Liste des règles AWS Config gérées

AWS Config prend actuellement en charge les règles gérées suivantes.

Note

Les valeurs par défaut spécifiées pour les règles gérées sont préremplies uniquement lors de l'utilisation de la AWS console. Les valeurs par défaut ne sont pas fournies pour l'API, la CLI ou le kit SDK.

Rubriques

access-keys-rotated
account-part-of-organizations
acm-certificate-expiration-check
acm-certificate-rsa-check
acm-pca-root-ca-handicapé
alb-desync-mode-check
alb-http-drop-invalid-activé par en-tête
alb-http-to-https-vérification de redirection
alb-waf-enabled
api-gwv2- access-logs-enabled
api-gwv2- authorization-type-configured
api-gw-associated-with-guerre
api-gw-cache-enabledet crypté
api-gw-endpoint-type-vérifier
api-gw-execution-logging-activé
api-gw-ssl-enabled
api-gw-xray-enabled
approved-amis-by-id
approved-amis-by-tag
appsync-associated-with-waf
appsync-authorization-check
appsync-cache-encryption-at-repos
appsync-logging-enabled
athena-workgroup-encrypted-at-repos
aurora-last-backup-recovery-point créé
aurora-meets-restore-time-cible
aurora-mysql-backtracking-enabled
aurora-resources-protected-by-plan de sauvegarde
autoscaling-capacity-rebalancing
autoscaling-group-elb-healthcheck-obligatoire
autoscaling-launchconfig-requires-imdsv2
autoscaling-launch-config-hop-limite
autoscaling-launch-config-public-IP désactivé
autoscaling-launch-template
autoscaling-multiple-az
autoscaling-multiple-instance-types
backup-plan-min-frequency-and-min-retention-check
backup-recovery-point-encrypted
backup-recovery-point-manual-suppression désactivée
backup-recovery-point-minimum-contrôle de rétention
beanstalk-enhanced-health-reporting-activé
clb-desync-mode-check
clb-multiple-az
cloudformation-stack-drift-detection-vérifier
cloudformation-stack-notification-check
cloudfront-accesslogs-enabled
cloudfront-associated-with-waf
cloudfront-custom-ssl-certificate
cloudfront-default-root-object-configuré
cloudfront-no-deprecated-ssl-protocoles
cloudfront-origin-access-identity-activé
cloudfront-origin-failover-enabled
cloudfront-s3- origin-access-control-enabled
cloudfront-s3- origin-non-existent-bucket
cloudfront-security-policy-check
cloudfront-sni-enabled
cloudfront-traffic-to-origin-crypté
cloudfront-viewer-policy-https
cloudtrail-s3-dataevents-enabled
cloudtrail-security-trail-enabled
cloudwatch-alarm-action-check
cloudwatch-alarm-action-enabled-vérifier
cloudwatch-alarm-resource-check
cloudwatch-alarm-settings-check
cloudwatch-log-group-encrypted
cloud-trail-cloud-watch-activé pour les journaux
cloudtrail-enabled
cloud-trail-encryption-enabled
cloud-trail-log-file-activé pour la validation
cmk-backing-key-rotation-activé
codebuild-project-artifact-encryption
codebuild-project-environment-privileged-vérifier
codebuild-project-envvar-awscred-vérifier
codebuild-project-logging-enabled
codebuild-project-sChiffré à 3 journaux
codebuild-project-source-repo-vérification de l'URL
codedeploy-auto-rollback-monitor-activé
codedeploy-ec2- minimum-healthy-hosts-configured
codedeploy-lambda-allatonce-traffic-shift-disabled
codepipeline-deployment-count-check
codepipeline-region-fanout-check
custom-eventbus-policy-attached
custom-schema-registry-policy-attaché
cw-loggroup-retention-period-vérifier
dax-encryption-enabled
dax-tls-endpoint-encryption
db-instance-backup-enabled
desired-instance-tenancy
desired-instance-type
dms-auto-minor-version-vérification de mise à niveau
dms-endpoint-ssl-configured
dms-mongo-db-authentication-activé
dms-neptune-iam-authorization-activé
dms-redis-tls-enabled
dms-replication-not-public
dms-replication-task-sourcedb-journalisation
dms-replication-task-targetdb-journalisation
docdb-cluster-audit-logging-activé
docdb-cluster-backup-retention-vérifier
docdb-cluster-deletion-protection-activé
docdb-cluster-encrypted
docdb-cluster-snapshot-public-interdit
dynamodb-autoscaling-enabled
dynamodb-in-backup-plan
dynamodb-last-backup-recovery-point créé
dynamodb-meets-restore-time-cible
dynamodb-pitr-enabled
dynamodb-resources-protected-by-plan de sauvegarde
dynamodb-table-deletion-protection-activé
dynamodb-table-encrypted-kms
dynamodb-table-encryption-enabled
dynamodb-throughput-limit-check
ebs-in-backup-plan
ebs-last-backup-recovery-point créé
ebs-meets-restore-time-cible
ebs-optimized-instance
ebs-resources-protected-by-plan de sauvegarde
ebs-snapshot-public-restorable-vérifier
compatible avec ec2 client-vpn-connection-log
ec2- -all client-vpn-not-authorize
ec2- ebs-encryption-by-default
ec2-imdsv2-check
ec2- instance-detailed-monitoring-enabled
ec2- -manager instance-managed-by-systems
ec2- instance-multiple-eni-check
ec2- instance-no-public-ip
ec2- instance-profile-attached
ec2- créé last-backup-recovery-point
ec2- -désactivé launch-template-public-ip
ec2- managedinstance-applications-blacklisted
ec2- managedinstance-applications-required
ec2- -check managedinstance-association-compliance-status
ec2- managedinstance-inventory-blacklisted
ec2- -check managedinstance-patch-compliance-status
ec2- managedinstance-platform-check
ec2- meets-restore-time-target
ec2- no-amazon-key-pair
ec2- paravirtual-instance-check
plan ec2 resources-protected-by-backup
ec2- -eni security-group-attached-to
ec2- -eni-périodique security-group-attached-to
ec2-stopped-instance
ec2- token-hop-limit-check
ec2- -attach-disabled transit-gateway-auto-vpc
ec2- volume-inuse-check
ecr-private-image-scanning-activé
ecr-private-lifecycle-policy-configuré
ecr-private-tag-immutability-activé
ecs-awsvpc-networking-enabled
ecs-containers-nonprivileged
ecs-containers-readonly-access
ecs-container-insights-enabled
ecs-fargate-latest-platform-version
ecs-no-environment-secrets
ecs-task-definition-log-configuration
ecs-task-definition-memory-limite stricte
ecs-task-definition-nonroot-utilisateur
ecs-task-definition-pid-vérification du mode
ecs-task-definition-user-for-host-mode-check
efs-access-point-enforce-répertoire racine
efs-access-point-enforce-identité de l'utilisateur
efs-encrypted-check
efs-in-backup-plan
efs-last-backup-recovery-point créé
efs-meets-restore-time-cible
efs-mount-target-public-accessible
efs-resources-protected-by-plan de sauvegarde
eip-attached
eks-cluster-logging-enabled
eks-cluster-log-enabled
eks-cluster-oldest-supported-version
eks-cluster-secrets-encrypted
eks-cluster-supported-version
eks-endpoint-no-public-accès
eks-secrets-encrypted
elasticache-auto-minor-version-vérification de mise à niveau
elasticache-rbac-auth-enabled
elasticache-redis-cluster-automatic-vérification des sauvegardes
elasticache-repl-grp-auto-compatible avec le basculement
elasticache-repl-grp-encrypted-au repos
elasticache-repl-grp-encrypted-en transit
elasticache-repl-grp-redis-auth activé
elasticache-subnet-group-check
elasticache-supported-engine-version
elasticsearch-encrypted-at-rest
elasticsearch-in-vpc-only
elasticsearch-logs-to-cloudwatch
elasticsearch-node-to-node-vérification du chiffrement
elastic-beanstalk-logs-to- montre cloud
elastic-beanstalk-managed-updates-activé
elbv2- acm-certificate-required
elbv2-multiple-az
elb-acm-certificate-required
elb-cross-zone-load-activé pour l'équilibrage
elb-custom-security-policy-vérification SSL
elb-deletion-protection-enabled
elb-logging-enabled
elb-predefined-security-policy-vérification SSL
elb-tls-https-listeners-uniquement
emr-block-public-access
emr-kerberos-enabled
emr-master-no-public-IP
encrypted-volumes
fms-shield-resource-policy-vérifier
fms-webacl-resource-policy-vérifier
fms-webacl-rulegroup-association-vérifier
fsx-last-backup-recovery-point créé
fsx-lustre-copy-tagsà des sauvegardes
fsx-meets-restore-time-cible
fsx-openzfs-copy-tags-activé
fsx-resources-protected-by-plan de sauvegarde
fsx-windows-audit-log-configuré
global-endpoint-event-replication-activé
guardduty-enabled-centralized
guardduty-non-archived-findings
iam-customer-policy-blocked-kms-actions
iam-group-has-users-vérifier
iam-inline-policy-blocked-kms-actions
iam-no-inline-policy-vérifier
iam-password-policy
iam-policy-blacklisted-check
iam-policy-in-use
iam-policy-no-statements-with-admin-access
iam-policy-no-statements-with-full-access
iam-role-managed-policy-vérifier
iam-root-access-key-vérifier
iam-user-group-membership-vérifier
iam-user-mfa-enabled
iam-user-no-policies-vérifier
iam-user-unused-credentials-vérifier
restricted-ssh
ec2- instances-in-vpc
internet-gateway-authorized-vpc-uniquement
kinesis-firehose-delivery-stream-crypté
kinesis-stream-encrypted
kms-cmk-not-scheduled-pour suppression
lambda-concurrency-check
lambda-dlq-check
lambda-function-public-access-interdit
lambda-function-settings-check
lambda-inside-vpc
lambda-vpc-multi-az-vérifier
macie-auto-sensitive-data-découvre-check
macie-status-check
mfa-enabled-for-iam-accès à la console
mq-active-deployment-mode
mq-automatic-minor-version-activé pour la mise à niveau
mq-auto-minor-version-activé pour la mise à niveau
mq-cloudwatch-audit-logging-activé
mq-cloudwatch-audit-log-activé
mq-no-public-access
mq-rabbit-deployment-mode
msk-enhanced-monitoring-enabled
msk-in-cluster-node-require-tls
multi-region-cloudtrail-enabled
nacl-no-unrestricted-ssh-rdp
neptune-cluster-backup-retention-vérifier
neptune-cluster-cloudwatch-log-compatible avec l'exportation
neptune-cluster-copy-tags-to-snapshot-enabled
neptune-cluster-deletion-protection-activé
neptune-cluster-encrypted
neptune-cluster-iam-database-authentification
neptune-cluster-multi-az-activé
neptune-cluster-snapshot-encrypted
neptune-cluster-snapshot-public-interdit
netfw-deletion-protection-enabled
netfw-logging-enabled
netfw-multi-az-enabled
netfw-policy-default-action-paquets de fragments
netfw-policy-default-action-paquets complets
netfw-policy-rule-group-associé
netfw-stateless-rule-group-non vide
nlb-cross-zone-load-activé pour l'équilibrage
no-unrestricted-route-to-igw
opensearch-access-control-enabled
opensearch-audit-logging-enabled
opensearch-data-node-fault-tolérance
opensearch-encrypted-at-rest
opensearch-https-required
opensearch-in-vpc-only
opensearch-logs-to-cloudwatch
opensearch-node-to-node-vérification du chiffrement
opensearch-primary-node-fault-tolérance
opensearch-update-check
rds-aurora-mysql-audit-activé pour la journalisation
rds-automatic-minor-version-activé pour la mise à niveau
rds-cluster-auto-minor-version-upgrade-enable
rds-cluster-default-admin-vérifier
rds-cluster-deletion-protection-activé
rds-cluster-encrypted-at-repos
rds-cluster-iam-authentication-activé
rds-cluster-multi-az-activé
rds-db-security-group-non autorisé
rds-enhanced-monitoring-enabled
rds-instance-default-admin-vérifier
rds-instance-deletion-protection-activé
rds-instance-iam-authentication-activé
rds-instance-public-access-vérifier
rds-in-backup-plan
rds-last-backup-recovery-point créé
rds-logging-enabled
rds-meets-restore-time-cible
rds-multi-az-support
rds-resources-protected-by-plan de sauvegarde
rds-snapshots-public-prohibited
rds-snapshot-encrypted
rds-storage-encrypted
redshift-audit-logging-enabled
redshift-backup-enabled
redshift-cluster-configuration-check
redshift-cluster-kms-enabled
redshift-cluster-maintenancesettings-check
redshift-cluster-public-access-vérifier
redshift-default-admin-check
redshift-default-db-name-vérifier
redshift-enhanced-vpc-routing-activé
redshift-require-tls-ssl
required-tags
restricted-common-ports
root-account-hardware-mfa-activé
root-account-mfa-enabled
itinéraire 53- query-logging-enabled
s3 access-point-in-vpc - uniquement
blocs s3 access-point-public-access -
blocs s3 account-level-public-access -
s3- account-level-public-access -blocs-périodique
s3- bucket-acl-prohibited
s3- bucket-blacklisted-actions-prohibited
compatible avec bucket-cross-region-replication s3
s3- bucket-default-lock-enabled
s3- bucket-level-public-access -interdit
s3- bucket-logging-enabled
s3- bucket-mfa-delete-enabled
s3- bucket-policy-grantee-check
s3- bucket-policy-not-more -permissif
s3- bucket-public-read-prohibited
s3- bucket-public-write-prohibited
s3- bucket-replication-enabled
compatible s3 bucket-server-side-encryption -
s3- bucket-ssl-requests-only
s3- bucket-versioning-enabled
s3- default-encryption-kms
s3- event-notifications-enabled
s3- last-backup-recovery-point -créé
s3- lifecycle-policy-check
s3- meets-restore-time-target
plan resources-protected-by-backup s3
s3- version-lifecycle-policy-check
sagemaker-endpoint-configuration-kms-configuré par clé
sagemaker-endpoint-config-prod-nombre d'instances
sagemaker-notebook-instance-inside-vpc
sagemaker-notebook-instance-kms-configuré par clé
sagemaker-notebook-instance-root-contrôle d'accès
sagemaker-notebook-no-direct-accès à Internet
secretsmanager-rotation-enabled-check
secretsmanager-scheduled-rotation-success-vérifier
secretsmanager-secret-periodic-rotation
secretsmanager-secret-unused
secretsmanager-using-cmk
securityhub-enabled
security-account-information-provided
service-catalog-shared-within-organisation
service-vpc-endpoint-enabled
ses-malware-scanning-enabled
shield-advanced-enabled-autorenew
shield-drt-access
sns-encrypted-kms
sns-topic-message-delivery-activé pour les notifications
ssm-document-not-public
step-functions-state-machine-activé pour la journalisation
storagegateway-last-backup-recovery-point créé
storagegateway-resources-protected-by-plan de sauvegarde
subnet-auto-assign-public-IP désactivé
transfer-family-server-no-ftp
virtualmachine-last-backup-recovery-point créé
virtualmachine-resources-protected-by-plan de sauvegarde
vpc-default-security-group-fermé
vpc-flow-logs-enabled
vpc-network-acl-unused-vérifier
vpc-peering-dns-resolution-vérifier
vpc-sg-open-only-to-authorized-ports
vpc-vpn-2-tunnels-up
wafv2-logging-enabled
wafv2- rulegroup-logging-enabled
wafv2- rulegroup-not-empty
wafv2- webacl-not-empty
waf-classic-logging-enabled
waf-global-rulegroup-not-vide
waf-global-rule-not-vide
waf-global-webacl-not-vide
waf-regional-rulegroup-not-vide
waf-regional-rule-not-vide
waf-regional-webacl-not-vide

Avertissement JavaScript est désactivé ou n'est pas disponible dans votre navigateur.

Pour que vous puissiez utiliser la documentation AWS, Javascript doit être activé. Vous trouverez des instructions sur les pages d'aide de votre navigateur.

Conventions de rédaction

Règles gérées

access-keys-rotated