Configuration Compliance - AMS Accelerate User Guide

Configuration Compliance

AMS Accelerate helps ensure that all of your resources are configured to high standards for security and operational integrity, and comply with the following industry standards:

  • Center for Internet Security (CIS)

  • National Institute of Standards and Technology (NIST) Cloud Security Framework (CSF)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Payment Card Industry (PCI) Data Security Standard (DSS)

We do this by deploying our entire AMS Config Rule library to your account. Any configuration change triggers a large number of rules to test compliance. For example, suppose you create an Amazon S3 bucket, and configure it to be publicly readable, in violation of NIST standards. The ams-nist-cis-s3-bucket-public-read-prohibited rule detects the violation and labels your S3 bucket Noncompliant in your Configuration Report. Because this rule belongs to the Auto Incident remediation category, it immediately creates an Incident Report, alerting you to the issue. Other more severe rule violations might cause AMS to automatically remediate the issue. See Responses to violations.

Important

If you want us to do more, for example, if you want AMS to remediate a violation for you, regardless of its remediation category, use the Incident Report to request that AMS remediate the noncompliant resources for you.

If you want us to do less, for example, if you don't want us to take action on a particular S3 bucket that requires public access by design, you can create Rule exceptions.

AMS Config Rule library

By default, Accelerate deploys all of the following rules to your account. AMS config rules always begin with ams-. You can view rules within your account, and their compliance state, from either the AWS Config console, AWS CLI, or the AWS Config API. For general information about using AWS Config, see Viewing Configuration Compliance.

Note

You cannot remove any of the deployed AMS Config Rules at this time.

Table of Rules

In this table, rules are sorted by Remediation Category (severity).

Download as aws_config_rules_inventory.zip.

Remediation Category: Automatic Remediation

Rule Name | Identifier | Trigger | Frameworks | CIS | NIST-CSF | HIPAA | PCI
--- | --- | --- | --- | --- | --- | --- | ---
ams-nist-cis-guardduty-enabled-centralized | GUARDDUTY_ENABLED_CENTRALIZED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 2.2 3.4 8.2.1
ams-nist-cis-vpc-flow-logs-enabled | VPC_FLOW_LOGS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6

Remediation Category: Auto Incident

Rule Name | Identifier | Trigger | Frameworks | CIS | NIST-CSF | HIPAA | PCI
--- | --- | --- | --- | --- | --- | --- | ---
ams-eks-secrets-encrypted | EKS_SECRETS_ENCRYPTED | Periodic | N/A | N/A | N/A | N/A | N/A
ams-eks-endpoint-no-public-access | EKS_ENDPOINT_NO_PUBLIC_ACCESS | Periodic | N/A | N/A | N/A | N/A | N/A
ams-nist-cis-vpc-default-security-group-closed | VPC_DEFAULT_SECURITY_GROUP_CLOSED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.312(e)(1) | 1.2 1.3 2.1 2.2 1.2.1 1.3.1 1.3.2 2.2.2
ams-nist-cis-iam-password-policy | IAM_PASSWORD_POLICY | Periodic | NIST, HIPAA, PCI | NA | PR.AC-1 PR.AC-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 7.1.2 7.1.3 7.2.1 7.2.2
ams-nist-cis-iam-root-access-key-check | IAM_ROOT_ACCESS_KEY_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-1 PR.AC-4 PR.PT-3 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.1.2 7.1.3 7.2.1 7.2.2
ams-nist-cis-iam-user-mfa-enabled | IAM_USER_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.1.2 7.1.3 7.2.1 7.2.2
ams-nist-cis-restricted-ssh | INCOMING_SSH_DISABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.2.1 8.1.4
ams-nist-cis-restricted-common-ports | RESTRICTED_INCOMING_TRAFFIC | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 2.2.2
ams-nist-cis-s3-account-level-public-access-blocks | S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.9 CIS.12 CIS.14 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.2.1 1.3 1.3.1 1.3.2 1.3.4 1.3.6 2.2 2.2.2
ams-nist-cis-s3-bucket-public-read-prohibited | S3_BUCKET_PUBLIC_READ_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-s3-bucket-public-write-prohibited | S3_BUCKET_PUBLIC_WRITE_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-s3-bucket-server-side-encryption-enabled | S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(c)(2) 164.312(e)(2)(ii) | 2.2 3.4 10.5 8.2.1
ams-nist-cis-securityhub-enabled | SECURITYHUB_ENABLED | Periodic | CIS, NIST, HIPAA | CIS.3 CIS.4 CIS.6 CIS.12 CIS.16 CIS.19 | PR.DS-5 PR.PT-1 | 164.312(b) | NA

Remediation Category: Config Report Only

Rule Name | Identifier | Trigger | Frameworks | CIS | NIST-CSF | HIPAA | PCI
--- | --- | --- | --- | --- | --- | --- | ---
ams-nist-cis-ec2-instance-managed-by-systems-manager | EC2_INSTANCE_MANAGED_BY_SSM | Config Changes | CIS, NIST, HIPAA, PCI | CIS.2 CIS.5 | ID.AM-2 PR.IP-1 | 164.308(a)(5)(ii)(B) | 2.4
ams-nist-cis-cloudtrail-enabled | CLOUD_TRAIL_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.MA-2 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(b) | 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.6 10.2.7 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6
ams-nist-cis-access-keys-rotated | ACCESS_KEYS_ROTATED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 | 164.308(a)(4)(ii)(B) | 2.2
ams-nist-cis-acm-certificate-expiration-check | ACM_CERTIFICATE_EXPIRATION_CHECK | Config Changes | CIS, NIST, PCI | CIS.13 CIS.14 | PR.AC-5 PR.PT-4 | NA | 4.1
ams-nist-cis-alb-http-to-https-redirection-check | ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 2.3 4.1 8.2.1
ams-nist-cis-api-gw-cache-enabled-and-encrypted | API_GW_CACHE_ENABLED_AND_ENCRYPTED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4
ams-nist-cis-api-gw-execution-logging-enabled | API_GW_EXECUTION_LOGGING_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.312(b) | 10.1 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.4
ams-nist-autoscaling-group-elb-healthcheck-required | AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED | Config Changes | NIST, HIPAA, PCI | NA | PR.PT-1 PR.PT-5 | 164.312(b) | 2.2
ams-nist-cis-cloud-trail-cloud-watch-logs-enabled | CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.3 10.5.4
ams-nist-cis-cloud-trail-encryption-enabled | CLOUD_TRAIL_ENCRYPTION_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 2.2 3.4 10.5
ams-nist-cis-cloud-trail-log-file-validation-enabled | CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | PR.DS-6 | 164.312(c)(1) 164.312(c)(2) | 2.2 10.5 11.5 10.5.2 10.5.5
ams-nist-cis-cloudtrail-s3-dataevents-enabled | CLOUDTRAIL_S3_DATAEVENTS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6
ams-nist-cis-cloudwatch-alarm-action-check | CLOUDWATCH_ALARM_ACTION_CHECK | Config Changes | CIS, HIPAA | CIS.13 CIS.14 | NA | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4
ams-nist-cis-cloudwatch-log-group-encrypted | CLOUDWATCH_LOG_GROUP_ENCRYPTED | Periodic | CIS, HIPAA, PCI | CIS.13 CIS.14 | NA | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4
ams-nist-cis-codebuild-project-envvar-awscred-check | CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.18 | PR.DS-5 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 8.2.1
ams-nist-cis-codebuild-project-source-repo-url-check | CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.18 | PR.DS-5 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 8.2.1
ams-nist-cis-db-instance-backup-enabled | DB_INSTANCE_BACKUP_ENABLED | Config Changes | CIS, NIST, HIPAA | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | NA
ams-nist-cis-dms-replication-not-public | DMS_REPLICATION_NOT_PUBLIC | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-dynamodb-autoscaling-enabled | DYNAMODB_AUTOSCALING_ENABLED | Periodic | NIST, HIPAA | NA | ID.BE-5 PR.DS-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(C) | NA
ams-nist-cis-dynamodb-pitr-enabled | DYNAMODB_PITR_ENABLED | Periodic | CIS, NIST, HIPAA | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | NA
ams-nist-dynamodb-throughput-limit-check | DYNAMODB_THROUGHPUT_LIMIT_CHECK | Periodic | HIPAA | NA | NA | 164.312(b) | NA
ams-nist-ebs-optimized-instance | EBS_OPTIMIZED_INSTANCE | Config Changes | HIPAA | NA | NA | 164.308(a)(7)(i) | NA
ams-nist-cis-ebs-snapshot-public-restorable-check | EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-ec2-instance-detailed-monitoring-enabled | EC2_INSTANCE_DETAILED_MONITORING_ENABLED | Config Changes | NIST, HIPAA, PCI | NA | DE.AE-1 PR.PT-1 | 164.312(b) | NA
ams-nist-cis-ec2-instance-no-public-ip | EC2_INSTANCE_NO_PUBLIC_IP | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-ec2-managedinstance-association-compliance-status-check | EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-ec2-managedinstance-patch-compliance-status-check | EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.2 CIS.5 | ID.AM-2 PR.IP-1 | 164.308(a)(5)(ii)(B) | 6.2
ams-nist-cis-ec2-stopped-instance | EC2_STOPPED_INSTANCE | Periodic | CIS, NIST | CIS.2 | ID.AM-2 PR.IP-1 | NA | NA
ams-nist-cis-ec2-volume-inuse-check | EC2_VOLUME_INUSE_CHECK | Config Changes | CIS, NIST | CIS.2 | PR.IP-1 | NA | NA
ams-nist-cis-efs-encrypted-check | EFS_ENCRYPTED_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-nist-cis-eip-attached | EIP_ATTACHED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-nist-cis-elasticache-redis-cluster-automatic-backup-check | ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK | Periodic | CIS, NIST, HIPAA | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | NA
ams-nist-cis-elasticsearch-encrypted-at-rest | ELASTICSEARCH_ENCRYPTED_AT_REST | Periodic | CIS, NIST, HIPAA, PCI | CIS.14 CIS.13 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-nist-cis-elasticsearch-in-vpc-only | ELASTICSEARCH_IN_VPC_ONLY | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-nist-cis-elb-acm-certificate-required | ELB_ACM_CERTIFICATE_REQUIRED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-elb-deletion-protection-enabled | ELB_DELETION_PROTECTION_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 4.1 8.2.1
ams-nist-cis-elb-logging-enabled | ELB_LOGGING_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.312(b) | 10.1 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.4
ams-nist-cis-emr-kerberos-enabled | EMR_KERBEROS_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.PT-1 | 164.312(b) | 10.1 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 10.5.4
ams-nist-cis-emr-master-no-public-ip | EMR_MASTER_NO_PUBLIC_IP | Periodic | CIS, NIST, HIPAA, PCI | CIS.14 CIS.16 | PR.AC-1 PR.AC-4 PR.AC-6 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 7.2.1
ams-nist-cis-encrypted-volumes | ENCRYPTED_VOLUMES | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-guardduty-non-archived-findings | GUARDDUTY_NON_ARCHIVED_FINDINGS | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.13 CIS.16 CIS.19 CIS.3 CIS.4 CIS.6 CIS.8 | DE.AE-2 DE.AE-3 DE.CM-4 DE.DP-5 ID.RA-1 ID.RA-3 PR.DS-5 PR.PT-1 | 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.312(b) | 6.1 11.4 5.1.2
ams-nist-iam-group-has-users-check | IAM_GROUP_HAS_USERS_CHECK | Config Changes | NIST, HIPAA, PCI | NA | PR.AC-4 PR.AC-1 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 7.1.2 7.1.3 7.2.1 7.2.2
ams-nist-cis-iam-policy-no-statements-with-admin-access | IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-6 PR.AC-7 | 164.308(a)(4)(ii)(B) 164.308(a)(5)(ii)(D) 164.312(d) | 8.2.3 8.2.4 8.2.5
ams-nist-cis-iam-user-group-membership-check | IAM_USER_GROUP_MEMBERSHIP_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-1 PR.AC-4 PR.PT-3 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(a)(2)(i) | 2.2 7.1.2 7.2.1 8.1.1
ams-nist-cis-iam-user-no-policies-check | IAM_USER_NO_POLICIES_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-7 | 164.308(a)(4)(ii)(B) 164.312(d) | 8.3
ams-nist-cis-iam-user-unused-credentials-check | IAM_USER_UNUSED_CREDENTIALS_CHECK | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-1 PR.AC-4 PR.PT-3 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) | 2.2 7.1.2 7.1.3 7.2.1 7.2.2
ams-nist-cis-ec2-instances-in-vpc | INSTANCES_IN_VPC | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(3)(ii)(B) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(B) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 2.2 1.2.1 1.3.1 1.3.2 2.2.2
ams-nist-cis-internet-gateway-authorized-vpc-only | INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | Periodic | CIS | CIS.9 CIS.12 | NA | NA | NA
ams-nist-cis-kms-cmk-not-scheduled-for-deletion | KMS_CMK_NOT_SCHEDULED_FOR_DELETION | Periodic | CIS, NIST, PCI | CIS.13 CIS.14 | PR.DS-1 | NA | 3.5 3.6
ams-nist-lambda-concurrency-check | LAMBDA_CONCURRENCY_CHECK | Config Changes | HIPAA | NA | NA | 164.312(b) | NA
ams-nist-lambda-dlq-check | LAMBDA_DLQ_CHECK | Config Changes | HIPAA | NA | NA | 164.312(b) | NA
ams-nist-cis-lambda-function-public-access-prohibited | LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 2.2.2
ams-nist-cis-lambda-inside-vpc | LAMBDA_INSIDE_VPC | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 2.2.2
ams-nist-cis-mfa-enabled-for-iam-console-access | MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-7 | 164.312(d) | 2.2 8.3
ams-nist-cis-multi-region-cloudtrail-enabled | MULTI_REGION_CLOUD_TRAIL_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.MA-2 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.6 10.2.7 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6
ams-nist-rds-enhanced-monitoring-enabled | RDS_ENHANCED_MONITORING_ENABLED | Config Changes | NIST, HIPAA | NA | PR.PT-1 | 164.312(b) | NA
ams-nist-cis-rds-instance-public-access-check | RDS_INSTANCE_PUBLIC_ACCESS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-rds-multi-az-support | RDS_MULTI_AZ_SUPPORT | Config Changes | NIST, HIPAA | NA | ID.BE-5 PR.DS-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(C) | NA
ams-nist-cis-rds-snapshots-public-prohibited | RDS_SNAPSHOTS_PUBLIC_PROHIBITED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-rds-storage-encrypted | RDS_STORAGE_ENCRYPTED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.5 CIS.6 | DE.AE-1 DE.AE-3 PR.DS-1 PR.PT-1 | 164.312(a)(2)(iv) 164.312(b) 164.312(e)(2)(ii) | 3.4 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6 8.2.1
ams-nist-cis-redshift-cluster-configuration-check | REDSHIFT_CLUSTER_CONFIGURATION_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 CIS.13 CIS.5 | DE.AE-1 DE.AE-3 PR.DS-1 PR.PT-1 | 164.312(a)(2)(iv) 164.312(b) 164.312(e)(2)(ii) | 3.4 8.2.1 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6
ams-nist-cis-redshift-cluster-public-access-check | REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.12 CIS.14 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-redshift-require-tls-ssl | REDSHIFT_REQUIRE_TLS_SSL | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 2.3 4.1
ams-nist-cis-root-account-hardware-mfa-enabled | ROOT_ACCOUNT_HARDWARE_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-7 | 164.312(d) | 2.2 8.3
ams-nist-cis-root-account-mfa-enabled | ROOT_ACCOUNT_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 CIS.4 | PR.AC-7 | 164.312(d) | 2.2 8.3
ams-nist-cis-s3-bucket-default-lock-enabled | S3_BUCKET_DEFAULT_LOCK_ENABLED | Config Changes | CIS, NIST | CIS.14 CIS.13 | ID.BE-5 PR.PT-5 RC.RP-1 | NA | NA
ams-nist-cis-s3-bucket-logging-enabled | S3_BUCKET_LOGGING_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.6 | DE.AE-1 DE.AE-3 PR.DS-5 PR.PT-1 | 164.308(a)(3)(ii)(A) 164.312(b) | 2.2 10.1 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.7 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6
ams-nist-cis-s3-bucket-replication-enabled | S3_BUCKET_REPLICATION_ENABLED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.10 | ID.BE-5 PR.DS-4 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) | 2.2 10.5.3
ams-nist-cis-s3-bucket-ssl-requests-only | S3_BUCKET_SSL_REQUESTS_ONLY | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-2 | 164.312(a)(2)(iv) 164.312(c)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) | 2.2 4.1 8.2.1
ams-nist-cis-s3-bucket-versioning-enabled | S3_BUCKET_VERSIONING_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.10 | ID.BE-5 PR.DS-4 PR.DS-6 PR.IP-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B) 164.312(c)(1) 164.312(c)(2) | 10.5.3
ams-nist-cis-sagemaker-endpoint-configuration-kms-key-configured | SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-nist-cis-sagemaker-notebook-instance-kms-key-configured | SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-nist-cis-sagemaker-notebook-no-direct-internet-access | SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS | Periodic | CIS, NIST, HIPAA, PCI | CIS.12 CIS.9 | PR.AC-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-3 PR.PT-4 | 164.308(a)(3)(i) 164.308(a)(4)(ii)(A) 164.308(a)(4)(ii)(C) 164.312(a)(1) 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 1.3.4 1.3.6 2.2.2
ams-nist-cis-secretsmanager-rotation-enabled-check | SECRETSMANAGER_ROTATION_ENABLED_CHECK | Config Changes | CIS, NIST, HIPAA | CIS.16 | PR.AC-1 | 164.308(a)(4)(ii)(B) | NA
ams-nist-cis-secretsmanager-scheduled-rotation-success-check | SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK | Config Changes | CIS, NIST, HIPAA | CIS.16 | PR.AC-1 | 164.308(a)(4)(ii)(B) | NA
ams-nist-cis-sns-encrypted-kms | SNS_ENCRYPTED_KMS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 8.2.1
ams-nist-cis-vpc-sg-open-only-to-authorized-ports | VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS | Config Changes | CIS, NIST, HIPAA, PCI | CIS.11 CIS.12 CIS.9 | DE.AE-1 PR.AC-3 PR.AC-5 PR.PT-4 | 164.312(e)(1) | 1.2 1.3 1.2.1 1.3.1 1.3.2 2.2.2
ams-nist-vpc-vpn-2-tunnels-up | VPC_VPN_2_TUNNELS_UP | Config Changes | NIST, HIPAA | NA | ID.BE-5 PR.DS-4 PR.PT-5 RC.RP-1 | 164.308(a)(7)(i) | NA
ams-cis-ec2-ebs-encryption-by-default | EC2_EBS_ENCRYPTION_BY_DEFAULT | Periodic | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 2.2 3.4 8.2.1
ams-cis-rds-snapshot-encrypted | RDS_SNAPSHOT_ENCRYPTED | Config Changes | CIS, NIST, HIPAA, PCI | CIS.13 CIS.14 | PR.DS-1 | 164.312(a)(2)(iv) 164.312(e)(2)(ii) | 3.4 8.2.1
ams-cis-redshift-cluster-maintenancesettings-check | REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK | Config Changes | CIS, NIST, HIPAA, PCI | CIS.5 | PR.DS-4 PR.IP-1 PR.IP-4 | 164.308(a)(5)(ii)(A) 164.308(a)(7)(ii)(A) | 6.2

Responses to violations

All Config Rule violations appear in your Configuration Report. This is a universal response. Depending on the Remediation Category (severity) of the rule, AMS may take additional actions, summarized in the following table.

Note

You cannot modify the Remediation Category for a Config Rule at this time.

Automated Responses

Remediation Category | AMS Actions
--- | ---
Config Report Only | Add to Config Report
Auto Incident | Add to Config Report; Automatic Incident Report
Auto Remediate | Add to Config Report; Automatic Incident Report; Automatic Remediation

Requesting Additional Help

Note

AMS can remediate any violation for you, regardless of its remediation category. To request help, open an Incident Report, and indicate which resources you want AMS to remediate.

AMS Accelerate has a library of AWS Systems Manager Automation documents and runbooks to assist in remediating noncompliant resources.

Add to Config Report

AMS generates a Config Report that tracks the compliance status of all rules and resources in your account. You can request the report from your CSDM. You can also review compliance status from the AWS Config console, AWS CLI, or AWS Config API. Your Config Report includes:

  • the top noncompliant resources in your environment, to discover potential threats and misconfigurations

  • compliance of resources and config rules over time

  • config rule descriptions, severity of rules, and recommended remediation steps to fix noncompliant resources

When any resource goes into a noncompliant state, the resource status (and rule status) becomes Noncompliant in your Config Report. If the rule belongs to the Config Report Only remediation category, by default, AMS takes no further action. You can always create an Incident Report to request additional help or remediation from AMS.

See the AWS Config Reporting section for more details.

Automatic Incident Report

For moderately severe rule violations, AMS automatically creates an Incident Report to notify you that a resource has gone into a noncompliant state, and asks which actions you would like to be performed. You have the following options when responding to an incident:

  • Request that AMS remediate the noncompliant resources listed in the incident. Then, we attempt to remediate the noncompliant resource, and notify you once the underlying incident has been resolved.

  • You can resolve the noncompliant item manually in the console or through your automated deployment system (for example, CI/CD Pipeline template updates); then, you can resolve the incident. The noncompliant resource is re-evaluated as per the rule’s schedule and, if the resource is evaluated as noncompliant, a new incident report is created.

  • You can choose to not resolve the noncompliant resource and simply resolve the incident. If you update the configuration of the resource later, AWS Config will trigger a re-evaluation and you will again be alerted to evaluate the noncompliance of that resource.

Automatic Remediation

The most critical rules belong to the Auto Remediate category. Noncompliance with these rules may strongly impact the security and availability of your accounts. When a resource violates one of these rules:

  1. AMS automatically notifies you with an Incident Report.

  2. AMS starts an automated remediation using our automated SSM documents.

  3. AMS updates the Incident Report with success or failure of the automated remediation.

  4. If automated remediation failed, an AMS engineer investigates the issue.

Rule exceptions

The AWS Config Rules resource exception feature allows you to suppress reporting of specific noncompliant resources for specific rules. Note that the exempted resources still show up as Noncompliant in your AWS Config console.

You can create a Service request against your account with the following inputs:

    [
      {
        "resource_name": "resource_name_1",
        "config_rule_name": "config_rule_name_1",
        "business_justification": "REASON_TO_EXEMPT_RESOURCE",
        "resource_type": "resource_type"
      },
      {
        "resource_name": "resource_name_2",
        "config_rule_name": "config_rule_name_2",
        "business_justification": "REASON_TO_EXEMPT_RESOURCE",
        "resource_type": "resource_type"
      }
    ]
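The following is an added example, not AMS tooling or code from this guide, that ties the Rule exceptions request format above to the remediation categories described under Responses to violations: it validates an exception request, then triages constructed AWS Config evaluation results against a subset of the rule library and reports which AMS action each noncompliant resource would receive. The bucket names, VPC id and justification text are constructed; the `EvaluationResults` structure follows the shape of `aws configservice get-compliance-details-by-config-rule` output.

```python
import json

# Subset of the AMS Config Rule library from the table above, with the
# Remediation Category the table lists each rule under.
REMEDIATION_CATEGORY = {
    "ams-nist-cis-vpc-flow-logs-enabled": "Auto Remediate",
    "ams-nist-cis-s3-bucket-public-read-prohibited": "Auto Incident",
    "ams-nist-cis-restricted-ssh": "Auto Incident",
    "ams-nist-cis-s3-bucket-logging-enabled": "Config Report Only",
}
# AMS actions per category ("Responses to violations"): every violation
# lands in the Config Report; the higher categories add to that.
ACTIONS = {
    "Config Report Only": ("Config Report",),
    "Auto Incident": ("Config Report", "Incident Report"),
    "Auto Remediate": ("Config Report", "Incident Report", "Automatic Remediation"),
}
REQUIRED_KEYS = {"resource_name", "config_rule_name",
                 "business_justification", "resource_type"}


def load_exceptions(request_json):
    """Parse a Rule-exceptions service request (the JSON format above) into
    the set of (resource_name, config_rule_name) pairs it suppresses,
    rejecting malformed entries and rules outside the AMS library."""
    exempt = set()
    for entry in json.loads(request_json):
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            raise ValueError(f"exception entry is missing {sorted(missing)}")
        rule = entry["config_rule_name"]
        if not rule.startswith("ams-") or rule not in REMEDIATION_CATEGORY:
            raise ValueError(f"{rule} is not a deployed AMS Config Rule")
        if not entry["business_justification"].strip():
            raise ValueError(f"{rule}: business_justification must not be empty")
        exempt.add((entry["resource_name"], rule))
    return exempt


def triage(evaluations, exempt):
    """List every NON_COMPLIANT resource in EvaluationResults (the shape of
    `aws configservice get-compliance-details-by-config-rule` output) with
    the AMS response its rule's category calls for.  An exempt resource gets
    no AMS action but stays NON_COMPLIANT in AWS Config itself."""
    findings = []
    for ev in evaluations["EvaluationResults"]:
        if ev["ComplianceType"] != "NON_COMPLIANT":
            continue
        q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        rule, resource = q["ConfigRuleName"], q["ResourceId"]
        if rule not in REMEDIATION_CATEGORY:
            raise KeyError(f"{rule} is not in the AMS Config Rule library")
        category = REMEDIATION_CATEGORY[rule]
        findings.append({
            "resource": resource, "rule": rule, "category": category,
            "config_status": "NON_COMPLIANT",  # unchanged even when exempt
            "ams_actions": () if (resource, rule) in exempt else ACTIONS[category],
        })
    return findings


def _ev(rule, rtype, rid, compliance="NON_COMPLIANT"):
    """One constructed EvaluationResults entry."""
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid}},
        "ComplianceType": compliance}


# Constructed sample data, not output from a real account.
SAMPLE_EVALUATIONS = {"EvaluationResults": [
    _ev("ams-nist-cis-s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "public-site-assets"),
    _ev("ams-nist-cis-s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "finance-exports"),
    _ev("ams-nist-cis-vpc-flow-logs-enabled", "AWS::EC2::VPC", "vpc-0abc"),
    _ev("ams-nist-cis-s3-bucket-logging-enabled", "AWS::S3::Bucket", "audit-logs", "COMPLIANT"),
]}
SAMPLE_EXCEPTION_REQUEST = json.dumps([{
    "resource_name": "public-site-assets",
    "config_rule_name": "ams-nist-cis-s3-bucket-public-read-prohibited",
    "business_justification": "Static website bucket; public read by design",
    "resource_type": "AWS::S3::Bucket"}])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVALUATIONS, load_exceptions(SAMPLE_EXCEPTION_REQUEST)):
        print(f["resource"], f["category"], f["ams_actions"] or "suppressed by exception")
```

Note that the exempt bucket keeps `config_status` NON_COMPLIANT: the exception only suppresses AMS reporting and actions, not the AWS Config evaluation itself.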