Search and browse AWS Config managed rules with filtering by resource type and trigger.
Checks whether Amazon EC2 instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the EC2 instance configuration item.
Checks if your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).
Checks if your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).
Checks if versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.
Checks if your Amazon S3 bucket either has Amazon S3 default encryption enabled or has a bucket policy that explicitly denies put-object requests without server-side encryption.
Checks if the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key, the rule checks if the volumes are encrypted with that KMS key.
Checks if the account password policy for IAM users meets the specified requirements indicated in the parameters.
Checks if the root user access key is available. The rule is NON_COMPLIANT if the root user access key exists.
Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.
Checks if the root user of your AWS account requires multi-factor authentication for console sign-in.
Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true.
Checks whether storage encryption is enabled for your Amazon RDS DB instances.
Checks whether high availability is enabled for your RDS DB instances via Multi-AZ deployments.
Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access.
Checks that the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values.
Checks if an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled.
Checks if AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS key encryption.
Checks if CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.
Checks whether Amazon VPC flow logs are found and enabled for your VPCs.
Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
Checks if the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.
Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers.
Checks if Amazon GuardDuty is enabled in your AWS account and region. If you provide a centralized account, the rule evaluates the GuardDuty results in that account.
Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
Checks whether Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots have RestorableByUserIds set to all.
Checks if your Amazon DynamoDB tables are encrypted at rest with AWS managed or customer managed KMS keys.
Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.
Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration.
Checks whether security groups allow unrestricted inbound SSH traffic. The rule is NON_COMPLIANT if any inbound security group rule allows SSH traffic from 0.0.0.0/0 or ::/0.
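The NON_COMPLIANT conditions in the entries above are simple predicates over a resource's configuration item. The following is an added example, not AWS's implementation of the managed rules and not code from this tool, that implements three of them (the EC2 public-IP check, the open-SSH security-group check and the IAM password-policy check) in the shape of an AWS Config custom-rule Lambda handler, so the evaluation logic can be exercised offline. The sample configuration items are constructed, the resource ids are made up, and the direction of each password-policy comparison is an assumption stated in the code.

```python
"""Evaluation logic behind three of the rules listed above, in the shape of an AWS
Config custom-rule Lambda handler.  Added example, not AWS's own rule code; the
configuration items are constructed samples in the Config CI layout."""
import json

SSH_PORT = 22
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def ec2_instance_no_public_ip(ci):
    """COMPLIANT unless the publicIp field is present in the instance configuration."""
    return "publicIp" not in ci["configuration"]


def _covers_port(perm, port):
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def restricted_ssh(ci):
    """COMPLIANT unless an inbound rule reaches TCP/22 from 0.0.0.0/0 or ::/0."""
    for perm in ci["configuration"].get("ipPermissions", []):
        if not _covers_port(perm, SSH_PORT):
            continue
        v4 = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
        v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if ANY_IPV4 in v4 or ANY_IPV6 in v6:
            return False
    return True


def iam_password_policy(policy, params):
    """Compare a get_account_password_policy result with the rule parameters.  Assumed
    semantics: booleans must be true, MaxPasswordAge is an upper bound, other numbers
    are lower bounds; a parameter the account policy does not set at all fails."""
    for key, wanted in params.items():
        have = policy.get(key)
        if have is None:
            return False
        if isinstance(wanted, bool):
            ok = have is True
        elif key == "MaxPasswordAge":
            ok = have <= wanted
        else:
            ok = have >= wanted
        if not ok:
            return False
    return True


CHECKS = {"AWS::EC2::Instance": ec2_instance_no_public_ip,
          "AWS::EC2::SecurityGroup": restricted_ssh}


def evaluate(ci):
    """Build the evaluation dict that config.put_evaluations expects for one item."""
    check = CHECKS.get(ci["resourceType"])
    compliance = ("NOT_APPLICABLE" if check is None
                  else "COMPLIANT" if check(ci) else "NON_COMPLIANT")
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


def lambda_handler(event, context=None, config_client=None):
    """Custom-rule entry point: invokingEvent is a JSON string carrying the item.
    Pass boto3.client("config") as config_client to report; None keeps it offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = evaluate(ci)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


def _ci(rtype, rid, configuration):          # constructed sample item, not captured
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": configuration}


SAMPLE_CIS = {
    "instance_public": _ci("AWS::EC2::Instance", "i-0abc", {"publicIp": "203.0.113.10"}),
    "sg_open_ssh": _ci("AWS::EC2::SecurityGroup", "sg-0aaa", {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": ANY_IPV4}]}]}),
    "sg_office_ssh": _ci("AWS::EC2::SecurityGroup", "sg-0bbb", {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "198.51.100.0/24"}]}]}),
}

if __name__ == "__main__":
    for name, ci in SAMPLE_CIS.items():
        print(name, evaluate(ci)["ComplianceType"])
```

The SSH check deliberately treats `ipProtocol` `-1` (all traffic) and any TCP port range that spans 22 as reaching SSH, which is why a rule for ports 0 to 1024 from 0.0.0.0/0 is flagged even though it never names port 22; the managed rule's exact matching is not published, so treat that widening as this example's choice.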
The AWS Config Rule Reference provides a searchable catalog of AWS Config managed rules, letting you browse, filter, and understand the compliance rules available out of the box. You can filter rules by category (security, cost, operational best practices) and by the AWS resource types they evaluate. Each entry includes the rule identifier, description, trigger type (configuration change, periodic, or both), and required parameters, so you can plan your Config setup without constantly switching tabs to the AWS documentation.
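Once a rule has been chosen from the catalog, wiring it into an account means calling put_config_rule with the managed rule's source identifier, its input parameters (which the API takes as a JSON string, not a dict) and, for periodic rules, an execution frequency. The following is an added example, not part of this tool, showing that call shape for four of the rules described above and how to page through the non-compliant resources afterwards. The source identifiers are the names AWS publishes for those managed rules; the rule names, parameter values, resource ids and the FakeConfigClient used to run offline are this example's own.

```python
"""Deploying managed rules from the catalog with boto3-style calls and reading back the
non-compliant resources.  Added example, not this tool's code; the source identifiers
are AWS's published names, everything else here (names, ids, fake client) is made up."""
import json

# (rule name, managed-rule source identifier, input parameters, scoped resource types,
#  execution frequency).  Configuration-change rules leave the frequency as None.
CATALOG = [
    ("ssh-not-open-to-world", "INCOMING_SSH_DISABLED", None, ["AWS::EC2::SecurityGroup"], None),
    ("s3-no-public-read", "S3_BUCKET_PUBLIC_READ_PROHIBITED", None, ["AWS::S3::Bucket"], None),
    ("root-no-access-key", "IAM_ROOT_ACCESS_KEY_CHECK", None, None, "TwentyFour_Hours"),
    ("strong-password-policy", "IAM_PASSWORD_POLICY",
     {"MinimumPasswordLength": "14", "RequireSymbols": "true", "MaxPasswordAge": "90"},
     None, "TwentyFour_Hours"),
]


def managed_rule(name, source_identifier, params=None, resource_types=None, frequency=None):
    """Build the ConfigRule structure accepted by config.put_config_rule."""
    rule = {"ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier}}
    if params:
        rule["InputParameters"] = json.dumps(params)     # the API wants a JSON string
    if resource_types:
        rule["Scope"] = {"ComplianceResourceTypes": resource_types}
    if frequency:
        rule["MaximumExecutionFrequency"] = frequency
    return rule


def deploy(client, catalog=CATALOG):
    """Create or update every rule in the catalog; returns the structures sent."""
    rules = [managed_rule(*entry) for entry in catalog]
    for rule in rules:
        client.put_config_rule(ConfigRule=rule)
    return rules


def noncompliant_resources(client, rule_name):
    """Follow NextToken through get_compliance_details_by_config_rule and collect
    (resource type, resource id) pairs for every NON_COMPLIANT evaluation."""
    found, token = [], None
    while True:
        kwargs = {"ConfigRuleName": rule_name, "ComplianceTypes": ["NON_COMPLIANT"]}
        if token:
            kwargs["NextToken"] = token
        page = client.get_compliance_details_by_config_rule(**kwargs)
        for result in page.get("EvaluationResults", []):
            qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            found.append((qualifier["ResourceType"], qualifier["ResourceId"]))
        token = page.get("NextToken")
        if not token:
            return found


class FakeConfigClient:
    """Stand-in for boto3.client("config") so the example runs offline (constructed)."""
    def __init__(self, pages):
        self.pages, self.put = pages, []

    def put_config_rule(self, ConfigRule):
        self.put.append(ConfigRule)

    def get_compliance_details_by_config_rule(self, **kwargs):
        index = int(kwargs.get("NextToken", "0"))
        page = dict(self.pages[index])
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)    # mimic the service's paging
        return page


def _result(rtype, rid):                       # constructed evaluation result
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": "ssh-not-open-to-world", "ResourceType": rtype,
                "ResourceId": rid}}, "ComplianceType": "NON_COMPLIANT"}


SAMPLE_PAGES = [{"EvaluationResults": [_result("AWS::EC2::SecurityGroup", "sg-0aaa")]},
                {"EvaluationResults": [_result("AWS::EC2::SecurityGroup", "sg-0bbb")]}]

if __name__ == "__main__":
    client = FakeConfigClient(SAMPLE_PAGES)    # swap for boto3.client("config") to go live
    for rule in deploy(client):
        print(rule["ConfigRuleName"], rule["Source"]["SourceIdentifier"])
    print(noncompliant_resources(client, "ssh-not-open-to-world"))
```

Two things a practitioner usually trips over are visible here: InputParameters must be serialised to a string or the call is rejected, and compliance detail listings are paged, so a script that reads only the first response under-reports the non-compliant set.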
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.