AWS config medium security documentation change
Summary
Added multiple new AWS Config managed rules including security-related checks for CloudFront SSL policies, Cognito unauthorized access, EC2 ENI source/destination checks, ELBv2 encryption, Lambda X-Ray, MSK access controls, Redshift Multi-AZ, S3 lifecycle rules, and SSM automation security settings
Security assessment
Added rules explicitly enforce security controls: 1) cloudfront-ssl-policy-check ensures proper TLS configuration 2) cognito-identity-pool-unauth-access-check prevents unauthorized access 3) ec2-enis-source-destination-check-enabled prevents IP spoofing 4) elbv2-listener-encryption-in-transit enforces encryption in transit 5) msk-cluster-public-access-disabled restricts network exposure 6) ssm-automation-block-public-sharing prevents credential leakage. These directly address security configuration risks.
Diff
diff --git a/config/latest/developerguide/managed-rules-by-trigger-type.md b/config/latest/developerguide/managed-rules-by-trigger-type.md index 78001594a..00ca8979c 100644 --- a//config/latest/developerguide/managed-rules-by-trigger-type.md +++ b//config/latest/developerguide/managed-rules-by-trigger-type.md @@ -220,0 +221,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html) + @@ -262,0 +265,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -334,0 +339,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -466,0 +473,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -616,0 +625,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -640,0 +651,4 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + + * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html) + @@ -644,0 +659,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -762,0 +779,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html) + @@ -780,0 +799,2 @@ _Change-triggered rules_ are rules that AWS Config evaluates in response to conf + * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html) + @@ -1241,0 +1262,4 @@ _Periodic rules_ are rules that AWS Config evaluates periodicially at a frequenc + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) +