Automatic updates to AWS managed Config Rules

Author: bensonce

files/pack-rules-list.txt

@@ -81,6 +81,8 @@ Operational-Best-Practices-for-NIST-Privacy-Framework
 Operational-Best-Practices-for-NYDFS-23-NYCRR-500
 Operational-Best-Practices-for-NZISM
 Operational-Best-Practices-for-Networking-Services
+Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes
+Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes
 Operational-Best-Practices-for-PCI-DSS
 Operational-Best-Practices-for-Publicly-Accessible-Resources
 Operational-Best-Practices-for-RBI-Basic-Cyber-Security-Framework

files/pack-rules.yaml

@@ -1,4 +1,4 @@
-generated_on: '2024-09-15T00:05:29Z'
+generated_on: '2024-12-01T00:05:29Z'
 packs:
   AWS-Control-Tower-Detective-Guardrails:
   - autoscaling-launch-config-public-ip-disabled
@@ -6882,6 +6882,234 @@ packs:
   - waf-regional-rulegroup-not-empty
   - waf-regional-webacl-not-empty
   - wafv2-logging-enabled
+  Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes:
+  - access-keys-rotated
+  - acm-certificate-rsa-check
+  - acm-pca-root-ca-disabled
+  - api-gw-cache-enabled-and-encrypted
+  - api-gw-endpoint-type-check
+  - api-gw-xray-enabled
+  - api-gwv2-access-logs-enabled
+  - appsync-associated-with-waf
+  - appsync-logging-enabled
+  - athena-workgroup-encrypted-at-rest
+  - aurora-resources-protected-by-backup-plan
+  - autoscaling-launchconfig-requires-imdsv2
+  - backup-recovery-point-manual-deletion-disabled
+  - cloudtrail-enabled
+  - cloudtrail-security-trail-enabled
+  - cloudwatch-alarm-action-check
+  - cloudwatch-alarm-resource-check
+  - cloudwatch-alarm-settings-check
+  - codebuild-project-artifact-encryption
+  - codebuild-project-envvar-awscred-check
+  - codebuild-project-s3-logs-encrypted
+  - codebuild-project-source-repo-url-check
+  - codedeploy-lambda-allatonce-traffic-shift-disabled
+  - cw-loggroup-retention-period-check
+  - db-instance-backup-enabled
+  - dms-endpoint-ssl-configured
+  - dms-redis-tls-enabled
+  - dynamodb-in-backup-plan
+  - dynamodb-pitr-enabled
+  - dynamodb-resources-protected-by-backup-plan
+  - dynamodb-table-encrypted-kms
+  - ebs-in-backup-plan
+  - ebs-resources-protected-by-backup-plan
+  - ec2-client-vpn-not-authorize-all
+  - ec2-imdsv2-check
+  - ec2-instance-detailed-monitoring-enabled
+  - ec2-instance-profile-attached
+  - ec2-launch-template-public-ip-disabled
+  - ec2-no-amazon-key-pair
+  - ec2-resources-protected-by-backup-plan
+  - ec2-volume-inuse-check
+  - ecr-private-lifecycle-policy-configured
+  - ecs-task-definition-log-configuration
+  - ecs-task-definition-pid-mode-check
+  - efs-resources-protected-by-backup-plan
+  - eks-cluster-logging-enabled
+  - eks-cluster-oldest-supported-version
+  - eks-cluster-secrets-encrypted
+  - eks-endpoint-no-public-access
+  - eks-secrets-encrypted
+  - elastic-beanstalk-logs-to-cloudwatch
+  - elasticache-redis-cluster-automatic-backup-check
+  - elb-acm-certificate-required
+  - emr-block-public-access
+  - fsx-resources-protected-by-backup-plan
+  - iam-policy-in-use
+  - internet-gateway-authorized-vpc-only
+  - kinesis-stream-encrypted
+  - lambda-function-settings-check
+  - macie-auto-sensitive-data-discovery-check
+  - macie-status-check
+  - mq-cloudwatch-audit-log-enabled
+  - mq-cloudwatch-audit-logging-enabled
+  - msk-in-cluster-node-require-tls
+  - multi-region-cloudtrail-enabled
+  - nacl-no-unrestricted-ssh-rdp
+  - neptune-cluster-backup-retention-check
+  - neptune-cluster-cloudwatch-log-export-enabled
+  - neptune-cluster-encrypted
+  - neptune-cluster-iam-database-authentication
+  - neptune-cluster-snapshot-encrypted
+  - neptune-cluster-snapshot-public-prohibited
+  - netfw-logging-enabled
+  - netfw-policy-default-action-fragment-packets
+  - netfw-policy-default-action-full-packets
+  - rds-in-backup-plan
+  - redshift-backup-enabled
+  - redshift-cluster-kms-enabled
+  - redshift-enhanced-vpc-routing-enabled
+  - restricted-ssh
+  - s3-access-point-public-access-blocks
+  - s3-account-level-public-access-blocks
+  - s3-bucket-blacklisted-actions-prohibited
+  - s3-bucket-default-lock-enabled
+  - s3-bucket-mfa-delete-enabled
+  - s3-bucket-policy-not-more-permissive
+  - s3-bucket-versioning-enabled
+  - s3-resources-protected-by-backup-plan
+  - secretsmanager-scheduled-rotation-success-check
+  - secretsmanager-secret-periodic-rotation
+  - secretsmanager-secret-unused
+  - security-account-information-provided
+  - service-catalog-shared-within-organization
+  - sns-topic-message-delivery-notification-enabled
+  - step-functions-state-machine-logging-enabled
+  - transfer-family-server-no-ftp
+  - wafv2-rulegroup-logging-enabled
+  - wafv2-rulegroup-not-empty
+  - wafv2-webacl-not-empty
+  Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes:
+  - access-keys-rotated
+  - acm-certificate-rsa-check
+  - acm-pca-root-ca-disabled
+  - api-gw-cache-enabled-and-encrypted
+  - api-gw-endpoint-type-check
+  - api-gw-xray-enabled
+  - api-gwv2-access-logs-enabled
+  - appsync-associated-with-waf
+  - appsync-logging-enabled
+  - athena-workgroup-encrypted-at-rest
+  - aurora-resources-protected-by-backup-plan
+  - autoscaling-launchconfig-requires-imdsv2
+  - backup-recovery-point-manual-deletion-disabled
+  - cloudformation-stack-notification-check
+  - cloudfront-accesslogs-enabled
+  - cloudfront-associated-with-waf
+  - cloudfront-custom-ssl-certificate
+  - cloudfront-no-deprecated-ssl-protocols
+  - cloudfront-origin-access-identity-enabled
+  - cloudfront-s3-origin-access-control-enabled
+  - cloudfront-security-policy-check
+  - cloudfront-sni-enabled
+  - cloudfront-traffic-to-origin-encrypted
+  - cloudfront-viewer-policy-https
+  - cloudtrail-enabled
+  - cloudtrail-security-trail-enabled
+  - cloudwatch-alarm-action-check
+  - cloudwatch-alarm-resource-check
+  - cloudwatch-alarm-settings-check
+  - codebuild-project-artifact-encryption
+  - codebuild-project-envvar-awscred-check
+  - codebuild-project-s3-logs-encrypted
+  - codebuild-project-source-repo-url-check
+  - codedeploy-lambda-allatonce-traffic-shift-disabled
+  - codepipeline-deployment-count-check
+  - cw-loggroup-retention-period-check
+  - dax-encryption-enabled
+  - dax-tls-endpoint-encryption
+  - db-instance-backup-enabled
+  - dms-endpoint-ssl-configured
+  - dms-redis-tls-enabled
+  - docdb-cluster-encrypted
+  - docdb-cluster-snapshot-public-prohibited
+  - dynamodb-in-backup-plan
+  - dynamodb-pitr-enabled
+  - dynamodb-resources-protected-by-backup-plan
+  - dynamodb-table-encrypted-kms
+  - dynamodb-table-encryption-enabled
+  - ebs-in-backup-plan
+  - ebs-resources-protected-by-backup-plan
+  - ec2-client-vpn-not-authorize-all
+  - ec2-imdsv2-check
+  - ec2-instance-detailed-monitoring-enabled
+  - ec2-instance-profile-attached
+  - ec2-launch-template-public-ip-disabled
+  - ec2-no-amazon-key-pair
+  - ec2-resources-protected-by-backup-plan
+  - ec2-transit-gateway-auto-vpc-attach-disabled
+  - ec2-volume-inuse-check
+  - ecr-private-lifecycle-policy-configured
+  - ecs-task-definition-log-configuration
+  - ecs-task-definition-pid-mode-check
+  - efs-in-backup-plan
+  - efs-resources-protected-by-backup-plan
+  - eks-cluster-logging-enabled
+  - eks-cluster-oldest-supported-version
+  - eks-cluster-secrets-encrypted
+  - eks-endpoint-no-public-access
+  - eks-secrets-encrypted
+  - elastic-beanstalk-logs-to-cloudwatch
+  - elasticache-redis-cluster-automatic-backup-check
+  - elb-acm-certificate-required
+  - emr-block-public-access
+  - fsx-resources-protected-by-backup-plan
+  - iam-policy-in-use
+  - internet-gateway-authorized-vpc-only
+  - kinesis-stream-encrypted
+  - lambda-function-settings-check
+  - macie-auto-sensitive-data-discovery-check
+  - macie-status-check
+  - mq-cloudwatch-audit-log-enabled
+  - mq-cloudwatch-audit-logging-enabled
+  - msk-in-cluster-node-require-tls
+  - multi-region-cloudtrail-enabled
+  - nacl-no-unrestricted-ssh-rdp
+  - neptune-cluster-backup-retention-check
+  - neptune-cluster-cloudwatch-log-export-enabled
+  - neptune-cluster-encrypted
+  - neptune-cluster-iam-database-authentication
+  - neptune-cluster-snapshot-encrypted
+  - neptune-cluster-snapshot-public-prohibited
+  - netfw-logging-enabled
+  - netfw-policy-default-action-fragment-packets
+  - netfw-policy-default-action-full-packets
+  - rds-cluster-iam-authentication-enabled
+  - rds-db-security-group-not-allowed
+  - rds-in-backup-plan
+  - rds-instance-iam-authentication-enabled
+  - rds-resources-protected-by-backup-plan
+  - redshift-backup-enabled
+  - redshift-cluster-kms-enabled
+  - redshift-enhanced-vpc-routing-enabled
+  - restricted-ssh
+  - s3-access-point-public-access-blocks
+  - s3-account-level-public-access-blocks
+  - s3-bucket-blacklisted-actions-prohibited
+  - s3-bucket-default-lock-enabled
+  - s3-bucket-mfa-delete-enabled
+  - s3-bucket-policy-not-more-permissive
+  - s3-bucket-versioning-enabled
+  - s3-resources-protected-by-backup-plan
+  - secretsmanager-scheduled-rotation-success-check
+  - secretsmanager-secret-periodic-rotation
+  - secretsmanager-secret-unused
+  - security-account-information-provided
+  - service-catalog-shared-within-organization
+  - shield-drt-access
+  - sns-topic-message-delivery-notification-enabled
+  - step-functions-state-machine-logging-enabled
+  - transfer-family-server-no-ftp
+  - waf-classic-logging-enabled
+  - waf-global-rule-not-empty
+  - waf-global-rulegroup-not-empty
+  - waf-global-webacl-not-empty
+  - wafv2-rulegroup-logging-enabled
+  - wafv2-rulegroup-not-empty
+  - wafv2-webacl-not-empty
   Operational-Best-Practices-for-Publicly-Accessible-Resources:
   - autoscaling-launch-config-public-ip-disabled
   - dms-replication-not-public