

# Conformance Packs for AWS Config
<a name="conformance-packs"></a>

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.

Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can also use AWS Systems Manager documents (SSM documents) to store your conformance pack templates on AWS and directly deploy conformance packs using SSM document names. You can deploy the template by using the AWS Config console or the AWS CLI.

To quickly get started and to evaluate your AWS environment, use one of the [sample conformance pack templates](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html). You can also create a conformance pack YAML file from scratch based on [Custom Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/custom-conformance-pack.html).

**Topics**
+ [Conformance Pack Dashboard](conformance-pack-dashboard.md)
+ [Prerequisites](cpack-prerequisites.md)
+ [Region Support](#conformance-packs-regions)
+ [Process Checks](process-checks.md)
+ [Conformance Pack Sample Templates](conformancepack-sample-templates.md)
+ [Creating Custom Templates](custom-conformance-pack.md)
+ [Deploying Conformance Packs](conformance-pack-deploy.md)
+ [Editing Conformance Packs](conformance-pack-edit.md)
+ [Deleting Conformance Packs](conformance-pack-delete.md)
+ [Viewing Conformance Packs](conformance-pack-view.md)
+ [Viewing Compliance History](compliance-history-conformance-pack.md)
+ [Querying Compliance History](querying-compliance-history-conformance-pack.md)
+ [Managing Organizational Conformance Packs](conformance-pack-organization-apis.md)
+ [Troubleshooting](troubleshooting-conformance-pack.md)

# Viewing Compliance Data in the Conformance Packs Dashboard for AWS Config
<a name="conformance-pack-dashboard"></a>

The main page for **Conformance Packs** displays all of the conformance packs that you currently have in your AWS account. The page also contains the name, deployment status, and compliance score of each conformance pack. A compliance score is the number of compliant rule-resource combinations in a conformance pack, expressed as a percentage of the total number of possible rule-resource combinations in that conformance pack.

You can use this dashboard to understand the level of compliance of your conformance packs and use the compliance score to track remediation progress, perform comparisons across different sets of requirements, and see the impact a specific change or deployment has on a conformance pack.

## Navigating the Conformance Packs Main Page
<a name="use-cpack-view"></a>

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Conformance packs** page. Review your conformance packs and their compliance score. You can also do the following:
   + To add and configure a new conformance pack, choose **Deploy conformance pack**.
   + To delete a conformance pack and its data, change the configuration settings, or view additional details, such as the delivery location or parameters, choose a conformance pack and choose **Actions**.
     **Note**  
     You cannot edit a deployed conformance pack. You can modify the other selections at any time by choosing the name of the conformance pack and **Edit** in the **Actions** dropdown.
   + To view the history of compliance state changes, choose a conformance pack and choose **Conformance pack timeline**. For more information, see [Viewing the Compliance History Timeline for Conformance Packs](https://docs.aws.amazon.com/config/latest/developerguide/compliance-history-conformance-pack.html).
   + To view the deployment status, compliance score, compliance score timeline, and rules for a conformance pack in a detailed view, choose a conformance pack and choose **View**.

# Prerequisite for Conformance Packs for AWS Config
<a name="cpack-prerequisites"></a>

Before you deploy your conformance pack, turn on AWS Config recording. 

**Topics**
+ [Step 1: Start AWS Config Recording](#cpack-prerequisites-config-recording)
+ [Step 2: Additional Prerequisites by Conformance Pack Type](#cpack-prerequisites-config-recording)

## Step 1: Start AWS Config Recording (Required for all conformance packs)
<a name="cpack-prerequisites-config-recording"></a>

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the navigation pane.

1. To start recording, under **Recording is off**, choose **Turn on**. When prompted, choose **Continue**.

## Step 2: Additional Prerequisites by Conformance Pack Type
<a name="cpack-prerequisites-config-recording"></a>

### A. Prerequisites for Using a Conformance Pack With Remediation
<a name="cpack-prerequisites-remediations"></a>

Before deploying conformance packs using sample templates with remediation, you must create the appropriate resources, such as the automation assume role and other AWS resources, based on your remediation target.

If you have an existing automation role that you use for remediation with SSM documents, you can directly provide the ARN of that role. If you have other existing resources, you can provide them in the template.

**Note**  
When deploying a conformance pack with remediation to an organization, the management account ID of the organization needs to be specified. Otherwise, during deployment of the organizational conformance pack AWS Config replaces the management account ID with the member account ID automatically.

AWS Config does not support CloudFormation intrinsic functions for the automation execution role or the `ConfigRuleName`. You must provide the exact ARN of the role as a string, and you must use the complete rule name without intrinsic functions.

For more information about how to pass the exact ARN, see [Conformance Pack Sample Templates for AWS Config](conformancepack-sample-templates.md). When using the example templates, update the account ID and, for an organization, the management account ID.

### B. Prerequisites for Using a Conformance Pack With One or More Custom AWS Config Rules
<a name="cpack-prerequisites-oneormorerules"></a>

Before deploying a conformance pack with one or more custom AWS Config rules, create the appropriate resources, such as an AWS Lambda function and the corresponding execution role.

If you have an existing custom AWS Config rule, you can directly provide the ARN of the AWS Lambda function to create another instance of that custom rule as part of the pack.

If you do not have an existing custom AWS Config rule, you can create an AWS Lambda function and use the ARN of the Lambda function. For more information, see [AWS Config Custom Rules](evaluate-config_develop-rules.md).

If your AWS Lambda function is present in a different AWS account, you can create AWS Config rules with appropriate cross-account AWS Lambda function authorization. For more information, see the [How to Centrally Manage AWS Config Rules across Multiple AWS accounts](https://aws.amazon.com/blogs/devops/how-to-centrally-manage-aws-config-rules-across-multiple-aws-accounts/) blog post.

------
#### [ Same account bucket policy ]

For AWS Config to be able to store conformance pack artifacts, you will need to provide an Amazon S3 bucket and add the following permissions. For more information on naming your bucket, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigConformsBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::delivery-bucket-name"
        },
        {
            "Sid": "AWSConfigConformsBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::delivery-bucket-name/[optional] prefix/AWSLogs/AccountId/Config/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
```

------
#### [ Cross-account bucket policy ]

For AWS Config to be able to store conformance pack artifacts, you will need to provide an Amazon S3 bucket and add the following permissions. For more information on naming your bucket, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigConformsBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms",
                    "PutConformancePack API caller user principal like arn:aws:iam::SourceAccountId:user/userName "
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::awsconfigconforms-suffix in bucket name"
        },
        {
            "Sid": "AWSConfigConformsBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::awsconfigconforms-suffix in bucket name/[optional] prefix/AWSLogs/AccountID/Config/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSConfigConformsBucketReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsconfigconforms-suffix in bucket name/[optional] prefix/AWSLogs/AccountID/Config/*"
        }
    ]
}
```

**Note**  
When deploying cross-account conformance packs, the name of the delivery Amazon S3 bucket should start with `awsconfigconforms`.

------

### C. Prerequisites for Organization Conformance Packs
<a name="cpack-prerequisites-organizationcpack"></a>

If the input template has an autoremediation configuration, specify an automation execution role ARN for that remediation in the template. Ensure a role with the specified name exists in all the accounts (management and member) of an organization. You must create this role in all accounts before calling `PutOrganizationConformancePack`. You can create this role manually in each account or use AWS CloudFormation StackSets to create it in every account.

If your template uses the AWS CloudFormation intrinsic function [`Fn::ImportValue`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html) to import a particular variable, then that variable must be defined as an [`Export Value`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html) in all the member accounts of that organization.

For custom AWS Config rules, see the [How to Centrally Manage AWS Config Rules across Multiple AWS accounts](https://aws.amazon.com/blogs/devops/how-to-centrally-manage-aws-config-rules-across-multiple-aws-accounts/) blog post to set up the proper permissions.

**Organization bucket policy:**

For AWS Config to be able to store conformance pack artifacts, you will need to provide an Amazon S3 bucket and add the following permissions. For more information on naming your bucket, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                 "s3:GetObject",
                 "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::awsconfigconforms-suffix in bucket name/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "customer_org_id"
                },
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                }
            }
        },
        {
            "Sid": "AllowGetBucketAcl",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::awsconfigconforms-suffix in bucket name",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "customer_org_id"
                },
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                }
            }
        }
    ]
}
```

**Note**  
When deploying conformance packs to an organization, the name of the delivery Amazon S3 bucket should start with `awsconfigconforms`.
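
The three delivery-bucket policies above scope access differently, and the organization policy uses `"Principal": "*"`, so it depends entirely on its two conditions. The following Python check is an added example, not AWS code: it audits a policy document for the properties shown on this page. The function names, the scope labels, the bucket name `awsconfigconforms-example`, and the organization ID `o-exampleorgid` are assumptions made for the example.

```python
import copy
from fnmatch import fnmatchcase

# Role path and action names are taken from the bucket policies on this page.
SLR_PATH = ":role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
DELIVERY_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject", "s3:GetObject"}
REQUIRED = {  # hypothetical scope labels, one per policy variant on this page
    "same-account": {"s3:GetBucketAcl", "s3:PutObject"},
    "cross-account": DELIVERY_ACTIONS,
    "organization": DELIVERY_ACTIONS,
}


def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_values(statement, operator, key):
    """Values of one condition key (operator and key names are case-insensitive)."""
    for op, block in statement.get("Condition", {}).items():
        if op.lower() == operator.lower():
            for name, value in block.items():
                if name.lower() == key.lower():
                    return as_list(value)
    return []


def is_wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def audit_delivery_policy(policy, scope):
    """Return a list of findings for a delivery-bucket policy; scope is a key of REQUIRED."""
    findings, granted, buckets = [], set(), set()
    allowed = {a.lower() for a in DELIVERY_ACTIONS}
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        sid = str(st.get("Sid", "<no Sid>")).strip()
        actions = set(as_list(st.get("Action")))
        granted |= actions
        for res in as_list(st.get("Resource")):
            # "arn:aws:s3:::bucket/key" -> "bucket"
            buckets.add(res.split(":::", 1)[-1].split("/", 1)[0])
        extra = sorted(a for a in actions if a.lower() not in allowed)
        if extra:
            findings.append(f"{sid}: actions beyond delivery needs: {', '.join(extra)}")
        if is_wildcard(st.get("Principal")):
            # "*" is acceptable only when both conditions narrow it down.
            if not condition_values(st, "StringEquals", "aws:PrincipalOrgID"):
                findings.append(f"{sid}: Principal * without aws:PrincipalOrgID")
            arns = condition_values(st, "ArnLike", "aws:PrincipalArn")
            if not arns or not all(a.endswith(SLR_PATH) for a in arns):
                findings.append(f"{sid}: Principal * not limited to the service-linked role")
        elif "s3:PutObject" in actions:
            acl = condition_values(st, "StringEquals", "s3:x-amz-acl")
            if acl != ["bucket-owner-full-control"]:
                findings.append(f"{sid}: s3:PutObject without bucket-owner-full-control ACL condition")
    for req in sorted(REQUIRED[scope]):
        # A granted action may be a wildcard pattern such as "s3:*".
        if not any(fnmatchcase(req.lower(), a.lower()) for a in granted):
            findings.append(f"policy: {req} is not granted")
    if scope != "same-account":
        for bucket in sorted(b for b in buckets if not b.startswith("awsconfigconforms")):
            findings.append(f"policy: bucket {bucket} does not start with awsconfigconforms")
    return findings


def sample_org_policy():
    """Constructed sample: the organization policy from this page with placeholder values."""
    cond = {
        "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
        "ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*" + SLR_PATH},
    }
    bucket = "arn:aws:s3:::awsconfigconforms-example"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGetObject", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": bucket + "/*", "Condition": copy.deepcopy(cond)},
        {"Sid": "AllowGetBucketAcl", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetBucketAcl", "Resource": bucket,
         "Condition": copy.deepcopy(cond)},
    ]}


def sample_weakened_policy():
    """Constructed sample: the same policy after a careless edit."""
    policy = sample_org_policy()
    first = policy["Statement"][0]
    del first["Condition"]["ArnLike"]          # any principal in the organization now matches
    first["Action"].append("s3:DeleteObject")  # more than artifact delivery needs
    return policy


if __name__ == "__main__":
    for name, pol in (("page policy", sample_org_policy()), ("weakened", sample_weakened_policy())):
        print(name, audit_delivery_policy(pol, "organization") or "no findings")
```

To audit a deployed bucket, load the policy document returned by `aws s3api get-bucket-policy` with `json.loads` and pass it to `audit_delivery_policy` with the matching scope.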

## Region Support
<a name="conformance-packs-regions"></a>

Conformance packs are supported in the following Regions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html)

Deploying conformance packs across member accounts in an AWS Organization is supported in the following Regions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html)

# AWS Config Process Checks Within a Conformance Pack for AWS Config
<a name="process-checks"></a>

A process check is a type of AWS Config rule that allows you to track external and internal tasks that require verification as part of a conformance pack. These checks can be added to an existing conformance pack or a new conformance pack. You can track all compliance, including AWS configurations and manual checks, in a single location.

With process checks, you can list the compliance of requirements and actions in a single location. Process checks help increase the coverage of conformance packs that are based on compliance regimes. You can further expand a conformance pack by adding new process checks that track processes and actions needing manual verification and tracking. This enables a conformance pack to become the template that provides details about AWS configurations and manual processes for a compliance regime.

You can track and manage the compliance of processes not associated with resource configuration changes within a conformance pack as process checks. For example, you can add a process check to track the PCI-DSS compliance requirement to store media backup at an offsite location. You manually evaluate the compliance of this requirement according to PCI-DSS guidelines, or according to your organization's guidance.

**Region availability**: Process checks with the conformance packs are available in all AWS Regions where AWS Config conformance packs are available. For more information, see [Region Support](conformance-packs.md#conformance-packs-regions).

**Topics**
+ [Sample Template](Sample-CPack-Template-for-Creating-Process-Check-Rule.md)
+ [Creating Process Checks](How-to-create-a-Process-Check-Rule.md)
+ [Changing Compliance Status](change-compliance-status.md)
+ [View and Edit](view-a-process-check-console.md)

# Sample Conformance Pack Template for Creating Process Checks
<a name="Sample-CPack-Template-for-Creating-Process-Check-Rule"></a>

```
################################################################################
#
#  Conformance Pack template for process check
#
################################################################################
Resources:
  AWSConfigProcessCheck:
    Properties:
      ConfigRuleName: RuleName
      Description: Description of Rule
      Source:
        Owner: AWS
        SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
    Type: AWS::Config::ConfigRule
```

See two sample templates, the [Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1](operational-best-practices-for-cis_aws_benchmark_level_1.md) template and the [Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2](operational-best-practices-for-cis_aws_benchmark_level_2.md) template.

# Include Process Checks Within a Conformance Pack
<a name="How-to-create-a-Process-Check-Rule"></a>

1. Add a process check in the conformance pack template. Refer to [Sample Conformance Pack Template for Creating Process Checks](Sample-CPack-Template-for-Creating-Process-Check-Rule.md).

   ```
   Resources:
     ConfigEnabledAllRegions:
       Properties:
         ConfigRuleName: Config-Enabled-All-Regions
         Description: Ensure AWS Config is enabled in all Regions.
         Source:
           Owner: AWS
           SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
       Type: AWS::Config::ConfigRule
   ```

1. Enter the name for the process check.

1. Enter the description for the process check.

1. Deploy the conformance pack. For more information, see [Deploying Conformance Packs for AWS Config](conformance-pack-deploy.md).

# Change Compliance Status of a Process Check
<a name="change-compliance-status"></a>

You can change the compliance status of a process check using the AWS Config console, the AWS CLI, and APIs.

------
#### [ Change Compliance Status for Process Checks (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the AWS Config Rules page.

1. Choose the name of the process check that you specified in the template along with the identifier in the conformance pack.

   **Note**  
   All the process checks from the same conformance pack have the same suffix.

1. On the Rule details page, you cannot edit the rule but you can edit the compliance of the rule. In the Manual compliance section, choose **Edit compliance**.

1. Choose the appropriate compliance from the dropdown list.

1. (Optional) Enter a description for the compliance status.

1. Choose **Save**.

------
#### [ Change the Compliance Status for Process Checks (AWS CLI) ]

You can update the compliance of process checks within a conformance pack using the AWS Command Line Interface (AWS CLI). 

To install the AWS CLI on your local machine, see [Installing the AWS CLI](http://docs.aws.amazon.com/cli/latest/userguide/installing.html) in the *AWS CLI User Guide*.

If necessary, run `aws configure` to configure the AWS CLI to use an AWS Region where AWS Config conformance packs are available.

1. Open a command prompt or a terminal window.

1. Enter the following command to update the compliance of a process check. Replace `process-check-rule-name` with the name of your rule and `account-id` with your account ID, which is the value of `ComplianceResourceId`.

   ```
   aws configservice put-external-evaluation --config-rule-name process-check-rule-name --external-evaluation ComplianceResourceType=AWS::::Account,ComplianceResourceId=account-id,ComplianceType=NON_COMPLIANT,OrderingTimestamp=2020-12-17T00:10:00.000Z
   ```

1. Press Enter to run the command.

------
#### [ Change the Compliance Status for Process Checks (API) ]

After the deployment is complete, to update the evaluations and compliance of the process checks, use the `PutExternalEvaluation` API. For more information, see [PutExternalEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_PutExternalEvaluation.html).

------

# View and Edit the Process Check (Console)
<a name="view-a-process-check-console"></a>

You can view process checks only after a compliance state has been added to them. Choose the specific conformance pack to view all the process checks within that conformance pack. The list shows which process checks are compliant and which are noncompliant.

Because this is a service-linked rule, you cannot edit the process check through the Rule details page.

**Note**  
You can still update the compliance of the process check by choosing **Edit Compliance** and selecting the appropriate value: compliant, noncompliant, or not applicable.

You can edit or delete a process check from the conformance pack where you added the process checks.

# Conformance Pack Sample Templates for AWS Config
<a name="conformancepack-sample-templates"></a>

Here are the conformance pack YAML templates that you see in the AWS Config console. Within each conformance pack template, you can use one or more AWS Config rules and remediation actions. The AWS Config rules listed within the conformance pack can be AWS Config managed rules, AWS Config custom rules, or both. You can download all the conformance pack templates from [GitHub](https://github.com/awslabs/aws-config-rules/tree/master/aws-config-conformance-packs).

**Important**  
Conformance packs provide a general-purpose compliance framework to help you create security, operational, or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. AWS conformance pack sample templates are intended to help you create your own conformance packs with different or additional rules, input parameters, and remediation actions that suit your environment. The sample templates, including those related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard. They can neither replace your internal efforts nor guarantee that you will pass a compliance assessment.

**Note**  
It is recommended that you review the rules available in the region where you deploy a conformance pack ([List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html)) and amend the template for rules not yet available in that region before deploying.

**Topics**
+ [AI/ML Security & Governance Supporting Infrastructure Best Practices](AI-ML-security-governance-supporting-infrastructure-best-practices.md)
+ [Amazon Bedrock Security and Governance Best Practices](amazon-bedrock-security-and-governance-best-practices.md)
+ [Amazon SageMaker AI Security and Governance Best Practices](amazon-sagemaker-ai-security-and-governance-best-practices.md)
+ [AWS Control Tower Detective Guardrails Conformance Pack](aws-control-tower-detective-guardrails.md)
+ [Cyber Resilience Best Practices for Amazon S3, Amazon EBS, and Amazon DynamoDB](cyber-resilience-best-practices-for-s3-ebs-dynamoDB.md)
+ [Operational Best Practices for ABS CCIG 2.0 Material Workloads](operational-best-practices-for-ABS-CCIGv2-Material.md)
+ [Operational Best Practices for ABS CCIG 2.0 Standard Workloads](operational-best-practices-for-ABS-CCIGv2-Standard.md)
+ [Operational Best Practices for ACSC Essential 8](operational-best-practices-for-acsc_essential_8.md)
+ [Operational Best Practices for ACSC ISM - Part 1](operational-best-practices-for-acsc-ism.md)
+ [Operational Best Practices for ACSC ISM - Part 2](operational-best-practices-for-acsc-ism-part-2.md)
+ [Operational Best Practices for Amazon API Gateway](operational-best-practices-for-amazon-API-gateway.md)
+ [Operational Best Practices for Amazon CloudWatch](operational-best-practices-for-amazon-cloudwatch.md)
+ [Operational Best Practices for Amazon DynamoDB](operational-best-practices-for-amazon-dynamodb.md)
+ [Operational Best Practices for Amazon S3](operational-best-practices-for-amazon-s3.md)
+ [Operational Best Practices for APRA CPG 234](operational-best-practices-for-apra_cpg_234.md)
+ [Operational Best Practices for Asset Management](operational-best-practices-for-asset-management.md)
+ [Operational Best Practices for AWS Backup](operational-best-practices-for-aws-backup.md)
+ [Operational Best Practices for AWS Identity And Access Management](operational-best-practices-for-aws-identity-and-access-management.md)
+ [Operational Best Practices for AWS Well-Architected Framework Reliability Pillar](operational-best-practices-for-wa-Reliability-Pillar.md)
+ [Operational Best Practices for AWS Well-Architected Framework Security Pillar](operational-best-practices-for-wa-Security-Pillar.md)
+ [Operational Best Practices for BCP and DR](operational-best-practices-for-BCP-and-DR.md)
+ [Operational Best Practices for BNM RMiT](operational-best-practices-for-bnm-rmit.md)
+ [Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile](operational-best-practices-for-cccs_medium.md)
+ [Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1](operational-best-practices-for-cis_aws_benchmark_level_1.md)
+ [Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2](operational-best-practices-for-cis_aws_benchmark_level_2.md)
+ [Operational Best Practices for CIS Critical Security Controls v8 IG1](operational-best-practices-for-cis-critical-security-controls-v8.md)
+ [Operational Best Practices for CIS Critical Security Controls v8 IG2](operational-best-practices-for-cis-critical-security-controls-v8-ig2.md)
+ [Operational Best Practices for CIS Critical Security Controls v8 IG3](operational-best-practices-for-cis-critical-security-controls-v8-ig3.md)
+ [Operational Best Practices for CIS Top 20](operational-best-practices-for-cis_top_20.md)
+ [Operational Best Practices for CISA Cyber Essentials](operational-best-practices-for-cisa-ce.md)
+ [Operational Best Practices for Criminal Justice Information Services (CJIS)](operational-best-practices-for-cjis.md)
+ [Operational Best Practices for CMMC 2.0 Level 1](operational-best-practices-for-cmmc_2.0_level_1.md)
+ [Operational Best Practices for CMMC 2.0 Level 2](operational-best-practices-for-cmmc_2.0_level_2.md)
+ [Operational Best Practices for Compute Services](operational-best-practices-for-Compute-Services.md)
+ [Operational Best Practices for Data Resiliency](operational-best-practices-for-Data-Resiliency.md)
+ [Operational Best Practices for Databases Services](operational-best-practices-for-Databases-Services.md)
+ [Operational Best Practices for Data Lakes and Analytics Services](operational-best-practices-for-Datalakes-and-Analytics-Services.md)
+ [Operational Best Practices for DevOps](operational-best-practices-for-DevOps.md)
+ [Operational Best Practices for EC2](operational-best-practices-for-EC2.md)
+ [Operational Best Practices for Encryption and Key Management](operational-best-practices-for-Encryption-and-Keys.md)
+ [Operational Best Practices for ENISA Cybersecurity guide for SMEs](operational-best-practices-for-enisa-cybersecurity-guide-for-smes.md)
+ [Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low](operational-best-practices-for-ens-low.md)
+ [Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium](operational-best-practices-for-ens-medium.md)
+ [Operational Best Practices for Esquema Nacional de Seguridad (ENS) High](operational-best-practices-for-ens_high.md)
+ [Operational Best Practices for FDA Title 21 CFR Part 11](operational-best-practices-for-FDA-21CFR-Part-11.md)
+ [Operational Best Practices for FedRAMP (Low)](operational-best-practices-for-fedramp-low.md)
+ [Operational Best Practices for FedRAMP (Moderate)](operational-best-practices-for-fedramp-moderate.md)
+ [Operational Best Practices for FedRAMP (High Part 1)](operational-best-practices-for-fedramp-high-part-1.md)
+ [Operational Best Practices for FedRAMP (High Part 2)](operational-best-practices-for-fedramp-high-part-2.md)
+ [Operational Best Practices for FFIEC](operational-best-practices-for-ffiec.md)
+ [Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5)](operational-best-practices-for-germany-c5.md)
+ [Operational Best Practices for Gramm Leach Bliley Act (GLBA)](operational-best-practices-for-gramm-leach-bliley-act.md)
+ [Operational Best Practices for GxP EU Annex 11](operational-best-practices-for-gxp-eu-annex-11.md)
+ [Operational Best Practices for HIPAA Security](operational-best-practices-for-hipaa_security.md)
+ [Operational Best Practices for IRS 1075](operational-best-practices-for-irs-1075.md)
+ [Operational Best Practices for K-ISMS](operational-best-practices-for-k-isms.md)
+ [Operational Best Practices for Load Balancing](operational-best-practices-for-load-balancing.md)
+ [Operational Best Practices for Logging](operational-best-practices-for-logging.md)
+ [Operational Best Practices for Management and Governance Services](operational-best-practices-for-Management-and-Governance-Services.md)
+ [Operational Best Practices for MAS Notice 655](operational-best-practices-for-mas_notice_655.md)
+ [Operational Best Practices for MAS TRMG](operational-best-practices-for-mas-trmg.md)
+ [Operational Best Practices for Monitoring](operational-best-practices-for-monitoring.md)
+ [Operational Best Practices for NBC TRMG](operational-best-practices-for-nbc-trmg.md)
+ [Operational Best Practices for NERC CIP BCSI](operational-best-practices-for-nerc.md)
+ [Operational Best Practices for NCSC Cloud Security Principles](operational-best-practices-for-ncsc.md)
+ [Operational Best Practices for NCSC Cyber Assessment Framework](operational-best-practices-for-ncsc_cafv3.md)
+ [Operational Best Practices for Networking and Content Delivery Services](operational-best-practices-for-Networking-and-Content-Delivery-Services.md)
+ [Operational Best Practices for NIST 800-53 rev 4](operational-best-practices-for-nist-800-53_rev_4.md)
+ [Operational Best Practices for NIST 800-53 rev 5](operational-best-practices-for-nist-800-53_rev_5.md)
+ [Operational Best Practices for NIST 800 171](operational-best-practices-for-nist_800-171.md)
+ [Operational Best Practices for NIST 800 172](operational-best-practices-for-nist_800-172.md)
+ [Operational Best Practices for NIST 800 181](operational-best-practices-for-nist_800-181.md)
+ [Operational Best Practices for NIST 1800 25](operational-best-practices-for-nist_1800_25.md)
+ [Operational Best Practices for NIST CSF](operational-best-practices-for-nist-csf.md)
+ [Operational Best Practices for NIST Privacy Framework v1.0](operational-best-practices-for-nist_privacy_framework.md)
+ [Operational Best Practices for NYDFS 23](operational-best-practices-for-us_nydfs.md)
+ [Operational Best Practices for NZISM 3.8](operational-best-practices-for-nzism.md)
+ [Operational Best Practices for PCI DSS 3.2.1](operational-best-practices-for-pci-dss.md)
+ [Operational Best Practices for PCI DSS 4.0 (Excluding global resource types)](operational-best-practices-for-pci-dss-v4-excluding-global-resource-types.md)
+ [Operational Best Practices for PCI DSS 4.0 (Including global resource types)](operational-best-practices-for-pci-dss-v4-including-global-resource-types.md)
+ [Operational Best Practices for Publicly Accessible Resources](operational-best-practices-for-Publicly-Accessible-Resources.md)
+ [Operational Best Practices for RBI Cyber Security Framework for UCBs](operational-best-practices-for-rbi-bcsf-ucb.md)
+ [Operational Best Practices for RBI MD-ITF](operational-best-practices-for-rbi-md-itf.md)
+ [Operational Best Practices for Security, Identity, and Compliance Services](operational-best-practices-for-Security-Identity-and-Compliance-Services.md)
+ [Operational Best Practices for Serverless](operational-best-practices-for-serverless.md)
+ [Operational Best Practices for Storage Services](operational-best-practices-for-Storage-Services.md)
+ [Operational Best Practices for SWIFT CSP](operational-best-practices-for-swift-csp.md)
+ [Security Best Practices for Amazon Elastic Container Service (Amazon ECS)](security-best-practices-for-ECS.md)
+ [Security Best Practices for Amazon Elastic File System (Amazon EFS)](security-best-practices-for-EFS.md)
+ [Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS)](security-best-practices-for-EKS.md)
+ [Security Best Practices for Amazon CloudFront](security-best-practices-for-CloudFront.md)
+ [Security Best Practices for Amazon OpenSearch Service](security-best-practices-for-OpenSearch.md)
+ [Security Best Practices for Amazon Redshift](security-best-practices-for-redshift.md)
+ [Security Best Practices for Amazon Relational Database Service (Amazon RDS)](security-best-practices-for-RDS.md)
+ [Security Best Practices for AWS Auto Scaling](security-best-practices-for-AutoScaling.md)
+ [Security Best Practices for AWS CloudTrail](security-best-practices-for-CloudTrail.md)
+ [Security Best Practices for AWS CodeBuild](security-best-practices-for-CodeBuild.md)
+ [Security Best Practices for Amazon ECR](security-best-practices-for-ECR.md)
+ [Security Best Practices for AWS Lambda](security-best-practices-for-Lambda.md)
+ [Security Best Practices for AWS Network Firewall](security-best-practices-for-Network-Firewall.md)
+ [Security Best Practices for Amazon SageMaker AI](security-best-practices-for-SageMaker.md)
+ [Security Best Practices for AWS Secrets Manager](security-best-practices-for-Secrets-Manager.md)
+ [Security Best Practices for AWS WAF](security-best-practices-for-aws-waf.md)
+ [Self-Hosted AI/ML Security & Governance Best Practices](self-hosted-AI-ML-security-governance-best-practices.md)
+ [Example Templates with Remediation Action](templateswithremediation.md)

# AI/ML Security & Governance Supporting Infrastructure Best Practices
<a name="AI-ML-security-governance-supporting-infrastructure-best-practices"></a>

 This conformance pack is intended to provide a baseline of security configurations for any AI workload (inclusive of AI, ML, generative AI, agentic AI, and physical AI). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [AI/ML Security & Governance Supporting Infrastructure Best Practices](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/AI-ML-Security-Governance-Supporting-Infrastructure-Best-Practices.yaml).

# Amazon Bedrock Security and Governance Best Practices
<a name="amazon-bedrock-security-and-governance-best-practices"></a>

 This conformance pack is intended to provide a baseline of security configurations for Amazon Bedrock AI workloads (inclusive of AI, ML, generative AI, agentic AI, and physical AI). Expected to be deployed in conjunction with the [AI/ML Security & Governance Supporting Infrastructure Best Practices](https://docs.aws.amazon.com/config/latest/developerguide/AI-ML-security-governance-supporting-infrastructure-best-practices.html) conformance pack. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Amazon Bedrock Security and Governance Best Practices](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Amazon-Bedrock-Security-and-Governance-Best-Practices.yaml).

# Amazon SageMaker AI Security and Governance Best Practices
<a name="amazon-sagemaker-ai-security-and-governance-best-practices"></a>

 This conformance pack is intended to provide a baseline of security configurations for AI workloads (inclusive of AI, ML, generative AI, agentic AI, and physical AI). Expected to be deployed in conjunction with the [AI/ML Security & Governance Supporting Infrastructure Best Practices](https://docs.aws.amazon.com/config/latest/developerguide/AI-ML-security-governance-supporting-infrastructure-best-practices.html) conformance pack. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Amazon SageMaker AI Security and Governance Best Practices](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Amazon-Sagemaker-AI-Security-and-Governance-Best-Practices.yaml).

# AWS Control Tower Detective Guardrails Conformance Pack
<a name="aws-control-tower-detective-guardrails"></a>

 This conformance pack contains AWS Config rules based on AWS Control Tower Detective Guardrails. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [AWS Control Tower Detective Guardrails Conformance Pack](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/AWS-Control-Tower-Detective-Guardrails.yaml).

# Cyber Resilience Best Practices for Amazon S3, Amazon EBS, and Amazon DynamoDB
<a name="cyber-resilience-best-practices-for-s3-ebs-dynamoDB"></a>

 This conformance pack contains AWS Config rules based on Cyber Resilience Best Practices for Amazon S3, Amazon EBS, and Amazon DynamoDB. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Cyber Resilience Best Practices for Amazon S3, Amazon EBS, and Amazon DynamoDB](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Cyber-Resilience-Best-Practices-for-S3-EBS-DynamoDB.yml).

# Operational Best Practices for ABS CCIG 2.0 Material Workloads
<a name="operational-best-practices-for-ABS-CCIGv2-Material"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the ABS Cloud Computing Implementation Guide 2.0 - Material Workloads and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ABS Cloud Computing Implementation Guide controls. An ABS Cloud Computing Implementation Guide control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ABS-CCIGv2-Material.html)

## Template
<a name="ccig-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for ABS CCIG 2.0 Material Workloads](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ABS-CCIGv2-Material.yaml).

# Operational Best Practices for ABS CCIG 2.0 Standard Workloads
<a name="operational-best-practices-for-ABS-CCIGv2-Standard"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the ABS Cloud Computing Implementation Guide 2.0 - Standard Workloads and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ABS Cloud Computing Implementation Guide controls. An ABS Cloud Computing Implementation Guide control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ABS-CCIGv2-Standard.html)

## Template
<a name="ccig-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for ABS CCIG 2.0 Standard Workloads](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ABS-CCIGv2-Standard.yaml).

# Operational Best Practices for ACSC Essential 8
<a name="operational-best-practices-for-acsc_essential_8"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ACSC Essential Eight controls. An ACSC Essential Eight control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. Some of the mappings to Config rules are for the higher-order section (e.g., Mitigation Strategies to Limit the Extent of Cyber Security Incidents) as opposed to the more prescriptive sections.

This sample conformance pack template contains mappings to controls within the ACSC Essential 8, which was created by the Commonwealth of Australia and can be found at [ACSC | Essential Eight](https://www.cyber.gov.au/acsc/view-all-content/essential-eight). Licensing of the framework under Creative Commons Attribution 4.0 International Public License and copyright information for the framework (including a disclaimer of warranties) can be found at [ACSC | Copyright](https://www.cyber.gov.au/acsc/copyright).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-acsc_essential_8.html)

## Template
<a name="acsc_essential_8-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for ACSC Essential 8](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ACSC-Essential8.yaml).

# Operational Best Practices for ACSC ISM - Part 1
<a name="operational-best-practices-for-acsc-ism"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) 2020-06 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ISM controls. An ISM control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within the ISM framework, which was created by the Commonwealth of Australia and can be found at [Australian Government Information Security Manual](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-principles). Licensing of the framework under Creative Commons Attribution 4.0 International Public License and copyright information for the framework (including a disclaimer of warranties) can be found at [ACSC | Copyright](https://www.cyber.gov.au/acsc/copyright).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-acsc-ism.html)

## Template
<a name="acsc-ism-conformance-pack-sample"></a>

These templates are available on GitHub:
+ [Operational Best Practices for ACSC ISM - Part 1](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ACSC-ISM.yaml)
+ [Operational Best Practices for ACSC ISM - Part 2](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ACSC-ISM-Part2.yaml)

# Operational Best Practices for ACSC ISM - Part 2
<a name="operational-best-practices-for-acsc-ism-part-2"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides additional sample mapping between the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) 2020-06 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ISM controls. An ISM control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within the ISM framework, which was created by the Commonwealth of Australia and can be found at [Australian Government Information Security Manual](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-principles). Licensing of the framework under Creative Commons Attribution 4.0 International Public License and copyright information for the framework (including a disclaimer of warranties) can be found at [ACSC | Copyright](https://www.cyber.gov.au/acsc/copyright).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-acsc-ism-part-2.html)

## Template
<a name="acsc-ism-conformance-pack-sample"></a>

This template is available on GitHub: [Operational Best Practices for ACSC ISM - Part 2](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ACSC-ISM-Part2.yaml).

# Operational Best Practices for Amazon API Gateway
<a name="operational-best-practices-for-amazon-API-gateway"></a>

 This conformance pack contains AWS Config rules based on the usage of Amazon API Gateway within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Amazon API Gateway](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-API-Gateway.yaml).

# Operational Best Practices for Amazon CloudWatch
<a name="operational-best-practices-for-amazon-cloudwatch"></a>

 This conformance pack contains AWS Config rules based on the usage of Amazon CloudWatch within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Amazon CloudWatch](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CloudWatch.yaml).

# Operational Best Practices for Amazon DynamoDB
<a name="operational-best-practices-for-amazon-dynamodb"></a>

The template is available on GitHub: [Operational Best Practices for Amazon DynamoDB](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Amazon-DynamoDB.yaml).

# Operational Best Practices for Amazon S3
<a name="operational-best-practices-for-amazon-s3"></a>

The template is available on GitHub: [Operational Best Practices for Amazon S3](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Amazon-S3.yaml).

# Operational Best Practices for APRA CPG 234
<a name="operational-best-practices-for-apra_cpg_234"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Australian Prudential Regulation Authority (APRA) CPG 234 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more APRA CPG 234 controls. An APRA CPG 234 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within APRA CPG 234 2019, which was created by the Commonwealth of Australia and can be found at [Prudential Practice Guide: CPG 234 Information Security](https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_1.pdf). Licensing of the framework under Creative Commons Australia Attribution 3.0 Licence and copyright information for the framework (including a disclaimer of warranties) can be found at [APRA | Copyright](https://www.apra.gov.au/copyright).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-apra_cpg_234.html)

## Template
<a name="apra_cpg_234-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for APRA CPG 234](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-APRA-CPG-234.yaml).

# Operational Best Practices for Asset Management
<a name="operational-best-practices-for-asset-management"></a>

 This conformance pack contains AWS Config rules based on asset management within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Asset Management](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Asset-Management.yaml).

# Operational Best Practices for AWS Backup
<a name="operational-best-practices-for-aws-backup"></a>

 This conformance pack contains AWS Config rules based on AWS Backup within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for AWS Backup](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-AWS-Backup.yaml).

# Operational Best Practices for AWS Identity And Access Management
<a name="operational-best-practices-for-aws-identity-and-access-management"></a>

The template is available on GitHub: [Operational Best Practices for AWS Identity And Access Management](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-AWS-Identity-and-Access-Management.yaml).

# Operational Best Practices for AWS Well-Architected Framework Reliability Pillar
<a name="operational-best-practices-for-wa-Reliability-Pillar"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between Amazon Web Services’ Well-Architected Framework Reliability Pillar and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more of the pillar’s design principles. A Well-Architected Framework category can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-wa-Reliability-Pillar.html)

## Template
<a name="wa-Reliability-Pillar-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for AWS Well-Architected Reliability Pillar](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-AWS-Well-Architected-Reliability-Pillar.yaml).

# Operational Best Practices for AWS Well-Architected Framework Security Pillar
<a name="operational-best-practices-for-wa-Security-Pillar"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between Amazon Web Services’ Well-Architected Framework Security Pillar and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more of the pillar’s design principles. A Well-Architected Framework category can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-wa-Security-Pillar.html)

## Template
<a name="wa-Security-Pillar-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for AWS Well-Architected Security Pillar](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-AWS-Well-Architected-Security-Pillar.yaml).

# Operational Best Practices for BCP and DR
<a name="operational-best-practices-for-BCP-and-DR"></a>

 This conformance pack contains AWS Config rules based on BCP and DR within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for BCP and DR](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-BCP-and-DR.yaml).

# Operational Best Practices for BNM RMiT
<a name="operational-best-practices-for-bnm-rmit"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.  

The following provides a sample mapping between the Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more BNM RMiT controls. A BNM RMiT control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-bnm-rmit.html)

## Template
<a name="bnm-rmit-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for BNM RMiT](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-BNM-RMiT.yaml).

# Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile
<a name="operational-best-practices-for-cccs_medium"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CCCS Medium Cloud Control Profile controls. A CCCS Medium Cloud Control Profile control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. 


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cccs_medium.html)

## Template
<a name="ccs_medium-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CCCS-Medium.yaml).

# Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1
<a name="operational-best-practices-for-cis_aws_benchmark_level_1"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 1 and AWS managed Config rules/AWS Config Process Checks. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Amazon Web Services Foundation v1.4 Level 1 controls. A CIS Amazon Web Services Foundation v1.4 Level 1 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

For more information about process checks, see [process-checks](https://docs.aws.amazon.com/config/latest/developerguide/process-checks.html).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html)

## Template
<a name="cis_aws_benchmark_level_1-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml).

# Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2
<a name="operational-best-practices-for-cis_aws_benchmark_level_2"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 2 and AWS managed Config rules/AWS Config Process Checks. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Amazon Web Services Foundation v1.4 Level 2 controls. A CIS Amazon Web Services Foundation v1.4 Level 2 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

For more information about process checks, see [process-checks](https://docs.aws.amazon.com/config/latest/developerguide/process-checks.html).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html)

## Template
<a name="cis_aws_benchmark_level_2-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml).

# Operational Best Practices for CIS Critical Security Controls v8 IG1
<a name="operational-best-practices-for-cis-critical-security-controls-v8"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Critical Security Controls v8 IG1 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more CIS Critical Security Controls v8 IG1 controls. A CIS Critical Security Controls v8 IG1 control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis-critical-security-controls-v8.html)

## Template
<a name="cis-critical-security-controls-v8-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CIS Critical Security Controls v8 IG1](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG1.yaml).

# Operational Best Practices for CIS Critical Security Controls v8 IG2
<a name="operational-best-practices-for-cis-critical-security-controls-v8-ig2"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Critical Security Controls v8 IG2 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more CIS Critical Security Controls v8 IG2 controls. A CIS Critical Security Controls v8 IG2 control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis-critical-security-controls-v8-ig2.html)

## Template
<a name="cis-critical-security-controls-v8-ig2-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CIS Critical Security Controls v8 IG2](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG2.yaml).

# Operational Best Practices for CIS Critical Security Controls v8 IG3
<a name="operational-best-practices-for-cis-critical-security-controls-v8-ig3"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Critical Security Controls v8 IG3 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more CIS Critical Security Controls v8 IG3 controls. A CIS Critical Security Controls v8 IG3 control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis-critical-security-controls-v8-ig3.html)

## Template
<a name="cis-critical-security-controls-v8-ig3-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CIS Critical Security Controls v8 IG3](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG3.yaml).

# Operational Best Practices for CIS Top 20
<a name="operational-best-practices-for-cis_top_20"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Top 20 Critical Security Controls and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Top 20 controls. A CIS Top 20 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This Conformance Pack was validated by AWS Security Assurance Services LLC (AWS SAS), which is a team of Payment Card Industry Qualified Security Assessors (QSAs), HITRUST Certified Common Security Framework Practitioners (CCSFPs), and compliance professionals certified to provide guidance and assessments for various industry frameworks. AWS SAS professionals designed this Conformance Pack to enable a customer to align to a subset of the CIS Top 20.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_top_20.html)

## Template
<a name="cis_top_20-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CIS Top 20](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-Top20.yaml).

# Operational Best Practices for CISA Cyber Essentials
<a name="operational-best-practices-for-cisa-ce"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Cybersecurity & Infrastructure Security Agency (CISA) Cyber Essentials (CE) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more CISA CE controls. A CISA CE control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings. 


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cisa-ce.html)

## Template
<a name="cisa_ce-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CISA Cyber Essentials](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CISA-Cyber-Essentials.yaml).

# Operational Best Practices for Criminal Justice Information Services (CJIS)
<a name="operational-best-practices-for-cjis"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Criminal Justice Information Services (CJIS) Compliance Requirements and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CJIS controls. A CJIS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cjis.html)

## Template
<a name="cjis_2022-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CJIS](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CJIS.yaml).

# Operational Best Practices for CMMC 2.0 Level 1
<a name="operational-best-practices-for-cmmc_2.0_level_1"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CMMC 2.0 Level 1 controls. A CMMC 2.0 Level 1 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cmmc_2.0_level_1.html)

## Template
<a name="cmmc_2.0_level_1-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CMMC 2.0 Level 1](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CMMC-2.0-Level-1.yaml).

# Operational Best Practices for CMMC 2.0 Level 2
<a name="operational-best-practices-for-cmmc_2.0_level_2"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CMMC 2.0 Level 2 controls. A CMMC 2.0 Level 2 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cmmc_2.0_level_2.html)

## Template
<a name="cmmc_2.0_level_2-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for CMMC 2.0 Level 2](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CMMC-2.0-Level-2.yaml).

# Operational Best Practices for Compute Services
<a name="operational-best-practices-for-Compute-Services"></a>

This conformance pack contains AWS Config rules based on Compute Services. For more information, see [Compute for any workload](https://aws.amazon.com/products/compute/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for Compute Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Compute-Services.yaml).

# Operational Best Practices for Data Resiliency
<a name="operational-best-practices-for-Data-Resiliency"></a>

For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for Data Resiliency](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Data-Resiliency.yaml).

# Operational Best Practices for Databases Services
<a name="operational-best-practices-for-Databases-Services"></a>

This conformance pack contains AWS Config rules based on Databases Services. For more information, see [Databases on AWS](https://aws.amazon.com/products/databases/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for Databases Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Database-Services.yaml).

# Operational Best Practices for Data Lakes and Analytics Services
<a name="operational-best-practices-for-Datalakes-and-Analytics-Services"></a>

This conformance pack contains AWS Config rules for Data Lakes and Analytics Services. For more information, see [Data Lakes and Analytics on AWS](https://aws.amazon.com/big-data/datalakes-and-analytics/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for Data Lakes and Analytics Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Datalakes-and-Analytics-Services.yaml).

# Operational Best Practices for DevOps
<a name="operational-best-practices-for-DevOps"></a>

This conformance pack contains AWS Config rules based on DevOps within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for DevOps](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-DevOps.yaml).

# Operational Best Practices for EC2
<a name="operational-best-practices-for-EC2"></a>

This conformance pack contains AWS Config rules based on EC2. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for EC2](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-EC2.yaml).

# Operational Best Practices for Encryption and Key Management
<a name="operational-best-practices-for-Encryption-and-Keys"></a>

For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

See the `Parameters` section in the following template for the names and descriptions of the required parameters.

The template is available on GitHub: [Operational Best Practices for Encryption and Key Management](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Encryption-and-Keys.yaml).

# Operational Best Practices for ENISA Cybersecurity guide for SMEs
<a name="operational-best-practices-for-enisa-cybersecurity-guide-for-smes"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between the European Union Agency for Cybersecurity (ENISA) Cybersecurity guide for SMEs and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ENISA Cybersecurity guide for SMEs controls. An ENISA Cybersecurity guide for SMEs control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. 

This sample conformance pack template contains mappings to controls adapted from the ENISA Cybersecurity guide for SMEs. The ENISA Cybersecurity guide for SMEs is available at [Cybersecurity guide for SMEs - 12 steps to securing your business](https://www.enisa.europa.eu/publications/cybersecurity-guide-for-smes).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-enisa-cybersecurity-guide-for-smes.html)

## Template
<a name="enisa-cybersecurity-guide-for-smes-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for ENISA Cybersecurity guide for SMEs](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-ENISA-Cybersecurity-Guide.yaml).

# Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low
<a name="operational-best-practices-for-ens-low"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between Spain Esquema Nacional de Seguridad (ENS) Low framework controls and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more Spain ENS Low controls. A Spain ENS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. 

This sample conformance pack template contains mappings to controls within the Spain ENS Low framework, as last updated on 2020/10/23.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ens-low.html)

## Template
<a name="ens-low-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Low.yaml).

# Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium
<a name="operational-best-practices-for-ens-medium"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between Spain Esquema Nacional de Seguridad (ENS) Medium framework controls and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more Spain ENS Medium controls. A Spain ENS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. 

This sample conformance pack template contains mappings to controls within the Spain ENS Medium framework, as last updated on 2020/10/23.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ens-medium.html)

## Template
<a name="ens-medium-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml).

# Operational Best Practices for Esquema Nacional de Seguridad (ENS) High
<a name="operational-best-practices-for-ens_high"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between Spain Esquema Nacional de Seguridad (ENS) High framework controls and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more Spain ENS High controls. A Spain ENS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within the Spain ENS High framework, as last updated on 2021/07/09.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ens_high.html)

## Template
<a name="ens_high-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for Esquema Nacional de Seguridad (ENS) High](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-High.yaml).

# Operational Best Practices for FDA Title 21 CFR Part 11
<a name="operational-best-practices-for-FDA-21CFR-Part-11"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between Title 21 of the Code of Federal Regulations (CFR) Part 11 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more FDA Title 21 CFR Part 11 controls. An FDA Title 21 CFR Part 11 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-FDA-21CFR-Part-11.html)

## Template
<a name="FDA-21CFR-Part-11-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for FDA Title 21 CFR Part 11](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-FDA-21CFR-Part-11.yaml).

# Operational Best Practices for FedRAMP(Low)
<a name="operational-best-practices-for-fedramp-low"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Federal Risk and Authorization Management Program (FedRAMP) Low Baseline Controls and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more FedRAMP controls. A FedRAMP control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-low.html)

## Template
<a name="fedramp-low-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for FedRAMP(Low)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml).

# Operational Best Practices for FedRAMP(Moderate)
<a name="operational-best-practices-for-fedramp-moderate"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Federal Risk and Authorization Management Program (FedRAMP) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more FedRAMP controls. A FedRAMP control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This Conformance Pack was validated by AWS Security Assurance Services LLC (AWS SAS), which is a team of Payment Card Industry Qualified Security Assessors (QSAs), HITRUST Certified Common Security Framework Practitioners (CCSFPs), and compliance professionals certified to provide guidance and assessments for various industry frameworks. AWS SAS professionals designed this Conformance Pack to enable a customer to align to a subset of the FedRAMP controls.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-moderate.html)

## Template
<a name="fedramp-moderate-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for FedRAMP(Moderate)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP.yaml).

# Operational Best Practices for FedRAMP (High Part 1)
<a name="operational-best-practices-for-fedramp-high-part-1"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Federal Risk and Authorization Management Program (FedRAMP) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more FedRAMP controls. A FedRAMP control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-high-part-1.html)

## Template
<a name="operational-best-practices-for-fedramp-high-part-1-sample"></a>

The template is available on GitHub: [Operational Best Practices for FedRAMP (High Part 1)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-HighPart1.yaml).

# Operational Best Practices for FedRAMP (High Part 2)
<a name="operational-best-practices-for-fedramp-high-part-2"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Federal Risk and Authorization Management Program (FedRAMP) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more FedRAMP controls. A FedRAMP control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-high-part-2.html)

## Template
<a name="operational-best-practices-for-fedramp-high-part-2-sample"></a>

The template is available on GitHub: [Operational Best Practices for FedRAMP (High Part 2)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-HighPart2.yaml).

# Operational Best Practices for FFIEC
<a name="operational-best-practices-for-ffiec"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Federal Financial Institutions Examination Council (FFIEC) Cyber Security Assessment Tool domains and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more FFIEC Cyber Security Assessment Tool controls. An FFIEC Cyber Security Assessment Tool control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ffiec.html)

## Template
<a name="ffiec-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for FFIEC](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-FFIEC.yaml).

# Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5)
<a name="operational-best-practices-for-germany-c5"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Germany Cloud Computing Compliance Criteria Catalog (C5) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more Germany C5 controls. A Germany C5 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-germany-c5.html)

## Template
<a name="germany-c5-conformance-pack-sample"></a>

The template is available on GitHub: [Germany Cloud Computing Compliance Criteria Catalog (C5)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Germany-C5.yaml).

# Operational Best Practices for Gramm Leach Bliley Act (GLBA)
<a name="operational-best-practices-for-gramm-leach-bliley-act"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Gramm-Leach-Bliley Act (GLBA) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more GLBA controls. A GLBA control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-gramm-leach-bliley-act.html)

## Template
<a name="gramm-leach-bliley-act-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for Gramm Leach Bliley Act (GLBA)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Gramm-Leach-Bliley-Act.yaml).

# Operational Best Practices for GxP EU Annex 11
<a name="operational-best-practices-for-gxp-eu-annex-11"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the GxP EU Annex 11 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more GxP EU Annex 11 controls. A GxP EU Annex 11 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-gxp-eu-annex-11.html)

## Template
<a name="gxp-eu-annex-11-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for GxP EU Annex 11](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-GxP-EU-Annex-11.yaml).

# Operational Best Practices for HIPAA Security
<a name="operational-best-practices-for-hipaa_security"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between the Health Insurance Portability and Accountability Act (HIPAA) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more HIPAA controls. A HIPAA control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This Conformance Pack was validated by AWS Security Assurance Services LLC (AWS SAS), which is a team of Payment Card Industry Qualified Security Assessors (QSAs), HITRUST Certified Common Security Framework Practitioners (CCSFPs), and compliance professionals certified to provide guidance and assessments for various industry frameworks. AWS SAS professionals designed this Conformance Pack to enable a customer to align to a subset of the HIPAA controls.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html)

## Template
<a name="hipaa_security-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for HIPAA Security](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml).

# Operational Best Practices for IRS 1075
<a name="operational-best-practices-for-irs-1075"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the IRS 1075 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more IRS 1075 controls. An IRS 1075 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-irs-1075.html)

## Template
<a name="irs-1075-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for IRS 1075](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-IRS-1075.yaml).

# Operational Best Practices for K-ISMS
<a name="operational-best-practices-for-k-isms"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between Korea – Information Security Management System (ISMS) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more Korea – ISMS controls. A Korea – ISMS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-k-isms.html)

## Template
<a name="k-isms-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for K-ISMS](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-KISMS.yaml).

# Operational Best Practices for Load Balancing
<a name="operational-best-practices-for-load-balancing"></a>

 This conformance pack contains AWS Config rules based on load balancing within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Load Balancing](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Load-Balancing.yaml).

# Operational Best Practices for Logging
<a name="operational-best-practices-for-logging"></a>

 This conformance pack contains AWS Config rules based on logging within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Logging](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Logging.yaml).

# Operational Best Practices for Management and Governance Services
<a name="operational-best-practices-for-Management-and-Governance-Services"></a>

 This conformance pack contains AWS Config rules based on Management and Governance Services. For more information, see [Management and Governance on AWS](https://aws.amazon.com/products/management-tools/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Management and Governance Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Management-Governance-Services.yaml).

# Operational Best Practices for MAS Notice 655
<a name="operational-best-practices-for-mas_notice_655"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Monetary Authority of Singapore (MAS) Notice 655 – Cyber Hygiene and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more MAS Notice 655 – Cyber Hygiene controls. A MAS Notice 655 – Cyber Hygiene control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-mas_notice_655.html)

## Template
<a name="mas_notice_655-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for MAS Notice 655](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-MAS-Notice-655.yaml).

# Operational Best Practices for MAS TRMG
<a name="operational-best-practices-for-mas-trmg"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines (TRMG) January 2021 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more MAS TRMG controls. A MAS TRMG January 2021 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-mas-trmg.html)

## Template
<a name="mas_trmg-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for MAS TRMG](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-MAS-TRMG.yaml).

# Operational Best Practices for Monitoring
<a name="operational-best-practices-for-monitoring"></a>

 This conformance pack contains AWS Config rules based on monitoring within AWS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Monitoring](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Monitoring.yaml).

# Operational Best Practices for NBC TRMG
<a name="operational-best-practices-for-nbc-trmg"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the National Bank of Cambodia’s (NBC) Technology Risk Management (TRM) Guidelines framework and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NBC TRM Guidelines. An NBC TRM Guideline can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within the National Bank of Cambodia’s (NBC) Technology Risk Management (TRM) Guidelines framework, which can be accessed here: [National Bank of Cambodia: Technology Risk Management Guidelines](https://www.nbc.gov.kh/english/publications/guidelines_it_policy.php).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nbc-trmg.html)

## Template
<a name="nbc-trmg-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NBC TRMG](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NBC-TRMG.yaml).

# Operational Best Practices for NERC CIP BCSI
<a name="operational-best-practices-for-nerc"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP) for BES Cyber System Information (BCSI), CIP-004-7 & CIP-011-3, and AWS Config managed rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more NERC CIP controls applicable to BCSI. A NERC CIP control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nerc.html)

## Template
<a name="nerc-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NERC CIP BCSI](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NERC-CIP-BCSI.yaml).

# Operational Best Practices for NCSC Cloud Security Principles
<a name="operational-best-practices-for-ncsc"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the UK National Cyber Security Centre (NCSC) Cloud Security Principles and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more UK NCSC Cloud Security Principles controls. A UK NCSC Cloud Security Principles control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This sample conformance pack template contains mappings to controls within the UK NCSC Cloud Security Principles ([National Cyber Security Centre | Cloud security guidance](https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles)), with such public sector information licensed under the Open Government Licence v3.0. The Open Government Licence can be accessed here: [Open Government Licence for public sector information](http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ncsc.html)

## Template
<a name="ncsc-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NCSC Cloud Security Principles](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml).

# Operational Best Practices for NCSC Cyber Assessment Framework
<a name="operational-best-practices-for-ncsc_cafv3"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between UK National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) controls and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more UK NCSC CAF controls. A UK NCSC CAF control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. 

This sample conformance pack template contains mappings to controls within the UK NCSC CAF ([National Cyber Security Centre | NCSC CAF guidance](https://www.ncsc.gov.uk/collection/caf/cyber-assessment-framework)), with such public sector information licensed under the Open Government Licence v3.0. The Open Government Licence can be accessed here: [Open Government Licence for public sector information](http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ncsc_cafv3.html)

## Template
<a name="ncsc_cafv3-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NCSC Cyber Assessment Framework](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CAF.yaml).

# Operational Best Practices for Networking and Content Delivery Services
<a name="operational-best-practices-for-Networking-and-Content-Delivery-Services"></a>

 This conformance pack contains AWS Config rules based on Networking and Content Delivery Services. For more information, see [Networking and Content Delivery on AWS](https://aws.amazon.com/products/networking/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Networking and Content Delivery Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Networking-Services.yaml).

# Operational Best Practices for NIST 800-53 rev 4
<a name="operational-best-practices-for-nist-800-53_rev_4"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the NIST 800-53 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NIST 800-53 controls. A NIST 800-53 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This Conformance Pack was validated by AWS Security Assurance Services LLC (AWS SAS), which is a team of Payment Card Industry Qualified Security Assessors (QSAs), HITRUST Certified Common Security Framework Practitioners (CCSFPs), and compliance professionals certified to provide guidance and assessments for various industry frameworks. AWS SAS professionals designed this Conformance Pack to enable a customer to align to a subset of the NIST 800-53 controls.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html)

## Template
<a name="800-53_rev_4-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST 800-53 rev 4](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-800-53-rev-4.yaml).

# Operational Best Practices for NIST 800-53 rev 5
<a name="operational-best-practices-for-nist-800-53_rev_5"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the NIST 800-53 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NIST 800-53 controls. A NIST 800-53 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html)

## Template
<a name="800-53_rev_5-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST 800-53 rev 5](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-800-53-rev-5.yaml).

# Operational Best Practices for NIST 800 171
<a name="operational-best-practices-for-nist_800-171"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the NIST 800-171 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NIST 800-171 controls. A NIST 800-171 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html)

## Template
<a name="nist_800-171-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST 800 171](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-800-171.yaml).

# Operational Best Practices for NIST 800 172
<a name="operational-best-practices-for-nist_800-172"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the NIST 800-172 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NIST 800-172 controls. A NIST 800-172 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-172.html)

## Template
<a name="nist_800-172-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST 800 172](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-800-172.yaml).

# Operational Best Practices for NIST 800 181
<a name="operational-best-practices-for-nist_800-181"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements. 

The following provides a sample mapping between the NIST 800 181 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NIST 800 181 controls. A NIST 800 181 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-181.html)

## Template
<a name="nist_800_181-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST 800 181](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-For-NIST-800-181.yaml).

# Operational Best Practices for NIST 1800 25
<a name="operational-best-practices-for-nist_1800_25"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between NIST 1800-25 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more NIST 1800-25 controls. A NIST 1800-25 control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_1800_25.html)

## Template
<a name="nist_1800_25-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST 1800 25](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-1800-25.yaml).

# Operational Best Practices for NIST CSF
<a name="operational-best-practices-for-nist-csf"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the NIST Cyber Security Framework (CSF) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more NIST CSF controls. A NIST CSF control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-csf.html)

## Template
<a name="nist_csf-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST CSF](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-CSF.yaml).

# Operational Best Practices for NIST Privacy Framework v1.0
<a name="operational-best-practices-for-nist_privacy_framework"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the NIST Privacy Framework and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more NIST Privacy Framework controls. A NIST Privacy Framework control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings. 


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_privacy_framework.html)

## Template
<a name="nist_privacy_framework-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NIST Privacy Framework v1.0](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-Privacy-Framework.yaml).

# Operational Best Practices for NYDFS 23
<a name="operational-best-practices-for-us_nydfs"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the New York State Department of Financial Services (NYDFS) cybersecurity requirements for financial services companies (23 NYCRR 500) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more US NYDFS controls. A US NYDFS 23 NYCRR 500 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-us_nydfs.html)

## Template
<a name="us_nydfs-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NYDFS 23](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NYDFS-23-NYCRR-500.yaml).

# Operational Best Practices for NZISM 3.8
<a name="operational-best-practices-for-nzism"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the [New Zealand Government Communications Security Bureau (GCSB) Information Security Manual (NZISM) 2022-09 Version 3.8](https://www.nzism.gcsb.govt.nz/ism-document) and AWS Managed Config rules. Each Config rule applies to a specific AWS resource type, and relates to one or more NZISM controls. An NZISM control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings. Only controls representing recommended or baseline practice for information classified RESTRICTED and below are included in the mappings.

This sample conformance pack template contains mappings to controls within the NZISM framework, which is an integral part of the Protective Security Requirements (PSR) framework that sets out the New Zealand Government’s expectations for the management of personnel, information and physical security.

The NZISM is licensed under the Creative Commons Attribution 4.0 New Zealand licence, available at [https://creativecommons.org/licenses/by/4.0/](https://creativecommons.org/licenses/by/4.0/). Copyright information can be found at [NZISM New Zealand Information Security Manual | Legal, Privacy, and Copyright](https://www.nzism.gcsb.govt.nz/legal-privacy-and-copyright/).


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism.html)

## Template
<a name="nzism-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for NZISM](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NZISM.yaml).

# Operational Best Practices for PCI DSS 3.2.1
<a name="operational-best-practices-for-pci-dss"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more PCI DSS controls. A PCI DSS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html)

## Template
<a name="pci_dss_3.2.1-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for PCI DSS 3.2.1](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-PCI-DSS.yaml).

# Operational Best Practices for PCI DSS 4.0 (Excluding global resource types)
<a name="operational-best-practices-for-pci-dss-v4-excluding-global-resource-types"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Payment Card Industry Data Security Standard (PCI DSS) 4.0 (Excluding global resource types) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more PCI DSS controls. A PCI DSS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss-v4-excluding-global-resource-types.html)

## Template
<a name="operational-best-practices-for-pci-dss-v4-excluding-global-resource-types-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for PCI DSS 4.0 (Excluding global resource types)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes.yaml).

# Operational Best Practices for PCI DSS 4.0 (Including global resource types)
<a name="operational-best-practices-for-pci-dss-v4-including-global-resource-types"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Payment Card Industry Data Security Standard (PCI DSS) 4.0 (Including global resource types) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more PCI DSS controls. A PCI DSS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss-v4-including-global-resource-types.html)

## Template
<a name="operational-best-practices-for-pci-dss-v4-including-global-resource-types-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for PCI DSS 4.0 (Including global resource types)](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes.yaml).

# Operational Best Practices for Publicly Accessible Resources
<a name="operational-best-practices-for-Publicly-Accessible-Resources"></a>

 This conformance pack helps identify resources that may be publicly accessible. 

 For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Publicly Accessible Resources](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Publicly-Accessible-Resources.yaml).

# Operational Best Practices for RBI Cyber Security Framework for UCBs
<a name="operational-best-practices-for-rbi-bcsf-ucb"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Reserve Bank of India (RBI) Cyber Security Framework for Urban Cooperative Banks (UCBs) and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more RBI Cyber Security Framework for UCBs controls. An RBI Cyber Security Framework for UCBs control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-rbi-bcsf-ucb.html)

## Template
<a name="rbi-bcsf-ucb-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for RBI Cyber Security Framework for UCBs](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-RBI-Basic-Cyber-Security-Framework.yaml).

# Operational Best Practices for RBI MD-ITF
<a name="operational-best-practices-for-rbi-md-itf"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Reserve Bank of India (RBI) Master Direction – Information Technology Framework and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more RBI Master Direction – Information Technology Framework controls. An RBI Master Direction – Information Technology Framework control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-rbi-md-itf.html)

## Template
<a name="rbi-md-itf-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for RBI MD-ITF](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-RBI-MasterDirection.yaml).

# Operational Best Practices for Security, Identity, and Compliance Services
<a name="operational-best-practices-for-Security-Identity-and-Compliance-Services"></a>

 This conformance pack contains AWS Config rules based on Security, Identity, and Compliance Services. For more information, see [Security, Identity, and Compliance on AWS](https://aws.amazon.com/products/security/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Security, Identity, and Compliance Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Security-Services.yaml).

# Operational Best Practices for Serverless
<a name="operational-best-practices-for-serverless"></a>

 This conformance pack contains AWS Config rules based on Serverless solutions. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Serverless](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Serverless.yaml).

# Operational Best Practices for Storage Services
<a name="operational-best-practices-for-Storage-Services"></a>

 This conformance pack contains AWS Config rules based on Storage Services. For more information, see [Cloud Storage on AWS](https://aws.amazon.com/products/storage/). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Operational Best Practices for Storage Services](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Storage-Services.yaml).

# Operational Best Practices for SWIFT CSP
<a name="operational-best-practices-for-swift-csp"></a>

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between SWIFT's Customer Security Programme (CSP) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more SWIFT CSP controls. A SWIFT CSP control can be related to multiple AWS Config rules. Refer to the table below for more detail and guidance related to these mappings.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-swift-csp.html)

## Template
<a name="swift-csp-conformance-pack-sample"></a>

The template is available on GitHub: [Operational Best Practices for SWIFT CSP](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-SWIFT-CSP.yaml).

# Security Best Practices for Amazon Elastic Container Service (Amazon ECS)
<a name="security-best-practices-for-ECS"></a>

 This conformance pack contains AWS Config rules based on Amazon ECS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon ECS](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-ECS.yaml).

# Security Best Practices for Amazon Elastic File System (Amazon EFS)
<a name="security-best-practices-for-EFS"></a>

 This conformance pack contains AWS Config rules based on Amazon EFS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon EFS](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-EFS.yaml).

# Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS)
<a name="security-best-practices-for-EKS"></a>

 This conformance pack contains AWS Config rules based on Amazon EKS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon EKS](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-EKS.yaml).

# Security Best Practices for Amazon CloudFront
<a name="security-best-practices-for-CloudFront"></a>

 This conformance pack contains AWS Config rules based on Amazon CloudFront. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon CloudFront](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-CloudFront.yaml).

# Security Best Practices for Amazon OpenSearch Service
<a name="security-best-practices-for-OpenSearch"></a>

 This conformance pack contains AWS Config rules based on Amazon OpenSearch Service. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon OpenSearch Service](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-Amazon-OpenSearch-Service.yaml).

# Security Best Practices for Amazon Redshift
<a name="security-best-practices-for-redshift"></a>

 This conformance pack contains AWS Config rules based on Amazon Redshift. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon Redshift](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-Redshift.yaml).

# Security Best Practices for Amazon Relational Database Service (Amazon RDS)
<a name="security-best-practices-for-RDS"></a>

 This conformance pack contains AWS Config rules based on Amazon RDS. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon RDS](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-RDS.yaml).

# Security Best Practices for AWS Auto Scaling
<a name="security-best-practices-for-AutoScaling"></a>

 This conformance pack contains AWS Config rules based on AWS Auto Scaling. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS Auto Scaling](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-AutoScaling.yaml).

# Security Best Practices for AWS CloudTrail
<a name="security-best-practices-for-CloudTrail"></a>

 This conformance pack contains AWS Config rules based on AWS CloudTrail. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS CloudTrail](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-CloudTrail.yaml).

# Security Best Practices for AWS CodeBuild
<a name="security-best-practices-for-CodeBuild"></a>

 This conformance pack contains AWS Config rules based on AWS CodeBuild. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS CodeBuild](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-CodeBuild.yaml).

# Security Best Practices for Amazon ECR
<a name="security-best-practices-for-ECR"></a>

 This conformance pack contains AWS Config rules based on Amazon Elastic Container Registry (Amazon ECR). For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon ECR](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-ECR.yaml).

# Security Best Practices for AWS Lambda
<a name="security-best-practices-for-Lambda"></a>

 This conformance pack contains AWS Config rules based on AWS Lambda. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS Lambda](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-Lambda.yaml).

# Security Best Practices for AWS Network Firewall
<a name="security-best-practices-for-Network-Firewall"></a>

 This conformance pack contains AWS Config rules based on AWS Network Firewall. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS Network Firewall](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml).

# Security Best Practices for Amazon SageMaker AI
<a name="security-best-practices-for-SageMaker"></a>

 This conformance pack contains AWS Config rules based on Amazon SageMaker AI. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for Amazon SageMaker AI](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-SageMaker.yaml).

# Security Best Practices for AWS Secrets Manager
<a name="security-best-practices-for-Secrets-Manager"></a>

 This conformance pack contains AWS Config rules based on AWS Secrets Manager. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS Secrets Manager](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-Secrets-Manager.yaml).

# Security Best Practices for AWS WAF
<a name="security-best-practices-for-aws-waf"></a>

 This conformance pack contains AWS Config rules based on AWS WAF. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). 

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Security Best Practices for AWS WAF](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-AWS-WAF.yaml).

# Self-Hosted AI/ML Security & Governance Best Practices
<a name="self-hosted-AI-ML-security-governance-best-practices"></a>

This conformance pack is intended to provide a baseline of security configurations for self-hosted AI/ML workloads (inclusive of AI, ML, generative AI, agentic AI, and physical AI) running on AWS compute, storage, and networking infrastructure. It is expected to be deployed in conjunction with the [AI/ML Security & Governance Supporting Infrastructure Best Practices](https://docs.aws.amazon.com/config/latest/developerguide/AI-ML-security-governance-supporting-infrastructure-best-practices.html) conformance pack. For a list of all managed rules supported by AWS Config, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

 See the `Parameters` section in the following template for the names and descriptions of the required parameters. 

The template is available on GitHub: [Self-Hosted AI/ML Security & Governance Best Practices](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Self-Hosted-AI-ML-Security-Governance-Best-Practices.yaml).

# Example Templates with Remediation Action
<a name="templateswithremediation"></a>

## Operational Best Practices For Amazon DynamoDB with Remediation
<a name="operational-best-practices-for-amazon-dynamodb-with-remediation"></a>

The template is available on GitHub: [Operational Best Practices For Amazon DynamoDB with Remediation](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Amazon-DynamoDB-with-Remediation.yaml).

## Operational Best Practices For Amazon S3 with Remediation
<a name="operational-best-practices-for-amazon-s3-with-remediation"></a>

The template is available on GitHub: [Operational Best Practices For Amazon S3 with Remediation](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-Amazon-S3-with-Remediation.yaml).

For more information about template structure, see [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.

# Creating templates for Custom Conformance Packs for AWS Config
<a name="custom-conformance-pack"></a>

A custom conformance pack is a unique collection of AWS Config rules and remediation actions that you can deploy together in an account and an AWS Region, or across an organization in AWS Organizations.

To make a custom conformance pack, follow the steps in the following **Customizing the template** section to author a YAML file that contains the list of [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) or [AWS Config Custom Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) that you want to work with.

**Topics**
+ [Terminology](#custom-conformance-pack-terminology)
+ [Customizing the template](#create-yaml-file.title)

## Terminology
<a name="custom-conformance-pack-terminology"></a>

*AWS Config Managed Rules* are predefined rules owned by AWS Config.

*AWS Config Custom Rules* are rules that you create from scratch.

There are two ways to create AWS Config custom rules: with Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *AWS Config Custom Lambda Rules* and AWS Config custom rules created with Guard are called *AWS Config Custom Policy Rules*.

## Customizing the template
<a name="create-yaml-file.title"></a>

 **Creating your YAML file** 

To create a YAML file, open a text editor and save the file as *.yaml*. 

**Note**  
Your file will contain a **Parameters** and **Resources** section.

**Parameters**

The `Parameters` section in your YAML file is for the rule parameters for the set of AWS Config rules that you will add later in the `Resources` section. Create the `Parameters` section by copying and pasting the following code block into your YAML file, customizing it as needed and repeating for each rule parameter.

```
Parameters:    
    NameOfRuleParamNameOfRuleParameter: 
        Default: Parameter value
        Type: Type    
    ...
```

For example:

```
Parameters:
    IamPasswordPolicyParamMinimumPasswordLength:
        Default: '14'
        Type: String
```

**Note**  
When selecting the AWS Config Rules to build your custom conformance pack, check you have the resources provisioned within your account that will be evaluated for the AWS Config Rules.

1. The first line in the parameter section after `Parameters:` is a concatenated string of *NameOfRule* + Param + *NameOfRuleParameter*.

   1. Replace `NameOfRule` with a consistent name that you create for the rule. For example, that could be **IamPasswordPolicy** for the **iam-password-policy** rule.

   1. Type `Param`.

   1. Then, replace `NameOfRuleParameter` with the name of the rule parameter for your specific rule. For AWS Config Managed Rules, the name of the rule parameter is located in the [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) (for example, **MinimumPasswordLength** is a name of a rule parameter for the **iam-password-policy** rule). For AWS Config Custom Rules, the name of the rule parameter is the name that you chose when you created the rule.

1. If you are using an AWS Config Managed Rule, find the appropriate AWS Config rule in the list of managed rules so you'll know the accepted values for `Default` and `Type` for your particular rule. For AWS Config Custom Rules, use the values you selected when creating your rule.
**Note**  
For each parameter, `Type` must be specified. `Type` can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**Resources**

The `Resources` section lists the rules that are being added to your Custom Conformance Pack. Add the following `Resources` block directly beneath your `Parameters` section, customizing it as needed and repeating for each rule. For more information on the specifications, see [AWS::Config::ConfigRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#aws-resource-config-configrule-syntax).

```
Resources:
     NameOfRule:
        Properties:
            ConfigRuleName: ActualConfigRuleName  
            InputParameters:
                NameOfRuleParameter: !Ref NameOfRuleParamNameOfRuleParameter
            Source:
                Owner: Owner
                SourceIdentifier: SOURCE_IDENTIFIER
        Type: AWS::Config::ConfigRule
     ...
```

For example:

```
Resources:
    IamPasswordPolicy:
        Properties:
            ConfigRuleName: iam-password-policy
            InputParameters:
                MinimumPasswordLength: !Ref IamPasswordPolicyParamMinimumPasswordLength
            Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
        Type: AWS::Config::ConfigRule
```

**Note**  
When selecting the AWS Config rules to build your custom conformance pack, check that you have the resources that will be evaluated for the AWS Config rules provisioned within your account. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).

1. Replace `NameOfRule` with the same name you created in the `Parameters` section. 

1. For AWS Config Managed Rules, replace `ActualConfigRuleName` with the title of the appropriate rule page on the [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). For AWS Config Custom Rules, use the Config Rule name you chose at the time of the rule's creation. 

1. Replace `NameOfRuleParameter` with the same name you used in the `Parameters` section. After the colon, copy and paste the same concatenated string of `!Ref` + *NameOfRule* + Param + *NameOfRuleParameter* that you created in the `Parameters` section.

1. Change `Owner` to the appropriate value.
**Note**  
**AWS Config Managed Rules**  
For AWS Config Managed Rules, the value for `Owner` will be `AWS`.  
**AWS Config Custom Rules**  
For AWS Config custom rules created with Guard, the value for `Owner` will be `CUSTOM_POLICY`. For AWS Config custom rules created with Lambda, the value for `Owner` will be `CUSTOM_LAMBDA`.

1. Change `SOURCE_IDENTIFIER` to the appropriate value.
**Note**  
**AWS Config Managed Rules**  
For AWS Config Managed Rules, copy the identifier by following the link from the rule you select from the [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) (for example, the source identifier for the **access-keys-rotated** rule is **ACCESS_KEYS_ROTATED**).  
**AWS Config Custom Rules**  
For AWS Config custom rules created with Lambda, the `SourceIdentifier` is the Amazon Resource Name (ARN) of the rule's AWS Lambda function, such as `arn:aws:lambda:us-east-2:123456789012:function:ActualConfigRuleName`. For AWS Config custom rules created with Guard, this field is not needed.

Altogether, your filled-out custom conformance pack should begin to look similar to the following, which is an example using these AWS Config Managed Rules: **iam-password-policy**, **access-keys-rotated**, and **iam-user-unused-credentials-check**.

```
Parameters:
    IamPasswordPolicyParamMinimumPasswordLength:
        Default: '14'
        Type: String
    AccessKeysRotatedParamMaxAccessKeyAge:
        Default: '90'
        Type: String
    IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
        Default: '45'
        Type: String
Resources:
    IamPasswordPolicy:
        Properties:
            ConfigRuleName: iam-password-policy
            InputParameters:
                MinimumPasswordLength: !Ref IamPasswordPolicyParamMinimumPasswordLength
            Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
        Type: AWS::Config::ConfigRule    
    AccessKeysRotated:
        Properties:
            ConfigRuleName: access-keys-rotated
            InputParameters:
                maxAccessKeyAge: !Ref AccessKeysRotatedParamMaxAccessKeyAge
            Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
        Type: AWS::Config::ConfigRule
    IamUserUnusedCredentialsCheck:
        Properties:
            ConfigRuleName: iam-user-unused-credentials-check
            InputParameters:
                maxCredentialUsageAge: !Ref IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
            Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
        Type: AWS::Config::ConfigRule
```
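A pre-deployment check for the template rules described above, as an added example that is not part of the AWS documentation or tooling: it verifies that each parameter `Type` is in the accepted list, that every `!Ref` resolves to a declared parameter, that `Owner` is one of the three documented values, and that `SourceIdentifier` is present where it is required. The function names and finding labels are this example's own, and the small parser handles only the nested-mapping subset of YAML that the templates on this page use.

```python
import re

ALLOWED_PARAM_TYPES = {"String", "int", "double", "CSV", "boolean", "StringMap"}
ALLOWED_OWNERS = {"AWS", "CUSTOM_POLICY", "CUSTOM_LAMBDA"}


def parse_nested_mappings(text):
    """Parse only the YAML subset the template uses: nested mappings with
    scalar leaves (a `!Ref X` value is kept as the string '!Ref X')."""
    root = {}
    stack = [(-1, root)]  # (indent of the key that owns the mapping, mapping)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def lint_conformance_pack(text):
    """Return a sorted list of (check, subject) findings; empty means clean."""
    doc = parse_nested_mappings(text)
    params = doc.get("Parameters", {})
    findings, referenced = [], set()

    for name, spec in params.items():
        if spec.get("Type") not in ALLOWED_PARAM_TYPES:
            findings.append(("bad-parameter-type", name))

    for logical_id, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue  # other resource types (e.g. remediation) are not checked
        props = res.get("Properties", {})
        for rule_param, value in props.get("InputParameters", {}).items():
            ref = re.fullmatch(r"!Ref\s+(\S+)", str(value))
            if ref is None:
                continue  # literal value, nothing to resolve
            referenced.add(ref.group(1))
            if ref.group(1) not in params:
                findings.append(("unresolved-ref", f"{logical_id}.{rule_param}"))
        source = props.get("Source", {})
        owner = source.get("Owner")
        identifier = source.get("SourceIdentifier", "")
        if owner not in ALLOWED_OWNERS:
            findings.append(("bad-owner", logical_id))
        elif owner != "CUSTOM_POLICY" and not identifier:
            findings.append(("missing-source-identifier", logical_id))
        elif owner == "CUSTOM_LAMBDA" and ":lambda:" not in identifier:
            findings.append(("source-identifier-not-lambda-arn", logical_id))

    for name in params:
        if name not in referenced:
            findings.append(("unused-parameter", name))
    return sorted(findings)


# Constructed sample with three authoring mistakes: a parameter Type outside
# the accepted list, a misspelled !Ref target, and a missing SourceIdentifier.
BAD_TEMPLATE = """\
Parameters:
    AccessKeysRotatedParamMaxAccessKeyAge:
        Default: '90'
        Type: Number
Resources:
    AccessKeysRotated:
        Properties:
            ConfigRuleName: access-keys-rotated
            InputParameters:
                maxAccessKeyAge: !Ref AccessKeysRotatedParamMaxKeyAge
            Source:
                Owner: AWS
        Type: AWS::Config::ConfigRule
"""

if __name__ == "__main__":
    for check, subject in lint_conformance_pack(BAD_TEMPLATE):
        print(f"{check}: {subject}")
```

The misspelled `!Ref` produces two findings, because the declared parameter is then also unused; seeing both together usually points at a typo rather than a missing declaration.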

# Deploying Conformance Packs for AWS Config
<a name="conformance-pack-deploy"></a>

You can use the AWS Config console or the AWS CLI to deploy your conformance packs.

------
#### [ Deploy Conformance Packs (Console) ]

On the **Conformance packs** page, you can deploy a conformance pack for an account in a Region. You can also edit and delete the deployed conformance pack. 

You can deploy a conformance pack using AWS Config sample templates or your own custom template. For instructions on how to create personalized conformance packs, see [Custom Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/custom-conformance-pack.html).

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Navigate to the **Conformance packs** page and choose **Deploy conformance pack**.

1. On the **Specify template** page, either choose a sample template or use an existing template. For more information, see [Conformance Pack Sample Templates.](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html)
   + If you choose **Use sample template**, select a **Sample template** from the dropdown list of sample templates.

     For information about the contents of each template, see Conformance Pack Sample Templates.
   + If you choose **Template is ready**, specify the template source. It is either an Amazon S3 URI, an AWS Systems Manager document (SSM document), or a template that you upload.

     If your template is more than 50 KB, upload it to the S3 bucket and select that S3 bucket location. For example: s3://*bucketname/prefix*.
**Important**  
Choose **Template is ready** if you created your conformance pack YAML file from scratch based on [Custom Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/custom-conformance-pack.html).

1. Choose **Next**.

1. On the **Specify conformance pack details** page, enter the name for your conformance pack.

   The conformance pack name must be a unique name with a maximum of 256 alphanumeric characters. The name can contain hyphens but cannot contain spaces. 

1. Optional: Add a parameter. 

   Parameters are defined in your template and help you manage and organize your resources.

1. Choose **Next**.

1. On the **Review and deploy** page, review all of the information. 

   You can edit the template details and conformance pack details by choosing **Edit**.

1. Choose **Deploy conformance pack**.

   AWS Config displays the conformance pack on the conformance pack page with the appropriate status. 

   If your conformance pack deployment fails, check your permissions, verify that you did the prerequisite steps, and try again. Or you can contact AWS Support.

To deploy a **conformance pack using sample template with remediations**, see the [A. Prerequisites for Using a Conformance Pack With Remediation](cpack-prerequisites.md#cpack-prerequisites-remediations) and then use the preceding procedure.

To deploy a **conformance pack with one or more AWS Config rules**, see the [B. Prerequisites for Using a Conformance Pack With One or More Custom AWS Config Rules](cpack-prerequisites.md#cpack-prerequisites-oneormorerules).

------
#### [ Deploy Conformance Packs (AWS CLI) ]

1. Open a command prompt or a terminal window.

1. Enter one of the following commands to deploy a conformance pack named **MyConformancePack**. The template source is either an Amazon S3 URI, a template that you upload, or an AWS Systems Manager document (SSM document).

   **Amazon S3 URI**

   ```
   aws configservice put-conformance-pack \
       --conformance-pack-name MyConformancePack \
       --template-s3-uri "s3://amzn-s3-demo-bucket/templateName.yaml" \
       --delivery-s3-bucket amzn-s3-demo-bucket
   ```

   **YAML template from your local directory**

   ```
   aws configservice put-conformance-pack \
       --conformance-pack-name MyConformancePack \
       --template-body file://templateName.yaml
   ```

   **AWS Systems Manager document (SSM document)**

   ```
   aws configservice put-conformance-pack \
       --conformance-pack-name MyConformancePack \
       --template-ssm-document-details DocumentName=SSMDocumentName,DocumentVersion=SSMDocumentVersion \
       --delivery-s3-bucket amzn-s3-demo-bucket
   ```

1. Press Enter to run the command.

   You should see output similar to the following.

   ```
   {
       "conformancePackArn": "arn:aws:config:us-west-2:AccountID:conformance-pack/MyConformancePack1/conformance-pack-ID"
   }
   ```

**Note**  
For more information on creating a YAML template for a conformance pack, see [Custom Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/custom-conformance-pack.html).

------

# Editing Conformance Packs for AWS Config
<a name="conformance-pack-edit"></a>

You can use the AWS Config console or the AWS CLI to edit your conformance packs.

------
#### [ Editing Conformance Packs (Console) ]

1. To edit a conformance pack, select the conformance pack from the table.

1. Choose **Actions** and then choose **Edit**.

1. On the **Edit conformance pack** page, you can edit the template details, sample template, conformance pack, and parameters section. 

   You cannot change the name of the conformance pack.

1. Choose **Save changes**.

   The conformance pack is displayed with the AWS Config rules.

------
#### [ Editing Conformance Packs (AWS CLI) ]

If you are editing a conformance pack that you added previously, use the same `PutConformancePack` command that you use when deploying a conformance pack.

1. Open a command prompt or a terminal window.

1. Enter one of the following commands to deploy a conformance pack named **MyConformancePack**. The template source is either an Amazon S3 URI, a template that you upload, or an AWS Systems Manager document (SSM document).

   **Amazon S3 URI**

   ```
   aws configservice put-conformance-pack \
       --conformance-pack-name MyConformancePack \
       --template-s3-uri "s3://amzn-s3-demo-bucket/templateName.yaml" \
       --delivery-s3-bucket amzn-s3-demo-bucket
   ```

   **YAML template from your local directory**

   ```
   aws configservice put-conformance-pack \
       --conformance-pack-name MyConformancePack \
       --template-body file://templateName.yaml
   ```

   **AWS Systems Manager document (SSM document)**

   ```
   aws configservice put-conformance-pack \
       --conformance-pack-name MyConformancePack \
       --template-ssm-document-details DocumentName=SSMDocumentName,DocumentVersion=SSMDocumentVersion \
       --delivery-s3-bucket amzn-s3-demo-bucket
   ```

1. Press Enter to run the command.

   You should see output similar to the following.

   ```
   {
       "conformancePackArn": "arn:aws:config:us-west-2:AccountID:conformance-pack/MyConformancePack1/conformance-pack-ID"
   }
   ```

**Note**  
For more information on creating a YAML template for a conformance pack, see [Custom Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/custom-conformance-pack.html).

------

# Deleting Conformance Packs for AWS Config
<a name="conformance-pack-delete"></a>

You can use the AWS Config console or the AWS CLI to delete conformance packs.

## Considerations
<a name="conformance-pack-delete-considerations"></a>

**Recommendation: Consider excluding the `AWS::Config::ResourceCompliance` resource type from recording before deleting rules**

Deleting rules creates configuration items (CIs) for `AWS::Config::ResourceCompliance` that can affect your costs for the configuration recorder. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

To avoid the associated costs, you can opt to disable recording for the `AWS::Config::ResourceCompliance` resource type before deleting rules, and re-enable recording after the rules have been deleted.

However, since deleting rules is an asynchronous process, it might take an hour or more to complete. During the time when recording is disabled for `AWS::Config::ResourceCompliance`, rule evaluations will not be recorded in the associated resource’s history.

## To delete a conformance pack
<a name="conformance-pack-delete-steps"></a>

------
#### [ Deleting Conformance Packs (Console) ]

1. To delete a conformance pack, select the conformance pack from the table.

1. Choose **Actions** and then choose **Delete**.

1. On the delete *conformance pack* dialog box, confirm if you would like to permanently delete this conformance pack. 
**Important**  
You cannot revert this action. When you delete a conformance pack, you delete all of the AWS Config rules and remediation actions in that conformance pack.

1. Enter **Delete** and choose **Delete**.

   On the **Conformance packs** page, you can see the deployment status as **Deleting** until the conformance pack is completely deleted.

------
#### [ Deleting Conformance Packs (AWS CLI) ]

Enter the following command.

```
aws configservice delete-conformance-pack --conformance-pack-name MyConformancePack1
```

If successful, the command runs with no additional output.

**Important**  
You cannot revert this action. When you delete a conformance pack, you delete all of the AWS Config rules and remediation actions in that conformance pack.

------

# Viewing Details and Compliance Information for your Conformance Packs for AWS Config
<a name="conformance-pack-view"></a>

**Important**  
For accurate reporting on the compliance status, you must record the `AWS::Config::ResourceCompliance` resource type. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

You can use the AWS Config console or the AWS CLI to view your conformance packs. The AWS Config console has a unified dashboard. The AWS CLI allows you to run commands for specific information.

------
#### [ Viewing Conformance Packs (Console) ]

To view your conformance packs in the AWS Management Console, see [Conformance Pack Dashboard](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-dashboard.html).

------
#### [ Viewing the Details for your Conformance Packs (AWS CLI) ]

1. Enter the following command.

   ```
   aws configservice describe-conformance-packs 
   ```

   OR

   ```
   aws configservice describe-conformance-packs --conformance-pack-name="MyConformancePack1"
   ```

1. You should see output similar to the following.

   ```
   {
       "conformancePackName": "MyConformancePack1",
       "conformancePackId": "conformance-pack-ID",
       "conformancePackArn": "arn:aws:config:us-west-2:AccountID:conformance-pack/MyConformancePack1/conformance-pack-ID",
       "conformancePackInputParameters": [],
       "lastUpdateRequestedTime": "Thu Jul 18 16:07:05 PDT 2019"
   }
   ```

------
#### [ Viewing the Status for your Conformance Packs (AWS CLI) ]

1. Enter the following command.

   ```
   aws configservice describe-conformance-pack-status --conformance-pack-name="MyConformancePack1"
   ```

1. You should see output similar to the following.

   ```
   {
       "stackArn": "arn:aws:cloudformation:us-west-2:AccountID:stack/awsconfigconforms-MyConformancePack1-conformance-pack-ID/d4301fe0-a9b1-11e9-994d-025f28dd83ba",
       "conformancePackName": "MyConformancePack1",
       "conformancePackId": "conformance-pack-ID",
       "lastUpdateCompletedTime": "Thu Jul 18 16:15:17 PDT 2019",
       "conformancePackState": "CREATE_COMPLETE",
       "conformancePackArn": "arn:aws:config:us-west-2:AccountID:conformance-pack/MyConformancePack1/conformance-pack-ID",
       "lastUpdateRequestedTime": "Thu Jul 18 16:14:35 PDT 2019"
   }
   ```

------
#### [ Viewing the Compliance Status for your Conformance Packs (AWS CLI) ]

1. Enter the following command.

   ```
   aws configservice describe-conformance-pack-compliance --conformance-pack-name="MyConformancePack1"
   ```

1. You should see output similar to the following.

   ```
   {
       "conformancePackName": "MyConformancePack1",
       "conformancePackRuleComplianceList": [
           {
               "configRuleName": "awsconfigconforms-RuleName1-conformance-pack-ID",
               "complianceType": "NON_COMPLIANT"
           },
           {
               "configRuleName": "awsconfigconforms-RuleName2-conformance-pack-ID",
               "complianceType": "COMPLIANT"
           }
       ]
   }
   ```

------
#### [ Viewing the Compliance Details for your Conformance Packs (AWS CLI) ]

1. Enter the following command.

   ```
   aws configservice get-conformance-pack-compliance-details --conformance-pack-name="MyConformancePack1"
   ```

1. You should see output similar to the following.

   ```
   {
       "conformancePackRuleEvaluationResults": [
           {
               "evaluationResultIdentifier": {
                   "orderingTimestamp": "Tue Jul 16 23:07:35 PDT 2019",
                   "evaluationResultQualifier": {
                       "resourceId": "resourceID",
                       "configRuleName": "awsconfigconforms-RuleName1-conformance-pack-ID",
                       "resourceType": "AWS::::Account"
                   }
               },
               "configRuleInvokedTime": "Tue Jul 16 23:07:50 PDT 2019",
               "resultRecordedTime": "Tue Jul 16 23:07:51 PDT 2019",
               "complianceType": "NON_COMPLIANT"
           },
           {
               "evaluationResultIdentifier": {
                   "orderingTimestamp": "Thu Jun 27 15:16:36 PDT 2019",
                   "evaluationResultQualifier": {
                       "resourceId": "resourceID",
                       "configRuleName": "awsconfigconforms-RuleName2-conformance-pack-ID",
                       "resourceType": "AWS::EC2::SecurityGroup"
                   }
               },
               "configRuleInvokedTime": "Thu Jul 11 23:08:06 PDT 2019",
               "resultRecordedTime": "Thu Jul 11 23:08:06 PDT 2019",
               "complianceType": "COMPLIANT"
           }
       ],
       "conformancePackName": "MyConformancePack1"
   }
   ```

------

# Viewing the Compliance History Timeline for Conformance Packs for AWS Config
<a name="compliance-history-conformance-pack"></a>

AWS Config supports storing compliance state changes to your conformance packs. This allows you to view the history of compliance state changes. These compliance state changes are presented as a timeline. The timeline captures changes as `ConfigurationItems` over a period of time. You can also use this feature to find specific rules within a conformance pack that are noncompliant.

You can opt in or out to record all resource types in AWS Config. If you have opted to record all resource types, AWS Config automatically begins recording the conformance pack compliance history as evaluated by AWS Config Rules. By default, AWS Config records the configuration changes for all supported resources. You can also select only the specific conformance pack compliance history resource type: `AWS::Config::ConformancePackCompliance`. Recording for the `AWS::Config::ConformancePackCompliance` resource type is available at no additional charge. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-console).

A conformance pack is compliant if all of the rules in the conformance pack are compliant. It is noncompliant if any of the rules are not compliant. The compliance status of a conformance pack is `INSUFFICIENT_DATA` only if all rules within a conformance pack cannot be evaluated due to insufficient data. If some of the rules in a conformance pack are compliant but the compliance status of other rules in that same conformance pack is `INSUFFICIENT_DATA`, the conformance pack shows compliant. Compliance for a conformance pack is not evaluated all at one time. Some rules may take a longer time to evaluate than others. Compliance is evaluated for groups of rules at a time, continuing in stages until all the rules in a conformance pack have been evaluated.

## Viewing the Compliance Timeline
<a name="viewing-compliance-history-conformance-pack"></a>

Access the compliance timeline by selecting a specific conformance pack from the **Conformance pack** main page.

1. Navigate to the **Conformance Pack** page.

1. On the **Conformance Pack** main page, choose a specific conformance pack and then choose **Conformance pack timeline**.
**Note**  
Alternatively, you can use the compliance timeline from the conformance pack's details page. Choose a conformance pack and choose **View details** in the **Actions** dropdown. From this page, choose **Conformance pack timeline**.

The timeline shows you the history of compliance state changes for a conformance pack. You can do the following:

1. Expand a compliance change to view the line-by-line compliance status of each rule within a conformance pack.

1. From the expanded view, choose a specific rule to view its details page.

# Querying Compliance History for Conformance Packs for AWS Config
<a name="querying-compliance-history-conformance-pack"></a>

Query the compliance history with `get-resource-config-history`, using the resource type `AWS::Config::ConformancePackCompliance`.

```
aws configservice get-resource-config-history --resource-type AWS::Config::ConformancePackCompliance --resource-id conformance-pack-ID
```

You should see output similar to the following:

```
{
    "configurationItems": [
        {
            "version": "1.3",
            "accountId": "Account ID",
            "configurationItemCaptureTime": 1614641951.442,
            "configurationItemStatus": "OK",
            "configurationStateId": "1614641951442",
            "configurationItemMD5Hash": "",
            "arn": "arn:aws:config:us-east-1:Account ID:conformance-pack/MyConformancePack1/conformance-pack-ID",
            "resourceType": "AWS::Config::ConformancePackCompliance",
            "resourceId": "conformance-pack-ID",
            "resourceName": "MyConformancePack1",
            "awsRegion": "us-east-1",
            "tags": {},
            "relatedEvents": [],
            "relationships": [],
            "configuration": "{\"compliantRuleCount\":1,\"configRuleList\":[{\"configRuleName\":\"RuleName1-conformance-pack-ID\",\"controls\":[],\"configRuleArn\":\"arn:aws:config:us-east-1:Account ID:config-rule/aws-service-rule/config-conforms.amazonaws.com/config-rule-nnnnnn\",\"complianceType\":\"INSUFFICIENT_DATA\"},{\"configRuleName\":\"RuleName2-conformance-pack-ID\",\"controls\":[],\"configRuleArn\":\"arn:aws:config:us-east-1:Account ID:config-rule/aws-service-rule/config-conforms.amazonaws.com/config-rule-mmmmmm\",\"complianceType\":\"COMPLIANT\"},{\"configRuleName\":\"RuleName3-conformance-pack-ID\",\"controls\":[],\"configRuleArn\":\"arn:aws:config:us-east-1:Account ID:config-rule/aws-service-rule/config-conforms.amazonaws.com/config-rule-pppppp\",\"complianceType\":\"INSUFFICIENT_DATA\"}],\"totalRuleCount\":3,\"nonCompliantRuleCount\":0,\"complianceType\":\"COMPLIANT\"}",
            "supplementaryConfiguration": {}
        },
        {
            "version": "1.3",
            "accountId": "768311917693",
            "configurationItemCaptureTime": 1605551029.515,
            "configurationItemStatus": "ResourceDiscovered",
            "configurationStateId": "1605551029515",
            "configurationItemMD5Hash": "",
            "resourceType": "AWS::Config::ConformancePackCompliance",
            "resourceId": "conformance-pack-ID",
            "resourceName": "MyConformancePack1",
            "awsRegion": "us-east-1",
            "tags": {},
            "relatedEvents": [],
            "relationships": [],
            "configuration": "{\"compliantRuleCount\":1,\"configRuleList\":[{\"configRuleName\":\"RuleName1-conformance-pack-ID\",\"controls\":[],\"configRuleArn\":\"arn:aws:config:us-east-1:Account ID:config-rule/aws-service-rule/config-conforms.amazonaws.com/config-rule-nnnnnn\",\"complianceType\":\"INSUFFICIENT_DATA\"},{\"configRuleName\":\"RuleName2-conformance-pack-ID\",\"controls\":[],\"configRuleArn\":\"arn:aws:config:us-east-1:Account ID:config-rule/aws-service-rule/config-conforms.amazonaws.com/config-rule-mmmmmm\",\"complianceType\":\"COMPLIANT\"},{\"configRuleName\":\"RuleName3-conformance-pack-ID\",\"controls\":[],\"configRuleArn\":\"arn:aws:config:us-east-1:Account ID:config-rule/aws-service-rule/config-conforms.amazonaws.com/config-rule-pppppp\",\"complianceType\":\"INSUFFICIENT_DATA\"}],\"totalRuleCount\":3,\"nonCompliantRuleCount\":0,\"complianceType\":\"COMPLIANT\"}",
            "supplementaryConfiguration": {}
        }
    ]
}
```

For more information, see [Supported Resource Types (AWS Config)](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#awsconfig) and [GetResourceConfigHistory](https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceConfigHistory.html) in the API reference.
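
The `configuration` field in that output is itself a JSON string, so it needs a second decode before the per-rule results can be compared across items. The following added example (not part of the AWS documentation) decodes the history, lists per-rule state changes, and reports rules still in `INSUFFICIENT_DATA`, which the sample output above shows can coexist with an overall `COMPLIANT` status. The sample data, the `ABSENT` marker and the function names are constructed for illustration.

```python
import json

def _item(ts, overall, rule_states):
    """Constructed item; 'configuration' is a JSON string, as in the CLI output."""
    rules = [{"configRuleName": n, "controls": [], "complianceType": s}
             for n, s in rule_states.items()]
    cfg = {"configRuleList": rules, "totalRuleCount": len(rules),
           "complianceType": overall}
    return {"configurationItemCaptureTime": ts,
            "resourceName": "MyConformancePack1",
            "configuration": json.dumps(cfg)}

# Constructed sample, newest item first like the output above.
SAMPLE = {"configurationItems": [
    _item(1614641951.442, "NON_COMPLIANT",
          {"RuleName1": "NON_COMPLIANT", "RuleName2": "COMPLIANT"}),
    _item(1605551029.515, "COMPLIANT",
          {"RuleName1": "INSUFFICIENT_DATA", "RuleName2": "COMPLIANT",
           "RuleName3": "INSUFFICIENT_DATA"}),
]}

def decode_history(response):
    """Return snapshots oldest first, with the nested configuration decoded."""
    snaps = []
    for item in response["configurationItems"]:
        cfg = json.loads(item["configuration"])  # second decode of the string field
        snaps.append({
            "time": item["configurationItemCaptureTime"],  # epoch seconds
            "overall": cfg["complianceType"],
            "rules": {r["configRuleName"]: r["complianceType"]
                      for r in cfg["configRuleList"]},
        })
    return sorted(snaps, key=lambda s: s["time"])

def rule_transitions(snaps):
    """List (time, rule, old, new) for each rule change between snapshots."""
    changes = []
    for prev, cur in zip(snaps, snaps[1:]):
        for rule, state in cur["rules"].items():
            old = prev["rules"].get(rule, "ABSENT")
            if old != state:
                changes.append((cur["time"], rule, old, state))
        for rule in sorted(prev["rules"].keys() - cur["rules"].keys()):
            changes.append((cur["time"], rule, prev["rules"][rule], "ABSENT"))
    return changes

def unevaluated(snap):
    """Rules with no verdict; the pack can still read COMPLIANT overall."""
    return sorted(r for r, s in snap["rules"].items() if s == "INSUFFICIENT_DATA")
```

A rule that moves to `ABSENT` was removed from the pack between two captures, which is worth reviewing alongside changes to `NON_COMPLIANT`.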

# Managing Conformance Packs for AWS Config Across all Accounts in Your Organization
<a name="conformance-pack-organization-apis"></a>

Use AWS Config to manage conformance packs across all AWS accounts within an organization. You can do the following:
+ Centrally deploy, update, and delete conformance packs across member accounts in an organization in AWS Organizations.
+ Deploy a common set of AWS Config rules and remediation actions across all accounts and specify accounts where AWS Config rules and remediation actions should not be created.
+ Use the management account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules and remediation actions are not modifiable by your organization’s member accounts.

## Considerations
<a name="conformance-pack-organization-considerations"></a>

**For deployments across different Regions**

The API call to deploy rules and conformance packs across accounts is AWS Region specific. At the organization level, you need to change the context of your API call to a different Region if you want to deploy rules in other Regions. For example, to deploy a rule in US East (N. Virginia), change the Region to US East (N. Virginia) and then call `PutOrganizationConfigRule`.

**For accounts within an organization**

If a new account joins an organization, the rule or conformance pack is deployed to that account. When an account leaves an organization, the rule or conformance pack is removed.

If you deploy an organizational rule or conformance pack in an organization administrator account, and then establish a delegated administrator and deploy an organizational rule or conformance pack in the delegated administrator account, neither account can see the other's deployments: you won't be able to see the organizational rule or conformance pack in the organization administrator account from the delegated administrator account, or the one in the delegated administrator account from the organization administrator account. The [DescribeOrganizationConfigRules](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConfigRules.html) and [DescribeOrganizationConformancePacks](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConformancePacks.html) APIs can only see and interact with the organization-related resources that were deployed from within the account calling those APIs.

**Retry mechanism for new accounts added to an organization**

Deployment of existing organizational rules and conformance packs will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.

**Organization management accounts, delegated administrators, and service-linked roles**

If you are using an organization management account and intend to use a delegated administrator for organizational deployment, be aware that AWS Config won't automatically create the service-linked role (SLR). You must create the SLR manually and separately using IAM.

If you do not have an SLR for your management account, you will not be able to deploy resources to that account from a delegated administrator account. You will still be able to deploy conformance packs to member accounts from management and delegated administrator accounts. For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *AWS Identity and Access Management (IAM) User Guide*.

## Deployment
<a name="conformance-pack-organization-deployment"></a>

------
#### [ To deploy with the AWS Management Console ]

To deploy a conformance pack across an organization from the AWS console, use AWS Systems Manager. For more information, see [Deploy AWS Config conformance packs](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-cpack.html) in the *AWS Systems Manager User Guide*.

------
#### [ To deploy with the AWS API ]

For information on how to integrate AWS Config with AWS Organizations, see [AWS Config and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html) in the *AWS Organizations User Guide*. Ensure AWS Config recording is on before you use the following APIs to manage conformance pack rules across all AWS accounts within an organization:
+ [DeleteOrganizationConformancePack](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteOrganizationConformancePack.html), deletes the specified organization conformance pack and all of the config rules and remediation actions from all member accounts in that organization.
+ [DescribeOrganizationConformancePacks](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConformancePacks.html), returns a list of organization conformance packs.
+ [DescribeOrganizationConformancePackStatuses](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConformancePackStatuses.html), provides organization conformance pack deployment status for an organization.
+ [GetOrganizationConformancePackDetailedStatus](https://docs.aws.amazon.com/config/latest/APIReference/API_GetOrganizationConformancePackDetailedStatus.html), returns detailed status for each member account within an organization for a given organization conformance pack.
+ [PutOrganizationConformancePack](https://docs.aws.amazon.com/config/latest/APIReference/API_PutOrganizationConformancePack.html), deploys conformance packs across member accounts in an AWS Organization.

------
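
Because the deployment call is Region specific, an organization-wide rollout calls `PutOrganizationConformancePack` once per Region and then checks each member account with `GetOrganizationConformancePackDetailedStatus`. The following added example (not part of the AWS documentation) shows that pattern with the boto3 method names for those two APIs. `StubConfig`, `stub_factory`, the Region list, account IDs, ARNs and error text are constructed so the block runs offline; pass `boto3.client` as `client_factory` to use it against a real organization.

```python
class StubConfig:
    """Constructed stand-in for boto3.client("config", region_name=...)."""
    calls = []  # (region, kwargs) of every put call, for inspection

    def __init__(self, region):
        self.region = region

    def put_organization_conformance_pack(self, **kw):
        StubConfig.calls.append((self.region, kw))
        return {"OrganizationConformancePackArn": f"example-arn/{self.region}"}

    def get_organization_conformance_pack_detailed_status(self, **kw):
        if "NextToken" not in kw:  # first of two pages
            return {"NextToken": "page-2", "OrganizationConformancePackDetailedStatuses": [
                {"AccountId": "111122223333", "Status": "CREATE_SUCCESSFUL"}]}
        failed = self.region == "us-west-2"  # constructed: one failure in one Region
        return {"OrganizationConformancePackDetailedStatuses": [
            {"AccountId": "444455556666", "ErrorMessage": "constructed error" if failed else "",
             "Status": "CREATE_FAILED" if failed else "CREATE_SUCCESSFUL"}]}

def stub_factory(service, region_name):
    return StubConfig(region_name)

def deploy(client_factory, regions, name, template_s3_uri, excluded_accounts=()):
    """Call PutOrganizationConformancePack once per Region (the call is Region specific)."""
    arns = {}
    for region in regions:
        client = client_factory("config", region_name=region)
        resp = client.put_organization_conformance_pack(
            OrganizationConformancePackName=name, TemplateS3Uri=template_s3_uri,
            ExcludedAccounts=list(excluded_accounts))
        arns[region] = resp["OrganizationConformancePackArn"]
    return arns

def failed_accounts(client_factory, regions, name):
    """Map (region, account) to the error text for statuses ending in _FAILED."""
    failures = {}
    for region in regions:
        client = client_factory("config", region_name=region)
        kwargs = {"OrganizationConformancePackName": name}
        while True:  # follow NextToken until the last page
            page = client.get_organization_conformance_pack_detailed_status(**kwargs)
            for s in page["OrganizationConformancePackDetailedStatuses"]:
                if s["Status"].endswith("_FAILED"):
                    failures[(region, s["AccountId"])] = s.get("ErrorMessage", "")
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    return failures
```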

## Region Support
<a name="org-conformance-packs-regions"></a>

Deploying conformance packs across member accounts in an AWS Organization is supported in the following Regions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html)

# Troubleshooting for Conformance Packs for AWS Config
<a name="troubleshooting-conformance-pack"></a>

Use the following topics to troubleshoot issues you might run into when using conformance packs.

**Topics**
+ [Failed status for a conformance pack](#w2aac22c41b7)
+ [Dangling rules in a conformance pack](#w2aac22c41b9)

## Failed status for a conformance pack
<a name="w2aac22c41b7"></a>

If you get an error indicating that the conformance pack failed while creating, updating, or deleting it, you can check the status of your conformance pack.

```
aws configservice describe-conformance-pack-status --conformance-pack-name MyConformancePack1
```

You should see output similar to the following.

```
"ConformancePackStatusDetails": [
    {
        "ConformancePackName": "ConformancePackName",
        "ConformancePackId": "ConformancePackId",
        "ConformancePackArn": "ConformancePackArn",
        "ConformancePackState": "CREATE_FAILED",
        "StackArn": "CloudFormation stackArn",
        "ConformancePackStatusReason": "Failure Reason",
        "LastUpdateRequestedTime": 1573865201.619,
        "LastUpdateCompletedTime": 1573864244.653
    }
]
```

Check the **ConformancePackStatusReason** for information about the failure. 

**When the stackArn is present in the response**

If the error message is not clear or if the failure is due to an internal error, go to the CloudFormation console and do the following:

1. Search for the **stackArn** from the output.

1. Choose the **Events** tab of the CloudFormation stack and check for failed events.

   The status reason indicates why the conformance pack failed.

**When the stackArn is not present in the response**

If you receive a failure while you create a conformance pack but the stackArn is not present in the status response, the possible reason is that the stack creation failed and CloudFormation rolled back and deleted the stack. Go to the CloudFormation console and search for stacks that are in a **Deleted** state. The failed stack might be available there. The CloudFormation stack contains the conformance pack name. If you find the failed stack, choose the **Events** tab of the CloudFormation stack and check for failed events.

If none of these steps work and the failure reason is an internal service error, try the operation again or contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
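
The two paths above can be followed in code once the status response and the CloudFormation data are in hand. This added example (not part of the AWS documentation) takes a `describe-conformance-pack-status` style response, uses the stack ARN when present, and otherwise matches deleted stacks by conformance pack name before collecting failed stack events. All input values, stack names and event reasons are constructed.

```python
# Constructed inputs. In a live account they would come from the boto3 calls
# describe_conformance_pack_status (config), list_stacks with
# StackStatusFilter=["DELETE_COMPLETE"], and describe_stack_events (cloudformation).
STATUS = {"ConformancePackStatusDetails": [
    {"ConformancePackName": "PackA", "ConformancePackState": "CREATE_FAILED",
     "StackArn": "stack-arn-A", "ConformancePackStatusReason": "Failure Reason"},
    {"ConformancePackName": "PackB", "ConformancePackState": "CREATE_FAILED",
     "ConformancePackStatusReason": "Failure Reason"},  # no StackArn: rolled back
    {"ConformancePackName": "PackC", "ConformancePackState": "CREATE_COMPLETE",
     "StackArn": "stack-arn-C"},
]}
DELETED_STACKS = [
    {"StackName": "example-PackB-stack", "StackId": "stack-arn-B"},
    {"StackName": "unrelated-app", "StackId": "stack-arn-X"},
]
EVENTS = {
    "stack-arn-A": [
        {"LogicalResourceId": "RuleOne", "ResourceStatus": "CREATE_COMPLETE"},
        {"LogicalResourceId": "RuleTwo", "ResourceStatus": "CREATE_FAILED",
         "ResourceStatusReason": "constructed reason A"}],
    "stack-arn-B": [
        {"LogicalResourceId": "RuleNine", "ResourceStatus": "CREATE_FAILED",
         "ResourceStatusReason": "constructed reason B"},
        {"LogicalResourceId": "RuleNine", "ResourceStatus": "DELETE_COMPLETE"}],
}

def failed_events(events):
    """Keep stack events whose ResourceStatus ends in _FAILED."""
    return [(e["LogicalResourceId"], e.get("ResourceStatusReason", ""))
            for e in events if e["ResourceStatus"].endswith("_FAILED")]

def triage(status, deleted_stacks, events_by_stack):
    """Follow the two paths above for every pack in a *_FAILED state."""
    report = {}
    for d in status["ConformancePackStatusDetails"]:
        if not d["ConformancePackState"].endswith("_FAILED"):
            continue
        name = d["ConformancePackName"]
        if d.get("StackArn"):       # stack still exists: read its events
            path, stacks = "stack-arn", [d["StackArn"]]
        else:                       # rolled back: match deleted stacks by pack name
            path = "deleted-stack"
            stacks = [s["StackId"] for s in deleted_stacks if name in s["StackName"]]
        events = [ev for s in stacks for ev in failed_events(events_by_stack.get(s, []))]
        report[name] = {"reason": d.get("ConformancePackStatusReason", ""),
                        "path": path, "failed_events": events}
    return report
```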

## Dangling rules in a conformance pack
<a name="w2aac22c41b9"></a>

Deploying a conformance pack involves the creation of an underlying AWS CloudFormation stack in the background to deploy the rules in the conformance pack template. These rules are [service-linked rules](https://docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html) and cannot be updated or deleted outside the conformance pack.

If you make changes to the underlying CloudFormation stack, this results in a situation where the conformance pack and its rules become unmanageable. These unmanageable rules are *dangling rules*.

**Drift between the CloudFormation stack and the conformance pack**

You can update the rule names in a conformance pack template directly from the CloudFormation console. If you update the template directly from the CloudFormation console, this does not update the deployed conformance pack.

This drift creates a dangling rule. If you try to delete the rule from the conformance pack, you receive an error similar to the following:

```
"An AWS service owns ServiceLinkedConfigRule. You do not have permissions to take action on this rule. (Service: AmazonConfig; Status Code: 400; Error Code: AccessDeniedException; Request ID: my-request-ID; Proxy: null)".
```

If you try to delete the conformance pack, the dangling rule cannot be deleted and you receive an error similar to the following:

```
"User: arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForConfigConforms/AwsConfigConformsWorkflow is not authorized to perform: config:DeleteConfigRule on resource: my-dangling-rule
```

To fix this issue, do the following steps:

1. Delete the stack. For more information, see [Deleting a stack on the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) in the *CloudFormation User Guide*.

1. Delete the conformance pack using the AWS Config console or using the [DeleteConformancePack](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteConformancePack.html) API. If it is an organizational conformance pack and you are using the management or delegated administrator account, use the [DeleteOrganizationConformancePack](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteOrganizationConformancePack.html) API.

1. Reach out to the [AWS Support Center](https://console.aws.amazon.com/support/home#/) with the Amazon Resource Name (ARN) of the dangling rules in the conformance pack to help clean up your account.

To avoid this issue, remember these best practices:
+ Never make any direct updates to the CloudFormation stack of a conformance pack. 
+ Never make changes that create drift between the conformance pack and its underlying CloudFormation stack.
+ The [service-linked role (SLR) for conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) cannot be modified. Make sure the resources you are updating are part of the permissions policy for the SLR.

**Deleted CloudFormation stack for a conformance pack**

Unless there is drift between the CloudFormation stack and the conformance pack, it is never recommended to delete rules in a conformance pack or its CloudFormation stack directly from the CloudFormation console.

To fix this issue, reach out to the [AWS Support Center](https://console.aws.amazon.com/support/home#/) with the Amazon Resource Name (ARN) of the dangling rules in the conformance pack to help clean up your account.

To avoid this issue, remember these best practices:
+ Never delete the underlying CloudFormation stack for a conformance pack.
+ Delete conformance packs using the [DeleteConformancePack](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteConformancePack.html) API. If it is an organizational conformance pack and you are using the management or delegated administrator account, use the [DeleteOrganizationConformancePack](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteOrganizationConformancePack.html) API.
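
Both best-practice lists above come down to one detectable event: a direct `UpdateStack` or `DeleteStack` on a conformance pack's CloudFormation stack. The following added example (not part of the AWS documentation) scans CloudTrail-style records for those calls and flags any not made through the service-linked role named in the error message above. It assumes the service's own stack operations appear under that role and that the stack name contains the conformance pack name; the records, principals and stack names are constructed.

```python
SLR_ROLE = "AWSServiceRoleForConfigConforms"  # role named in the error message above
WATCHED = {"UpdateStack", "DeleteStack"}

def _ev(name, actor_arn, stack, when):
    """Constructed CloudTrail-style record with only the fields used below."""
    return {"eventSource": "cloudformation.amazonaws.com", "eventName": name,
            "eventTime": when, "userIdentity": {"arn": actor_arn},
            "requestParameters": {"stackName": stack}}

SLR = f"arn:aws:sts::111122223333:assumed-role/{SLR_ROLE}/AwsConfigConformsWorkflow"
ADMIN = "arn:aws:sts::111122223333:assumed-role/ExampleAdmin/example-user"
EVENTS = [  # constructed; stack names are hypothetical and contain the pack name
    _ev("UpdateStack", SLR, "example-MyConformancePack1-stack", "2024-01-01T10:00:00Z"),
    _ev("UpdateStack", ADMIN, "example-MyConformancePack1-stack", "2024-01-02T11:00:00Z"),
    _ev("DeleteStack", ADMIN, "example-MyConformancePack1-stack", "2024-01-02T11:05:00Z"),
    _ev("UpdateStack", ADMIN, "web-app", "2024-01-02T12:00:00Z"),
    _ev("DescribeStacks", ADMIN, "example-MyConformancePack1-stack", "2024-01-02T12:30:00Z"),
]

def direct_stack_changes(events, pack_names):
    """Return (time, event, pack, actor) for stack writes not made by the SLR."""
    hits = []
    for e in events:
        if e.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        if e.get("eventName") not in WATCHED:
            continue
        # stackName may hold a name or a stack ARN; both contain the stack name
        stack = (e.get("requestParameters") or {}).get("stackName", "")
        pack = next((p for p in pack_names if p in stack), None)
        actor = (e.get("userIdentity") or {}).get("arn", "")
        if pack and f":assumed-role/{SLR_ROLE}/" not in actor:
            hits.append((e["eventTime"], e["eventName"], pack, actor))
    return hits
```

Substring matching on short pack names can produce false positives, so feed it the exact pack names returned by `describe-conformance-packs` and review each hit against the stack it names.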