List of AWS Config Managed Rules

AWS Config currently supports the following managed rules. Before using these rules, see Considerations.

Topics

• access-keys-rotated

• account-part-of-organizations

• acmpca-certificate-authority-tagged

• acm-certificate-expiration-check

• acm-certificate-rsa-check

• acm-pca-root-ca-disabled

• active-mq-supported-version

• alb-desync-mode-check

• alb-http-drop-invalid-header-enabled

• alb-http-to-https-redirection-check

• alb-internal-scheme-check

• alb-waf-enabled

• amplify-app-branch-auto-deletion-enabled

• amplify-app-description

• amplify-app-tagged

• amplify-branch-performance-mode-enabled

• amplify-branch-tagged

• api-gwv2-access-logs-enabled

• api-gwv2-authorization-type-configured

• api-gw-associated-with-waf

• api-gw-cache-enabled-and-encrypted

• api-gw-endpoint-type-check

• api-gw-execution-logging-enabled

• api-gw-ssl-enabled

• api-gw-xray-enabled

• appconfig-application-description

• appconfig-application-tagged

• appconfig-configuration-profile-tagged

• appconfig-configuration-profile-validators-not-empty

• appconfig-deployment-strategy-description

• appconfig-deployment-strategy-replicate-to-ssm

• appconfig-environment-description

• appconfig-environment-tagged

• appconfig-extension-association-tagged

• appconfig-freeform-profile-config-storage

• appconfig-hosted-configuration-version-description

• appflow-flow-tagged

• appintegrations-event-integration-description

• appintegrations-event-integration-tagged

• appmesh-gateway-route-tagged

• appmesh-mesh-deny-tcp-forwarding

• appmesh-mesh-tagged

• appmesh-route-tagged

• appmesh-virtual-gateway-backend-defaults-tls

• appmesh-virtual-gateway-logging-file-path-exists

• appmesh-virtual-gateway-tagged

• appmesh-virtual-node-backend-defaults-tls-on

• appmesh-virtual-node-logging-file-path-exists

• appmesh-virtual-node-tagged

• appmesh-virtual-router-tagged

• appmesh-virtual-service-tagged

• approved-amis-by-id

• approved-amis-by-tag

• apprunner-service-in-vpc

• apprunner-service-no-public-access

• apprunner-service-observability-enabled

• apprunner-service-tagged

• apprunner-vpc-connector-multi-az

• apprunner-vpc-connector-tagged

• appstream-fleet-in-vpc

• appstream-fleet-multi-az

• appsync-associated-with-waf

• appsync-authorization-check

• appsync-cache-ct-encryption-at-rest

• appsync-cache-ct-encryption-in-transit

• appsync-cache-encryption-at-rest

• appsync-logging-enabled

• athena-data-catalog-description

• athena-prepared-statement-description

• athena-workgroup-description

• athena-workgroup-encrypted-at-rest

• athena-workgroup-enforce-workgroup-configuration

• athena-workgroup-engine-version-auto-upgrade

• athena-workgroup-logging-enabled

• aurora-last-backup-recovery-point-created

• aurora-meets-restore-time-target

• aurora-mysql-backtracking-enabled

• aurora-mysql-cluster-audit-logging

• aurora-resources-in-logically-air-gapped-vault

• aurora-resources-protected-by-backup-plan

• autoscaling-capacity-rebalancing

• autoscaling-group-elb-healthcheck-required

• autoscaling-launchconfig-requires-imdsv2

• autoscaling-launch-config-hop-limit

• autoscaling-launch-config-public-ip-disabled

• autoscaling-launch-template

• autoscaling-multiple-az

• autoscaling-multiple-instance-types

• aws-config-process-check

• backup-plan-min-frequency-and-min-retention-check

• backup-recovery-point-encrypted

• backup-recovery-point-manual-deletion-disabled

• backup-recovery-point-minimum-retention-check

• batch-compute-environment-enabled

• batch-compute-environment-managed

• batch-compute-environment-tagged

• batch-job-queue-enabled

• batch-job-queue-tagged

• batch-managed-compute-environment-using-launch-template

• batch-managed-compute-env-compute-resources-tagged

• batch-scheduling-policy-tagged

• beanstalk-enhanced-health-reporting-enabled

• beanstalk-logs-to-cloudwatch

• cassandra-keyspace-tagged

• clb-desync-mode-check

• clb-multiple-az

• cloudformation-stack-drift-detection-check

• cloudformation-stack-notification-check

• cloudfront-accesslogs-enabled

• cloudfront-associated-with-waf

• cloudfront-custom-ssl-certificate

• cloudfront-default-root-object-configured

• cloudfront-no-deprecated-ssl-protocols

• cloudfront-origin-access-identity-enabled

• cloudfront-origin-failover-enabled

• cloudfront-s3-origin-access-control-enabled

• cloudfront-s3-origin-non-existent-bucket

• cloudfront-security-policy-check

• cloudfront-sni-enabled

• cloudfront-traffic-to-origin-encrypted

• cloudfront-viewer-policy-https

• cloudtrail-all-read-s3-data-event-check

• cloudtrail-all-write-s3-data-event-check

• cloudtrail-s3-bucket-access-logging

• cloudtrail-s3-bucket-public-access-prohibited

• cloudtrail-s3-dataevents-enabled

• cloudtrail-security-trail-enabled

• cloudwatch-alarm-action-check

• cloudwatch-alarm-action-enabled-check

• cloudwatch-alarm-resource-check

• cloudwatch-alarm-settings-check

• cloudwatch-log-group-encrypted

• cloud-trail-cloud-watch-logs-enabled

• cloudtrail-enabled

• cloud-trail-encryption-enabled

• cloud-trail-log-file-validation-enabled

• cmk-backing-key-rotation-enabled

• codebuild-project-artifact-encryption

• codebuild-project-environment-privileged-check

• codebuild-project-envvar-awscred-check

• codebuild-project-logging-enabled

• codebuild-project-s3-logs-encrypted

• codebuild-project-source-repo-url-check

• codebuild-report-group-encrypted-at-rest

• codedeploy-auto-rollback-monitor-enabled

• codedeploy-deployment-group-auto-rollback-enabled

• codedeploy-deployment-group-outdated-instances-update

• codedeploy-ec2-minimum-healthy-hosts-configured

• codedeploy-lambda-allatonce-traffic-shift-disabled

• codeguruprofiler-profiling-group-tagged

• codegurureviewer-repository-association-tagged

• codepipeline-deployment-count-check

• codepipeline-region-fanout-check

• cognito-user-pool-advanced-security-enabled

• connect-instance-logging-enabled

• customerprofiles-object-type-allow-profile-creation

• customerprofiles-object-type-tagged

• custom-eventbus-policy-attached

• custom-schema-registry-policy-attached

• cw-loggroup-retention-period-check

• datasync-task-data-verification-enabled

• datasync-task-logging-enabled

• datasync-task-tagged

• dax-encryption-enabled

• dax-tls-endpoint-encryption

• db-instance-backup-enabled

• desired-instance-tenancy

• desired-instance-type

• dms-auto-minor-version-upgrade-check

• dms-endpoint-ssl-configured

• dms-mongo-db-authentication-enabled

• dms-neptune-iam-authorization-enabled

• dms-redis-tls-enabled

• dms-replication-not-public

• dms-replication-task-sourcedb-logging

• dms-replication-task-targetdb-logging

• docdb-cluster-audit-logging-enabled

• docdb-cluster-backup-retention-check

• docdb-cluster-deletion-protection-enabled

• docdb-cluster-encrypted

• docdb-cluster-encrypted-in-transit

• docdb-cluster-snapshot-public-prohibited

• dynamodb-autoscaling-enabled

• dynamodb-in-backup-plan

• dynamodb-last-backup-recovery-point-created

• dynamodb-meets-restore-time-target

• dynamodb-pitr-enabled

• dynamodb-resources-protected-by-backup-plan

• dynamodb-table-deletion-protection-enabled

• dynamodb-table-encrypted-kms

• dynamodb-table-encryption-enabled

• dynamodb-throughput-limit-check

• ebs-in-backup-plan

• ebs-last-backup-recovery-point-created

• ebs-meets-restore-time-target

• ebs-optimized-instance

• ebs-resources-in-logically-air-gapped-vault

• ebs-resources-protected-by-backup-plan

• ebs-snapshot-public-restorable-check

• ec2-client-vpn-connection-log-enabled

• ec2-client-vpn-not-authorize-all

• ec2-ebs-encryption-by-default

• ec2-imdsv2-check

• ec2-instance-detailed-monitoring-enabled

• ec2-instance-launched-with-allowed-ami

• ec2-instance-managed-by-systems-manager

• ec2-instance-multiple-eni-check

• ec2-instance-no-public-ip

• ec2-instance-profile-attached

• ec2-last-backup-recovery-point-created

• ec2-launch-template-imdsv2-check

• ec2-launch-template-public-ip-disabled

• ec2-launch-template-tagged

• ec2-managedinstance-applications-blacklisted

• ec2-managedinstance-applications-required

• ec2-managedinstance-association-compliance-status-check

• ec2-managedinstance-inventory-blacklisted

• ec2-managedinstance-patch-compliance-status-check

• ec2-managedinstance-platform-check

• ec2-meets-restore-time-target

• ec2-no-amazon-key-pair

• ec2-paravirtual-instance-check

• ec2-prefix-list-tagged

• ec2-resources-in-logically-air-gapped-vault

• ec2-resources-protected-by-backup-plan

• ec2-security-group-attached-to-eni

• ec2-security-group-attached-to-eni-periodic

• ec2-stopped-instance

• ec2-token-hop-limit-check

• ec2-traffic-mirror-filter-description

• ec2-traffic-mirror-filter-tagged

• ec2-traffic-mirror-session-description

• ec2-traffic-mirror-session-tagged

• ec2-traffic-mirror-target-description

• ec2-traffic-mirror-target-tagged

• ec2-transit-gateway-auto-vpc-attach-disabled

• ec2-volume-inuse-check

• ec2-vpn-connection-logging-enabled

• ecr-private-image-scanning-enabled

• ecr-private-lifecycle-policy-configured

• ecr-private-tag-immutability-enabled

• ecr-repository-cmk-encryption-enabled

• ecr-repository-lifecycle-policy-configured

• ecs-awsvpc-networking-enabled

• ecs-containers-nonprivileged

• ecs-containers-readonly-access

• ecs-container-insights-enabled

• ecs-fargate-latest-platform-version

• ecs-no-environment-secrets

• ecs-task-definition-log-configuration

• ecs-task-definition-memory-hard-limit

• ecs-task-definition-nonroot-user

• ecs-task-definition-pid-mode-check

• ecs-task-definition-user-for-host-mode-check

• efs-access-point-enforce-root-directory

• efs-access-point-enforce-user-identity

• efs-automatic-backups-enabled

• efs-encrypted-check

• efs-filesystem-ct-encrypted

• efs-in-backup-plan

• efs-last-backup-recovery-point-created

• efs-meets-restore-time-target

• efs-mount-target-public-accessible

• efs-resources-in-logically-air-gapped-vault

• efs-resources-protected-by-backup-plan

• eip-attached

• eks-cluster-logging-enabled

• eks-cluster-log-enabled

• eks-cluster-oldest-supported-version

• eks-cluster-secrets-encrypted

• eks-cluster-supported-version

• eks-endpoint-no-public-access

• eks-secrets-encrypted

• elasticache-auto-minor-version-upgrade-check

• elasticache-rbac-auth-enabled

• elasticache-redis-cluster-automatic-backup-check

• elasticache-repl-grp-auto-failover-enabled

• elasticache-repl-grp-encrypted-at-rest

• elasticache-repl-grp-encrypted-in-transit

• elasticache-repl-grp-redis-auth-enabled

• elasticache-subnet-group-check

• elasticache-supported-engine-version

• elasticbeanstalk-application-description

• elasticbeanstalk-application-version-description

• elasticbeanstalk-environment-description

• elasticsearch-encrypted-at-rest

• elasticsearch-in-vpc-only

• elasticsearch-logs-to-cloudwatch

• elasticsearch-node-to-node-encryption-check

• elasticsearch-update-check

• elastic-beanstalk-logs-to-cloudwatch

• elastic-beanstalk-managed-updates-enabled

• elbv2-acm-certificate-required

• elbv2-multiple-az

• elbv2-predefined-security-policy-ssl-check

• elb-acm-certificate-required

• elb-cross-zone-load-balancing-enabled

• elb-custom-security-policy-ssl-check

• elb-deletion-protection-enabled

• elb-logging-enabled

• elb-predefined-security-policy-ssl-check

• elb-tls-https-listeners-only

• emr-block-public-access

• emr-kerberos-enabled

• emr-master-no-public-ip

• emr-security-configuration-encryption-rest

• emr-security-configuration-encryption-transit

• encrypted-volumes

• evidently-launch-description

• evidently-launch-tagged

• evidently-project-description

• evidently-project-tagged

• evidently-segment-description

• evidently-segment-tagged

• fis-experiment-template-log-configuration-exists

• fis-experiment-template-tagged

• fms-network-firewall-resource-check

• fms-security-groups-audit-policy-check

• fms-shield-resource-policy-check

• fms-webacl-resource-policy-check

• fms-webacl-rulegroup-association-check

• frauddetector-entity-type-tagged

• frauddetector-label-tagged

• frauddetector-outcome-tagged

• frauddetector-variable-tagged

• fsx-last-backup-recovery-point-created

• fsx-lustre-copy-tags-to-backups

• fsx-meets-restore-time-target

• fsx-ontap-deployment-type-check

• fsx-openzfs-copy-tags-enabled

• fsx-openzfs-deployment-type-check

• fsx-resources-protected-by-backup-plan

• fsx-windows-audit-log-configured

• fsx-windows-deployment-type-check

• global-endpoint-event-replication-enabled

• glue-job-logging-enabled

• glue-ml-transform-encrypted-at-rest

• glue-spark-job-supported-version

• guardduty-ec2-protection-runtime-enabled

• guardduty-ecs-protection-runtime-enabled

• guardduty-eks-protection-audit-enabled

• guardduty-eks-protection-runtime-enabled

• guardduty-enabled-centralized

• guardduty-lambda-protection-enabled

• guardduty-malware-protection-enabled

• guardduty-non-archived-findings

• guardduty-rds-protection-enabled

• guardduty-runtime-monitoring-enabled

• guardduty-s3-protection-enabled

• iam-customer-policy-blocked-kms-actions

• iam-external-access-analyzer-enabled

• iam-group-has-users-check

• iam-inline-policy-blocked-kms-actions

• iam-no-inline-policy-check

• iam-password-policy

• iam-policy-blacklisted-check

• iam-policy-in-use

• iam-policy-no-statements-with-admin-access

• iam-policy-no-statements-with-full-access

• iam-role-managed-policy-check

• iam-root-access-key-check

• iam-server-certificate-expiration-check

• iam-user-group-membership-check

• iam-user-mfa-enabled

• iam-user-no-policies-check

• iam-user-unused-credentials-check

• restricted-ssh

• inspector-ec2-scan-enabled

• inspector-ecr-scan-enabled

• inspector-lambda-code-scan-enabled

• inspector-lambda-standard-scan-enabled

• ec2-instances-in-vpc

• internet-gateway-authorized-vpc-only

• iotevents-alarm-model-tagged

• iotevents-detector-model-tagged

• iotevents-input-tagged

• iotsitewise-asset-model-tagged

• iotsitewise-dashboard-tagged

• iotsitewise-gateway-tagged

• iotsitewise-portal-tagged

• iotsitewise-project-tagged

• iottwinmaker-component-type-tagged

• iottwinmaker-entity-tagged

• iottwinmaker-scene-tagged

• iottwinmaker-sync-job-tagged

• iottwinmaker-workspace-tagged

• iotwireless-fuota-task-tagged

• iotwireless-multicast-group-tagged

• iotwireless-service-profile-tagged

• iot-authorizer-token-signing-enabled

• ivs-channel-playback-authorization-enabled

• ivs-channel-tagged

• ivs-playback-key-pair-tagged

• ivs-recording-configuration-tagged

• kinesis-firehose-delivery-stream-encrypted

• kinesis-stream-backup-retention-check

• kinesis-stream-encrypted

• kms-cmk-not-scheduled-for-deletion

• kms-key-policy-no-public-access

• lambda-concurrency-check

• lambda-dlq-check

• lambda-function-public-access-prohibited

• lambda-function-settings-check

• lambda-inside-vpc

• lambda-vpc-multi-az-check

• lightsail-disk-tagged

• macie-auto-sensitive-data-discovery-check

• macie-status-check

• mariadb-publish-logs-to-cloudwatch-logs

• mfa-enabled-for-iam-console-access

• mq-active-broker-ldap-authentication

• mq-active-deployment-mode

• mq-active-single-instance-broker-storage-type-efs

• mq-automatic-minor-version-upgrade-enabled

• mq-auto-minor-version-upgrade-enabled

• mq-broker-general-logging-enabled

• mq-cloudwatch-audit-logging-enabled

• mq-cloudwatch-audit-log-enabled

• mq-no-public-access

• mq-rabbit-deployment-mode

• msk-enhanced-monitoring-enabled

• msk-in-cluster-node-require-tls

• multi-region-cloudtrail-enabled

• nacl-no-unrestricted-ssh-rdp

• neptune-cluster-backup-retention-check

• neptune-cluster-cloudwatch-log-export-enabled

• neptune-cluster-copy-tags-to-snapshot-enabled

• neptune-cluster-deletion-protection-enabled

• neptune-cluster-encrypted

• neptune-cluster-iam-database-authentication

• neptune-cluster-multi-az-enabled

• neptune-cluster-snapshot-encrypted

• neptune-cluster-snapshot-public-prohibited

• netfw-deletion-protection-enabled

• netfw-logging-enabled

• netfw-multi-az-enabled

• netfw-policy-default-action-fragment-packets

• netfw-policy-default-action-full-packets

• netfw-policy-rule-group-associated

• netfw-stateless-rule-group-not-empty

• netfw-subnet-change-protection-enabled

• nlb-internal-scheme-check

• no-unrestricted-route-to-igw

• opensearch-access-control-enabled

• opensearch-audit-logging-enabled

• opensearch-data-node-fault-tolerance

• opensearch-encrypted-at-rest

• opensearch-https-required

• opensearch-in-vpc-only

• opensearch-logs-to-cloudwatch

• opensearch-node-to-node-encryption-check

• opensearch-primary-node-fault-tolerance

• opensearch-update-check

• rabbit-mq-supported-version

• rds-aurora-mysql-audit-logging-enabled

• rds-aurora-postgresql-logs-to-cloudwatch

• rds-automatic-minor-version-upgrade-enabled

• rds-cluster-auto-minor-version-upgrade-enable

• rds-cluster-default-admin-check

• rds-cluster-deletion-protection-enabled

• rds-cluster-encrypted-at-rest

• rds-cluster-iam-authentication-enabled

• rds-cluster-multi-az-enabled

• rds-db-security-group-not-allowed

• rds-enhanced-monitoring-enabled

• rds-instance-default-admin-check

• rds-instance-deletion-protection-enabled

• rds-instance-iam-authentication-enabled

• rds-instance-public-access-check

• rds-in-backup-plan

• rds-last-backup-recovery-point-created

• rds-logging-enabled

• rds-mariadb-instance-encrypted-in-transit

• rds-meets-restore-time-target

• rds-multi-az-support

• rds-mysql-instance-encrypted-in-transit

• rds-postgresql-logs-to-cloudwatch

• rds-postgres-instance-encrypted-in-transit

• rds-resources-protected-by-backup-plan

• rds-snapshots-public-prohibited

• rds-snapshot-encrypted

• rds-sqlserver-encrypted-in-transit

• rds-sql-server-logs-to-cloudwatch

• rds-storage-encrypted

• redshift-backup-enabled

• redshift-cluster-configuration-check

• redshift-cluster-kms-enabled

• redshift-cluster-maintenancesettings-check

• redshift-cluster-parameter-group-tagged

• redshift-cluster-public-access-check

• redshift-cluster-subnet-group-multi-az

• redshift-default-admin-check

• redshift-default-db-name-check

• redshift-enhanced-vpc-routing-enabled

• redshift-require-tls-ssl

• redshift-serverless-workgroup-routes-within-vpc

• redshift-unrestricted-port-access

• required-tags

• restricted-common-ports

• root-account-hardware-mfa-enabled

• root-account-mfa-enabled

• route53-query-logging-enabled

• s3-access-point-in-vpc-only

• s3-access-point-public-access-blocks

• s3-account-level-public-access-blocks

• s3-account-level-public-access-blocks-periodic

• s3-bucket-acl-prohibited

• s3-bucket-blacklisted-actions-prohibited

• s3-bucket-cross-region-replication-enabled

• s3-bucket-default-lock-enabled

• s3-bucket-level-public-access-prohibited

• s3-bucket-logging-enabled

• s3-bucket-mfa-delete-enabled

• s3-bucket-policy-grantee-check

• s3-bucket-policy-not-more-permissive

• s3-bucket-public-read-prohibited

• s3-bucket-public-write-prohibited

• s3-bucket-replication-enabled

• s3-bucket-server-side-encryption-enabled

• s3-bucket-ssl-requests-only

• s3-bucket-versioning-enabled

• s3-default-encryption-kms

• s3-event-notifications-enabled

• s3-last-backup-recovery-point-created

• s3-meets-restore-time-target

• s3-resources-in-logically-air-gapped-vault

• s3-resources-protected-by-backup-plan

• s3-version-lifecycle-policy-check

• sagemaker-app-image-config-tagged

• sagemaker-domain-in-vpc

• sagemaker-endpoint-configuration-kms-key-configured

• sagemaker-endpoint-config-prod-instance-count

• sagemaker-image-description

• sagemaker-image-tagged

• sagemaker-model-in-vpc

• sagemaker-model-isolation-enabled

• sagemaker-notebook-instance-inside-vpc

• sagemaker-notebook-instance-kms-key-configured

• sagemaker_notebook_instance_platform_version

• sagemaker-notebook-instance-root-access-check

• sagemaker-notebook-no-direct-internet-access

• secretsmanager-rotation-enabled-check

• secretsmanager-scheduled-rotation-success-check

• secretsmanager-secret-periodic-rotation

• secretsmanager-secret-unused

• secretsmanager-using-cmk

• securityhub-enabled

• security-account-information-provided

• service-catalog-shared-within-organization

• service-vpc-endpoint-enabled

• ses-malware-scanning-enabled

• shield-advanced-enabled-autorenew

• shield-drt-access

• sns-encrypted-kms

• sns-topic-message-delivery-notification-enabled

• sns-topic-no-public-access

• sqs-queue-no-public-access

• ssm-document-not-public

• ssm-document-tagged

• step-functions-state-machine-logging-enabled

• storagegateway-last-backup-recovery-point-created

• storagegateway-resources-in-logically-air-gapped-vault

• storagegateway-resources-protected-by-backup-plan

• subnet-auto-assign-public-ip-disabled

• transfer-agreement-description

• transfer-agreement-tagged

• transfer-certificate-description

• transfer-certificate-tagged

• transfer-connector-logging-enabled

• transfer-connector-tagged

• transfer-family-server-no-ftp

• transfer-profile-tagged

• transfer-workflow-description

• transfer-workflow-tagged

• virtualmachine-last-backup-recovery-point-created

• virtualmachine-resources-in-logically-air-gapped-vault

• virtualmachine-resources-protected-by-backup-plan

• vpc-default-security-group-closed

• vpc-endpoint-enabled

• vpc-flow-logs-enabled

• vpc-network-acl-unused-check

• vpc-peering-dns-resolution-check

• vpc-sg-open-only-to-authorized-ports

• vpc-sg-port-restriction-check

• vpc-vpn-2-tunnels-up

• wafv2-logging-enabled

• wafv2-rulegroup-logging-enabled

• wafv2-rulegroup-not-empty

• wafv2-webacl-not-empty

• waf-classic-logging-enabled

• waf-global-rulegroup-not-empty

• waf-global-rule-not-empty

• waf-global-webacl-not-empty

• waf-regional-rulegroup-not-empty

• waf-regional-rule-not-empty

• waf-regional-webacl-not-empty

• workspaces-root-volume-encryption-enabled

• workspaces-user-volume-encryption-enabled