AWS Config
Developer Guide

fms-security-group-content-check

Checks whether the content of the security groups created by AWS Firewall Manager is the same as the content of the master security groups. The rule is NON_COMPLIANT if the content does not match.

Note

Only AWS Firewall Manager can create this rule.

Identifier: FMS_SECURITY_GROUP_CONTENT_CHECK

Trigger type: Configuration changes

AWS Regions: Only available in US East (N. Virginia), EU (Ireland), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Sydney), EU (Frankfurt), Asia Pacific (Seoul), US East (Ohio), and EU (London).

Parameters:

vpcIds (mandatory)

Comma-separated list of VPC IDs in the account.

securityGroupsIds (mandatory)

Comma-separated list of the IDs of the security groups that Firewall Manager created in every Amazon VPC in the account, sorted by VPC ID.

fmsRemediationEnabled (mandatory)

If true, AWS Firewall Manager updates NON_COMPLIANT resources according to the FMS policy. AWS Config ignores this parameter when you create this rule.

revertManualSecurityGroupChangesFlag (mandatory)

If true, AWS Firewall Manager will check the security groups in the securityGroupsIds parameter.

allowSecurityGroup (mandatory)

If true, the rule checks that all in-scope security groups are within the reference security group's inbound and outbound rules.

masterSecurityGroupsIds (optional)

This parameter applies only to the AWS Firewall Manager admin account. Comma-separated list of the IDs of the master security groups in the Firewall Manager admin account.
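The comparison this rule describes, shown as an added Python illustration that is not AWS's implementation of fms-security-group-content-check: it normalizes the ingress and egress rules of a master security group and a Firewall Manager-created copy, then evaluates the copy for both settings of allowSecurityGroup. Assumptions not stated on this page: "content" is taken to mean the IpPermissions and IpPermissionsEgress structures that EC2 DescribeSecurityGroups returns (tags, names and descriptions are ignored), "within the reference security group's rules" is read as a subset test on individual rules, and the sample security groups and their IDs are constructed placeholders.

```python
# Added illustration (not AWS's implementation) of the comparison this rule performs.
# ASSUMPTION: "content" means the ingress and egress rules as returned by EC2
# DescribeSecurityGroups (IpPermissions / IpPermissionsEgress); tags, names and
# descriptions are ignored here.
from typing import FrozenSet, List, Tuple

# One atomic rule: (protocol, from_port, to_port, target) where target is a CIDR,
# a referenced security group ID or a prefix list ID.
Rule = Tuple[str, int, int, str]


def normalize(permissions: List[dict]) -> FrozenSet[Rule]:
    """Flatten an IpPermissions list into a set of atomic rules so that the order
    of entries, or how CIDRs are grouped inside one entry, cannot cause a
    spurious mismatch."""
    rules = set()
    for perm in permissions:
        proto = perm.get("IpProtocol", "-1")  # "-1" means all protocols
        from_port = perm.get("FromPort", -1)
        to_port = perm.get("ToPort", -1)
        targets = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        targets += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        targets += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        targets += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        for target in targets:
            rules.add((proto, from_port, to_port, target))
    return frozenset(rules)


def sg_content(sg: dict) -> Tuple[FrozenSet[Rule], FrozenSet[Rule]]:
    """(ingress rules, egress rules) of one security group description."""
    return (normalize(sg.get("IpPermissions", [])),
            normalize(sg.get("IpPermissionsEgress", [])))


def evaluate(master: dict, managed: dict, allow_security_group: bool) -> Tuple[str, str]:
    """Compliance of one Firewall Manager-created group against its master.

    allowSecurityGroup=False: content must equal the master's content.
    allowSecurityGroup=True: every rule of the managed group must be within the
    master's rules, read here (assumption) as a subset test on atomic rules.
    Returns (compliance, reason)."""
    m_in, m_out = sg_content(master)
    g_in, g_out = sg_content(managed)
    if allow_security_group:
        outside = (g_in - m_in) | (g_out - m_out)
        if outside:
            return "NON_COMPLIANT", f"rules outside reference group: {sorted(outside)}"
        return "COMPLIANT", "all rules are within the reference group"
    if (m_in, m_out) != (g_in, g_out):
        diff = (m_in ^ g_in) | (m_out ^ g_out)
        return "NON_COMPLIANT", f"content differs from master: {sorted(diff)}"
    return "COMPLIANT", "content matches master"


# Constructed sample data in DescribeSecurityGroups shape; the IDs are placeholders.
MASTER_SG = {
    "GroupId": "sg-master-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "192.168.0.0/16"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
# Same rules as the master, grouped differently: must still be COMPLIANT.
MANAGED_OK = {
    "GroupId": "sg-copy-ok-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
    "IpPermissionsEgress": MASTER_SG["IpPermissionsEgress"],
}
# A manual edit added an inbound rule the master does not have (drift).
MANAGED_DRIFT = {
    "GroupId": "sg-copy-drift-placeholder",
    "IpPermissions": MASTER_SG["IpPermissions"] + [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": MASTER_SG["IpPermissionsEgress"],
}
# Strict subset of the master's rules: fails the exact match, passes allowSecurityGroup.
MANAGED_SUBSET = {
    "GroupId": "sg-copy-subset-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
    "IpPermissionsEgress": MASTER_SG["IpPermissionsEgress"],
}

if __name__ == "__main__":
    for sg in (MANAGED_OK, MANAGED_DRIFT, MANAGED_SUBSET):
        for flag in (False, True):
            status, reason = evaluate(MASTER_SG, sg, flag)
            print(f"{sg['GroupId']} allowSecurityGroup={flag}: {status} ({reason})")
```

Normalizing into atomic rules before comparing is the design point: two groups that list the same CIDRs in a different order, or split across separate entries, are the same content and must not be reported as drift, while an added rule (the MANAGED_DRIFT case) is reported with the exact rule that differs so the finding is actionable.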

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.