Compliance and conformance
AMS Accelerate deploys and manages a library of AWS Config rules and remediation actions, grouped in conformance packs, to protect against misconfigurations that could reduce the security and operational integrity of your accounts.
Conformance packs are a collection of AWS Config Rules and remediation actions that AMS Accelerate deploys and manages in your accounts. These conformance packs are industry-standard compliance checks that track the configuration changes that occur among your resources, and determine whether these changes violate any rule conditions.
The AWS Config Rules deployed by AMS Accelerate evaluate the configurations of AWS resources in your accounts against the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) security frameworks. The rules that AMS Accelerate deploys and manages have the "AMS" prefix in the rule name.
As an example, when an Amazon S3 bucket is created, AWS Config can evaluate the Amazon S3 bucket against a rule that requires Amazon S3 buckets to deny public read access. If the Amazon S3 bucket policy or bucket access control list (ACL), allows public read access, AWS Config flags both the bucket and the rule as noncompliant. These AWS Config Rules mark resources as either Compliant, Noncompliant, or Not Applicable, based on the result of their evaluation. For more information about AWS Config service, see the AWS Config Developer Guide.
You can use the AWS Config console, AWS CLI, or AWS Config API to view the rules deployed in your account and the compliance state of your rules and resources. For more information, see the AWS Config documentation: Viewing Configuration Compliance.
Remediation using AWS Config Rules
AMS Accelerate has a library of AWS Systems Manager Automation documents and runbooks to assist in remediating noncompliant resources. AMS has defined remediation response plan to be implemented for each rule when a resource goes into noncompliance. Response plans are described below:
-
Automatic Remediation
When a resource goes into the noncompliant state, AMS automatically remediates the rules using automated SSM documents. Noncompliance of these rules may strongly impact the security and availability of your accounts. When the resource goes into noncompliance, you are notified with an incident report. When the resource is returned to the compliant state, you receive an update to the incident report. If the SSM document fails, then you receive an update on the incident, stating that automated remediation has failed, and an AMS engineer will be investigating the issue.
-
Automatic Incident
AMS automatically creates an incident report to notify you that a resource has gone into a noncompliant state and asks which actions you would like to be performed. You have the following options when responding to the incident:
-
Request that AMS remediate the noncompliant resources listed in the incident. Then, we attempt to remediate the noncompliant resource, and notify you once the underlying incident has been resolved.
-
You can resolve the noncompliant item manually in the console or through your automated deployment system (for example, CI/CD Pipeline template updates); then, you can resolve the incident. The noncompliant resource is re-evaluated as per the rule’s schedule and, if the resource is evaluated as noncompliant, a new incident report is created.
-
You can choose to not resolve the noncompliant resource and simply resolve the incident. If you update the configuration of the resource later, AWS Config will trigger a re-evaluation and you will again be alerted to evaluate the noncompliance of that resource.
-
-
Config Report Only
If your resource goes into a noncompliant state, AMS does not automatically remediate or notify you. You can review the compliance states of these rules using the AWS Config console, AWS CLI, or AWS Config API. Additionally, your CSDM will share a report of all rules in your environment upon request. This report highlights the compliant and noncompliant resources in your account.
For more details, see the following table, AMS AWS Config Rules Remediation.
Note You cannot modify the remediation category for the config rule at this time.
AMS Accelerate AWS Config Rules Inventory
| Rule Name | Identifier | Trigger Type |
|---|---|---|
| Remediation Category: Automatic Remediation | ||
| ams-nist-cis-guardduty-enabled-centralized | GUARDDUTY_ENABLED_CENTRALIZED | Periodic |
| ams-nist-cis-vpc-flow-logs-enabled | VPC_FLOW_LOGS_ENABLED | Periodic |
| Remediation Category: Auto Incident | ||
| ams-nist-cis-vpc-default-security-group-closed | VPC_DEFAULT_SECURITY_GROUP_CLOSED |
Config Changes |
| ams-nist-cis-iam-password-policy | IAM_PASSWORD_POLICY | Periodic |
| ams-nist-cis-iam-root-access-key-check | IAM_ROOT_ACCESS_KEY_CHECK | Periodic |
| ams-nist-cis-iam-user-mfa-enabled | IAM_USER_MFA_ENABLED | Periodic |
| ams-nist-cis-restricted-ssh | INCOMING_SSH_DISABLED | Config Changes |
| ams-nist-cis-restricted-common-ports | RESTRICTED_INCOMING_TRAFFIC | Config Changes |
| ams-nist-cis-s3-account-level-public-access-blocks | S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS | Config Changes |
| ams-nist-cis-s3-bucket-public-read-prohibited | S3_BUCKET_PUBLIC_READ_PROHIBITED | Config Changes |
| ams-nist-cis-s3-bucket-public-write-prohibited | S3_BUCKET_PUBLIC_WRITE_PROHIBITED | Config Changes |
| ams-nist-cis-s3-bucket-server-side-encryption-enabled | S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED | Config Changes |
| ams-nist-cis-securityhub-enabled | SECURITYHUB_ENABLED | Periodic |
| Remediation Category: Config Report Only | ||
| ams-nist-cis-ec2-instance-managed-by-systems-manager | EC2_INSTANCE_MANAGED_BY_SSM |
Config Changes |
| ams-nist-cis-cloudtrail-enabled | CLOUD_TRAIL_ENABLED | Periodic |
| ams-nist-cis-access-keys-rotated | ACCESS_KEYS_ROTATED | Periodic |
| ams-nist-cis-acm-certificate-expiration-check | ACM_CERTIFICATE_EXPIRATION_CHECK | Config Changes |
| ams-nist-cis-alb-http-to-https-redirection-check | ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | Periodic |
| ams-nist-cis-api-gw-cache-enabled-and-encrypted | API_GW_CACHE_ENABLED_AND_ENCRYPTED | Config Changes |
| ams-nist-cis-api-gw-execution-logging-enabled | API_GW_EXECUTION_LOGGING_ENABLED | Config Changes |
| ams-nist-autoscaling-group-elb-healthcheck-required | AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED | Config Changes |
| ams-nist-cis-cloud-trail-cloud-watch-logs-enabled | CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | Periodic |
| ams-nist-cis-cloud-trail-encryption-enabled | CLOUD_TRAIL_ENCRYPTION_ENABLED | Periodic |
| ams-nist-cis-cloud-trail-log-file-validation-enabled | CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | Periodic |
| ams-nist-cis-cloudtrail-s3-dataevents-enabled | CLOUDTRAIL_S3_DATAEVENTS_ENABLED | Periodic |
| ams-nist-cis-cloudwatch-alarm-action-check | CLOUDWATCH_ALARM_ACTION_CHECK | Config Changes |
| ams-nist-cis-cloudwatch-log-group-encrypted | CLOUDWATCH_LOG_GROUP_ENCRYPTED | Periodic |
| ams-nist-cis-codebuild-project-envvar-awscred-check | CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK | Config Changes |
| ams-nist-cis-codebuild-project-source-repo-url-check | CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK | Config Changes |
| ams-nist-cis-db-instance-backup-enabled | DB_INSTANCE_BACKUP_ENABLED | Config Changes |
| ams-nist-cis-dms-replication-not-public | DMS_REPLICATION_NOT_PUBLIC | Periodic |
| ams-nist-dynamodb-autoscaling-enabled | DYNAMODB_AUTOSCALING_ENABLED | Periodic |
| ams-nist-cis-dynamodb-pitr-enabled | DYNAMODB_PITR_ENABLED | Periodic |
| ams-nist-dynamodb-throughput-limit-check | DYNAMODB_THROUGHPUT_LIMIT_CHECK | Periodic |
| ams-nist-ebs-optimized-instance | EBS_OPTIMIZED_INSTANCE | Config Changes |
| ams-nist-cis-ebs-snapshot-public-restorable-check | EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | Periodic |
| ams-nist-ec2-instance-detailed-monitoring-enabled | EC2_INSTANCE_DETAILED_MONITORING_ENABLED | Config Changes |
| ams-nist-cis-ec2-instance-no-public-ip | EC2_INSTANCE_NO_PUBLIC_IP | Config Changes |
| ams-nist-cis-ec2-managedinstance-association-compliance-status-check | EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK | Config Changes |
| ams-nist-cis-ec2-managedinstance-patch-compliance-status-check | EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK | Config Changes |
| ams-nist-cis-ec2-security-group-attached-to-eni | EC2_SECURITY_GROUP_ATTACHED_TO_ENI | Config Changes |
| ams-nist-cis-ec2-stopped-instance | EC2_STOPPED_INSTANCE | Periodic |
| ams-nist-cis-ec2-volume-inuse-check | EC2_VOLUME_INUSE_CHECK | Config Changes |
| ams-nist-cis-efs-encrypted-check | EFS_ENCRYPTED_CHECK | Periodic |
| ams-nist-cis-eip-attached | EIP_ATTACHED | Config Changes |
| ams-nist-cis-elasticache-redis-cluster-automatic-backup-check | ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK | Periodic |
| ams-nist-cis-elasticsearch-encrypted-at-rest | ELASTICSEARCH_ENCRYPTED_AT_REST | Periodic |
| ams-nist-cis-elasticsearch-in-vpc-only | ELASTICSEARCH_IN_VPC_ONLY | Periodic |
| ams-nist-cis-elb-acm-certificate-required | ELB_ACM_CERTIFICATE_REQUIRED | Config Changes |
| ams-nist-elb-deletion-protection-enabled | ELB_DELETION_PROTECTION_ENABLED | Config Changes |
| ams-nist-cis-elb-logging-enabled | ELB_LOGGING_ENABLED | Config Changes |
| ams-nist-cis-emr-kerberos-enabled | EMR_KERBEROS_ENABLED | Periodic |
| ams-nist-cis-emr-master-no-public-ip | EMR_MASTER_NO_PUBLIC_IP | Periodic |
| ams-nist-cis-encrypted-volumes | ENCRYPTED_VOLUMES | Config Changes |
| ams-nist-cis-guardduty-non-archived-findings | GUARDDUTY_NON_ARCHIVED_FINDINGS | Periodic |
| ams-nist-iam-group-has-users-check | IAM_GROUP_HAS_USERS_CHECK | Config Changes |
| ams-nist-cis-iam-policy-no-statements-with-admin-access | IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | Config Changes |
| ams-nist-cis-iam-user-group-membership-check | IAM_USER_GROUP_MEMBERSHIP_CHECK | Config Changes |
| ams-nist-cis-iam-user-no-policies-check | IAM_USER_NO_POLICIES_CHECK | Config Changes |
| ams-nist-cis-iam-user-unused-credentials-check |
IAM_USER_UNUSED_CREDENTIALS_CHECK |
Periodic |
| ams-nist-cis-ec2-instances-in-vpc | INSTANCES_IN_VPC | Config Changes |
| ams-nist-cis-internet-gateway-authorized-vpc-only | INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | Periodic |
| ams-nist-cis-kms-cmk-not-scheduled-for-deletion | KMS_CMK_NOT_SCHEDULED_FOR_DELETION | Periodic |
| ams-nist-lambda-concurrency-check | LAMBDA_CONCURRENCY_CHECK | Config Changes |
| ams-nist-lambda-dlq-check | LAMBDA_DLQ_CHECK | Config Changes |
| ams-nist-cis-lambda-function-public-access-prohibited | LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED | Config Changes |
| ams-nist-cis-lambda-inside-vpc | LAMBDA_INSIDE_VPC | Config Changes |
| ams-nist-cis-mfa-enabled-for-iam-console-access | MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | Periodic |
| ams-nist-cis-multi-region-cloudtrail-enabled | MULTI_REGION_CLOUD_TRAIL_ENABLED | Periodic |
| ams-nist-rds-enhanced-monitoring-enabled | RDS_ENHANCED_MONITORING_ENABLED | Config Changes |
| ams-nist-cis-rds-instance-public-access-check | RDS_INSTANCE_PUBLIC_ACCESS_CHECK | Config Changes |
| ams-nist-rds-multi-az-support | RDS_MULTI_AZ_SUPPORT | Config Changes |
| ams-nist-cis-rds-snapshots-public-prohibited | RDS_SNAPSHOTS_PUBLIC_PROHIBITED | Config Changes |
| ams-nist-cis-rds-storage-encrypted | RDS_STORAGE_ENCRYPTED | Config Changes |
| ams-nist-cis-redshift-cluster-configuration-check | REDSHIFT_CLUSTER_CONFIGURATION_CHECK | Config Changes |
| ams-nist-cis-redshift-cluster-public-access-check | REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK | Config Changes |
| ams-nist-cis-redshift-require-tls-ssl | REDSHIFT_REQUIRE_TLS_SSL | Periodic |
| ams-nist-cis-root-account-hardware-mfa-enabled | ROOT_ACCOUNT_HARDWARE_MFA_ENABLED | Periodic |
| ams-nist-cis-root-account-mfa-enabled | ROOT_ACCOUNT_MFA_ENABLED | Periodic |
| ams-nist-cis-s3-bucket-default-lock-enabled | S3_BUCKET_DEFAULT_LOCK_ENABLED | Config Changes |
| ams-nist-cis-s3-bucket-logging-enabled | S3_BUCKET_LOGGING_ENABLED | Config Changes |
| ams-nist-cis-s3-bucket-replication-enabled | S3_BUCKET_REPLICATION_ENABLED | Config Changes |
| ams-nist-cis-s3-bucket-ssl-requests-only | S3_BUCKET_SSL_REQUESTS_ONLY | Config Changes |
| ams-nist-cis-s3-bucket-versioning-enabled | S3_BUCKET_VERSIONING_ENABLED | Periodic |
| ams-nist-cis-sagemaker-endpoint-configuration-kms-key-configured | SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED | Periodic |
| ams-nist-cis-sagemaker-notebook-instance-kms-key-configured | SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED | Periodic |
| ams-nist-cis-sagemaker-notebook-no-direct-internet-access | SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS | Periodic |
| ams-nist-cis-secretsmanager-rotation-enabled-check | SECRETSMANAGER_ROTATION_ENABLED_CHECK | Config Changes |
| ams-nist-cis-secretsmanager-scheduled-rotation-success-check | SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK | Config Changes |
| ams-nist-cis-sns-encrypted-kms | SNS_ENCRYPTED_KMS | Config Changes |
| ams-nist-cis-vpc-sg-open-only-to-authorized-ports | VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS | Config Changes |
| ams-nist-vpc-vpn-2-tunnels-up | VPC_VPN_2_TUNNELS_UP | Config Changes |
| ams-cis-ec2-ebs-encryption-by-default | EC2_EBS_ENCRYPTION_BY_DEFAULT | Periodic |
| ams-cis-rds-snapshot-encrypted | RDS_SNAPSHOT_ENCRYPTED | Config Changes |
| ams-cis-redshift-cluster-maintenancesettings-check | REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK | Config Changes |
