AWS Config マネージドルールのリスト

現在 AWS Config では、以下のマネージドルールをサポートしています。

注記

AWS コンソールを使用している場合に限り、マネージドルールには指定されたデフォルト値が自動で設定されます。デフォルト値が API、CLI、または SDK に自動設定されることはありません。

トピック

• access-keys-rotated
• account-part-of-organizations
• acm-certificate-expiration-check
• acm-certificate-rsa-check
• alb-desync-mode-check
• alb-http-drop-invalid-header-enabled
• alb-http-to-https-redirection-check
• alb-waf-enabled
• api-gwv2-access-logs-enabled
• api-gwv2-authorization-type-configured
• api-gw-associated-with-waf
• api-gw-cache-enabled-and-encrypted
• api-gw-endpoint-type-check
• api-gw-execution-logging-enabled
• api-gw-ssl-enabled
• api-gw-xray-enabled
• approved-amis-by-id
• approved-amis-by-tag
• appsync-associated-with-waf
• appsync-authorization-check
• appsync-cache-encryption-at-rest
• appsync-logging-enabled
• athena-workgroup-encrypted-at-rest
• aurora-last-backup-recovery-point-created
• aurora-mysql-backtracking-enabled
• バックアップ計画によって保護された Aurora リソース
• autoscaling-capacity-rebalancing
• autoscaling-group-elb-healthcheck-required
• autoscaling-launchconfig-requires-imdsv2
• autoscaling-launch-config-hop-limit
• autoscaling-launch-config-public-ip-disabled
• autoscaling-launch-template
• autoscaling-multiple-az
• autoscaling-multiple-instance-types
• バックアップ計画-分-頻度と分保持チェック
• バックアップ/リカバリポイント暗号化
• バックアップ/リカバリポイントの手動削除/無効化
• バックアップ/リカバリポイントの最小保存期間チェック
• beanstalk-enhanced-health-reporting-enabled
• clb-desync-mode-check
• clb-multiple-az
• cloudformation-stack-drift-detection-check
• cloudformation-stack-notification-check
• cloudfront-accesslogs-enabled
• cloudfront-associated-with-waf
• cloudfront-custom-ssl-certificate
• cloudfront-default-root-object-configured
• cloudfront-no-deprecated-ssl-protocols
• cloudfront-origin-access-identity-enabled
• cloudfront-origin-failover-enabled
• cloudfront-s3-origin-access-control-enabled
• cloudfront-s3-origin-non-existent-bucket
• cloudfront-security-policy-check
• cloudfront-sni-enabled
• cloudfront-traffic-to-origin-encrypted
• cloudfront-viewer-policy-https
• cloudtrail-s3-dataevents-enabled
• cloudtrail-security-trail-enabled
• cloudwatch-alarm-action-check
• cloudwatch-alarm-action-enabled-check
• cloudwatch-alarm-resource-check
• cloudwatch-alarm-settings-check
• cloudwatch-log-group-encrypted
• cloud-trail-cloud-watch-logs-enabled
• cloudtrail-enabled
• cloud-trail-encryption-enabled
• cloud-trail-log-file-validation-enabled
• cmk-backing-key-rotation-enabled
• codebuild-project-artifact-encryption
• codebuild-project-environment-privileged-check
• codebuild-project-envvar-awscred-check
• codebuild-project-logging-enabled
• codebuild-project-s3-logs-encrypted
• codebuild-project-source-repo-url-check
• codedeploy-auto-rollback-monitor-enabled
• codedeploy-ec2-minimum-healthy-hosts-configured
• codedeploy-lambda-allatonce-traffic-shift-disabled
• codepipeline-deployment-count-check
• codepipeline-region-fanout-check
• custom-eventbus-policy-attached
• custom-schema-registry-policy-attached
• cw-loggroup-retention-period-check
• dax-encryption-enabled
• db-instance-backup-enabled
• desired-instance-tenancy
• desired-instance-type
• dms-auto-minor-version-upgrade-check
• dms-endpoint-ssl-configured
• dms-replication-not-public
• dms-replication-task-sourcedb-logging
• dms-replication-task-targetdb-logging
• docdb-cluster-audit-logging-enabled
• docdb-cluster-backup-retention-check
• docdb-cluster-deletion-protection-enabled
• docdb-cluster-encrypted
• docdb-cluster-snapshot-public-prohibited
• dynamodb-autoscaling-enabled
• dynamodb-in-backup-plan
• dynamodb-last-backup-recovery-point-created
• dynamodb-pitr-enabled
• DynamoDB-バックアップ計画によって保護されるリソース
• dynamodb-table-encrypted-kms
• dynamodb-table-encryption-enabled
• dynamodb-throughput-limit-check
• ebs-in-backup-plan
• ebs-last-backup-recovery-point-created
• ebs-optimized-instance
• バックアップ計画によって保護された EBS リソース
• ebs-snapshot-public-restorable-check
• ec2-client-vpn-not-authorize-all
• ec2-ebs-encryption-by-default
• ec2-imdsv2-check
• ec2-instance-detailed-monitoring-enabled
• ec2-instance-managed-by-systems-manager
• ec2-instance-multiple-eni-check
• ec2-instance-no-public-ip
• ec2-instance-profile-attached
• ec2-last-backup-recovery-point-created
• ec2-launch-template-public-ip-disabled
• ec2-managedinstance-applications-blacklisted
• ec2-managedinstance-applications-required
• ec2-managedinstance-association-compliance-status-check
• ec2-managedinstance-inventory-blacklisted
• ec2-managedinstance-patch-compliance-status-check
• ec2-managedinstance-platform-check
• ec2-no-amazon-key-pair
• ec2-paravirtual-instance-check
• ec2-resources-protected-by-backup-plan
• ec2-security-group-attached-to-eni
• ec2-security-group-attached-to-eni-periodic
• ec2-stopped-instance
• ec2-token-hop-limit-check
• ec2-transit-gateway-auto-vpc-attach-disabled
• ec2-volume-inuse-check
• ecr-private-image-scanning-enabled
• ecr-private-lifecycle-policy-configured
• ecr-private-tag-immutability-enabled
• ecs-awsvpc-networking-enabled
• ecs-containers-nonprivileged
• ecs-containers-readonly-access
• ecs-container-insights-enabled
• ecs-fargate-latest-platform-version
• ecs-no-environment-secrets
• ecs-task-definition-log-configuration
• ecs-task-definition-memory-hard-limit
• ecs-task-definition-nonroot-user
• ecs-task-definition-pid-mode-check
• ecs-task-definition-user-for-host-mode-check
• efs-access-point-enforce-root-directory
• efs-access-point-enforce-user-identity
• efs-encrypted-check
• efs-in-backup-plan
• efs-last-backup-recovery-point-created
• バックアップ計画によって保護された efs リソース
• eip-attached
• eks-cluster-logging-enabled
• eks-cluster-oldest-supported-version
• eks-cluster-supported-version
• eks-endpoint-no-public-access
• eks-secrets-encrypted
• elasticache-auto-minor-version-upgrade-check
• elasticache-rbac-auth-enabled
• elasticache-redis-cluster-automatic-backup-check
• elasticache-repl-grp-auto-failover-enabled
• elasticache-repl-grp-encrypted-at-rest
• elasticache-repl-grp-encrypted-in-transit
• elasticache-repl-grp-redis-auth-enabled
• elasticache-subnet-group-check
• elasticache-supported-engine-version
• elasticsearch-encrypted-at-rest
• elasticsearch-in-vpc-only
• elasticsearch-logs-to-cloudwatch
• elasticsearch-node-to-node-encryption-check
• elastic-beanstalk-logs-to-cloudwatch
• elastic-beanstalk-managed-updates-enabled
• elbv2-acm-certificate-required
• elbv2-multiple-az
• elb-acm-certificate-required
• elb-cross-zone-load-balancing-enabled
• elb-custom-security-policy-ssl-check
• elb-deletion-protection-enabled
• elb-logging-enabled
• elb-predefined-security-policy-ssl-check
• elb-tls-https-listeners-only
• emr-kerberos-enabled
• emr-master-no-public-ip
• encrypted-volumes
• fms-shield-resource-policy-check
• fms-webacl-resource-policy-check
• fms-webacl-rulegroup-association-check
• fsx-last-backup-recovery-point-created
• fsx-resources-protected-by-backup-plan
• global-endpoint-event-replication-enabled
• guardduty-enabled-centralized
• guardduty-non-archived-findings
• iam-customer-policy-blocked-kms-actions
• iam-group-has-users-check
• iam-inline-policy-blocked-kms-actions
• iam-no-inline-policy-check
• iam-password-policy
• iam-policy-blacklisted-check
• iam-policy-in-use
• iam-policy-no-statements-with-admin-access
• iam-policy-no-statements-with-full-access
• iam-role-managed-policy-check
• iam-root-access-key-check
• iam-user-group-membership-check
• iam-user-mfa-enabled
• iam-user-no-policies-check
• iam-user-unused-credentials-check
• restricted-ssh
• ec2-instances-in-vpc
• internet-gateway-authorized-vpc-only
• kinesis-stream-encrypted
• kms-cmk-not-scheduled-for-deletion
• lambda-concurrency-check
• lambda-dlq-check
• lambda-function-public-access-prohibited
• lambda-function-settings-check
• lambda-inside-vpc
• lambda-vpc-multi-az-check
• macie-status-check
• mfa-enabled-for-iam-console-access
• mq-active-deployment-mode
• mq-automatic-minor-version-upgrade-enabled
• mq-cloudwatch-audit-logging-enabled
• mq-no-public-access
• mq-rabbit-deployment-mode
• msk-in-cluster-node-require-tls
• multi-region-cloudtrail-enabled
• nacl-no-unrestricted-ssh-rdp
• neptune-cluster-backup-retention-check
• neptune-cluster-cloudwatch-log-export-enabled
• neptune-cluster-copy-tags-to-snapshot-enabled
• neptune-cluster-deletion-protection-enabled
• neptune-cluster-encrypted
• neptune-cluster-iam-database-authentication
• neptune-cluster-snapshot-encrypted
• neptune-cluster-snapshot-public-prohibited
• netfw-deletion-protection-enabled
• netfw-logging-enabled
• netfw-multi-az-enabled
• netfw-policy-default-action-fragment-packets
• netfw-policy-default-action-full-packets
• netfw-policy-rule-group-associated
• netfw-stateless-rule-group-not-empty
• nlb-cross-zone-load-balancing-enabled
• no-unrestricted-route-to-igw
• opensearch-access-control-enabled
• opensearch-audit-logging-enabled
• opensearch-data-node-fault-tolerance
• opensearch-encrypted-at-rest
• opensearch-https-required
• opensearch-in-vpc-only
• opensearch-logs-to-cloudwatch
• opensearch-node-to-node-encryption-check
• rds-aurora-mysql-audit-logging-enabled
• rds-automatic-minor-version-upgrade-enabled
• rds-cluster-auto-minor-version-upgrade-enable
• rds-cluster-default-admin-check
• rds-cluster-deletion-protection-enabled
• rds-cluster-encrypted-at-rest
• rds-cluster-iam-authentication-enabled
• rds-cluster-multi-az-enabled
• rds-db-security-group-not-allowed
• rds-enhanced-monitoring-enabled
• rds-instance-default-admin-check
• rds-instance-deletion-protection-enabled
• rds-instance-iam-authentication-enabled
• rds-instance-public-access-check
• rds-in-backup-plan
• rds-last-backup-recovery-point-created
• rds-logging-enabled
• rds-multi-az-support
• rds-resources-protected-by-backup-plan
• rds-snapshots-public-prohibited
• rds-snapshot-encrypted
• rds-storage-encrypted
• redshift-audit-logging-enabled
• redshift-backup-enabled
• redshift-cluster-configuration-check
• redshift-cluster-kms-enabled
• redshift-cluster-maintenancesettings-check
• redshift-cluster-public-access-check
• redshift-default-admin-check
• redshift-default-db-name-check
• redshift-enhanced-vpc-routing-enabled
• redshift-require-tls-ssl
• required-tags
• restricted-common-ports
• root-account-hardware-mfa-enabled
• root-account-mfa-enabled
• route53-query-logging-enabled
• s3-account-level-public-access-blocks
• s3-account-level-public-access-blocks-periodic
• s3-bucket-acl-prohibited
• s3-bucket-blacklisted-actions-prohibited
• s3-bucket-default-lock-enabled
• s3-bucket-level-public-access-prohibited
• s3-bucket-logging-enabled
• s3-bucket-policy-grantee-check
• s3-bucket-policy-not-more-permissive
• s3-bucket-public-read-prohibited
• s3-bucket-public-write-prohibited
• s3-bucket-replication-enabled
• s3-bucket-server-side-encryption-enabled
• s3-bucket-ssl-requests-only
• s3-bucket-versioning-enabled
• s3-default-encryption-kms
• s3-event-notifications-enabled
• s3-last-backup-recovery-point-created
• s3-lifecycle-policy-check
• s3-resources-protected-by-backup-plan
• s3-version-lifecycle-policy-check
• sagemaker-endpoint-configuration-kms-key-configured
• sagemaker-notebook-instance-inside-vpc
• sagemaker-notebook-instance-kms-key-configured
• sagemaker-notebook-instance-root-access-check
• sagemaker-notebook-no-direct-internet-access
• secretsmanager-rotation-enabled-check
• secretsmanager-scheduled-rotation-success-check
• secretsmanager-secret-periodic-rotation
• secretsmanager-secret-unused
• secretsmanager-using-cmk
• securityhub-enabled
• security-account-information-provided
• service-vpc-endpoint-enabled
• ses-malware-scanning-enabled
• shield-advanced-enabled-autorenew
• shield-drt-access
• sns-encrypted-kms
• sns-topic-message-delivery-notification-enabled
• ssm-document-not-public
• step-functions-state-machine-logging-enabled
• storagegateway-last-backup-recovery-point-created
• storagegateway-resources-protected-by-backup-plan
• subnet-auto-assign-public-ip-disabled
• virtualmachine-last-backup-recovery-point-created
• virtualmachine-resources-protected-by-backup-plan
• vpc-default-security-group-closed
• vpc-flow-logs-enabled
• vpc-network-acl-unused-check
• vpc-peering-dns-resolution-check
• vpc-sg-open-only-to-authorized-ports
• vpc-vpn-2-tunnels-up
• wafv2-logging-enabled
• wafv2-rulegroup-logging-enabled
• wafv2-rulegroup-not-empty
• wafv2-webacl-not-empty
• waf-classic-logging-enabled
• waf-global-rulegroup-not-empty
• waf-global-rule-not-empty
• waf-global-webacl-not-empty
• waf-regional-rulegroup-not-empty
• waf-regional-rule-not-empty
• waf-regional-webacl-not-empty