AWS Security ChangesHomeSearch

AWS config medium security documentation change

Service: config · 2025-03-23 · Security-related medium

File: config/latest/developerguide/managed-rules-by-trigger-type.md

Summary

Added multiple new AWS Config managed rules across various services including ALB, DMS, EC2, ECS, IAM, Redshift, S3, and others. New rules focus on tagging compliance, encryption requirements, logging, network security, and resource configurations.

Security assessment

Several added rules explicitly address security controls: 'redshift-audit-logging-enabled' enforces logging, 'event-data-store-cmk-encryption-enabled' mandates encryption, 'rds-proxy-tls-encryption' requires TLS, and 'redshift-serverless-workgroup-no-public-access' prevents public exposure. These directly document security features.

Diff

diff --git a/config/latest/developerguide/managed-rules-by-trigger-type.md b/config/latest/developerguide/managed-rules-by-trigger-type.md
index c98882579..d9d637b62 100644
--- a/config/latest/developerguide/managed-rules-by-trigger-type.md
+++ b/config/latest/developerguide/managed-rules-by-trigger-type.md
@@ -26,0 +27,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [alb-listener-tagged](./alb-listener-tagged.html)
+
@@ -288,0 +291,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+
@@ -296,0 +301,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+
@@ -318,0 +325,4 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+
+  * [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+
@@ -320,0 +331,6 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+
+  * [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+
+  * [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+
@@ -350,0 +367,6 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+
+  * [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+
+  * [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+
@@ -358,0 +381,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+
@@ -374,0 +399,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+
@@ -402,0 +429,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+
@@ -498,0 +527,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [glb-listener-tagged](./glb-listener-tagged.html)
+
@@ -514,0 +545,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [iam-oidc-provider-tagged](./iam-oidc-provider-tagged.html)
+
@@ -522,0 +555,4 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [iam-saml-provider-tagged](./iam-saml-provider-tagged.html)
+
+  * [iam-server-certificate-tagged](./iam-server-certificate-tagged.html)
+
@@ -590,0 +627,4 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+
+  * [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+
@@ -644,0 +685,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+
@@ -646,0 +689,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [nlb-listener-tagged](./nlb-listener-tagged.html)
+
@@ -714,0 +759,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+
@@ -776,0 +823,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+
@@ -1031,0 +1080,2 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc
+  * [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+
@@ -1047,0 +1098,2 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc
+  * [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+
@@ -1113,0 +1166,4 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc
+  * [nlb-logging-enabled](./nlb-logging-enabled.html)
+
+  * [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+
@@ -1125,0 +1182,2 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc
+  * [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+
@@ -1129,0 +1188,8 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc
+  * [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+
+  * [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+
+  * [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+
+  * [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+