Configuration Compliance
AMS Accelerate helps ensure that all of your resources are configured to high standards for security and operational integrity, and comply with the following industry standards:
- Center for Internet Security (CIS)
- National Institute of Standards and Technology (NIST) Cloud Security Framework (CSF)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) Data Security Standard (DSS)
We do this by deploying our entire AMS Config Rule library to your account. Any configuration change triggers a large number of rules to test compliance.

For example, suppose you create an Amazon S3 bucket and configure it to be publicly readable, in violation of NIST standards. The ams-nist-cis-s3-bucket-public-read-prohibited rule detects the violation and labels your S3 bucket Noncompliant in your Configuration Report. Because this rule belongs to the Auto Incident remediation category, it immediately creates an Incident Report, alerting you to the issue. Other, more severe rule violations might cause AMS to automatically remediate the issue. See Responses to violations.
If you want us to do more, for example, if you want AMS to remediate a violation for you, regardless of its remediation category, use the Incident Report to request that AMS remediate the noncompliant resources for you.
If you want us to do less, for example, if you don't want us to take action on a particular S3 bucket that requires public access by design, you can create Rule exceptions.
AMS Config Rule library
By default, Accelerate deploys all of the following rules to your account. AMS Config Rules always begin with ams-. You can view the rules within your account, and their compliance state, from the AWS Config console, the AWS CLI, or the AWS Config API. For general information about using AWS Config, see Viewing Configuration Compliance.
You cannot remove any of the deployed AMS Config Rules at this time.
Table of Rules
In this table, rules are sorted by Remediation Category (severity).
Download as aws_config_rules_inventory.zip.
Rule Name | Identifier | Trigger | Frameworks | CIS | NIST-CSF | HIPAA | PCI |
---|---|---|---|---|---|---|---|
Remediation Category: Automatic Remediation | |||||||
ams-nist-cis-guardduty-enabled-centralized | GUARDDUTY_ENABLED_CENTRALIZED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 2.2 3.4 8.2.1 |
ams-nist-cis-vpc-flow-logs-enabled | VPC_FLOW_LOGS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 |
Remediation Category: Auto Incident | |||||||
ams-eks-secrets-encrypted | EKS_SECRETS_ENCRYPTED | Periodic | N/A | N/A | N/A | N/A | N/A |
ams-eks-endpoint-no-public-access | EKS_ENDPOINT_NO_PUBLIC_ACCESS | Periodic | N/A | N/A | N/A | N/A | N/A |
ams-nist-cis-vpc-default-security-group-closed | VPC_DEFAULT_SECURITY_GROUP_CLOSED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.312(e)(1) | 1.2 1.3 2.1 2.2 1.2.1 1.3.1 1.3.2 2.2.2 |
ams-nist-cis-iam-password-policy | IAM_PASSWORD_POLICY | Periodic | NIST, HIPAA, PCI | NA | PR.AC-1 PR.AC-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 7.1.2 7.1.3 7.2.1 7.2.2 |
ams-nist-cis-iam-root-access-key-check | IAM_ROOT_ACCESS_KEY_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-1 PR.AC-4 PR.PT-3 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.1.2 7.1.3 7.2.1 7.2.2 |
ams-nist-cis-iam-user-mfa-enabled | IAM_USER_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.1.2 7.1.3 7.2.1 7.2.2 |
ams-nist-cis-restricted-ssh | INCOMING_SSH_DISABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.2.1 8.1.4 |
ams-nist-cis-restricted-common-ports | RESTRICTED_INCOMING_TRAFFIC | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 2.2.2 |
ams-nist-cis-s3-account-level-public-access-blocks | S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.9 CIS.12 CIS.14 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.2.1 1.3 1.3.1 1.3.2 1.3.4 1.3.6 2.2 2.2.2 |
ams-nist-cis-s3-bucket-public-read-prohibited | S3_BUCKET_PUBLIC_READ_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-s3-bucket-public-write-prohibited | S3_BUCKET_PUBLIC_WRITE_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-s3-bucket-server-side-encryption-enabled | S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(c)(2) 164.312(e)(2)(ii) | 2.2 3.4 10.5 8.2.1 |
ams-nist-cis-securityhub-enabled | SECURITYHUB_ENABLED | Periodic | CIS, NIST, HIPAA | CIS.3 CIS.4 CIS.6 CIS.12 CIS.16 CIS.19 | PR.DS-5 PR.PT-1 | 164.312(b) | NA |
Remediation Category: Config Report Only | |||||||
ams-nist-cis-ec2-instance-managed-by-systems-manager | EC2_INSTANCE_MANAGED_BY_SSM | Config Changes | CIS, NIST, HIPAA, PCI | CIS.2 CIS.5 | ID.AM-2 PR.IP-1 | 164.308(a)(5)(ii)(B) | 2.4 |
ams-nist-cis-cloudtrail-enabled | CLOUD_TRAIL_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.MA-2 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(b) | 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.6 10.2.7 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 |
ams-nist-cis-access-keys-rotated | ACCESS_KEYS_ROTATED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 | 164.308(a)(4)(ii)(B) | 2.2 |
ams-nist-cis-acm-certificate-expiration-check | ACM_CERTIFICATE_EXPIRATION_CHECK | Config Changes | CIS, NIST, PCI | CIS.13 CIS.14 | PR.AC-5 PR.PT-4 | NA | 4.1 |
ams-nist-cis-alb-http-to-https-redirection-check | ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 2.3 4.1 8.2.1 |
ams-nist-cis-api-gw-cache-enabled-and-encrypted | API_GW_CACHE_ENABLED_AND_ENCRYPTED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 |
ams-nist-cis-api-gw-execution-logging-enabled | API_GW_EXECUTION_LOGGING_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.312(b) | 10.1 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.4 |
ams-nist-autoscaling-group-elb-healthcheck-required | AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED | Config Changes | NIST, HIPAA, PCI | NA | PR.PT-1 PR.PT-5 | 164.312(b) | 2.2 |
ams-nist-cis-cloud-trail-cloud-watch-logs-enabled | CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.3 10.5.4 |
ams-nist-cis-cloud-trail-encryption-enabled | CLOUD_TRAIL_ENCRYPTION_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 2.2 3.4 10.5 |
ams-nist-cis-cloud-trail-log-file-validation-enabled | CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | PR.DS-6 | 164.312(c)(1) 164.312(c)(2) | 2.2 10.5 11.5 10.5.2 10.5.5 |
ams-nist-cis-cloudtrail-s3-dataevents-enabled | CLOUDTRAIL_S3_DATAEVENTS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 |
ams-nist-cis-cloudwatch-alarm-action-check | CLOUDWATCH_ALARM_ACTION_CHECK | Config Changes | CIS, HIPAA | CIS.13 CIS.14 | NA | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 |
ams-nist-cis-cloudwatch-log-group-encrypted | CLOUDWATCH_LOG_GROUP_ENCRYPTED | Periodic | CIS, HIPAA, PCI | CIS.13 CIS.14 | NA | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 |
ams-nist-cis-codebuild-project-envvar-awscred-check | CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.18 | PR.DS-5 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 8.2.1 |
ams-nist-cis-codebuild-project-source-repo-url-check | CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.18 | PR.DS-5 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 8.2.1 |
ams-nist-cis-db-instance-backup-enabled | DB_INSTANCE_BACKUP_ENABLED | Config Changes | CIS, NIST, HIPAA | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | NA |
ams-nist-cis-dms-replication-not-public | DMS_REPLICATION_NOT_PUBLIC | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-dynamodb-autoscaling-enabled | DYNAMODB_AUTOSCALING_ENABLED | Periodic | NIST, HIPAA | NA | ID.BE-5 PR.DS-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(C) | NA |
ams-nist-cis-dynamodb-pitr-enabled | DYNAMODB_PITR_ENABLED | Periodic | CIS, NIST, HIPAA | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | NA |
ams-nist-dynamodb-throughput-limit-check | DYNAMODB_THROUGHPUT_LIMIT_CHECK | Periodic | HIPAA | NA | NA | 164.312(b) | NA |
ams-nist-ebs-optimized-instance | EBS_OPTIMIZED_INSTANCE | Config Changes | HIPAA | NA | NA | 164.308(a)(7)(i) | NA |
ams-nist-cis-ebs-snapshot-public-restorable-check | EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-ec2-instance-detailed-monitoring-enabled | EC2_INSTANCE_DETAILED_MONITORING_ENABLED | Config Changes | NIST, HIPAA, PCI | NA | DE.AE-1 PR.PT-1 | 164.312(b) | NA |
ams-nist-cis-ec2-instance-no-public-ip | EC2_INSTANCE_NO_PUBLIC_IP | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-ec2-managedinstance-association-compliance-status-check | EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-ec2-managedinstance-patch-compliance-status-check | EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.2 CIS.5 | ID.AM-2 PR.IP-1 | 164.308(a)(5)(ii)(B) | 6.2 |
ams-nist-cis-ec2-stopped-instance | EC2_STOPPED_INSTANCE | Periodic | CIS, NIST | CIS.2 | ID.AM-2 PR.IP-1 | NA | NA |
ams-nist-cis-ec2-volume-inuse-check | EC2_VOLUME_INUSE_CHECK | Config Changes | CIS, NIST | CIS.2 | PR.IP-1 | NA | NA |
ams-nist-cis-efs-encrypted-check | EFS_ENCRYPTED_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-nist-cis-eip-attached | EIP_ATTACHED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-nist-cis-elasticache-redis-cluster-automatic-backup-check | ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK | Periodic | CIS, NIST, HIPAA | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | NA |
ams-nist-cis-elasticsearch-encrypted-at-rest | ELASTICSEARCH_ENCRYPTED_AT_REST | Periodic | CIS, NIST, HIPAA, PCI | CIS.14 CIS.13 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-nist-cis-elasticsearch-in-vpc-only | ELASTICSEARCH_IN_VPC_ONLY | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-nist-cis-elb-acm-certificate-required | ELB_ACM_CERTIFICATE_REQUIRED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-elb-deletion-protection-enabled | ELB_DELETION_PROTECTION_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 4.1 8.2.1 |
ams-nist-cis-elb-logging-enabled | ELB_LOGGING_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.312(b) | 10.1 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.4 |
ams-nist-cis-emr-kerberos-enabled | EMR_KERBEROS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.312(b) | 10.1 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.4 |
ams-nist-cis-emr-master-no-public-ip | EMR_MASTER_NO_PUBLIC_IP | Periodic | CIS, NIST, HIPAA, PCI | CIS.14 CIS.16 | PR.AC-1 PR.AC-4 PR.AC-6 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 7.2.1 |
ams-nist-cis-encrypted-volumes | ENCRYPTED_VOLUMES | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-guardduty-non-archived-findings | GUARDDUTY_NON_ARCHIVED_FINDINGS | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.13 CIS.16 CIS.19 CIS.3 CIS.4 CIS.6 CIS.8 | DE.AE-2 DE.AE-3 DE.CM-4 DE.DP-5 ID.RA-1 ID.RA-3 PR.DS-5 PR.PT-1 | 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.312(b) | 6.1 11.4 5.1.2 |
ams-nist-iam-group-has-users-check | IAM_GROUP_HAS_USERS_CHECK | Config Changes | NIST, HIPAA, PCI | NA | PR.AC-4 PR.AC-1 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 7.1.2 7.1.3 7.2.1 7.2.2 |
ams-nist-cis-iam-policy-no-statements-with-admin-access | IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-6 PR.AC-7 | 164.308(a)(4)(ii)(B) 164.308(a)(5)(ii)(D) 164.312(d) | 8.2.3 8.2.4 8.2.5 |
ams-nist-cis-iam-user-group-membership-check | IAM_USER_GROUP_MEMBERSHIP_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-1 PR.AC-4 PR.PT-3 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(a)(2)(i) | 2.2 7.1.2 7.2.1 8.1.1 |
ams-nist-cis-iam-user-no-policies-check | IAM_USER_NO_POLICIES_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-7 | 164.308(a)(4)(ii)(B) 164.312(d) | 8.3 |
ams-nist-cis-iam-user-unused-credentials-check | IAM_USER_UNUSED_CREDENTIALS_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-4 PR.PT-3 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.1.2 7.1.3 7.2.1 7.2.2 |
ams-nist-cis-ec2-instances-in-vpc | INSTANCES_IN_VPC | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 2.2.2 |
ams-nist-cis-internet-gateway-authorized-vpc-only | INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | Periodic | CIS | CIS.9 CIS.12 | NA | NA | NA |
ams-nist-cis-kms-cmk-not-scheduled-for-deletion | KMS_CMK_NOT_SCHEDULED_FOR_DELETION | Periodic | CIS, NIST, PCI | CIS.13 CIS.14 | PR.DS-1 | NA | 3.5 3.6 |
ams-nist-lambda-concurrency-check | LAMBDA_CONCURRENCY_CHECK | Config Changes | HIPAA | NA | NA | 164.312(b) | NA |
ams-nist-lambda-dlq-check | LAMBDA_DLQ_CHECK | Config Changes | HIPAA | NA | NA | 164.312(b) | NA |
ams-nist-cis-lambda-function-public-access-prohibited | LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 2.2.2 |
ams-nist-cis-lambda-inside-vpc | LAMBDA_INSIDE_VPC | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 2.2.2 |
ams-nist-cis-mfa-enabled-for-iam-console-access | MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-7 | 164.312(d) | 2.2 8.3 |
ams-nist-cis-multi-region-cloudtrail-enabled | MULTI_REGION_CLOUD_TRAIL_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.MA-2 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.6 10.2.7 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 |
ams-nist-rds-enhanced-monitoring-enabled | RDS_ENHANCED_MONITORING_ENABLED | Config Changes | NIST, HIPAA | NA | PR.PT-1 | 164.312(b) | NA |
ams-nist-cis-rds-instance-public-access-check | RDS_INSTANCE_PUBLIC_ACCESS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-rds-multi-az-support | RDS_MULTI_AZ_SUPPORT | Config Changes | NIST, HIPAA | NA | ID.BE-5 PR.DS-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(C) | NA |
ams-nist-cis-rds-snapshots-public-prohibited | RDS_SNAPSHOTS_PUBLIC_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-rds-storage-encrypted | RDS_STORAGE_ENCRYPTED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.5 CIS.6 | DE.AE-1 DE.AE-3 PR.DS-1 PR.PT-1 | 164.312(a)(2)(iv) 164.312(b) 164.312(e)(2)(ii) | 3.4 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 8.2.1 |
ams-nist-cis-redshift-cluster-configuration-check | REDSHIFT_CLUSTER_CONFIGURATION_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 CIS.13 CIS.5 | DE.AE-1 DE.AE-3 PR.DS-1 PR.PT-1 | 164.312(a)(2)(iv) 164.312(b) 164.312(e)(2)(ii) | 3.4 8.2.1 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 |
ams-nist-cis-redshift-cluster-public-access-check | REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-redshift-require-tls-ssl | REDSHIFT_REQUIRE_TLS_SSL | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 2.3 4.1 |
ams-nist-cis-root-account-hardware-mfa-enabled | ROOT_ACCOUNT_HARDWARE_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-7 | 164.312(d) | 2.2 8.3 |
ams-nist-cis-root-account-mfa-enabled | ROOT_ACCOUNT_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-7 | 164.312(d) | 2.2 8.3 |
ams-nist-cis-s3-bucket-default-lock-enabled | S3_BUCKET_DEFAULT_LOCK_ENABLED | Config Changes | CIS, NIST | CIS.14 CIS.13 | ID.BE-5 PR.PT-5 RC.RP-1 | NA | NA |
ams-nist-cis-s3-bucket-logging-enabled | S3_BUCKET_LOGGING_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.7 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 |
ams-nist-cis-s3-bucket-replication-enabled | S3_BUCKET_REPLICATION_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | 2.2 10.5.3 |
ams-nist-cis-s3-bucket-ssl-requests-only | S3_BUCKET_SSL_REQUESTS_ONLY | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(c)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 2.2 4.1 8.2.1 |
ams-nist-cis-s3-bucket-versioning-enabled | S3_BUCKET_VERSIONING_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.10 | ID.BE-5 PR.DS-4 PR.DS-6 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) 164.312(c)(1) 164.312(c)(2) | 10.5.3 |
ams-nist-cis-sagemaker-endpoint-configuration-kms-key-configured | SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-nist-cis-sagemaker-notebook-instance-kms-key-configured | SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-nist-cis-sagemaker-notebook-no-direct-internet-access | SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2 |
ams-nist-cis-secretsmanager-rotation-enabled-check | SECRETSMANAGER_ROTATION_ENABLED_CHECK | Config Changes | CIS, NIST, HIPAA | CIS.16 | PR.AC-1 | 164.308(a)(4)(ii)(B) | NA |
ams-nist-cis-secretsmanager-scheduled-rotation-success-check | SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK | Config Changes | CIS, NIST, HIPAA | CIS.16 | PR.AC-1 | 164.308(a)(4)(ii)(B) | NA |
ams-nist-cis-sns-encrypted-kms | SNS_ENCRYPTED_KMS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 8.2.1 |
ams-nist-cis-vpc-sg-open-only-to-authorized-ports | VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 2.2.2 |
ams-nist-vpc-vpn-2-tunnels-up | VPC_VPN_2_TUNNELS_UP | Config Changes | NIST, HIPAA | NA | ID.BE-5 PR.DS-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) | NA |
ams-cis-ec2-ebs-encryption-by-default | EC2_EBS_ENCRYPTION_BY_DEFAULT | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 2.2 3.4 8.2.1 |
ams-cis-rds-snapshot-encrypted | RDS_SNAPSHOT_ENCRYPTED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1 |
ams-cis-redshift-cluster-maintenancesettings-check | REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.5 | PR.DS-4 PR.IP-1 PR.IP-4 | 164.308(a)(5)(ii)(A) 164.308(a)(7)(ii)(A) | 6.2 |
Responses to violations
All Config Rule violations appear in your Configuration Report. This is the universal response. Depending on the Remediation Category (severity) of the rule, AMS may take additional actions, summarized in the following table.
You cannot modify the Remediation Category for a Config Rule at this time.
Automated Responses
Remediation Category | AMS Actions |
---|---|
Config Report Only | The violation appears in your Configuration Report; by default, AMS takes no further action. |
Auto Incident | AMS automatically creates an Incident Report and asks which actions you want performed. |
Auto Remediate | AMS creates an Incident Report, starts an automated remediation using SSM documents, and updates the Incident Report with the result. |
Requesting Additional Help
AMS can remediate any violation for you, regardless of its remediation category. To request help, open an Incident Report, and indicate which resources you want AMS to remediate.
AMS Accelerate has a library of AWS Systems Manager Automation documents and runbooks to assist in remediating noncompliant resources.
Add to Config Report
AMS generates a Config Report that tracks the compliance status of all rules and resources in your account. You can request the report from your CSDM. You can also review compliance status from the AWS Config console, AWS CLI, or AWS Config API. Your Config Report includes:
- the top noncompliant resources in your environment, to help you discover potential threats and misconfigurations
- compliance of resources and config rules over time
- config rule descriptions, severity of rules, and recommended remediation steps to fix noncompliant resources
When any resource goes into a noncompliant state, the resource status (and rule status) becomes Noncompliant in your Config Report. If the rule belongs to the Config Report Only remediation category, by default, AMS takes no further action. You can always create an Incident Report to request additional help or remediation from AMS.
See the AWS Config Reporting section for more details.
Automatic Incident Report
For moderately severe rule violations, AMS automatically creates an Incident Report to notify you that a resource has gone into a noncompliant state, and asks which actions you would like to be performed. You have the following options when responding to an incident:
- Request that AMS remediate the noncompliant resources listed in the incident. We then attempt to remediate the noncompliant resource and notify you once the underlying incident has been resolved.
- Resolve the noncompliant item manually in the console or through your automated deployment system (for example, CI/CD pipeline template updates), then resolve the incident. The noncompliant resource is re-evaluated as per the rule's schedule and, if the resource is again evaluated as noncompliant, a new incident report is created.
- Choose not to resolve the noncompliant resource and simply resolve the incident. If you update the configuration of the resource later, AWS Config triggers a re-evaluation and you are again alerted to evaluate the noncompliance of that resource.
Automatic Remediation
The most critical rules belong to the Auto Remediate category. Noncompliance with these rules may strongly impact the security and availability of your accounts. When a resource violates one of these rules:
- AMS automatically notifies you with an Incident Report.
- AMS starts an automated remediation using our automated SSM documents.
- AMS updates the Incident Report with the success or failure of the automated remediation.
- If the automated remediation failed, an AMS engineer investigates the issue.
Rule exceptions
The AWS Config Rules resource exception feature allows you to suppress reporting of specific noncompliant resources for specific rules. Please note that the exempted resources will still show up as Noncompliant in your AWS Config Service console.
You can create a Service request against your account with the following inputs:

```json
[
  {
    "resource_name": "resource_name_1",
    "config_rule_name": "config_rule_name_1",
    "business_justification": "REASON_TO_EXEMPT_RESOURCE",
    "resource_type": "resource_type"
  },
  {
    "resource_name": "resource_name_2",
    "config_rule_name": "config_rule_name_2",
    "business_justification": "REASON_TO_EXEMPT_RESOURCE",
    "resource_type": "resource_type"
  }
]
```
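As an added example (not AMS or AWS code), the following Python triages an AWS Config compliance response against the remediation categories in the rule table above and drafts a rule-exception request in the format this section specifies. The rule names are taken from the page; the sample compliance states, the bucket name and the resource type are constructed, and the category map covers only a subset of the table.

```python
# Added example (not AMS/AWS code). SAMPLE_RESPONSE is a constructed dict in the
# shape returned by boto3.client("config").describe_compliance_by_config_rule().
import json
from typing import Dict, List, Tuple

# Remediation category per rule, taken from a subset of the rule table above.
REMEDIATION_CATEGORY: Dict[str, str] = {
    "ams-nist-cis-guardduty-enabled-centralized": "Automatic Remediation",
    "ams-nist-cis-vpc-flow-logs-enabled": "Automatic Remediation",
    "ams-nist-cis-s3-bucket-public-read-prohibited": "Auto Incident",
    "ams-nist-cis-restricted-ssh": "Auto Incident",
    "ams-nist-cis-s3-bucket-logging-enabled": "Config Report Only",
    "ams-nist-cis-cloudtrail-enabled": "Config Report Only",
}

# What AMS does for each category, per "Responses to violations".
EXPECTED_AMS_ACTION: Dict[str, str] = {
    "Automatic Remediation": "Incident Report plus automated SSM remediation",
    "Auto Incident": "Incident Report; you choose how to respond",
    "Config Report Only": "Config Report entry only; open an Incident Report for help",
}

# Constructed sample: rule names are real, compliance states are made up.
SAMPLE_RESPONSE = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "ams-nist-cis-s3-bucket-public-read-prohibited",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "ams-nist-cis-vpc-flow-logs-enabled",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "ams-nist-cis-s3-bucket-logging-enabled",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "ams-nist-cis-cloudtrail-enabled",
     "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "ams-nist-cis-restricted-ssh",
     "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
    {"ConfigRuleName": "customer-custom-rule",  # not an AMS rule: ignored
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
]}


def triage(response: dict) -> Dict[str, List[str]]:
    """Group NON_COMPLIANT AMS library rules (ams- prefix) by remediation category.
    Library rules missing from the table map to "Unknown category" instead of being dropped."""
    groups: Dict[str, List[str]] = {cat: [] for cat in EXPECTED_AMS_ACTION}
    groups["Unknown category"] = []
    for item in response.get("ComplianceByConfigRules", []):
        name = item["ConfigRuleName"]
        if not name.startswith("ams-"):
            continue  # customer-owned rule, outside the AMS library
        if item["Compliance"]["ComplianceType"] != "NON_COMPLIANT":
            continue  # COMPLIANT or INSUFFICIENT_DATA needs no triage
        groups[REMEDIATION_CATEGORY.get(name, "Unknown category")].append(name)
    return groups


def build_exception_request(entries: List[Tuple[str, str, str, str]]) -> List[dict]:
    """Build the rule-exception payload in the format the Service request expects.
    Entries are (resource_name, resource_type, config_rule_name, justification)."""
    payload = []
    for resource_name, resource_type, rule, justification in entries:
        if rule not in REMEDIATION_CATEGORY:
            raise ValueError(f"{rule} is not a known AMS Config Rule")
        if not justification.strip():
            raise ValueError("business_justification must not be blank")
        payload.append({"resource_name": resource_name,
                        "config_rule_name": rule,
                        "business_justification": justification,
                        "resource_type": resource_type})
    return payload


if __name__ == "__main__":
    for category, rules in triage(SAMPLE_RESPONSE).items():
        for rule in rules:
            action = EXPECTED_AMS_ACTION.get(category, "check the rule table")
            print(f"{rule}: {category} -> {action}")
    # Constructed bucket name: a static-site bucket that is public by design.
    request = build_exception_request([("example-static-site-bucket", "AWS::S3::Bucket",
                                        "ams-nist-cis-s3-bucket-public-read-prohibited",
                                        "Static website, public by design")])
    print(json.dumps(request, indent=2))
```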