AWS Config
Developer Guide

fms-security-group-audit-policy-check

Checks whether the security groups associated with inScope resources are compliant with the master security groups at each rule level, based on the allowSecurityGroup and denySecurityGroup flags.

Note

Only AWS Firewall Manager can create this rule.

Identifier: FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK

Trigger type: Configuration changes

AWS Regions: Only available in US East (N. Virginia), EU (Ireland), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Sydney), EU (Frankfurt), Asia Pacific (Seoul), US East (Ohio), and EU (London).

Parameters:

masterSecurityGroupsIds (mandatory)

Comma-separated list of master security group IDs. The rule checks whether the security groups associated with inScope resources are compliant with the master security groups at each rule level.

resourceTags (mandatory)

The resource tags associated with the rule (for example, { "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] }).

inScope (mandatory)

If true, the AWS Config rule owner is in Firewall Manager security group audit policy scope.

excludeResourceTags (mandatory)

If true, exclude resources that match resourceTags.

resourceTypes (mandatory)

The resource types supported by this rule, such as Amazon EC2 instance, elastic network interface, or security group.

fmsRemediationEnabled (mandatory)

If true, AWS Firewall Manager updates NON_COMPLIANT resources according to the FMS policy. AWS Config ignores this parameter when you create this rule.

allowSecurityGroup (mandatory)

If true, the rule checks that all inScope security groups fall within the reference security group's inbound/outbound rules.
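The following is an added illustration of what "compliant at each rule level" means in allowSecurityGroup mode, together with the resourceTags / excludeResourceTags scoping; it is example code, not the Firewall Manager or AWS Config implementation. It assumes a simplified rule shape (protocol, port range, one CIDR) and treats a resource as matching resourceTags when it carries any listed key/value pair; the denySecurityGroup flag is not modelled. All security group rules and tags below are constructed sample data.

```python
"""Illustrative model of the FMS security group audit check (allow mode).

Added example, not AWS code. Assumes a simplified rule shape and a
"match any listed key/value" reading of the resourceTags parameter.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int  # -1 means "all ports/types" (assumption for this model)
    to_port: int
    cidr: str       # IPv4 or IPv6 CIDR


def rule_within(candidate: SgRule, reference: SgRule) -> bool:
    """True if everything the candidate rule permits is also permitted by the reference rule."""
    if reference.protocol != "-1":
        if reference.protocol != candidate.protocol:
            return False  # reference is protocol-specific; candidate must use the same one
        if reference.from_port != -1:  # reference restricts ports (or ICMP types)
            if candidate.from_port == -1:
                return False  # candidate allows all ports, reference does not
            if candidate.from_port < reference.from_port or candidate.to_port > reference.to_port:
                return False
    ref_net = ipaddress.ip_network(reference.cidr, strict=False)
    cand_net = ipaddress.ip_network(candidate.cidr, strict=False)
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return cand_net.version == ref_net.version and cand_net.subnet_of(ref_net)


def noncompliant_rules(audited: list[SgRule], reference: list[SgRule]) -> list[SgRule]:
    """Rules of the audited group that no master/reference rule fully covers."""
    return [r for r in audited if not any(rule_within(r, ref) for ref in reference)]


def matches_resource_tags(tags: dict[str, str], resource_tags: dict[str, list[str]]) -> bool:
    """Assumed semantics: the resource matches if any listed key has one of the listed values."""
    return any(tags.get(key) in values for key, values in resource_tags.items())


def is_audited(tags: dict[str, str], resource_tags: dict[str, list[str]], exclude_resource_tags: bool) -> bool:
    """excludeResourceTags=true skips matching resources; false (assumed) audits only matching ones."""
    matched = matches_resource_tags(tags, resource_tags)
    return not matched if exclude_resource_tags else matched


def evaluate(sg_rules: list[SgRule], sg_tags: dict[str, str], reference: list[SgRule],
             resource_tags: dict[str, list[str]], exclude_resource_tags: bool) -> tuple[str, list[SgRule]]:
    """Return an AWS Config style compliance type plus the offending rules, if any."""
    if not is_audited(sg_tags, resource_tags, exclude_resource_tags):
        return "NOT_APPLICABLE", []
    bad = noncompliant_rules(sg_rules, reference)
    return ("NON_COMPLIANT" if bad else "COMPLIANT"), bad


# Constructed sample data: the master security group allows HTTPS from anywhere
# and SSH only from the corporate 10.0.0.0/8 range.
REFERENCE_RULES = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, "10.0.0.0/8"),
]
RESOURCE_TAGS = {"fms-exclude": ["true"]}   # constructed resourceTags parameter
EXCLUDE_RESOURCE_TAGS = True

SG_A_RULES = [SgRule("tcp", 443, 443, "0.0.0.0/0"), SgRule("tcp", 22, 22, "10.1.2.0/24")]
SG_B_RULES = [SgRule("tcp", 22, 22, "0.0.0.0/0"), SgRule("tcp", 8080, 8080, "10.0.0.0/8")]
SG_C_TAGS = {"fms-exclude": "true"}


def run_samples() -> dict[str, str]:
    """Evaluate the three constructed groups; returns a name -> compliance type map."""
    return {
        "sg-a": evaluate(SG_A_RULES, {}, REFERENCE_RULES, RESOURCE_TAGS, EXCLUDE_RESOURCE_TAGS)[0],
        "sg-b": evaluate(SG_B_RULES, {}, REFERENCE_RULES, RESOURCE_TAGS, EXCLUDE_RESOURCE_TAGS)[0],
        "sg-c": evaluate(SG_B_RULES, SG_C_TAGS, REFERENCE_RULES, RESOURCE_TAGS, EXCLUDE_RESOURCE_TAGS)[0],
    }


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(name, status)
```

Group A narrows both reference rules (SSH from a /24 inside 10.0.0.0/8) and is compliant; group B opens SSH to the world and adds port 8080, neither of which any master rule covers, so it is non-compliant at two rules; group C has identical rules but carries the excluded tag, so it is out of scope.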

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.