Class ManagedRuleIdentifiers
Managed rules that are supported by AWS Config.
Inheritance
Namespace: Amazon.CDK.AWS.Config
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class ManagedRuleIdentifiers : DeputyBase
Syntax (vb)
Public Class ManagedRuleIdentifiers
Inherits DeputyBase
Remarks
See: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
Examples
// https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
// `this` is the Stack (or other Construct) that owns the rule.
new ManagedRule(this, "AccessKeysRotated", new ManagedRuleProps {
    Identifier = ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
    // Rule parameter: flag active access keys older than 60 days.
    InputParameters = new Dictionary<string, object> {
        { "maxAccessKeyAge", 60 }
    },
    // default is 24 hours
    MaximumExecutionFrequency = MaximumExecutionFrequency.TWELVE_HOURS
});
Synopsis
Constructors
ManagedRuleIdentifiers(ByRefValue) | Used by jsii to construct an instance of this class from a Javascript-owned object reference |
ManagedRuleIdentifiers(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
Properties
ACCESS_KEYS_ROTATED | Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. |
ACCOUNT_PART_OF_ORGANIZATIONS | Checks whether AWS account is part of AWS Organizations. |
ACM_CERTIFICATE_EXPIRATION_CHECK | Checks whether ACM Certificates in your account are marked for expiration within the specified number of days. |
ALB_DESYNC_MODE_CHECK | Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode. |
ALB_HTTP_DROP_INVALID_HEADER_ENABLED | Checks if Application Load Balancers (ALBs) are configured to drop invalid HTTP headers. |
ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer. |
ALB_WAF_ENABLED | Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). |
API_GW_ASSOCIATED_WITH_WAF | Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL. |
API_GW_CACHE_ENABLED_AND_ENCRYPTED | Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted. |
API_GW_ENDPOINT_TYPE_CHECK | Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType. |
API_GW_EXECUTION_LOGGING_ENABLED | Checks that all methods in Amazon API Gateway stages have logging enabled. |
API_GW_SSL_ENABLED | Checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate. |
API_GW_XRAY_ENABLED | Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. |
API_GWV2_ACCESS_LOGS_ENABLED | Checks if Amazon API Gateway V2 stages have access logging enabled. |
API_GWV2_AUTHORIZATION_TYPE_CONFIGURED | Checks if Amazon API Gatewayv2 API routes have an authorization type set. |
APPROVED_AMIS_BY_ID | Checks whether running instances are using specified AMIs. |
APPROVED_AMIS_BY_TAG | Checks whether running instances are using specified AMIs. |
AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon Aurora DB clusters. |
AURORA_MYSQL_BACKTRACKING_ENABLED | Checks if an Amazon Aurora MySQL cluster has backtracking enabled. |
AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon Aurora DB clusters are protected by a backup plan. |
AUTOSCALING_CAPACITY_REBALANCING | Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types. |
AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED | Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. |
AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT | Checks the number of network hops that the metadata token can travel. |
AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED | Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. |
AUTOSCALING_LAUNCH_TEMPLATE | Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. |
AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2 | Checks whether only IMDSv2 is enabled. |
AUTOSCALING_MULTIPLE_AZ | Checks if the Auto Scaling group spans multiple Availability Zones. |
AUTOSCALING_MULTIPLE_INSTANCE_TYPES | Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. |
BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK | Checks if a backup plan has a backup rule that satisfies the required frequency and retention period. |
BACKUP_RECOVERY_POINT_ENCRYPTED | Checks if a recovery point is encrypted. |
BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED | Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. |
BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK | Checks if a recovery point expires no earlier than after the specified period. |
BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED | Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting. |
CLB_DESYNC_MODE_CHECK | Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode. |
CLB_MULTIPLE_AZ | Checks if a Classic Load Balancer spans multiple Availability Zones (AZs). |
CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. |
CLOUD_TRAIL_ENABLED | Checks whether AWS CloudTrail is enabled in your AWS account. |
CLOUD_TRAIL_ENCRYPTION_ENABLED | Checks whether AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). |
CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | Checks whether AWS CloudTrail creates a signed digest file with logs. |
CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK | Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. |
CLOUDFORMATION_STACK_NOTIFICATION_CHECK | Checks whether your CloudFormation stacks are sending event notifications to an SNS topic. |
CLOUDFRONT_ACCESSLOGS_ENABLED | Checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs. |
CLOUDFRONT_ASSOCIATED_WITH_WAF | Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs). |
CLOUDFRONT_CUSTOM_SSL_CERTIFICATE | Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. |
CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED | Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. |
CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS | Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. |
CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED | Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. |
CLOUDFRONT_ORIGIN_FAILOVER_ENABLED | Checks whether an origin group with at least 2 origins is configured for the Amazon CloudFront distribution. |
CLOUDFRONT_SECURITY_POLICY_CHECK | Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. |
CLOUDFRONT_SNI_ENABLED | Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. |
CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED | Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. |
CLOUDFRONT_VIEWER_POLICY_HTTPS | Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). |
CLOUDTRAIL_MULTI_REGION_ENABLED | Checks that there is at least one multi-region AWS CloudTrail. |
CLOUDTRAIL_S3_DATAEVENTS_ENABLED | Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. |
CLOUDTRAIL_SECURITY_TRAIL_ENABLED | Checks that there is at least one AWS CloudTrail trail defined with security best practices. |
CLOUDWATCH_ALARM_ACTION_CHECK | Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. |
CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK | Checks if Amazon CloudWatch alarms actions are in enabled state. |
CLOUDWATCH_ALARM_RESOURCE_CHECK | Checks whether the specified resource type has a CloudWatch alarm for the specified metric. |
CLOUDWATCH_ALARM_SETTINGS_CHECK | Checks whether CloudWatch alarms with the given metric name have the specified settings. |
CLOUDWATCH_LOG_GROUP_ENCRYPTED | Checks whether a log group in Amazon CloudWatch Logs is encrypted with an AWS Key Management Service (KMS) managed customer master key (CMK). |
CMK_BACKING_KEY_ROTATION_ENABLED | Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK). |
CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION | Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. |
CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK | Checks if an AWS CodeBuild project environment has privileged mode enabled. |
CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK | Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. |
CODEBUILD_PROJECT_LOGGING_ENABLED | Checks if an AWS CodeBuild project environment has at least one log option enabled. |
CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED | Checks if an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. |
CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK | Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password. |
CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED | Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached. |
CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED | Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold. |
CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED | Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration. |
CODEPIPELINE_DEPLOYMENT_COUNT_CHECK | Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment. |
CODEPIPELINE_REGION_FANOUT_CHECK | Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number. |
CW_LOGGROUP_RETENTION_PERIOD_CHECK | Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days. |
DAX_ENCRYPTION_ENABLED | Checks that DynamoDB Accelerator (DAX) clusters are encrypted. |
DMS_REPLICATION_NOT_PUBLIC | Checks whether AWS Database Migration Service replication instances are public. |
DYNAMODB_AUTOSCALING_ENABLED | Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes. |
DYNAMODB_IN_BACKUP_PLAN | Checks whether Amazon DynamoDB table is present in AWS Backup plans. |
DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. |
DYNAMODB_PITR_ENABLED | Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. |
DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon DynamoDB tables are protected by a backup plan. |
DYNAMODB_TABLE_ENCRYPTED_KMS | Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). |
DYNAMODB_TABLE_ENCRYPTION_ENABLED | Checks whether the Amazon DynamoDB tables are encrypted and checks their status. |
DYNAMODB_THROUGHPUT_LIMIT_CHECK | Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. |
EBS_ENCRYPTED_VOLUMES | Checks whether the EBS volumes that are in an attached state are encrypted. |
EBS_IN_BACKUP_PLAN | Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. |
EBS_OPTIMIZED_INSTANCE | Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. |
EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. |
EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | Checks whether Amazon Elastic Block Store snapshots are not publicly restorable. |
EC2_DESIRED_INSTANCE_TENANCY | Checks instances for specified tenancy. |
EC2_DESIRED_INSTANCE_TYPE | Checks whether your EC2 instances are of the specified instance types. |
EC2_EBS_ENCRYPTION_BY_DEFAULT | Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. |
EC2_IMDSV2_CHECK | Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). |
EC2_INSTANCE_DETAILED_MONITORING_ENABLED | Checks whether detailed monitoring is enabled for EC2 instances. |
EC2_INSTANCE_MANAGED_BY_SSM | Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager. |
EC2_INSTANCE_MULTIPLE_ENI_CHECK | Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs). |
EC2_INSTANCE_NO_PUBLIC_IP | Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. |
EC2_INSTANCE_PROFILE_ATTACHED | Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. |
EC2_INSTANCES_IN_VPC | Checks whether your EC2 instances belong to a virtual private cloud (VPC). |
EC2_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. |
EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED | Checks that none of the specified applications are installed on the instance. |
EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED | Checks whether all of the specified applications are installed on the instance. |
EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK | Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. |
EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED | Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types. |
EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK | Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. |
EC2_MANAGED_INSTANCE_PLATFORM_CHECK | Checks whether EC2 managed instances have the desired configurations. |
EC2_NO_AMAZON_KEY_PAIR | Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using Amazon key pairs. |
EC2_PARAVIRTUAL_INSTANCE_CHECK | Checks if the virtualization type of an EC2 instance is paravirtual. |
EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. |
EC2_SECURITY_GROUP_ATTACHED_TO_ENI | Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface. |
EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC | Checks if non-default security groups are attached to Elastic network interfaces (ENIs). |
EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED | Checks whether the incoming SSH traffic for the security groups is accessible. |
EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC | Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. |
EC2_STOPPED_INSTANCE | Checks whether there are instances stopped for more than the allowed number of days. |
EC2_TOKEN_HOP_LIMIT_CHECK | Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit. |
EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED | Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled. |
ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK | Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions. |
EC2_VOLUME_INUSE_CHECK | Checks whether EBS volumes are attached to EC2 instances. |
ECR_PRIVATE_IMAGE_SCANNING_ENABLED | Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled. |
ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED | Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. |
ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED | Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled. |
ECS_AWSVPC_NETWORKING_ENABLED | Checks if the networking mode for active ECSTaskDefinitions is set to 'awsvpc'. |
ECS_CONTAINER_INSIGHTS_ENABLED | Checks if Amazon Elastic Container Service clusters have container insights enabled. |
ECS_CONTAINERS_NONPRIVILEGED | Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to 'true'. |
ECS_CONTAINERS_READONLY_ACCESS | Checks if Amazon Elastic Container Service (Amazon ECS) containers only have read-only access to their root filesystems. |
ECS_FARGATE_LATEST_PLATFORM_VERSION | Checks if Amazon Elastic Container Service (ECS) Fargate services are running on the latest Fargate platform version. |
ECS_NO_ENVIRONMENT_SECRETS | Checks if secrets are passed as container environment variables. |
ECS_TASK_DEFINITION_LOG_CONFIGURATION | Checks if logConfiguration is set on active ECS Task Definitions. |
ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT | Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for their container definitions. |
ECS_TASK_DEFINITION_NONROOT_USER | Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. |
ECS_TASK_DEFINITION_PID_MODE_CHECK | Checks if ECSTaskDefinitions are configured to share a host's process namespace with its Amazon Elastic Container Service (Amazon ECS) containers. |
EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY | Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory. |
EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY | Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. |
EFS_ENCRYPTED_CHECK | Checks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS). |
EFS_IN_BACKUP_PLAN | Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. |
EFS_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems. |
EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. |
EIP_ATTACHED | Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs). |
EKS_CLUSTER_OLDEST_SUPPORTED_VERSION | Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version. |
EKS_CLUSTER_SUPPORTED_VERSION | Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version. |
EKS_ENDPOINT_NO_PUBLIC_ACCESS | Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. |
EKS_SECRETS_ENCRYPTED | Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys. |
ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED | Checks if managed platform updates in an AWS Elastic Beanstalk environment are enabled. |
ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK | Checks if the Amazon ElastiCache Redis clusters have automatic backup turned on. |
ELASTICSEARCH_ENCRYPTED_AT_REST | Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. |
ELASTICSEARCH_IN_VPC_ONLY | Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC). |
ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK | Checks that Amazon Elasticsearch Service nodes are encrypted end to end. |
ELB_ACM_CERTIFICATE_REQUIRED | Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. |
ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED | Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). |
ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK | Checks whether your Classic Load Balancer SSL listeners are using a custom policy. |
ELB_DELETION_PROTECTION_ENABLED | Checks whether Elastic Load Balancing has deletion protection enabled. |
ELB_LOGGING_ENABLED | Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. |
ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK | Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. |
ELB_TLS_HTTPS_LISTENERS_ONLY | Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners. |
ELBV2_ACM_CERTIFICATE_REQUIRED | Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). |
ELBV2_MULTIPLE_AZ | Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZs). |
EMR_KERBEROS_ENABLED | Checks that Amazon EMR clusters have Kerberos enabled. |
EMR_MASTER_NO_PUBLIC_IP | Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. |
FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK | (deprecated) Checks whether the security groups associated with inScope resources are compliant with the master security groups at each rule level, based on the allowSecurityGroup and denySecurityGroup flags. |
FMS_SECURITY_GROUP_CONTENT_CHECK | (deprecated) Checks whether AWS Firewall Manager created security groups content is the same as the master security groups. |
FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK | (deprecated) Checks whether Amazon EC2 or an elastic network interface is associated with AWS Firewall Manager security groups. |
FMS_SHIELD_RESOURCE_POLICY_CHECK | Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection. |
FMS_WEBACL_RESOURCE_POLICY_CHECK | Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions. |
FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK | Checks that the rule groups associate with the web ACL at the correct priority. |
FSX_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon FSx File Systems. |
FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon FSx File Systems are protected by a backup plan. |
GUARDDUTY_ENABLED_CENTRALIZED | Checks whether Amazon GuardDuty is enabled in your AWS account and region. |
GUARDDUTY_NON_ARCHIVED_FINDINGS | Checks whether Amazon GuardDuty has findings that are not archived. |
IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS | Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on all AWS KMS keys. |
IAM_GROUP_HAS_USERS_CHECK | Checks whether IAM groups have at least one IAM user. |
IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS | Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not allow blocked actions on all AWS Key Management Service keys. |
IAM_NO_INLINE_POLICY_CHECK | Checks that inline policy feature is not in use. |
IAM_PASSWORD_POLICY | Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters. |
IAM_POLICY_BLOCKED_CHECK | Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource. |
IAM_POLICY_IN_USE | Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM role with one or more trusted entities. |
IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources. |
IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS | Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources. |
IAM_ROLE_MANAGED_POLICY_CHECK | Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles. |
IAM_ROOT_ACCESS_KEY_CHECK | Checks whether the root user access key is available. |
IAM_USER_GROUP_MEMBERSHIP_CHECK | Checks whether IAM users are members of at least one IAM group. |
IAM_USER_MFA_ENABLED | Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. |
IAM_USER_NO_POLICIES_CHECK | Checks that none of your IAM users have policies attached. |
IAM_USER_UNUSED_CREDENTIALS_CHECK | Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. |
INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | Checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs). |
KINESIS_STREAM_ENCRYPTED | Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption. |
KMS_CMK_NOT_SCHEDULED_FOR_DELETION | Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS). |
LAMBDA_CONCURRENCY_CHECK | Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. |
LAMBDA_DLQ_CHECK | Checks whether an AWS Lambda function is configured with a dead-letter queue. |
LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED | Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. |
LAMBDA_FUNCTION_SETTINGS_CHECK | Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values. |
LAMBDA_INSIDE_VPC | Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. |
LAMBDA_VPC_MULTI_AZ_CHECK | Checks if a Lambda function has more than 1 Availability Zone associated. |
MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. |
NACL_NO_UNRESTRICTED_SSH_RDP | Checks if the default ports for SSH/RDP ingress traffic in network access control lists (NACLs) are unrestricted. |
NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS | Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets. |
NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS | Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets. |
NETFW_POLICY_RULE_GROUP_ASSOCIATED | Checks if an AWS Network Firewall policy is associated with stateful or stateless rule groups. |
NETFW_STATELESS_RULE_GROUP_NOT_EMPTY | Checks if a Stateless Network Firewall Rule Group contains rules. |
NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED | Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs). |
OPENSEARCH_ACCESS_CONTROL_ENABLED | Checks if Amazon OpenSearch Service domains have fine-grained access control enabled. |
OPENSEARCH_AUDIT_LOGGING_ENABLED | Checks if Amazon OpenSearch Service domains have audit logging enabled. |
OPENSEARCH_DATA_NODE_FAULT_TOLERANCE | Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. |
OPENSEARCH_ENCRYPTED_AT_REST | Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. |
OPENSEARCH_HTTPS_REQUIRED | Checks whether connections to OpenSearch domains are using HTTPS. |
OPENSEARCH_IN_VPC_ONLY | Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). |
OPENSEARCH_LOGS_TO_CLOUDWATCH | Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. |
OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK | Checks if Amazon OpenSearch Service nodes are encrypted end to end. |
RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED | Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. |
RDS_CLUSTER_DEFAULT_ADMIN_CHECK | Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value. |
RDS_CLUSTER_DELETION_PROTECTION_ENABLED | Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. |
RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED | Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled. |
RDS_CLUSTER_MULTI_AZ_ENABLED | Checks if Multi-AZ replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS). |
RDS_DB_INSTANCE_BACKUP_ENABLED | Checks whether RDS DB instances have backups enabled. |
RDS_DB_SECURITY_GROUP_NOT_ALLOWED | Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group. |
RDS_ENHANCED_MONITORING_ENABLED | Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances. |
RDS_IN_BACKUP_PLAN | Checks whether Amazon RDS database is present in backup plans of AWS Backup. |
RDS_INSTANCE_DEFAULT_ADMIN_CHECK | Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value. |
RDS_INSTANCE_DELETION_PROTECTION_ENABLED | Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. |
RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED | Checks if an Amazon RDS instance has AWS Identity and Access Management (IAM) authentication enabled. |
RDS_INSTANCE_PUBLIC_ACCESS_CHECK | Checks whether the Amazon Relational Database Service instances are not publicly accessible. |
RDS_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS). |
RDS_LOGGING_ENABLED | Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. |
RDS_MULTI_AZ_SUPPORT | Checks whether high availability is enabled for your RDS DB instances. |
RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. |
RDS_SNAPSHOT_ENCRYPTED | Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. |
RDS_SNAPSHOTS_PUBLIC_PROHIBITED | Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. |
RDS_STORAGE_ENCRYPTED | Checks whether storage encryption is enabled for your RDS DB instances. |
REDSHIFT_AUDIT_LOGGING_ENABLED | Checks if Amazon Redshift clusters are logging audits to a specific bucket. |
REDSHIFT_BACKUP_ENABLED | Checks that Amazon Redshift automated snapshots are enabled for clusters. |
REDSHIFT_CLUSTER_CONFIGURATION_CHECK | Checks whether Amazon Redshift clusters have the specified settings. |
REDSHIFT_CLUSTER_KMS_ENABLED | Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. |
REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK | Checks whether Amazon Redshift clusters have the specified maintenance settings. |
REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK | Checks whether Amazon Redshift clusters are not publicly accessible. |
REDSHIFT_DEFAULT_ADMIN_CHECK | Checks if an Amazon Redshift cluster has changed the admin username from its default value. |
REDSHIFT_DEFAULT_DB_NAME_CHECK | Checks if a Redshift cluster has changed its database name from the default value. |
REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED | Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled. |
REDSHIFT_REQUIRE_TLS_SSL | Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. |
REQUIRED_TAGS | Checks whether your resources have the tags that you specify. |
ROOT_ACCOUNT_HARDWARE_MFA_ENABLED | Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. |
ROOT_ACCOUNT_MFA_ENABLED | Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. |
S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS | Checks whether the required public access block settings are configured from account level. |
S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC | Checks if the required public access block settings are configured from account level. |
S3_BUCKET_ACL_PROHIBITED | Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). |
S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED | Checks if the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. |
S3_BUCKET_DEFAULT_LOCK_ENABLED | Checks whether Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default. |
S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED | Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. |
S3_BUCKET_LOGGING_ENABLED | Checks whether logging is enabled for your S3 buckets. |
S3_BUCKET_POLICY_GRANTEE_CHECK | Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. |
S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE | Checks if your Amazon Simple Storage Service bucket policies do not allow other inter-account permissions than the control Amazon S3 bucket policy that you provide. |
S3_BUCKET_PUBLIC_READ_PROHIBITED | Checks if your Amazon S3 buckets do not allow public read access. |
S3_BUCKET_PUBLIC_WRITE_PROHIBITED | Checks that your Amazon S3 buckets do not allow public write access. |
S3_BUCKET_REPLICATION_ENABLED | Checks whether S3 buckets have cross-region replication enabled. |
S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED | Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service. |
S3_BUCKET_SSL_REQUESTS_ONLY | Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). |
S3_BUCKET_VERSIONING_ENABLED | Checks whether versioning is enabled for your S3 buckets. |
S3_DEFAULT_ENCRYPTION_KMS | Checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS). |
S3_EVENT_NOTIFICATIONS_ENABLED | Checks if Amazon S3 Events Notifications are enabled on an S3 bucket. |
S3_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3). |
S3_LIFECYCLE_POLICY_CHECK | Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. |
S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. |
S3_VERSION_LIFECYCLE_POLICY_CHECK | Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. |
SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED | Checks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration. |
SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED | Checks whether an AWS Key Management Service (KMS) key is configured for SageMaker notebook instance. |
SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS | Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. |
SECRETSMANAGER_ROTATION_ENABLED_CHECK | Checks whether AWS Secrets Manager secret has rotation enabled. |
SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK | Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule. |
SECRETSMANAGER_SECRET_PERIODIC_ROTATION | Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days. |
SECRETSMANAGER_SECRET_UNUSED | Checks if AWS Secrets Manager secrets have been accessed within a specified number of days. |
SECRETSMANAGER_USING_CMK | Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). |
SECURITYHUB_ENABLED | Checks that AWS Security Hub is enabled for an AWS account. |
SERVICE_VPC_ENDPOINT_ENABLED | Checks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC. |
SHIELD_ADVANCED_ENABLED_AUTO_RENEW | Checks whether EBS volumes are attached to EC2 instances. |
SHIELD_DRT_ACCESS | Verify that DDoS response team (DRT) can access AWS account. |
SNS_ENCRYPTED_KMS | Checks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS). |
SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED | Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. |
SSM_DOCUMENT_NOT_PUBLIC | Checks if AWS Systems Manager documents owned by the account are public. |
STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for AWS Storage Gateway volumes. |
SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED | Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. |
VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED | Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines. |
VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN | Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan. |
VPC_DEFAULT_SECURITY_GROUP_CLOSED | Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. |
VPC_FLOW_LOGS_ENABLED | Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC. |
VPC_NETWORK_ACL_UNUSED_CHECK | Checks if there are unused network access control lists (network ACLs). |
VPC_PEERING_DNS_RESOLUTION_CHECK | Checks if DNS resolution from accepter/requester VPC to private IP is enabled. |
VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS | Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. |
VPC_VPN_2_TUNNELS_UP | Checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. |
WAF_CLASSIC_LOGGING_ENABLED | Checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. |
WAF_GLOBAL_RULE_NOT_EMPTY | Checks if an AWS WAF global rule contains any conditions. |
WAF_GLOBAL_RULEGROUP_NOT_EMPTY | Checks if an AWS WAF Classic rule group contains any rules. |
WAF_GLOBAL_WEBACL_NOT_EMPTY | Checks whether a WAF Global Web ACL contains any WAF rules or rule groups. |
WAF_REGIONAL_RULE_NOT_EMPTY | Checks whether WAF regional rule contains conditions. |
WAF_REGIONAL_RULEGROUP_NOT_EMPTY | Checks if WAF Regional rule groups contain any rules. |
WAF_REGIONAL_WEBACL_NOT_EMPTY | Checks if a WAF regional Web ACL contains any WAF rules or rule groups. |
WAFV2_LOGGING_ENABLED | Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs). |
Constructors
ManagedRuleIdentifiers(ByRefValue)
Used by jsii to construct an instance of this class from a Javascript-owned object reference
protected ManagedRuleIdentifiers(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The Javascript-owned object reference
ManagedRuleIdentifiers(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected ManagedRuleIdentifiers(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
Properties
ACCESS_KEYS_ROTATED
Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge.
public static string ACCESS_KEYS_ROTATED { get; }
Property Value
System.String
Remarks
ACCOUNT_PART_OF_ORGANIZATIONS
Checks whether AWS account is part of AWS Organizations.
public static string ACCOUNT_PART_OF_ORGANIZATIONS { get; }
Property Value
System.String
Remarks
ACM_CERTIFICATE_EXPIRATION_CHECK
Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.
public static string ACM_CERTIFICATE_EXPIRATION_CHECK { get; }
Property Value
System.String
Remarks
ALB_DESYNC_MODE_CHECK
Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode.
public static string ALB_DESYNC_MODE_CHECK { get; }
Property Value
System.String
Remarks
ALB_HTTP_DROP_INVALID_HEADER_ENABLED
Checks if rule evaluates Application Load Balancers (ALBs) to ensure they are configured to drop http headers.
public static string ALB_HTTP_DROP_INVALID_HEADER_ENABLED { get; }
Property Value
System.String
Remarks
ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer.
public static string ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK { get; }
Property Value
System.String
Remarks
ALB_WAF_ENABLED
Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs).
public static string ALB_WAF_ENABLED { get; }
Property Value
System.String
Remarks
API_GW_ASSOCIATED_WITH_WAF
Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL.
public static string API_GW_ASSOCIATED_WITH_WAF { get; }
Property Value
System.String
Remarks
API_GW_CACHE_ENABLED_AND_ENCRYPTED
Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted.
public static string API_GW_CACHE_ENABLED_AND_ENCRYPTED { get; }
Property Value
System.String
Remarks
API_GW_ENDPOINT_TYPE_CHECK
Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType.
public static string API_GW_ENDPOINT_TYPE_CHECK { get; }
Property Value
System.String
Remarks
API_GW_EXECUTION_LOGGING_ENABLED
Checks that all methods in Amazon API Gateway stages have logging enabled.
public static string API_GW_EXECUTION_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
API_GW_SSL_ENABLED
Checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate.
public static string API_GW_SSL_ENABLED { get; }
Property Value
System.String
Remarks
API_GW_XRAY_ENABLED
Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs.
public static string API_GW_XRAY_ENABLED { get; }
Property Value
System.String
Remarks
API_GWV2_ACCESS_LOGS_ENABLED
Checks if Amazon API Gateway V2 stages have access logging enabled.
public static string API_GWV2_ACCESS_LOGS_ENABLED { get; }
Property Value
System.String
Remarks
API_GWV2_AUTHORIZATION_TYPE_CONFIGURED
Checks if Amazon API Gatewayv2 API routes have an authorization type set.
public static string API_GWV2_AUTHORIZATION_TYPE_CONFIGURED { get; }
Property Value
System.String
Remarks
APPROVED_AMIS_BY_ID
Checks whether running instances are using specified AMIs.
public static string APPROVED_AMIS_BY_ID { get; }
Property Value
System.String
Remarks
APPROVED_AMIS_BY_TAG
Checks whether running instances are using specified AMIs.
public static string APPROVED_AMIS_BY_TAG { get; }
Property Value
System.String
Remarks
AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon Aurora DB clusters.
public static string AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
AURORA_MYSQL_BACKTRACKING_ENABLED
Checks if an Amazon Aurora MySQL cluster has backtracking enabled.
public static string AURORA_MYSQL_BACKTRACKING_ENABLED { get; }
Property Value
System.String
Remarks
AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon Aurora DB clusters are protected by a backup plan.
public static string AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
AUTOSCALING_CAPACITY_REBALANCING
Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.
public static string AUTOSCALING_CAPACITY_REBALANCING { get; }
Property Value
System.String
Remarks
AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
public static string AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED { get; }
Property Value
System.String
Remarks
AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT
Checks the number of network hops that the metadata token can travel.
public static string AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT { get; }
Property Value
System.String
Remarks
AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations.
public static string AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED { get; }
Property Value
System.String
Remarks
AUTOSCALING_LAUNCH_TEMPLATE
Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template.
public static string AUTOSCALING_LAUNCH_TEMPLATE { get; }
Property Value
System.String
Remarks
AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2
Checks whether only IMDSv2 is enabled.
public static string AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2 { get; }
Property Value
System.String
Remarks
AUTOSCALING_MULTIPLE_AZ
Checks if the Auto Scaling group spans multiple Availability Zones.
public static string AUTOSCALING_MULTIPLE_AZ { get; }
Property Value
System.String
Remarks
AUTOSCALING_MULTIPLE_INSTANCE_TYPES
Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types.
public static string AUTOSCALING_MULTIPLE_INSTANCE_TYPES { get; }
Property Value
System.String
Remarks
BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
Checks if a backup plan has a backup rule that satisfies the required frequency and retention period.
public static string BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK { get; }
Property Value
System.String
Remarks
BACKUP_RECOVERY_POINT_ENCRYPTED
Checks if a recovery point is encrypted.
public static string BACKUP_RECOVERY_POINT_ENCRYPTED { get; }
Property Value
System.String
Remarks
BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points.
public static string BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED { get; }
Property Value
System.String
Remarks
BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
Checks if a recovery point expires no earlier than after the specified period.
public static string BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK { get; }
Property Value
System.String
Remarks
BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED
Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.
public static string BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED { get; }
Property Value
System.String
Remarks
CLB_DESYNC_MODE_CHECK
Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode.
public static string CLB_DESYNC_MODE_CHECK { get; }
Property Value
System.String
Remarks
CLB_MULTIPLE_AZ
Checks if a Classic Load Balancer spans multiple Availability Zones (AZs).
public static string CLB_MULTIPLE_AZ { get; }
Property Value
System.String
Remarks
CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.
public static string CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED { get; }
Property Value
System.String
Remarks
CLOUD_TRAIL_ENABLED
Checks whether AWS CloudTrail is enabled in your AWS account.
public static string CLOUD_TRAIL_ENABLED { get; }
Property Value
System.String
Remarks
CLOUD_TRAIL_ENCRYPTION_ENABLED
Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.
public static string CLOUD_TRAIL_ENCRYPTION_ENABLED { get; }
Property Value
System.String
Remarks
CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
Checks whether AWS CloudTrail creates a signed digest file with logs.
public static string CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration.
public static string CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK { get; }
Property Value
System.String
Remarks
CLOUDFORMATION_STACK_NOTIFICATION_CHECK
Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.
public static string CLOUDFORMATION_STACK_NOTIFICATION_CHECK { get; }
Property Value
System.String
Remarks
CLOUDFRONT_ACCESSLOGS_ENABLED
Checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs.
public static string CLOUDFRONT_ACCESSLOGS_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDFRONT_ASSOCIATED_WITH_WAF
Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs).
public static string CLOUDFRONT_ASSOCIATED_WITH_WAF { get; }
Property Value
System.String
Remarks
CLOUDFRONT_CUSTOM_SSL_CERTIFICATE
Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate.
public static string CLOUDFRONT_CUSTOM_SSL_CERTIFICATE { get; }
Property Value
System.String
Remarks
CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED
Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object.
public static string CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED { get; }
Property Value
System.String
Remarks
CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS
Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins.
public static string CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS { get; }
Property Value
System.String
Remarks
CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED
Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.
public static string CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDFRONT_ORIGIN_FAILOVER_ENABLED
Checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront.
public static string CLOUDFRONT_ORIGIN_FAILOVER_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDFRONT_SECURITY_POLICY_CHECK
Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections.
public static string CLOUDFRONT_SECURITY_POLICY_CHECK { get; }
Property Value
System.String
Remarks
CLOUDFRONT_SNI_ENABLED
Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests.
public static string CLOUDFRONT_SNI_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED
Checks if Amazon CloudFront distributions are encrypting traffic to custom origins.
public static string CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED { get; }
Property Value
System.String
Remarks
CLOUDFRONT_VIEWER_POLICY_HTTPS
Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection).
public static string CLOUDFRONT_VIEWER_POLICY_HTTPS { get; }
Property Value
System.String
Remarks
CLOUDTRAIL_MULTI_REGION_ENABLED
Checks that there is at least one multi-region AWS CloudTrail.
public static string CLOUDTRAIL_MULTI_REGION_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDTRAIL_S3_DATAEVENTS_ENABLED
Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.
public static string CLOUDTRAIL_S3_DATAEVENTS_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDTRAIL_SECURITY_TRAIL_ENABLED
Checks that there is at least one AWS CloudTrail trail defined with security best practices.
public static string CLOUDTRAIL_SECURITY_TRAIL_ENABLED { get; }
Property Value
System.String
Remarks
CLOUDWATCH_ALARM_ACTION_CHECK
Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.
public static string CLOUDWATCH_ALARM_ACTION_CHECK { get; }
Property Value
System.String
Remarks
CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK
Checks if Amazon CloudWatch alarms actions are in enabled state.
public static string CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK { get; }
Property Value
System.String
Remarks
CLOUDWATCH_ALARM_RESOURCE_CHECK
Checks whether the specified resource type has a CloudWatch alarm for the specified metric.
public static string CLOUDWATCH_ALARM_RESOURCE_CHECK { get; }
Property Value
System.String
Remarks
CLOUDWATCH_ALARM_SETTINGS_CHECK
Checks whether CloudWatch alarms with the given metric name have the specified settings.
public static string CLOUDWATCH_ALARM_SETTINGS_CHECK { get; }
Property Value
System.String
Remarks
CLOUDWATCH_LOG_GROUP_ENCRYPTED
Checks whether a log group in Amazon CloudWatch Logs is encrypted with an AWS Key Management Service (KMS) managed Customer Master Key (CMK).
public static string CLOUDWATCH_LOG_GROUP_ENCRYPTED { get; }
Property Value
System.String
Remarks
CMK_BACKING_KEY_ROTATION_ENABLED
Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK).
public static string CMK_BACKING_KEY_ROTATION_ENABLED { get; }
Property Value
System.String
Remarks
CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION
Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts.
public static string CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION { get; }
Property Value
System.String
Remarks
CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK
Checks if an AWS CodeBuild project environment has privileged mode enabled.
public static string CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK { get; }
Property Value
System.String
Remarks
CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
public static string CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK { get; }
Property Value
System.String
Remarks
CODEBUILD_PROJECT_LOGGING_ENABLED
Checks if an AWS CodeBuild project environment has at least one log option enabled.
public static string CODEBUILD_PROJECT_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED
Checks if an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs.
public static string CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED { get; }
Property Value
System.String
Remarks
CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.
public static string CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK { get; }
Property Value
System.String
Remarks
CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED
Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached.
public static string CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED { get; }
Property Value
System.String
Remarks
CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED
Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold.
public static string CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED { get; }
Property Value
System.String
Remarks
CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED
Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration.
public static string CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED { get; }
Property Value
System.String
Remarks
CODEPIPELINE_DEPLOYMENT_COUNT_CHECK
Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment.
public static string CODEPIPELINE_DEPLOYMENT_COUNT_CHECK { get; }
Property Value
System.String
Remarks
CODEPIPELINE_REGION_FANOUT_CHECK
Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number.
public static string CODEPIPELINE_REGION_FANOUT_CHECK { get; }
Property Value
System.String
Remarks
CW_LOGGROUP_RETENTION_PERIOD_CHECK
Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days.
public static string CW_LOGGROUP_RETENTION_PERIOD_CHECK { get; }
Property Value
System.String
Remarks
DAX_ENCRYPTION_ENABLED
Checks that DynamoDB Accelerator (DAX) clusters are encrypted.
public static string DAX_ENCRYPTION_ENABLED { get; }
Property Value
System.String
Remarks
DMS_REPLICATION_NOT_PUBLIC
Checks whether AWS Database Migration Service replication instances are public.
public static string DMS_REPLICATION_NOT_PUBLIC { get; }
Property Value
System.String
Remarks
DYNAMODB_AUTOSCALING_ENABLED
Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.
public static string DYNAMODB_AUTOSCALING_ENABLED { get; }
Property Value
System.String
Remarks
DYNAMODB_IN_BACKUP_PLAN
Checks whether Amazon DynamoDB table is present in AWS Backup plans.
public static string DYNAMODB_IN_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period.
public static string DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
DYNAMODB_PITR_ENABLED
Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables.
public static string DYNAMODB_PITR_ENABLED { get; }
Property Value
System.String
Remarks
DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon DynamoDB tables are protected by a backup plan.
public static string DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
DYNAMODB_TABLE_ENCRYPTED_KMS
Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).
public static string DYNAMODB_TABLE_ENCRYPTED_KMS { get; }
Property Value
System.String
Remarks
DYNAMODB_TABLE_ENCRYPTION_ENABLED
Checks whether the Amazon DynamoDB tables are encrypted and checks their status.
public static string DYNAMODB_TABLE_ENCRYPTION_ENABLED { get; }
Property Value
System.String
Remarks
DYNAMODB_THROUGHPUT_LIMIT_CHECK
Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account.
public static string DYNAMODB_THROUGHPUT_LIMIT_CHECK { get; }
Property Value
System.String
Remarks
EBS_ENCRYPTED_VOLUMES
Checks whether the EBS volumes that are in an attached state are encrypted.
public static string EBS_ENCRYPTED_VOLUMES { get; }
Property Value
System.String
Remarks
EBS_IN_BACKUP_PLAN
Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup.
public static string EBS_IN_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
EBS_OPTIMIZED_INSTANCE
Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
public static string EBS_OPTIMIZED_INSTANCE { get; }
Property Value
System.String
Remarks
EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan.
public static string EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
public static string EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK { get; }
Property Value
System.String
Remarks
EC2_DESIRED_INSTANCE_TENANCY
Checks instances for specified tenancy.
public static string EC2_DESIRED_INSTANCE_TENANCY { get; }
Property Value
System.String
Remarks
EC2_DESIRED_INSTANCE_TYPE
Checks whether your EC2 instances are of the specified instance types.
public static string EC2_DESIRED_INSTANCE_TYPE { get; }
Property Value
System.String
Remarks
EC2_EBS_ENCRYPTION_BY_DEFAULT
Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default.
public static string EC2_EBS_ENCRYPTION_BY_DEFAULT { get; }
Property Value
System.String
Remarks
EC2_IMDSV2_CHECK
Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).
public static string EC2_IMDSV2_CHECK { get; }
Property Value
System.String
Remarks
EC2_INSTANCE_DETAILED_MONITORING_ENABLED
Checks whether detailed monitoring is enabled for EC2 instances.
public static string EC2_INSTANCE_DETAILED_MONITORING_ENABLED { get; }
Property Value
System.String
Remarks
EC2_INSTANCE_MANAGED_BY_SSM
Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
public static string EC2_INSTANCE_MANAGED_BY_SSM { get; }
Property Value
System.String
Remarks
EC2_INSTANCE_MULTIPLE_ENI_CHECK
Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs).
public static string EC2_INSTANCE_MULTIPLE_ENI_CHECK { get; }
Property Value
System.String
Remarks
EC2_INSTANCE_NO_PUBLIC_IP
Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association.
public static string EC2_INSTANCE_NO_PUBLIC_IP { get; }
Property Value
System.String
Remarks
EC2_INSTANCE_PROFILE_ATTACHED
Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it.
public static string EC2_INSTANCE_PROFILE_ATTACHED { get; }
Property Value
System.String
Remarks
This rule is NON_COMPLIANT if no IAM profile is attached to the Amazon EC2 instance.
See: https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html
EC2_INSTANCES_IN_VPC
Checks whether your EC2 instances belong to a virtual private cloud (VPC).
public static string EC2_INSTANCES_IN_VPC { get; }
Property Value
System.String
Remarks
EC2_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances.
public static string EC2_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED
Checks that none of the specified applications are installed on the instance.
public static string EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED { get; }
Property Value
System.String
Remarks
EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED
Checks whether all of the specified applications are installed on the instance.
public static string EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED { get; }
Property Value
System.String
Remarks
EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance.
public static string EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK { get; }
Property Value
System.String
Remarks
EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED
Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types.
public static string EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED { get; }
Property Value
System.String
Remarks
EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
public static string EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK { get; }
Property Value
System.String
Remarks
EC2_MANAGED_INSTANCE_PLATFORM_CHECK
Checks whether EC2 managed instances have the desired configurations.
public static string EC2_MANAGED_INSTANCE_PLATFORM_CHECK { get; }
Property Value
System.String
Remarks
EC2_NO_AMAZON_KEY_PAIR
Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using Amazon key pairs.
public static string EC2_NO_AMAZON_KEY_PAIR { get; }
Property Value
System.String
Remarks
EC2_PARAVIRTUAL_INSTANCE_CHECK
Checks if the virtualization type of an EC2 instance is paravirtual.
public static string EC2_PARAVIRTUAL_INSTANCE_CHECK { get; }
Property Value
System.String
Remarks
EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan.
public static string EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
EC2_SECURITY_GROUP_ATTACHED_TO_ENI
Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface.
public static string EC2_SECURITY_GROUP_ATTACHED_TO_ENI { get; }
Property Value
System.String
Remarks
EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC
Checks if non-default security groups are attached to Elastic network interfaces (ENIs).
public static string EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC { get; }
Property Value
System.String
Remarks
EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED
Checks whether the incoming SSH traffic for the security groups is accessible.
public static string EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED { get; }
Property Value
System.String
Remarks
EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC
Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.
public static string EC2_SECURITY_GROUPS_RESTRICTED_INCOMING_TRAFFIC { get; }
Property Value
System.String
Remarks
EC2_STOPPED_INSTANCE
Checks whether there are instances stopped for more than the allowed number of days.
public static string EC2_STOPPED_INSTANCE { get; }
Property Value
System.String
Remarks
EC2_TOKEN_HOP_LIMIT_CHECK
Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit.
public static string EC2_TOKEN_HOP_LIMIT_CHECK { get; }
Property Value
System.String
Remarks
EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED
Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled.
public static string EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED { get; }
Property Value
System.String
Remarks
EC2_VOLUME_IECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECKNUSE_CHECK
Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions.
public static string EC2_VOLUME_IECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECKNUSE_CHECK { get; }
Property Value
System.String
Remarks
EC2_VOLUME_INUSE_CHECK
Checks whether EBS volumes are attached to EC2 instances.
public static string EC2_VOLUME_INUSE_CHECK { get; }
Property Value
System.String
Remarks
ECR_PRIVATE_IMAGE_SCANNING_ENABLED
Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled.
public static string ECR_PRIVATE_IMAGE_SCANNING_ENABLED { get; }
Property Value
System.String
Remarks
ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED
Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured.
public static string ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED { get; }
Property Value
System.String
Remarks
ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED
Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled.
public static string ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED { get; }
Property Value
System.String
Remarks
ECS_AWSVPC_NETWORKING_ENABLED
Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’.
public static string ECS_AWSVPC_NETWORKING_ENABLED { get; }
Property Value
System.String
Remarks
ECS_CONTAINER_INSIGHTS_ENABLED
Checks if Amazon Elastic Container Service clusters have container insights enabled.
public static string ECS_CONTAINER_INSIGHTS_ENABLED { get; }
Property Value
System.String
Remarks
ECS_CONTAINERS_NONPRIVILEGED
Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’.
public static string ECS_CONTAINERS_NONPRIVILEGED { get; }
Property Value
System.String
Remarks
ECS_CONTAINERS_READONLY_ACCESS
Checks if Amazon Elastic Container Service (Amazon ECS) containers only have read-only access to their root filesystems.
public static string ECS_CONTAINERS_READONLY_ACCESS { get; }
Property Value
System.String
Remarks
ECS_FARGATE_LATEST_PLATFORM_VERSION
Checks if Amazon Elastic Container Service (ECS) Fargate services are running on the latest Fargate platform version.
public static string ECS_FARGATE_LATEST_PLATFORM_VERSION { get; }
Property Value
System.String
Remarks
ECS_NO_ENVIRONMENT_SECRETS
Checks if secrets are passed as container environment variables.
public static string ECS_NO_ENVIRONMENT_SECRETS { get; }
Property Value
System.String
Remarks
ECS_TASK_DEFINITION_LOG_CONFIGURATION
Checks if logConfiguration is set on active ECS Task Definitions.
public static string ECS_TASK_DEFINITION_LOG_CONFIGURATION { get; }
Property Value
System.String
Remarks
ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT
Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for their container definitions.
public static string ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT { get; }
Property Value
System.String
Remarks
ECS_TASK_DEFINITION_NONROOT_USER
Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on.
public static string ECS_TASK_DEFINITION_NONROOT_USER { get; }
Property Value
System.String
Remarks
ECS_TASK_DEFINITION_PID_MODE_CHECK
Checks if ECSTaskDefinitions are configured to share a host’s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers.
public static string ECS_TASK_DEFINITION_PID_MODE_CHECK { get; }
Property Value
System.String
Remarks
EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY
Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory.
public static string EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY { get; }
Property Value
System.String
Remarks
EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY
Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity.
public static string EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY { get; }
Property Value
System.String
Remarks
EFS_ENCRYPTED_CHECK
Checks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS).
public static string EFS_ENCRYPTED_CHECK { get; }
Property Value
System.String
Remarks
EFS_IN_BACKUP_PLAN
Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup.
public static string EFS_IN_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
EFS_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems.
public static string EFS_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan.
public static string EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
EIP_ATTACHED
Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).
public static string EIP_ATTACHED { get; }
Property Value
System.String
Remarks
EKS_CLUSTER_OLDEST_SUPPORTED_VERSION
Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.
public static string EKS_CLUSTER_OLDEST_SUPPORTED_VERSION { get; }
Property Value
System.String
Remarks
EKS_CLUSTER_SUPPORTED_VERSION
Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.
public static string EKS_CLUSTER_SUPPORTED_VERSION { get; }
Property Value
System.String
Remarks
EKS_ENDPOINT_NO_PUBLIC_ACCESS
Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
public static string EKS_ENDPOINT_NO_PUBLIC_ACCESS { get; }
Property Value
System.String
Remarks
EKS_SECRETS_ENCRYPTED
Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.
public static string EKS_SECRETS_ENCRYPTED { get; }
Property Value
System.String
Remarks
ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED
Checks if managed platform updates in an AWS Elastic Beanstalk environment are enabled.
public static string ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED { get; }
Property Value
System.String
Remarks
ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
Checks if the Amazon ElastiCache Redis clusters have automatic backup turned on.
public static string ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK { get; }
Property Value
System.String
Remarks
ELASTICSEARCH_ENCRYPTED_AT_REST
Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled.
public static string ELASTICSEARCH_ENCRYPTED_AT_REST { get; }
Property Value
System.String
Remarks
ELASTICSEARCH_IN_VPC_ONLY
Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).
public static string ELASTICSEARCH_IN_VPC_ONLY { get; }
Property Value
System.String
Remarks
ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
Checks that Amazon Elasticsearch Service nodes are encrypted end to end.
public static string ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK { get; }
Property Value
System.String
Remarks
ELB_ACM_CERTIFICATE_REQUIRED
Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.
public static string ELB_ACM_CERTIFICATE_REQUIRED { get; }
Property Value
System.String
Remarks
ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs).
public static string ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED { get; }
Property Value
System.String
Remarks
ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
Checks whether your Classic Load Balancer SSL listeners are using a custom policy.
public static string ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK { get; }
Property Value
System.String
Remarks
ELB_DELETION_PROTECTION_ENABLED
Checks whether Elastic Load Balancing has deletion protection enabled.
public static string ELB_DELETION_PROTECTION_ENABLED { get; }
Property Value
System.String
Remarks
ELB_LOGGING_ENABLED
Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled.
public static string ELB_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK
Checks whether your Classic Load Balancer SSL listeners are using a predefined policy.
public static string ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK { get; }
Property Value
System.String
Remarks
ELB_TLS_HTTPS_LISTENERS_ONLY
Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners.
public static string ELB_TLS_HTTPS_LISTENERS_ONLY { get; }
Property Value
System.String
Remarks
ELBV2_ACM_CERTIFICATE_REQUIRED
Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM).
public static string ELBV2_ACM_CERTIFICATE_REQUIRED { get; }
Property Value
System.String
Remarks
ELBV2_MULTIPLE_AZ
Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZs).
public static string ELBV2_MULTIPLE_AZ { get; }
Property Value
System.String
Remarks
EMR_KERBEROS_ENABLED
Checks that Amazon EMR clusters have Kerberos enabled.
public static string EMR_KERBEROS_ENABLED { get; }
Property Value
System.String
Remarks
EMR_MASTER_NO_PUBLIC_IP
Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs.
public static string EMR_MASTER_NO_PUBLIC_IP { get; }
Property Value
System.String
Remarks
FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK
(deprecated) Checks whether the security groups associated with inScope resources are compliant with the master security groups at each rule level, based on the allowSecurityGroup and denySecurityGroup flags.
public static string FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK { get; }
Property Value
System.String
Remarks
Stability: Deprecated
See: https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-audit-policy-check.html
FMS_SECURITY_GROUP_CONTENT_CHECK
(deprecated) Checks whether AWS Firewall Manager created security groups content is the same as the master security groups.
public static string FMS_SECURITY_GROUP_CONTENT_CHECK { get; }
Property Value
System.String
Remarks
Stability: Deprecated
See: https://docs.aws.amazon.com/config/latest/developerguide/fms-security-group-content-check.html
FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK
(deprecated) Checks whether Amazon EC2 or an elastic network interface is associated with AWS Firewall Manager security groups.
public static string FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK { get; }
Property Value
System.String
Remarks
Stability: Deprecated
FMS_SHIELD_RESOURCE_POLICY_CHECK
Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection.
public static string FMS_SHIELD_RESOURCE_POLICY_CHECK { get; }
Property Value
System.String
Remarks
FMS_WEBACL_RESOURCE_POLICY_CHECK
Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions.
public static string FMS_WEBACL_RESOURCE_POLICY_CHECK { get; }
Property Value
System.String
Remarks
FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK
Checks that the rule groups associate with the web ACL at the correct priority.
public static string FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK { get; }
Property Value
System.String
Remarks
The correct priority is decided by the rank of the rule groups in the ruleGroups parameter.
See: https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-rulegroup-association-check.html
FSX_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon FSx File Systems.
public static string FSX_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon FSx File Systems are protected by a backup plan.
public static string FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
GUARDDUTY_ENABLED_CENTRALIZED
Checks whether Amazon GuardDuty is enabled in your AWS account and region.
public static string GUARDDUTY_ENABLED_CENTRALIZED { get; }
Property Value
System.String
Remarks
If you provide an AWS account for centralization, the rule evaluates the Amazon GuardDuty results in the centralized account.
See: https://docs.aws.amazon.com/config/latest/developerguide/guardduty-enabled-centralized.html
GUARDDUTY_NON_ARCHIVED_FINDINGS
Checks whether Amazon GuardDuty has findings that are non-archived.
public static string GUARDDUTY_NON_ARCHIVED_FINDINGS { get; }
Property Value
System.String
Remarks
IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS
Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on all AWS KMS keys.
public static string IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS { get; }
Property Value
System.String
Remarks
IAM_GROUP_HAS_USERS_CHECK
Checks whether IAM groups have at least one IAM user.
public static string IAM_GROUP_HAS_USERS_CHECK { get; }
Property Value
System.String
Remarks
IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS
Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not allow blocked actions on all AWS Key Management Service keys.
public static string IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS { get; }
Property Value
System.String
Remarks
IAM_NO_INLINE_POLICY_CHECK
Checks that inline policy feature is not in use.
public static string IAM_NO_INLINE_POLICY_CHECK { get; }
Property Value
System.String
Remarks
IAM_PASSWORD_POLICY
Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters.
public static string IAM_PASSWORD_POLICY { get; }
Property Value
System.String
Remarks
IAM_POLICY_BLOCKED_CHECK
Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource.
public static string IAM_POLICY_BLOCKED_CHECK { get; }
Property Value
System.String
Remarks
IAM_POLICY_IN_USE
Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM role with one or more trusted entity.
public static string IAM_POLICY_IN_USE { get; }
Property Value
System.String
Remarks
IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
public static string IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS { get; }
Property Value
System.String
Remarks
IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS
Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources.
public static string IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS { get; }
Property Value
System.String
Remarks
IAM_ROLE_MANAGED_POLICY_CHECK
Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.
public static string IAM_ROLE_MANAGED_POLICY_CHECK { get; }
Property Value
System.String
Remarks
IAM_ROOT_ACCESS_KEY_CHECK
Checks whether the root user access key is available.
public static string IAM_ROOT_ACCESS_KEY_CHECK { get; }
Property Value
System.String
Remarks
IAM_USER_GROUP_MEMBERSHIP_CHECK
Checks whether IAM users are members of at least one IAM group.
public static string IAM_USER_GROUP_MEMBERSHIP_CHECK { get; }
Property Value
System.String
Remarks
IAM_USER_MFA_ENABLED
Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
public static string IAM_USER_MFA_ENABLED { get; }
Property Value
System.String
Remarks
IAM_USER_NO_POLICIES_CHECK
Checks that none of your IAM users have policies attached.
public static string IAM_USER_NO_POLICIES_CHECK { get; }
Property Value
System.String
Remarks
IAM users must inherit permissions from IAM groups or roles.
See: https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html
IAM_USER_UNUSED_CREDENTIALS_CHECK
Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.
public static string IAM_USER_UNUSED_CREDENTIALS_CHECK { get; }
Property Value
System.String
Remarks
INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
Checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs).
public static string INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY { get; }
Property Value
System.String
Remarks
KINESIS_STREAM_ENCRYPTED
Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption.
public static string KINESIS_STREAM_ENCRYPTED { get; }
Property Value
System.String
Remarks
KMS_CMK_NOT_SCHEDULED_FOR_DELETION
Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS).
public static string KMS_CMK_NOT_SCHEDULED_FOR_DELETION { get; }
Property Value
System.String
Remarks
LAMBDA_CONCURRENCY_CHECK
Checks whether the AWS Lambda function is configured with function-level concurrent execution limit.
public static string LAMBDA_CONCURRENCY_CHECK { get; }
Property Value
System.String
Remarks
LAMBDA_DLQ_CHECK
Checks whether an AWS Lambda function is configured with a dead-letter queue.
public static string LAMBDA_DLQ_CHECK { get; }
Property Value
System.String
Remarks
LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.
public static string LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED { get; }
Property Value
System.String
Remarks
LAMBDA_FUNCTION_SETTINGS_CHECK
Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.
public static string LAMBDA_FUNCTION_SETTINGS_CHECK { get; }
Property Value
System.String
Remarks
LAMBDA_INSIDE_VPC
Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud.
public static string LAMBDA_INSIDE_VPC { get; }
Property Value
System.String
Remarks
LAMBDA_VPC_MULTI_AZ_CHECK
Checks if Lambda has more than 1 availability zone associated.
public static string LAMBDA_VPC_MULTI_AZ_CHECK { get; }
Property Value
System.String
Remarks
MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password.
public static string MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS { get; }
Property Value
System.String
Remarks
NACL_NO_UNRESTRICTED_SSH_RDP
Checks if the default ports for SSH/RDP ingress traffic in network access control lists (NACLs) are unrestricted.
public static string NACL_NO_UNRESTRICTED_SSH_RDP { get; }
Property Value
System.String
Remarks
NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS
Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets.
public static string NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS { get; }
Property Value
System.String
Remarks
NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS
Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets.
public static string NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS { get; }
Property Value
System.String
Remarks
NETFW_POLICY_RULE_GROUP_ASSOCIATED
Checks if an AWS Network Firewall policy is associated with stateful or stateless rule groups.
public static string NETFW_POLICY_RULE_GROUP_ASSOCIATED { get; }
Property Value
System.String
Remarks
NETFW_STATELESS_RULE_GROUP_NOT_EMPTY
Checks if a Stateless Network Firewall Rule Group contains rules.
public static string NETFW_STATELESS_RULE_GROUP_NOT_EMPTY { get; }
Property Value
System.String
Remarks
NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED
Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs).
public static string NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED { get; }
Property Value
System.String
Remarks
OPENSEARCH_ACCESS_CONTROL_ENABLED
Checks if Amazon OpenSearch Service domains have fine-grained access control enabled.
public static string OPENSEARCH_ACCESS_CONTROL_ENABLED { get; }
Property Value
System.String
Remarks
OPENSEARCH_AUDIT_LOGGING_ENABLED
Checks if Amazon OpenSearch Service domains have audit logging enabled.
public static string OPENSEARCH_AUDIT_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
OPENSEARCH_DATA_NODE_FAULT_TOLERANCE
Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
public static string OPENSEARCH_DATA_NODE_FAULT_TOLERANCE { get; }
Property Value
System.String
Remarks
OPENSEARCH_ENCRYPTED_AT_REST
Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled.
public static string OPENSEARCH_ENCRYPTED_AT_REST { get; }
Property Value
System.String
Remarks
OPENSEARCH_HTTPS_REQUIRED
Checks whether connections to OpenSearch domains are using HTTPS.
public static string OPENSEARCH_HTTPS_REQUIRED { get; }
Property Value
System.String
Remarks
OPENSEARCH_IN_VPC_ONLY
Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).
public static string OPENSEARCH_IN_VPC_ONLY { get; }
Property Value
System.String
Remarks
OPENSEARCH_LOGS_TO_CLOUDWATCH
Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs.
public static string OPENSEARCH_LOGS_TO_CLOUDWATCH { get; }
Property Value
System.String
Remarks
OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
Checks if Amazon OpenSearch Service nodes are encrypted end to end.
public static string OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK { get; }
Property Value
System.String
Remarks
RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED
Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades.
public static string RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED { get; }
Property Value
System.String
Remarks
RDS_CLUSTER_DEFAULT_ADMIN_CHECK
Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value.
public static string RDS_CLUSTER_DEFAULT_ADMIN_CHECK { get; }
Property Value
System.String
Remarks
RDS_CLUSTER_DELETION_PROTECTION_ENABLED
Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled.
public static string RDS_CLUSTER_DELETION_PROTECTION_ENABLED { get; }
Property Value
System.String
Remarks
RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED
Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled.
public static string RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED { get; }
Property Value
System.String
Remarks
RDS_CLUSTER_MULTI_AZ_ENABLED
Checks if Multi-AZ replication is enabled on Amazon Aurora and Hermes clusters managed by Amazon Relational Database Service (Amazon RDS).
public static string RDS_CLUSTER_MULTI_AZ_ENABLED { get; }
Property Value
System.String
Remarks
RDS_DB_INSTANCE_BACKUP_ENABLED
Checks whether RDS DB instances have backups enabled.
public static string RDS_DB_INSTANCE_BACKUP_ENABLED { get; }
Property Value
System.String
Remarks
RDS_DB_SECURITY_GROUP_NOT_ALLOWED
Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group.
public static string RDS_DB_SECURITY_GROUP_NOT_ALLOWED { get; }
Property Value
System.String
Remarks
RDS_ENHANCED_MONITORING_ENABLED
Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.
public static string RDS_ENHANCED_MONITORING_ENABLED { get; }
Property Value
System.String
Remarks
RDS_IN_BACKUP_PLAN
Checks whether Amazon RDS databases are present in the backup plans of AWS Backup.
public static string RDS_IN_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
RDS_INSTANCE_DEFAULT_ADMIN_CHECK
Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value.
public static string RDS_INSTANCE_DEFAULT_ADMIN_CHECK { get; }
Property Value
System.String
Remarks
RDS_INSTANCE_DELETION_PROTECTION_ENABLED
Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled.
public static string RDS_INSTANCE_DELETION_PROTECTION_ENABLED { get; }
Property Value
System.String
Remarks
RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED
Checks if an Amazon RDS instance has AWS Identity and Access Management (IAM) authentication enabled.
public static string RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED { get; }
Property Value
System.String
Remarks
RDS_INSTANCE_PUBLIC_ACCESS_CHECK
Checks whether the Amazon Relational Database Service instances are not publicly accessible.
public static string RDS_INSTANCE_PUBLIC_ACCESS_CHECK { get; }
Property Value
System.String
Remarks
RDS_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS).
public static string RDS_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
RDS_LOGGING_ENABLED
Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled.
public static string RDS_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
RDS_MULTI_AZ_SUPPORT
Checks whether high availability is enabled for your RDS DB instances.
public static string RDS_MULTI_AZ_SUPPORT { get; }
Property Value
System.String
Remarks
RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan.
public static string RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
RDS_SNAPSHOT_ENCRYPTED
Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.
public static string RDS_SNAPSHOT_ENCRYPTED { get; }
Property Value
System.String
Remarks
RDS_SNAPSHOTS_PUBLIC_PROHIBITED
Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
public static string RDS_SNAPSHOTS_PUBLIC_PROHIBITED { get; }
Property Value
System.String
Remarks
RDS_STORAGE_ENCRYPTED
Checks whether storage encryption is enabled for your RDS DB instances.
public static string RDS_STORAGE_ENCRYPTED { get; }
Property Value
System.String
Remarks
REDSHIFT_AUDIT_LOGGING_ENABLED
Checks if Amazon Redshift clusters are logging audits to a specific bucket.
public static string REDSHIFT_AUDIT_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
REDSHIFT_BACKUP_ENABLED
Checks that Amazon Redshift automated snapshots are enabled for clusters.
public static string REDSHIFT_BACKUP_ENABLED { get; }
Property Value
System.String
Remarks
REDSHIFT_CLUSTER_CONFIGURATION_CHECK
Checks whether Amazon Redshift clusters have the specified settings.
public static string REDSHIFT_CLUSTER_CONFIGURATION_CHECK { get; }
Property Value
System.String
Remarks
REDSHIFT_CLUSTER_KMS_ENABLED
Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption.
public static string REDSHIFT_CLUSTER_KMS_ENABLED { get; }
Property Value
System.String
Remarks
REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK
Checks whether Amazon Redshift clusters have the specified maintenance settings.
public static string REDSHIFT_CLUSTER_MAINTENANCE_SETTINGS_CHECK { get; }
Property Value
System.String
Remarks
REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
Checks whether Amazon Redshift clusters are not publicly accessible.
public static string REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK { get; }
Property Value
System.String
Remarks
REDSHIFT_DEFAULT_ADMIN_CHECK
Checks if an Amazon Redshift cluster has changed the admin username from its default value.
public static string REDSHIFT_DEFAULT_ADMIN_CHECK { get; }
Property Value
System.String
Remarks
REDSHIFT_DEFAULT_DB_NAME_CHECK
Checks if a Redshift cluster has changed its database name from the default value.
public static string REDSHIFT_DEFAULT_DB_NAME_CHECK { get; }
Property Value
System.String
Remarks
REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED
Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled.
public static string REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED { get; }
Property Value
System.String
Remarks
REDSHIFT_REQUIRE_TLS_SSL
Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients.
public static string REDSHIFT_REQUIRE_TLS_SSL { get; }
Property Value
System.String
Remarks
REQUIRED_TAGS
Checks whether your resources have the tags that you specify.
public static string REQUIRED_TAGS { get; }
Property Value
System.String
Remarks
For example, you can check whether your Amazon EC2 instances have the CostCenter tag.
See: https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
Checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root credentials.
public static string ROOT_ACCOUNT_HARDWARE_MFA_ENABLED { get; }
Property Value
System.String
Remarks
ROOT_ACCOUNT_MFA_ENABLED
Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.
public static string ROOT_ACCOUNT_MFA_ENABLED { get; }
Property Value
System.String
Remarks
S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
Checks whether the required public access block settings are configured from account level.
public static string S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS { get; }
Property Value
System.String
Remarks
S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
Checks if the required public access block settings are configured from account level.
public static string S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC { get; }
Property Value
System.String
Remarks
S3_BUCKET_ACL_PROHIBITED
Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs).
public static string S3_BUCKET_ACL_PROHIBITED { get; }
Property Value
System.String
Remarks
S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED
Checks if the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.
public static string S3_BUCKET_BLOCKED_ACTIONS_PROHIBITED { get; }
Property Value
System.String
Remarks
S3_BUCKET_DEFAULT_LOCK_ENABLED
Checks whether an Amazon Simple Storage Service (Amazon S3) bucket has Object Lock enabled by default.
public static string S3_BUCKET_DEFAULT_LOCK_ENABLED { get; }
Property Value
System.String
Remarks
S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED
Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible.
public static string S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED { get; }
Property Value
System.String
Remarks
S3_BUCKET_LOGGING_ENABLED
Checks whether logging is enabled for your S3 buckets.
public static string S3_BUCKET_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
S3_BUCKET_POLICY_GRANTEE_CHECK
Checks that the access granted by the Amazon S3 bucket policy is restricted to the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide.
public static string S3_BUCKET_POLICY_GRANTEE_CHECK { get; }
Property Value
System.String
Remarks
S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE
Checks if your Amazon Simple Storage Service bucket policies do not grant cross-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
public static string S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE { get; }
Property Value
System.String
Remarks
S3_BUCKET_PUBLIC_READ_PROHIBITED
Checks if your Amazon S3 buckets do not allow public read access.
public static string S3_BUCKET_PUBLIC_READ_PROHIBITED { get; }
Property Value
System.String
Remarks
S3_BUCKET_PUBLIC_WRITE_PROHIBITED
Checks that your Amazon S3 buckets do not allow public write access.
public static string S3_BUCKET_PUBLIC_WRITE_PROHIBITED { get; }
Property Value
System.String
Remarks
S3_BUCKET_REPLICATION_ENABLED
Checks whether S3 buckets have cross-region replication enabled.
public static string S3_BUCKET_REPLICATION_ENABLED { get; }
Property Value
System.String
Remarks
S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.
public static string S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED { get; }
Property Value
System.String
Remarks
S3_BUCKET_SSL_REQUESTS_ONLY
Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
public static string S3_BUCKET_SSL_REQUESTS_ONLY { get; }
Property Value
System.String
Remarks
S3_BUCKET_VERSIONING_ENABLED
Checks whether versioning is enabled for your S3 buckets.
public static string S3_BUCKET_VERSIONING_ENABLED { get; }
Property Value
System.String
Remarks
S3_DEFAULT_ENCRYPTION_KMS
Checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS).
public static string S3_DEFAULT_ENCRYPTION_KMS { get; }
Property Value
System.String
Remarks
S3_EVENT_NOTIFICATIONS_ENABLED
Checks if Amazon S3 Events Notifications are enabled on an S3 bucket.
public static string S3_EVENT_NOTIFICATIONS_ENABLED { get; }
Property Value
System.String
Remarks
S3_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3).
public static string S3_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
S3_LIFECYCLE_POLICY_CHECK
Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket.
public static string S3_LIFECYCLE_POLICY_CHECK { get; }
Property Value
System.String
Remarks
S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan.
public static string S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
S3_VERSION_LIFECYCLE_POLICY_CHECK
Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured.
public static string S3_VERSION_LIFECYCLE_POLICY_CHECK { get; }
Property Value
System.String
Remarks
SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
Checks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration.
public static string SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED { get; }
Property Value
System.String
Remarks
SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
Checks whether an AWS Key Management Service (KMS) key is configured for a SageMaker notebook instance.
public static string SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED { get; }
Property Value
System.String
Remarks
SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance.
public static string SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS { get; }
Property Value
System.String
Remarks
SECRETSMANAGER_ROTATION_ENABLED_CHECK
Checks whether AWS Secrets Manager secret has rotation enabled.
public static string SECRETSMANAGER_ROTATION_ENABLED_CHECK { get; }
Property Value
System.String
Remarks
SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK
Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule.
public static string SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK { get; }
Property Value
System.String
Remarks
SECRETSMANAGER_SECRET_PERIODIC_ROTATION
Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days.
public static string SECRETSMANAGER_SECRET_PERIODIC_ROTATION { get; }
Property Value
System.String
Remarks
SECRETSMANAGER_SECRET_UNUSED
Checks if AWS Secrets Manager secrets have been accessed within a specified number of days.
public static string SECRETSMANAGER_SECRET_UNUSED { get; }
Property Value
System.String
Remarks
SECRETSMANAGER_USING_CMK
Checks if all secrets in AWS Secrets Manager are encrypted using a customer managed key that was created in AWS Key Management Service (AWS KMS) rather than the AWS managed key (aws/secretsmanager). A secret encrypted with aws/secretsmanager is NON_COMPLIANT; only a customer managed key is COMPLIANT.
public static string SECRETSMANAGER_USING_CMK { get; }
Property Value
System.String
Remarks
SECURITYHUB_ENABLED
Checks that AWS Security Hub is enabled for an AWS account.
public static string SECURITYHUB_ENABLED { get; }
Property Value
System.String
Remarks
SERVICE_VPC_ENDPOINT_ENABLED
Checks whether a VPC endpoint for the service named in the rule parameter exists in each Amazon VPC.
public static string SERVICE_VPC_ENDPOINT_ENABLED { get; }
Property Value
System.String
Remarks
SHIELD_ADVANCED_ENABLED_AUTO_RENEW
Checks whether AWS Shield Advanced is enabled in your AWS account and whether the subscription is set to automatically renew.
public static string SHIELD_ADVANCED_ENABLED_AUTO_RENEW { get; }
Property Value
System.String
Remarks
SHIELD_DRT_ACCESS
Verifies that the AWS Shield DDoS Response Team (DRT) has access to your AWS account.
public static string SHIELD_DRT_ACCESS { get; }
Property Value
System.String
Remarks
SNS_ENCRYPTED_KMS
Checks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS).
public static string SNS_ENCRYPTED_KMS { get; }
Property Value
System.String
Remarks
SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED
Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints.
public static string SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED { get; }
Property Value
System.String
Remarks
SSM_DOCUMENT_NOT_PUBLIC
Checks if AWS Systems Manager documents owned by the account are public.
public static string SSM_DOCUMENT_NOT_PUBLIC { get; }
Property Value
System.String
Remarks
STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for AWS Storage Gateway volumes.
public static string STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address.
public static string SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED { get; }
Property Value
System.String
Remarks
VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED
Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines.
public static string VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED { get; }
Property Value
System.String
Remarks
VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN
Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan.
public static string VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN { get; }
Property Value
System.String
Remarks
VPC_DEFAULT_SECURITY_GROUP_CLOSED
Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
public static string VPC_DEFAULT_SECURITY_GROUP_CLOSED { get; }
Property Value
System.String
Remarks
The rule returns NOT_APPLICABLE if the security group is not default.
See: https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html
VPC_FLOW_LOGS_ENABLED
Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.
public static string VPC_FLOW_LOGS_ENABLED { get; }
Property Value
System.String
Remarks
VPC_NETWORK_ACL_UNUSED_CHECK
Checks if there are unused network access control lists (network ACLs).
public static string VPC_NETWORK_ACL_UNUSED_CHECK { get; }
Property Value
System.String
Remarks
VPC_PEERING_DNS_RESOLUTION_CHECK
Checks if DNS resolution from accepter/requester VPC to private IP is enabled.
public static string VPC_PEERING_DNS_RESOLUTION_CHECK { get; }
Property Value
System.String
Remarks
VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
Checks whether any security group in an Amazon Virtual Private Cloud (Amazon VPC) that allows inbound traffic from 0.0.0.0/0 allows only the specific inbound TCP or UDP ports that you authorize.
public static string VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS { get; }
Property Value
System.String
Remarks
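The following is an added example, not code from the CDK documentation or the CDK project, showing how the parameterized identifiers REQUIRED_TAGS, SECRETSMANAGER_SECRET_UNUSED and VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS are wired into a stack with their input parameters, a resource scope, and an EventBridge hook on compliance changes. The stack name, topic name, tag values, port lists and the 90-day window are assumptions chosen for illustration; the parameter names (tag1Key/tag1Value, unusedForDays, authorizedTcpPorts/authorizedUdpPorts) are those of the underlying AWS Config managed rules.

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.Config;
using Amazon.CDK.AWS.Events;
using Amazon.CDK.AWS.Events.Targets;
using Amazon.CDK.AWS.SNS;
using Constructs;

// Added example (not from the CDK docs): three ManagedRules built from the
// identifiers on this page, scoped and parameterized, with compliance-change
// events fanned out to an SNS topic. Names and values below are assumed.
public class ConfigGuardrailsStack : Stack
{
    public ConfigGuardrailsStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Topic that receives compliance-change events (assumed name).
        var alerts = new Topic(this, "ConfigComplianceAlerts");

        // REQUIRED_TAGS: tag1Key..tag6Key / tag1Value..tag6Value are the rule's
        // parameters; a tagNValue may be a comma-separated list of accepted
        // values, and omitting it accepts any non-empty value. Scoped to EC2
        // instances so other resource types are NOT_APPLICABLE, not NON_COMPLIANT.
        var requiredTags = new ManagedRule(this, "Ec2RequiredTags", new ManagedRuleProps
        {
            Identifier = ManagedRuleIdentifiers.REQUIRED_TAGS,
            InputParameters = new Dictionary<string, object>
            {
                { "tag1Key", "CostCenter" },
                { "tag1Value", "fin-ops,platform-eng" }, // assumed accepted values
                { "tag2Key", "Owner" }                   // any value accepted
            },
            RuleScope = RuleScope.FromResources(new[] { ResourceType.EC2_INSTANCE })
        });

        // VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS: only security groups with an
        // inbound 0.0.0.0/0 rule are evaluated; any internet-reachable port not in
        // these lists (single ports or ranges such as "1020-1025") is NON_COMPLIANT.
        var openPorts = new ManagedRule(this, "SgAuthorizedPortsOnly", new ManagedRuleProps
        {
            Identifier = ManagedRuleIdentifiers.VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,
            InputParameters = new Dictionary<string, object>
            {
                { "authorizedTcpPorts", "443" },  // assumed: HTTPS only
                { "authorizedUdpPorts", "1194" }  // assumed: OpenVPN
            },
            RuleScope = RuleScope.FromResources(new[] { ResourceType.EC2_SECURITY_GROUP })
        });

        // SECRETSMANAGER_SECRET_UNUSED is a periodic rule (no configuration item
        // change triggers it), so it needs an execution frequency. unusedForDays
        // is the window after which a secret that was never read is flagged.
        var staleSecrets = new ManagedRule(this, "UnusedSecrets", new ManagedRuleProps
        {
            Identifier = ManagedRuleIdentifiers.SECRETSMANAGER_SECRET_UNUSED,
            InputParameters = new Dictionary<string, object> { { "unusedForDays", 90 } },
            MaximumExecutionFrequency = MaximumExecutionFrequency.TWENTY_FOUR_HOURS
        });

        // Route every compliance state change to the topic. OnComplianceChange
        // builds the EventBridge pattern for the rule's own name.
        foreach (var rule in new[] { requiredTags, openPorts, staleSecrets })
        {
            rule.OnComplianceChange($"{rule.Node.Id}Changed", new OnEventOptions
            {
                Target = new SnsTopic(alerts)
            });
        }
    }
}

sealed class Program
{
    static void Main(string[] args)
    {
        var app = new App();
        new ConfigGuardrailsStack(app, "ConfigGuardrails");
        app.Synth();
    }
}
```

Two caveats when deploying this: the ManagedRule construct does not create the AWS Config configuration recorder or delivery channel, so the account must already have one or the rules never evaluate; and the scope on the security-group rule is deliberate, because a rule without a scope is evaluated against every supported resource type the recorder captures, which only adds NOT_APPLICABLE noise to the compliance view.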
VPC_VPN_2_TUNNELS_UP
Checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status.
public static string VPC_VPN_2_TUNNELS_UP { get; }
Property Value
System.String
Remarks
WAF_CLASSIC_LOGGING_ENABLED
Checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs.
public static string WAF_CLASSIC_LOGGING_ENABLED { get; }
Property Value
System.String
Remarks
WAF_GLOBAL_RULE_NOT_EMPTY
Checks if an AWS WAF global rule contains any conditions.
public static string WAF_GLOBAL_RULE_NOT_EMPTY { get; }
Property Value
System.String
Remarks
WAF_GLOBAL_RULEGROUP_NOT_EMPTY
Checks if an AWS WAF Classic rule group contains any rules.
public static string WAF_GLOBAL_RULEGROUP_NOT_EMPTY { get; }
Property Value
System.String
Remarks
WAF_GLOBAL_WEBACL_NOT_EMPTY
Checks whether a WAF Global Web ACL contains any WAF rules or rule groups.
public static string WAF_GLOBAL_WEBACL_NOT_EMPTY { get; }
Property Value
System.String
Remarks
WAF_REGIONAL_RULE_NOT_EMPTY
Checks whether WAF regional rule contains conditions.
public static string WAF_REGIONAL_RULE_NOT_EMPTY { get; }
Property Value
System.String
Remarks
WAF_REGIONAL_RULEGROUP_NOT_EMPTY
Checks if WAF Regional rule groups contain any rules.
public static string WAF_REGIONAL_RULEGROUP_NOT_EMPTY { get; }
Property Value
System.String
Remarks
WAF_REGIONAL_WEBACL_NOT_EMPTY
Checks if a WAF regional Web ACL contains any WAF rules or rule groups.
public static string WAF_REGIONAL_WEBACL_NOT_EMPTY { get; }
Property Value
System.String
Remarks
WAFV2_LOGGING_ENABLED
Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs).
public static string WAFV2_LOGGING_ENABLED { get; }
Property Value
System.String