Remediation using AWS Config Rules

Rule Name | Identifier | Trigger | Frameworks | CIS | NIST-CSF | HIPAA | PCI

Remediation Category: Automatic Remediation
ams-nist-cis-guardduty-enabled-centralized | GUARDDUTY_ENABLED_CENTRALIZED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-vpc-flow-logs-enabled | VPC_FLOW_LOGS_ENABLED | Periodic | CIS, NIST, … | | | |

Remediation Category: Automatic Incident
ams-nist-cis-iam-password-policy | IAM_PASSWORD_POLICY | Periodic | NIST, HIPAA, … | | | |
ams-nist-cis-iam-root-access-key-check | IAM_ROOT_ACCESS_KEY_CHECK | Periodic | CIS, NIST, … | | | |
ams-nist-cis-iam-user-mfa-enabled | IAM_USER_MFA_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-securityhub-enabled | SECURITYHUB_ENABLED | Periodic | CIS, NIST, … | | | |

Remediation Category: Config Report Only
ams-nist-cis-cloudtrail-enabled | CLOUD_TRAIL_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-access-keys-rotated | ACCESS_KEYS_ROTATED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-alb-http-to-https-redirection-check | ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK | Periodic | CIS, NIST, … | | | |
ams-nist-cis-cloud-trail-cloud-watch-logs-enabled | CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-cloud-trail-encryption-enabled | CLOUD_TRAIL_ENCRYPTION_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-cloud-trail-log-file-validation-enabled | CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-cloudtrail-s3-dataevents-enabled | CLOUDTRAIL_S3_DATAEVENTS_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-cloudwatch-log-group-encrypted | CLOUDWATCH_LOG_GROUP_ENCRYPTED | Periodic | CIS, HIPAA, … | | | |
ams-nist-cis-dms-replication-not-public | DMS_REPLICATION_NOT_PUBLIC | Periodic | CIS, NIST, … | | | |
ams-nist-dynamodb-autoscaling-enabled | DYNAMODB_AUTOSCALING_ENABLED | Periodic | NIST, HIPAA | NA | ID.BE-5 | |
ams-nist-cis-dynamodb-pitr-enabled | DYNAMODB_PITR_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-dynamodb-throughput-limit-check | DYNAMODB_THROUGHPUT_LIMIT_CHECK | Periodic | HIPAA | NA | NA | 164.312(b) | NA
ams-nist-ebs-optimized-instance | EBS_OPTIMIZED_INSTANCE | Config Changes | HIPAA | NA | NA | 164.308(a)(7)(i) | NA
ams-nist-cis-ebs-snapshot-public-restorable-check | EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | Periodic | CIS, NIST, … | | | |
ams-nist-cis-ec2-stopped-instance | EC2_STOPPED_INSTANCE | Periodic | CIS, NIST | CIS.2 | ID.AM-2 | |
ams-nist-cis-efs-encrypted-check | EFS_ENCRYPTED_CHECK | Periodic | CIS, NIST, … | | | |
ams-nist-cis-elasticsearch-in-vpc-only | ELASTICSEARCH_IN_VPC_ONLY | Periodic | CIS, NIST, … | | | |
ams-nist-cis-emr-kerberos-enabled | EMR_KERBEROS_ENABLED | Periodic | CIS, NIST, … | | | |
ams-nist-cis-emr-master-no-public-ip | EMR_MASTER_NO_PUBLIC_IP | Periodic | CIS, NIST, … | | | |
ams-nist-cis-guardduty-non-archived-findings | GUARDDUTY_NON_ARCHIVED_FINDINGS | Periodic | CIS, NIST, … | | | |
ams-nist-cis-iam-user-unused-credentials-check | IAM_USER_UNUSED_CREDENTIALS_CHECK | Periodic | CIS, NIST, … | | | |
ams-nist-cis-internet-gateway-authorized-vpc-only | INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY | Periodic | CIS | CIS.9, CIS.12 | NA | NA | NA
ams-nist-cis-kms-cmk-not-scheduled-for-deletion | KMS_CMK_NOT_SCHEDULED_FOR_DELETION | Periodic | CIS, NIST, PCI | CIS.13, CIS.14 | PR.DS-1 | NA | 3.5, 3.6
ams-nist-lambda-concurrency-check | LAMBDA_CONCURRENCY_CHECK | Config Changes | HIPAA | NA | NA | 164.312(b) | NA
ams-nist-lambda-dlq-check | LAMBDA_DLQ_CHECK | Config Changes | HIPAA | NA | NA | 164.312(b) | NA
ams-nist-cis-mfa-enabled-for-iam-console-access | MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | Periodic | CIS, NIST, HIPAA, PCI | CIS.16 | PR.AC-7 | 164.312(d) | 2.2, 8.3
ams-nist-cis-multi-region-cloudtrail-enabled | MULTI_REGION_CLOUD_TRAIL_ENABLED | Periodic | CIS, NIST, HIPAA | NA | PR.PT-1 | 164.312(b) | NA
ams-nist-cis-redshift-require-tls-ssl | REDSHIFT_REQUIRE_TLS_SSL | Periodic | CIS, NIST, … | | | |
ams-nist-cis-root-account-hardware-mfa-enabled | ROOT_ACCOUNT_HARDWARE_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16, CIS.4 | PR.AC-7 | 164.312(d) | 2.2, 8.3
ams-nist-cis-root-account-mfa-enabled | ROOT_ACCOUNT_MFA_ENABLED | Periodic | CIS, NIST, HIPAA, PCI | CIS.16, CIS.4 | PR.AC-7 | 164.312(d) | 2.2, 8.3
ams-nist-cis-s3-bucket-versioning-enabled | S3_BUCKET_VERSIONING_ENABLED | Periodic | CIS, NIST, … | | | |
ams-cis-ec2-ebs-encryption-by-default | EC2_EBS_ENCRYPTION_BY_DEFAULT | Periodic | CIS, NIST, … | | | |
Incident response
Upon receiving an alert, the AMS team uses automated and manual remediations to bring the resources back to a healthy state. If remediation fails, AMS starts the incident management process to collaborate with your team. You can change the baselines by updating the default configuration in a configuration file.
Incident response and onboarding in AMS Accelerate
During onboarding, AMS Accelerate suppresses automatic incident creation for your existing noncompliant resources; instead, your Cloud Service Delivery Manager (CSDM) provides you with a report that lists every noncompliant rule and resource for your review. After you have identified the rules that you want AMS to remediate, create a service request in the AWS Support Center console naming those rules and resources. The following service request template is an example of a customer request asking AMS to manually remediate noncompliant resources. If AMS has additional questions, we work with you in the service request to gather the information required.
Hello,
Please remediate the following resources for the Config Rule “ENCRYPTED_VOLUMES”.
Resource List:
"Vol-12345678"
"Vol-87654312"
Thank you
After onboarding is complete, AMS Accelerate automatically creates an incident for each noncompliant resource of every rule in the Automatic Incident remediation category of the preceding table.
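The resource list in that template comes from AWS Config's per-rule compliance details. The following is an added example, not AMS or AWS code, that walks the paginated output of get-compliance-details-by-config-rule, keeps only NON_COMPLIANT resources, renders the request text in the format above, and classifies a deployed rule's trigger (Periodic or Config Changes) from its Source definition so it can be checked against the table. The deployed rule name ams-nist-cis-encrypted-volumes, the volume IDs and both sample responses are constructed for illustration; only the response shapes are the real API's. The boto3 fetch is optional and is not exercised by the offline sample.

```python
# Assumed deployed rule name; the page itself only shows the managed-rule identifier.
RULE_NAME = "ams-nist-cis-encrypted-volumes"


def _result(resource_id, compliance):
    """One EvaluationResults entry in the real API shape (constructed data)."""
    qualifier = {"ConfigRuleName": RULE_NAME, "ResourceType": "AWS::EC2::Volume",
                 "ResourceId": resource_id}
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": qualifier},
            "ComplianceType": compliance}


# Constructed sample: two pages as returned by
#   aws configservice get-compliance-details-by-config-rule --config-rule-name <rule>
# Volume IDs are made up; the last page carries no NextToken.
SAMPLE_PAGES = [
    {"EvaluationResults": [_result("vol-0a1b2c3d4e5f60001", "NON_COMPLIANT"),
                           _result("vol-0a1b2c3d4e5f60002", "COMPLIANT")],
     "NextToken": "page-2"},
    {"EvaluationResults": [_result("vol-0a1b2c3d4e5f60003", "NON_COMPLIANT"),
                           _result("vol-0a1b2c3d4e5f60001", "NON_COMPLIANT")]},  # repeat
]

# Constructed sample of one ConfigRules entry from `aws configservice describe-config-rules`.
SAMPLE_RULE = {
    "ConfigRuleName": RULE_NAME,
    "Source": {"Owner": "AWS", "SourceIdentifier": "ENCRYPTED_VOLUMES",
               "SourceDetails": [
                   {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"},
                   {"EventSource": "aws.config", "MessageType": "OversizedConfigurationItemChangeNotification"}]},
}


def noncompliant_resources(pages):
    """Collect unique (ResourceType, ResourceId) pairs marked NON_COMPLIANT across
    all pages; the API paginates with NextToken, so one page is not the full list."""
    found = []
    for page in pages:
        for result in page.get("EvaluationResults", []):
            if result.get("ComplianceType") != "NON_COMPLIANT":
                continue
            qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            pair = (qualifier["ResourceType"], qualifier["ResourceId"])
            if pair not in found:
                found.append(pair)
    return found


def build_service_request(rule_identifier, resources):
    """Render the request in the format shown above; refuse to send an empty list."""
    if not resources:
        raise ValueError("no noncompliant resources for this rule; nothing to request")
    lines = ["Hello,", "",
             f'Please remediate the following resources for the Config Rule "{rule_identifier}".',
             "", "Resource List:"]
    lines += [f'"{resource_id}"' for _, resource_id in resources]
    lines += ["", "Thank you"]
    return "\n".join(lines)


def trigger_of(rule):
    """Map Source.SourceDetails MessageTypes to the table's Trigger column."""
    message_types = {d.get("MessageType") for d in rule["Source"].get("SourceDetails", [])}
    periodic = "ScheduledNotification" in message_types
    on_change = bool(message_types & {"ConfigurationItemChangeNotification",
                                      "OversizedConfigurationItemChangeNotification"})
    # Managed rules often omit SourceDetails; a MaximumExecutionFrequency on the
    # rule then indicates periodic evaluation (heuristic, not an API guarantee).
    if not message_types and rule.get("MaximumExecutionFrequency"):
        periodic = True
    if periodic and on_change:
        return "Periodic, Config Changes"
    if periodic:
        return "Periodic"
    return "Config Changes" if on_change else "Unknown"


def fetch_pages(config_rule_name, region_name=None):
    """Live equivalent of SAMPLE_PAGES via boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the offline sample needs no SDK

    client = boto3.client("config", region_name=region_name)
    paginator = client.get_paginator("get_compliance_details_by_config_rule")
    return list(paginator.paginate(ConfigRuleName=config_rule_name,
                                   ComplianceTypes=["NON_COMPLIANT"]))


if __name__ == "__main__":
    resources = noncompliant_resources(SAMPLE_PAGES)
    print(f"{RULE_NAME}: trigger={trigger_of(SAMPLE_RULE)}, "
          f"identifier={SAMPLE_RULE['Source']['SourceIdentifier']}")
    print(build_service_request(SAMPLE_RULE["Source"]["SourceIdentifier"], resources))
```

Against a real account, replace SAMPLE_PAGES with fetch_pages(RULE_NAME); the request text is built from the managed-rule identifier (Source.SourceIdentifier) rather than the deployed name, matching the template above. Periodic rules that evaluate at account level report the account ID as the resource, so check ResourceType before pasting the list into a request.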
Resilience
The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.
For more information about AWS Regions and Availability Zones, see AWS global infrastructure.
For information about AMS Accelerate continuity management, see Backup Management in AMS Accelerate (p. 178).