From 492cd111213103a272f4e76bb7be7b7a4b8c848c Mon Sep 17 00:00:00 2001
From: Isaac Teuscher
Date: Fri, 16 May 2025 16:25:39 -0600
Subject: [PATCH 1/3] spacing
---
 .../Operational-Best-Practices-for-FedRAMP-Low.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml
index f17721b2..38836bef 100644
--- a/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml
+++ b/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml
@@ -1,9 +1,9 @@
 ##################################################################################
 #
 # Conformance Pack:
-# Operational Best Practices for FedRAMP(Low)
+# Operational Best Practices for FedRAMP (Low)
 #
-# This conformance pack helps verify compliance with FedRAMP(Low) requirements.
+# This conformance pack helps verify compliance with FedRAMP (Low) requirements.
 #
 # This Conformance Pack has been designed for compatibility with the majority of AWS
 # regions and to not require setting of any Parameters. Additional managed rules that
From 8a803b88cce01ceca29d4acb1082f5f6ebce3f20 Mon Sep 17 00:00:00 2001
From: Isaac Teuscher
Date: Fri, 16 May 2025 16:32:20 -0600
Subject: [PATCH 2/3] Fixes to config rules for GovCloud
---
 ...tional-Best-Practices-for-FedRAMP-Low.yaml | 157 +++++++++---------
 1 file changed, 82 insertions(+), 75 deletions(-)
diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml
index 38836bef..44483c5a 100644
--- a/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml
+++ b/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml
@@ -257,7 +257,7 @@ Resources: Type: AWS::Config::ConfigRule CloudTrailEnabled: Properties: - ConfigRuleName: cloudtrail-enabled + ConfigRuleName: cloud-trail-enabled Source: Owner: AWS SourceIdentifier: CLOUD_TRAIL_ENABLED @@ -476,7 +476,7 @@ Resources: Type: AWS::Config::ConfigRule Ec2InstanceManagedBySsm: Properties: - ConfigRuleName: ec2-instance-managed-by-systems-manager + ConfigRuleName: ec2-instance-managed-by-ssm Scope: ComplianceResourceTypes: - AWS::EC2::Instance @@ -558,16 +558,16 @@ Resources: Owner: AWS SourceIdentifier: EC2_VOLUME_INUSE_CHECK Type: AWS::Config::ConfigRule - EcsTaskDefinitionMemoryHardLimit: - Properties: - ConfigRuleName: ecs-task-definition-memory-hard-limit - Scope: - ComplianceResourceTypes: - - AWS::ECS::TaskDefinition - Source: - Owner: AWS - SourceIdentifier: ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT - Type: AWS::Config::ConfigRule + # EcsTaskDefinitionMemoryHardLimit: + # Properties: + # ConfigRuleName: ecs-task-definition-memory-hard-limit + # Scope: + # ComplianceResourceTypes: + # - AWS::ECS::TaskDefinition + # Source: + # Owner: AWS + # SourceIdentifier: ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT + # Type: AWS::Config::ConfigRule EcsTaskDefinitionUserForHostModeCheck: Properties: ConfigRuleName: ecs-task-definition-user-for-host-mode-check @@ -869,7 +869,7 @@ Resources: Type: AWS::Config::ConfigRule IncomingSshDisabled: Properties: - ConfigRuleName: restricted-ssh + ConfigRuleName: incoming-ssh-disabled Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup @@ -879,7 +879,7 @@ Resources: Type: AWS::Config::ConfigRule InstancesInVpc: Properties: - ConfigRuleName: ec2-instances-in-vpc + ConfigRuleName: instances-in-vpc Scope: ComplianceResourceTypes: - AWS::EC2::Instance 
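Review bot: The ConfigRuleName change on CloudTrailEnabled (`cloudtrail-enabled` to `cloud-trail-enabled`), like the other renames in this commit (Ec2InstanceManagedBySsm, IncomingSshDisabled, InstancesInVpc), is not cosmetic for anyone who already has this pack deployed: ConfigRuleName is the rule's identity, so as far as I can tell an update of an existing conformance pack replaces the old rule with a new one, losing its evaluation history, and any remediation configuration, alarm or dashboard keyed on the old name silently stops matching. Neither the hunk nor the commit message says why the names had to change for GovCloud. If there is a naming requirement, record it above the first renamed rule, e.g. `# ConfigRuleName values renamed for GovCloud deployment; renaming replaces the deployed rule and its compliance history.`; otherwise keep the original names. The enclosing Resources mapping starts and ends outside the hunk.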
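Review bot: EcsTaskDefinitionMemoryHardLimit is commented out rather than removed, with no comment saying why, so the next reader cannot tell whether this is a GovCloud availability gap, a temporary workaround, or a deliberate drop of the control from the FedRAMP (Low) baseline; the same applies to the other blocks this commit comments out. The file is still the generic FedRAMP Low pack, so deployments in commercial regions lose this check as well. Add a one-line reason above the block, e.g. `# Disabled: ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT is presumed unavailable in AWS GovCloud (US) regions; confirm before re-enabling elsewhere.`, or, if the pack template supports it, keep the rule behind a region Condition so that commercial-region deployments retain it instead of carrying dead commented code.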
@@ -957,11 +957,18 @@ Resources: Type: AWS::Config::ConfigRule MultiRegionCloudTrailEnabled: Properties: - ConfigRuleName: multi-region-cloudtrail-enabled + ConfigRuleName: multi-region-cloud-trail-enabled Source: Owner: AWS SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED Type: AWS::Config::ConfigRule + NaclNoUnrestrictedSshRdp: + Properties: + ConfigRuleName: nacl-no-unrestricted-ssh-rdp + Source: + Owner: AWS + SourceIdentifier: NACL_NO_UNRESTRICTED_SSH_RDP + Type: AWS::Config::ConfigRule NoUnrestrictedRouteToIgw: Properties: ConfigRuleName: no-unrestricted-route-to-igw @@ -978,16 +985,16 @@ Resources: Owner: AWS SourceIdentifier: NO_UNRESTRICTED_ROUTE_TO_IGW Type: AWS::Config::ConfigRule - OpensearchInVpcOnly: - Properties: - ConfigRuleName: opensearch-in-vpc-only - Scope: - ComplianceResourceTypes: - - AWS::OpenSearch::Domain - Source: - Owner: AWS - SourceIdentifier: OPENSEARCH_IN_VPC_ONLY - Type: AWS::Config::ConfigRule + # OpensearchInVpcOnly: + # Properties: + # ConfigRuleName: opensearch-in-vpc-only + # Scope: + # ComplianceResourceTypes: + # - AWS::OpenSearch::Domain + # Source: + # Owner: AWS + # SourceIdentifier: OPENSEARCH_IN_VPC_ONLY + # Type: AWS::Config::ConfigRule RdsEnhancedMonitoringEnabled: Properties: ConfigRuleName: rds-enhanced-monitoring-enabled 
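Review bot: The new NaclNoUnrestrictedSshRdp rule has no Scope, while the neighbouring resource-level rules in this file (IncomingSshDisabled with `AWS::EC2::SecurityGroup`, InstancesInVpc with `AWS::EC2::Instance`) pin ComplianceResourceTypes. NACL_NO_UNRESTRICTED_SSH_RDP evaluates network ACLs (per its name), so for consistency add `Scope:` / `ComplianceResourceTypes:` / `- AWS::EC2::NetworkAcl` under Properties. Since the commit is about GovCloud, it is also worth confirming this managed rule is offered in the target GovCloud regions before relying on it as the replacement for the security-group port checks dropped elsewhere in this commit. The enclosing Resources mapping continues outside the hunk.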
@@ -1122,56 +1129,56 @@ Resources: Owner: AWS SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL Type: AWS::Config::ConfigRule - RestrictedIncomingTraffic: - Properties: - ConfigRuleName: restricted-common-ports - InputParameters: - blockedPort1: - Fn::If: - - restrictedIncomingTrafficParamBlockedPort1 - - Ref: RestrictedIncomingTrafficParamBlockedPort1 - - Ref: AWS::NoValue - blockedPort2: - Fn::If: - - restrictedIncomingTrafficParamBlockedPort2 - - Ref: RestrictedIncomingTrafficParamBlockedPort2 - - Ref: AWS::NoValue - blockedPort3: - Fn::If: - - restrictedIncomingTrafficParamBlockedPort3 - - Ref: RestrictedIncomingTrafficParamBlockedPort3 - - Ref: AWS::NoValue - blockedPort4: - Fn::If: - - restrictedIncomingTrafficParamBlockedPort4 - - Ref: RestrictedIncomingTrafficParamBlockedPort4 - - Ref: AWS::NoValue - blockedPort5: - Fn::If: - - restrictedIncomingTrafficParamBlockedPort5 - - Ref: RestrictedIncomingTrafficParamBlockedPort5 - - Ref: AWS::NoValue - Scope: - ComplianceResourceTypes: - - AWS::EC2::SecurityGroup - Source: - Owner: AWS - SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC - Type: AWS::Config::ConfigRule - RootAccountHardwareMfaEnabled: - Properties: - ConfigRuleName: root-account-hardware-mfa-enabled - Source: - Owner: AWS - SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED - Type: AWS::Config::ConfigRule - RootAccountMfaEnabled: - Properties: - ConfigRuleName: root-account-mfa-enabled - Source: - Owner: AWS - SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED - Type: AWS::Config::ConfigRule + # RestrictedIncomingTraffic: + # Properties: + # ConfigRuleName: restricted-common-ports + # InputParameters: + # blockedPort1: + # Fn::If: + # - restrictedIncomingTrafficParamBlockedPort1 + # - Ref: RestrictedIncomingTrafficParamBlockedPort1 + # - Ref: AWS::NoValue + # blockedPort2: + # Fn::If: + # - restrictedIncomingTrafficParamBlockedPort2 + # - Ref: RestrictedIncomingTrafficParamBlockedPort2 + # - Ref: AWS::NoValue + # blockedPort3: + # Fn::If: + # - 
restrictedIncomingTrafficParamBlockedPort3 + # - Ref: RestrictedIncomingTrafficParamBlockedPort3 + # - Ref: AWS::NoValue + # blockedPort4: + # Fn::If: + # - restrictedIncomingTrafficParamBlockedPort4 + # - Ref: RestrictedIncomingTrafficParamBlockedPort4 + # - Ref: AWS::NoValue + # blockedPort5: + # Fn::If: + # - restrictedIncomingTrafficParamBlockedPort5 + # - Ref: RestrictedIncomingTrafficParamBlockedPort5 + # - Ref: AWS::NoValue + # Scope: + # ComplianceResourceTypes: + # - AWS::EC2::SecurityGroup + # Source: + # Owner: AWS + # SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC + # Type: AWS::Config::ConfigRule + # RootAccountHardwareMfaEnabled: + # Properties: + # ConfigRuleName: root-account-hardware-mfa-enabled + # Source: + # Owner: AWS + # SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED + # Type: AWS::Config::ConfigRule + # RootAccountMfaEnabled: + # Properties: + # ConfigRuleName: root-account-mfa-enabled + # Source: + # Owner: AWS + # SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED + # Type: AWS::Config::ConfigRule S3AccountLevelPublicAccessBlocksPeriodic: Properties: ConfigRuleName: s3-account-level-public-access-blocks-periodic From a6bc5d1ac37f210d59321bdaf444758deed65b19 Mon Sep 17 00:00:00 2001 From: Isaac Teuscher Date: Fri, 16 May 2025 16:40:15 -0600 Subject: [PATCH 3/3] Remove WAF web acl not empty rule --- ...ational-Best-Practices-for-FedRAMP-Low.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml index 44483c5a..74030681 100644 --- a/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml +++ b/aws-config-conformance-packs/Operational-Best-Practices-for-FedRAMP-Low.yaml 
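Review bot: Commenting out RootAccountMfaEnabled and RootAccountHardwareMfaEnabled removes the only root-credential MFA checks in the pack, and RestrictedIncomingTraffic removes the common-ports ingress check, with nothing recording the reason; this is still the generic FedRAMP (Low) pack, so commercial-region deployments lose these controls too. If the reason is that these managed rules are not offered in GovCloud regions (I believe that is the case for the root-account rules, but it should be verified), say so above each block, e.g. `# Not available in AWS GovCloud (US) regions; keep enabled for commercial-region deployments.`. The RestrictedIncomingTrafficParamBlockedPort1-5 parameters and their matching conditions referenced here are presumably still declared earlier in the template and are now unused; either drop them or note that they are retained for the disabled rule. Prefer a region Condition over commented-out code so the controls stay active where supported; the Resources mapping extends beyond this hunk.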
@@ -1364,15 +1364,15 @@ Resources: Owner: AWS SourceIdentifier: VPC_VPN_2_TUNNELS_UP Type: AWS::Config::ConfigRule - WafRegionalWebaclNotEmpty: - Properties: - ConfigRuleName: waf-regional-webacl-not-empty - Scope: - ComplianceResourceTypes: - - AWS::WAFRegional::WebACL - Source: - Owner: AWS - SourceIdentifier: WAF_REGIONAL_WEBACL_NOT_EMPTY + # WafRegionalWebaclNotEmpty: + # Properties: + # ConfigRuleName: waf-regional-webacl-not-empty + # Scope: + # ComplianceResourceTypes: + # - AWS::WAFRegional::WebACL + # Source: + # Owner: AWS + # SourceIdentifier: WAF_REGIONAL_WEBACL_NOT_EMPTY Type: AWS::Config::ConfigRule Wafv2LoggingEnabled: Properties:
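Review bot: The comment-out is incomplete: the closing `Type: AWS::Config::ConfigRule` of WafRegionalWebaclNotEmpty is left uncommented, so after this change it sits under the preceding VpcVpn2TunnelsUp resource as a second `Type` key at the same indentation. Duplicate mapping keys are invalid YAML; depending on the loader this either fails template validation or silently takes the last value, and either way it leaves a stray line a reader cannot place. Prefix it like the rest of the block, `  # Type: AWS::Config::ConfigRule`, or delete the whole resource instead of commenting it out; the Resources mapping continues outside the hunk.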