AWS Security ChangesHomeSearch

AWS config medium security documentation change

Service: config · 2025-06-16 · Security-related medium

File: config/latest/developerguide/managed-rules-by-trigger-type.md

Summary

Added multiple new AWS Config managed rules including security-related checks for CloudFront SSL policies, Cognito unauthorized access, EC2 ENI source/destination checks, ELBv2 encryption, Lambda X-Ray, MSK access controls, Redshift Multi-AZ, S3 lifecycle rules, and SSM automation security settings

Security assessment

Added rules explicitly enforce security controls: 1) cloudfront-ssl-policy-check ensures proper TLS configuration 2) cognito-identity-pool-unauth-access-check prevents unauthorized access 3) ec2-enis-source-destination-check-enabled prevents IP spoofing 4) elbv2-listener-encryption-in-transit enforces encryption in transit 5) msk-cluster-public-access-disabled restricts network exposure 6) ssm-automation-block-public-sharing prevents credential leakage. These directly address security configuration risks.

Diff

diff --git a/config/latest/developerguide/managed-rules-by-trigger-type.md b/config/latest/developerguide/managed-rules-by-trigger-type.md
index 78001594a..00ca8979c 100644
--- a//config/latest/developerguide/managed-rules-by-trigger-type.md
+++ b//config/latest/developerguide/managed-rules-by-trigger-type.md
@@ -220,0 +221,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html)
+
@@ -262,0 +265,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -334,0 +339,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -466,0 +473,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -616,0 +625,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -640,0 +651,4 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
+  * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+
@@ -644,0 +659,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -762,0 +779,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+
@@ -780,0 +799,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf
+  * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+
@@ -1241,0 +1262,4 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+