Operational Best Practices for ACSC ISM - Part 2 - AWS Config

Operational Best Practices for ACSC ISM - Part 2

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides additional sample mapping between the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) 2020-06 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ISM controls. An ISM control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within the ISM framework, which was created by the Commonwealth of Australia and can be found at Australian Government Information Security Manual. Licensing of the framework under Creative Commons Attribution 4.0 International Public License and copyright information for the framework (including a disclaimer of warranties) can be found at ACSC | Copyright.

Each entry below lists, in order, the ISM Control ID, the AWS Config Rule name, and the Guidance for that rule.
1984

appmesh-virtual-gateway-backend-defaults-tls

Checks if backend defaults for AWS App Mesh virtual gateways require the virtual gateways to communicate with all ports using TLS. The rule is NON_COMPLIANT if configuration.Spec.BackendDefaults.ClientPolicy.Tls.Enforce is false.

1984

appmesh-virtual-node-backend-defaults-tls-on

Checks if backend defaults for AWS App Mesh virtual nodes require the virtual nodes to communicate with all ports using TLS. The rule is NON_COMPLIANT if configuration.Spec.BackendDefaults.ClientPolicy.Tls.Enforce is false.

1984

msk-in-cluster-node-require-tls

Checks if an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.

1984

rds-mysql-instance-encrypted-in-transit

Checks if connections to Amazon RDS for MySQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the require_secure_transport parameter is not set to 1.

1984

rds-postgres-instance-encrypted-in-transit

Checks if connections to Amazon RDS for PostgreSQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the rds.force_ssl parameter is not set to 1.
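The two RDS in-transit rules above share one shape: the associated parameter group must be in-sync, and an engine-specific parameter must equal 1. The following is an added example (not AWS Config's own implementation) that models that evaluation locally. Its inputs are constructed dictionaries shaped like the boto3 `describe_db_instances()` and `describe_db_parameters()` responses; the instance names, group names and values are made up for the example, and nothing here calls AWS.

```python
# Added example: local model of rds-mysql-instance-encrypted-in-transit and
# rds-postgres-instance-encrypted-in-transit. Not AWS Config's code. Input data
# is constructed to match the boto3 RDS response shapes; no AWS API is called.

# Parameter that must be "1" for each engine, as named in the rule guidance.
REQUIRED_PARAMETER = {"mysql": "require_secure_transport", "postgres": "rds.force_ssl"}


def evaluate_in_transit(instance, parameters_by_group):
    """Evaluate one DB instance.

    instance: one element of describe_db_instances()["DBInstances"].
    parameters_by_group: {parameter group name: describe_db_parameters()["Parameters"]}.
    Returns (status, reason) with status COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE.
    """
    parameter = REQUIRED_PARAMETER.get(instance["Engine"])
    if parameter is None:
        return "NOT_APPLICABLE", f"engine {instance['Engine']} is not covered by these rules"
    groups = instance.get("DBParameterGroups", [])
    # First condition: every associated parameter group must be in-sync. A
    # pending-reboot group means the stored value is not the value in effect,
    # so TLS enforcement cannot be assumed yet.
    for group in groups:
        status = group.get("ParameterApplyStatus")
        if status != "in-sync":
            return "NON_COMPLIANT", (
                f"parameter group {group['DBParameterGroupName']} is {status}, not in-sync")
    # Second condition: the engine-specific parameter must be set to 1.
    for group in groups:
        for param in parameters_by_group.get(group["DBParameterGroupName"], []):
            if param.get("ParameterName") == parameter:
                if param.get("ParameterValue") == "1":
                    return "COMPLIANT", f"{parameter}=1 and parameter groups in-sync"
                return "NON_COMPLIANT", (
                    f"{parameter} is {param.get('ParameterValue')!r}, expected '1'")
    return "NON_COMPLIANT", f"{parameter} is not set in any associated parameter group"


# Constructed sample data (not real instances): one compliant MySQL instance, one
# whose group change is still pending a reboot, one PostgreSQL instance with
# rds.force_ssl=0, and one MariaDB instance that neither rule covers.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
     "DBParameterGroups": [{"DBParameterGroupName": "tls-mysql",
                            "ParameterApplyStatus": "in-sync"}]},
    {"DBInstanceIdentifier": "orders-mysql-pending", "Engine": "mysql",
     "DBParameterGroups": [{"DBParameterGroupName": "tls-mysql",
                            "ParameterApplyStatus": "pending-reboot"}]},
    {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres",
     "DBParameterGroups": [{"DBParameterGroupName": "example-postgres",
                            "ParameterApplyStatus": "in-sync"}]},
    {"DBInstanceIdentifier": "cache-mariadb", "Engine": "mariadb",
     "DBParameterGroups": [{"DBParameterGroupName": "example-mariadb",
                            "ParameterApplyStatus": "in-sync"}]},
]
SAMPLE_PARAMETERS = {
    "tls-mysql": [{"ParameterName": "require_secure_transport", "ParameterValue": "1"}],
    "example-postgres": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}],
}


def evaluate_all(instances=SAMPLE_INSTANCES, parameters=SAMPLE_PARAMETERS):
    """Map each instance identifier to its compliance status."""
    return {i["DBInstanceIdentifier"]: evaluate_in_transit(i, parameters)[0] for i in instances}


if __name__ == "__main__":
    for identifier, instance in zip(evaluate_all(), SAMPLE_INSTANCES):
        print(identifier, *evaluate_in_transit(instance, SAMPLE_PARAMETERS))
```

The in-sync check runs before the parameter lookup on purpose: a group that has `require_secure_transport=1` stored but is still pending-reboot is reported NON_COMPLIANT with the reason naming the group, which is the case operators most often miss after changing a parameter group.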

1985

ebs-snapshot-public-restorable-check

Checks if Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots have the RestorableByUserIds field set to all, that is, if the Amazon EBS snapshots are public.

1985

s3-bucket-mfa-delete-enabled

Checks if MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.

1985

s3-bucket-public-read-prohibited

Checks if your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

The rule is compliant when both of the following are true:

  • The Block Public Access setting restricts public policies or the bucket policy does not allow public read access.

  • The Block Public Access setting restricts public ACLs or the bucket ACL does not allow public read access.

The rule is non-compliant when either of the following is true:

  • The Block Public Access setting does not restrict public policies, so AWS Config evaluates the bucket policy, and the policy allows public read access.

  • The Block Public Access setting does not restrict public bucket ACLs, so AWS Config evaluates the bucket ACL, and the ACL allows public read access.

1985

s3-bucket-public-write-prohibited

Checks if your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

The rule is compliant when both of the following are true:

  • The Block Public Access setting restricts public policies or the bucket policy does not allow public write access.

  • The Block Public Access setting restricts public ACLs or the bucket ACL does not allow public write access.

The rule is non-compliant when either of the following is true:

  • The Block Public Access setting does not restrict public policies, so AWS Config evaluates the bucket policy, and the policy allows public write access.

  • The Block Public Access setting does not restrict public bucket ACLs, so AWS Config evaluates the bucket ACL, and the ACL allows public write access.
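The read and write rules above apply the same two-branch logic: a public policy only matters when Block Public Access does not restrict public policies, and a public ACL only matters when Block Public Access does not restrict public ACLs. The following is an added example (not AWS Config's own code) that models both rules over constructed bucket descriptions. Two simplifications are assumptions of this model, not statements from the page: "restricts public policies" is mapped to the RestrictPublicBuckets flag, "restricts public ACLs" to the IgnorePublicAcls flag, and policy conditions (for example a source-VPC restriction that would make a `Principal: "*"` statement non-public) are ignored.

```python
# Added example: local model of s3-bucket-public-read-prohibited and
# s3-bucket-public-write-prohibited. Not AWS Config's code. Bucket data is
# constructed inline; the flag mapping below is an assumption of this model.
from dataclasses import dataclass, field

# S3 predefined grantee groups whose grants make an ACL public.
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}

# (policy actions, ACL permissions) that confer each access level.
ACCESS = {
    "read": ({"s3:GetObject", "s3:ListBucket", "s3:*"}, {"READ", "FULL_CONTROL"}),
    "write": ({"s3:PutObject", "s3:DeleteObject", "s3:*"}, {"WRITE", "FULL_CONTROL"}),
}


@dataclass
class Bucket:
    name: str
    # Block Public Access flags, named after the PublicAccessBlock configuration.
    restrict_public_buckets: bool = False  # "restricts public policies" (assumption)
    ignore_public_acls: bool = False       # "restricts public ACLs" (assumption)
    # Policy statements simplified to (effect, principal, [actions]); conditions ignored.
    policy_statements: list = field(default_factory=list)
    # ACL grants simplified to (grantee, permission).
    acl_grants: list = field(default_factory=list)


def policy_allows_public(bucket, actions):
    """True if any Allow statement grants one of `actions` to the wildcard principal."""
    return any(
        effect == "Allow" and principal == "*" and set(stmt_actions) & actions
        for effect, principal, stmt_actions in bucket.policy_statements
    )


def acl_allows_public(bucket, permissions):
    """True if any ACL grant gives one of `permissions` to a public grantee group."""
    return any(
        grantee in PUBLIC_GRANTEES and perm in permissions
        for grantee, perm in bucket.acl_grants
    )


def evaluate(bucket, access):
    """Return (status, reason) for access "read" or "write"."""
    actions, permissions = ACCESS[access]
    # Policy branch: inspected only when Block Public Access does not restrict public policies.
    if not bucket.restrict_public_buckets and policy_allows_public(bucket, actions):
        return "NON_COMPLIANT", f"bucket policy allows public {access}"
    # ACL branch: inspected only when Block Public Access does not restrict public ACLs.
    if not bucket.ignore_public_acls and acl_allows_public(bucket, permissions):
        return "NON_COMPLIANT", f"bucket ACL allows public {access}"
    return "COMPLIANT", f"no public {access} path found"


# Constructed sample buckets (not real resources). The account ID is the
# standard placeholder 123456789012.
SAMPLE_BUCKETS = [
    Bucket("website-assets", policy_statements=[("Allow", "*", ["s3:GetObject"])]),
    Bucket("website-assets-locked", restrict_public_buckets=True,
           policy_statements=[("Allow", "*", ["s3:GetObject"])]),
    Bucket("drop-box", acl_grants=[("AllUsers", "WRITE")]),
    Bucket("drop-box-locked", ignore_public_acls=True, acl_grants=[("AllUsers", "WRITE")]),
    Bucket("private-logs",
           policy_statements=[("Allow", "arn:aws:iam::123456789012:root", ["s3:*"])]),
]


def evaluate_all(buckets=SAMPLE_BUCKETS):
    """Map each bucket name to {"read": status, "write": status}."""
    return {b.name: {access: evaluate(b, access)[0] for access in ACCESS} for b in buckets}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: read={result['read']} write={result['write']}")
```

Note that `drop-box` is read-COMPLIANT but write-NON_COMPLIANT: a public WRITE grant does not confer read access, which is why the two rules are evaluated separately and why a bucket can pass one while failing the other.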

1985

aurora-resources-in-logically-air-gapped-vault

Checks if Amazon Aurora DB clusters are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon Aurora DB cluster is not in a logically air-gapped vault within the specified time period.

1985

ebs-resources-in-logically-air-gapped-vault

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EBS volume is not in a logically air-gapped vault within the specified time period.

1985

ec2-resources-in-logically-air-gapped-vault

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EC2 instance is not in a logically air-gapped vault within the specified time period.

1985

efs-resources-in-logically-air-gapped-vault

Checks if Amazon Elastic File System (Amazon EFS) File Systems are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EFS File System is not in a logically air-gapped vault within the specified time period.

1985

s3-resources-in-logically-air-gapped-vault

Checks if Amazon Simple Storage Service (Amazon S3) buckets are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon S3 bucket is not in a logically air-gapped vault within the specified time period.

Template

This template is available on GitHub: Operational Best Practices for ACSC ISM - Part 2.