AWS Security ChangesHomeSearch

AWS config high security documentation change

Service: config · 2026-03-10 · Security-related high

File: config/latest/developerguide/managing-rules-by-region-availability.md

Summary

Added multiple new AWS Config managed rules covering services like ACM, Amplify, API Gateway, AppMesh, CloudTrail, EC2, ECS, ELBv2, IAM, Lambda, RDS, S3, SageMaker, and others

Security assessment

Several added rules enforce security controls: Certificate transparency logging (acm-certificate-transparent-logging-enabled), TLS checks (apigateway-domain-name-tls-check), EBS encryption (ec2-launchtemplate-ebs-encrypted), IAM policy descriptions (iam-policy-description), encrypted health checks (elbv2-targetgroup-healthcheck-protocol-encrypted), backup retention (rds-cluster-backup-retention-check), security group hardening (vpc-default-security-group-closed), and data encryption requirements. These address security best practices for encryption, access control, logging, and resource hardening.

Diff

diff --git a/config/latest/developerguide/managing-rules-by-region-availability.md b/config/latest/developerguide/managing-rules-by-region-availability.md
index a9310d558..44fb1b482 100644
--- a//config/latest/developerguide/managing-rules-by-region-availability.md
+++ b//config/latest/developerguide/managing-rules-by-region-availability.md
@@ -22,0 +23,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+
@@ -42,0 +45,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+
@@ -46,0 +51,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-app-platform-check](./amplify-app-platform-check.html)
+
@@ -48,0 +55,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+
+  * [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+
@@ -50,0 +61,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+
@@ -52,0 +65,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+
@@ -54,0 +69,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+
@@ -56,0 +73,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+
@@ -116,0 +135,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+
@@ -122,0 +143,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+
@@ -132,0 +155,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+
+  * [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+
@@ -134,0 +161,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+
@@ -266,0 +295,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+
@@ -278,0 +309,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+
@@ -296,0 +329,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+
@@ -308,0 +343,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [codebuild-project-tagged](./codebuild-project-tagged.html)
+
@@ -472,0 +509,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+
@@ -474,0 +513,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+
@@ -516,0 +557,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+
@@ -568,0 +611,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+
@@ -676,0 +721,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+
+  * [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+
@@ -706,0 +755,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+
+  * [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+
@@ -770,0 +823,6 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [groundstation-config-tagged](./groundstation-config-tagged.html)
+
+  * [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+
+  * [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+
@@ -792,0 +851,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+
@@ -806,0 +867,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [iam-policy-description](./iam-policy-description.html)
+
@@ -822,0 +885,10 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+
+  * [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+
+  * [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+
+  * [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+
+  * [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+
@@ -866,0 +939,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+
+  * [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+
@@ -884,0 +961,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+
@@ -886,0 +965,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+
@@ -890,0 +971,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+
@@ -898,0 +981,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+
@@ -910,0 +995,6 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+
+  * [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+
+  * [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+
@@ -964,0 +1055,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+
@@ -994,0 +1087,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+
+  * [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+
@@ -1024,0 +1121,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+
@@ -1038,0 +1137,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+
@@ -1130,0 +1231,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+
+  * [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+
@@ -1142,0 +1247,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+
@@ -1192,0 +1299,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+
@@ -1208,0 +1317,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+
+  * [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+
@@ -1216,0 +1329,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+
@@ -1222,0 +1337,8 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+
+  * [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+
+  * [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+
+  * [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+
@@ -1226,0 +1349,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+
@@ -1258,0 +1383,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+
@@ -1298,0 +1425,6 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+
+  * [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+
+  * [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+
@@ -1361,0 +1494,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+
@@ -1381,0 +1516,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+
@@ -1385,0 +1522,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-app-platform-check](./amplify-app-platform-check.html)
+
@@ -1387,0 +1526,4 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+
+  * [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+
@@ -1389,0 +1532,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+
@@ -1391,0 +1536,2 @@ AWS Config currently supports the following managed rules. Before using these ru
+  * [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)