AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2025-03-23 · Documentation low

File: config/latest/developerguide/managed-rules-by-aws-config.md

Summary

Added multiple new AWS Config managed rules related to resource tagging, encryption, logging, and security configurations across services (ALB, DMS, EC2, RDS, Redshift, S3, etc.)

Security assessment

Added rules like 'event-data-store-cmk-encryption-enabled', 'rds-proxy-tls-encryption', and 'redshift-serverless-workgroup-no-public-access' document security best practices for encryption and access control. However, there's no evidence these changes address specific vulnerabilities or incidents.

Diff

diff --git a/config/latest/developerguide/managed-rules-by-aws-config.md b/config/latest/developerguide/managed-rules-by-aws-config.md
index 1a125f259..feb9eae92 100644
--- a/config/latest/developerguide/managed-rules-by-aws-config.md
+++ b/config/latest/developerguide/managed-rules-by-aws-config.md
@@ -32,0 +33,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [alb-listener-tagged](./alb-listener-tagged.html)
+
@@ -350,0 +353,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+
@@ -360,0 +365,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+
@@ -408,0 +415,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+
+  * [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+
@@ -410,0 +421,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+
@@ -412,0 +425,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+
@@ -414,0 +429,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+
@@ -450,0 +467,6 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+
+  * [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+
+  * [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+
@@ -464,0 +487,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+
@@ -482,0 +507,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+
@@ -512,0 +539,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+
@@ -626,0 +655,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+
@@ -676,0 +707,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+
+  * [glb-listener-tagged](./glb-listener-tagged.html)
+
@@ -716,0 +751,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [iam-oidc-provider-tagged](./iam-oidc-provider-tagged.html)
+
@@ -730,0 +767,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [iam-saml-provider-tagged](./iam-saml-provider-tagged.html)
+
@@ -732,0 +771,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [iam-server-certificate-tagged](./iam-server-certificate-tagged.html)
+
@@ -818,0 +859,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+
+  * [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+
@@ -890,0 +935,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+
@@ -892,0 +939,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [nlb-listener-tagged](./nlb-listener-tagged.html)
+
+  * [nlb-logging-enabled](./nlb-logging-enabled.html)
+
@@ -946,0 +997,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+
@@ -964,0 +1017,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+
@@ -976,0 +1031,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+
@@ -998,0 +1055,8 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+
+  * [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+
+  * [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+
+  * [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+
@@ -1056,0 +1121,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+