AWS Config Supports New Managed Rules

Posted on: Jan 25, 2018

AWS Config now supports seven new managed rules, which are predefined rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.

The following managed rules are now supported:

  • codebuild-project-envvar-awscred-check
    • Identifies projects that store an AWS access key ID or secret access key as a plaintext environment variable. This rule helps improve the security posture of your AWS CodeBuild projects.
  • codebuild-project-source-repo-url-check
    • Identifies projects that use either a personal access token or a username and password in their source repository URL. This rule detects whether credentials for GitHub or Bitbucket are embedded in the source URL submitted to AWS CodeBuild.
  • elb_acm_certificate_required
    • Verifies that the certificates associated with your Load Balancers are managed by AWS Certificate Manager, by checking whether your Classic Load Balancers have an SSL or HTTPS listener.
  • elb_custom_security_policy_ssl_check
    • Checks whether your Classic Load Balancer SSL listeners are using a custom security policy.
  • elb_predefined_security_policy_ssl_check
    • Checks whether your Classic Load Balancer SSL listeners are using a predefined security policy.
  • iam-group-has-users-check
    • Checks whether your IAM groups have at least one IAM user. This rule identifies empty IAM groups.
  • s3-bucket-server-side-encryption-enabled
    • Checks whether server-side encryption is enabled on your S3 buckets. This rule helps improve the security posture of your S3 buckets.
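
As an added illustration of what these checks evaluate (example code written for this page, not AWS's implementation of the managed rules), the functions below reproduce the logic of four of the rules above over constructed resource records and return the same COMPLIANT / NON_COMPLIANT verdicts a Config rule reports. The record shapes are assumptions modelled on the CodeBuild, IAM and S3 API responses, and every value in them is made up for the example.

```python
"""Offline re-implementation of the logic behind four of the managed rules
listed above, in the COMPLIANT / NON_COMPLIANT shape a Config rule returns.
Added example, not AWS's code; the resource records are constructed and the
field names are assumptions modelled on the CodeBuild, IAM and S3 APIs."""
import re
from urllib.parse import urlsplit

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Environment variable names under which long-term AWS credentials are
# commonly stored, plus the value pattern of an access key ID.
CREDENTIAL_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def codebuild_envvar_awscred_check(project):
    """codebuild-project-envvar-awscred-check: flag plaintext env vars that
    hold an access key ID or secret access key. Variables resolved from
    Parameter Store or Secrets Manager are not plaintext and pass."""
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        name = var.get("name", "").upper()
        value = var.get("value", "")
        if name in CREDENTIAL_ENV_NAMES or ACCESS_KEY_ID_RE.match(value):
            return NON_COMPLIANT
    return COMPLIANT


def codebuild_source_repo_url_check(project):
    """codebuild-project-source-repo-url-check: flag GitHub/Bitbucket source
    URLs whose userinfo part carries a token or username:password."""
    source = project.get("source", {})
    if source.get("type") not in {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}:
        return COMPLIANT  # the rule only inspects these source types
    parts = urlsplit(source.get("location", ""))
    if parts.username or parts.password:
        return NON_COMPLIANT
    return COMPLIANT


def iam_group_has_users_check(group):
    """iam-group-has-users-check: an IAM group with no members is flagged."""
    return COMPLIANT if group.get("users") else NON_COMPLIANT


def s3_bucket_sse_enabled_check(bucket):
    """s3-bucket-server-side-encryption-enabled: the bucket must carry a
    default encryption rule (SSE-S3 or SSE-KMS)."""
    rules = bucket.get("serverSideEncryptionConfiguration", {}).get("rules", [])
    for rule in rules:
        algo = rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
        if algo in {"AES256", "aws:kms"}:
            return COMPLIANT
    return NON_COMPLIANT


# Constructed CodeBuild project records (not real account data).
SAMPLE_PROJECTS = {
    "build-with-plaintext-keys": {
        "environment": {"environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01", "type": "PLAINTEXT"},
        ]},
        "source": {"type": "GITHUB", "location": "https://github.com/example/app.git"},
    },
    "build-with-token-in-url": {
        "environment": {"environmentVariables": [
            {"name": "DB_PASSWORD", "value": "/prod/db/password", "type": "PARAMETER_STORE"},
        ]},
        "source": {"type": "GITHUB", "location": "https://EXAMPLETOKEN@github.com/example/app.git"},
    },
    "clean-build": {
        "environment": {"environmentVariables": []},
        "source": {"type": "CODECOMMIT", "location": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/app"},
    },
}


def evaluate_projects(projects=SAMPLE_PROJECTS):
    """Run both CodeBuild rules over each project; returns {name: {rule: verdict}}."""
    return {
        name: {
            "codebuild-project-envvar-awscred-check": codebuild_envvar_awscred_check(p),
            "codebuild-project-source-repo-url-check": codebuild_source_repo_url_check(p),
        }
        for name, p in projects.items()
    }


if __name__ == "__main__":
    for name, results in evaluate_projects().items():
        for rule, verdict in results.items():
            print(f"{name:28s} {rule:45s} {verdict}")
```

The CodeBuild checks illustrate why the managed rules matter: a credential placed in a plaintext variable or in the clone URL is visible to anyone who can read the project definition, whereas a reference into Parameter Store or Secrets Manager is not, so only the PLAINTEXT variable type is inspected.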

AWS Config supports these new rules in all public regions where Config rules are currently available and in AWS GovCloud (US).

For more information on AWS Config: