AWS config high security documentation change
Summary
Added multiple new AWS Config managed rules across various services including Cognito, EC2, ELB, Lambda, MSK, Redshift, S3, SSM, Backup, and others
Security assessment
Several added rules explicitly address security controls: 'cognito-identity-pool-unauth-access-check' prevents unauthorized access, 'ec2-enis-source-destination-check-enabled' enforces network security, 'elbv2-listener-encryption-in-transit' mandates TLS, 'msk-cluster-public-access-disabled' restricts exposure, 'ssm-automation-block-public-sharing' limits resource sharing, and 'backup-recovery-point-encrypted' ensures backup security. These directly implement security best practices.
Diff
diff --git a/config/latest/developerguide/managing-rules-by-region-availability.md b/config/latest/developerguide/managing-rules-by-region-availability.md index e4a266e9c..bd27bfee9 100644 --- a//config/latest/developerguide/managing-rules-by-region-availability.md +++ b//config/latest/developerguide/managing-rules-by-region-availability.md @@ -282,0 +283,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -388,0 +391,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -578,0 +583,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -772,0 +779,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -810,0 +819,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + + * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html) + @@ -814,0 +827,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -956,0 +971,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html) + @@ -994,0 +1011,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html) + @@ -1106,0 +1125,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) + @@ -1417,0 +1440,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html) + @@ -1485,0 +1510,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -1597,0 +1624,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -1791,0 +1820,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -2017,0 +2048,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -2055,0 +2088,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + + * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html) + @@ -2059,0 +2096,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -2203,0 +2242,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html) + @@ -2243,0 +2284,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html) + @@ -2361,0 +2404,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) + @@ -2698,0 +2745,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -2790,0 +2839,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -2982,0 +3033,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -3138,0 +3191,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -3170,0 +3225,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + + * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html) + @@ -3174,0 +3233,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -3466,0 +3527,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) + @@ -3815,0 +3880,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -3927,0 +3994,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -4121,0 +4190,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -4339,0 +4410,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -4377,0 +4450,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + + * [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html) + @@ -4381,0 +4458,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -4525,0 +4604,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html) + @@ -4563,0 +4644,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html) + @@ -4677,0 +4760,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) + @@ -4988,0 +5075,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -5074,0 +5163,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -5252,0 +5343,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -5402,0 +5495,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -5428,0 +5523,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + @@ -5432,0 +5529,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -5572,0 +5671,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html) + @@ -5706,0 +5807,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) + @@ -6029,0 +6134,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html) + @@ -6125,0 +6232,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html) + @@ -6315,0 +6424,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html) + @@ -6469,0 +6580,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [lambda-function-xray-enabled](./lambda-function-xray-enabled.html) + @@ -6501,0 +6614,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html) + @@ -6505,0 +6620,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [msk-unrestricted-access-check](./msk-unrestricted-access-check.html) + @@ -6647,0 +6764,2 @@ AWS Config currently supports the following managed rules. Before using these ru + * [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html) + @@ -6791,0 +6910,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html) + + * [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html) + @@ -6924,0 +7047,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html) + + * [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html) + @@ -6926,0 +7053,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html) + + * [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html) + @@ -6940,0 +7071,8 @@ AWS Config currently supports the following managed rules. Before using these ru + * [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html) + + * [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html) + + * [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html) + + * [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html) + @@ -7040,0 +7179,4 @@ AWS Config currently supports the following managed rules. Before using these ru + * [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html) + + * [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)