Curated SCPs and Config Rules - AMS Advanced User Guide

Curated SCPs and Config Rules

Curated SCPs and Config Rules for AMS Advanced.

  • Service control policies (SCPs): The provided SCPs are in addition to default AMS ones.

    You can use these library controls in tandem with the default ones to meet specific security requirements.

  • Config Rules: As a baseline measure, AMS recommends applying Conformance Packs (see Conformance Packs in the AWS Config guide) in addition to the default AMS config rules (see AMS Artifacts for default rules). The Conformance Packs cover a majority of compliance requirements and AWS regularly updates them.

    The rules listed here can be used to cover use-case-specific gaps that aren't covered by Conformance Packs.

Note

As AMS default rules and conformance packs get updated over time, you might see duplicates of these rules.

AMS recommends doing periodic clean-up of duplicate Config Rules in general.

For AMS Advanced, Config Rules should not use auto-remediations (see Remediating Noncompliant AWS Resources by AWS Config Rules) in order to avoid out-of-band changes.
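Before attaching any of the statements in this library, it helps to assemble the chosen fragments into one policy document and check the result mechanically. The following Python script is an added example and is not AMS code: it parses each fragment (catching a missing comma or bracket before AWS Organizations rejects the policy), requires Effect to be Deny, wraps the statements in a policy with the 2012-10-17 Version, and checks the combined document against the 5,120-byte SCP size quota, which counts whitespace. The two good fragments are SCP-AMS-013 and SCP-AMS-017 from this page; the third, with a missing comma, is constructed to show the failure path.

```python
"""Assemble library SCP fragments into one policy document and sanity-check it.

Added example, not AMS code. The fragments are copied from this page; the
5,120-byte limit is the AWS Organizations quota for a single SCP document.
"""
import json

SCP_MAX_BYTES = 5120                     # Organizations quota for one SCP; whitespace counts
REQUIRED_KEYS = {"Effect", "Action", "Resource"}


def parse_fragment(text):
    """Parse one statement fragment. Returns (statement, None) or (None, error)."""
    try:
        stmt = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc.msg} at character {exc.pos}"
    missing = REQUIRED_KEYS - stmt.keys()
    if missing:
        return None, f"missing keys: {sorted(missing)}"
    if stmt["Effect"] != "Deny":
        return None, "library controls are deny statements; Effect must be Deny"
    return stmt, None


def build_scp(fragments):
    """Wrap the fragments in a policy document.

    Returns (compact_json, errors). compact_json is None if anything failed,
    so a broken fragment can never silently drop out of the attached policy.
    """
    statements, errors = [], []
    for index, fragment in enumerate(fragments):
        stmt, error = parse_fragment(fragment)
        if error:
            errors.append(f"fragment {index}: {error}")
        else:
            statements.append(stmt)
    policy = {"Version": "2012-10-17", "Statement": statements}
    # Serialise without whitespace: Organizations counts whitespace toward the quota
    document = json.dumps(policy, separators=(",", ":"))
    size = len(document.encode("utf-8"))
    if size > SCP_MAX_BYTES:
        errors.append(f"policy is {size} bytes; the SCP limit is {SCP_MAX_BYTES}")
    return (None if errors else document), errors


def statement_count(document):
    """Number of statements in an assembled policy document."""
    return len(json.loads(document)["Statement"])


# SCP-AMS-013 and SCP-AMS-017, verbatim from this page
SCP_AMS_013 = '{ "Effect": "Deny", "Action": [ "ec2:DisableEbsEncryptionByDefault" ], "Resource": "*" }'
SCP_AMS_017 = '{ "Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "arn:aws:iam::*:root" }'
# Constructed: the comma between the two array elements is missing
BROKEN_FRAGMENT = '{ "Effect": "Deny", "Action": [ "logs:DeleteLogGroup" "logs:DeleteLogStream" ], "Resource": "*" }'

if __name__ == "__main__":
    print(build_scp([SCP_AMS_013, SCP_AMS_017]))
    print(build_scp([SCP_AMS_013, BROKEN_FRAGMENT]))
```

Run the script and paste the compact document into the Organizations console or `aws organizations create-policy --type SERVICE_CONTROL_POLICY`; the size check matters because the full library would exceed one SCP, so group statements into several policies per OU.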

SCP-AMS-001: Restrict EBS creation

Prevent the creation of EBS volumes if you don’t have encryption enabled.

{
  "Effect": "Deny",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "Bool": { "ec2:Encrypted": "false" }
  }
}

SCP-AMS-002: Restrict EC2 launch

Prevent the launch of an EC2 instance if any of its EBS volumes is unencrypted. This includes denying a launch from an unencrypted AMI, because the SCP also applies to the root volume created from the AMI.

{
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:volume/*",
  "Condition": {
    "Bool": { "ec2:Encrypted": "false" }
  }
}

SCP-ADV-001: Restrict RFC submissions

Restrict default AMS roles from submitting specific automated RFCs like Create VPC or Delete VPC. This is helpful if you want to apply more granular permissions to your federated roles.

For example, you might want the default AWSManagedServicesChangeManagementRole to be able to submit most of the available RFCs except those that create or delete a VPC, create additional subnets, offboard an application account, or update or delete SAML identity providers (the statement below also covers AWSManagedServicesAdminRole):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictAppAccountRFCs",
      "Effect": "Deny",
      "Action": [
        "amscm:ApproveRfc",
        "amscm:CancelRfc",
        "amscm:CreateRfc",
        "amscm:CreateRfcAttachment",
        "amscm:CreateRfcCorrespondence",
        "amscm:GetRfcAttachment",
        "amscm:ListRfcAttachmentSummaries",
        "amscm:ListRfcCorrespondences",
        "amscm:RejectRfc",
        "amscm:SubmitRfc",
        "amscm:UpdateRestrictedExecutionTimes",
        "amscm:UpdateRfc"
      ],
      "Resource": [
        "arn:aws:amscm:global:*:changetype/ct-1j3503fres5a5:*",
        "arn:aws:amscm:global:*:changetype/ct-2paw0y79kvr3l:*",
        "arn:aws:amscm:global:*:changetype/ct-2ha68tpd7nr3y:*",
        "arn:aws:amscm:global:*:changetype/ct-2wlfo2jxj2rkj:*",
        "arn:aws:amscm:global:*:changetype/ct-3hox8uwjgze1f:*",
        "arn:aws:amscm:global:*:changetype/ct-01zl37gmuk4q2:*",
        "arn:aws:amscm:global:*:changetype/ct-379uwo67vbvng:*"
      ],
      "Condition": {
        "ArnLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/AWSManagedServicesChangeManagementRole",
            "arn:aws:iam::*:role/AWSManagedServicesAdminRole"
          ]
        }
      }
    }
  ]
}

SCP-AMS-003: Restrict EC2 or RDS creation in AMS

Prevent creation of Amazon EC2 and RDS instances that don't carry the required tag (organization in this example), while still allowing the default AMS Backup IAM role to create them. The exemption is needed for disaster recovery (DR), because restored instances are created by that role.

{
  "Sid": "DenyRunInstanceWithNoOrganizationTag",
  "Effect": "Deny",
  "Action": [
    "ec2:RunInstances",
    "rds:CreateDBInstance"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:instance/*",
    "arn:aws:ec2:*:*:volume/*",
    "arn:aws:rds:*:*:db:*"
  ],
  "Condition": {
    "Null": { "aws:RequestTag/organization": "true" },
    "StringNotLike": {
      "aws:PrincipalArn": [ "arn:aws:iam::<Account_Number>:role/ams-backup-iam-role" ]
    }
  }
}

SCP-AMS-004: Restrict S3 uploads

Prevent uploads of S3 objects that request an encryption method other than SSE-KMS (aws:kms) or SSE-S3 (AES256). Both condition operators must be true for the Deny to apply, and the Null check is true only when the s3:x-amz-server-side-encryption header is present, so a PutObject request that sends no encryption header is not denied by this statement; such objects receive the bucket's default encryption instead.

{
  "Sid": "DenyUnencryptedS3Uploads",
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "*",
  "Condition": {
    "StringNotLike": {
      "s3:x-amz-server-side-encryption": [ "aws:kms", "AES256" ]
    },
    "Null": { "s3:x-amz-server-side-encryption": "false" }
  }
}

SCP-AMS-005: Restrict API and console access

Prevent AWS Management Console and API access for requests that come from known bad IP addresses, as determined by the customer's InfoSec team. Because the IfExists form of the operator evaluates to true when aws:SourceIp is absent from the request context, this Deny also applies to requests that carry no source IP, such as requests that arrive through a VPC endpoint (those carry aws:VpcSourceIp instead). If that is not what you want, use the plain IpAddress operator.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IPDeny",
      "Effect": "Deny",
      "Action": [ "*" ],
      "Resource": [ "*" ],
      "Condition": {
        "IpAddressIfExists": {
          "aws:SourceIp": [
            "<ip address 1>",
            "<ip address 2>",
            "<ip address n>"
          ]
        }
      }
    }
  ]
}

SCP-AMS-006: Prevent IAM entity from removing member account from the organization

Prevent an AWS Identity and Access Management entity from removing member accounts from the organization.

{
  "Effect": "Deny",
  "Action": [ "organizations:LeaveOrganization" ],
  "Resource": [ "*" ]
}

SCP-AMS-007: Prevent sharing resources to accounts outside your organization

Prevent sharing resources with accounts outside your AWS organization. The first statement covers existing resource shares that already allow external principals; the second blocks creating or updating a share so that it allows them.

{
  "Effect": "Deny",
  "Action": [ "ram:*" ],
  "Resource": [ "*" ],
  "Condition": {
    "Bool": { "ram:AllowsExternalPrincipals": "true" }
  }
},
{
  "Effect": "Deny",
  "Action": [
    "ram:CreateResourceShare",
    "ram:UpdateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": { "ram:RequestedAllowsExternalPrincipals": "true" }
  }
}

SCP-AMS-008: Prevent sharing with organizations or organizational units (OUs)

Prevent sharing resources with an account and/or OU that's in an organization.

{
  "Effect": "Deny",
  "Action": [
    "ram:CreateResourceShare",
    "ram:AssociateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "ram:Principal": [
        "arn:aws:organizations::*:account/o-${OrganizationId}/${AccountId}",
        "arn:aws:organizations::*:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}"
      ]
    }
  }
}

SCP-AMS-009: Prevent users from accepting resource share invitations

Prevent member accounts from accepting AWS RAM invitations to join resource shares. This action supports no condition keys, so the Deny is all-or-nothing. It affects only shares that require an invitation, that is, shares from accounts outside your organization (or from inside it when sharing with AWS Organizations is not enabled); shares within an organization that has sharing enabled are accepted automatically and are not blocked.

{
  "Effect": "Deny",
  "Action": [ "ram:AcceptResourceShareInvitation" ],
  "Resource": [ "*" ]
}

SCP-AMS-010: Prevent account Region enable and disable actions

Prevent enabling or disabling any new AWS Regions for your AWS accounts.

{
  "Effect": "Deny",
  "Action": [
    "account:EnableRegion",
    "account:DisableRegion"
  ],
  "Resource": "*"
}

SCP-AMS-011: Prevent billing modification actions

Prevent modifications to billing, account, and payment-method configuration. The aws-portal actions are the legacy billing permissions; accounts that have migrated to the fine-grained IAM actions for billing, payments, and account settings also need the equivalent actions in those service namespaces denied.

{
  "Effect": "Deny",
  "Action": [
    "aws-portal:ModifyBilling",
    "aws-portal:ModifyAccount",
    "aws-portal:ModifyPaymentMethods"
  ],
  "Resource": "*"
}

SCP-AMS-012: Prevent deletion or modification to specific CloudTrails

Prevent deleting, stopping, or modifying specific AWS CloudTrail trails and event data stores. Replace the placeholders with the partition, Region, account ID, and trail name of the trail you want to protect.

{
  "Effect": "Deny",
  "Action": [
    "cloudtrail:DeleteEventDataStore",
    "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:UpdateEventDataStore",
    "cloudtrail:UpdateTrail",
    "cloudtrail:StopLogging"
  ],
  "Resource": [
    "arn:${Partition}:cloudtrail:${Region}:${Account}:trail/${TrailName}"
  ]
}

SCP-AMS-013: Prevent disabling default EBS encryption

Prevent disabling of default Amazon EBS encryption.

{
  "Effect": "Deny",
  "Action": [ "ec2:DisableEbsEncryptionByDefault" ],
  "Resource": "*"
}

SCP-AMS-014: Prevent creating default VPC and subnet

Prevent the creation of a default Amazon VPC and subnets.

{
  "Effect": "Deny",
  "Action": [
    "ec2:CreateDefaultSubnet",
    "ec2:CreateDefaultVpc"
  ],
  "Resource": "*"
}

SCP-AMS-015: Prevent disabling and modifying GuardDuty

Prevent Amazon GuardDuty from being modified or disabled.

{
  "Effect": "Deny",
  "Action": [
    "guardduty:AcceptInvitation",
    "guardduty:ArchiveFindings",
    "guardduty:CreateDetector",
    "guardduty:CreateFilter",
    "guardduty:CreateIPSet",
    "guardduty:CreateMembers",
    "guardduty:CreatePublishingDestination",
    "guardduty:CreateSampleFindings",
    "guardduty:CreateThreatIntelSet",
    "guardduty:DeclineInvitations",
    "guardduty:DeleteDetector",
    "guardduty:DeleteFilter",
    "guardduty:DeleteInvitations",
    "guardduty:DeleteIPSet",
    "guardduty:DeleteMembers",
    "guardduty:DeletePublishingDestination",
    "guardduty:DeleteThreatIntelSet",
    "guardduty:DisableOrganizationAdminAccount",
    "guardduty:DisassociateFromMasterAccount",
    "guardduty:DisassociateMembers",
    "guardduty:InviteMembers",
    "guardduty:StartMonitoringMembers",
    "guardduty:StopMonitoringMembers",
    "guardduty:TagResource",
    "guardduty:UnarchiveFindings",
    "guardduty:UntagResource",
    "guardduty:UpdateDetector",
    "guardduty:UpdateFilter",
    "guardduty:UpdateFindingsFeedback",
    "guardduty:UpdateIPSet",
    "guardduty:UpdateMalwareScanSettings",
    "guardduty:UpdateMemberDetectors",
    "guardduty:UpdateOrganizationConfiguration",
    "guardduty:UpdatePublishingDestination",
    "guardduty:UpdateThreatIntelSet"
  ],
  "Resource": "*"
}

SCP-AMS-016: Prevent root user activity

Prevent the root user of a member account from performing any action. SCPs apply to the root user of member accounts, but they never apply to the management account, so its root user is unaffected.

{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": [ "arn:aws:iam::*:root" ]
    }
  }
}

SCP-AMS-017: Prevent creating access keys for the root user

Prevent the creation of access keys for the root user.

{
  "Effect": "Deny",
  "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::*:root"
}

SCP-AMS-018: Prevent disabling S3 account public access block

Prevent changes to the Amazon S3 account-level public access block. Combined with a block that is already enabled, this keeps any bucket in the account from being made public.

{
  "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock",
  "Resource": "*"
}

SCP-AMS-019: Prevent disabling AWS Config or modifying Config rules

Prevent deleting AWS Config rules, the configuration recorder, the delivery channel, and evaluation results, and prevent stopping the recorder. Changing a rule's definition through config:PutConfigRule is not covered by this statement.

{
  "Effect": "Deny",
  "Action": [
    "config:DeleteConfigRule",
    "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "config:DeleteEvaluationResults",
    "config:StopConfigurationRecorder"
  ],
  "Resource": "*"
}

SCP-AMS-020: Prevent all IAM actions

Prevent all IAM actions.

{
  "Effect": "Deny",
  "Action": [ "iam:*" ],
  "Resource": "*"
}

SCP-AMS-021: Prevent deleting CloudWatch Logs groups and streams

Prevent deleting Amazon CloudWatch Logs groups and streams.

{
  "Effect": "Deny",
  "Action": [
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream"
  ],
  "Resource": "*"
}

SCP-AMS-022: Prevent Glacier deletion

Prevent Amazon S3 Glacier deletion.

{
  "Effect": "Deny",
  "Action": [
    "glacier:DeleteArchive",
    "glacier:DeleteVault"
  ],
  "Resource": "*"
}

SCP-AMS-023: Prevent deletion of IAM Access Analyzer

Prevent the deletion of IAM Access Analyzer.

{
  "Effect": "Deny",
  "Action": [ "access-analyzer:DeleteAnalyzer" ],
  "Resource": "*"
}

SCP-AMS-024: Prevent modifications to Security Hub

Prevent AWS Security Hub from being disabled or disassociated from its administrator account, and prevent member and invitation changes.

{
  "Effect": "Deny",
  "Action": [
    "securityhub:DeleteInvitations",
    "securityhub:DisableSecurityHub",
    "securityhub:DisassociateFromMasterAccount",
    "securityhub:DeleteMembers",
    "securityhub:DisassociateMembers"
  ],
  "Resource": "*"
}

SCP-AMS-025: Prevent deletion under Directory Service

Prevent the deletion of resources under AWS Directory Service.

{
  "Effect": "Deny",
  "Action": [
    "ds:DeleteDirectory",
    "ds:DeleteLogSubscription",
    "ds:DeleteSnapshot",
    "ds:DeleteTrust",
    "ds:DeregisterCertificate",
    "ds:DeregisterEventTopic",
    "ds:DisableLDAPS",
    "ds:DisableRadius",
    "ds:DisableSso",
    "ds:UnshareDirectory"
  ],
  "Resource": "*"
}

SCP-AMS-026: Prevent use of denylisted service

Prevent the use of denylisted services.

Note

Replace service1 and service2 with the IAM service prefixes of the services to deny, for example access-analyzer or iam.

{
  "Effect": "Deny",
  "Action": [ "service1:*", "service2:*" ],
  "Resource": "*"
}

SCP-AMS-027: Prevent use of denylisted service in specific Regions

Prevent the use of denylisted services in specific AWS Regions.

Note

Replace service1 and service2 with the IAM service prefixes of the services to deny, for example access-analyzer or iam.

Replace region1 and region2 with your Region names, for example us-west-2 or us-east-1.

{
  "Effect": "Deny",
  "Action": [ "service1:*", "service2:*" ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": [ "region1", "region2" ]
    }
  }
}

SCP-AMS-028: Prevent tags from being modified except by authorized principals

Prevent tag modifications by any principal except the authorized ones. Authorization is expressed with an access-project tag that must be present on both the resource and the principal; a user or role is authorized only when the two values match. The aws:PrincipalArn placeholder in each statement exempts one named principal (for example, an administration role) from the restriction, and the third statement denies tagging by principals that carry no access-project tag at all. For more information, see the following resources:

{
  "Effect": "Deny",
  "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ],
  "Resource": [ "*" ],
  "Condition": {
    "StringNotEquals": {
      "ec2:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
      "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
    },
    "Null": { "ec2:ResourceTag/access-project": "false" }
  }
},
{
  "Effect": "Deny",
  "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ],
  "Resource": [ "*" ],
  "Condition": {
    "StringNotEquals": {
      "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
      "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
    },
    "ForAnyValue:StringEquals": {
      "aws:TagKeys": [ "access-project" ]
    }
  }
},
{
  "Effect": "Deny",
  "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ],
  "Resource": [ "*" ],
  "Condition": {
    "StringNotEquals": {
      "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
    },
    "Null": { "aws:PrincipalTag/access-project": "true" }
  }
}

SCP-AMS-029: Prevent users from deleting Amazon VPC Flow Logs

Prevent the deletion of Amazon VPC Flow Logs and of their CloudWatch Logs, S3, and Kinesis Data Firehose destinations. Because the Resource element is "*", the Logs, S3, and Firehose actions are denied account-wide, not only for flow log destinations; scope the Resource element to the destination ARNs if that is too broad for your accounts.

{
  "Effect": "Deny",
  "Action": [
    "ec2:DeleteFlowLogs",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutLifecycleConfiguration",
    "firehose:DeleteDeliveryStream"
  ],
  "Resource": "*"
}

SCP-AMS-030: Prevent sharing VPC subnet with account other than network account

Prevent sharing Amazon VPC subnets with accounts other than the network account.

Note

Replace NETWORK_ACCOUNT_ID with your network account ID.

{
  "Effect": "Deny",
  "Action": [
    "ram:AssociateResourceShare",
    "ram:CreateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": { "ram:Principal": "NETWORK_ACCOUNT_ID" },
    "StringEquals": { "ram:RequestedResourceType": "ec2:Subnet" }
  }
}

SCP-AMS-031: Prevent launching instances with prohibited instance types

Prevent launching prohibited Amazon EC2 instance types.

Note

Replace instance_type1 and instance_type2 with the instance types that you want to restrict, such as t2.micro or a wildcard string such as *.nano.

{
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": [ "arn:aws:ec2:*:*:instance/*" ],
  "Condition": {
    "ForAnyValue:StringLike": {
      "ec2:InstanceType": [ "instance_type1", "instance_type2" ]
    }
  }
}

SCP-AMS-032: Prevent launching instances without IMDSv2

Prevent launching Amazon EC2 instances that don't require IMDSv2, and prevent any principal from using credentials obtained through IMDSv1. The four statements do the following: deny RunInstances unless HttpTokens is set to required; deny RunInstances with a PUT response hop limit above 3; deny every action when the caller's role credentials were delivered by IMDSv1 (ec2:RoleDelivery below 2.0); and deny ec2:ModifyInstanceMetadataOptions altogether. Because the last statement also blocks switching existing instances to IMDSv2, migrate those instances before you attach the SCP.

[
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringNotEquals": { "ec2:MetadataHttpTokens": "required" }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "NumericGreaterThan": { "ec2:MetadataHttpPutResponseHopLimit": "3" }
    }
  },
  {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NumericLessThan": { "ec2:RoleDelivery": "2.0" }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:ModifyInstanceMetadataOptions",
    "Resource": "*"
  }
]
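To see how the condition logic in these statements behaves, here is an added Python example (not AMS code) that implements the subset of IAM condition semantics the library SCPs rely on: the operators in a Condition block are ANDed, the values for one key are ORed, Null tests for key presence, a negated operator (StringNotEquals, StringNotLike) is true when the key is absent, a positive operator (NumericLessThan) is false when it is absent, and the IfExists suffix makes a positive operator true on a missing key. It evaluates SCP-AMS-004 and the four statements of SCP-AMS-032 against constructed request contexts; the account ID and resource ARNs are placeholders. The evaluator is a model for reasoning about these policies, not a replacement for the IAM policy simulator, and it checks one resource ARN at a time, which is also how AWS evaluates a multi-resource call such as RunInstances.

```python
"""Minimal evaluator for the IAM condition semantics used by the library SCPs.

Added example, not AMS code. It models one Deny evaluation per resource ARN;
the account ID and ARNs in the sample contexts are placeholders.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _primitive(op, ctx, pol):
    """One positive operator against one context value and one policy value."""
    if op in ("StringEquals", "ArnEquals"):
        return ctx == pol
    if op == "StringEqualsIgnoreCase":
        return ctx.lower() == pol.lower()
    if op in ("StringLike", "ArnLike"):           # IAM wildcards * and ?, as in fnmatch
        return fnmatch.fnmatchcase(ctx, pol)
    if op == "Bool":
        return str(ctx).lower() == str(pol).lower()
    if op == "IpAddress":
        return ipaddress.ip_address(ctx) in ipaddress.ip_network(pol, strict=False)
    if op.startswith("Numeric"):
        a, b = float(ctx), float(pol)
        return {"NumericEquals": a == b, "NumericLessThan": a < b,
                "NumericLessThanEquals": a <= b, "NumericGreaterThan": a > b,
                "NumericGreaterThanEquals": a >= b}[op]
    raise ValueError(f"unsupported operator {op}")


def _key_true(op, ctx_value, pol_values):
    """Evaluate one condition key. ctx_value is None when the key is absent."""
    if_exists = op.endswith("IfExists")
    base = op[:-8] if if_exists else op
    set_op, _, base = base.rpartition(":")      # "ForAnyValue"/"ForAllValues" or ""
    if base == "Null":                           # "true" matches an absent key, "false" a present one
        return any(str(p).lower() == str(ctx_value is None).lower() for p in pol_values)
    if ctx_value is None:
        # Missing key: negated operators and ForAllValues are true; positive ones are false
        return if_exists or "Not" in base or set_op == "ForAllValues"
    positive = base.replace("Not", "")

    def matches(c):
        return any(_primitive(positive, c, p) for p in pol_values)   # values are ORed

    ctx_values = _as_list(ctx_value)
    if set_op == "ForAllValues":
        result = all(matches(c) for c in ctx_values)
    else:
        result = any(matches(c) for c in ctx_values)
    return (not result) if positive != base else result


def statement_matches(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Condition all match the request."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for op, keys in stmt.get("Condition", {}).items():        # operators are ANDed
        for key, values in keys.items():                       # keys are ANDed
            if not _key_true(op, ctx.get(key), _as_list(values)):
                return False
    return True


def is_denied(statements, action, resource, ctx):
    """An explicit Deny in any statement wins; SCPs never grant anything themselves."""
    return any(s["Effect"] == "Deny" and statement_matches(s, action, resource, ctx)
               for s in statements)


# SCP-AMS-004 and SCP-AMS-032 from this page
SCP_AMS_004 = [{"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
                "Condition": {"StringNotLike": {"s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]},
                              "Null": {"s3:x-amz-server-side-encryption": "false"}}}]
SCP_AMS_032 = [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"NumericGreaterThan": {"ec2:MetadataHttpPutResponseHopLimit": "3"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}}},
    {"Effect": "Deny", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*"},
]

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/*"    # placeholder account ID
OBJECT = "arn:aws:s3:::example-bucket/report.csv"              # constructed object ARN

if __name__ == "__main__":
    # No SSE header at all is NOT denied; the object gets the bucket's default encryption
    print(is_denied(SCP_AMS_004, "s3:PutObject", OBJECT, {}))
    # Credentials delivered by IMDSv1 (ec2:RoleDelivery 1.0) are refused for every action
    print(is_denied(SCP_AMS_032, "s3:ListAllMyBuckets", "*", {"ec2:RoleDelivery": "1.0"}))
```

Two results are worth noting: a PutObject with no s3:x-amz-server-side-encryption header passes SCP-AMS-004 because the Null condition fails, and a RunInstances request that does not set ec2:MetadataHttpTokens at all is denied by the first statement of SCP-AMS-032 because StringNotEquals is true on a missing key.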

SCP-AMS-033: Prevent modifications to specific IAM role

Prevent modifications to specified IAM roles.

{
  "Effect": "Deny",
  "Action": [
    "iam:AttachRolePolicy",
    "iam:DeleteRole",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy",
    "iam:TagRole",
    "iam:UntagRole",
    "iam:UpdateAssumeRolePolicy",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription"
  ],
  "Resource": [ "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}" ]
}

SCP-AMS-034: Prevent AssumeRolePolicy modification on specific IAM roles

Prevent modifications to the AssumeRolePolicy for specified IAM roles.

{
  "Effect": "Deny",
  "Action": [ "iam:UpdateAssumeRolePolicy" ],
  "Resource": [ "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}" ]
}

ConfigRule: Required tags

Check whether EC2 instances carry the tags that you require. In addition to InfoSec, this is also useful for cost management.

ConfigRuleName: required-tags
Description: >-
  A Config rule that checks whether EC2 instances have the required tags.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
InputParameters:
  tag1Key: COST_CENTER
  tag2Key: APP_ID
Source:
  Owner: AWS
  SourceIdentifier: REQUIRED_TAGS

ConfigRule: Access key rotated

Check that access keys are being rotated within the specified time period. This is usually set to be 90 days per typical compliance requirements.

ConfigRuleName: access-keys-rotated
Description: >-
  A Config rule that checks whether the active access keys are rotated within
  the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if
  the access keys have not been rotated for more than maxAccessKeyAge number of days.
InputParameters:
  maxAccessKeyAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: ACCESS_KEYS_ROTATED
MaximumExecutionFrequency: TwentyFour_Hours

ConfigRule: IAM root access key in AMS

Check that a root access key is not present on an account. For AMS Advanced accounts, this is expected to be compliant out-of-the-box.

ConfigRuleName: iam-root-access-key-check
Description: >-
  A Config rule that checks whether the root user access key is available.
  The rule is COMPLIANT if the user access key does not exist.
Source:
  Owner: AWS
  SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
MaximumExecutionFrequency: TwentyFour_Hours

ConfigRule: SSM managed EC2

Check that your EC2 instances are managed by AWS Systems Manager.

ConfigRuleName: ec2-instance-managed-by-systems-manager
Description: >-
  A Config rule that checks whether the EC2 instances in the account are
  managed by AWS Systems Manager.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
    - 'AWS::SSM::ManagedInstanceInventory'
Source:
  Owner: AWS
  SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM

ConfigRule: Unused IAM user in AMS

Check for IAM user credentials that have not been used for a specified duration. Like the key-rotation check, this usually defaults to 90 days per typical compliance requirements.

ConfigRuleName: iam-user-unused-credentials-check
Description: >-
  A Config rule that checks whether IAM users have passwords or active access
  keys that have not been used within the specified number of days provided.
InputParameters:
  maxCredentialUsageAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
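The three IAM rules above (ACCESS_KEYS_ROTATED, IAM_ROOT_ACCESS_KEY_CHECK, and IAM_USER_UNUSED_CREDENTIALS_CHECK) all evaluate data that the IAM credential report exposes. The following Python example is added here and is not AMS or AWS Config code: it re-implements the three checks over a constructed credential report (a subset of the real report's columns, with invented users and dates, and a frozen clock so the results are reproducible) so that you can see exactly what "rotated within 90 days" and "unused for 90 days" mean before the rules flag a user.

```python
"""Re-implementation of three IAM Config rule checks over a credential report.

Added example, not AMS or AWS Config code. REPORT_CSV is a constructed sample
using a subset of the IAM credential report columns; users and dates are invented.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

REPORT_CSV = """user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-01-10T08:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,true,2024-03-01T09:12:00+00:00,2023-12-15T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,2024-03-01T09:00:00+00:00,false,N/A,N/A
bob,false,no_information,N/A,true,2024-02-20T00:00:00+00:00,N/A,false,N/A,N/A
carol,true,2023-10-05T12:00:00+00:00,2023-09-01T00:00:00+00:00,false,N/A,N/A,false,N/A,N/A
"""
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)   # frozen clock for reproducible results
ROOT = "<root_account>"
NO_DATE = {"N/A", "no_information", "not_supported", ""}
KEY_SLOTS = ("access_key_1", "access_key_2")


def load_report(text):
    """Parse credential-report CSV into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Credential report timestamps are ISO 8601; several sentinels mean 'no date'."""
    return None if value in NO_DATE else datetime.fromisoformat(value)


def access_keys_rotated(rows, max_access_key_age, now=NOW):
    """ACCESS_KEYS_ROTATED: users with an active key last rotated more than
    maxAccessKeyAge days ago. Returns {user: [key slots]}; empty means compliant."""
    limit = timedelta(days=max_access_key_age)
    noncompliant = {}
    for row in rows:
        if row["user"] == ROOT:                 # root is not an IAM user; see root_access_key_present
            continue
        for slot in KEY_SLOTS:
            if row[f"{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"{slot}_last_rotated"])
            if rotated is None or now - rotated > limit:
                noncompliant.setdefault(row["user"], []).append(slot)
    return noncompliant


def unused_credentials(rows, max_credential_usage_age, now=NOW):
    """IAM_USER_UNUSED_CREDENTIALS_CHECK: enabled passwords and active keys not used
    within maxCredentialUsageAge days. A credential that was never used is measured
    from when it was last set or rotated, so a fresh unused key is not flagged."""
    limit = timedelta(days=max_credential_usage_age)
    noncompliant = {}
    for row in rows:
        if row["user"] == ROOT:
            continue
        credentials = []
        if row["password_enabled"] == "true":
            credentials.append(("password", row["password_last_used"], row["password_last_changed"]))
        for slot in KEY_SLOTS:
            if row[f"{slot}_active"] == "true":
                credentials.append((slot, row[f"{slot}_last_used_date"], row[f"{slot}_last_rotated"]))
        for name, last_used, last_set in credentials:
            reference = parse_ts(last_used) or parse_ts(last_set)
            if reference is None or now - reference > limit:
                noncompliant.setdefault(row["user"], []).append(name)
    return noncompliant


def root_access_key_present(rows):
    """IAM_ROOT_ACCESS_KEY_CHECK: True (NON_COMPLIANT) if the root user has an active access key."""
    root = next(row for row in rows if row["user"] == ROOT)
    return any(root[f"{slot}_active"] == "true" for slot in KEY_SLOTS)


if __name__ == "__main__":
    rows = load_report(REPORT_CSV)
    print("keys not rotated within 90 days:", access_keys_rotated(rows, 90))
    print("credentials unused for 90 days:", unused_credentials(rows, 90))
    print("root access key present:", root_access_key_present(rows))
```

With the sample data, alice's first access key (rotated 135 days before the frozen clock) fails the rotation check, carol's console password (last used 162 days earlier) fails the unused-credentials check, and bob's key, which is 24 days old and has never been used, passes both, which is the same outcome the managed rules produce with maxAccessKeyAge and maxCredentialUsageAge set to 90.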

ConfigRule: S3 bucket logging

Check that logging has been enabled for S3 buckets in the account.

ConfigRuleName: s3-bucket-logging-enabled
Description: >-
  A Config rule that checks whether logging is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_LOGGING_ENABLED

ConfigRule: S3 bucket versioning

Check that versioning, and optionally MFA delete, is enabled on all S3 buckets.

ConfigRuleName: s3-bucket-versioning-enabled
Description: >-
  A Config rule that checks whether versioning is enabled for S3 buckets.
  Optionally, the rule checks if MFA delete is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED

ConfigRule: S3 public access

Check that the account-level public access block settings (public ACLs, public bucket policies, and public buckets) are enabled across the account.

ConfigRuleName: s3-account-level-public-access-blocks
Description: >-
  A Config rule that checks whether the required public access block settings
  are configured at the account level. The rule is only NON_COMPLIANT when the
  fields set below do not match the corresponding fields in the configuration item.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::AccountPublicAccessBlock'
InputParameters:
  IgnorePublicAcls: 'True'
  BlockPublicPolicy: 'True'
  BlockPublicAcls: 'True'
  RestrictPublicBuckets: 'True'
Source:
  Owner: AWS
  SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

ConfigRule: Non-archived GuardDuty findings

Check for any non-archived GuardDuty findings that are older than the specified duration. The default duration is 30 days for low-sev, 7 days for medium-sev and 1 day for high-sev findings.

ConfigRuleName: guardduty-non-archived-findings
Description: >-
  A Config rule that checks whether Amazon GuardDuty has findings that are not
  archived. The rule is NON_COMPLIANT if GuardDuty has non-archived
  low/medium/high severity findings older than the specified number of days.
InputParameters:
  daysLowSev: '30'
  daysMediumSev: '7'
  daysHighSev: '1'
Source:
  Owner: AWS
  SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
MaximumExecutionFrequency: TwentyFour_Hours

ConfigRule: CMK deletion

Check for any AWS Key Management Service customer master keys (CMKs, now called KMS keys) that are scheduled (pending) for deletion. This is crucial because an unnoticed key deletion makes every object encrypted under that key unrecoverable once the waiting period ends.

ConfigRuleName: kms-cmk-not-scheduled-for-deletion
Description: >-
  A Config rule that checks whether customer master keys (CMKs) are not
  scheduled for deletion in AWS Key Management Service (AWS KMS). The rule is
  NON_COMPLIANT if CMKs are scheduled for deletion.
Source:
  Owner: AWS
  SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
MaximumExecutionFrequency: TwentyFour_Hours

ConfigRule: CMK rotation

Check that automatic key rotation is enabled for every CMK in the account. The rule does not apply to keys with imported key material, which KMS cannot rotate automatically.

ConfigRuleName: cmk-backing-key-rotation-enabled
Description: >-
  A Config rule that checks that key rotation is enabled for each customer
  master key (CMK). The rule is COMPLIANT if key rotation is enabled for the
  specific key object. The rule is not applicable to CMKs that have imported
  key material.
Source:
  Owner: AWS
  SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
MaximumExecutionFrequency: TwentyFour_Hours