
Comments (5)

Michael-McClelland commented on August 17, 2024 (1)

I'd like to see a rule that checks to ensure that EFS volumes are utilizing encryption at rest that can be configured to trigger on EFS volume creation events.

from aws-config-rules.
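One way the requested rule could be implemented is as a change-triggered custom AWS Config rule backed by a Lambda function. The following is an added example, not code from the aws-config-rules project or from the commenter. It assumes the rule is scoped to the `AWS::EFS::FileSystem` resource type (so Config invokes it on file system creation and on later configuration changes), and that the configuration item's `configuration` block mirrors the EFS `DescribeFileSystems` shape, carrying `Encrypted` and, when set, `KmsKeyId`. The sample event at the bottom is constructed for illustration.

```python
"""Custom AWS Config rule: flag EFS file systems that are not encrypted at rest.

Added example, not part of aws-config-rules. Assumptions:
- The rule is a change-triggered custom rule scoped to AWS::EFS::FileSystem.
- ``configurationItem.configuration`` mirrors DescribeFileSystems, i.e. it has
  ``Encrypted`` (bool) and, when encrypted, ``KmsKeyId``.
"""
import json

EFS_TYPE = "AWS::EFS::FileSystem"


def evaluate_compliance(configuration_item):
    """Return (compliance_type, annotation) for one configuration item.

    Handles the edge cases a change-triggered rule sees: resource types the rule
    should ignore, deleted resources, and a missing Encrypted attribute.
    """
    if configuration_item.get("resourceType") != EFS_TYPE:
        return "NOT_APPLICABLE", "Rule only evaluates EFS file systems"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource has been deleted"
    configuration = configuration_item.get("configuration") or {}
    encrypted = configuration.get("Encrypted")
    if encrypted is True:
        key = configuration.get("KmsKeyId") or "service-managed default key"
        return "COMPLIANT", "Encrypted at rest with key %s" % key
    if encrypted is None:
        # Fail closed: an unknown encryption state is reported as non-compliant.
        return "NON_COMPLIANT", "Encrypted attribute missing; treated as unencrypted"
    return "NON_COMPLIANT", "File system is not encrypted at rest"


def build_evaluation(event):
    """Turn a Config invocation event into one PutEvaluations entry, or None."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized notifications and scheduled runs carry no configuration item
        # inline; they would need a DescribeFileSystems call, out of scope here.
        return None
    ci = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate and report the result back to Config."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"skipped": True}
    import boto3  # assumption: executed in Lambda, where boto3 is available
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event shaped like a Config change notification for a
# freshly created, unencrypted file system (identifiers are placeholders).
SAMPLE_EVENT = {
    "resultToken": "placeholder-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": EFS_TYPE,
            "resourceId": "fs-0000example",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-08-17T00:00:00.000Z",
            "configuration": {"FileSystemId": "fs-0000example", "Encrypted": False},
        },
    }),
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

`evaluate_compliance` is kept free of AWS calls so the decision logic can be unit tested against constructed configuration items; only `lambda_handler` touches the Config API.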

osintr0ze commented on August 17, 2024 (1)

I would love to see rules that correlate to each of the applicable NIST SP 800-53 controls (obviously physical controls wouldn't apply). It's a moving target since they get updated every now and then, but having a managed rule to flip on for compliance would be great.


jongogogo commented on August 17, 2024

Thanks for the feedback.
@slashrun: Noted, I'll add the EFS volume encryption to our backlog.
@osintr0ze: Yes, that would be great to have NIST, I agree; it is such a big task to cover at once. We are thinking of doing that iteratively. If you had 10 controls (either NIST or Config Rules) you really wanted, what would they be?


osintr0ze commented on August 17, 2024

NIST 800-53 controls that could easily be turned into Config Rules would be:

  1. CP-9: Information System Backup - Pretty much checking if backups are deployed (database snapshots, etc.) and protected (confidentiality, integrity, and availability).

  2. AU-2: Audit Events - auditing is turned on (CloudTrail, CloudWatch, Access Logs, VPC Flow Logs, etc.)

  3. AU-7: Audit Reduction and Report Generation - audit review, analysis, and reporting is available and content is not altered - (CloudTrail forwarding to CloudWatch, Athena, Lambda, log validation turned on, etc.)

  4. AU-10: Non-Repudiation - protects against an individual falsely denying having done something (IAM users, CloudTrail log user/role assumption, etc.)

  5. AU-11: Audit Record Retention - retain audit records for x time period (Lifecycle policies, log expiration in CloudWatch/CloudTrail S3 policies)

  6. CA-2: Security Assessments - security assessment capability, implementation of security controls, reporting (AWS Config, State Manager > Compliance, reports generated)

  7. CM-5: Access Restrictions for Change - enforce logical access restrictions associated with changes to the information system (IAM policies that are restricted to ReadOnly, etc)

  8. CM-8: Information System Component Inventory - documents an inventory of information system components (generate a list of EC2 instances, endpoints, VPCs, etc.)

  9. SC-4: Information in Shared Resources - prevent unauthorized and unintended information transfer via shared system resources (S3 bucket policies, prevent public exposure)

  10. SC-5: Denial of Service Protection - protect against effects of denial of service attacks (AWS Shield, etc.)


jongogogo commented on August 17, 2024

Thanks a lot for the feedback. We are now providing the ability for you to post your aspirational rule; we will do our best to build it.
