Compliance and conformance - AMS Accelerate Operations Plan

Compliance and conformance

AMS Accelerate deploys and manages a library of AWS Config rules and remediation actions, grouped in conformance packs, to protect against misconfigurations that could reduce the security and operational integrity of your accounts.

Conformance packs are collections of AWS Config Rules and remediation actions that AMS Accelerate deploys and manages in your accounts. These conformance packs are industry-standard compliance checks that track the configuration changes that occur among your resources and determine whether those changes violate any rule conditions.

The AWS Config Rules deployed by AMS Accelerate evaluate the configurations of AWS resources in your accounts against the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) security frameworks. The rules that AMS Accelerate deploys and manages have the "AMS" prefix in the rule name.

As an example, when an Amazon S3 bucket is created, AWS Config can evaluate the Amazon S3 bucket against a rule that requires Amazon S3 buckets to deny public read access. If the Amazon S3 bucket policy or bucket access control list (ACL) allows public read access, AWS Config flags both the bucket and the rule as noncompliant. These AWS Config Rules mark resources as either Compliant, Noncompliant, or Not Applicable, based on the result of their evaluation. For more information about the AWS Config service, see the AWS Config Developer Guide.
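The following Python is an added illustration of the kind of evaluation described above; it is not the managed rule's implementation and not AMS code. It models a simplified version of the public-read check: a bucket is reported NON_COMPLIANT if its ACL grants READ (or FULL_CONTROL) to one of the S3 global groups, or if its bucket policy has an unconditioned Allow statement that grants a read action to every principal. The sample buckets, owner ID, account ID and VPC endpoint ID are constructed values. The real S3_BUCKET_PUBLIC_READ_PROHIBITED rule also considers Public Access Block settings and performs a fuller policy analysis, so treat this as a teaching model of "policy or ACL allows public read", not as a substitute for AWS Config.

```python
"""Simplified model of how an AWS Config rule decides whether an S3 bucket
allows public read access. Illustrative example only (not AMS or AWS code):
the managed rule also evaluates Public Access Block settings and performs a
more complete policy analysis than the checks below."""

# S3 global group URIs; a READ grant to either makes the bucket public
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions (lower-cased) that grant object read or bucket listing
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def acl_allows_public_read(acl):
    """True if any ACL grant gives READ or FULL_CONTROL to an S3 global group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in READ_PERMISSIONS:
                return True
    return False


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_allows_public_read(policy):
    """True if an Allow statement with no Condition grants a read action to
    everyone. Simplification: any statement carrying a Condition is treated as
    not public; a real analysis would inspect the condition keys."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a.lower() in READ_ACTIONS for a in actions):
            return True
    return False


def evaluate_bucket(bucket):
    """Return the compliance type the rule would record for one bucket snapshot."""
    if acl_allows_public_read(bucket.get("Acl", {})):
        return "NON_COMPLIANT"
    if policy_allows_public_read(bucket.get("Policy", {})):
        return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample bucket snapshots (not real configuration items)
SAMPLE_BUCKETS = {
    "private-logs": {
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
                            "Permission": "FULL_CONTROL"}]},
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::private-logs/*"}]},
    },
    "public-via-acl": {
        "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                            "Permission": "READ"}]},
        "Policy": {},
    },
    "public-via-policy": {
        "Acl": {"Grants": []},
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::public-via-policy/*"}]},
    },
    "conditioned-policy": {
        "Acl": {"Grants": []},
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::conditioned-policy/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]},
    },
}


def evaluate_all(buckets=SAMPLE_BUCKETS):
    """Evaluate every sample bucket; returns {bucket_name: compliance_type}."""
    return {name: evaluate_bucket(b) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```

Running the block prints one line per sample bucket; the two public buckets come back NON_COMPLIANT, the private one and the one whose wildcard statement is scoped by a Condition come back COMPLIANT. In an account, this is the classification that surfaces in the AWS Config console and, for the AMS-managed rule, feeds the remediation category described later on this page.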

You can use the AWS Config console, AWS CLI, or AWS Config API to view the rules deployed in your account and the compliance state of your rules and resources. For more information, see the AWS Config documentation: Viewing Configuration Compliance.

Remediation using AWS Config Rules

AMS Accelerate has a library of AWS Systems Manager Automation documents and runbooks to assist in remediating noncompliant resources. AMS has defined a remediation response plan to be implemented for each rule when a resource goes into noncompliance. The response plans are described below:

  • Automatic Remediation

    When a resource goes into the noncompliant state, AMS automatically remediates the rules using automated SSM documents. Noncompliance of these rules may strongly impact the security and availability of your accounts. When the resource goes into noncompliance, you are notified with an incident report. When the resource is returned to the compliant state, you receive an update to the incident report. If the SSM document fails, then you receive an update on the incident, stating that automated remediation has failed, and an AMS engineer will be investigating the issue.

  • Automatic Incident

    AMS automatically creates an incident report to notify you that a resource has gone into a noncompliant state and asks which actions you would like to be performed. You have the following options when responding to the incident:

    • Request that AMS remediate the noncompliant resources listed in the incident. Then, we attempt to remediate the noncompliant resource, and notify you once the underlying incident has been resolved.

    • You can resolve the noncompliant item manually in the console or through your automated deployment system (for example, CI/CD Pipeline template updates); then, you can resolve the incident. The noncompliant resource is re-evaluated as per the rule’s schedule and, if the resource is evaluated as noncompliant, a new incident report is created.

    • You can choose to not resolve the noncompliant resource and simply resolve the incident. If you update the configuration of the resource later, AWS Config will trigger a re-evaluation and you will again be alerted to evaluate the noncompliance of that resource.

  • Config Report Only

    If your resource goes into a noncompliant state, AMS does not automatically remediate or notify you. You can review the compliance states of these rules using the AWS Config console, AWS CLI, or AWS Config API. Additionally, your CSDM will share a report of all rules in your environment upon request. This report highlights the compliant and noncompliant resources in your account.

    For more details, see the following table, AMS AWS Config Rules Remediation.

    Note

    You cannot modify the remediation category for the config rule at this time.

AMS Accelerate AWS Config Rules Inventory

Rule Name    Identifier    Trigger Type
Remediation Category: Automatic Remediation
ams-nist-cis-guardduty-enabled-centralized GUARDDUTY_ENABLED_CENTRALIZED Periodic
ams-nist-cis-vpc-flow-logs-enabled VPC_FLOW_LOGS_ENABLED Periodic
Remediation Category: Automatic Incident
ams-nist-cis-vpc-default-security-group-closed VPC_DEFAULT_SECURITY_GROUP_CLOSED Config Changes

ams-nist-cis-iam-password-policy IAM_PASSWORD_POLICY Periodic
ams-nist-cis-iam-root-access-key-check IAM_ROOT_ACCESS_KEY_CHECK Periodic
ams-nist-cis-iam-user-mfa-enabled IAM_USER_MFA_ENABLED Periodic
ams-nist-cis-restricted-ssh INCOMING_SSH_DISABLED Config Changes
ams-nist-cis-restricted-common-ports RESTRICTED_INCOMING_TRAFFIC Config Changes
ams-nist-cis-s3-account-level-public-access-blocks S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS Config Changes
ams-nist-cis-s3-bucket-public-read-prohibited S3_BUCKET_PUBLIC_READ_PROHIBITED Config Changes
ams-nist-cis-s3-bucket-public-write-prohibited S3_BUCKET_PUBLIC_WRITE_PROHIBITED Config Changes
ams-nist-cis-s3-bucket-server-side-encryption-enabled S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED Config Changes
ams-nist-cis-securityhub-enabled SECURITYHUB_ENABLED Periodic
Remediation Category: Config Report Only
ams-nist-cis-ec2-instance-managed-by-systems-manager EC2_INSTANCE_MANAGED_BY_SSM Config Changes

ams-nist-cis-cloudtrail-enabled CLOUD_TRAIL_ENABLED Periodic
ams-nist-cis-access-keys-rotated ACCESS_KEYS_ROTATED Periodic
ams-nist-cis-acm-certificate-expiration-check ACM_CERTIFICATE_EXPIRATION_CHECK Config Changes
ams-nist-cis-alb-http-to-https-redirection-check ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK Periodic
ams-nist-cis-api-gw-cache-enabled-and-encrypted API_GW_CACHE_ENABLED_AND_ENCRYPTED Config Changes
ams-nist-cis-api-gw-execution-logging-enabled API_GW_EXECUTION_LOGGING_ENABLED Config Changes
ams-nist-autoscaling-group-elb-healthcheck-required AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED Config Changes
ams-nist-cis-cloud-trail-cloud-watch-logs-enabled CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Periodic
ams-nist-cis-cloud-trail-encryption-enabled CLOUD_TRAIL_ENCRYPTION_ENABLED Periodic
ams-nist-cis-cloud-trail-log-file-validation-enabled CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED Periodic
ams-nist-cis-cloudtrail-s3-dataevents-enabled CLOUDTRAIL_S3_DATAEVENTS_ENABLED Periodic
ams-nist-cis-cloudwatch-alarm-action-check CLOUDWATCH_ALARM_ACTION_CHECK Config Changes
ams-nist-cis-cloudwatch-log-group-encrypted CLOUDWATCH_LOG_GROUP_ENCRYPTED Periodic
ams-nist-cis-codebuild-project-envvar-awscred-check CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK Config Changes
ams-nist-cis-codebuild-project-source-repo-url-check CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK Config Changes
ams-nist-cis-db-instance-backup-enabled DB_INSTANCE_BACKUP_ENABLED Config Changes
ams-nist-cis-dms-replication-not-public DMS_REPLICATION_NOT_PUBLIC Periodic
ams-nist-dynamodb-autoscaling-enabled DYNAMODB_AUTOSCALING_ENABLED Periodic
ams-nist-cis-dynamodb-pitr-enabled DYNAMODB_PITR_ENABLED Periodic
ams-nist-dynamodb-throughput-limit-check DYNAMODB_THROUGHPUT_LIMIT_CHECK Periodic
ams-nist-ebs-optimized-instance EBS_OPTIMIZED_INSTANCE Config Changes
ams-nist-cis-ebs-snapshot-public-restorable-check EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK Periodic
ams-nist-ec2-instance-detailed-monitoring-enabled EC2_INSTANCE_DETAILED_MONITORING_ENABLED Config Changes
ams-nist-cis-ec2-instance-no-public-ip EC2_INSTANCE_NO_PUBLIC_IP Config Changes
ams-nist-cis-ec2-managedinstance-association-compliance-status-check EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK Config Changes
ams-nist-cis-ec2-managedinstance-patch-compliance-status-check EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK Config Changes
ams-nist-cis-ec2-security-group-attached-to-eni EC2_SECURITY_GROUP_ATTACHED_TO_ENI Config Changes
ams-nist-cis-ec2-stopped-instance EC2_STOPPED_INSTANCE Periodic
ams-nist-cis-ec2-volume-inuse-check EC2_VOLUME_INUSE_CHECK Config Changes
ams-nist-cis-efs-encrypted-check EFS_ENCRYPTED_CHECK Periodic
ams-nist-cis-eip-attached EIP_ATTACHED Config Changes
ams-nist-cis-elasticache-redis-cluster-automatic-backup-check ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK Periodic
ams-nist-cis-elasticsearch-encrypted-at-rest ELASTICSEARCH_ENCRYPTED_AT_REST Periodic
ams-nist-cis-elasticsearch-in-vpc-only ELASTICSEARCH_IN_VPC_ONLY Periodic
ams-nist-cis-elb-acm-certificate-required ELB_ACM_CERTIFICATE_REQUIRED Config Changes
ams-nist-elb-deletion-protection-enabled ELB_DELETION_PROTECTION_ENABLED Config Changes
ams-nist-cis-elb-logging-enabled ELB_LOGGING_ENABLED Config Changes
ams-nist-cis-emr-kerberos-enabled EMR_KERBEROS_ENABLED Periodic
ams-nist-cis-emr-master-no-public-ip EMR_MASTER_NO_PUBLIC_IP Periodic
ams-nist-cis-encrypted-volumes ENCRYPTED_VOLUMES Config Changes
ams-nist-cis-guardduty-non-archived-findings GUARDDUTY_NON_ARCHIVED_FINDINGS Periodic
ams-nist-iam-group-has-users-check IAM_GROUP_HAS_USERS_CHECK Config Changes
ams-nist-cis-iam-policy-no-statements-with-admin-access IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Config Changes
ams-nist-cis-iam-user-group-membership-check IAM_USER_GROUP_MEMBERSHIP_CHECK Config Changes
ams-nist-cis-iam-user-no-policies-check IAM_USER_NO_POLICIES_CHECK Config Changes
ams-nist-cis-iam-user-unused-credentials-check IAM_USER_UNUSED_CREDENTIALS_CHECK Periodic
ams-nist-cis-ec2-instances-in-vpc INSTANCES_IN_VPC Config Changes
ams-nist-cis-internet-gateway-authorized-vpc-only INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY Periodic
ams-nist-cis-kms-cmk-not-scheduled-for-deletion KMS_CMK_NOT_SCHEDULED_FOR_DELETION Periodic
ams-nist-lambda-concurrency-check LAMBDA_CONCURRENCY_CHECK Config Changes
ams-nist-lambda-dlq-check LAMBDA_DLQ_CHECK Config Changes
ams-nist-cis-lambda-function-public-access-prohibited LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED Config Changes
ams-nist-cis-lambda-inside-vpc LAMBDA_INSIDE_VPC Config Changes
ams-nist-cis-mfa-enabled-for-iam-console-access MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Periodic
ams-nist-cis-multi-region-cloudtrail-enabled MULTI_REGION_CLOUD_TRAIL_ENABLED Periodic
ams-nist-rds-enhanced-monitoring-enabled RDS_ENHANCED_MONITORING_ENABLED Config Changes
ams-nist-cis-rds-instance-public-access-check RDS_INSTANCE_PUBLIC_ACCESS_CHECK Config Changes
ams-nist-rds-multi-az-support RDS_MULTI_AZ_SUPPORT Config Changes
ams-nist-cis-rds-snapshots-public-prohibited RDS_SNAPSHOTS_PUBLIC_PROHIBITED Config Changes
ams-nist-cis-rds-storage-encrypted RDS_STORAGE_ENCRYPTED Config Changes
ams-nist-cis-redshift-cluster-configuration-check REDSHIFT_CLUSTER_CONFIGURATION_CHECK Config Changes
ams-nist-cis-redshift-cluster-public-access-check REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK Config Changes
ams-nist-cis-redshift-require-tls-ssl REDSHIFT_REQUIRE_TLS_SSL Periodic
ams-nist-cis-root-account-hardware-mfa-enabled ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Periodic
ams-nist-cis-root-account-mfa-enabled ROOT_ACCOUNT_MFA_ENABLED Periodic
ams-nist-cis-s3-bucket-default-lock-enabled S3_BUCKET_DEFAULT_LOCK_ENABLED Config Changes
ams-nist-cis-s3-bucket-logging-enabled S3_BUCKET_LOGGING_ENABLED Config Changes
ams-nist-cis-s3-bucket-replication-enabled S3_BUCKET_REPLICATION_ENABLED Config Changes
ams-nist-cis-s3-bucket-ssl-requests-only S3_BUCKET_SSL_REQUESTS_ONLY Config Changes
ams-nist-cis-s3-bucket-versioning-enabled S3_BUCKET_VERSIONING_ENABLED Periodic
ams-nist-cis-sagemaker-endpoint-configuration-kms-key-configured SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED Periodic
ams-nist-cis-sagemaker-notebook-instance-kms-key-configured SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED Periodic
ams-nist-cis-sagemaker-notebook-no-direct-internet-access SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS Periodic
ams-nist-cis-secretsmanager-rotation-enabled-check SECRETSMANAGER_ROTATION_ENABLED_CHECK Config Changes
ams-nist-cis-secretsmanager-scheduled-rotation-success-check SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK Config Changes
ams-nist-cis-sns-encrypted-kms SNS_ENCRYPTED_KMS Config Changes
ams-nist-cis-vpc-sg-open-only-to-authorized-ports VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS Config Changes
ams-nist-vpc-vpn-2-tunnels-up VPC_VPN_2_TUNNELS_UP Config Changes
ams-cis-ec2-ebs-encryption-by-default EC2_EBS_ENCRYPTION_BY_DEFAULT Periodic
ams-cis-rds-snapshot-encrypted RDS_SNAPSHOT_ENCRYPTED Config Changes
ams-cis-redshift-cluster-maintenancesettings-check REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK Config Changes
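The following Python is an added example that ties the "view compliance with the AWS CLI or API" step to the response plans and inventory above; it is not AMS tooling. It reads output in the shape returned by `aws configservice describe-compliance-by-config-rule` (the ComplianceByConfigRules list), keeps only NON_COMPLIANT rules carrying the AMS prefix, and groups them by remediation category together with the action the page says to expect. The two explicit rule sets are copied from the inventory table; the assumption that any other AMS-prefixed rule falls under Config Report Only holds for the inventory on this page but should be re-checked against the table whenever rules are added. The JSON sample is constructed, not taken from a real account.

```python
"""Group NON_COMPLIANT AMS-managed AWS Config rules by remediation category.

Added example, not AMS code. Input is the JSON shape produced by
`aws configservice describe-compliance-by-config-rule`. The category sets
below come from the inventory table on this page; any other "ams-" rule is
ASSUMED to be Config Report Only (true for this inventory, re-check if the
table changes)."""
import json
from collections import defaultdict

AUTOMATIC_REMEDIATION = {
    "ams-nist-cis-guardduty-enabled-centralized",
    "ams-nist-cis-vpc-flow-logs-enabled",
}
AUTOMATIC_INCIDENT = {
    "ams-nist-cis-vpc-default-security-group-closed",
    "ams-nist-cis-iam-password-policy",
    "ams-nist-cis-iam-root-access-key-check",
    "ams-nist-cis-iam-user-mfa-enabled",
    "ams-nist-cis-restricted-ssh",
    "ams-nist-cis-restricted-common-ports",
    "ams-nist-cis-s3-account-level-public-access-blocks",
    "ams-nist-cis-s3-bucket-public-read-prohibited",
    "ams-nist-cis-s3-bucket-public-write-prohibited",
    "ams-nist-cis-s3-bucket-server-side-encryption-enabled",
    "ams-nist-cis-securityhub-enabled",
}

# What the page says happens in each category when a resource is noncompliant
EXPECTED_ACTION = {
    "Automatic Remediation": "AMS remediates with an SSM document and sends an incident report",
    "Automatic Incident": "AMS opens an incident and asks which action you want taken",
    "Config Report Only": "no remediation or notification; review in AWS Config",
}


def remediation_category(rule_name):
    """Map an AMS rule name to its remediation category."""
    if rule_name in AUTOMATIC_REMEDIATION:
        return "Automatic Remediation"
    if rule_name in AUTOMATIC_INCIDENT:
        return "Automatic Incident"
    return "Config Report Only"  # assumption, see module docstring


def summarize(compliance_json):
    """Return {category: [(rule_name, noncompliant_resource_count), ...]} for
    NON_COMPLIANT rules whose name carries the AMS prefix; other rules are ignored."""
    data = json.loads(compliance_json) if isinstance(compliance_json, str) else compliance_json
    summary = defaultdict(list)
    for entry in data.get("ComplianceByConfigRules", []):
        name = entry["ConfigRuleName"]
        if not name.lower().startswith("ams-"):
            continue  # customer-managed rule, not part of the AMS library
        compliance = entry.get("Compliance", {})
        if compliance.get("ComplianceType") != "NON_COMPLIANT":
            continue
        # CappedCount is the number of noncompliant resources (capped by the API)
        count = compliance.get("ComplianceContributorCount", {}).get("CappedCount", 0)
        summary[remediation_category(name)].append((name, count))
    return {category: sorted(rules) for category, rules in summary.items()}


# Constructed sample API output (not from a real account)
SAMPLE_OUTPUT = json.dumps({
    "ComplianceByConfigRules": [
        {"ConfigRuleName": "ams-nist-cis-vpc-flow-logs-enabled",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 1, "CapExceeded": False}}},
        {"ConfigRuleName": "ams-nist-cis-s3-bucket-public-read-prohibited",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 3, "CapExceeded": False}}},
        {"ConfigRuleName": "ams-nist-cis-iam-user-mfa-enabled",
         "Compliance": {"ComplianceType": "COMPLIANT"}},
        {"ConfigRuleName": "ams-nist-cis-access-keys-rotated",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 2, "CapExceeded": False}}},
        {"ConfigRuleName": "custom-tagging-rule",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 9, "CapExceeded": False}}},
    ]
})

if __name__ == "__main__":
    for category, rules in summarize(SAMPLE_OUTPUT).items():
        print(f"{category}: {EXPECTED_ACTION[category]}")
        for rule, count in rules:
            print(f"  {rule} ({count} noncompliant resource(s))")
```

Against a live account you would feed the script the output of `aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT` instead of SAMPLE_OUTPUT. The grouping is useful because the three categories carry different expectations: an Automatic Remediation finding should already have an incident and an SSM run behind it, an Automatic Incident finding is waiting on your reply, and a Config Report Only finding will not be raised to you at all unless you look for it.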