+ S3BucketPublicReadProhibited:
+ Type: AWS::Config::ConfigRule
+ ConfigRuleName: S3BucketPublicReadProhibited
+ Checks that your Amazon S3 buckets do not allow public read access.
+ The rule checks the Block Public Access settings, the bucket policy, and the
+ bucket access control list (ACL).
+ ComplianceResourceTypes:
+ SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
+ MaximumExecutionFrequency: Six_Hours
+ S3PublicReadRemediation:
+ DependsOn: S3BucketPublicReadProhibited
+ Type: 'AWS::Config::RemediationConfiguration'
+ ConfigRuleName: S3BucketPublicReadProhibited
+ ResourceType: "AWS::S3::Bucket"
+ TargetId: "AWS-DisableS3BucketPublicReadWrite"
+ TargetType: "SSM_DOCUMENT"
+ - arn:aws:iam::<account number>:role/<role>
+ ConcurrentExecutionRatePercentage: 10
+ MaximumAutomaticAttempts: 10
+ RetryAttemptSeconds: 600
+ S3BucketPublicWriteProhibited:
+ Type: "AWS::Config::ConfigRule"
+ ConfigRuleName: S3BucketPublicWriteProhibited
+ Description: "Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL)."
+ ComplianceResourceTypes:
+ SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
+ MaximumExecutionFrequency: Six_Hours
+ S3PublicWriteRemediation:
+ DependsOn: S3BucketPublicWriteProhibited
+ Type: 'AWS::Config::RemediationConfiguration'
+ ConfigRuleName: S3BucketPublicWriteProhibited
+ ResourceType: "AWS::S3::Bucket"
+ TargetId: "AWS-DisableS3BucketPublicReadWrite"
+ TargetType: "SSM_DOCUMENT"
+ - arn:aws:iam::<account number>:role/<role>
+ ConcurrentExecutionRatePercentage: 10
+ MaximumAutomaticAttempts: 10
+ RetryAttemptSeconds: 600
+ S3BucketServerSideEncryptionEnabled:
+ Type: "AWS::Config::ConfigRule"
+ ConfigRuleName: S3BucketServerSideEncryptionEnabled
+ Description: "Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
+ ComplianceResourceTypes:
+ SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
+ S3BucketServerSideEncryptionEnabledRemediation:
+ DependsOn: S3BucketServerSideEncryptionEnabled
+ Type: 'AWS::Config::RemediationConfiguration'
+ ConfigRuleName: S3BucketServerSideEncryptionEnabled
+ ResourceType: "AWS::S3::Bucket"
+ TargetId: "AWS-EnableS3BucketEncryption"
+ TargetType: "SSM_DOCUMENT"
+ - arn:aws:iam::<account number>:role/<role>
+ ConcurrentExecutionRatePercentage: 10
+ MaximumAutomaticAttempts: 10
+ RetryAttemptSeconds: 600