manager documents owned by the account are public.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-not-public.html

STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for AWS Storage Gateway volumes.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/storagegateway-last-backup-recovery-point-created.html

SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED

@Stability(Stable)
public static final String SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED

hecks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html

VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED

@Stability(Stable)
public static final String VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED

Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-last-backup-recovery-point-created.html

VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN

@Stability(Stable)
public static final String VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN

Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-resources-protected-by-backup-plan.html

VPC_DEFAULT_SECURITY_GROUP_CLOSED

@Stability(Stable)
public static final String VPC_DEFAULT_SECURITY_GROUP_CLOSED

Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.

The rule returns NOT_APPLICABLE if the security group is not default.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html

VPC_FLOW_LOGS_ENABLED

@Stability(Stable)
public static final String VPC_FLOW_LOGS_ENABLED

Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html

VPC_NETWORK_ACL_UNUSED_CHECK

@Stability(Stable)
public static final String VPC_NETWORK_ACL_UNUSED_CHECK

Checks if there are unused network access control lists (network ACLs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/vpc-network-acl-unused-check.html

VPC_PEERING_DNS_RESOLUTION_CHECK

@Stability(Stable)
public static final String VPC_PEERING_DNS_RESOLUTION_CHECK

Checks if DNS resolution from accepter/requester VPC to private IP is enabled.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/vpc-peering-dns-resolution-check.html

VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

@Stability(Stable)
public static final String VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html

VPC_VPN_2_TUNNELS_UP

@Stability(Stable)
public static final String VPC_VPN_2_TUNNELS_UP

Checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/vpc-vpn-2-tunnels-up.html

WAF_CLASSIC_LOGGING_ENABLED

@Stability(Stable)
public static final String WAF_CLASSIC_LOGGING_ENABLED

Checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-classic-logging-enabled.html

WAF_GLOBAL_RULE_NOT_EMPTY

@Stability(Stable)
public static final String WAF_GLOBAL_RULE_NOT_EMPTY

Checks if an AWS WAF global rule contains any conditions.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rule-not-empty.html

WAF_GLOBAL_RULEGROUP_NOT_EMPTY

@Stability(Stable)
public static final String WAF_GLOBAL_RULEGROUP_NOT_EMPTY

Checks if an AWS WAF Classic rule group contains any rules.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rulegroup-not-empty.html

WAF_GLOBAL_WEBACL_NOT_EMPTY

@Stability(Stable)
public static final String WAF_GLOBAL_WEBACL_NOT_EMPTY

Checks whether a WAF Global Web ACL contains any WAF rules or rule groups.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-global-webacl-not-empty.html

WAF_REGIONAL_RULE_NOT_EMPTY

@Stability(Stable)
public static final String WAF_REGIONAL_RULE_NOT_EMPTY

Checks whether WAF regional rule contains conditions.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rule-not-empty.html

WAF_REGIONAL_RULEGROUP_NOT_EMPTY

@Stability(Stable)
public static final String WAF_REGIONAL_RULEGROUP_NOT_EMPTY

Checks if WAF Regional rule groups contain any rules.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rulegroup-not-empty.html

WAF_REGIONAL_WEBACL_NOT_EMPTY

@Stability(Stable)
public static final String WAF_REGIONAL_WEBACL_NOT_EMPTY

Checks if a WAF regional Web ACL contains any WAF rules or rule groups.

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-webacl-not-empty.html

WAFV2_LOGGING_ENABLED

@Stability(Stable)
public static final String WAFV2_LOGGING_ENABLED

Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs).

See Also:

• https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html

Constructor Details

ManagedRuleIdentifiers

protected ManagedRuleIdentifiers(software.amazon.jsii.JsiiObjectRef objRef)

ManagedRuleIdentifiers

protected ManagedRuleIdentifiers(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)