Configuration compliance in Accelerate
AMS Accelerate helps you configure your resources to high standards for security and operational integrity, and comply with the following industry standards:
Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI) Data Security Standard (DSS)
We do this by deploying our entire compliance AWS Config rule set to your account; see AMS Config Rule library. An AWS Config rule expresses the desired configuration of a resource and is evaluated either on a schedule or whenever the configuration of your AWS resources changes, so a single configuration change can trigger many rules to re-evaluate. For example, suppose you create an Amazon S3 bucket and configure it to be publicly readable, in violation of NIST and CIS guidance. The ams-nist-cis-s3-bucket-public-read-prohibited rule detects the violation and marks the bucket Noncompliant in your Configuration Report. Because this rule belongs to the Incident (automatic incident report) remediation category, AMS also creates an Incident Report immediately, alerting you to the issue. Rules in the more severe Remediate category cause AMS to remediate the issue automatically. See Responses to violations in Accelerate.
Important
If you want us to do more, for example, if you want AMS to remediate a violation for you regardless of its remediation category, submit a Service Request that asks AMS to remediate the noncompliant resources for you. In the Service Request, include a comment such as "As part of the AMS config rule remediation, please remediate noncompliant resources RESOURCE_ARNS_OR_IDs, config rule CONFIG_RULE_NAME in the account" and add the inputs required to remediate the violation.
If you want us to do less, for example, if you don't want us to take action on a particular S3 bucket that requires public access by design, you can create exceptions, see Creating rule exceptions in Accelerate.
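The S3 example above is the violation most teams hit first, and because that rule only raises an Incident rather than remediating, it is worth catching before deployment. The following Python is an added example, not AMS or AWS code: it approximates the inputs the underlying managed rule evaluates (Block Public Access settings, bucket ACL, bucket policy) on dicts shaped like the S3 API responses, using constructed sample buckets so it runs offline. AWS does not publish the rule's exact logic; any policy Condition is treated as restrictive here, so this is a conservative pre-check that may under-report, not a substitute for the rule's own evaluation.

```python
"""Pre-check for what ams-nist-cis-s3-bucket-public-read-prohibited will flag.

Added example, not AMS or AWS code. Follows the documented inputs of the
underlying AWS managed rule (Block Public Access, bucket ACL, bucket policy)
over plain dicts shaped like the S3 API responses. AWS does not publish the
rule's exact logic; any policy Condition is treated as restrictive (conservative).
"""
from typing import Any

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_GRANTS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_bpa(account: dict[str, bool], bucket: dict[str, bool]) -> dict[str, bool]:
    """A flag set at either the account or the bucket level applies; stricter wins."""
    return {f: bool(account.get(f)) or bool(bucket.get(f)) for f in BPA_FLAGS}


def acl_grants_public_read(acl: dict[str, Any]) -> bool:
    """True if the ACL grants READ (or FULL_CONTROL) to AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_GRANTS):
            return True
    return False


def _wildcard_principal(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public_read(policy: dict[str, Any]) -> bool:
    """Allow + wildcard principal + a read action + no Condition => public read."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conservative assumption: the condition scopes access down
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in READ_ACTIONS for a in actions):
            return True
    return False


def evaluate_public_read(bucket: dict[str, Any]) -> str:
    """Return COMPLIANT or NON_COMPLIANT in AWS Config's vocabulary."""
    bpa = effective_bpa(bucket.get("AccountBPA", {}), bucket.get("BucketBPA", {}))
    # IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    # neutralises a public bucket policy; the BlockPublic* flags only stop new grants.
    acl_public = acl_grants_public_read(bucket.get("ACL", {})) and not bpa["IgnorePublicAcls"]
    policy_public = policy_grants_public_read(bucket.get("Policy", {})) and not bpa["RestrictPublicBuckets"]
    return "NON_COMPLIANT" if acl_public or policy_public else "COMPLIANT"


# Constructed sample buckets (not real account data).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_BUCKETS = {
    "public-via-acl": {
        "ACL": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "Policy": {},
    },
    "public-policy-but-restricted": {
        "BucketBPA": {"RestrictPublicBuckets": True},
        "ACL": {},
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::b/*"}]},
    },
    "vpce-scoped-policy": {
        "ACL": {},
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::b/*",
                                  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
    },
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_BUCKETS.items():
        print(f"{name}: {evaluate_public_read(cfg)}")
```

Run it before a deployment that touches bucket ACLs or policies; a NON_COMPLIANT result here is exactly the kind of change that opens an Incident Report once the rule re-evaluates.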
AMS Config Rule library
Accelerate deploys a library of AMS config rules to protect your account. These config rules begin with the ams- prefix.
You can view the rules within your account, and their compliance state, from the AWS Config console, the AWS CLI, or the AWS Config API. For general information about using AWS Config, see Viewing Configuration Compliance.
Note
In opt-in AWS Regions and AWS GovCloud (US) Regions, AMS deploys only a subset of the config rules because of Region restrictions. To check whether a rule is available in a Region, follow the link associated with the rule's identifier in the AMS Accelerate config rules table.
You cannot remove any of the deployed AMS Config Rules.
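To pull the same compliance state from the AWS Config API and rank it by how AMS will respond, here is an added Python example (not AMS tooling). `summarize_ams_compliance` is a pure function over pages shaped like the DescribeComplianceByConfigRule response, so the constructed sample runs offline; `fetch_compliance_pages` is the optional live path and assumes boto3 and AWS credentials are available. The action map is a hand-copied subset of the rule table on this page, not the authoritative library, and rules outside it are ranked as Unknown.

```python
"""Triage noncompliant ams- rules by AMS remediation category.

Added example, not AMS code. summarize_ams_compliance works on pages shaped
like the AWS Config DescribeComplianceByConfigRule response; ACTION_BY_RULE is
a subset copied from the rule table on this page, not the full library.
"""
from collections import defaultdict

ACTION_BY_RULE = {
    "ams-nist-cis-guardduty-enabled-centralized": "Remediate",
    "ams-nist-cis-vpc-flow-logs-enabled": "Remediate",
    "ams-nist-cis-s3-bucket-public-read-prohibited": "Incident",
    "ams-nist-cis-restricted-ssh": "Incident",
    "ams-nist-cis-iam-root-access-key-check": "Incident",
    "ams-nist-cis-cloudtrail-enabled": "Report",
    "ams-nist-cis-access-keys-rotated": "Report",
}
# Lower number = AMS responds harder, so it sorts first.
SEVERITY = {"Remediate": 0, "Incident": 1, "Report": 2, "Unknown": 3}


def summarize_ams_compliance(pages, action_by_rule=ACTION_BY_RULE, prefix="ams-"):
    """Return noncompliant AMS rules as (action, rule_name, contributor_count, cap_exceeded),
    sorted by AMS action severity, then by number of offending resources."""
    rows = []
    for page in pages:
        for item in page.get("ComplianceByConfigRules", []):
            name = item["ConfigRuleName"]
            if not name.startswith(prefix):
                continue  # customer-owned rules are outside AMS scope
            compliance = item.get("Compliance", {})
            if compliance.get("ComplianceType") != "NON_COMPLIANT":
                continue  # COMPLIANT / INSUFFICIENT_DATA / NOT_APPLICABLE
            count = compliance.get("ComplianceContributorCount", {})
            rows.append((
                action_by_rule.get(name, "Unknown"),
                name,
                count.get("CappedCount", 0),
                count.get("CapExceeded", False),
            ))
    rows.sort(key=lambda r: (SEVERITY[r[0]], -r[2], r[1]))
    return rows


def counts_by_action(rows):
    """How many noncompliant rules fall into each AMS action category."""
    out = defaultdict(int)
    for action, *_ in rows:
        out[action] += 1
    return dict(out)


def fetch_compliance_pages(region_name=None):
    """Live path: page through DescribeComplianceByConfigRule using NextToken.
    Assumes boto3 is installed and credentials are configured."""
    import boto3  # imported here so the offline sample does not need it
    client = boto3.client("config", region_name=region_name)
    kwargs = {}
    while True:
        page = client.describe_compliance_by_config_rule(**kwargs)
        yield page
        token = page.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


# Constructed sample response pages (not real account data).
SAMPLE_PAGES = [
    {"ComplianceByConfigRules": [
        {"ConfigRuleName": "ams-nist-cis-s3-bucket-public-read-prohibited",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 2, "CapExceeded": False}}},
        {"ConfigRuleName": "ams-nist-cis-cloudtrail-enabled",
         "Compliance": {"ComplianceType": "COMPLIANT"}},
        {"ConfigRuleName": "customer-tag-check",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 40, "CapExceeded": True}}},
    ]},
    {"ComplianceByConfigRules": [
        {"ConfigRuleName": "ams-nist-cis-vpc-flow-logs-enabled",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 1, "CapExceeded": False}}},
        {"ConfigRuleName": "ams-nist-cis-access-keys-rotated",
         "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
    ]},
]

if __name__ == "__main__":
    for row in summarize_ams_compliance(SAMPLE_PAGES):  # swap in fetch_compliance_pages() for live data
        print(row)
```

The sort order is deliberate: a Remediate-category violation means AMS is already acting in your account, an Incident means a ticket is waiting for your decision, and a Report-only violation sits until you open a Service Request, so that is the order in which to look at them.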
Table of Rules
Download as ams_config_rules.zip.
Rule Name | Service | Trigger | Action | Frameworks |
---|---|---|---|---|
ams-nist-cis-guardduty-enabled-centralized | GuardDuty | Periodic | Remediate | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 2.2,3.4,8.2.1; |
ams-nist-cis-vpc-flow-logs-enabled | VPC | Periodic | Remediate | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6; |
ams-eks-secrets-encrypted | EKS | Periodic | Incident | CIS: NA; NIST-CSF: NA; HIPAA: NA; PCI: NA; |
ams-eks-endpoint-no-public-access | EKS | Periodic | Incident | CIS: NA; NIST-CSF: NA; HIPAA: NA; PCI: NA; |
ams-nist-cis-vpc-default-security-group-closed | VPC | Config Changes | Incident | CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.312(e)(1); PCI: 1.2,1.3,2.1,2.2,1.2.1,1.3.1,1.3.2,2.2.2; |
ams-nist-cis-iam-password-policy | IAM | Periodic | Incident | CIS: NA; NIST-CSF: PR.AC-1,PR.AC-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 7.1.2,7.1.3,7.2.1,7.2.2; |
ams-nist-cis-iam-root-access-key-check | IAM | Periodic | Incident | CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-1,PR.AC-4,PR.PT-3; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.1.2,7.1.3,7.2.1,7.2.2; |
ams-nist-cis-iam-user-mfa-enabled | IAM | Periodic | Incident | CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.1.2,7.1.3,7.2.1,7.2.2; |
ams-nist-cis-restricted-ssh | Security Groups | Config Changes | Incident | CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.2.1,8.1.4; |
ams-nist-cis-restricted-common-ports | Security Groups | Config Changes | Incident | CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,2.2.2; |
ams-nist-cis-s3-account-level-public-access-blocks | S3 | Config Changes | Incident | CIS: CIS.9,CIS.12,CIS.14; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2,2.2.2; |
ams-nist-cis-s3-bucket-public-read-prohibited | S3 | Config Changes | Incident | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-s3-bucket-public-write-prohibited | S3 | Config Changes | Incident | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-s3-bucket-server-side-encryption-enabled | S3 | Config Changes | Incident | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(c)(2),164.312(e)(2)(ii); PCI: 2.2,3.4,10.5,8.2.1; |
ams-nist-cis-securityhub-enabled | Security Hub | Periodic | Incident | CIS: CIS.3,CIS.4,CIS.6,CIS.12,CIS.16,CIS.19; NIST-CSF: PR.DS-5,PR.PT-1; HIPAA: 164.312(b); PCI: NA; |
ams-nist-cis-ec2-instance-managed-by-systems-manager | EC2 | Config Changes | Report | CIS: CIS.2,CIS.5; NIST-CSF: ID.AM-2,PR.IP-1; HIPAA: 164.308(a)(5)(ii)(B); PCI: 2.4; |
ams-nist-cis-cloudtrail-enabled | CloudTrail | Periodic | Report | CIS: CIS.16,CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.MA-2,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(b); PCI: 10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.6,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6; |
ams-nist-cis-access-keys-rotated | IAM | Periodic | Report | CIS: CIS.16; NIST-CSF: PR.AC-1; HIPAA: 164.308(a)(4)(ii)(B); PCI: 2.2; |
ams-nist-cis-acm-certificate-expiration-check | Certificate Manager | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.AC-5,PR.PT-4; HIPAA: NA; PCI: 4.1; |
ams-nist-cis-alb-http-to-https-redirection-check | ALB | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 2.3,4.1,8.2.1; |
ams-nist-cis-api-gw-cache-enabled-and-encrypted | API Gateway | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4; |
ams-nist-cis-api-gw-execution-logging-enabled | API Gateway | Config Changes | Report | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.PT-1; HIPAA: 164.312(b); PCI: 10.1,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.4; |
ams-nist-autoscaling-group-elb-healthcheck-required | ELB | Config Changes | Report | CIS: NA; NIST-CSF: PR.PT-1,PR.PT-5; HIPAA: 164.312(b); PCI: 2.2; |
ams-nist-cis-cloud-trail-encryption-enabled | CloudTrail | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 2.2,3.4,10.5; |
ams-nist-cis-cloud-trail-log-file-validation-enabled | CloudTrail | Periodic | Report | CIS: CIS.6; NIST-CSF: PR.DS-6; HIPAA: 164.312(c)(1),164.312(c)(2); PCI: 2.2,10.5,11.5,10.5.2,10.5.5; |
ams-nist-cis-cloudtrail-s3-dataevents-enabled | CloudTrail | Periodic | Report | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6; |
ams-nist-cis-cloudwatch-alarm-action-check | CloudWatch | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: NA; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4; |
ams-nist-cis-cloudwatch-log-group-encrypted | CloudWatch | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: NA; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4; |
ams-nist-cis-codebuild-project-envvar-awscred-check | CodeBuild | Config Changes | Report | CIS: CIS.18; NIST-CSF: PR.DS-5; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 8.2.1; |
ams-nist-cis-codebuild-project-source-repo-url-check | CodeBuild | Config Changes | Report | CIS: CIS.18; NIST-CSF: PR.DS-5; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 8.2.1; |
ams-nist-cis-db-instance-backup-enabled | RDS | Config Changes | Report | CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: NA; |
ams-nist-cis-dms-replication-not-public | DMS | Periodic | Report | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-dynamodb-autoscaling-enabled | DynamoDB | Periodic | Report | CIS: NA; NIST-CSF: ID.BE-5,PR.DS-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(C); PCI: NA; |
ams-nist-cis-dynamodb-pitr-enabled | DynamoDB | Periodic | Report | CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: NA; |
ams-nist-dynamodb-throughput-limit-check | DynamoDB | Periodic | Report | CIS: NA; NIST-CSF: NA; HIPAA: 164.312(b); PCI: NA; |
ams-nist-ebs-optimized-instance | EBS | Config Changes | Report | CIS: NA; NIST-CSF: NA; HIPAA: 164.308(a)(7)(i); PCI: NA; |
ams-nist-cis-ebs-snapshot-public-restorable-check | EBS | Periodic | Report | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-ec2-instance-detailed-monitoring-enabled | EC2 | Config Changes | Report | CIS: NA; NIST-CSF: DE.AE-1,PR.PT-1; HIPAA: 164.312(b); PCI: NA; |
ams-nist-cis-ec2-instance-no-public-ip | EC2 | Config Changes | Report | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-ec2-managedinstance-association-compliance-status-check | EC2 | Config Changes | Report | CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-ec2-managedinstance-patch-compliance-status-check | EC2 | Config Changes | Report | CIS: CIS.2,CIS.5; NIST-CSF: ID.AM-2,PR.IP-1; HIPAA: 164.308(a)(5)(ii)(B); PCI: 6.2; |
ams-nist-cis-ec2-stopped-instance | EC2 | Periodic | Report | CIS: CIS.2; NIST-CSF: ID.AM-2,PR.IP-1; HIPAA: NA; PCI: NA; |
ams-nist-cis-ec2-volume-inuse-check | EC2 | Config Changes | Report | CIS: CIS.2; NIST-CSF: PR.IP-1; HIPAA: NA; PCI: NA; |
ams-nist-cis-efs-encrypted-check | EFS | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-nist-cis-eip-attached | EC2 | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-nist-cis-elasticache-redis-cluster-automatic-backup-check | ElastiCache | Periodic | Report | CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: NA; |
ams-nist-cis-opensearch-encrypted-at-rest | OpenSearch | Periodic | Report | CIS: CIS.14,CIS.13; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-nist-cis-opensearch-in-vpc-only | OpenSearch | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-nist-cis-elb-acm-certificate-required | Certificate Manager | Config Changes | Report | CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-elb-deletion-protection-enabled | ELB | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 4.1,8.2.1; |
ams-nist-cis-elb-logging-enabled | ELB | Config Changes | Report | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.PT-1; HIPAA: 164.312(b); PCI: 10.1,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.4; |
ams-nist-cis-emr-kerberos-enabled | EMR | Periodic | Report | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.PT-1; HIPAA: 164.312(b); PCI: 10.1,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.4; |
ams-nist-cis-emr-master-no-public-ip | EMR | Periodic | Report | CIS: CIS.14,CIS.16; NIST-CSF: PR.AC-1,PR.AC-4,PR.AC-6; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 7.2.1; |
ams-nist-cis-encrypted-volumes | EBS | Config Changes | Report | CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-guardduty-non-archived-findings | GuardDuty | Periodic | Report | CIS: CIS.12,CIS.13,CIS.16,CIS.19,CIS.3,CIS.4,CIS.6,CIS.8; NIST-CSF: DE.AE-2,DE.AE-3,DE.CM-4,DE.DP-5,ID.RA-1,ID.RA-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.312(b); PCI: 6.1,11.4,5.1.2; |
ams-nist-iam-group-has-users-check | IAM | Config Changes | Report | CIS: NA; NIST-CSF: PR.AC-4,PR.AC-1; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 7.1.2,7.1.3,7.2.1,7.2.2; |
ams-nist-cis-iam-policy-no-statements-with-admin-access | IAM | Config Changes | Report | CIS: CIS.16; NIST-CSF: PR.AC-6,PR.AC-7; HIPAA: 164.308(a)(4)(ii)(B),164.308(a)(5)(ii)(D),164.312(d); PCI: 8.2.3,8.2.4,8.2.5; |
ams-nist-cis-iam-user-group-membership-check | IAM | Config Changes | Report | CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-1,PR.AC-4,PR.PT-3; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(a)(2)(i); PCI: 2.2,7.1.2,7.2.1,8.1.1; |
ams-nist-cis-iam-user-no-policies-check | IAM | Config Changes | Report | CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-7; HIPAA: 164.308(a)(4)(ii)(B),164.312(d); PCI: 8.3; |
ams-nist-cis-iam-user-unused-credentials-check | IAM | Periodic | Report | CIS: CIS.16; NIST-CSF: PR.AC-1,PR.AC-4,PR.PT-3; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1); PCI: 2.2,7.1.2,7.1.3,7.2.1,7.2.2; |
ams-nist-cis-ec2-instances-in-vpc | EC2 | Config Changes | Report | CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(3)(ii)(B),164.308(a)(4)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(B),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,2.2,1.2.1,1.3.1,1.3.2,2.2.2; |
ams-nist-cis-internet-gateway-authorized-vpc-only | Internet Gateway | Periodic | Report | CIS: CIS.9,CIS.12; NIST-CSF: NA; HIPAA: NA; PCI: NA; |
ams-nist-cis-kms-cmk-not-scheduled-for-deletion | KMS | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: NA; PCI: 3.5,3.6; |
ams-nist-lambda-concurrency-check | Lambda | Config Changes | Report | CIS: NA; NIST-CSF: NA; HIPAA: 164.312(b); PCI: NA; |
ams-nist-lambda-dlq-check | Lambda | Config Changes | Report | CIS: NA; NIST-CSF: NA; HIPAA: 164.312(b); PCI: NA; |
ams-nist-cis-lambda-function-public-access-prohibited | Lambda | Config Changes | Report | CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,2.2.2; |
ams-nist-cis-lambda-inside-vpc | Lambda | Config Changes | Report | CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,2.2.2; |
ams-nist-cis-mfa-enabled-for-iam-console-access | IAM | Periodic | Report | CIS: CIS.16; NIST-CSF: PR.AC-7; HIPAA: 164.312(d); PCI: 2.2,8.3; |
ams-nist-cis-multi-region-cloudtrail-enabled | CloudTrail | Periodic | Report | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.MA-2,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.6,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6; |
ams-nist-rds-enhanced-monitoring-enabled | RDS | Config Changes | Report | CIS: NA; NIST-CSF: PR.PT-1; HIPAA: 164.312(b); PCI: NA; |
ams-nist-cis-rds-instance-public-access-check | RDS | Config Changes | Report | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-rds-multi-az-support | RDS | Config Changes | Report | CIS: NA; NIST-CSF: ID.BE-5,PR.DS-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(C); PCI: NA; |
ams-nist-cis-rds-snapshots-public-prohibited | RDS | Config Changes | Report | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-rds-storage-encrypted | RDS | Config Changes | Report | CIS: CIS.13,CIS.5,CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-1,PR.PT-1; HIPAA: 164.312(a)(2)(iv),164.312(b),164.312(e)(2)(ii); PCI: 3.4,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,8.2.1; |
ams-nist-cis-redshift-cluster-configuration-check | RedShift | Config Changes | Report | CIS: CIS.6,CIS.13,CIS.5; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-1,PR.PT-1; HIPAA: 164.312(a)(2)(iv),164.312(b),164.312(e)(2)(ii); PCI: 3.4,8.2.1,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6; |
ams-nist-cis-redshift-cluster-public-access-check | RedShift | Config Changes | Report | CIS: CIS.12,CIS.14,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-redshift-require-tls-ssl | RedShift | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 2.3,4.1; |
ams-nist-cis-root-account-hardware-mfa-enabled | IAM | Periodic | Report | CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-7; HIPAA: 164.312(d); PCI: 2.2,8.3; |
ams-nist-cis-root-account-mfa-enabled | IAM | Periodic | Report | CIS: CIS.16,CIS.4; NIST-CSF: PR.AC-7; HIPAA: 164.312(d); PCI: 2.2,8.3; |
ams-nist-cis-s3-bucket-default-lock-enabled | S3 | Config Changes | Report | CIS: CIS.14,CIS.13; NIST-CSF: ID.BE-5,PR.PT-5,RC.RP-1; HIPAA: NA; PCI: NA; |
ams-nist-cis-s3-bucket-logging-enabled | S3 | Config Changes | Report | CIS: CIS.6; NIST-CSF: DE.AE-1,DE.AE-3,PR.DS-5,PR.PT-1; HIPAA: 164.308(a)(3)(ii)(A),164.312(b); PCI: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6; |
ams-nist-cis-s3-bucket-replication-enabled | S3 | Config Changes | Report | CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B); PCI: 2.2,10.5.3; |
ams-nist-cis-s3-bucket-ssl-requests-only | S3 | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-2; HIPAA: 164.312(a)(2)(iv),164.312(c)(2),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii); PCI: 2.2,4.1,8.2.1; |
ams-nist-cis-s3-bucket-versioning-enabled | S3 | Periodic | Report | CIS: CIS.10; NIST-CSF: ID.BE-5,PR.DS-4,PR.DS-6,PR.IP-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.308(a)(7)(ii)(B),164.312(c)(1),164.312(c)(2); PCI: 10.5.3; |
ams-nist-cis-sagemaker-endpoint-configuration-kms-key-configured | SageMaker | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-nist-cis-sagemaker-notebook-instance-kms-key-configured | SageMaker | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-nist-cis-sagemaker-notebook-no-direct-internet-access | SageMaker | Periodic | Report | CIS: CIS.12,CIS.9; NIST-CSF: PR.AC-3,PR.AC-4,PR.AC-5,PR.DS-5,PR.PT-3,PR.PT-4; HIPAA: 164.308(a)(3)(i),164.308(a)(4)(ii)(A),164.308(a)(4)(ii)(C),164.312(a)(1),164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2; |
ams-nist-cis-secretsmanager-rotation-enabled-check | Secrets Manager | Config Changes | Report | CIS: CIS.16; NIST-CSF: PR.AC-1; HIPAA: 164.308(a)(4)(ii)(B); PCI: NA; |
ams-nist-cis-secretsmanager-scheduled-rotation-success-check | Secrets Manager | Config Changes | Report | CIS: CIS.16; NIST-CSF: PR.AC-1; HIPAA: 164.308(a)(4)(ii)(B); PCI: NA; |
ams-nist-cis-sns-encrypted-kms | SNS | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 8.2.1; |
ams-nist-cis-vpc-sg-open-only-to-authorized-ports | VPC | Config Changes | Report | CIS: CIS.11,CIS.12,CIS.9; NIST-CSF: DE.AE-1,PR.AC-3,PR.AC-5,PR.PT-4; HIPAA: 164.312(e)(1); PCI: 1.2,1.3,1.2.1,1.3.1,1.3.2,2.2.2; |
ams-nist-vpc-vpn-2-tunnels-up | VPC | Config Changes | Report | CIS: NA; NIST-CSF: ID.BE-5,PR.DS-4,PR.PT-5,RC.RP-1; HIPAA: 164.308(a)(7)(i); PCI: NA; |
ams-cis-ec2-ebs-encryption-by-default | EC2 | Periodic | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 2.2,3.4,8.2.1; |
ams-cis-rds-snapshot-encrypted | RDS | Config Changes | Report | CIS: CIS.13,CIS.14; NIST-CSF: PR.DS-1; HIPAA: 164.312(a)(2)(iv),164.312(e)(2)(ii); PCI: 3.4,8.2.1; |
ams-cis-redshift-cluster-maintenancesettings-check | RedShift | Config Changes | Report | CIS: CIS.5; NIST-CSF: PR.DS-4,PR.IP-1,PR.IP-4; HIPAA: 164.308(a)(5)(ii)(A),164.308(a)(7)(ii)(A); PCI: 6.2; |
Responses to violations in Accelerate
All Config Rule violations appear in your Configuration Report. This is a universal response. Depending on the Remediation Category (severity) of the rule, AMS might take additional actions, summarized in the following table. For details on how to customize the Action Code for certain rules, see Customized findings responses.
Remediation Actions
Action Code | AMS Actions |
---|---|
Report | The violation appears in your Config Report. By default, AMS takes no further action; you can open a Service Request to ask for help or remediation. |
Incident | The violation appears in your Config Report, and AMS automatically creates an Incident Report asking which action you want taken. |
Remediate | The violation appears in your Config Report, AMS creates an Incident Report and starts an automated remediation using its SSM documents, then updates the incident with the result; if the automation fails, an AMS engineer investigates. |
Requesting Additional Help
Note
AMS can remediate any violation for you, regardless of its remediation category. To request help, submit a Service Request and indicate which resources you want AMS to remediate with a comment such as "As part of the AMS config rule remediation, please remediate noncompliant resources RESOURCE_ARNS_OR_IDs, config rule CONFIG_RULE_NAME in the account", and add the inputs required to remediate the violation.
AMS Accelerate has a library of AWS Systems Manager automation documents and runbooks to assist in remediating noncompliant resources.
Add to Config Report
AMS generates a Config Report that tracks the compliance status of all rules and resources in your account. You can request the report from your CSDM. You can also review compliance status from the AWS Config console, AWS CLI, or AWS Config API. Your Config Report includes:
The top noncompliant resources in your environment, to help you discover potential threats and misconfigurations
Compliance of resources and config rules over time
Config rule descriptions, severity of rules, and recommended remediation steps to fix noncompliant resources
When any resource goes into a noncompliant state, the resource status (and rule status) becomes Noncompliant in your Config Report. If the rule belongs to the Report (Config Report only) remediation category, by default AMS takes no further action. You can always create a Service Request to request additional help or remediation from AMS.
For more details, see AWS Config Reporting.
Automatic incident report in Accelerate
For moderately severe rule violations, AMS automatically creates an Incident Report to notify you that a resource has gone into a noncompliant state, and asks which actions you would like to be performed. You have the following options when responding to an incident:
Request that AMS remediate the noncompliant resources listed in the incident. Then, we attempt to remediate the noncompliant resource, and notify you once the underlying incident has been resolved.
You can resolve the noncompliant item manually in the console or through your automated deployment system (for example, CI/CD Pipeline template updates); then, you can resolve the incident. The noncompliant resource is re-evaluated as per the rule’s schedule and, if the resource is evaluated as noncompliant, a new incident report is created.
You can choose to not resolve the noncompliant resource and simply resolve the incident. If you update the configuration of the resource later, AWS Config will trigger a re-evaluation and you will again be alerted to evaluate the noncompliance of that resource.
Automatic remediation in Accelerate
The most critical rules belong to the Auto Remediate category. Noncompliance with these rules may strongly impact the security and availability of your accounts. When a resource violates one of these rules:
AMS automatically notifies you with an Incident Report.
AMS starts an automated remediation using our automated SSM documents.
AMS updates the Incident Report with success or failure of the automated remediation.
If automated remediation failed, an AMS engineer investigates the issue.
Creating rule exceptions in Accelerate
The AWS Config Rules resource exception feature allows you to suppress reporting of specific noncompliant resources for specific rules.
Note
Exempted resources still show as Noncompliant in the AWS Config console. In Config Reports, exempted resources appear with a special flag (resource_exception:True), and your CSDM can filter them out on that column when generating reports.
If you have resources that you know are not compliant, you can exclude a specific resource for a specific config rule from your Config Reports. To do this:
Submit a service request to Accelerate against your account with the list of config rules and resources to be exempted from the report. You must provide an explicit business justification (for example, no need to report that resource_name_1 and resource_name_2 are not backed up because we do not want them backed up). For help submitting an Accelerate service request, see Creating a service request in Accelerate.
Paste the following inputs into the request (add a separate block for every resource, with all the required fields, as shown), and then submit:

```json
[
  {
    "resource_name": "resource_name_1",
    "config_rule_name": "config_rule_name_1",
    "business_justification": "REASON_TO_EXEMPT_RESOURCE",
    "resource_type": "resource_type"
  },
  {
    "resource_name": "resource_name_2",
    "config_rule_name": "config_rule_name_2",
    "business_justification": "REASON_TO_EXEMPT_RESOURCE",
    "resource_type": "resource_type"
  }
]
```
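A service request with a misspelled rule name, a missing field, or a one-word justification simply bounces back, so it pays to validate the block list before pasting it. The following Python is an added example, not AMS tooling: the field names match the block above; `KNOWN_RULES` is a small subset of the rule table on this page; and the `AWS::Service::Type` resource-type format check and the minimum justification length are this example's assumptions, not AMS requirements.

```python
"""Validate and serialise the exception block list for an Accelerate service request.

Added example, not AMS tooling. Field names follow the block on this page.
KNOWN_RULES is a subset of the rule table; the AWS::Service::Type check and the
minimum justification length are this example's assumptions, not AMS rules.
"""
import json
import re

KNOWN_RULES = {
    "ams-nist-cis-db-instance-backup-enabled",
    "ams-nist-cis-s3-bucket-public-read-prohibited",
    "ams-nist-cis-s3-bucket-versioning-enabled",
}
REQUIRED = ("resource_name", "config_rule_name", "business_justification", "resource_type")
RESOURCE_TYPE_RE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")  # assumed AWS Config format
MIN_JUSTIFICATION = 20  # assumed threshold; the page only says "explicit business justification"


def validate_exception(entry, known_rules=KNOWN_RULES):
    """Return the list of problems with one block; an empty list means it is submittable."""
    problems = [f"missing {f}" for f in REQUIRED if not str(entry.get(f, "")).strip()]
    rule = entry.get("config_rule_name", "")
    if rule and not rule.startswith("ams-"):
        problems.append("config_rule_name is not an AMS rule (no ams- prefix)")
    elif rule and rule not in known_rules:
        problems.append(f"unknown AMS rule {rule}")
    rtype = entry.get("resource_type", "")
    if rtype and not RESOURCE_TYPE_RE.match(rtype):
        problems.append("resource_type is not in AWS::Service::Type form")
    if len(entry.get("business_justification", "").strip()) < MIN_JUSTIFICATION:
        problems.append("business_justification is too short to be an explicit justification")
    return problems


def check_exception_request(entries, known_rules=KNOWN_RULES):
    """Map each offending entry index to its problems; a repeated resource/rule pair is a problem too."""
    errors, seen = {}, set()
    for i, entry in enumerate(entries):
        problems = validate_exception(entry, known_rules)
        key = (entry.get("resource_name"), entry.get("config_rule_name"))
        if key in seen:
            problems.append("duplicate resource/rule pair")
        seen.add(key)
        if problems:
            errors[i] = problems
    return errors


def build_exception_request(entries, known_rules=KNOWN_RULES):
    """Return the JSON array to paste into the service request, or raise listing every problem."""
    errors = check_exception_request(entries, known_rules)
    if errors:
        raise ValueError(f"fix these before submitting: {errors}")
    return json.dumps([{f: e[f] for f in REQUIRED} for e in entries], indent=2)


# Constructed sample entries (not real resources).
SAMPLE_ENTRIES = [
    {"resource_name": "orders-scratch-db",
     "config_rule_name": "ams-nist-cis-db-instance-backup-enabled",
     "business_justification": "Scratch database rebuilt nightly from CI; backups are intentionally disabled.",
     "resource_type": "AWS::RDS::DBInstance"},
    {"resource_name": "marketing-site-assets",
     "config_rule_name": "ams-nist-cis-s3-bucket-public-read-prohibited",
     "business_justification": "Static marketing site; public read access is required by design.",
     "resource_type": "AWS::S3::Bucket"},
]

if __name__ == "__main__":
    print(build_exception_request(SAMPLE_ENTRIES))
```

Keep the validated list under version control alongside the justification: the exception only changes what the Config Report shows, the resource stays Noncompliant in AWS Config, so the list is the record of what you consciously chose not to act on.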
Reduce AWS Config costs in Accelerate
You can reduce AWS Config costs by opting in to periodic recording for the AWS::EC2::Instance resource type. Periodic recording captures the latest configuration of your resources once every 24 hours instead of every change, reducing the number of configuration items delivered. When enabled, AWS Config records only the latest configuration of a resource at the end of each 24-hour period. This lets you tailor configuration data to operational planning, compliance, and audit use cases that don't require continuous monitoring. This change is recommended only if you run applications on ephemeral architectures, meaning you constantly scale the number of instances up or down; note that rules triggered by configuration changes on that resource type then evaluate the daily snapshot rather than each intermediate change.
To opt in to periodic recording for the AWS::EC2::Instance resource type, contact your AMS Delivery Team.