AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2025-09-10 · Documentation medium

File: config/latest/developerguide/operational-best-practices-for-acsc_essential_8.md

Summary

Added new AWS Config rules: CloudWatch Log Group encryption check, EC2 allowed AMI validation, and S3 bucket default lock enforcement

Security assessment

New rules document security controls for log encryption, AMI whitelisting, and S3 object lock - all security best practices but not tied to resolving specific vulnerabilities.

Diff

diff --git a/config/latest/developerguide/operational-best-practices-for-acsc_essential_8.md b/config/latest/developerguide/operational-best-practices-for-acsc_essential_8.md
index 2ab348282..b9922c14a 100644
--- a//config/latest/developerguide/operational-best-practices-for-acsc_essential_8.md
+++ b//config/latest/developerguide/operational-best-practices-for-acsc_essential_8.md
@@ -18,0 +19 @@ Application_control | [api-gw-associated-with-waf](https://docs.aws.amazon.com/c
+Application_control | [cloudwatch-log-group-encrypted](https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html) |  Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key Id. The rule is NON_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter.  
@@ -26,0 +28 @@ Patch_applications | [ecs-fargate-latest-platform-version](https://docs.aws.amaz
+Patch_applications | [ec2-instance-launched-with-allowed-ami](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-launched-with-allowed-ami.html) |  Checks if running or stopped EC2 instances were launched with Amazon Machine Images (AMIs) that meet your Allowed AMIs criteria. The rule is NON_COMPLIANT if an AMI doesn't meet the Allowed AMIs criteria and the Allowed AMIs settings isn't disabled.  
@@ -58,0 +61 @@ Regular_backups | [rds-in-backup-plan](https://docs.aws.amazon.com/config/latest
+Regular_backups | [s3-bucket-default-lock-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-default-lock-enabled.html) |  Checks if the S3 bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled.  
@@ -79 +82 @@ Operational Best Practices for ABS CCIG 2.0 Standard Workloads
-Operational Best Practices for ACSC ISM 
+Operational Best Practices for ACSC ISM - Part 1