AWS Security Blog

Announcing the AWS Config Rules Repository: A New Community-Based Source of Custom Rules for AWS Config

Today, we’re happy to release the AWS Config Rules repository, a community-based source of custom AWS Config Rules. This new repository gives you a streamlined way to automate your assessment and compliance against best practices for security of AWS resources. AWS Config Rules is a service that provides automated, periodic security and compliance checking of AWS resources, and affords customers the ability to forego manual inspection of security configurations.

The AWS Config Rules repository accelerates automated compliance checking by allowing customers to tap in to the collective ingenuity and expertise of the AWS community. Additionally, the repository is free, public, and hosted on an independent platform, and it contains full source code for each rule, allowing you to learn and contribute. We look forward to working together to leverage the combined wisdom and lessons learned by our security experts and the security experts in the broader AWS user base.

As I mentioned in my previous post, we have partnered with the Center for Internet Security to establish industry best practices for securing AWS accounts. The repository has been seeded with rules that will help you maintain alignment with these best practices. Here’s a sample of the Custom Rules you now have access to:

  1. Ensure CloudTrail is enabled in all regions.
  2. Ensure all accounts have multi-factor authentication (MFA) enabled.
  3. Ensure no access keys exist for the root account.
  4. Ensure an AWS Identity and Access Management (IAM) password policy exists.
  5. Ensure access keys are rotated.

To get started using these rules in your AWS account, see the readme file on GitHub. I encourage you to use this repository to share with the AWS community the Custom Rules you have written.

– Chad