List of AWS Config Managed Rules
AWS Config currently supports the following managed rules.
Considerations
Default values for managed rules
The default values specified for a managed rule are pre-populated only when you use the AWS console. No default values are provided for the API, CLI, or SDK.
Configuration item recording latency
AWS Config typically records a resource's configuration changes immediately after detecting a change, or at the frequency you specify. However, this is done on a best-effort basis and can sometimes take longer. Resource types with a known latency include AWS::SecretsManager::Secret.
Directory buckets not supported
Managed rules support only general purpose buckets when evaluating Amazon Simple Storage Service (Amazon S3) resources. AWS Config does not record configuration changes for directory buckets. For more information about general purpose buckets and directory buckets, see Buckets overview and Directory buckets in the Amazon S3 User Guide.
Managed rules and global IAM resource types
The global IAM resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) can be recorded by AWS Config only in the AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions that AWS Config added support for after February 2022. For the list of these Regions, see Recording AWS Resources | Global Resources.
If you record global IAM resource types in at least one Region, periodic rules that report compliance on global IAM resource types will run evaluations in every Region where the periodic rule is added, even if you have not enabled recording of global IAM resource types in the Region where the periodic rule is added.
To avoid unnecessary evaluations, deploy periodic rules that report compliance on global IAM resource types to only one of the supported Regions. For the list of Regions that support each managed rule, see List of AWS Config Managed Rules by Region Availability.
Topics
- access-keys-rotated
- account-part-of-organizations
- acm-certificate-expiration-check
- acm-certificate-rsa-check
- acm-pca-root-ca-disabled
- alb-desync-mode-check
- alb-http-drop-invalid-header-enabled
- alb-http-to-https-redirection-check
- alb-waf-enabled
- api-gwv2-access-logs-enabled
- api-gwv2-authorization-type-configured
- api-gw-associated-with-waf
- api-gw-cache-enabled-and-encrypted
- api-gw-endpoint-type-check
- api-gw-execution-logging-enabled
- api-gw-ssl-enabled
- api-gw-xray-enabled
- approved-amis-by-id
- approved-amis-by-tag
- appsync-associated-with-waf
- appsync-authorization-check
- appsync-cache-encryption-at-rest
- appsync-logging-enabled
- athena-workgroup-encrypted-at-rest
- athena-workgroup-logging-enabled
- aurora-last-backup-recovery-point-created
- aurora-meets-restore-time-target
- aurora-mysql-backtracking-enabled
- aurora-resources-protected-by-backup-plan
- autoscaling-capacity-rebalancing
- autoscaling-group-elb-healthcheck-required
- autoscaling-launchconfig-requires-imdsv2
- autoscaling-launch-config-hop-limit
- autoscaling-launch-config-public-ip-disabled
- autoscaling-launch-template
- autoscaling-multiple-az
- autoscaling-multiple-instance-types
- backup-plan-min-frequency-and-min-retention-check
- backup-recovery-point-encrypted
- backup-recovery-point-manual-deletion-disabled
- backup-recovery-point-minimum-retention-check
- beanstalk-enhanced-health-reporting-enabled
- clb-desync-mode-check
- clb-multiple-az
- cloudformation-stack-drift-detection-check
- cloudformation-stack-notification-check
- cloudfront-accesslogs-enabled
- cloudfront-associated-with-waf
- cloudfront-custom-ssl-certificate
- cloudfront-default-root-object-configured
- cloudfront-no-deprecated-ssl-protocols
- cloudfront-origin-access-identity-enabled
- cloudfront-origin-failover-enabled
- cloudfront-s3-origin-access-control-enabled
- cloudfront-s3-origin-non-existent-bucket
- cloudfront-security-policy-check
- cloudfront-sni-enabled
- cloudfront-traffic-to-origin-encrypted
- cloudfront-viewer-policy-https
- cloudtrail-all-read-s3-data-event-check
- cloudtrail-all-write-s3-data-event-check
- cloudtrail-s3-bucket-access-logging
- cloudtrail-s3-bucket-public-access-prohibited
- cloudtrail-s3-dataevents-enabled
- cloudtrail-security-trail-enabled
- cloudwatch-alarm-action-check
- cloudwatch-alarm-action-enabled-check
- cloudwatch-alarm-resource-check
- cloudwatch-alarm-settings-check
- cloudwatch-log-group-encrypted
- cloud-trail-cloud-watch-logs-enabled
- cloudtrail-enabled
- cloud-trail-encryption-enabled
- cloud-trail-log-file-validation-enabled
- cmk-backing-key-rotation-enabled
- codebuild-project-artifact-encryption
- codebuild-project-environment-privileged-check
- codebuild-project-envvar-awscred-check
- codebuild-project-logging-enabled
- codebuild-project-s3-logs-encrypted
- codebuild-project-source-repo-url-check
- codebuild-report-group-encrypted-at-rest
- codedeploy-auto-rollback-monitor-enabled
- codedeploy-ec2-minimum-healthy-hosts-configured
- codedeploy-lambda-allatonce-traffic-shift-disabled
- codepipeline-deployment-count-check
- codepipeline-region-fanout-check
- cognito-user-pool-advanced-security-enabled
- custom-eventbus-policy-attached
- custom-schema-registry-policy-attached
- cw-loggroup-retention-period-check
- datasync-task-logging-enabled
- dax-encryption-enabled
- dax-tls-endpoint-encryption
- db-instance-backup-enabled
- desired-instance-tenancy
- desired-instance-type
- dms-auto-minor-version-upgrade-check
- dms-endpoint-ssl-configured
- dms-mongo-db-authentication-enabled
- dms-neptune-iam-authorization-enabled
- dms-redis-tls-enabled
- dms-replication-not-public
- dms-replication-task-sourcedb-logging
- dms-replication-task-targetdb-logging
- docdb-cluster-audit-logging-enabled
- docdb-cluster-backup-retention-check
- docdb-cluster-deletion-protection-enabled
- docdb-cluster-encrypted
- docdb-cluster-snapshot-public-prohibited
- dynamodb-autoscaling-enabled
- dynamodb-in-backup-plan
- dynamodb-last-backup-recovery-point-created
- dynamodb-meets-restore-time-target
- dynamodb-pitr-enabled
- dynamodb-resources-protected-by-backup-plan
- dynamodb-table-deletion-protection-enabled
- dynamodb-table-encrypted-kms
- dynamodb-table-encryption-enabled
- dynamodb-throughput-limit-check
- ebs-in-backup-plan
- ebs-last-backup-recovery-point-created
- ebs-meets-restore-time-target
- ebs-optimized-instance
- ebs-resources-protected-by-backup-plan
- ebs-snapshot-public-restorable-check
- ec2-client-vpn-connection-log-enabled
- ec2-client-vpn-not-authorize-all
- ec2-ebs-encryption-by-default
- ec2-imdsv2-check
- ec2-instance-detailed-monitoring-enabled
- ec2-instance-managed-by-systems-manager
- ec2-instance-multiple-eni-check
- ec2-instance-no-public-ip
- ec2-instance-profile-attached
- ec2-last-backup-recovery-point-created
- ec2-launch-template-public-ip-disabled
- ec2-managedinstance-applications-blacklisted
- ec2-managedinstance-applications-required
- ec2-managedinstance-association-compliance-status-check
- ec2-managedinstance-inventory-blacklisted
- ec2-managedinstance-patch-compliance-status-check
- ec2-managedinstance-platform-check
- ec2-meets-restore-time-target
- ec2-no-amazon-key-pair
- ec2-paravirtual-instance-check
- ec2-resources-protected-by-backup-plan
- ec2-security-group-attached-to-eni
- ec2-security-group-attached-to-eni-periodic
- ec2-stopped-instance
- ec2-token-hop-limit-check
- ec2-transit-gateway-auto-vpc-attach-disabled
- ec2-volume-inuse-check
- ecr-private-image-scanning-enabled
- ecr-private-lifecycle-policy-configured
- ecr-private-tag-immutability-enabled
- ecs-awsvpc-networking-enabled
- ecs-containers-nonprivileged
- ecs-containers-readonly-access
- ecs-container-insights-enabled
- ecs-fargate-latest-platform-version
- ecs-no-environment-secrets
- ecs-task-definition-log-configuration
- ecs-task-definition-memory-hard-limit
- ecs-task-definition-nonroot-user
- ecs-task-definition-pid-mode-check
- ecs-task-definition-user-for-host-mode-check
- efs-access-point-enforce-root-directory
- efs-access-point-enforce-user-identity
- efs-automatic-backups-enabled
- efs-encrypted-check
- efs-in-backup-plan
- efs-last-backup-recovery-point-created
- efs-meets-restore-time-target
- efs-mount-target-public-accessible
- efs-resources-protected-by-backup-plan
- eip-attached
- eks-cluster-logging-enabled
- eks-cluster-log-enabled
- eks-cluster-oldest-supported-version
- eks-cluster-secrets-encrypted
- eks-cluster-supported-version
- eks-endpoint-no-public-access
- eks-secrets-encrypted
- elasticache-auto-minor-version-upgrade-check
- elasticache-rbac-auth-enabled
- elasticache-redis-cluster-automatic-backup-check
- elasticache-repl-grp-auto-failover-enabled
- elasticache-repl-grp-encrypted-at-rest
- elasticache-repl-grp-encrypted-in-transit
- elasticache-repl-grp-redis-auth-enabled
- elasticache-subnet-group-check
- elasticache-supported-engine-version
- elasticsearch-encrypted-at-rest
- elasticsearch-in-vpc-only
- elasticsearch-logs-to-cloudwatch
- elasticsearch-node-to-node-encryption-check
- elastic-beanstalk-logs-to-cloudwatch
- elastic-beanstalk-managed-updates-enabled
- elbv2-acm-certificate-required
- elbv2-multiple-az
- elb-acm-certificate-required
- elb-cross-zone-load-balancing-enabled
- elb-custom-security-policy-ssl-check
- elb-deletion-protection-enabled
- elb-logging-enabled
- elb-predefined-security-policy-ssl-check
- elb-tls-https-listeners-only
- emr-block-public-access
- emr-kerberos-enabled
- emr-master-no-public-ip
- encrypted-volumes
- fms-shield-resource-policy-check
- fms-webacl-resource-policy-check
- fms-webacl-rulegroup-association-check
- fsx-last-backup-recovery-point-created
- fsx-lustre-copy-tags-to-backups
- fsx-meets-restore-time-target
- fsx-openzfs-copy-tags-enabled
- fsx-resources-protected-by-backup-plan
- fsx-windows-audit-log-configured
- global-endpoint-event-replication-enabled
- glue-job-logging-enabled
- glue-ml-transform-encrypted-at-rest
- guardduty-eks-protection-audit-enabled
- guardduty-eks-protection-runtime-enabled
- guardduty-enabled-centralized
- guardduty-lambda-protection-enabled
- guardduty-malware-protection-enabled
- guardduty-non-archived-findings
- guardduty-rds-protection-enabled
- guardduty-s3-protection-enabled
- iam-customer-policy-blocked-kms-actions
- iam-external-access-analyzer-enabled
- iam-group-has-users-check
- iam-inline-policy-blocked-kms-actions
- iam-no-inline-policy-check
- iam-password-policy
- iam-policy-blacklisted-check
- iam-policy-in-use
- iam-policy-no-statements-with-admin-access
- iam-policy-no-statements-with-full-access
- iam-role-managed-policy-check
- iam-root-access-key-check
- iam-server-certificate-expiration-check
- iam-user-group-membership-check
- iam-user-mfa-enabled
- iam-user-no-policies-check
- iam-user-unused-credentials-check
- restricted-ssh
- inspector-ec2-scan-enabled
- inspector-ecr-scan-enabled
- inspector-lambda-code-scan-enabled
- inspector-lambda-standard-scan-enabled
- ec2-instances-in-vpc
- internet-gateway-authorized-vpc-only
- kinesis-firehose-delivery-stream-encrypted
- kinesis-stream-backup-retention-check
- kinesis-stream-encrypted
- kms-cmk-not-scheduled-for-deletion
- lambda-concurrency-check
- lambda-dlq-check
- lambda-function-public-access-prohibited
- lambda-function-settings-check
- lambda-inside-vpc
- lambda-vpc-multi-az-check
- macie-auto-sensitive-data-discovery-check
- macie-status-check
- mfa-enabled-for-iam-console-access
- mq-active-deployment-mode
- mq-automatic-minor-version-upgrade-enabled
- mq-auto-minor-version-upgrade-enabled
- mq-cloudwatch-audit-logging-enabled
- mq-cloudwatch-audit-log-enabled
- mq-no-public-access
- mq-rabbit-deployment-mode
- msk-enhanced-monitoring-enabled
- msk-in-cluster-node-require-tls
- multi-region-cloudtrail-enabled
- nacl-no-unrestricted-ssh-rdp
- neptune-cluster-backup-retention-check
- neptune-cluster-cloudwatch-log-export-enabled
- neptune-cluster-copy-tags-to-snapshot-enabled
- neptune-cluster-deletion-protection-enabled
- neptune-cluster-encrypted
- neptune-cluster-iam-database-authentication
- neptune-cluster-multi-az-enabled
- neptune-cluster-snapshot-encrypted
- neptune-cluster-snapshot-public-prohibited
- netfw-deletion-protection-enabled
- netfw-logging-enabled
- netfw-multi-az-enabled
- netfw-policy-default-action-fragment-packets
- netfw-policy-default-action-full-packets
- netfw-policy-rule-group-associated
- netfw-stateless-rule-group-not-empty
- nlb-cross-zone-load-balancing-enabled
- no-unrestricted-route-to-igw
- opensearch-access-control-enabled
- opensearch-audit-logging-enabled
- opensearch-data-node-fault-tolerance
- opensearch-encrypted-at-rest
- opensearch-https-required
- opensearch-in-vpc-only
- opensearch-logs-to-cloudwatch
- opensearch-node-to-node-encryption-check
- opensearch-primary-node-fault-tolerance
- opensearch-update-check
- rds-aurora-mysql-audit-logging-enabled
- rds-aurora-postgresql-logs-to-cloudwatch
- rds-automatic-minor-version-upgrade-enabled
- rds-cluster-auto-minor-version-upgrade-enable
- rds-cluster-default-admin-check
- rds-cluster-deletion-protection-enabled
- rds-cluster-encrypted-at-rest
- rds-cluster-iam-authentication-enabled
- rds-cluster-multi-az-enabled
- rds-db-security-group-not-allowed
- rds-enhanced-monitoring-enabled
- rds-instance-default-admin-check
- rds-instance-deletion-protection-enabled
- rds-instance-iam-authentication-enabled
- rds-instance-public-access-check
- rds-in-backup-plan
- rds-last-backup-recovery-point-created
- rds-logging-enabled
- rds-meets-restore-time-target
- rds-multi-az-support
- rds-postgresql-logs-to-cloudwatch
- rds-resources-protected-by-backup-plan
- rds-snapshots-public-prohibited
- rds-snapshot-encrypted
- rds-storage-encrypted
- redshift-audit-logging-enabled
- redshift-backup-enabled
- redshift-cluster-configuration-check
- redshift-cluster-kms-enabled
- redshift-cluster-maintenancesettings-check
- redshift-cluster-public-access-check
- redshift-default-admin-check
- redshift-default-db-name-check
- redshift-enhanced-vpc-routing-enabled
- redshift-require-tls-ssl
- redshift-unrestricted-port-access
- required-tags
- restricted-common-ports
- root-account-hardware-mfa-enabled
- root-account-mfa-enabled
- route53-query-logging-enabled
- s3-access-point-in-vpc-only
- s3-access-point-public-access-blocks
- s3-account-level-public-access-blocks
- s3-account-level-public-access-blocks-periodic
- s3-bucket-acl-prohibited
- s3-bucket-blacklisted-actions-prohibited
- s3-bucket-cross-region-replication-enabled
- s3-bucket-default-lock-enabled
- s3-bucket-level-public-access-prohibited
- s3-bucket-logging-enabled
- s3-bucket-mfa-delete-enabled
- s3-bucket-policy-grantee-check
- s3-bucket-policy-not-more-permissive
- s3-bucket-public-read-prohibited
- s3-bucket-public-write-prohibited
- s3-bucket-replication-enabled
- s3-bucket-server-side-encryption-enabled
- s3-bucket-ssl-requests-only
- s3-bucket-versioning-enabled
- s3-default-encryption-kms
- s3-event-notifications-enabled
- s3-last-backup-recovery-point-created
- s3-lifecycle-policy-check
- s3-meets-restore-time-target
- s3-resources-protected-by-backup-plan
- s3-version-lifecycle-policy-check
- sagemaker-endpoint-configuration-kms-key-configured
- sagemaker-endpoint-config-prod-instance-count
- sagemaker-notebook-instance-inside-vpc
- sagemaker-notebook-instance-kms-key-configured
- sagemaker-notebook-instance-root-access-check
- sagemaker-notebook-no-direct-internet-access
- secretsmanager-rotation-enabled-check
- secretsmanager-scheduled-rotation-success-check
- secretsmanager-secret-periodic-rotation
- secretsmanager-secret-unused
- secretsmanager-using-cmk
- securityhub-enabled
- security-account-information-provided
- service-catalog-shared-within-organization
- service-vpc-endpoint-enabled
- ses-malware-scanning-enabled
- shield-advanced-enabled-autorenew
- shield-drt-access
- sns-encrypted-kms
- sns-topic-message-delivery-notification-enabled
- ssm-document-not-public
- step-functions-state-machine-logging-enabled
- storagegateway-last-backup-recovery-point-created
- storagegateway-resources-protected-by-backup-plan
- subnet-auto-assign-public-ip-disabled
- transfer-family-server-no-ftp
- virtualmachine-last-backup-recovery-point-created
- virtualmachine-resources-protected-by-backup-plan
- vpc-default-security-group-closed
- vpc-flow-logs-enabled
- vpc-network-acl-unused-check
- vpc-peering-dns-resolution-check
- vpc-sg-open-only-to-authorized-ports
- vpc-sg-port-restriction-check
- vpc-vpn-2-tunnels-up
- wafv2-logging-enabled
- wafv2-rulegroup-logging-enabled
- wafv2-rulegroup-not-empty
- wafv2-webacl-not-empty
- waf-classic-logging-enabled
- waf-global-rulegroup-not-empty
- waf-global-rule-not-empty
- waf-global-webacl-not-empty
- waf-regional-rulegroup-not-empty
- waf-regional-rule-not-empty
- waf-regional-webacl-not-empty
- workspaces-root-volume-encryption-enabled
- workspaces-user-volume-encryption-enabled