AWS Security ChangesHomeSearch

AWS config high security documentation change

Service: config · 2025-06-16 · Security-related high

File: config/latest/developerguide/managing-rules-by-region-availability.md

Summary

Added multiple new AWS Config managed rules across various services including Cognito, EC2, ELB, Lambda, MSK, Redshift, S3, SSM, Backup, and others

Security assessment

Several added rules explicitly address security controls: 'cognito-identity-pool-unauth-access-check' prevents unauthorized access, 'ec2-enis-source-destination-check-enabled' enforces network security, 'elbv2-listener-encryption-in-transit' mandates TLS, 'msk-cluster-public-access-disabled' restricts exposure, 'ssm-automation-block-public-sharing' limits resource sharing, and 'backup-recovery-point-encrypted' ensures backup security. These directly implement security best practices.

Diff

diff --git a/config/latest/developerguide/managing-rules-by-region-availability.md b/config/latest/developerguide/managing-rules-by-region-availability.md
index e4a266e9c..bd27bfee9 100644
--- a//config/latest/developerguide/managing-rules-by-region-availability.md
+++ b//config/latest/developerguide/managing-rules-by-region-availability.md
@@ -282,0 +283,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -388,0 +391,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -578,0 +583,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -772,0 +779,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -810,0 +819,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
+  * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+
@@ -814,0 +827,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -956,0 +971,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+
@@ -994,0 +1011,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+
@@ -1106,0 +1125,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+
@@ -1417,0 +1440,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html)
+
@@ -1485,0 +1510,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -1597,0 +1624,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -1791,0 +1820,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -2017,0 +2048,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -2055,0 +2088,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
+  * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+
@@ -2059,0 +2096,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -2203,0 +2242,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+
@@ -2243,0 +2284,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+
@@ -2361,0 +2404,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+
@@ -2698,0 +2745,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -2790,0 +2839,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -2982,0 +3033,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -3138,0 +3191,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -3170,0 +3225,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
+  * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+
@@ -3174,0 +3233,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -3466,0 +3527,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+
@@ -3815,0 +3880,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -3927,0 +3994,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -4121,0 +4190,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -4339,0 +4410,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -4377,0 +4450,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
+  * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+
@@ -4381,0 +4458,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -4525,0 +4604,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+
@@ -4563,0 +4644,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+
@@ -4677,0 +4760,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+
@@ -4988,0 +5075,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -5074,0 +5163,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -5252,0 +5343,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -5402,0 +5495,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -5428,0 +5523,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
@@ -5432,0 +5529,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -5572,0 +5671,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+
@@ -5706,0 +5807,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+
@@ -6029,0 +6134,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+
@@ -6125,0 +6232,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+
@@ -6315,0 +6424,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+
@@ -6469,0 +6580,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+
@@ -6501,0 +6614,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+
@@ -6505,0 +6620,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+
@@ -6647,0 +6764,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+
@@ -6791,0 +6910,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+
+  * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+
@@ -6924,0 +7047,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+
+  * [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+
@@ -6926,0 +7053,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+
+  * [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+
@@ -6940,0 +7071,8 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+
+  * [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+
+  * [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+
+  * [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+
@@ -7040,0 +7179,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+
+  * [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)