AWS config documentation change
Summary
Added multiple new AWS Config managed rules to the documentation, including resource tagging checks, encryption validations, logging requirements, and network configuration rules.
Security assessment
Several added rules relate to security best practices such as encryption (event-data-store-cmk-encryption-enabled, rds-proxy-tls-encryption), audit logging (redshift-audit-logging-enabled), and secure network configurations (ecs-task-definition-network-mode-not-host). However, there is no evidence these changes address specific disclosed vulnerabilities.
Diff
diff --git a/config/latest/developerguide/managing-rules-by-region-availability.md b/config/latest/developerguide/managing-rules-by-region-availability.md index c6a35b826..102daebab 100644 --- a/config/latest/developerguide/managing-rules-by-region-availability.md +++ b/config/latest/developerguide/managing-rules-by-region-availability.md @@ -34,0 +35,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [alb-listener-tagged](./alb-listener-tagged.html) + @@ -312,0 +315,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dms-endpoint-tagged](./dms-endpoint-tagged.html) + @@ -322,0 +327,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dms-replication-task-tagged](./dms-replication-task-tagged.html) + @@ -370,0 +377,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html) + + * [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html) + @@ -372,0 +383,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html) + @@ -374,0 +387,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html) + @@ -376,0 +391,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-fleet-tagged](./ec2-fleet-tagged.html) + @@ -412,0 +429,6 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html) + + * [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html) + + * [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html) + @@ -442,0 +465,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html) + @@ -472,0 +497,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html) + @@ -586,0 +613,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html) + @@ -636,0 +665,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html) + + * [glb-listener-tagged](./glb-listener-tagged.html) + @@ -752,0 +785,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lightsail-bucket-tagged](./lightsail-bucket-tagged.html) + + * [lightsail-certificate-tagged](./lightsail-certificate-tagged.html) + @@ -824,0 +861,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html) + @@ -826,0 +865,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [nlb-listener-tagged](./nlb-listener-tagged.html) + + * [nlb-logging-enabled](./nlb-logging-enabled.html) + @@ -878,0 +921,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html) + @@ -896,0 +941,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html) + @@ -908,0 +955,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html) + @@ -930,0 +979,8 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html) + + * [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html) + + * [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html) + + * [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html) + @@ -986,0 +1043,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html) + @@ -1143,0 +1202,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [alb-listener-tagged](./alb-listener-tagged.html) + @@ -1461,0 +1522,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dms-endpoint-tagged](./dms-endpoint-tagged.html) + @@ -1471,0 +1534,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dms-replication-task-tagged](./dms-replication-task-tagged.html) + @@ -1519,0 +1584,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html) + + * [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html) + @@ -1521,0 +1590,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html) + @@ -1523,0 +1594,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html) + @@ -1525,0 +1598,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-fleet-tagged](./ec2-fleet-tagged.html) + @@ -1561,0 +1636,6 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html) + + * [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html) + + * [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html) + @@ -1575,0 +1656,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html) + @@ -1593,0 +1676,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html) + @@ -1623,0 +1708,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html) + @@ -1737,0 +1824,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html) + @@ -1787,0 +1876,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html) + + * [glb-listener-tagged](./glb-listener-tagged.html) + @@ -1827,0 +1920,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [iam-oidc-provider-tagged](./iam-oidc-provider-tagged.html) + @@ -1841,0 +1936,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [iam-saml-provider-tagged](./iam-saml-provider-tagged.html) + @@ -1843,0 +1940,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [iam-server-certificate-tagged](./iam-server-certificate-tagged.html) + @@ -1929,0 +2028,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lightsail-bucket-tagged](./lightsail-bucket-tagged.html) + + * [lightsail-certificate-tagged](./lightsail-certificate-tagged.html) + @@ -2001,0 +2104,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html) + @@ -2003,0 +2108,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [nlb-listener-tagged](./nlb-listener-tagged.html) + + * [nlb-logging-enabled](./nlb-logging-enabled.html) + @@ -2057,0 +2166,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html) + @@ -2075,0 +2186,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html) + @@ -2087,0 +2200,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html) + @@ -2109,0 +2224,8 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html) + + * [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html) + + * [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html) + + * [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html) + @@ -2167,0 +2290,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html) + @@ -2342,0 +2467,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [alb-listener-tagged](./alb-listener-tagged.html) + @@ -2600,0 +2727,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dms-endpoint-tagged](./dms-endpoint-tagged.html) + @@ -2610,0 +2739,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dms-replication-task-tagged](./dms-replication-task-tagged.html) + @@ -2646,0 +2777,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html) + @@ -2648,0 +2781,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html) + @@ -2650,0 +2785,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html) + @@ -2652,0 +2789,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-fleet-tagged](./ec2-fleet-tagged.html) + @@ -2688,0 +2827,6 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html) + + * [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html) + + * [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html) +