AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2026-01-13 · Documentation low

File: config/latest/developerguide/managed-rules-by-evaluation-mode.md

Summary

Removed 8 rules from proactive evaluation list and added 5 new rules to detective evaluation section

Security assessment

Adds documentation for security-focused rules (CloudFront key groups, ECS non-root/non-admin) while reorganizing evaluation modes. Enhances security documentation without evidence of vulnerability remediation.

Diff

diff --git a/config/latest/developerguide/managed-rules-by-evaluation-mode.md b/config/latest/developerguide/managed-rules-by-evaluation-mode.md
index fce83bdd0..9b7261ec2 100644
--- a//config/latest/developerguide/managed-rules-by-evaluation-mode.md
+++ b//config/latest/developerguide/managed-rules-by-evaluation-mode.md
@@ -19,2 +18,0 @@ Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or
-  * [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
-
@@ -23,14 +20,0 @@ Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or
-  * [lambda-function-settings-check](./lambda-function-settings-check.html)
-
-  * [lambda-inside-vpc](./lambda-inside-vpc.html)
-
-  * [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
-
-  * [rds-storage-encrypted](./rds-storage-encrypted.html)
-
-  * [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
-
-  * [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
-
-  * [sns-encrypted-kms](./sns-encrypted-kms.html)
-
@@ -301,0 +286,2 @@ Currently, all AWS Config rules support detective evaluation.
+  * [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+
@@ -311,0 +298,2 @@ Currently, all AWS Config rules support detective evaluation.
+  * [cloudfront-distribution-key-group-enabled](./cloudfront-distribution-key-group-enabled.html)
+
@@ -639,0 +628,2 @@ Currently, all AWS Config rules support detective evaluation.
+  * [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+
@@ -651,0 +642,2 @@ Currently, all AWS Config rules support detective evaluation.
+  * [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+
@@ -663,0 +656,2 @@ Currently, all AWS Config rules support detective evaluation.
+  * [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+