AMS Config Rule library Responses to violations Creating rule exceptions Reduce AWS Config costs

Configuration compliance in Accelerate

AMS Accelerate helps you configure your resources to high standards for security and operational integrity, and comply with the following industry standards:

Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST) Cloud Security Framework (CSF)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI) Data Security Standard (DSS)

We do this by deploying our entire compliance AWS Config rule set to your account, see AMS Config Rule library. An AWS Config rule represents desired configurations for a resource and is evaluated against configuration changes on the settings of your AWS resources. Any configuration change triggers a large number of rules to test compliance. For example, suppose you create an Amazon S3 bucket, and configure it to be publicly readable, in violation of NIST standards. The ams-nist-cis-s3-bucket-public-read-prohibited rule detects the violation and labels your S3 bucket Noncompliant in your Configuration Report. Because this rule belongs to the Auto Incident remediation category, it immediately creates a Incident Report, alerting you to the issue. Other more severe rule violations might cause AMS to automatically remediate the issue. See Responses to violations in Accelerate.

Important

If you want us to do more, for example, if you want AMS to remediate a violation for you, regardless of its remediation category, submit a Service Request that asks AMS to remediate the noncompliant resources for you. In the Service Request, include a comment such as "As part of the AMS config rule remediation, please remediate non-complaint resources RESOURCE_ARNS_OR_IDs, config rule CONFIG_RULE_NAME in the account" and add the required inputs to remediate the violation.

If you want us to do less, for example, if you don't want us to take action on a particular S3 bucket that requires public access by design, you can create exceptions, see Creating rule exceptions in Accelerate.

AMS Config Rule library

Accelerate deploys a library of AMS config rules to protect your account. These config rules begin with ams-. You can view rules within your account, and their compliance state, from either the AWS Config console, AWS CLI, or the AWS Config API. For general information about using AWS Config, see ViewingConfiguration Compliance.

Note

For opt-in AWS Regions, and gov cloud Regions, we only deploy a subset of the config rules due to Region restrictions. Check the rule availability in Regions by checking the link associated to the identifier in the AMS Accelerate config rules table.

You cannot remove any of the deployed AMS Config Rules.

Table of Rules

Download as ams_config_rules.zip.

AMS Configuration Rules
Rule Name	Service	Trigger	Action	Frameworks
ams-nist-cis-guardduty-enabled-centralized	GuardDuty	Periodic	Remediate	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 2.2,3.4,8.2.1;
ams-nist-cis-vpc-flow-logs-enabled	VPC	Periodic	Remediate	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6;
ams-eks-secrets-encrypted	EKS	Periodic	Incident	CIS: NA; NIST-CSF: NA; HIPAA: NA; PCI: NA;
ams-eks-endpoint-no-public-access	EKS	Periodic	Incident	CIS: NA; NIST-CSF: NA; HIPAA: NA; PCI: NA;
ams-nist-cis-vpc-default-security-group-closed	VPC	Config Changes	Incident	CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.312(e)(1); PCI: 1.2,1.3,2.1,2.2,1.2.1,1.3.1,1.3.2,2.2.2;
ams-nist-cis-iam-password-policy	IAM	Periodic	Incident	CIS: NA; NIST-CSF: PR.AC-1,PR.AC-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 7.1.2,7.1.3,7.2.1,7.2.2;
ams-nist-cis-iam-root-access-key-check	IAM	Periodic	Incident	CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-1,PR.AC-4,PR.PT-3; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.1.2,7.1.3,7.2.1,7.2.2;
ams-nist-cis-iam-user-mfa-enabled	IAM	Periodic	Incident	CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.1.2,7.1.3,7.2.1,7.2.2;
ams-nist-cis-restricted-ssh	Security Groups	Config Changes	Incident	CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.2.1,8.1.4;
ams-nist-cis-restricted-common-ports	Security Groups	Config Changes	Incident	CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,2.2.2;
ams-nist-cis-s3-account-level-public-access-blocks	S3	Config Changes	Incident	CIS: CIS.9,CIS.12,CIS.14; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2,2.2.2;
ams-nist-cis-s3-bucket-public-read-prohibited	S3	Config Changes	Incident	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-s3-bucket-public-write-prohibited	S3	Config Changes	Incident	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-s3-bucket-server-side-encryption-enabled	S3	Config Changes	Incident	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(c)(2),164.312(e)(2)(ii); PCI: 2.2,3.4,10.5,8.2.1;
ams-nist-cis-securityhub-enabled	Security Hub	Periodic	Incident	CIS: CIS.3,CIS.4,CIS.6,CIS.12,CIS.16,CIS.19; NIST-CSF: PR.DS-5,PR.PT-1; HIPAA: 164.312(b); PCI: NA;
ams-nist-cis-ec2-instance-managed-by-systems-manager	EC2	Config Changes	Report	CIS: CIS.2,CIS.5; NIST-CSF: ID.AM-2,PR.IP-1; HIPAA: 164.308(a)(5)(ii)(B); PCI: 2.4;
ams-nist-cis-cloudtrail-enabled	CloudTrail	Periodic	Report	CIS: CIS.16,CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.MA-2,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(b); PCI: 10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.6,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6;
ams-nist-cis-access-keys-rotated	IAM	Periodic	Report	CIS: CIS.16; NIST-CSF: PR.AC-1; HIPAA: 164.308(a)(4)(ii)(B); PCI: 2.2;
ams-nist-cis-acm-certificate-expiration-check	Certificate Manager	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.AC-5,PR.PT-4; HIPAA: NA; PCI: 4.1;
ams-nist-cis-alb-http-to-https-redirection-check	ALB	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 2.3,4.1,8.2.1;
ams-nist-cis-api-gw-cache-enabled-and-encrypted	API Gateway	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4;
ams-nist-cis-api-gw-execution-logging-enabled	API Gateway	Config Changes	Report	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.PT-1; HIPAA: 164.312(b); PCI: 10.1,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.4;
ams-nist-autoscaling-group-elb-healthcheck-required	ELB	Config Changes	Report	CIS: NA; NIST-CSF: PR.PT-1,PR.PT-5; HIPAA: 164.312(b); PCI: 2.2;
ams-nist-cis-cloud-trail-encryption-enabled	CloudTrail	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 2.2,3.4,10.5;
ams-nist-cis-cloud-trail-log-file-validation-enabled	CloudTrail	Periodic	Report	CIS: CIS.6; NIST-CSF: PR.DS-6; HIPAA: 164.312(c)(1),164.312(c)(2); PCI: 2.2,10.5,11.5,10.5.2,10.5.5;
ams-nist-cis-cloudtrail-s3-dataevents-enabled	CloudTrail	Periodic	Report	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6;
ams-nist-cis-cloudwatch-alarm-action-check	CloudWatch	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: NA; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4;
ams-nist-cis-cloudwatch-log-group-encrypted	CloudWatch	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: NA; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4;
ams-nist-cis-codebuild-project-envvar-awscred-check	CodeBuild	Config Changes	Report	CIS: CIS.18; NIST-CSF: PR.DS-5; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 8.2.1;
ams-nist-cis-codebuild-project-source-repo-url-check	CodeBuild	Config Changes	Report	CIS: CIS.18; NIST-CSF: PR.DS-5; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 8.2.1;
ams-nist-cis-db-instance-backup-enabled	RDS	Config Changes	Report	CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: NA;
ams-nist-cis-dms-replication-not-public	DMS	Periodic	Report	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-dynamodb-autoscaling-enabled	DynamoDB	Periodic	Report	CIS: NA; NIST-CSF: ID.BE-5,PR.DS-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(C); PCI: NA;
ams-nist-cis-dynamodb-pitr-enabled	DynamoDB	Periodic	Report	CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: NA;
ams-nist-dynamodb-throughput-limit-check	DynamoDB	Periodic	Report	CIS: NA; NIST-CSF: NA; HIPAA: 164.312(b); PCI: NA;
ams-nist-ebs-optimized-instance	EBS	Config Changes	Report	CIS: NA; NIST-CSF: NA; HIPAA: 164.308(a)(7)(i); PCI: NA;
ams-nist-cis-ebs-snapshot-public-restorable-check	EBS	Periodic	Report	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-ec2-instance-detailed-monitoring-enabled	EC2	Config Changes	Report	CIS: NA; NIST-CSF: DE.AE-1,PR.PT-1; HIPAA: 164.312(b); PCI: NA;
ams-nist-cis-ec2-instance-no-public-ip	EC2	Config Changes	Report	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-ec2-managedinstance-association-compliance-status-check	EC2	Config Changes	Report	CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-ec2-managedinstance-patch-compliance-status-check	EC2	Config Changes	Report	CIS: CIS.2,CIS.5; NIST-CSF: ID.AM-2,PR.IP-1; HIPAA: 164.308(a)(5)(ii)(B); PCI: 6.2;
ams-nist-cis-ec2-stopped-instance	EC2	Periodic	Report	CIS: CIS.2; NIST-CSF: ID.AM-2,PR.IP-1; HIPAA: NA; PCI: NA;
ams-nist-cis-ec2-volume-inuse-check	EC2	Config Changes	Report	CIS: CIS.2; NIST-CSF: PR.IP-1; HIPAA: NA; PCI: NA;
ams-nist-cis-efs-encrypted-check	EFS	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-nist-cis-eip-attached	EC2	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-nist-cis-elasticache-redis-cluster-automatic-backup-check	ElastiCache	Periodic	Report	CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: NA;
ams-nist-cis-opensearch-encrypted-at-rest	OpenSearch	Periodic	Report	CIS: CIS.14,CIS.13; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-nist-cis-opensearch-in-vpc-only	OpenSearch	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-nist-cis-elb-acm-certificate-required	Certificate Manager	Config Changes	Report	CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-elb-deletion-protection-enabled	ELB	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 4.1,8.2.1;
ams-nist-cis-elb-logging-enabled	ELB	Config Changes	Report	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.PT-1; HIPAA: 164.312(b); PCI: 10.1,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.4;
ams-nist-cis-emr-kerberos-enabled	EMR	Periodic	Report	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.PT-1; HIPAA: 164.312(b); PCI: 10.1,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.4;
ams-nist-cis-emr-master-no-public-ip	EMR	Periodic	Report	CIS: CIS.14,CIS.16; NIST-CSF: PR.AC-1,PR.AC-4,PR.AC-6; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 7.2.1;
ams-nist-cis-encrypted-volumes	EBS	Config Changes	Report	CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-guardduty-non-archived-findings	GuardDuty	Periodic	Report	CIS: CIS.12,CIS.13,CIS.16,CIS.19,CIS.3,CIS.4,CIS.6,CIS.8; NIST-CSF: DE.AE-2,DE.AE-3,DE.CM-4,DE.DP-5,ID.RA-1,ID.RA-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.312(b); PCI: 6.1,11.4,5.1.2;
ams-nist-iam-group-has-users-check	IAM	Config Changes	Report	CIS: NA; NIST-CSF: PR.AC-4,PR.AC-1; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 7.1.2,7.1.3,7.2.1,7.2.2;
ams-nist-cis-iam-policy-no-statements-with-admin-access	IAM	Config Changes	Report	CIS: CIS.16; NIST-CSF: PR.AC-6,PR.AC-7; HIPAA: 164.308(a)(4)(ii)(B),164.308(a)(5)(ii)(D),164.312(d); PCI: 8.2.3,8.2.4,8.2.5;
ams-nist-cis-iam-user-group-membership-check	IAM	Config Changes	Report	CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-1,PR.AC-4,PR.PT-3; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(a)(2)(i); PCI: 2.2,7.1.2,7.2.1,8.1.1;
ams-nist-cis-iam-user-no-policies-check	IAM	Config Changes	Report	CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-7; HIPAA: 164.308(a)(4)(ii)(B),164.312(d); PCI: 8.3;
ams-nist-cis-iam-user-unused-credentials-check	IAM	Periodic	Report	CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-4,PR.PT-3; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.1.2,7.1.3,7.2.1,7.2.2;
ams-nist-cis-ec2-instances-in-vpc	EC2	Config Changes	Report	CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,2.2.2;
ams-nist-cis-internet-gateway-authorized-vpc-only	Internet Gateway	Periodic	Report	CIS: CIS.9,CIS.12; NIST-CSF: NA; HIPAA: NA; PCI: NA;
ams-nist-cis-kms-cmk-not-scheduled-for-deletion	KMS	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: NA; PCI: 3.5,3.6;
ams-nist-lambda-concurrency-check	Lambda	Config Changes	Report	CIS: NA; NIST-CSF: NA; HIPAA: 164.312(b); PCI: NA;
ams-nist-lambda-dlq-check	Lambda	Config Changes	Report	CIS: NA; NIST-CSF: NA; HIPAA: 164.312(b); PCI: NA;
ams-nist-cis-lambda-function-public-access-prohibited	Lambda	Config Changes	Report	CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,2.2.2;
ams-nist-cis-lambda-inside-vpc	Lambda	Config Changes	Report	CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,2.2.2;
ams-nist-cis-mfa-enabled-for-iam-console-access	IAM	Periodic	Report	CIS: CIS.16; NIST-CSF: PR.AC-7; HIPAA: 164.312(d); PCI: 2.2,8.3;
ams-nist-cis-multi-region-cloudtrail-enabled	CloudTrail	Periodic	Report	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.MA-2,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.6,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6;
ams-nist-rds-enhanced-monitoring-enabled	RDS	Config Changes	Report	CIS: NA; NIST-CSF: PR.PT-1; HIPAA: 164.312(b); PCI: NA;
ams-nist-cis-rds-instance-public-access-check	RDS	Config Changes	Report	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-rds-multi-az-support	RDS	Config Changes	Report	CIS: NA; NIST-CSF: ID.BE-5,PR.DS-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(C); PCI: NA;
ams-nist-cis-rds-snapshots-public-prohibited	RDS	Config Changes	Report	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-rds-storage-encrypted	RDS	Config Changes	Report	CIS: CIS.13,CIS.5,CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-1,PR.PT-1; HIPAA: 164.312(a)(2)(iv),164.312(b),164.312(e)(2)(ii); PCI: 3.4,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,8.2.1;
ams-nist-cis-redshift-cluster-configuration-check	RedShift	Config Changes	Report	CIS: CIS.6,CIS.13,CIS.5; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-1,PR.PT-1; HIPAA: 164.312(a)(2)(iv),164.312(b),164.312(e)(2)(ii); PCI: 3.4,8.2.1,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6;
ams-nist-cis-redshift-cluster-public-access-check	RedShift	Config Changes	Report	CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-redshift-require-tls-ssl	RedShift	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 2.3,4.1;
ams-nist-cis-root-account-hardware-mfa-enabled	IAM	Periodic	Report	CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-7; HIPAA: 164.312(d); PCI: 2.2,8.3;
ams-nist-cis-root-account-mfa-enabled	IAM	Periodic	Report	CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-7; HIPAA: 164.312(d); PCI: 2.2,8.3;
ams-nist-cis-s3-bucket-default-lock-enabled	S3	Config Changes	Report	CIS: CIS.14,CIS.13; NIST-CSF: ID.BE-5,PR.PT-5,RC.RP-1; HIPAA: NA; PCI: NA;
ams-nist-cis-s3-bucket-logging-enabled	S3	Config Changes	Report	CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6;
ams-nist-cis-s3-bucket-replication-enabled	S3	Config Changes	Report	CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: 2.2,10.5.3;
ams-nist-cis-s3-bucket-ssl-requests-only	S3	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(c)(2),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 2.2,4.1,8.2.1;
ams-nist-cis-s3-bucket-versioning-enabled	S3	Periodic	Report	CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.DS-6,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B),164.312(c)(1),164.312(c)(2); PCI: 10.5.3;
ams-nist-cis-sagemaker-endpoint-configuration-kms-key-configured	SageMaker	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-nist-cis-sagemaker-notebook-instance-kms-key-configured	SageMaker	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-nist-cis-sagemaker-notebook-no-direct-internet-access	SageMaker	Periodic	Report	CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2;
ams-nist-cis-secretsmanager-rotation-enabled-check	Secrets Manager	Config Changes	Report	CIS: CIS.16; NIST-CSF: PR.AC-1; HIPAA: 164.308(a)(4)(ii)(B); PCI: NA;
ams-nist-cis-secretsmanager-scheduled-rotation-success-check	Secrets Manager	Config Changes	Report	CIS: CIS.16; NIST-CSF: PR.AC-1; HIPAA: 164.308(a)(4)(ii)(B); PCI: NA;
ams-nist-cis-sns-encrypted-kms	SNS	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 8.2.1;
ams-nist-cis-vpc-sg-open-only-to-authorized-ports	VPC	Config Changes	Report	CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,2.2.2;
ams-nist-vpc-vpn-2-tunnels-up	VPC	Config Changes	Report	CIS: NA; NIST-CSF: ID.BE-5,PR.DS-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i); PCI: NA;
ams-cis-ec2-ebs-encryption-by-default	EC2	Periodic	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 2.2,3.4,8.2.1;
ams-cis-rds-snapshot-encrypted	RDS	Config Changes	Report	CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1;
ams-cis-redshift-cluster-maintenancesettings-check	RedShift	Config Changes	Report	CIS: CIS.5; NIST-CSF: PR.DS-4,PR.IP-1,PR.IP-4; HIPAA: 164.308(a)(5)(ii)(A),164.308(a)(7)(ii)(A); PCI: 6.2;

Responses to violations in Accelerate

All Config Rule violations appear in your Configuration Report. This is a universal response. Depending on the Remediation Category (severity) of the rule, AMS might take additional actions, summarized in the following table. For details on how to customize the Action Code for certain rules, see Customized findings responses.

Remediation Actions

Action Code	AMS Actions
Report	Add to Config Report
Incident	Add to Config Report Automatic incident report in Accelerate
Remediate	Add to Config Report Automatic incident report in Accelerate Automatic remediation in Accelerate

Requesting Additional Help

Note

AMS can remediate any violation for you, regardless of its remediation category. To request help, submit a Service Request, and indicate which resources you want AMS to remediate with a comment such as "As part of the AMS config rule remediation, please remediate non-complaint resources RESOURCE_ARNS_OR_IDsresource ARNs/IDs>, config rule CONFIG_RULE_NAMEin the account" and add the required inputs to remediate the violation.

AMS Accelerate has a library of AWS Systems Manager automation documents and runbooks to assist in remediating noncompliant resources.

Add to Config Report

AMS generates a Config Report that tracks the compliance status of all rules and resources in your account. You can request the report from your CSDM. You can also review compliance status from the AWS Config console, AWS CLI, or AWS Config API. Your Config Report includes:

The top, noncompliant resources in your environment, to discover potential threats and misconfigurations
Compliance of resources and config rules over time
Config rule descriptions, severity of rules, and recommended remediation steps to fix noncompliant resources

When any resource goes into a noncompliant state, the resource status (and rule status) becomes Noncompliant in your Config Report. If the rule belongs to the Config Report Only remediation category, by default, AMS takes no further action. You can always create a Service Request to request additional help or remediation from AMS.

For more details, see AWS Config Reporting.

Automatic incident report in Accelerate

For moderately severe rule violations, AMS automatically creates an Incident Report to notify you that a resource has gone into a noncompliant state, and asks which actions you would like to be performed. You have the following options when responding to an incident:

Request that AMS remediate the noncompliant resources listed in the incident. Then, we attempt to remediate the noncompliant resource, and notify you once the underlying incident has been resolved.
You can resolve the noncompliant item manually in the console or through your automated deployment system (for example, CI/CD Pipeline template updates); then, you can resolve the incident. The noncompliant resource is re-evaluated as per the rule’s schedule and, if the resource is evaluated as noncompliant, a new incident report is created.
You can choose to not resolve the noncompliant resource and simply resolve the incident. If you update the configuration of the resource later, AWS Config will trigger a re-evaluation and you will again be alerted to evaluate the noncompliance of that resource.

Automatic remediation in Accelerate

The most critical rules belong to the Auto Remediate category. Noncompliance with these rules may strongly impact the security and availability of your accounts. When a resource violates one of these rules:

AMS automatically notifies you with an Incident Report.
AMS starts an automated remediation using our automated SSM documents.
AMS updates the Incident Report with success or failure of the automated remediation.
If automated remediation failed, an AMS engineer investigates the issue.

Creating rule exceptions in Accelerate

The AWS Config Rules resource exception feature allows you to suppress reporting of specific, noncompliant resources for a specific rules.

Note

The exempted resources still show up as Noncompliant in your AWS Config Service console. The exempted resources appear with a special flag in Config Reports (resource_exception:True). Your CSDMs can filter out those resources according to that column when generating reports.

If you have resources that you know are not compliant, you can eliminate a specific resource for a specific config rule in their Config Reports. To do this:

Submit a service request to Accelerate against your account, with a list of the config rules and resources that to be exempted from report. You must provide an explicit business justification (such as, no need to report that resource_name_1 and resource_name_2 are not backed up because we do not want them backed up). For help submitting an Accelerate service request, see Creating a service request.

Paste into the request the following inputs (for every resource add a separate block with all the required fields, as shown), and then submit:


[
    {
        "resource_name": "resource_name_1",
        "config_rule_name": "config_rule_name_1",
        "business_justification": "REASON_TO_EXEMPT_RESOURCE",
        "resource_type": "resource_type"
    },
    {
        "resource_name": "resource_name_2",
        "config_rule_name": "config_rule_name_2",
        "business_justification": "REASON_TO_EXEMPT_RESOURCE",
        "resource_type": "resource_type"
    }
]

Reduce AWS Config costs in Accelerate

You can reduce AWS Config costs by using the option to periodically record the AWS::EC2::Instance resource type. Periodic recording captures the latest configuration changes of your resources once every 24 hours, reducing the number of changes delivered. When enabled, AWS Config only records the latest configuration of a resource at the end of a 24-hour period. This allows you to tailor configuration data to specific operational planning, compliance, and audit uses cases that don’t require continuous monitoring. This change is recommended only if you have applications that depend on ephemeral architectures, meaning you constantly scale the number of instances up or down.

To opt in to periodic recording for the AWS::EC2::Instance resource type, contact your AMS Delivery Team.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security event logging and monitoring

Customized findings responses