diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/README.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/README.md new file mode 100644 index 00000000..5d80ec79 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/README.md @@ -0,0 +1,53 @@ +# Q CLI Project Context Setup + +This directory contains configuration files to provide automatic project context for Q CLI sessions. + +## Files + +- **`project-context.md`** - Comprehensive project overview, architecture, and development guidelines +- **`config.json`** - Q CLI configuration to auto-load project context +- **`README.md`** - This file + +## How It Works + +When you start a new Q CLI session in this project directory, the configuration will: + +1. **Auto-load project context** from `project-context.md` +2. **Set working directory** to the project root +3. **Apply safety guidelines** - Q will not modify files unless explicitly requested +4. **Provide architecture awareness** - Q understands the Step Functions workflow, Lambda functions, and infrastructure + +## Usage + +Simply run Q CLI from the project root: + +```bash +cd /Users/roficas/aws-infrastructure-reverse-engineering +q chat +``` + +Q will automatically have context about: +- ✅ System architecture (Step Functions, Lambda, DynamoDB, S3) +- ✅ Component relationships and dependencies +- ✅ Development guidelines and best practices +- ✅ Security considerations and IAM architecture +- ✅ Branch strategy (main vs mcp-server) + +## Safety Features + +The configuration includes safety instructions: +- 🛡️ **Read-only by default** - Q won't modify files without explicit permission +- 🛡️ **Confirmation required** - Q will ask before making changes +- 🛡️ **Impact explanation** - Q will explain consequences of proposed changes +- 🛡️ **Security focus** - Maintains security best practices for this security system + +## Project Overview Reminder + +This is a **serverless AWS security configuration analysis system** that: +- Processes security configurations via S3 uploads +- Uses Step Functions to orchestrate AI-powered analysis +- Generates security controls, IAM models, and IaC templates +- Leverages Amazon Bedrock for intelligent recommendations +- Maintains audit trails and compliance mappings + +The system is production-ready on the `main` branch, with experimental MCP server integration available on the `mcp-server` branch. diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/cli-agents/aws-security-agent.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/cli-agents/aws-security-agent.json new file mode 100644 index 00000000..e3b35551 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/cli-agents/aws-security-agent.json @@ -0,0 +1,23 @@ +{ + "name": "aws-security-agent", + "description": "AWS Security Configuration System project assistant", + "prompt": "You are working on the AWS Security Configuration System project. Before responding to any user query, read and understand the project context from .amazonq/project-context.md. This context contains critical information about the system architecture, components, and development guidelines. IMPORTANT: Do not apply any code changes unless explicitly requested by the user. Always ask for confirmation before modifying files and explain the impact of proposed changes. Do not deploy any code unless explicitly asked.", + "resources": [ + "file://.amazonq/rules/project-context.md", + "file://.amazonq/rules/security-system-guidelines.md" + ], + "allowedTools": [ + "fs_read", + "fs_write", + "execute_bash", + "use_aws" + ], + "toolsSettings": { + "fs_read": { + "allowedPaths": ["./"] + }, + "fs_write": { + "allowedPaths": ["./"] + } + } +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/config.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/config.json new file mode 100644 index 00000000..583fc116 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/config.json @@ -0,0 +1,3 @@ +{ + "defaultAgent": "aws-security-agent" +} \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/rules/project-context.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/rules/project-context.md new file mode 100644 index 00000000..46a80828 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/rules/project-context.md @@ -0,0 +1,49 @@ +# Security Configuration System Rules + +## Working Environment +- **Work locally only** - do not attempt AWS deployments or account changes, unless explicitly asked +- Focus on code development, testing, and local validation +- Use existing test outputs and local files for analysis + +## Code Style & Implementation +- Follow minimal implementation principle - write only essential code +- Use existing Lambda layers and shared utilities +- Maintain consistency with current CDK stack structure +- Follow AWS security best practices with least privilege IAM + +## Architecture Constraints +- All Lambda functions must use Python 3.10 runtime +- Use existing DynamoDB table naming convention: `gensec-{TableName}` +- S3 buckets follow pattern: `gensec-{purpose}-{account}-{region}` +- Lambda functions use prefix: `gensec-{FunctionName}` + +## Development Guidelines +- Test changes in decomposed architecture (current active system) +- Use existing Lambda layers: common, bedrock, dynamodb-operations, validation, requests, web-scraping +- Environment variables must reference CDK-managed resource names +- All resources must include gensec tags + +## Output and Testing Standards +- All generated outputs must be saved to `tests/output` directory +- All test files and test data must be placed in `tests/` directory +- Scripts should default to `tests/output` for generated content +- Maintain organized subdirectories within tests for different output types + +## Bedrock Integration +- Use Strands Agent (GenSecAgent) when USE_STRANDS_AGENT=true +- Support both direct model calls and agent-based processing +- Implement pagination for large parameter sets +- Log all AI interactions for debugging + +## Data Flow Requirements +- Security profiles and service requests trigger Step Functions workflow +- All outputs stored in S3 with structured paths +- DynamoDB used for tracking, validation, and service documentation +- Support both individual file processing and batch operations + +## Current Development Priorities +- Implement pagination for Bedrock calls with large parameter sets +- Replace web scraping with MCP server integration +- Develop AgentCore to centralize Bedrock interactions +- Improve validation logic to reduce false positives +- Add SQS integration: S3→SQS→StepFunctions \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/rules/security-system-guidelines.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/rules/security-system-guidelines.md new file mode 100644 index 00000000..98b2e549 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.amazonq/rules/security-system-guidelines.md @@ -0,0 +1,29 @@ +# Security Configuration System Guidelines + +## 🚨 CRITICAL: READ-ONLY BY DEFAULT +- **DO NOT modify files** unless explicitly requested +- **Ask confirmation** before any changes +- **Explain impact** of proposed changes +- **Preserve functionality** unless specifically changing it + +## Project Context +**Serverless security configuration analysis system** that automates AWS service security recommendations using AI. Processes service configurations and generates security controls, IAM models, and infrastructure templates through Step Functions workflow. + +## Architecture Components +- **Workflow**: gensec-SecurityConfigWorkflow (ValidateAndCollectServiceData → AnalyzeSecurityRequirements → GenerateSecurityControls → GenerateIaCTemplate → GenerateServiceProfile → GenerateIAMModel) +- **Lambda Functions**: SecurityProfileProcessor, AWSServiceDocumentationManager, AnalyzeSecurityRequirements, GenerateSecurityControls, GenerateIaCTemplate, GenerateIAMModel, GenerateServiceProfile +- **Storage**: DynamoDB (SecurityControlLibrary, ServiceRequestTracking, AWSService* tables), S3 (input/output/documentation) + +## Development Rules +- **scripts/**: Development utilities (gitignored, NOT deployed) +- **tests/output/**: Downloaded S3 artifacts (gitignored) +- **Production code**: lambda/, cdk/, config-example/ +- Use existing Lambda layers: common, bedrock, dynamodb-operations, validation, requests, web-scraping +- All resources use gensec- prefix and tags +- Python 3.9 runtime for all Lambda functions + +## Security Requirements +- Follow AWS security best practices with least privilege IAM +- This system processes sensitive security data - prioritize security, auditability, and least-privilege +- Environment variables must reference CDK-managed resource names +- Support both Strands Agent and direct Bedrock model calls \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.gitignore b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.gitignore new file mode 100644 index 00000000..865a8fce --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/.gitignore @@ -0,0 +1,95 @@ +# CDK +cdk/cdk.context.json +cdk/npm-debug.log* +cdk/yarn-debug.log* +cdk/yarn-error.log* +cdk/.nyc_output +cdk/coverage/ +cdk/lib/*.js +cdk/lib/*.d.ts +cdk/test/*.js +cdk/test/*.d.ts + +# Lambda +lambda/**/*.zip +lambda/**/node_modules/ +lambda/**/__pycache__/ +lambda/**/*.pyc +lambda/**/.env + +# Lambda Layers - Ignore all dependencies, keep only our custom modules +layers/**/python/boto3/ +layers/**/python/botocore/ +layers/**/python/dateutil/ +layers/**/python/urllib3/ +layers/**/python/requests/ +layers/**/python/beautifulsoup4/ +layers/**/python/bs4/ +layers/**/python/lxml/ +layers/**/python/html5lib/ +layers/**/python/certifi/ +layers/**/python/charset_normalizer/ +layers/**/python/idna/ +layers/**/python/jmespath/ +layers/**/python/s3transfer/ +layers/**/python/soupsieve/ +layers/**/python/webencodings/ +layers/**/python/six.py +layers/**/python/typing_extensions.py +layers/**/python/bin/ +layers/**/python/**/ +layers/**/__pycache__/ +layers/**/*.pyc +layers/**/*.pyo +layers/**/*.egg-info/ +layers/**/build/ +layers/**/dist/ +# Keep our custom layer modules +!layers/**/python/dynamodb_operations.py +!layers/**/python/json_processing.py +!layers/**/python/s3_operations.py +!layers/**/python/validation.py +!layers/**/python/bedrock_client.py + +# AWS +.aws/ +*.pem +*.key +.kiro/ + +# IDE +.vscode/ +.idea/ +*.swp +*.swo +*~ + +# OS +.DS_Store +Thumbs.db + +# Logs +*.log +logs/ + +# Temporary files +tmp/ +temp/ +*.tmp + +# Sensitive data +secrets/ +*.secret +*.credentials + +# compiled resources +**/dist/ +cdk/cdk.out/ +**/node_modules/ + +# nodejs +**/package-lock.json + +# Working scripts (not part of solution) +tests/output/ +lambda-legacy/ \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/README.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/README.md new file mode 100644 index 00000000..0fab7a17 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/README.md @@ -0,0 +1,391 @@ +# Security Configuration System + +A serverless application that automates security configuration analysis and recommendations using AWS services and Bedrock AI integration. The system processes service configurations, generates security controls, IAM models, and infrastructure templates. + +## Business Value & Impact + +**Accelerate AWS Service Adoption**: Transform service approval from 12 weeks to 3 validation sessions through AI-powered automation. + +### Key Benefits +- **Time Savings**: Automated security control generation and compliance mapping +- **Enhanced Security**: Comprehensive coverage of security domains and threat vectors +- **Compliance Assurance**: Automatic alignment with regulatory frameworks (NIST 800-53, etc.) +- **Consistency**: Standardized security controls across all approved services +- **Accelerated Threat Modeling**: Pre-approved services with associated threat vectors for faster workload assessments + +### Process Innovation +1. Input security profile, compliance needs, and AWS service selection +2. AI analyzes against AWS documentation and best practices +3. Generate tailored detective, preventive, and proactive controls +4. Review and approve generated controls and templates +5. Automated deployment of approved artifacts + +### Workload-Level Impact + +By using pre-approved services with associated controls and threat vectors, customers can: + +- **Rapid Assessment**: Quickly evaluate new workloads against known security baselines +- **Efficient Gap Analysis**: Identify potential vulnerabilities and compliance gaps more efficiently +- **Proven Controls**: Implement security controls with confidence based on AI analysis +- **Focused Threat Modeling**: Concentrate efforts on workload-specific risks rather than underlying service security +- **Continuous Improvement**: AI learns from approvals and refinements, improving recommendations over time + +## Architecture Overview + +![GenSec System Architecture](docs/blog/GenSec.png) + +## Core Components + +### Step Functions Workflow (gensec-SecurityConfigWorkflow) +1. **ValidateAndCollectServiceData** + - Collects AWS service documentation + - Validates service capabilities + - Stores documentation for reference + +2. **AnalyzeSecurityRequirements** + - Processes security configurations + - Integrates with Bedrock AI + - Generates initial analysis + +3. **GenerateSecurityControls** + - Creates security control recommendations + - Maps to compliance requirements + - Provides implementation guidance + +4. **GenerateIaCTemplate** + - Creates infrastructure templates + - Implements security controls + - Supports multiple IaC formats + +5. **GenerateServiceProfile** + - Documents service capabilities + - Maps security features + - Provides configuration guidance + +6. **GenerateIAMModel** + - Creates IAM permission models + - Implements least privilege + - Maps service actions + +### Lambda Functions + +The system uses 7 Lambda functions in a decomposed architecture. For detailed documentation of each function, see [docs/lambda-functions/](docs/lambda-functions/). + +| Function | Purpose | Memory | Timeout | Documentation | +|----------|---------|--------|---------|---------------| +| SecurityProfileProcessor | S3 event processing & workflow orchestration | 128 MB | 3 min | [Details](docs/lambda-functions/SecurityProfileProcessor.md) | +| AWSServiceDocumentationManager | AWS service documentation collection | 1024 MB | 15 min | [Details](docs/lambda-functions/AWSServiceDocumentationManager.md) | +| AnalyzeSecurityRequirements | AI-powered security analysis | 1024 MB | 15 min | [Details](docs/lambda-functions/AnalyzeSecurityRequirements.md) | +| GenerateSecurityControls | Security control generation | 1024 MB | 15 min | [Details](docs/lambda-functions/GenerateSecurityControls.md) | +| GenerateIaCTemplate | Infrastructure template generation | 1024 MB | 15 min | [Details](docs/lambda-functions/GenerateIaCTemplate.md) | +| GenerateIAMModel | IAM permission model generation | 1024 MB | 15 min | [Details](docs/lambda-functions/GenerateIAMModel.md) | +| GenerateServiceProfile | Service capability documentation | 1024 MB | 15 min | [Details](docs/lambda-functions/GenerateServiceProfile.md) | + +### Storage Resources + +#### DynamoDB Tables +1. **Security Control Library** (gensec-SecurityControlLibrary) + - Stores security control definitions + - Maps compliance requirements + - Tracks implementation status + +2. **Service Request Tracking** (gensec-ServiceRequestTracking) + - Tracks processing requests + - Maintains audit history + - Enables request tracing + +3. **AWS Service Actions** (gensec-AWSServiceActions) + - AWS service action definitions + - IAM permission mappings + +4. **AWS Service Parameters** (gensec-AWSServiceParameters) + - Service parameter documentation + - Configuration validation + +5. **AWS Service Inventory** (gensec-AWSServiceInventory) + - Service metadata and capabilities + +6. **AWS Service Resources** (gensec-AWSServiceResources) + - Resource type definitions + +7. **Security Standards Library** (gensec-SecurityStandardsLibrary) + - Compliance framework mappings + +8. **Service Profile Library** (gensec-ServiceProfileLibrary) + - Service capability templates + +9. **AWS Config Managed Rules** (gensec-AWSConfigManagedRules) + - AWS Config managed rule definitions + - Service-based rule categorization + - Security compliance rule mappings + +#### S3 Buckets +1. **Input Profiles** (gensec-security-input-profiles-${account}-${region}) + - Stores service configurations + - Triggers processing workflow via S3 events + - Maintains version history + - Supports security-profile/ and service-request/ prefixes + +2. **Configuration Outputs** (gensec-security-config-outputs-${account}-${region}) + - Stores processing results + - Maintains documentation + - Stores generated artifacts + +### Config Rules Management + +The system includes AWS Config managed rules for security control recommendations: + +```bash +# Load AWS Config managed rules into DynamoDB +cd scripts/config-rules +python3 load_config_rules.py + +# View baseline rules (696 rules from AWS documentation) +cat aws_config_manage_rules_baseline.json +``` + +**Files:** +- `scripts/config-rules/load_config_rules.py` - Extracts rules from AWS documentation and loads into DynamoDB +- `scripts/config-rules/aws_config_manage_rules_baseline.json` - Read-only baseline reference (696 rules) + +**Features:** +- Extracts rules directly from AWS Config documentation +- No hardcoded rules - dynamically discovers services +- Service-based categorization via GSI +- Fallback to baseline file if documentation unavailable + +## System Outputs + +The security configuration system generates comprehensive outputs tailored for different teams and use cases: + +| Output Type | Format | Purpose & Description | Primary Users | +|-------------|--------|----------------------|---------------| +| **Service Research Profile** (Equifax form) | Markdown | • Comprehensive security documentation of AWS service
• Details on data protection, network/access controls, compliance
• Operational guidelines and best practices | • Security Architects
• Cloud Teams
• Compliance Teams | +| **IAM Review Module** (Equifax request) | JSON/Markdown | • Detailed IAM configurations and policies
• Permission sets and role analysis
• Best practices and implementation guidance
• Approval requirements and workflows | • IAM Team
• Security Team
• Cloud Platform Team | +| **AWS Service Configuration Recommendations** | JSON | • Security configuration guidance
• Service-specific security parameters
• Compliance mappings
• Implementation considerations | • Security Architects
• Cloud Teams
• Implementation Teams | +| **Security Controls** (checks) | JSON | • Proactive controls (CI/CD pipeline checks)
• Preventive (SCPs IAM policy at the Org level)
• Detective controls (Custom AWS Config rules) | • Security Teams
• Compliance Teams
• Operations Teams | +| **IaC Templates** | YAML/JSON | • CloudFormation / Terraform templates
• Pre-configured security settings
• Resource and parameters definitions | • DevOps Teams
• Cloud Engineers
• Implementation Teams | +| **Security Control Library** | DynamoDB Table | • Approved configurations storage
• Implementation status
• Approval history
• Compliance and threat mappings
• Configuration and control selection rational | • All Teams
• Auditors
• Security Teams | +| **Service Request Tracking** | DynamoDB Table | • Configuration request history
• Processing status
• Approval tracking
• Version control | • Operations Teams
• Security Teams
• Requestors | + +## Getting Started + +### Prerequisites +- AWS Account with appropriate permissions +- Node.js ≥ 14.x (for CDK) +- Python 3.9 (for Lambda functions) +- AWS CDK CLI + +Warning: Before deploying, make sure to build Lambda Layers +```bash +# Set up Lambda Layers +cd layers +./build-all-layers.sh +``` + +### Deployment +```bash +# Install CDK dependencies +cd cdk +npm install + +# Build TypeScript +npm run build + +# Bootstrap CDK (first time only) +cdk bootstrap + +# Deploy infrastructure (defaults to us-east-1) +cdk deploy +``` + +### Testing the System +```bash +# Upload service mappings configuration (required for documentation collection) +aws s3 cp config-example/service-mappings.json s3://gensec-security-input-profiles-${ACCOUNT}-${REGION}/configuration/ + +# To update service mappings with latest AWS services, run: +cd scripts/service-mapping && python3 extract_service_mappings.py + +# Upload test security profile +aws s3 cp security-profile.json s3://gensec-security-input-profiles-${ACCOUNT}-${REGION}/security-profile/ + +# Upload test service request +aws s3 cp service-request.json s3://gensec-security-input-profiles-${ACCOUNT}-${REGION}/service-request/ + +# Monitor execution (decomposed workflow) +aws stepfunctions list-executions \ + --state-machine-arn arn:aws:states:${REGION}:${ACCOUNT}:stateMachine:gensec-SecurityConfigWorkflow + +# Check results +aws s3 ls s3://gensec-security-config-outputs-${ACCOUNT}-${REGION}/ + +# Download outputs locally +./scripts/download_outputs.py + +# Validate outputs for a service +cd scripts/output-validation +./validate_service.sh ACM +``` + +## Project Structure + +``` +security-project/ +├── cdk/ # Infrastructure as Code +│ ├── bin/ # CDK app entry point +│ ├── lib/ # Stack definitions +│ │ ├── security-system-stack.ts +│ │ └── lambda-layers.ts +│ └── test/ # Infrastructure tests +├── lambda/ # Current Lambda function code (decomposed architecture) +│ ├── AWSServiceDocumentationManager/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ ├── AnalyzeSecurityRequirements/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ ├── GenerateSecurityControls/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ ├── GenerateIaCTemplate/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ ├── GenerateIAMModel/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ ├── GenerateServiceProfile/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ └── SecurityProfileProcessor/ +│ ├── lambda_function.py +│ └── requirements.txt +├── lambda-legacy/ # Legacy Lambda functions (archived) +│ ├── [old]SecurityConfigurationHandler/ +│ │ ├── lambda_function.py +│ │ └── requirements.txt +│ └── [old]SecurityProfileProcessor/ +│ ├── lambda_function.py +│ └── requirements.txt +├── layers/ # Lambda layers for shared code +│ ├── bedrock-layer/ # Bedrock AI client with comprehensive logging +│ ├── common-layer/ # boto3, botocore, s3_operations +│ ├── dynamodb-operations-layer/ # DynamoDB operations +│ ├── requests-layer/ # HTTP operations +│ ├── validation-layer/ # validation, json_processing, yaml +│ └── web-scraping-layer/ # beautifulsoup4, lxml +├── scripts/ # Supporting utility scripts +│ ├── download_outputs.py # Download S3 outputs locally +│ ├── output-validation/ # Validation automation +│ └── config-rules/ # AWS Config rules management +│ ├── load_config_rules.py # Load Config rules into DynamoDB +│ └── aws_config_manage_rules_baseline.json # Baseline reference (696 rules) +├── config-example/ # Example configurations and sample files +├── tests/ # Test implementations and test files +│ └── output/ # Downloaded outputs (gitignored) +└── docs/ # Detailed documentation + +``` + +**Note:** The `tests/output/` directory is excluded from version control (.gitignore) as it contains downloaded artifacts from S3 buckets. + +## Documentation + +- [Business Value & Impact](docs/BUSINESS_VALUE.md) - Executive summary and ROI analysis +- [Architecture Details](docs/ARCHITECTURE.md) - Detailed system architecture +- [Lambda Functions](docs/lambda-functions/) - Individual function documentation +- [Deployment Guide](docs/DEPLOYMENT.md) - Deployment instructions +- [Development Guide](docs/DEVELOPMENT.md) - Development guidelines + +## IAM Permissions Architecture + +### Design Philosophy +All IAM permissions are defined directly in the main CDK stack (`cdk/lib/security-system-stack.ts`) following these principles: + +- **Principle of Least Privilege**: Each role has only the minimum permissions required +- **Resource-Specific Scoping**: Permissions are scoped to specific resources, not wildcards +- **Function-Specific Access**: CloudWatch logs are scoped to individual Lambda function log groups +- **Clear Documentation**: Each permission block includes detailed comments explaining purpose + +### Role Overview + +#### 1. DocumentationManagerRole +**Purpose**: Collects AWS service documentation from external sources +- **CloudWatch Logs**: Function-specific log group access +- **S3**: Read/write access to documentation, input, and output buckets +- **DynamoDB**: Full access to service documentation tables (Actions, Parameters, Inventory, Resources) +- **Bedrock**: Model invocation for AI processing of documentation +- **VPC**: Network access for external documentation URL requests + +#### 2. SecurityConfigurationHandlerRole +**Purpose**: Main AI-powered security analysis and configuration generation +- **CloudWatch Logs**: Function-specific log group access +- **Bedrock**: Full AI access (foundation models, inference profiles, agents, knowledge bases) +- **DynamoDB**: Full access to all security and service tables +- **S3**: Read/write access to all system buckets +- **VPC**: Network access for potential external integrations + +#### 3. StepFunctionsWorkflowRole +**Purpose**: Orchestrates the security configuration workflow +- **Lambda**: Invoke permissions for all workflow Lambda functions +- **CloudWatch Logs**: Full logging access for workflow monitoring +- **X-Ray**: Distributed tracing for performance monitoring + +#### 4. SecurityProfileProcessorRole +**Purpose**: Processes S3 uploads and triggers workflows +- **CloudWatch Logs**: Function-specific log group access +- **S3**: Read/write access to input and output buckets +- **Step Functions**: Start and monitor workflow executions + +### Bedrock Model Access +The system supports both foundation models and inference profiles: +- **Foundation Models**: `arn:aws:bedrock:region::foundation-model/*` +- **Inference Profiles**: `arn:aws:bedrock:region:account:inference-profile/*` + +This dual approach ensures compatibility with models like Nova Pro that require inference profiles while maintaining access to directly invokable models. + +### Permission Maintenance +- All permissions are centralized in `security-system-stack.ts` +- Each permission block includes detailed comments +- Resource ARNs use CDK references for automatic updates +- Legacy table access is maintained for backward compatibility + +## Contributing + +1. Review the [Development Guide](docs/DEVELOPMENT.md) +2. Set up your development environment +3. Make your changes +4. Add/update tests +5. Submit a pull request + +### Development Guidelines + +#### Working Directory Structure +- **Production code**: `lambda/`, `cdk/`, `config-example/` +- **Development tools**: `scripts/` (gitignored) +- **Permanent docs**: `docs/` +- **Test files**: `tests/` + +#### File Organization Rules +- **scripts/**: Development utilities, temporary files (NOT deployed) +- **tests/output/**: Downloaded S3 artifacts (gitignored) +- **config-example/**: Sample configurations for deployment +- **docs/**: Permanent project documentation + +#### Testing Guidelines +- All test implementations should be stored in the `tests/` folder +- Example configurations belong in `config-example/` +- Test structure should mirror the main project structure +- Use `./scripts/download_outputs.py` to get latest outputs +- Use `./scripts/output-validation/validate_service.sh ` to validate outputs + +## License + +This project is licensed under the MIT License - see the LICENSE file for details. + +## Support + +For detailed information about: +- System architecture: See [ARCHITECTURE.md](docs/ARCHITECTURE.md) +- Deployment process: See [DEPLOYMENT.md](docs/DEPLOYMENT.md) +- Development guidelines: See [DEVELOPMENT.md](docs/DEVELOPMENT.md) diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/README.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/README.md new file mode 100644 index 00000000..a19de06c --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/README.md @@ -0,0 +1,288 @@ +# Security Configuration System - CDK Infrastructure + +This directory contains the AWS CDK infrastructure code for the security configuration system. + +## Directory Structure + +``` +cdk/ +├── bin/ +│ └── app.ts # CDK app entry point +├── lib/ +│ └── security-system-stack.ts # Main infrastructure stack +├── test/ +│ └── security-system.test.ts # Infrastructure tests +├── cdk.json # CDK configuration +├── package.json # Project dependencies +└── tsconfig.json # TypeScript configuration +``` + +## Prerequisites + +- Node.js >= 14.x +- AWS CDK CLI >= 2.x +- TypeScript >= 4.x +- AWS credentials configured + +```bash +# Install CDK CLI +npm install -g aws-cdk + +# Install project dependencies +npm install +``` + +## Infrastructure Components + +### 1. Lambda Functions + +#### Security Configuration Handler +```typescript +new lambda.Function(this, 'SecurityConfigurationHandler', { + functionName: '2SecurityConfigurationHandler', + runtime: lambda.Runtime.PYTHON_3_9, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/2SecurityConfigurationHandler'), + timeout: Duration.minutes(15), + memorySize: 1024, + environment: { + BEDROCK_AGENT_ID: 'YWZMJLEXED', + // ... other environment variables + } +}); +``` + +#### Security Profile Processor +```typescript +new lambda.Function(this, 'SecurityProfileProcessor', { + functionName: '2SecurityProfileProcessor', + runtime: lambda.Runtime.PYTHON_3_9, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/2SecurityProfileProcessor'), + timeout: Duration.seconds(3), + memorySize: 128 +}); +``` + +### 2. Step Functions Workflow + +```typescript +new stepfunctions.StateMachine(this, 'SecurityConfigWorkflow', { + stateMachineName: '2SecurityConfigWorkflow', + definition: processSecurityProfileTask + .addCatch(handleError) + .next(success), + logs: { + destination: stepFunctionsLogGroup, + level: stepfunctions.LogLevel.ERROR + } +}); +``` + +### 3. Storage Resources + +#### DynamoDB Tables +```typescript +new dynamodb.Table(this, 'SecurityControlLibrary', { + tableName: '2SecurityControlLibrary', + partitionKey: { name: 'control_id', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED +}); +``` + +#### S3 Buckets +```typescript +new s3.Bucket(this, 'SecurityConfigOutputs', { + bucketName: '2security-config-outputs', + encryption: s3.BucketEncryption.S3_MANAGED, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + versioned: true +}); +``` + +## Deployment + +### Development Environment +```bash +# Install dependencies +npm install + +# Build TypeScript +npm run build + +# Run tests +npm test + +# Deploy to AWS +cdk deploy +``` + +### Production Deployment +```bash +# Deploy with specific context +cdk deploy --context environment=production + +# Deploy with approval +cdk deploy --require-approval never +``` + +### Multiple Environments +```bash +# Deploy to staging +cdk deploy -c environment=staging + +# Deploy to production +cdk deploy -c environment=production +``` + +## Configuration + +### Context Variables +```json +{ + "environment": "production", + "aws-region": "us-east-1", + "bedrock-agent-id": "YWZMJLEXED" +} +``` + +### Environment-Specific Configuration +```typescript +const environment = this.node.tryGetContext('environment') || 'development'; +const config = require(`../config/${environment}.json`); +``` + +## Testing + +### Unit Tests +```bash +# Run all tests +npm test + +# Run specific test +npm test -- -t 'SecuritySystemStack' +``` + +### Integration Tests +```bash +# Deploy test stack +cdk deploy --app "npx ts-node test/integ.security-system.ts" +``` + +## Security Best Practices + +1. **IAM Roles** + - Use least privilege principle + - Scope permissions to specific resources + - Use condition statements + +2. **Resource Encryption** + - Enable encryption at rest + - Use KMS keys where appropriate + - Enable SSL/TLS for data in transit + +3. **Monitoring** + - Enable CloudWatch logs + - Set up metric alarms + - Configure audit logging + +## Monitoring and Logging + +### CloudWatch Logs +```typescript +new logs.LogGroup(this, 'SecurityConfigHandlerLogs', { + logGroupName: '/aws/lambda/2SecurityConfigurationHandler', + retention: logs.RetentionDays.TWO_WEEKS, + removalPolicy: cdk.RemovalPolicy.DESTROY +}); +``` + +### Metrics and Alarms +```typescript +new cloudwatch.Alarm(this, 'SecurityConfigHandlerErrors', { + metric: securityConfigHandler.metricErrors(), + threshold: 1, + evaluationPeriods: 1, + alarmDescription: 'Security configuration handler error rate' +}); +``` + +## Cost Optimization + +1. **Lambda Configuration** + - Optimize memory allocation + - Set appropriate timeouts + - Use provisioned concurrency when needed + +2. **DynamoDB** + - Use on-demand capacity + - Enable auto-scaling + - Implement TTL where appropriate + +3. **S3** + - Configure lifecycle policies + - Use appropriate storage classes + - Enable intelligent tiering + +## Troubleshooting + +### Common Issues + +1. **Deployment Failures** + ```bash + # Check deployment status + cdk doctor + + # List all resources + cdk list + + # Show differences + cdk diff + ``` + +2. **Runtime Errors** + - Check CloudWatch logs + - Verify IAM permissions + - Validate environment variables + +3. **State Machine Issues** + - Check execution history + - Verify Lambda permissions + - Check input/output mapping + +## Contributing + +1. **Code Style** + - Follow TypeScript best practices + - Use meaningful construct IDs + - Add comments for complex logic + +2. **Testing** + - Write unit tests + - Add integration tests + - Test with multiple environments + +3. **Documentation** + - Update README.md + - Document context parameters + - Add JSDoc comments + +## Useful Commands + +```bash +# CDK commands +cdk synth # Generate CloudFormation template +cdk diff # Show changes +cdk deploy # Deploy stack +cdk destroy # Remove stack + +# Development +npm run build # Compile TypeScript +npm run watch # Watch for changes +npm run test # Run tests + +# Maintenance +cdk doctor # Check CDK environment +cdk bootstrap # Bootstrap environment +``` diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/bin/app.ts b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/bin/app.ts new file mode 100644 index 00000000..d55205af --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/bin/app.ts @@ -0,0 +1,20 @@ +#!/usr/bin/env node +import 'source-map-support/register'; +import * as cdk from 'aws-cdk-lib'; +import { SecuritySystemStack } from '../lib/security-system-stack'; + +const app = new cdk.App(); + +// Get environment context or use default +const environment = app.node.tryGetContext('environment') || 'production'; + +const stack = new SecuritySystemStack(app, `SecuritySystem-${environment}`, { + env: { + account: process.env.CDK_DEFAULT_ACCOUNT, + region: 'us-east-1' // Changed to us-east-1 for Nova Pro deployment + }, + description: 'Security Configuration System Infrastructure' +}); + +// Add the gensec tag to all resources in the stack +cdk.Tags.of(stack).add('Project', 'gensec'); diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/cdk.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/cdk.json new file mode 100644 index 00000000..d77501b7 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/cdk.json @@ -0,0 +1,47 @@ +{ + "app": "npx ts-node --prefer-ts-exts bin/app.ts", + "watch": { + "include": [ + "**" + ], + "exclude": [ + "README.md", + "cdk*.json", + "**/*.d.ts", + "**/*.js", + "tsconfig.json", + "package*.json", + "yarn.lock", + "node_modules", + "test" + ] + }, + "context": { + "@aws-cdk/aws-lambda:recognizeLayerVersion": true, + "@aws-cdk/core:checkSecretUsage": true, + "@aws-cdk/core:target-partitions": [ + "aws", + "aws-cn" + ], + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true, + "@aws-cdk/aws-iam:minimizePolicies": true, + "@aws-cdk/core:validateSnapshotRemovalPolicy": true, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": true, + "@aws-cdk/core:enablePartitionLiterals": true, + "@aws-cdk/aws-events:eventsTargetQueueSseKeyArn": true, + "@aws-cdk/aws-iam:standardizedServicePrincipals": true, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true, + "@aws-cdk/aws-route53-patters:useCertificate": true, + "@aws-cdk/customresources:installLatestAwsSdkDefault": false, + "environment": "production", + "aws-region": "us-east-1", + "bedrock-agent-id": "YWZMJLEXED" + } +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lambda-optimization.patch b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lambda-optimization.patch new file mode 100644 index 00000000..4d76ce9a --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lambda-optimization.patch @@ -0,0 +1,46 @@ +# Patch for security-system-stack.ts +# Update Lambda functions with better timeout and memory settings + +# For SecurityConfigurationHandler (line ~584): +const securityConfigHandler = new lambda.Function(this, 'SecurityConfigurationHandler', { + functionName: 'gensec-SecurityConfigurationHandler', + runtime: lambda.Runtime.PYTHON_3_9, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/2SecurityConfigurationHandler'), + timeout: cdk.Duration.minutes(15), # Keep existing + memorySize: 3008, # Increase from 1024 to 3008 MB + reservedConcurrentExecutions: 5, # Limit concurrency to avoid throttling + environment: { + BEDROCK_MAX_RETRIES: '5', + CHUNK_SIZE: '200000', + ENABLE_PARAMETER_FILTERING: 'true' + }, + vpc, + vpcSubnets: { + subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, + }, + securityGroups: [lambdaSecurityGroup], + role: securityConfigHandlerRole, +}); + +# For DocumentationManager (line ~427): +const documentationManager = new lambda.Function(this, 'DocumentationManager', { + functionName: 'gensec-AWSServiceDocumentationManager', + runtime: lambda.Runtime.PYTHON_3_9, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/AWSServiceDocumentationManager'), + timeout: cdk.Duration.minutes(15), # Keep existing + memorySize: 2048, # Increase from 1024 to 2048 MB + reservedConcurrentExecutions: 3, # Limit concurrency + environment: { + MAX_PARAMETERS_PER_SERVICE: '200', + MAX_ACTIONS_PER_SERVICE: '300', + ENABLE_SECURITY_FILTERING: 'true' + }, + vpc, + vpcSubnets: { + subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, + }, + securityGroups: [lambdaSecurityGroup], + role: documentationManagerRole, +}); diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lib/lambda-layers.ts b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lib/lambda-layers.ts new file mode 100644 index 00000000..8a4e7c0b --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lib/lambda-layers.ts @@ -0,0 +1,78 @@ +import * as cdk from 'aws-cdk-lib'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import { Construct } from 'constructs'; + +export class LambdaLayers { + public readonly commonLayer: lambda.LayerVersion; + public readonly requestsLayer: lambda.LayerVersion; + public readonly webScrapingLayer: lambda.LayerVersion; + public readonly bedrockLayer: lambda.LayerVersion; + public readonly dynamodbOperationsLayer: lambda.LayerVersion; + public readonly validationLayer: lambda.LayerVersion; + public readonly mcpToolsLayer: lambda.LayerVersion; + + constructor(scope: Construct, id: string) { + // Common layer with boto3, botocore, python-dateutil, and s3_operations + // These are commonly used across all Lambda functions + this.commonLayer = new lambda.LayerVersion(scope, `${id}CommonLayer`, { + layerVersionName: 'gensec-common-dependencies', + code: lambda.Code.fromAsset('../layers/common-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'Common dependencies: boto3, botocore, python-dateutil, s3_operations', + }); + + // Requests layer for HTTP operations + // Used by SecurityConfigurationHandler and AWSServiceDocumentationManager + this.requestsLayer = new lambda.LayerVersion(scope, `${id}RequestsLayer`, { + layerVersionName: 'gensec-requests-dependencies', + code: lambda.Code.fromAsset('../layers/requests-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'HTTP dependencies: requests, urllib3', + }); + + // Web scraping layer for documentation collection + // Used specifically by AWSServiceDocumentationManager + this.webScrapingLayer = new lambda.LayerVersion(scope, `${id}WebScrapingLayer`, { + layerVersionName: 'gensec-web-scraping-dependencies', + code: lambda.Code.fromAsset('../layers/web-scraping-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'Web scraping dependencies: beautifulsoup4, lxml, html5lib', + }); + + // Bedrock layer for AI model interactions + // Used by all security analysis Lambda functions + this.bedrockLayer = new lambda.LayerVersion(scope, `${id}BedrockLayer`, { + layerVersionName: 'gensec-bedrock-client', + code: lambda.Code.fromAsset('../layers/bedrock-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'Bedrock client for AI model interactions', + }); + + // DynamoDB operations layer + // Common DynamoDB functions used across multiple Lambda functions + this.dynamodbOperationsLayer = new lambda.LayerVersion(scope, `${id}DynamodbOperationsLayer`, { + layerVersionName: 'gensec-dynamodb-operations', + code: lambda.Code.fromAsset('../layers/dynamodb-operations-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'Common DynamoDB operations: queries, parsing, storage', + }); + + // Validation layer with json_processing + // Common validation functions for parameters, actions, configurations, and JSON processing + this.validationLayer = new lambda.LayerVersion(scope, `${id}ValidationLayer`, { + layerVersionName: 'gensec-validation', + code: lambda.Code.fromAsset('../layers/validation-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'Validation functions: parameters, actions, configurations, json_processing', + }); + + // MCP tools layer for AWS Documentation MCP Server integration + // Used by AWSServiceDocumentationManager for structured documentation access + this.mcpToolsLayer = new lambda.LayerVersion(scope, `${id}McpToolsLayer`, { + layerVersionName: 'gensec-mcp-tools', + code: lambda.Code.fromAsset('../layers/mcp-tools-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'MCP tools for AWS Documentation MCP Server integration', + }); + } +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lib/security-system-stack.ts b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lib/security-system-stack.ts new file mode 100644 index 00000000..f4692df3 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/lib/security-system-stack.ts @@ -0,0 +1,1331 @@ +import * as cdk from 'aws-cdk-lib'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as s3n from 'aws-cdk-lib/aws-s3-notifications'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import * as stepfunctions from 'aws-cdk-lib/aws-stepfunctions'; +import * as stepfunctionsTasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as cr from 'aws-cdk-lib/custom-resources'; +import * as bedrock from 'aws-cdk-lib/aws-bedrock'; +import { Construct } from 'constructs'; +import { LambdaLayers } from './lambda-layers'; + +export class SecuritySystemStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Add gensec tag to all resources in this stack + cdk.Tags.of(this).add('gensec', 'true'); + cdk.Tags.of(this).add('Project', 'SecurityConfigurationSystem'); + cdk.Tags.of(this).add('Environment', 'production'); + + // Initialize Lambda layers + const layers = new LambdaLayers(this, 'SecuritySystemLayers'); + + // S3 Buckets - Consistent naming without version suffixes + const outputBucket = new s3.Bucket(this, 'SecurityConfigOutputs', { + bucketName: `gensec-security-config-outputs-${this.account}-${this.region}`, + versioned: true, + encryption: s3.BucketEncryption.S3_MANAGED, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(outputBucket).add('gensec', 'true'); + cdk.Tags.of(outputBucket).add('ResourceType', 'S3Bucket'); + cdk.Tags.of(outputBucket).add('Purpose', 'SecurityConfigOutputs'); + + const inputBucket = new s3.Bucket(this, 'SecurityInputProfiles', { + bucketName: `gensec-security-input-profiles-${this.account}-${this.region}`, + versioned: true, + encryption: s3.BucketEncryption.S3_MANAGED, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(inputBucket).add('gensec', 'true'); + cdk.Tags.of(inputBucket).add('ResourceType', 'S3Bucket'); + cdk.Tags.of(inputBucket).add('Purpose', 'SecurityInputProfiles'); + + // Documentation bucket for AWS service documentation + const documentationBucket = new s3.Bucket(this, 'ServiceDocumentation', { + bucketName: `gensec-aws-service-documentation-${this.account}-${this.region}`, + versioned: true, + encryption: s3.BucketEncryption.S3_MANAGED, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(documentationBucket).add('gensec', 'true'); + cdk.Tags.of(documentationBucket).add('ResourceType', 'S3Bucket'); + cdk.Tags.of(documentationBucket).add('Purpose', 'ServiceDocumentation'); + + // Deploy service mappings configuration file to input bucket + new s3deploy.BucketDeployment(this, 'ServiceMappingsDeployment', { + sources: [s3deploy.Source.asset('../config-example')], + destinationBucket: inputBucket, + destinationKeyPrefix: 'configuration/', + include: ['service-mappings.json'], + retainOnDelete: false, + }); + + // DynamoDB Tables - Reverse engineered from existing AWS account + + // Primary Security Control Library (current active table) + const controlLibraryTable = new dynamodb.Table(this, 'SecurityControlLibrary2', { + tableName: 'gensec-SecurityControlLibrary', + partitionKey: { name: 'configuration_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(controlLibraryTable).add('gensec', 'true'); + cdk.Tags.of(controlLibraryTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(controlLibraryTable).add('Purpose', 'PrimarySecurityControlLibrary'); + + // Primary Service Request Tracking (current active table) + const serviceTrackingTable = new dynamodb.Table(this, 'ServiceRequestTracking2', { + tableName: 'gensec-ServiceRequestTracking', + partitionKey: { name: 'requestId', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(serviceTrackingTable).add('gensec', 'true'); + cdk.Tags.of(serviceTrackingTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(serviceTrackingTable).add('Purpose', 'PrimaryServiceRequestTracking'); + + // AWS Service Actions Documentation Table + const serviceActionsTable = new dynamodb.Table(this, 'AWSServiceActions', { + tableName: 'gensec-AWSServiceActions', + partitionKey: { name: 'service_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'action_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(serviceActionsTable).add('gensec', 'true'); + cdk.Tags.of(serviceActionsTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(serviceActionsTable).add('Purpose', 'AWSServiceActionsDocumentation'); + + // AWS Service Parameters Documentation Table + const serviceParametersTable = new dynamodb.Table(this, 'AWSServiceParameters', { + tableName: 'gensec-AWSServiceParameters', + partitionKey: { name: 'service_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'parameter_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(serviceParametersTable).add('gensec', 'true'); + cdk.Tags.of(serviceParametersTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(serviceParametersTable).add('Purpose', 'AWSServiceParametersDocumentation'); + + // AWS Service Inventory Table (discovered but empty) + const serviceInventoryTable = new dynamodb.Table(this, 'AWSServiceInventory', { + tableName: 'gensec-AWSServiceInventory', + partitionKey: { name: 'service_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(serviceInventoryTable).add('gensec', 'true'); + cdk.Tags.of(serviceInventoryTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(serviceInventoryTable).add('Purpose', 'AWSServiceInventory'); + + // Add GSI for service inventory + serviceInventoryTable.addGlobalSecondaryIndex({ + indexName: 'ServiceNameIndex', + partitionKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + projectionType: dynamodb.ProjectionType.ALL, + }); + + // AWS Service Resources Table (additional table found in AWS) + const serviceResourcesTable = new dynamodb.Table(this, 'AWSServiceResources', { + tableName: 'gensec-AWSServiceResources', + partitionKey: { name: 'service_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'resource_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(serviceResourcesTable).add('gensec', 'true'); + cdk.Tags.of(serviceResourcesTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(serviceResourcesTable).add('Purpose', 'AWSServiceResourcesDocumentation'); + + // Security Standards Library Table (additional table found in AWS) + const securityStandardsLibraryTable = new dynamodb.Table(this, 'SecurityStandardsLibrary', { + tableName: 'gensec-SecurityStandardsLibrary', + partitionKey: { name: 'standard_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'control_id', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(securityStandardsLibraryTable).add('gensec', 'true'); + cdk.Tags.of(securityStandardsLibraryTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(securityStandardsLibraryTable).add('Purpose', 'SecurityStandardsLibrary'); + + // Service Profile Library Table (additional table found in AWS) + const serviceProfileLibraryTable = new dynamodb.Table(this, 'ServiceProfileLibrary', { + tableName: 'gensec-ServiceProfileLibrary', + partitionKey: { name: 'profile_id', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(serviceProfileLibraryTable).add('gensec', 'true'); + cdk.Tags.of(serviceProfileLibraryTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(serviceProfileLibraryTable).add('Purpose', 'ServiceProfileLibrary'); + + // AWS Config Managed Rules Table + const configManagedRulesTable = new dynamodb.Table(this, 'AWSConfigManagedRules', { + tableName: 'gensec-AWSConfigManagedRules', + partitionKey: { name: 'rule_name', type: dynamodb.AttributeType.STRING }, + sortKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, + encryption: dynamodb.TableEncryption.AWS_MANAGED, + pointInTimeRecovery: true, + removalPolicy: cdk.RemovalPolicy.RETAIN, + }); + cdk.Tags.of(configManagedRulesTable).add('gensec', 'true'); + cdk.Tags.of(configManagedRulesTable).add('ResourceType', 'DynamoDBTable'); + cdk.Tags.of(configManagedRulesTable).add('Purpose', 'AWSConfigManagedRules'); + + // Add GSI for service-based queries + configManagedRulesTable.addGlobalSecondaryIndex({ + indexName: 'ServiceNameIndex', + partitionKey: { name: 'service_name', type: dynamodb.AttributeType.STRING }, + projectionType: dynamodb.ProjectionType.ALL, + }); + + // Security Profile Processor Lambda Role with proper permissions + const securityProfileProcessorRole = new iam.Role(this, 'SecurityProfileProcessorRole', { + roleName: 'gensec-SecurityProfileProcessorRole', + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'), + ], + }); + cdk.Tags.of(securityProfileProcessorRole).add('gensec', 'true'); + cdk.Tags.of(securityProfileProcessorRole).add('ResourceType', 'IAMRole'); + cdk.Tags.of(securityProfileProcessorRole).add('Purpose', 'SecurityProfileProcessorRole'); + + // Add explicit CloudWatch Logs permissions (scoped to this function's log group) + securityProfileProcessorRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:PutLogEvents', + ], + resources: [ + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-SecurityProfileProcessor:*`, + ], + })); + + // Add S3 permissions for SecurityProfileProcessor Lambda (gensec-SecurityProfileProcessor) + securityProfileProcessorRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 's3:GetObject', + 's3:PutObject', + 's3:ListBucket', + ], + resources: [ + // CDK-managed buckets (proper resource references) + inputBucket.bucketArn, + `${inputBucket.bucketArn}/*`, + outputBucket.bucketArn, + `${outputBucket.bucketArn}/*`, + documentationBucket.bucketArn, + `${documentationBucket.bucketArn}/*`, + ], + })); + + // Add Step Functions permissions for SecurityProfileProcessor Lambda + securityProfileProcessorRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'states:StartExecution', + 'states:DescribeExecution', + 'states:StopExecution', + ], + resources: [ + // Will be set after stateMachine is created + `arn:aws:states:${this.region}:${this.account}:stateMachine:gensec-SecurityConfigWorkflow`, + `arn:aws:states:${this.region}:${this.account}:stateMachine:gensec-SecurityConfigWorkflow:*`, + ], + })); + + // Add DynamoDB permissions for SecurityProfileProcessor Lambda (gensec-SecurityProfileProcessor) + securityProfileProcessorRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'dynamodb:GetItem', + 'dynamodb:PutItem', + 'dynamodb:Query', + 'dynamodb:Scan', + 'dynamodb:UpdateItem', + ], + resources: [ + // Primary security tables (for tracking and control) + controlLibraryTable.tableArn, + `${controlLibraryTable.tableArn}/index/*`, + serviceTrackingTable.tableArn, + `${serviceTrackingTable.tableArn}/index/*`, + + // Service profile and standards tables (for validation) + serviceProfileLibraryTable.tableArn, + `${serviceProfileLibraryTable.tableArn}/index/*`, + securityStandardsLibraryTable.tableArn, + `${securityStandardsLibraryTable.tableArn}/index/*`, + ], + })); + + // ======================================================================== + // IAM ROLES AND PERMISSIONS + // ======================================================================== + // + // This section defines all IAM roles and their permissions for the security + // configuration system. Each role follows the principle of least privilege. + // + // Role Overview: + // 1. SecurityProfileProcessorRole - Processes S3 uploads, triggers workflows + // 2. DocumentationManagerRole - Collects AWS service documentation + // 3. SecurityConfigurationHandlerRole - Main AI processing and analysis + // 4. StepFunctionsWorkflowRole - Orchestrates the workflow execution + // + // Permission Categories: + // - CloudWatch Logs: Function-specific log group access + // - S3: Bucket-specific read/write access + // - DynamoDB: Table-specific CRUD operations + // - Bedrock: AI model invocation (foundation models with direct access) + // - Step Functions: Workflow execution control + // - VPC: Network access for external API calls + // ======================================================================== + + // Documentation Manager Lambda Role with comprehensive permissions + const documentationManagerRole = new iam.Role(this, 'DocumentationManagerRole', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'), + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'), + ], + }); + cdk.Tags.of(documentationManagerRole).add('gensec', 'true'); + cdk.Tags.of(documentationManagerRole).add('ResourceType', 'IAMRole'); + cdk.Tags.of(documentationManagerRole).add('Purpose', 'DocumentationManagerRole'); + + // Add explicit CloudWatch Logs permissions (scoped to this function's log group) + documentationManagerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:PutLogEvents', + ], + resources: [ + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-AWSServiceDocumentationManager:*`, + ], + })); + + // Add S3 permissions for DocumentationManager Lambda (gensec-AWSServiceDocumentationManager) + documentationManagerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 's3:PutObject', + 's3:GetObject', + 's3:ListBucket', + ], + resources: [ + // CDK-managed buckets (proper resource references) + inputBucket.bucketArn, + `${inputBucket.bucketArn}/*`, + outputBucket.bucketArn, + `${outputBucket.bucketArn}/*`, + documentationBucket.bucketArn, + `${documentationBucket.bucketArn}/*`, + ], + })); + + // Add DynamoDB permissions for DocumentationManager Lambda (gensec-AWSServiceDocumentationManager) + documentationManagerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'dynamodb:PutItem', + 'dynamodb:GetItem', + 'dynamodb:Query', + 'dynamodb:Scan', + 'dynamodb:UpdateItem', + 'dynamodb:DeleteItem', + ], + resources: [ + // AWS service documentation tables (CDK-managed) + serviceActionsTable.tableArn, + `${serviceActionsTable.tableArn}/index/*`, + serviceParametersTable.tableArn, + `${serviceParametersTable.tableArn}/index/*`, + serviceInventoryTable.tableArn, + `${serviceInventoryTable.tableArn}/index/*`, + serviceResourcesTable.tableArn, + `${serviceResourcesTable.tableArn}/index/*`, + + // Additional service and security tables + securityStandardsLibraryTable.tableArn, + `${securityStandardsLibraryTable.tableArn}/index/*`, + serviceProfileLibraryTable.tableArn, + `${serviceProfileLibraryTable.tableArn}/index/*`, + ], + })); + + // ------------------------------------------------------------------------ + // BEDROCK PERMISSIONS - ALL REGIONS SUPPORT + // ------------------------------------------------------------------------ + // Allows access to Bedrock models across all AWS regions for maximum + // model availability and future-proofing as new models are released + // in different regions (e.g., Nova Pro in us-east-1, Claude in us-west-2) + // ------------------------------------------------------------------------ + + // DocumentationManagerRole - Scoped Bedrock Access + documentationManagerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'bedrock:InvokeModel', + 'bedrock:InvokeModelWithResponseStream', + ], + resources: [ + // Foundation models (direct access) + `arn:aws:bedrock:*::foundation-model/*`, + // Inference profiles (for models like Nova Pro) + `arn:aws:bedrock:*:${this.account}:inference-profile/*`, + ], + })); + + // Additional Bedrock permissions for agent operations + documentationManagerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'bedrock:InvokeAgent', + 'bedrock:GetAgent', + 'bedrock:GetAgentAlias', + ], + resources: [ + `arn:aws:bedrock:*:${this.account}:agent/*`, + `arn:aws:bedrock:*:${this.account}:agent-alias/*/*`, + ], + })); + + // VPC for Lambda functions that need external internet access + const vpc = new ec2.Vpc(this, 'SecuritySystemVPC', { + maxAzs: 2, + natGateways: 1, + subnetConfiguration: [ + { + cidrMask: 24, + name: 'Public', + subnetType: ec2.SubnetType.PUBLIC, + }, + { + cidrMask: 24, + name: 'Private', + subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, + }, + ], + }); + cdk.Tags.of(vpc).add('gensec', 'true'); + cdk.Tags.of(vpc).add('ResourceType', 'VPC'); + cdk.Tags.of(vpc).add('Purpose', 'SecuritySystemVPC'); + + // VPC Endpoints for AWS services to reduce NAT Gateway costs + vpc.addGatewayEndpoint('S3Endpoint', { + service: ec2.GatewayVpcEndpointAwsService.S3, + }); + + vpc.addInterfaceEndpoint('DynamoDBEndpoint', { + service: ec2.InterfaceVpcEndpointAwsService.DYNAMODB, + privateDnsEnabled: false, // DynamoDB doesn't support private DNS + }); + + vpc.addInterfaceEndpoint('BedrockRuntimeEndpoint', { + service: ec2.InterfaceVpcEndpointAwsService.BEDROCK_RUNTIME, + }); + + // Security Group for Lambda functions + const lambdaSecurityGroup = new ec2.SecurityGroup(this, 'LambdaSecurityGroup', { + vpc, + description: 'Security group for Security System Lambda functions', + allowAllOutbound: true, + }); + cdk.Tags.of(lambdaSecurityGroup).add('gensec', 'true'); + cdk.Tags.of(lambdaSecurityGroup).add('ResourceType', 'SecurityGroup'); + cdk.Tags.of(lambdaSecurityGroup).add('Purpose', 'LambdaSecurityGroup'); + + // ------------------------------------------------------------------------ + // SHARED BEDROCK CLIENT LAYER + // ------------------------------------------------------------------------ + // Centralized Bedrock client with model switching and comprehensive logging + // ------------------------------------------------------------------------ + + const bedrockLayer = new lambda.LayerVersion(this, 'BedrockClientLayer', { + layerVersionName: 'gensec-bedrock-client-layer', + code: lambda.Code.fromAsset('../layers/bedrock-layer'), + compatibleRuntimes: [lambda.Runtime.PYTHON_3_10], + description: 'Centralized Bedrock client with model switching and comprehensive logging' + }); + + // ------------------------------------------------------------------------ + // STRANDS BEDROCK AGENT + // ------------------------------------------------------------------------ + // Creates the Strands Agent for AWS security configuration analysis + // ------------------------------------------------------------------------ + + // IAM role for Strands Agent + const strandsAgentRole = new iam.Role(this, 'StrandsAgentRole', { + assumedBy: new iam.ServicePrincipal('bedrock.amazonaws.com'), + description: 'IAM role for Strands Bedrock Agent', + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonBedrockFullAccess') + ] + }); + + // GenSec Bedrock Agent + const strandsAgent = new bedrock.CfnAgent(this, 'GenSecAgent', { + agentName: 'GenSecAgent', // Meaningful name aligned with project + description: 'GenSec Agent for AWS security configuration analysis and generation', + foundationModel: 'us.anthropic.claude-sonnet-4-20250514-v1:0', // Use Claude 4 (matches bedrock layer) + instruction: `You are a specialized agent for analyzing AWS service documentation and generating security configurations. + +When you receive a prompt with [Model: model-name] prefix, use that as guidance for your response style and capabilities: +- [Model: claude-4]: Use advanced reasoning and detailed analysis +- [Model: nova-pro]: Focus on concise, practical responses + +Your primary tasks: +1. Extract IAM actions from AWS service authorization documentation +2. Extract CloudFormation parameters from AWS documentation +3. Generate security controls and recommendations +4. Create infrastructure as code templates +5. Generate IAM models and policies + +Always return responses in valid JSON format when requested.`, + agentResourceRoleArn: strandsAgentRole.roleArn, + idleSessionTtlInSeconds: 1800, // 30 minutes + }); + + // Strands Agent Alias + const strandsAgentAlias = new bedrock.CfnAgentAlias(this, 'StrandsAgentAlias', { + agentId: strandsAgent.attrAgentId, + agentAliasName: 'PROD', + description: 'Production alias for Strands Agent' + }); + + // Output the Agent ID and Alias ID for reference + new cdk.CfnOutput(this, 'GenSecAgentId', { + value: strandsAgent.attrAgentId, + description: 'GenSec Agent ID' + }); + + new cdk.CfnOutput(this, 'GenSecAgentAliasId', { + value: strandsAgentAlias.attrAgentAliasId, + description: 'GenSec Agent Alias ID' + }); + + const documentationManager = new lambda.Function(this, 'DocumentationManager', { + functionName: 'gensec-AWSServiceDocumentationManager', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/AWSServiceDocumentationManager'), + timeout: cdk.Duration.minutes(15), + memorySize: 1024, + role: documentationManagerRole, + vpc: vpc, + vpcSubnets: { + subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, + }, + securityGroups: [lambdaSecurityGroup], + layers: [ + layers.commonLayer, + layers.requestsLayer, + layers.webScrapingLayer, + layers.mcpToolsLayer, // Add MCP tools layer + bedrockLayer, // Add centralized Bedrock client layer + ], + environment: { + // Strands Agent Configuration + USE_STRANDS_AGENT: 'false', // Set to 'true' to enable Strands Agent + STRANDS_AGENT_ID: strandsAgent.attrAgentId, + STRANDS_AGENT_ALIAS_ID: strandsAgentAlias.attrAgentAliasId, + + // MCP Configuration + USE_MCP_DOCUMENTATION: 'false', // Set to 'true' to enable MCP (requires MCP server setup) + MCP_SERVER_PATH: 'uvx', // Path to MCP server executable + + // DynamoDB table names (CDK-managed) + DYNAMODB_TABLE_SERVICE_ACTIONS: serviceActionsTable.tableName, + DYNAMODB_TABLE_SERVICE_PARAMETERS: serviceParametersTable.tableName, + DYNAMODB_TABLE_SERVICE_INVENTORY: serviceInventoryTable.tableName, + DYNAMODB_TABLE_SERVICE_RESOURCES: serviceResourcesTable.tableName, + DYNAMODB_TABLE_SECURITY_STANDARDS: securityStandardsLibraryTable.tableName, + DYNAMODB_TABLE_SERVICE_PROFILES: serviceProfileLibraryTable.tableName, + + // Documentation configuration + DOCUMENTATION_TABLE_PREFIX: 'AWSService', + DOCUMENTATION_BUCKET: documentationBucket.bucketName, + + // S3 buckets (CDK-managed) + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + + // Logging level + LOG_LEVEL: 'INFO', + }, + }); + cdk.Tags.of(documentationManager).add('gensec', 'true'); + cdk.Tags.of(documentationManager).add('ResourceType', 'LambdaFunction'); + cdk.Tags.of(documentationManager).add('Purpose', 'AWSServiceDocumentationManager'); + + // ------------------------------------------------------------------------ + // SECURITY CONFIGURATION HANDLER ROLE + // ------------------------------------------------------------------------ + // Main processing role for AI-powered security analysis and configuration + // generation. Requires access to Bedrock AI, DynamoDB tables, and S3. + // ------------------------------------------------------------------------ + + const securityConfigHandlerRole = new iam.Role(this, 'SecurityConfigHandlerRole', { + roleName: 'gensec-SecurityConfigurationHandlerRole', + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'), + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'), + ], + }); + cdk.Tags.of(securityConfigHandlerRole).add('gensec', 'true'); + cdk.Tags.of(securityConfigHandlerRole).add('ResourceType', 'IAMRole'); + cdk.Tags.of(securityConfigHandlerRole).add('Purpose', 'SecurityConfigurationHandlerRole'); + + // CloudWatch Logs - Function-specific log group access for all decomposed functions + securityConfigHandlerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:PutLogEvents', + ], + resources: [ + // Decomposed Lambda function log groups + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-AnalyzeSecurityRequirements:*`, + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-GenerateSecurityControls:*`, + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-GenerateIaCTemplate:*`, + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-GenerateIAMModel:*`, + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/gensec-GenerateServiceProfile:*`, + ], + })); + + // SecurityConfigurationHandlerRole - Scoped Bedrock Access + securityConfigHandlerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'bedrock:InvokeModel', + 'bedrock:InvokeModelWithResponseStream', + ], + resources: [ + // Foundation models (direct access) + `arn:aws:bedrock:*::foundation-model/*`, + // Inference profiles (for models like Nova Pro) + `arn:aws:bedrock:*:${this.account}:inference-profile/*`, + ], + })); + + // Additional Bedrock permissions for agent operations + securityConfigHandlerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'bedrock:InvokeAgent', + 'bedrock:GetAgent', + 'bedrock:GetAgentAlias', + 'bedrock:ListKnowledgeBases', + 'bedrock:GetKnowledgeBase', + 'bedrock:RetrieveAndGenerate', + ], + resources: [ + `arn:aws:bedrock:*:${this.account}:agent/*`, + `arn:aws:bedrock:*:${this.account}:agent-alias/*/*`, + `arn:aws:bedrock:*:${this.account}:knowledge-base/*`, + ], + })); + + + // DynamoDB - Scoped access to specific security configuration tables + securityConfigHandlerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'dynamodb:GetItem', + 'dynamodb:PutItem', + 'dynamodb:Query', + 'dynamodb:Scan', + 'dynamodb:UpdateItem', + 'dynamodb:DeleteItem', + 'dynamodb:BatchGetItem', + 'dynamodb:BatchWriteItem', + ], + resources: [ + // Core Security Tables + controlLibraryTable.tableArn, // Security control definitions + `${controlLibraryTable.tableArn}/index/*`, + serviceTrackingTable.tableArn, // Request tracking and audit + `${serviceTrackingTable.tableArn}/index/*`, + + // AWS Service Documentation Tables + serviceActionsTable.tableArn, // AWS service actions catalog + `${serviceActionsTable.tableArn}/index/*`, + serviceParametersTable.tableArn, // Service parameter definitions + `${serviceParametersTable.tableArn}/index/*`, + serviceInventoryTable.tableArn, // Service inventory and metadata + `${serviceInventoryTable.tableArn}/index/*`, + serviceResourcesTable.tableArn, // Service resource mappings + `${serviceResourcesTable.tableArn}/index/*`, + + // Security Standards and Profiles + securityStandardsLibraryTable.tableArn, // Security standards library + `${securityStandardsLibraryTable.tableArn}/index/*`, + serviceProfileLibraryTable.tableArn, // Service profile templates + `${serviceProfileLibraryTable.tableArn}/index/*`, + configManagedRulesTable.tableArn, // AWS Config managed rules + `${configManagedRulesTable.tableArn}/index/*`, + ], + })); + + // S3 - Read/write access to all system buckets + securityConfigHandlerRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 's3:GetObject', // Read objects from buckets + 's3:PutObject', // Write results and artifacts + 's3:ListBucket', // List bucket contents + ], + resources: [ + // System Buckets + outputBucket.bucketArn, // Generated security configurations + `${outputBucket.bucketArn}/*`, + inputBucket.bucketArn, // Input security profiles + `${inputBucket.bucketArn}/*`, + documentationBucket.bucketArn, // AWS service documentation + `${documentationBucket.bucketArn}/*`, + ], + })); + + // ======================================================================== + // NEW DECOMPOSED LAMBDA FUNCTIONS FOR TESTING + // ======================================================================== + + // 1. AnalyzeSecurityRequirements Lambda + const analyzeSecurityRequirementsLambda = new lambda.Function(this, 'AnalyzeSecurityRequirements', { + functionName: 'gensec-AnalyzeSecurityRequirements', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/AnalyzeSecurityRequirements'), + timeout: cdk.Duration.minutes(15), + memorySize: 1024, + role: securityConfigHandlerRole, + layers: [ + layers.commonLayer, + layers.dynamodbOperationsLayer, + layers.validationLayer, + bedrockLayer, + ], + environment: { + // Strands Agent Configuration + USE_STRANDS_AGENT: 'false', // Set to 'true' to enable Strands Agent + STRANDS_AGENT_ID: strandsAgent.attrAgentId, + STRANDS_AGENT_ALIAS_ID: strandsAgentAlias.attrAgentAliasId, + + DYNAMODB_TABLE_CONTROL_LIBRARY: controlLibraryTable.tableName, + DYNAMODB_TABLE_SERVICE_TRACKING: serviceTrackingTable.tableName, + DYNAMODB_TABLE_SERVICE_ACTIONS: serviceActionsTable.tableName, + DYNAMODB_TABLE_SERVICE_PARAMETERS: serviceParametersTable.tableName, + DYNAMODB_TABLE_CONFIG_MANAGED_RULES: configManagedRulesTable.tableName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + }, + }); + + // 2. GenerateSecurityControls Lambda + const generateSecurityControlsLambda = new lambda.Function(this, 'GenerateSecurityControls', { + functionName: 'gensec-GenerateSecurityControls', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/GenerateSecurityControls'), + timeout: cdk.Duration.minutes(15), + memorySize: 1024, + role: securityConfigHandlerRole, + layers: [ + layers.commonLayer, + layers.dynamodbOperationsLayer, + layers.validationLayer, + bedrockLayer, + ], + environment: { + // Strands Agent Configuration + USE_STRANDS_AGENT: 'false', // Set to 'true' to enable Strands Agent + STRANDS_AGENT_ID: strandsAgent.attrAgentId, + STRANDS_AGENT_ALIAS_ID: strandsAgentAlias.attrAgentAliasId, + + DYNAMODB_TABLE_CONTROL_LIBRARY: controlLibraryTable.tableName, + DYNAMODB_TABLE_SERVICE_ACTIONS: serviceActionsTable.tableName, + DYNAMODB_TABLE_SERVICE_PARAMETERS: serviceParametersTable.tableName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + }, + }); + + // 3. GenerateIaCTemplate Lambda + const generateIaCTemplateLambda = new lambda.Function(this, 'GenerateIaCTemplate', { + functionName: 'gensec-GenerateIaCTemplate', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/GenerateIaCTemplate'), + timeout: cdk.Duration.minutes(15), + memorySize: 1024, + role: securityConfigHandlerRole, + layers: [ + layers.commonLayer, + layers.dynamodbOperationsLayer, + layers.validationLayer, + bedrockLayer, + ], + environment: { + // Strands Agent Configuration + USE_STRANDS_AGENT: 'false', // Set to 'true' to enable Strands Agent + STRANDS_AGENT_ID: strandsAgent.attrAgentId, + STRANDS_AGENT_ALIAS_ID: strandsAgentAlias.attrAgentAliasId, + + DYNAMODB_TABLE_CONTROL_LIBRARY: controlLibraryTable.tableName, + DYNAMODB_TABLE_SERVICE_PARAMETERS: serviceParametersTable.tableName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + }, + }); + + // 4. GenerateIAMModel Lambda + const generateIAMModelLambda = new lambda.Function(this, 'GenerateIAMModel', { + functionName: 'gensec-GenerateIAMModel', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/GenerateIAMModel'), + timeout: cdk.Duration.minutes(15), + memorySize: 1024, + role: securityConfigHandlerRole, + layers: [ + layers.commonLayer, + layers.dynamodbOperationsLayer, + layers.validationLayer, + bedrockLayer, + ], + environment: { + // Strands Agent Configuration + USE_STRANDS_AGENT: 'false', // Set to 'true' to enable Strands Agent + STRANDS_AGENT_ID: strandsAgent.attrAgentId, + STRANDS_AGENT_ALIAS_ID: strandsAgentAlias.attrAgentAliasId, + + DYNAMODB_TABLE_SERVICE_ACTIONS: serviceActionsTable.tableName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + }, + }); + + // 5. GenerateServiceProfile Lambda + const generateServiceProfileLambda = new lambda.Function(this, 'GenerateServiceProfile', { + functionName: 'gensec-GenerateServiceProfile', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/GenerateServiceProfile'), + timeout: cdk.Duration.minutes(15), + memorySize: 1024, + role: securityConfigHandlerRole, + layers: [ + layers.commonLayer, + layers.dynamodbOperationsLayer, + layers.validationLayer, + bedrockLayer, + ], + environment: { + // Strands Agent Configuration + USE_STRANDS_AGENT: 'false', // Set to 'true' to enable Strands Agent + STRANDS_AGENT_ID: strandsAgent.attrAgentId, + STRANDS_AGENT_ALIAS_ID: strandsAgentAlias.attrAgentAliasId, + + DYNAMODB_TABLE_SERVICE_ACTIONS: serviceActionsTable.tableName, + DYNAMODB_TABLE_SERVICE_PARAMETERS: serviceParametersTable.tableName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + }, + }); + + // Add tags to all new Lambda functions + [analyzeSecurityRequirementsLambda, generateSecurityControlsLambda, generateIaCTemplateLambda, + generateIAMModelLambda, generateServiceProfileLambda].forEach(func => { + cdk.Tags.of(func).add('gensec', 'true'); + cdk.Tags.of(func).add('ResourceType', 'LambdaFunction'); + cdk.Tags.of(func).add('Purpose', 'DecomposedSecurityFunction'); + }); + + // Grant documentation manager permissions to documentation bucket + // Permissions are handled in the role definition above + + // ======================================================================== + // STEP FUNCTIONS WORKFLOW (DECOMPOSED ARCHITECTURE) + // ======================================================================== + + // Create log group for Step Functions + const stepFunctionsLogGroup = new logs.LogGroup(this, 'StepFunctionsLogGroup', { + logGroupName: '/aws/vendedlogs/states/gensec-SecurityConfigWorkflow-Logs', + retention: logs.RetentionDays.TWO_WEEKS, + removalPolicy: cdk.RemovalPolicy.DESTROY, + }); + cdk.Tags.of(stepFunctionsLogGroup).add('gensec', 'true'); + cdk.Tags.of(stepFunctionsLogGroup).add('ResourceType', 'LogGroup'); + cdk.Tags.of(stepFunctionsLogGroup).add('Purpose', 'StepFunctionsLogGroup'); + + // Step Functions Role with proper permissions (matching AWS) + const stepFunctionsRole = new iam.Role(this, 'StepFunctionsRole', { + roleName: 'gensec-SecurityConfigWorkflowRole', + assumedBy: new iam.ServicePrincipal('states.amazonaws.com'), + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaRole'), + ], + }); + cdk.Tags.of(stepFunctionsRole).add('gensec', 'true'); + cdk.Tags.of(stepFunctionsRole).add('ResourceType', 'IAMRole'); + cdk.Tags.of(stepFunctionsRole).add('Purpose', 'StepFunctionsRole'); + + // Lambda invoke permissions will be added after all Lambda functions are created + + // Add CloudWatch Logs permissions for Step Functions (scoped to Step Functions log groups) + stepFunctionsRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:PutLogEvents', + 'logs:DescribeLogGroups', + 'logs:DescribeLogStreams', + ], + resources: [ + stepFunctionsLogGroup.logGroupArn, + `${stepFunctionsLogGroup.logGroupArn}:*`, + ], + })); + + // Add X-Ray permissions for Step Functions tracing (scoped to this account/region) + stepFunctionsRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'xray:PutTraceSegments', + 'xray:PutTelemetryRecords', + ], + resources: [ + `arn:aws:xray:${this.region}:${this.account}:trace/*`, + ], + })); + + // X-Ray sampling rules (global resources) + stepFunctionsRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'xray:GetSamplingRules', + 'xray:GetSamplingTargets', + ], + resources: ['*'], // These are global resources without specific ARNs + })); + + // Add Lambda invoke permissions for Step Functions workflow + stepFunctionsRole.addToPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'lambda:InvokeFunction', + ], + resources: [ + documentationManager.functionArn, + // OLD: securityConfigHandler.functionArn, // COMMENTED OUT - replaced by decomposed functions + // decomposed Lambda functions + analyzeSecurityRequirementsLambda.functionArn, + generateSecurityControlsLambda.functionArn, + generateIaCTemplateLambda.functionArn, + generateIAMModelLambda.functionArn, + generateServiceProfileLambda.functionArn, + ], + })); + + // Create Step Functions tasks using the decomposed Lambda functions + const analyzeRequirements = new stepfunctionsTasks.LambdaInvoke(this, 'AnalyzeRequirementsTask', { + lambdaFunction: analyzeSecurityRequirementsLambda, + resultPath: '$.analysisResult', + payload: stepfunctions.TaskInput.fromObject({ + 'securityProfile.$': '$.securityProfile', + 'serviceRequest.$': '$.serviceRequest', + serviceDocumentation: { + 'statusCode.$': '$.serviceDocumentation.Payload.statusCode', + body: { + 'service_id.$': '$.serviceDocumentation.Payload.body.service_id', + 'actions_count.$': '$.serviceDocumentation.Payload.body.actions_count', + 'parameters_count.$': '$.serviceDocumentation.Payload.body.parameters_count', + 'message.$': '$.serviceDocumentation.Payload.body.message', + 'warnings.$': '$.serviceDocumentation.Payload.body.warnings', + 's3_locations.$': '$.serviceDocumentation.Payload.body.s3_locations', + 'status.$': '$.serviceDocumentation.Payload.body.status', + }, + }, + }), + }); + + const generateSecurityControls = new stepfunctionsTasks.LambdaInvoke(this, 'GenerateSecurityControlsTask', { + lambdaFunction: generateSecurityControlsLambda, + resultPath: '$.controlsResult', + payload: stepfunctions.TaskInput.fromObject({ + 'requestId.$': '$.serviceRequest.requestId', + 'serviceId.$': '$.serviceRequest.serviceId', + 'analysisResult.$': '$.analysisResult', + serviceDocumentation: { + 'statusCode.$': '$.serviceDocumentation.Payload.statusCode', + body: { + 'service_id.$': '$.serviceDocumentation.Payload.body.service_id', + 'actions_count.$': '$.serviceDocumentation.Payload.body.actions_count', + 'parameters_count.$': '$.serviceDocumentation.Payload.body.parameters_count', + 's3_locations.$': '$.serviceDocumentation.Payload.body.s3_locations', + 'status.$': '$.serviceDocumentation.Payload.body.status', + }, + }, + }), + }); + + const generateIaCTemplate = new stepfunctionsTasks.LambdaInvoke(this, 'GenerateIaCTemplateTask', { + lambdaFunction: generateIaCTemplateLambda, + resultPath: '$.templateResult', + payload: stepfunctions.TaskInput.fromObject({ + 'requestId.$': '$.serviceRequest.requestId', + 'serviceId.$': '$.serviceRequest.serviceId', + 'analysisResult.$': '$.analysisResult', + 'controlsResult.$': '$.controlsResult', + serviceDocumentation: { + 'statusCode.$': '$.serviceDocumentation.Payload.statusCode', + body: { + 'service_id.$': '$.serviceDocumentation.Payload.body.service_id', + 'actions_count.$': '$.serviceDocumentation.Payload.body.actions_count', + 'parameters_count.$': '$.serviceDocumentation.Payload.body.parameters_count', + 's3_locations.$': '$.serviceDocumentation.Payload.body.s3_locations', + 'status.$': '$.serviceDocumentation.Payload.body.status', + }, + }, + }), + }); + + const generateServiceProfile = new stepfunctionsTasks.LambdaInvoke(this, 'GenerateServiceProfileTask', { + lambdaFunction: generateServiceProfileLambda, + resultPath: '$.profileResult', + payload: stepfunctions.TaskInput.fromObject({ + 'requestId.$': '$.serviceRequest.requestId', + 'serviceId.$': '$.serviceRequest.serviceId', + serviceDocumentation: { + 'statusCode.$': '$.serviceDocumentation.Payload.statusCode', + body: { + 'service_id.$': '$.serviceDocumentation.Payload.body.service_id', + 'actions_count.$': '$.serviceDocumentation.Payload.body.actions_count', + 'parameters_count.$': '$.serviceDocumentation.Payload.body.parameters_count', + 's3_locations.$': '$.serviceDocumentation.Payload.body.s3_locations', + 'status.$': '$.serviceDocumentation.Payload.body.status', + }, + }, + }), + }); + + const generateIAMModel = new stepfunctionsTasks.LambdaInvoke(this, 'GenerateIAMModelTask', { + lambdaFunction: generateIAMModelLambda, + resultPath: '$.iamModelResult', + payload: stepfunctions.TaskInput.fromObject({ + 'requestId.$': '$.serviceRequest.requestId', + 'serviceId.$': '$.serviceRequest.serviceId', + serviceDocumentation: { + 'statusCode.$': '$.serviceDocumentation.Payload.statusCode', + body: { + 'service_id.$': '$.serviceDocumentation.Payload.body.service_id', + 'actions_count.$': '$.serviceDocumentation.Payload.body.actions_count', + 'parameters_count.$': '$.serviceDocumentation.Payload.body.parameters_count', + 's3_locations.$': '$.serviceDocumentation.Payload.body.s3_locations', + 'status.$': '$.serviceDocumentation.Payload.body.status', + }, + }, + }), + }); + + const workflowSucceeded = new stepfunctions.Succeed(this, 'WorkflowSucceeded'); + const workflowFailed = new stepfunctions.Fail(this, 'WorkflowFailed', { + error: 'WorkflowFailure', + cause: ' workflow execution failed. Check the execution history and CloudWatch logs for details.', + }); + + // Create separate service documentation failed state + const serviceDocumentationFailed = new stepfunctions.Fail(this, 'ServiceDocumentationFailed', { + error: 'ServiceDocumentationFailure', + cause: 'Service documentation validation failed. Service documentation must have either valid actions or parameters.', + }); + + // Create separate ValidateAndCollectServiceData for new workflow + const validateAndCollectData = new stepfunctionsTasks.LambdaInvoke(this, 'ValidateAndCollectServiceData', { + lambdaFunction: documentationManager, + resultPath: '$.serviceDocumentation', + payload: stepfunctions.TaskInput.fromObject({ + action: 'ValidateAndCollectServiceData', + input: { + 'serviceId.$': '$.serviceRequest.serviceId', + 'service.$': '$.serviceRequest.services[0].serviceName', + }, + }), + }); + + // Create Choice state for service documentation check (reuse existing logic) + const checkServiceDocumentation = new stepfunctions.Choice(this, 'CheckServiceDocumentation') + .when(stepfunctions.Condition.or( + stepfunctions.Condition.and( + stepfunctions.Condition.numberEquals('$.serviceDocumentation.Payload.statusCode', 200), + stepfunctions.Condition.numberGreaterThan('$.serviceDocumentation.Payload.body.actions_count', 0) + ), + stepfunctions.Condition.and( + stepfunctions.Condition.numberEquals('$.serviceDocumentation.Payload.statusCode', 200), + stepfunctions.Condition.numberGreaterThan('$.serviceDocumentation.Payload.body.parameters_count', 0) + ), + stepfunctions.Condition.and( + stepfunctions.Condition.numberEquals('$.serviceDocumentation.Payload.statusCode', 200), + stepfunctions.Condition.stringEquals('$.serviceDocumentation.Payload.body.status', 'SUCCESS') + ) + ), analyzeRequirements) + .otherwise(serviceDocumentationFailed); + + // Configure error handling and retries for new tasks + // Configure error handling and retries + const retryConfig = { + errors: [ + 'States.TaskFailed', + 'Lambda.ServiceException', + 'Lambda.AWSLambdaException', + 'Lambda.SdkClientException', + ], + interval: cdk.Duration.seconds(2), + maxAttempts: 3, + backoffRate: 2, + }; + + [validateAndCollectData, analyzeRequirements, generateSecurityControls, generateIaCTemplate, + generateServiceProfile, generateIAMModel].forEach(task => { + task.addRetry(retryConfig); + task.addCatch(workflowFailed, { resultPath: '$.error' }); + }); + + // Create new Step Functions workflow definition + const setDefaultLogLevel = new stepfunctions.Pass(this, 'SetDefaultLogLevel', { + parameters: { + 'logLevel': 'INFO', + 'securityProfile.$': '$.securityProfile', + 'serviceRequest.$': '$.serviceRequest' + } + }); + + const debugState = new stepfunctions.Pass(this, 'DebugState', { + parameters: { + debug: { + 'timestamp.$': '$$.State.EnteredTime', + inputData: { + 'securityProfile.$': '$.securityProfile', + 'serviceRequest.$': '$.serviceRequest', + 'serviceDocumentation.$': '$.serviceDocumentation', + }, + }, + }, + resultPath: '$.debug', + }); + + const validateInputData = new stepfunctions.Pass(this, 'ValidateInputData', { + inputPath: '$', + }); + + const definition = setDefaultLogLevel + .next(validateAndCollectData) + .next(debugState) + .next(validateInputData) + .next(checkServiceDocumentation); + + analyzeRequirements + .next(generateSecurityControls) + .next(generateIaCTemplate) + .next(generateServiceProfile) + .next(generateIAMModel) + .next(workflowSucceeded); + + // Create Step Functions state machine + const stateMachine = new stepfunctions.StateMachine(this, 'SecurityConfigWorkflow', { + stateMachineName: 'gensec-SecurityConfigWorkflow', + definition: definition, + timeout: cdk.Duration.minutes(30), + tracingEnabled: true, + role: stepFunctionsRole, // Reuse existing role with updated permissions + logs: { + destination: stepFunctionsLogGroup, + level: stepfunctions.LogLevel.ALL, + includeExecutionData: false, + }, + }); + cdk.Tags.of(stateMachine).add('gensec', 'true'); + cdk.Tags.of(stateMachine).add('ResourceType', 'StateMachine'); + cdk.Tags.of(stateMachine).add('Purpose', 'SecurityConfigWorkflow'); + + // ======================================================================== + // IAM PERMISSIONS SUMMARY - LEAST PRIVILEGE IMPLEMENTATION + // ======================================================================== + // All IAM roles follow strict least privilege with resource-scoped access: + // + // ✅ DocumentationManagerRole: + // - CloudWatch Logs: /aws/lambda/gensec-AWSServiceDocumentationManager:* + // - S3: Specific bucket ARNs (input, output, documentation) + // - DynamoDB: Service documentation tables only with specific actions + // - Bedrock: InvokeModel on foundation-model/* and inference-profile/* + // - Bedrock Agent: InvokeAgent, GetAgent, GetAgentAlias on account resources + // - VPC: Managed policy for external documentation access + // + // ✅ SecurityConfigurationHandlerRole (shared by 5 decomposed functions): + // - CloudWatch Logs: Function-specific log groups for each decomposed function + // - Bedrock: InvokeModel + agent operations on account-scoped resources + // - DynamoDB: Specific CRUD actions on all security/service tables + indexes + // - S3: GetObject, PutObject, ListBucket on system buckets only + // + // ✅ StepFunctionsWorkflowRole: + // - Lambda: InvokeFunction on specific workflow function ARNs + // - CloudWatch Logs: Step Functions log group only + // - X-Ray: PutTraceSegments on account traces + global sampling rules + // + // ✅ SecurityProfileProcessorRole: + // - CloudWatch Logs: /aws/lambda/gensec-SecurityProfileProcessor:* + // - S3: Specific bucket ARNs (input, output, documentation) + // - Step Functions: StartExecution, DescribeExecution on workflow ARN + // - DynamoDB: Specific actions on security control and tracking tables + // ======================================================================== + + // Security Profile Processor Lambda (needs state machine ARN) + const securityProfileProcessor = new lambda.Function(this, 'SecurityProfileProcessor', { + functionName: 'gensec-SecurityProfileProcessor', + runtime: lambda.Runtime.PYTHON_3_10, + handler: 'lambda_function.lambda_handler', + code: lambda.Code.fromAsset('../lambda/SecurityProfileProcessor'), + timeout: cdk.Duration.minutes(3), + memorySize: 128, + role: securityProfileProcessorRole, + layers: [ + layers.commonLayer, + ], + environment: { + // Step Functions State Machine ARN + STATE_MACHINE_ARN: stateMachine.stateMachineArn, + + // Primary DynamoDB tables (current active tables) + DYNAMODB_TABLE_CONTROL_LIBRARY: controlLibraryTable.tableName, + DYNAMODB_TABLE_SERVICE_TRACKING: serviceTrackingTable.tableName, + + // Service profile and standards tables + DYNAMODB_TABLE_SERVICE_PROFILES: serviceProfileLibraryTable.tableName, + DYNAMODB_TABLE_SECURITY_STANDARDS: securityStandardsLibraryTable.tableName, + + // S3 buckets (CDK-managed) + S3_INPUT_BUCKET: inputBucket.bucketName, + S3_OUTPUT_BUCKET: outputBucket.bucketName, + S3_DOCUMENTATION_BUCKET: documentationBucket.bucketName, + }, + }); + cdk.Tags.of(securityProfileProcessor).add('gensec', 'true'); + cdk.Tags.of(securityProfileProcessor).add('ResourceType', 'LambdaFunction'); + cdk.Tags.of(securityProfileProcessor).add('Purpose', 'SecurityProfileProcessor'); + + // Add S3 trigger for SecurityProfileProcessor + inputBucket.addEventNotification( + s3.EventType.OBJECT_CREATED, + new s3n.LambdaDestination(securityProfileProcessor) + ); + + // Grant permissions for SecurityProfileProcessor + inputBucket.grantReadWrite(securityProfileProcessor); + // stateMachine.grantStartExecution(securityProfileProcessor); // OLD - commented out + stateMachine.grantStartExecution(securityProfileProcessor); + + // Add CloudWatch metrics and alarms + new cdk.CfnOutput(this, 'StateMachineArn', { + value: stateMachine.stateMachineArn, + description: 'Security Configuration Workflow State Machine ARN (Decomposed Architecture)', + }); + + new cdk.CfnOutput(this, 'VpcId', { + value: vpc.vpcId, + description: 'VPC ID for Security System', + }); + + new cdk.CfnOutput(this, 'SecurityGroupId', { + value: lambdaSecurityGroup.securityGroupId, + description: 'Security Group ID for Lambda functions', + }); + + new cdk.CfnOutput(this, 'ControlLibraryTableName', { + value: controlLibraryTable.tableName, + description: 'Primary Security Control Library DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'ServiceTrackingTableName', { + value: serviceTrackingTable.tableName, + description: 'Primary Service Request Tracking DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'ServiceActionsTableName', { + value: serviceActionsTable.tableName, + description: 'AWS Service Actions Documentation DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'ServiceParametersTableName', { + value: serviceParametersTable.tableName, + description: 'AWS Service Parameters Documentation DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'ServiceInventoryTableName', { + value: serviceInventoryTable.tableName, + description: 'AWS Service Inventory DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'ServiceResourcesTableName', { + value: serviceResourcesTable.tableName, + description: 'AWS Service Resources Documentation DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'SecurityStandardsLibraryTableName', { + value: securityStandardsLibraryTable.tableName, + description: 'Security Standards Library DynamoDB Table Name', + }); + + new cdk.CfnOutput(this, 'ServiceProfileLibraryTableName', { + value: serviceProfileLibraryTable.tableName, + description: 'Service Profile Library DynamoDB Table Name', + }); + } +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/package.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/package.json new file mode 100644 index 00000000..96096050 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/package.json @@ -0,0 +1,27 @@ +{ + "name": "security-configuration-system", + "version": "1.0.0", + "description": "Security Configuration System Infrastructure", + "main": "bin/app.js", + "scripts": { + "build": "tsc", + "watch": "tsc -w", + "test": "jest", + "cdk": "cdk", + "deploy": "cdk deploy", + "diff": "cdk diff" + }, + "dependencies": { + "aws-cdk-lib": "^2.0.0", + "constructs": "^10.0.0", + "source-map-support": "^0.5.21" + }, + "devDependencies": { + "@types/jest": "^29.0.0", + "@types/node": "^20.0.0", + "jest": "^29.0.0", + "ts-jest": "^29.0.0", + "ts-node": "^10.0.0", + "typescript": "^5.0.0" + } +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/tsconfig.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/tsconfig.json new file mode 100644 index 00000000..3c5edd81 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/cdk/tsconfig.json @@ -0,0 +1,33 @@ +{ + "compilerOptions": { + "target": "ES2020", + "module": "commonjs", + "lib": [ + "es2020", + "dom" + ], + "declaration": true, + "strict": true, + "noImplicitAny": true, + "strictNullChecks": true, + "noImplicitThis": true, + "alwaysStrict": true, + "noUnusedLocals": false, + "noUnusedParameters": false, + "noImplicitReturns": true, + "noFallthroughCasesInSwitch": false, + "inlineSourceMap": true, + "inlineSources": true, + "experimentalDecorators": true, + "strictPropertyInitialization": false, + "typeRoots": [ + "./node_modules/@types" + ], + "outDir": "dist" + }, + "exclude": [ + "node_modules", + "cdk.out", + "dist" + ] +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/security-profile/PROF-2025-002.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/security-profile/PROF-2025-002.json new file mode 100644 index 00000000..820dc3fd --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/security-profile/PROF-2025-002.json @@ -0,0 +1,246 @@ +{ + "profile_id": "PROF-2025-001", + "organization_details": { + "name": "Example Organization", + "environment": "Production", + "aws_accounts": ["320"] + }, + "security_operations": { + "logging": { + "centralized_logging": true, + "log_retention_period": 365, + "logging_solution": "CloudWatch", + "third_party_integration": { + "name": "Splunk", + "enabled": true + } + }, + "monitoring": { + "security_monitoring": true, + "monitoring_solution": "SecurityHub", + "alert_notifications": true, + "incident_response": { + "automated_response": true, + "notification_channels": ["email", "slack"] + } + }, + "secrets_management": { + "solution": "AWS Secrets Manager", + "rotation_enabled": true, + "rotation_frequency_days": 90 + }, + "access_management": { + "mfa_required": true, + "password_policy": { + "minimum_length": 14, + "require_symbols": true, + "require_numbers": true, + "require_uppercase": true, + "require_lowercase": true, + "password_expiration_days": 90 + } + }, + "encryption": { + "data_at_rest": true, + "data_in_transit": true, + "key_rotation": true, + "kms_required": true + } + }, + "security_controls": { + "detective": { + "enabled": true, + "controls": ["AWS Config", "CloudTrail", "GuardDuty"] + }, + "preventive": { + "enabled": true, + "controls": ["IAM", "Security Groups", "NACLs"] + }, + "proactive": { + "enabled": true, + "controls": ["AWS Config Rules", "Security Hub"] + } + }, + "security_requirements": { + "encryption_requirements": { + "at_rest": true, + "in_transit": true, + "key_management": "AWS KMS", + "encryption_algorithms": ["AES-256", "RSA-2048"], + "key_rotation_frequency": 365, + "hsm_required": true, + "fips_140_2_level": 3, + "customer_managed_keys": true, + "cross_region_key_replication": true + }, + "access_requirements": { + "mfa": true, + "ip_restrictions": true, + "least_privilege": true, + "privileged_access_management": true, + "session_timeout": 30, + "concurrent_session_limit": 1, + "geo_blocking": true, + "time_based_access": true, + "break_glass_procedures": true, + "zero_trust_architecture": true, + "certificate_based_auth": true, + "biometric_authentication": false + }, + "monitoring_requirements": { + "logging": true, + "alerting": true, + "audit_trail": true, + "real_time_monitoring": true, + "behavioral_analytics": true, + "threat_intelligence": true, + "siem_integration": true, + "log_integrity_protection": true, + "continuous_compliance_monitoring": true, + "insider_threat_detection": true, + "anomaly_detection": true, + "security_orchestration": true + }, + "data_protection_requirements": { + "data_classification": true, + "data_loss_prevention": true, + "data_masking": true, + "tokenization": true, + "data_residency": true, + "cross_border_restrictions": true, + "right_to_be_forgotten": true, + "data_retention_policies": true, + "secure_data_destruction": true, + "backup_encryption": true, + "database_activity_monitoring": true + }, + "network_security_requirements": { + "network_segmentation": true, + "micro_segmentation": true, + "vpc_flow_logs": true, + "intrusion_detection": true, + "intrusion_prevention": true, + "web_application_firewall": true, + "ddos_protection": true, + "dns_filtering": true, + "ssl_tls_inspection": true, + "network_access_control": true, + "vpn_required": true, + "private_connectivity": true + }, + "application_security_requirements": { + "secure_coding_standards": true, + "static_code_analysis": true, + "dynamic_application_testing": true, + "dependency_scanning": true, + "container_security": true, + "api_security": true, + "input_validation": true, + "output_encoding": true, + "session_management": true, + "error_handling": true, + "security_headers": true, + "rate_limiting": true + }, + "infrastructure_security_requirements": { + "hardened_images": true, + "patch_management": true, + "vulnerability_scanning": true, + "configuration_management": true, + "immutable_infrastructure": true, + "secrets_scanning": true, + "infrastructure_as_code": true, + "security_baselines": true, + "endpoint_protection": true, + "privileged_account_management": true, + "asset_inventory": true, + "change_management": true + }, + "business_continuity_requirements": { + "disaster_recovery": true, + "backup_strategy": true, + "rpo_minutes": 15, + "rto_minutes": 60, + "cross_region_replication": true, + "failover_testing": true, + "incident_response_plan": true, + "crisis_communication": true, + "business_impact_analysis": true, + "recovery_procedures": true, + "alternate_processing_sites": true + }, + "third_party_security_requirements": { + "vendor_risk_assessment": true, + "security_questionnaires": true, + "penetration_testing": true, + "security_certifications": true, + "data_processing_agreements": true, + "right_to_audit": true, + "incident_notification": true, + "secure_integration": true, + "api_security_standards": true, + "supply_chain_security": true + }, + "financial_specific_requirements": { + "payment_card_security": true, + "anti_money_laundering": true, + "fraud_detection": true, + "transaction_monitoring": true, + "customer_due_diligence": true, + "sanctions_screening": true, + "market_data_protection": true, + "trading_system_security": true, + "regulatory_reporting": true, + "audit_trail_completeness": true, + "non_repudiation": true, + "time_synchronization": true, + "segregation_of_duties": true, + "maker_checker_controls": true, + "financial_crime_prevention": true + }, + "privacy_requirements": { + "gdpr_compliance": true, + "ccpa_compliance": true, + "privacy_by_design": true, + "consent_management": true, + "data_subject_rights": true, + "privacy_impact_assessment": true, + "cross_border_data_transfer": true, + "anonymization": true, + "pseudonymization": true, + "privacy_notices": true + }, + "operational_security_requirements": { + "security_awareness_training": true, + "phishing_simulation": true, + "security_metrics": true, + "security_dashboard": true, + "threat_hunting": true, + "red_team_exercises": true, + "tabletop_exercises": true, + "security_governance": true, + "risk_management": true, + "security_policies": true, + "procedure_documentation": true, + "security_reviews": true + } + }, + "compliance_requirements": { + "primary_framework": "NIST-800-53", + "additional_frameworks": ["PCI-DSS", "ISO-27001"], + "requirements": { + "data_classification": "sensitive", + "regulatory_regions": ["us-east-1"], + "audit_frequency": "quarterly" + } + }, + "threat_model": { + "framework": "STRIDE", + "threat_vectors": [ + "data_exfiltration", + "unauthorized_access", + "privilege_escalation" + ], + "risk_level": "high" + } +} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-mappings.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-mappings.json new file mode 100644 index 00000000..778834d7 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-mappings.json @@ -0,0 +1,5031 @@ +{ + "metadata": { + "description": "AWS Service mappings for CloudFormation resource types and IAM service authorization", + "last_updated": "2025-11-05 18:16:44 UTC", + "total_services": 263, + "usage": "This file maps AWS service IDs to their CloudFormation resource types and IAM service names for documentation collection", + "version": "1.0.0" + }, + "services": { + "accessanalyzer": { + "cloudformation_prefix": "AWS::AccessAnalyzer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AccessAnalyzer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "accessanalyzer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html" + ], + "service_id": "accessanalyzer", + "service_page": "./AWS_AccessAnalyzer.html" + }, + "acmpca": { + "cloudformation_prefix": "AWS::ACMPCA::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ACMPCA.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "acmpca", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonacmpca.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_acmpca.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsacmpca.html" + ], + "service_id": "acmpca", + "service_page": "./AWS_ACMPCA.html" + }, + "aiops": { + "cloudformation_prefix": "AWS::AIOps::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AIOps.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "aiops", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonaiops.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_aiops.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaiops.html" + ], + "service_id": "aiops", + "service_page": "./AWS_AIOps.html" + }, + "amazonmq": { + "cloudformation_prefix": "AWS::AmazonMQ::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AmazonMQ.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amazonmq", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonamazonmq.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamazonmq.html" + ], + "service_id": "amazonmq", + "service_page": "./AWS_AmazonMQ.html" + }, + "amazonq": { + "cloudformation_prefix": "AWS::Q::", + "common_actions": [], + "documentation_urls": [], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amazonq", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html" + ], + "service_id": "amazonq", + "service_page": null + }, + "amplify": { + "cloudformation_prefix": "AWS::Amplify::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Amplify.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amplify", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonamplify.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amplify.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html" + ], + "service_id": "amplify", + "service_page": "./AWS_Amplify.html" + }, + "amplifyuibuilder": { + "cloudformation_prefix": "AWS::AmplifyUIBuilder::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AmplifyUIBuilder.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amplifyuibuilder", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonamplifyuibuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amplifyuibuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyuibuilder.html" + ], + "service_id": "amplifyuibuilder", + "service_page": "./AWS_AmplifyUIBuilder.html" + }, + "apigateway": { + "cloudformation_prefix": "AWS::ApiGateway::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApiGateway.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apigateway", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html" + ], + "service_id": "apigateway", + "service_page": "./AWS_ApiGateway.html" + }, + "apigatewayv2": { + "cloudformation_prefix": "AWS::ApiGatewayV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApiGatewayV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apigateway", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apigateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapigateway.html" + ], + "service_id": "apigatewayv2", + "service_page": "./AWS_ApiGatewayV2.html" + }, + "appconfig": { + "cloudformation_prefix": "AWS::AppConfig::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppConfig.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appconfig", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappconfig.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appconfig.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html" + ], + "service_id": "appconfig", + "service_page": "./AWS_AppConfig.html" + }, + "appflow": { + "cloudformation_prefix": "AWS::AppFlow::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppFlow.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appflow", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appflow.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappflow.html" + ], + "service_id": "appflow", + "service_page": "./AWS_AppFlow.html" + }, + "appintegrations": { + "cloudformation_prefix": "AWS::AppIntegrations::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppIntegrations.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appintegrations", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappintegrations.html" + ], + "service_id": "appintegrations", + "service_page": "./AWS_AppIntegrations.html" + }, + "applicationautoscaling": { + "cloudformation_prefix": "AWS::ApplicationAutoScaling::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApplicationAutoScaling.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "application-autoscaling", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplication-autoscaling.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_application-autoscaling.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplication-autoscaling.html" + ], + "service_id": "applicationautoscaling", + "service_page": "./AWS_ApplicationAutoScaling.html" + }, + "applicationinsights": { + "cloudformation_prefix": "AWS::ApplicationInsights::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApplicationInsights.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "applicationinsights", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplicationinsights.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationinsights.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationinsights.html" + ], + "service_id": "applicationinsights", + "service_page": "./AWS_ApplicationInsights.html" + }, + "applicationsignals": { + "cloudformation_prefix": "AWS::ApplicationSignals::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApplicationSignals.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "applicationsignals", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplicationsignals.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationsignals.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationsignals.html" + ], + "service_id": "applicationsignals", + "service_page": "./AWS_ApplicationSignals.html" + }, + "appmesh": { + "cloudformation_prefix": "AWS::AppMesh::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppMesh.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appmesh", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappmesh.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appmesh.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html" + ], + "service_id": "appmesh", + "service_page": "./AWS_AppMesh.html" + }, + "apprunner": { + "cloudformation_prefix": "AWS::AppRunner::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppRunner.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apprunner", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapprunner.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apprunner.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html" + ], + "service_id": "apprunner", + "service_page": "./AWS_AppRunner.html" + }, + "appstream": { + "cloudformation_prefix": "AWS::AppStream::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppStream.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appstream", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appstream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappstream.html" + ], + "service_id": "appstream", + "service_page": "./AWS_AppStream.html" + }, + "appsync": { + "cloudformation_prefix": "AWS::AppSync::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppSync.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appsync", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappsync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appsync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html" + ], + "service_id": "appsync", + "service_page": "./AWS_AppSync.html" + }, + "apptest": { + "cloudformation_prefix": "AWS::AppTest::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppTest.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apptest", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapptest.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apptest.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapptest.html" + ], + "service_id": "apptest", + "service_page": "./AWS_AppTest.html" + }, + "aps": { + "cloudformation_prefix": "AWS::APS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_APS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "aps", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonaps.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_aps.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaps.html" + ], + "service_id": "aps", + "service_page": "./AWS_APS.html" + }, + "arcregionswitch": { + "cloudformation_prefix": "AWS::ARCRegionSwitch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ARCRegionSwitch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "arcregionswitch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonarcregionswitch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_arcregionswitch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsarcregionswitch.html" + ], + "service_id": "arcregionswitch", + "service_page": "./AWS_ARCRegionSwitch.html" + }, + "arczonalshift": { + "cloudformation_prefix": "AWS::ARCZonalShift::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ARCZonalShift.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "arczonalshift", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonarczonalshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_arczonalshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsarczonalshift.html" + ], + "service_id": "arczonalshift", + "service_page": "./AWS_ARCZonalShift.html" + }, + "athena": { + "cloudformation_prefix": "AWS::Athena::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Athena.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "athena", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_athena.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsathena.html" + ], + "service_id": "athena", + "service_page": "./AWS_Athena.html" + }, + "auditmanager": { + "cloudformation_prefix": "AWS::AuditManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AuditManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "auditmanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonauditmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_auditmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html" + ], + "service_id": "auditmanager", + "service_page": "./AWS_AuditManager.html" + }, + "autoscaling": { + "cloudformation_prefix": "AWS::AutoScaling::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AutoScaling.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "autoscaling", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html" + ], + "service_id": "autoscaling", + "service_page": "./AWS_AutoScaling.html" + }, + "autoscalingplans": { + "cloudformation_prefix": "AWS::AutoScalingPlans::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AutoScalingPlans.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "autoscalingplans", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonautoscalingplans.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_autoscalingplans.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsautoscalingplans.html" + ], + "service_id": "autoscalingplans", + "service_page": "./AWS_AutoScalingPlans.html" + }, + "b2bi": { + "cloudformation_prefix": "AWS::B2BI::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_B2BI.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "b2bi", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonb2bi.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_b2bi.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsb2bi.html" + ], + "service_id": "b2bi", + "service_page": "./AWS_B2BI.html" + }, + "backup": { + "cloudformation_prefix": "AWS::Backup::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Backup.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "backup", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbackup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_backup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html" + ], + "service_id": "backup", + "service_page": "./AWS_Backup.html" + }, + "backupgateway": { + "cloudformation_prefix": "AWS::BackupGateway::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BackupGateway.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "backupgateway", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbackupgateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_backupgateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackupgateway.html" + ], + "service_id": "backupgateway", + "service_page": "./AWS_BackupGateway.html" + }, + "batch": { + "cloudformation_prefix": "AWS::Batch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Batch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "batch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbatch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_batch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html" + ], + "service_id": "batch", + "service_page": "./AWS_Batch.html" + }, + "bcmdataexports": { + "cloudformation_prefix": "AWS::BCMDataExports::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BCMDataExports.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "bcmdataexports", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbcmdataexports.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_bcmdataexports.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbcmdataexports.html" + ], + "service_id": "bcmdataexports", + "service_page": "./AWS_BCMDataExports.html" + }, + "bedrock": { + "cloudformation_prefix": "AWS::Bedrock::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Bedrock.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "bedrock", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_bedrock.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbedrock.html" + ], + "service_id": "bedrock", + "service_page": "./AWS_Bedrock.html" + }, + "bedrockagentcore": { + "cloudformation_prefix": "AWS::BedrockAgentCore::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BedrockAgentCore.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "bedrockagentcore", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_bedrockagentcore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbedrockagentcore.html" + ], + "service_id": "bedrockagentcore", + "service_page": "./AWS_BedrockAgentCore.html" + }, + "billing": { + "cloudformation_prefix": "AWS::Billing::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Billing.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "billing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbilling.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_billing.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbilling.html" + ], + "service_id": "billing", + "service_page": "./AWS_Billing.html" + }, + "billingconductor": { + "cloudformation_prefix": "AWS::BillingConductor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BillingConductor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "billingconductor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbillingconductor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_billingconductor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbillingconductor.html" + ], + "service_id": "billingconductor", + "service_page": "./AWS_BillingConductor.html" + }, + "budgets": { + "cloudformation_prefix": "AWS::Budgets::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Budgets.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "budgets", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbudgets.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_budgets.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgets.html" + ], + "service_id": "budgets", + "service_page": "./AWS_Budgets.html" + }, + "cassandra": { + "cloudformation_prefix": "AWS::Cassandra::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Cassandra.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cassandra", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncassandra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cassandra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscassandra.html" + ], + "service_id": "cassandra", + "service_page": "./AWS_Cassandra.html" + }, + "ce": { + "cloudformation_prefix": "AWS::CE::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CE.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ce", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonce.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ce.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsce.html" + ], + "service_id": "ce", + "service_page": "./AWS_CE.html" + }, + "certificatemanager": { + "cloudformation_prefix": "AWS::CertificateManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CertificateManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "certificatemanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncertificatemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_certificatemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html" + ], + "service_id": "certificatemanager", + "service_page": "./AWS_CertificateManager.html" + }, + "chatbot": { + "cloudformation_prefix": "AWS::Chatbot::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Chatbot.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "chatbot", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchatbot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_chatbot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html" + ], + "service_id": "chatbot", + "service_page": "./AWS_Chatbot.html" + }, + "cleanrooms": { + "cloudformation_prefix": "AWS::CleanRooms::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CleanRooms.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cleanrooms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncleanrooms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cleanrooms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscleanrooms.html" + ], + "service_id": "cleanrooms", + "service_page": "./AWS_CleanRooms.html" + }, + "cleanroomsml": { + "cloudformation_prefix": "AWS::CleanRoomsML::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CleanRoomsML.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cleanroomsml", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncleanroomsml.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cleanroomsml.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscleanroomsml.html" + ], + "service_id": "cleanroomsml", + "service_page": "./AWS_CleanRoomsML.html" + }, + "cloud9": { + "cloudformation_prefix": "AWS::Cloud9::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Cloud9.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloud9", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloud9.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloud9.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html" + ], + "service_id": "cloud9", + "service_page": "./AWS_Cloud9.html" + }, + "cloudformation": { + "cloudformation_prefix": "AWS::CloudFormation::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudFormation.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudformation", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html" + ], + "service_id": "cloudformation", + "service_page": "./AWS_CloudFormation.html" + }, + "cloudfront": { + "cloudformation_prefix": "AWS::CloudFront::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudFront.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudfront", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudfront.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudfront.html" + ], + "service_id": "cloudfront", + "service_page": "./AWS_CloudFront.html" + }, + "cloudtrail": { + "cloudformation_prefix": "AWS::CloudTrail::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudTrail.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudtrail", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudtrail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudtrail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html" + ], + "service_id": "cloudtrail", + "service_page": "./AWS_CloudTrail.html" + }, + "cloudwatch": { + "cloudformation_prefix": "AWS::CloudWatch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudWatch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudwatch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudwatch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudwatch.html" + ], + "service_id": "cloudwatch", + "service_page": "./AWS_CloudWatch.html" + }, + "codeartifact": { + "cloudformation_prefix": "AWS::CodeArtifact::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeArtifact.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codeartifact", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeartifact.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codeartifact.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html" + ], + "service_id": "codeartifact", + "service_page": "./AWS_CodeArtifact.html" + }, + "codebuild": { + "cloudformation_prefix": "AWS::CodeBuild::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeBuild.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codebuild", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodebuild.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codebuild.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html" + ], + "service_id": "codebuild", + "service_page": "./AWS_CodeBuild.html" + }, + "codecommit": { + "cloudformation_prefix": "AWS::CodeCommit::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeCommit.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codecommit", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodecommit.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codecommit.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html" + ], + "service_id": "codecommit", + "service_page": "./AWS_CodeCommit.html" + }, + "codeconnections": { + "cloudformation_prefix": "AWS::CodeConnections::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeConnections.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codeconnections", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codeconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeconnections.html" + ], + "service_id": "codeconnections", + "service_page": "./AWS_CodeConnections.html" + }, + "codedeploy": { + "cloudformation_prefix": "AWS::CodeDeploy::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeDeploy.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codedeploy", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodedeploy.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codedeploy.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html" + ], + "service_id": "codedeploy", + "service_page": "./AWS_CodeDeploy.html" + }, + "codeguruprofiler": { + "cloudformation_prefix": "AWS::CodeGuruProfiler::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeGuruProfiler.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codeguruprofiler", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codeguruprofiler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeguruprofiler.html" + ], + "service_id": "codeguruprofiler", + "service_page": "./AWS_CodeGuruProfiler.html" + }, + "codegurureviewer": { + "cloudformation_prefix": "AWS::CodeGuruReviewer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeGuruReviewer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codegurureviewer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codegurureviewer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodegurureviewer.html" + ], + "service_id": "codegurureviewer", + "service_page": "./AWS_CodeGuruReviewer.html" + }, + "codepipeline": { + "cloudformation_prefix": "AWS::CodePipeline::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodePipeline.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codepipeline", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodepipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codepipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html" + ], + "service_id": "codepipeline", + "service_page": "./AWS_CodePipeline.html" + }, + "codestar": { + "cloudformation_prefix": "AWS::CodeStar::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeStar.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codestar", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodestar.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codestar.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html" + ], + "service_id": "codestar", + "service_page": "./AWS_CodeStar.html" + }, + "codestarconnections": { + "cloudformation_prefix": "AWS::CodeStarConnections::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeStarConnections.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codestarconnections", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodestarconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codestarconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html" + ], + "service_id": "codestarconnections", + "service_page": "./AWS_CodeStarConnections.html" + }, + "codestarnotifications": { + "cloudformation_prefix": "AWS::CodeStarNotifications::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeStarNotifications.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codestarnotifications", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodestarnotifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codestarnotifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html" + ], + "service_id": "codestarnotifications", + "service_page": "./AWS_CodeStarNotifications.html" + }, + "cognito": { + "cloudformation_prefix": "AWS::Cognito::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Cognito.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cognito", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognito.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cognito.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscognito.html" + ], + "service_id": "cognito", + "service_page": "./AWS_Cognito.html" + }, + "comprehend": { + "cloudformation_prefix": "AWS::Comprehend::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Comprehend.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "comprehend", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehend.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_comprehend.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomprehend.html" + ], + "service_id": "comprehend", + "service_page": "./AWS_Comprehend.html" + }, + "config": { + "cloudformation_prefix": "AWS::Config::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Config.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "config", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconfig.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_config.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html" + ], + "service_id": "config", + "service_page": "./AWS_Config.html" + }, + "connect": { + "cloudformation_prefix": "AWS::Connect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Connect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "connect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_connect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnect.html" + ], + "service_id": "connect", + "service_page": "./AWS_Connect.html" + }, + "connectcampaigns": { + "cloudformation_prefix": "AWS::ConnectCampaigns::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ConnectCampaigns.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "connectcampaigns", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcampaigns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_connectcampaigns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectcampaigns.html" + ], + "service_id": "connectcampaigns", + "service_page": "./AWS_ConnectCampaigns.html" + }, + "connectcampaignsv2": { + "cloudformation_prefix": "AWS::ConnectCampaignsV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ConnectCampaignsV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "connectcampaignsv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcampaignsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_connectcampaignsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectcampaignsv2.html" + ], + "service_id": "connectcampaignsv2", + "service_page": "./AWS_ConnectCampaignsV2.html" + }, + "controltower": { + "cloudformation_prefix": "AWS::ControlTower::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ControlTower.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "controltower", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncontroltower.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_controltower.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscontroltower.html" + ], + "service_id": "controltower", + "service_page": "./AWS_ControlTower.html" + }, + "cur": { + "cloudformation_prefix": "AWS::CUR::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CUR.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cur", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncur.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cur.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscur.html" + ], + "service_id": "cur", + "service_page": "./AWS_CUR.html" + }, + "customerprofiles": { + "cloudformation_prefix": "AWS::CustomerProfiles::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CustomerProfiles.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "customerprofiles", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncustomerprofiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_customerprofiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscustomerprofiles.html" + ], + "service_id": "customerprofiles", + "service_page": "./AWS_CustomerProfiles.html" + }, + "databrew": { + "cloudformation_prefix": "AWS::DataBrew::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataBrew.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "databrew", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatabrew.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_databrew.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabrew.html" + ], + "service_id": "databrew", + "service_page": "./AWS_DataBrew.html" + }, + "datapipeline": { + "cloudformation_prefix": "AWS::DataPipeline::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataPipeline.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "datapipeline", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatapipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datapipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html" + ], + "service_id": "datapipeline", + "service_page": "./AWS_DataPipeline.html" + }, + "datasync": { + "cloudformation_prefix": "AWS::DataSync::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataSync.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "datasync", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatasync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datasync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html" + ], + "service_id": "datasync", + "service_page": "./AWS_DataSync.html" + }, + "datazone": { + "cloudformation_prefix": "AWS::DataZone::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataZone.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "datazone", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatazone.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datazone.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatazone.html" + ], + "service_id": "datazone", + "service_page": "./AWS_DataZone.html" + }, + "dax": { + "cloudformation_prefix": "AWS::DAX::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DAX.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dax", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondax.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dax.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdax.html" + ], + "service_id": "dax", + "service_page": "./AWS_DAX.html" + }, + "deadline": { + "cloudformation_prefix": "AWS::Deadline::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Deadline.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "deadline", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondeadline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_deadline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeadline.html" + ], + "service_id": "deadline", + "service_page": "./AWS_Deadline.html" + }, + "detective": { + "cloudformation_prefix": "AWS::Detective::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Detective.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "detective", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_detective.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdetective.html" + ], + "service_id": "detective", + "service_page": "./AWS_Detective.html" + }, + "devicefarm": { + "cloudformation_prefix": "AWS::DeviceFarm::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DeviceFarm.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "devicefarm", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevicefarm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_devicefarm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html" + ], + "service_id": "devicefarm", + "service_page": "./AWS_DeviceFarm.html" + }, + "devopsguru": { + "cloudformation_prefix": "AWS::DevOpsGuru::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DevOpsGuru.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "devopsguru", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_devopsguru.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevopsguru.html" + ], + "service_id": "devopsguru", + "service_page": "./AWS_DevOpsGuru.html" + }, + "directoryservice": { + "cloudformation_prefix": "AWS::DirectoryService::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DirectoryService.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "directoryservice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondirectoryservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_directoryservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html" + ], + "service_id": "directoryservice", + "service_page": "./AWS_DirectoryService.html" + }, + "dlm": { + "cloudformation_prefix": "AWS::DLM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DLM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dlm", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondlm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dlm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdlm.html" + ], + "service_id": "dlm", + "service_page": "./AWS_DLM.html" + }, + "dms": { + "cloudformation_prefix": "AWS::DMS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DMS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdms.html" + ], + "service_id": "dms", + "service_page": "./AWS_DMS.html" + }, + "docdb": { + "cloudformation_prefix": "AWS::DocDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DocDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "docdb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_docdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdocdb.html" + ], + "service_id": "docdb", + "service_page": "./AWS_DocDB.html" + }, + "docdbelastic": { + "cloudformation_prefix": "AWS::DocDBElastic::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DocDBElastic.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "docdbelastic", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocdbelastic.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_docdbelastic.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdocdbelastic.html" + ], + "service_id": "docdbelastic", + "service_page": "./AWS_DocDBElastic.html" + }, + "dsql": { + "cloudformation_prefix": "AWS::DSQL::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DSQL.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dsql", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondsql.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dsql.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdsql.html" + ], + "service_id": "dsql", + "service_page": "./AWS_DSQL.html" + }, + "dynamodb": { + "cloudformation_prefix": "AWS::DynamoDB::", + "common_actions": [ + "CreateTable", + "DeleteTable", + "DescribeTable", + "PutItem", + "GetItem", + "UpdateItem", + "DeleteItem" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DynamoDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dynamodb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dynamodb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdynamodb.html" + ], + "service_id": "dynamodb", + "service_page": "./AWS_DynamoDB.html" + }, + "ec2": { + "cloudformation_prefix": "AWS::EC2::", + "common_actions": [ + "RunInstances", + "TerminateInstances", + "DescribeInstances", + "CreateVpc", + "DeleteVpc" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EC2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ec2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ec2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsec2.html" + ], + "service_id": "ec2", + "service_page": "./AWS_EC2.html" + }, + "ecr": { + "cloudformation_prefix": "AWS::ECR::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ECR.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ecr", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonecr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ecr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsecr.html" + ], + "service_id": "ecr", + "service_page": "./AWS_ECR.html" + }, + "ecs": { + "cloudformation_prefix": "AWS::ECS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ECS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ecs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonecs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ecs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsecs.html" + ], + "service_id": "ecs", + "service_page": "./AWS_ECS.html" + }, + "efs": { + "cloudformation_prefix": "AWS::EFS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EFS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "efs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonefs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_efs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsefs.html" + ], + "service_id": "efs", + "service_page": "./AWS_EFS.html" + }, + "eks": { + "cloudformation_prefix": "AWS::EKS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EKS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "eks", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneks.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_eks.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awseks.html" + ], + "service_id": "eks", + "service_page": "./AWS_EKS.html" + }, + "elasticache": { + "cloudformation_prefix": "AWS::ElastiCache::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElastiCache.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticache", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticache.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticache.html" + ], + "service_id": "elasticache", + "service_page": "./AWS_ElastiCache.html" + }, + "elasticbeanstalk": { + "cloudformation_prefix": "AWS::ElasticBeanstalk::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElasticBeanstalk.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticbeanstalk", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticbeanstalk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticbeanstalk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html" + ], + "service_id": "elasticbeanstalk", + "service_page": "./AWS_ElasticBeanstalk.html" + }, + "elasticloadbalancing": { + "cloudformation_prefix": "AWS::ElasticLoadBalancing::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElasticLoadBalancing.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticloadbalancing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html" + ], + "service_id": "elasticloadbalancing", + "service_page": "./AWS_ElasticLoadBalancing.html" + }, + "elasticloadbalancingv2": { + "cloudformation_prefix": "AWS::ElasticLoadBalancingV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElasticLoadBalancingV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticloadbalancing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html" + ], + "service_id": "elasticloadbalancingv2", + "service_page": "./AWS_ElasticLoadBalancingV2.html" + }, + "elasticsearch": { + "cloudformation_prefix": "AWS::Elasticsearch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Elasticsearch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticsearch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticsearch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticsearch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticsearch.html" + ], + "service_id": "elasticsearch", + "service_page": "./AWS_Elasticsearch.html" + }, + "emr": { + "cloudformation_prefix": "AWS::EMR::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EMR.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "emr", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_emr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsemr.html" + ], + "service_id": "emr", + "service_page": "./AWS_EMR.html" + }, + "emrcontainers": { + "cloudformation_prefix": "AWS::EMRContainers::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EMRContainers.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "emrcontainers", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrcontainers.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_emrcontainers.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsemrcontainers.html" + ], + "service_id": "emrcontainers", + "service_page": "./AWS_EMRContainers.html" + }, + "emrserverless": { + "cloudformation_prefix": "AWS::EMRServerless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EMRServerless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "emrserverless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_emrserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsemrserverless.html" + ], + "service_id": "emrserverless", + "service_page": "./AWS_EMRServerless.html" + }, + "entityresolution": { + "cloudformation_prefix": "AWS::EntityResolution::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EntityResolution.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "entityresolution", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonentityresolution.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_entityresolution.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsentityresolution.html" + ], + "service_id": "entityresolution", + "service_page": "./AWS_EntityResolution.html" + }, + "events": { + "cloudformation_prefix": "AWS::Events::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Events.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "events", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonevents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_events.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsevents.html" + ], + "service_id": "events", + "service_page": "./AWS_Events.html" + }, + "eventschemas": { + "cloudformation_prefix": "AWS::EventSchemas::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EventSchemas.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "eventschemas", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventschemas.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_eventschemas.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awseventschemas.html" + ], + "service_id": "eventschemas", + "service_page": "./AWS_EventSchemas.html" + }, + "evidently": { + "cloudformation_prefix": "AWS::Evidently::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Evidently.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "evidently", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonevidently.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_evidently.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsevidently.html" + ], + "service_id": "evidently", + "service_page": "./AWS_Evidently.html" + }, + "evs": { + "cloudformation_prefix": "AWS::EVS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EVS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "evs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonevs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_evs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsevs.html" + ], + "service_id": "evs", + "service_page": "./AWS_EVS.html" + }, + "finspace": { + "cloudformation_prefix": "AWS::FinSpace::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FinSpace.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "finspace", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfinspace.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_finspace.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfinspace.html" + ], + "service_id": "finspace", + "service_page": "./AWS_FinSpace.html" + }, + "fis": { + "cloudformation_prefix": "AWS::FIS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FIS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "fis", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfis.html" + ], + "service_id": "fis", + "service_page": "./AWS_FIS.html" + }, + "fms": { + "cloudformation_prefix": "AWS::FMS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FMS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "fms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfms.html" + ], + "service_id": "fms", + "service_page": "./AWS_FMS.html" + }, + "forecast": { + "cloudformation_prefix": "AWS::Forecast::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Forecast.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "forecast", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonforecast.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_forecast.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsforecast.html" + ], + "service_id": "forecast", + "service_page": "./AWS_Forecast.html" + }, + "frauddetector": { + "cloudformation_prefix": "AWS::FraudDetector::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FraudDetector.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "frauddetector", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_frauddetector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfrauddetector.html" + ], + "service_id": "frauddetector", + "service_page": "./AWS_FraudDetector.html" + }, + "fsx": { + "cloudformation_prefix": "AWS::FSx::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FSx.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "fsx", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fsx.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfsx.html" + ], + "service_id": "fsx", + "service_page": "./AWS_FSx.html" + }, + "gamelift": { + "cloudformation_prefix": "AWS::GameLift::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GameLift.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "gamelift", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_gamelift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgamelift.html" + ], + "service_id": "gamelift", + "service_page": "./AWS_GameLift.html" + }, + "gameliftstreams": { + "cloudformation_prefix": "AWS::GameLiftStreams::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GameLiftStreams.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "gameliftstreams", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongameliftstreams.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_gameliftstreams.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgameliftstreams.html" + ], + "service_id": "gameliftstreams", + "service_page": "./AWS_GameLiftStreams.html" + }, + "globalaccelerator": { + "cloudformation_prefix": "AWS::GlobalAccelerator::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GlobalAccelerator.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "globalaccelerator", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonglobalaccelerator.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_globalaccelerator.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglobalaccelerator.html" + ], + "service_id": "globalaccelerator", + "service_page": "./AWS_GlobalAccelerator.html" + }, + "glue": { + "cloudformation_prefix": "AWS::Glue::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Glue.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "glue", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonglue.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_glue.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html" + ], + "service_id": "glue", + "service_page": "./AWS_Glue.html" + }, + "grafana": { + "cloudformation_prefix": "AWS::Grafana::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Grafana.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "grafana", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongrafana.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_grafana.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgrafana.html" + ], + "service_id": "grafana", + "service_page": "./AWS_Grafana.html" + }, + "greengrass": { + "cloudformation_prefix": "AWS::Greengrass::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Greengrass.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "greengrass", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongreengrass.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_greengrass.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgreengrass.html" + ], + "service_id": "greengrass", + "service_page": "./AWS_Greengrass.html" + }, + "greengrassv2": { + "cloudformation_prefix": "AWS::GreengrassV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GreengrassV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "greengrassv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongreengrassv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_greengrassv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgreengrassv2.html" + ], + "service_id": "greengrassv2", + "service_page": "./AWS_GreengrassV2.html" + }, + "groundstation": { + "cloudformation_prefix": "AWS::GroundStation::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GroundStation.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "groundstation", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongroundstation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_groundstation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html" + ], + "service_id": "groundstation", + "service_page": "./AWS_GroundStation.html" + }, + "guardduty": { + "cloudformation_prefix": "AWS::GuardDuty::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GuardDuty.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "guardduty", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_guardduty.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsguardduty.html" + ], + "service_id": "guardduty", + "service_page": "./AWS_GuardDuty.html" + }, + "healthimaging": { + "cloudformation_prefix": "AWS::HealthImaging::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_HealthImaging.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "healthimaging", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthimaging.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_healthimaging.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html" + ], + "service_id": "healthimaging", + "service_page": "./AWS_HealthImaging.html" + }, + "healthlake": { + "cloudformation_prefix": "AWS::HealthLake::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_HealthLake.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "healthlake", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_healthlake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html" + ], + "service_id": "healthlake", + "service_page": "./AWS_HealthLake.html" + }, + "iam": { + "cloudformation_prefix": "AWS::IAM::", + "common_actions": [ + "CreateRole", + "DeleteRole", + "AttachRolePolicy", + "DetachRolePolicy", + "CreatePolicy" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IAM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iam", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiam.html" + ], + "service_id": "iam", + "service_page": "./AWS_IAM.html" + }, + "identitystore": { + "cloudformation_prefix": "AWS::IdentityStore::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IdentityStore.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "identitystore", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonidentitystore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_identitystore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html" + ], + "service_id": "identitystore", + "service_page": "./AWS_IdentityStore.html" + }, + "imagebuilder": { + "cloudformation_prefix": "AWS::ImageBuilder::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ImageBuilder.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "imagebuilder", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonimagebuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_imagebuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsimagebuilder.html" + ], + "service_id": "imagebuilder", + "service_page": "./AWS_ImageBuilder.html" + }, + "inspector": { + "cloudformation_prefix": "AWS::Inspector::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Inspector.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "inspector", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_inspector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinspector.html" + ], + "service_id": "inspector", + "service_page": "./AWS_Inspector.html" + }, + "inspectorv2": { + "cloudformation_prefix": "AWS::InspectorV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_InspectorV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "inspectorv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspectorv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_inspectorv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinspectorv2.html" + ], + "service_id": "inspectorv2", + "service_page": "./AWS_InspectorV2.html" + }, + "internetmonitor": { + "cloudformation_prefix": "AWS::InternetMonitor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_InternetMonitor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "internetmonitor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninternetmonitor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_internetmonitor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinternetmonitor.html" + ], + "service_id": "internetmonitor", + "service_page": "./AWS_InternetMonitor.html" + }, + "invoicing": { + "cloudformation_prefix": "AWS::Invoicing::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Invoicing.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "invoicing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninvoicing.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_invoicing.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinvoicing.html" + ], + "service_id": "invoicing", + "service_page": "./AWS_Invoicing.html" + }, + "iot": { + "cloudformation_prefix": "AWS::IoT::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoT.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iot", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html" + ], + "service_id": "iot", + "service_page": "./AWS_IoT.html" + }, + "iotanalytics": { + "cloudformation_prefix": "AWS::IoTAnalytics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTAnalytics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotanalytics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html" + ], + "service_id": "iotanalytics", + "service_page": "./AWS_IoTAnalytics.html" + }, + "iotcoredeviceadvisor": { + "cloudformation_prefix": "AWS::IoTCoreDeviceAdvisor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTCoreDeviceAdvisor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotcoredeviceadvisor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotcoredeviceadvisor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotcoredeviceadvisor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html" + ], + "service_id": "iotcoredeviceadvisor", + "service_page": "./AWS_IoTCoreDeviceAdvisor.html" + }, + "iotevents": { + "cloudformation_prefix": "AWS::IoTEvents::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTEvents.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotevents", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotevents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotevents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html" + ], + "service_id": "iotevents", + "service_page": "./AWS_IoTEvents.html" + }, + "iotfleethub": { + "cloudformation_prefix": "AWS::IoTFleetHub::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTFleetHub.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotfleethub", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotfleethub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotfleethub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleethub.html" + ], + "service_id": "iotfleethub", + "service_page": "./AWS_IoTFleetHub.html" + }, + "iotfleetwise": { + "cloudformation_prefix": "AWS::IoTFleetWise::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTFleetWise.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotfleetwise", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotfleetwise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotfleetwise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html" + ], + "service_id": "iotfleetwise", + "service_page": "./AWS_IoTFleetWise.html" + }, + "iotmanagedintegrations": { + "cloudformation_prefix": "AWS::IoTManagedIntegrations::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTManagedIntegrations.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotmanagedintegrations", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotmanagedintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotmanagedintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html" + ], + "service_id": "iotmanagedintegrations", + "service_page": "./AWS_IoTManagedIntegrations.html" + }, + "iotsitewise": { + "cloudformation_prefix": "AWS::IoTSiteWise::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTSiteWise.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotsitewise", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotsitewise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotsitewise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html" + ], + "service_id": "iotsitewise", + "service_page": "./AWS_IoTSiteWise.html" + }, + "iottwinmaker": { + "cloudformation_prefix": "AWS::IoTTwinMaker::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTTwinMaker.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iottwinmaker", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniottwinmaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iottwinmaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html" + ], + "service_id": "iottwinmaker", + "service_page": "./AWS_IoTTwinMaker.html" + }, + "iotwireless": { + "cloudformation_prefix": "AWS::IoTWireless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTWireless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotwireless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotwireless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotwireless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html" + ], + "service_id": "iotwireless", + "service_page": "./AWS_IoTWireless.html" + }, + "ivs": { + "cloudformation_prefix": "AWS::IVS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IVS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ivs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonivs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ivs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsivs.html" + ], + "service_id": "ivs", + "service_page": "./AWS_IVS.html" + }, + "ivschat": { + "cloudformation_prefix": "AWS::IVSChat::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IVSChat.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ivschat", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonivschat.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ivschat.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsivschat.html" + ], + "service_id": "ivschat", + "service_page": "./AWS_IVSChat.html" + }, + "kafkaconnect": { + "cloudformation_prefix": "AWS::KafkaConnect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KafkaConnect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kafkaconnect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkafkaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kafkaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskafkaconnect.html" + ], + "service_id": "kafkaconnect", + "service_page": "./AWS_KafkaConnect.html" + }, + "kendra": { + "cloudformation_prefix": "AWS::Kendra::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Kendra.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kendra", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kendra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskendra.html" + ], + "service_id": "kendra", + "service_page": "./AWS_Kendra.html" + }, + "kendraranking": { + "cloudformation_prefix": "AWS::KendraRanking::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KendraRanking.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kendraranking", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendraranking.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kendraranking.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskendraranking.html" + ], + "service_id": "kendraranking", + "service_page": "./AWS_KendraRanking.html" + }, + "kinesis": { + "cloudformation_prefix": "AWS::Kinesis::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Kinesis.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesis", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesis.html" + ], + "service_id": "kinesis", + "service_page": "./AWS_Kinesis.html" + }, + "kinesisanalytics": { + "cloudformation_prefix": "AWS::KinesisAnalytics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisAnalytics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisanalytics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisanalytics.html" + ], + "service_id": "kinesisanalytics", + "service_page": "./AWS_KinesisAnalytics.html" + }, + "kinesisanalyticsv2": { + "cloudformation_prefix": "AWS::KinesisAnalyticsV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisAnalyticsV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisanalyticsv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisanalyticsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisanalyticsv2.html" + ], + "service_id": "kinesisanalyticsv2", + "service_page": "./AWS_KinesisAnalyticsV2.html" + }, + "kinesisfirehose": { + "cloudformation_prefix": "AWS::KinesisFirehose::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisFirehose.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisfirehose", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisfirehose.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisfirehose.html" + ], + "service_id": "kinesisfirehose", + "service_page": "./AWS_KinesisFirehose.html" + }, + "kinesisvideo": { + "cloudformation_prefix": "AWS::KinesisVideo::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisVideo.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisvideo", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisvideo.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisvideo.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisvideo.html" + ], + "service_id": "kinesisvideo", + "service_page": "./AWS_KinesisVideo.html" + }, + "kms": { + "cloudformation_prefix": "AWS::KMS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KMS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskms.html" + ], + "service_id": "kms", + "service_page": "./AWS_KMS.html" + }, + "lakeformation": { + "cloudformation_prefix": "AWS::LakeFormation::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LakeFormation.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lakeformation", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlakeformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lakeformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslakeformation.html" + ], + "service_id": "lakeformation", + "service_page": "./AWS_LakeFormation.html" + }, + "lambda": { + "cloudformation_prefix": "AWS::Lambda::", + "common_actions": [ + "CreateFunction", + "DeleteFunction", + "InvokeFunction", + "UpdateFunctionCode", + "GetFunction" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Lambda.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lambda", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html" + ], + "service_id": "lambda", + "service_page": "./AWS_Lambda.html" + }, + "launchwizard": { + "cloudformation_prefix": "AWS::LaunchWizard::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LaunchWizard.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "launchwizard", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlaunchwizard.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_launchwizard.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslaunchwizard.html" + ], + "service_id": "launchwizard", + "service_page": "./AWS_LaunchWizard.html" + }, + "lex": { + "cloudformation_prefix": "AWS::Lex::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Lex.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lex", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lex.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslex.html" + ], + "service_id": "lex", + "service_page": "./AWS_Lex.html" + }, + "licensemanager": { + "cloudformation_prefix": "AWS::LicenseManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LicenseManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "licensemanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlicensemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_licensemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html" + ], + "service_id": "licensemanager", + "service_page": "./AWS_LicenseManager.html" + }, + "lightsail": { + "cloudformation_prefix": "AWS::Lightsail::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Lightsail.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lightsail", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lightsail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslightsail.html" + ], + "service_id": "lightsail", + "service_page": "./AWS_Lightsail.html" + }, + "location": { + "cloudformation_prefix": "AWS::Location::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Location.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "location", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_location.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslocation.html" + ], + "service_id": "location", + "service_page": "./AWS_Location.html" + }, + "logs": { + "cloudformation_prefix": "AWS::Logs::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Logs.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "logs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlogs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_logs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslogs.html" + ], + "service_id": "logs", + "service_page": "./AWS_Logs.html" + }, + "lookoutequipment": { + "cloudformation_prefix": "AWS::LookoutEquipment::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LookoutEquipment.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lookoutequipment", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutequipment.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lookoutequipment.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslookoutequipment.html" + ], + "service_id": "lookoutequipment", + "service_page": "./AWS_LookoutEquipment.html" + }, + "lookoutmetrics": { + "cloudformation_prefix": "AWS::LookoutMetrics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LookoutMetrics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lookoutmetrics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutmetrics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lookoutmetrics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslookoutmetrics.html" + ], + "service_id": "lookoutmetrics", + "service_page": "./AWS_LookoutMetrics.html" + }, + "lookoutvision": { + "cloudformation_prefix": "AWS::LookoutVision::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LookoutVision.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lookoutvision", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutvision.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lookoutvision.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslookoutvision.html" + ], + "service_id": "lookoutvision", + "service_page": "./AWS_LookoutVision.html" + }, + "m2": { + "cloudformation_prefix": "AWS::M2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_M2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "m2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonm2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_m2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsm2.html" + ], + "service_id": "m2", + "service_page": "./AWS_M2.html" + }, + "macie": { + "cloudformation_prefix": "AWS::Macie::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Macie.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "macie", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacie.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_macie.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmacie.html" + ], + "service_id": "macie", + "service_page": "./AWS_Macie.html" + }, + "managedblockchain": { + "cloudformation_prefix": "AWS::ManagedBlockchain::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ManagedBlockchain.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "managedblockchain", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_managedblockchain.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmanagedblockchain.html" + ], + "service_id": "managedblockchain", + "service_page": "./AWS_ManagedBlockchain.html" + }, + "mediaconnect": { + "cloudformation_prefix": "AWS::MediaConnect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaConnect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediaconnect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediaconnect.html" + ], + "service_id": "mediaconnect", + "service_page": "./AWS_MediaConnect.html" + }, + "mediaconvert": { + "cloudformation_prefix": "AWS::MediaConvert::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaConvert.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediaconvert", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediaconvert.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediaconvert.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediaconvert.html" + ], + "service_id": "mediaconvert", + "service_page": "./AWS_MediaConvert.html" + }, + "medialive": { + "cloudformation_prefix": "AWS::MediaLive::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaLive.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "medialive", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmedialive.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_medialive.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmedialive.html" + ], + "service_id": "medialive", + "service_page": "./AWS_MediaLive.html" + }, + "mediapackage": { + "cloudformation_prefix": "AWS::MediaPackage::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaPackage.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediapackage", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediapackage.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediapackage.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediapackage.html" + ], + "service_id": "mediapackage", + "service_page": "./AWS_MediaPackage.html" + }, + "mediapackagev2": { + "cloudformation_prefix": "AWS::MediaPackageV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaPackageV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediapackagev2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediapackagev2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediapackagev2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediapackagev2.html" + ], + "service_id": "mediapackagev2", + "service_page": "./AWS_MediaPackageV2.html" + }, + "mediastore": { + "cloudformation_prefix": "AWS::MediaStore::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaStore.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediastore", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediastore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediastore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediastore.html" + ], + "service_id": "mediastore", + "service_page": "./AWS_MediaStore.html" + }, + "mediatailor": { + "cloudformation_prefix": "AWS::MediaTailor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaTailor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediatailor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediatailor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediatailor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediatailor.html" + ], + "service_id": "mediatailor", + "service_page": "./AWS_MediaTailor.html" + }, + "memorydb": { + "cloudformation_prefix": "AWS::MemoryDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MemoryDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "memorydb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmemorydb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_memorydb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmemorydb.html" + ], + "service_id": "memorydb", + "service_page": "./AWS_MemoryDB.html" + }, + "mpa": { + "cloudformation_prefix": "AWS::MPA::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MPA.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mpa", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmpa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mpa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmpa.html" + ], + "service_id": "mpa", + "service_page": "./AWS_MPA.html" + }, + "msk": { + "cloudformation_prefix": "AWS::MSK::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MSK.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "msk", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmsk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_msk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmsk.html" + ], + "service_id": "msk", + "service_page": "./AWS_MSK.html" + }, + "mwaa": { + "cloudformation_prefix": "AWS::MWAA::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MWAA.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mwaa", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmwaa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mwaa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmwaa.html" + ], + "service_id": "mwaa", + "service_page": "./AWS_MWAA.html" + }, + "neptune": { + "cloudformation_prefix": "AWS::Neptune::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Neptune.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "neptune", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_neptune.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsneptune.html" + ], + "service_id": "neptune", + "service_page": "./AWS_Neptune.html" + }, + "neptunegraph": { + "cloudformation_prefix": "AWS::NeptuneGraph::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NeptuneGraph.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "neptunegraph", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptunegraph.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_neptunegraph.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsneptunegraph.html" + ], + "service_id": "neptunegraph", + "service_page": "./AWS_NeptuneGraph.html" + }, + "networkfirewall": { + "cloudformation_prefix": "AWS::NetworkFirewall::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NetworkFirewall.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "networkfirewall", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnetworkfirewall.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkfirewall.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html" + ], + "service_id": "networkfirewall", + "service_page": "./AWS_NetworkFirewall.html" + }, + "networkmanager": { + "cloudformation_prefix": "AWS::NetworkManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NetworkManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "networkmanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnetworkmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkmanager.html" + ], + "service_id": "networkmanager", + "service_page": "./AWS_NetworkManager.html" + }, + "notifications": { + "cloudformation_prefix": "AWS::Notifications::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Notifications.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "notifications", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnotifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_notifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnotifications.html" + ], + "service_id": "notifications", + "service_page": "./AWS_Notifications.html" + }, + "notificationscontacts": { + "cloudformation_prefix": "AWS::NotificationsContacts::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NotificationsContacts.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "notificationscontacts", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnotificationscontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_notificationscontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnotificationscontacts.html" + ], + "service_id": "notificationscontacts", + "service_page": "./AWS_NotificationsContacts.html" + }, + "oam": { + "cloudformation_prefix": "AWS::Oam::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Oam.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "oam", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonoam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_oam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoam.html" + ], + "service_id": "oam", + "service_page": "./AWS_Oam.html" + }, + "observabilityadmin": { + "cloudformation_prefix": "AWS::ObservabilityAdmin::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ObservabilityAdmin.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "observabilityadmin", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonobservabilityadmin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_observabilityadmin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsobservabilityadmin.html" + ], + "service_id": "observabilityadmin", + "service_page": "./AWS_ObservabilityAdmin.html" + }, + "odb": { + "cloudformation_prefix": "AWS::ODB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ODB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "odb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonodb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_odb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsodb.html" + ], + "service_id": "odb", + "service_page": "./AWS_ODB.html" + }, + "omics": { + "cloudformation_prefix": "AWS::Omics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Omics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "omics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonomics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_omics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsomics.html" + ], + "service_id": "omics", + "service_page": "./AWS_Omics.html" + }, + "opensearchserverless": { + "cloudformation_prefix": "AWS::OpenSearchServerless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_OpenSearchServerless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "opensearchserverless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_opensearchserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopensearchserverless.html" + ], + "service_id": "opensearchserverless", + "service_page": "./AWS_OpenSearchServerless.html" + }, + "opensearchservice": { + "cloudformation_prefix": "AWS::OpenSearchService::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_OpenSearchService.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "opensearchservice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_opensearchservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopensearchservice.html" + ], + "service_id": "opensearchservice", + "service_page": "./AWS_OpenSearchService.html" + }, + "organizations": { + "cloudformation_prefix": "AWS::Organizations::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Organizations.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "organizations", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonorganizations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_organizations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html" + ], + "service_id": "organizations", + "service_page": "./AWS_Organizations.html" + }, + "osis": { + "cloudformation_prefix": "AWS::OSIS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_OSIS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "osis", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonosis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_osis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsosis.html" + ], + "service_id": "osis", + "service_page": "./AWS_OSIS.html" + }, + "panorama": { + "cloudformation_prefix": "AWS::Panorama::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Panorama.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "panorama", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpanorama.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_panorama.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html" + ], + "service_id": "panorama", + "service_page": "./AWS_Panorama.html" + }, + "paymentcryptography": { + "cloudformation_prefix": "AWS::PaymentCryptography::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PaymentCryptography.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "paymentcryptography", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpaymentcryptography.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_paymentcryptography.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html" + ], + "service_id": "paymentcryptography", + "service_page": "./AWS_PaymentCryptography.html" + }, + "pcaconnectorad": { + "cloudformation_prefix": "AWS::PCAConnectorAD::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PCAConnectorAD.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pcaconnectorad", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpcaconnectorad.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pcaconnectorad.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspcaconnectorad.html" + ], + "service_id": "pcaconnectorad", + "service_page": "./AWS_PCAConnectorAD.html" + }, + "pcaconnectorscep": { + "cloudformation_prefix": "AWS::PCAConnectorSCEP::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PCAConnectorSCEP.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pcaconnectorscep", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpcaconnectorscep.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pcaconnectorscep.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspcaconnectorscep.html" + ], + "service_id": "pcaconnectorscep", + "service_page": "./AWS_PCAConnectorSCEP.html" + }, + "pcs": { + "cloudformation_prefix": "AWS::PCS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PCS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pcs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpcs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pcs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspcs.html" + ], + "service_id": "pcs", + "service_page": "./AWS_PCS.html" + }, + "personalize": { + "cloudformation_prefix": "AWS::Personalize::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Personalize.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "personalize", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpersonalize.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_personalize.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspersonalize.html" + ], + "service_id": "personalize", + "service_page": "./AWS_Personalize.html" + }, + "pinpoint": { + "cloudformation_prefix": "AWS::Pinpoint::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Pinpoint.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pinpoint", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pinpoint.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspinpoint.html" + ], + "service_id": "pinpoint", + "service_page": "./AWS_Pinpoint.html" + }, + "pinpointemail": { + "cloudformation_prefix": "AWS::PinpointEmail::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PinpointEmail.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pinpointemail", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointemail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pinpointemail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspinpointemail.html" + ], + "service_id": "pinpointemail", + "service_page": "./AWS_PinpointEmail.html" + }, + "pipes": { + "cloudformation_prefix": "AWS::Pipes::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Pipes.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pipes", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpipes.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pipes.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspipes.html" + ], + "service_id": "pipes", + "service_page": "./AWS_Pipes.html" + }, + "proton": { + "cloudformation_prefix": "AWS::Proton::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Proton.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "proton", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonproton.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_proton.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html" + ], + "service_id": "proton", + "service_page": "./AWS_Proton.html" + }, + "q": { + "cloudformation_prefix": "AWS::Q::", + "common_actions": [], + "documentation_urls": [], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "q", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html" + ], + "service_id": "q", + "service_page": null + }, + "qbusiness": { + "cloudformation_prefix": "AWS::QBusiness::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_QBusiness.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "qbusiness", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqbusiness.html" + ], + "service_id": "qbusiness", + "service_page": "./AWS_QBusiness.html" + }, + "qldb": { + "cloudformation_prefix": "AWS::QLDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_QLDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "qldb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_qldb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsqldb.html" + ], + "service_id": "qldb", + "service_page": "./AWS_QLDB.html" + }, + "quicksight": { + "cloudformation_prefix": "AWS::QuickSight::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_QuickSight.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "quicksight", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_quicksight.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsquicksight.html" + ], + "service_id": "quicksight", + "service_page": "./AWS_QuickSight.html" + }, + "ram": { + "cloudformation_prefix": "AWS::RAM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RAM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ram", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonram.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ram.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsram.html" + ], + "service_id": "ram", + "service_page": "./AWS_RAM.html" + }, + "rbin": { + "cloudformation_prefix": "AWS::Rbin::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Rbin.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rbin", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrbin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rbin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrbin.html" + ], + "service_id": "rbin", + "service_page": "./AWS_Rbin.html" + }, + "rds": { + "cloudformation_prefix": "AWS::RDS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RDS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rds", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rds.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrds.html" + ], + "service_id": "rds", + "service_page": "./AWS_RDS.html" + }, + "redshift": { + "cloudformation_prefix": "AWS::Redshift::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Redshift.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "redshift", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_redshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsredshift.html" + ], + "service_id": "redshift", + "service_page": "./AWS_Redshift.html" + }, + "redshiftserverless": { + "cloudformation_prefix": "AWS::RedshiftServerless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RedshiftServerless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "redshiftserverless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_redshiftserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsredshiftserverless.html" + ], + "service_id": "redshiftserverless", + "service_page": "./AWS_RedshiftServerless.html" + }, + "refactorspaces": { + "cloudformation_prefix": "AWS::RefactorSpaces::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RefactorSpaces.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "refactorspaces", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrefactorspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_refactorspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrefactorspaces.html" + ], + "service_id": "refactorspaces", + "service_page": "./AWS_RefactorSpaces.html" + }, + "rekognition": { + "cloudformation_prefix": "AWS::Rekognition::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Rekognition.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rekognition", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rekognition.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrekognition.html" + ], + "service_id": "rekognition", + "service_page": "./AWS_Rekognition.html" + }, + "resiliencehub": { + "cloudformation_prefix": "AWS::ResilienceHub::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ResilienceHub.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "resiliencehub", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresiliencehub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_resiliencehub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresiliencehub.html" + ], + "service_id": "resiliencehub", + "service_page": "./AWS_ResilienceHub.html" + }, + "resourceexplorer2": { + "cloudformation_prefix": "AWS::ResourceExplorer2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ResourceExplorer2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "resourceexplorer2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourceexplorer2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_resourceexplorer2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer2.html" + ], + "service_id": "resourceexplorer2", + "service_page": "./AWS_ResourceExplorer2.html" + }, + "resourcegroups": { + "cloudformation_prefix": "AWS::ResourceGroups::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ResourceGroups.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "resourcegroups", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegroups.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_resourcegroups.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html" + ], + "service_id": "resourcegroups", + "service_page": "./AWS_ResourceGroups.html" + }, + "rolesanywhere": { + "cloudformation_prefix": "AWS::RolesAnywhere::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RolesAnywhere.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rolesanywhere", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrolesanywhere.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rolesanywhere.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrolesanywhere.html" + ], + "service_id": "rolesanywhere", + "service_page": "./AWS_RolesAnywhere.html" + }, + "route53": { + "cloudformation_prefix": "AWS::Route53::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53.html" + ], + "service_id": "route53", + "service_page": "./AWS_Route53.html" + }, + "route53profiles": { + "cloudformation_prefix": "AWS::Route53Profiles::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53Profiles.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53profiles", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53profiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53profiles.html" + ], + "service_id": "route53profiles", + "service_page": "./AWS_Route53Profiles.html" + }, + "route53recoverycontrol": { + "cloudformation_prefix": "AWS::Route53RecoveryControl::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53RecoveryControl.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53recoverycontrol", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoverycontrol.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53recoverycontrol.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53recoverycontrol.html" + ], + "service_id": "route53recoverycontrol", + "service_page": "./AWS_Route53RecoveryControl.html" + }, + "route53recoveryreadiness": { + "cloudformation_prefix": "AWS::Route53RecoveryReadiness::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53RecoveryReadiness.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53recoveryreadiness", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoveryreadiness.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53recoveryreadiness.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53recoveryreadiness.html" + ], + "service_id": "route53recoveryreadiness", + "service_page": "./AWS_Route53RecoveryReadiness.html" + }, + "route53resolver": { + "cloudformation_prefix": "AWS::Route53Resolver::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53Resolver.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53resolver", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53resolver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53resolver.html" + ], + "service_id": "route53resolver", + "service_page": "./AWS_Route53Resolver.html" + }, + "rtbfabric": { + "cloudformation_prefix": "AWS::RTBFabric::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RTBFabric.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rtbfabric", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrtbfabric.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rtbfabric.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrtbfabric.html" + ], + "service_id": "rtbfabric", + "service_page": "./AWS_RTBFabric.html" + }, + "rum": { + "cloudformation_prefix": "AWS::RUM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RUM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rum", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrum.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rum.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrum.html" + ], + "service_id": "rum", + "service_page": "./AWS_RUM.html" + }, + "s3": { + "cloudformation_prefix": "AWS::S3::", + "common_actions": [ + "CreateBucket", + "DeleteBucket", + "GetObject", + "PutObject", + "DeleteObject", + "ListBucket" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3.html" + ], + "service_id": "s3", + "service_page": "./AWS_S3.html" + }, + "s3express": { + "cloudformation_prefix": "AWS::S3Express::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Express.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3express", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3express.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3express.html" + ], + "service_id": "s3express", + "service_page": "./AWS_S3Express.html" + }, + "s3objectlambda": { + "cloudformation_prefix": "AWS::S3ObjectLambda::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3ObjectLambda.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3objectlambda", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3objectlambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3objectlambda.html" + ], + "service_id": "s3objectlambda", + "service_page": "./AWS_S3ObjectLambda.html" + }, + "s3outposts": { + "cloudformation_prefix": "AWS::S3Outposts::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Outposts.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3outposts", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3outposts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3outposts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3outposts.html" + ], + "service_id": "s3outposts", + "service_page": "./AWS_S3Outposts.html" + }, + "s3tables": { + "cloudformation_prefix": "AWS::S3Tables::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Tables.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3tables", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3tables.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3tables.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3tables.html" + ], + "service_id": "s3tables", + "service_page": "./AWS_S3Tables.html" + }, + "s3vectors": { + "cloudformation_prefix": "AWS::S3Vectors::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Vectors.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3vectors", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3vectors.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3vectors.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3vectors.html" + ], + "service_id": "s3vectors", + "service_page": "./AWS_S3Vectors.html" + }, + "sagemaker": { + "cloudformation_prefix": "AWS::SageMaker::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SageMaker.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sagemaker", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sagemaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssagemaker.html" + ], + "service_id": "sagemaker", + "service_page": "./AWS_SageMaker.html" + }, + "scheduler": { + "cloudformation_prefix": "AWS::Scheduler::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Scheduler.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "scheduler", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonscheduler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_scheduler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsscheduler.html" + ], + "service_id": "scheduler", + "service_page": "./AWS_Scheduler.html" + }, + "sdb": { + "cloudformation_prefix": "AWS::SDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sdb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssdb.html" + ], + "service_id": "sdb", + "service_page": "./AWS_SDB.html" + }, + "secretsmanager": { + "cloudformation_prefix": "AWS::SecretsManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SecretsManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "secretsmanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecretsmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_secretsmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html" + ], + "service_id": "secretsmanager", + "service_page": "./AWS_SecretsManager.html" + }, + "securityhub": { + "cloudformation_prefix": "AWS::SecurityHub::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SecurityHub.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "securityhub", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecurityhub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_securityhub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html" + ], + "service_id": "securityhub", + "service_page": "./AWS_SecurityHub.html" + }, + "securitylake": { + "cloudformation_prefix": "AWS::SecurityLake::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SecurityLake.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "securitylake", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecuritylake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_securitylake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritylake.html" + ], + "service_id": "securitylake", + "service_page": "./AWS_SecurityLake.html" + }, + "servicecatalog": { + "cloudformation_prefix": "AWS::ServiceCatalog::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ServiceCatalog.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "servicecatalog", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonservicecatalog.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicecatalog.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html" + ], + "service_id": "servicecatalog", + "service_page": "./AWS_ServiceCatalog.html" + }, + "servicecatalogappregistry": { + "cloudformation_prefix": "AWS::ServiceCatalogAppRegistry::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ServiceCatalogAppRegistry.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "servicecatalogappregistry", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonservicecatalogappregistry.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicecatalogappregistry.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalogappregistry.html" + ], + "service_id": "servicecatalogappregistry", + "service_page": "./AWS_ServiceCatalogAppRegistry.html" + }, + "servicediscovery": { + "cloudformation_prefix": "AWS::ServiceDiscovery::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ServiceDiscovery.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "servicediscovery", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonservicediscovery.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicediscovery.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicediscovery.html" + ], + "service_id": "servicediscovery", + "service_page": "./AWS_ServiceDiscovery.html" + }, + "ses": { + "cloudformation_prefix": "AWS::SES::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SES.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ses", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ses.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsses.html" + ], + "service_id": "ses", + "service_page": "./AWS_SES.html" + }, + "shield": { + "cloudformation_prefix": "AWS::Shield::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Shield.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "shield", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonshield.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_shield.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html" + ], + "service_id": "shield", + "service_page": "./AWS_Shield.html" + }, + "signer": { + "cloudformation_prefix": "AWS::Signer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Signer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "signer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsigner.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_signer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html" + ], + "service_id": "signer", + "service_page": "./AWS_Signer.html" + }, + "simspaceweaver": { + "cloudformation_prefix": "AWS::SimSpaceWeaver::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SimSpaceWeaver.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "simspaceweaver", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimspaceweaver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_simspaceweaver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssimspaceweaver.html" + ], + "service_id": "simspaceweaver", + "service_page": "./AWS_SimSpaceWeaver.html" + }, + "smsvoice": { + "cloudformation_prefix": "AWS::SMSVOICE::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SMSVOICE.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "smsvoice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsmsvoice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_smsvoice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssmsvoice.html" + ], + "service_id": "smsvoice", + "service_page": "./AWS_SMSVOICE.html" + }, + "sns": { + "cloudformation_prefix": "AWS::SNS::", + "common_actions": [ + "CreateTopic", + "DeleteTopic", + "Publish", + "Subscribe", + "Unsubscribe" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SNS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sns", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssns.html" + ], + "service_id": "sns", + "service_page": "./AWS_SNS.html" + }, + "sqs": { + "cloudformation_prefix": "AWS::SQS::", + "common_actions": [ + "CreateQueue", + "DeleteQueue", + "SendMessage", + "ReceiveMessage", + "DeleteMessage" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SQS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sqs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sqs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssqs.html" + ], + "service_id": "sqs", + "service_page": "./AWS_SQS.html" + }, + "ssm": { + "cloudformation_prefix": "AWS::SSM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssm", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssm.html" + ], + "service_id": "ssm", + "service_page": "./AWS_SSM.html" + }, + "ssmcontacts": { + "cloudformation_prefix": "AWS::SSMContacts::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMContacts.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmcontacts", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmcontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmcontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmcontacts.html" + ], + "service_id": "ssmcontacts", + "service_page": "./AWS_SSMContacts.html" + }, + "ssmguiconnect": { + "cloudformation_prefix": "AWS::SSMGuiConnect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMGuiConnect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmguiconnect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmguiconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmguiconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmguiconnect.html" + ], + "service_id": "ssmguiconnect", + "service_page": "./AWS_SSMGuiConnect.html" + }, + "ssmincidents": { + "cloudformation_prefix": "AWS::SSMIncidents::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMIncidents.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmincidents", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmincidents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmincidents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmincidents.html" + ], + "service_id": "ssmincidents", + "service_page": "./AWS_SSMIncidents.html" + }, + "ssmquicksetup": { + "cloudformation_prefix": "AWS::SSMQuickSetup::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMQuickSetup.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmquicksetup", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmquicksetup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmquicksetup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmquicksetup.html" + ], + "service_id": "ssmquicksetup", + "service_page": "./AWS_SSMQuickSetup.html" + }, + "sso": { + "cloudformation_prefix": "AWS::SSO::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSO.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sso", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsso.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sso.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssso.html" + ], + "service_id": "sso", + "service_page": "./AWS_SSO.html" + }, + "stepfunctions": { + "cloudformation_prefix": "AWS::StepFunctions::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_StepFunctions.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "states", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html" + ], + "service_id": "stepfunctions", + "service_page": "./AWS_StepFunctions.html" + }, + "supportapp": { + "cloudformation_prefix": "AWS::SupportApp::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SupportApp.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "supportapp", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsupportapp.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_supportapp.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupportapp.html" + ], + "service_id": "supportapp", + "service_page": "./AWS_SupportApp.html" + }, + "synthetics": { + "cloudformation_prefix": "AWS::Synthetics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Synthetics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "synthetics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsynthetics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_synthetics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssynthetics.html" + ], + "service_id": "synthetics", + "service_page": "./AWS_Synthetics.html" + }, + "systemsmanagersap": { + "cloudformation_prefix": "AWS::SystemsManagerSAP::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SystemsManagerSAP.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "systemsmanagersap", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsystemsmanagersap.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_systemsmanagersap.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagersap.html" + ], + "service_id": "systemsmanagersap", + "service_page": "./AWS_SystemsManagerSAP.html" + }, + "timestream": { + "cloudformation_prefix": "AWS::Timestream::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Timestream.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "timestream", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontimestream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_timestream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstimestream.html" + ], + "service_id": "timestream", + "service_page": "./AWS_Timestream.html" + }, + "transfer": { + "cloudformation_prefix": "AWS::Transfer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Transfer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "transfer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontransfer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_transfer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransfer.html" + ], + "service_id": "transfer", + "service_page": "./AWS_Transfer.html" + }, + "verifiedpermissions": { + "cloudformation_prefix": "AWS::VerifiedPermissions::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_VerifiedPermissions.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "verifiedpermissions", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonverifiedpermissions.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_verifiedpermissions.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsverifiedpermissions.html" + ], + "service_id": "verifiedpermissions", + "service_page": "./AWS_VerifiedPermissions.html" + }, + "voiceid": { + "cloudformation_prefix": "AWS::VoiceID::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_VoiceID.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "voiceid", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvoiceid.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_voiceid.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsvoiceid.html" + ], + "service_id": "voiceid", + "service_page": "./AWS_VoiceID.html" + }, + "vpclattice": { + "cloudformation_prefix": "AWS::VpcLattice::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_VpcLattice.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "vpclattice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvpclattice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_vpclattice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsvpclattice.html" + ], + "service_id": "vpclattice", + "service_page": "./AWS_VpcLattice.html" + }, + "waf": { + "cloudformation_prefix": "AWS::WAF::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WAF.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "waf", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwaf.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_waf.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswaf.html" + ], + "service_id": "waf", + "service_page": "./AWS_WAF.html" + }, + "wafregional": { + "cloudformation_prefix": "AWS::WAFRegional::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WAFRegional.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "wafregional", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwafregional.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_wafregional.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafregional.html" + ], + "service_id": "wafregional", + "service_page": "./AWS_WAFRegional.html" + }, + "wafv2": { + "cloudformation_prefix": "AWS::WAFv2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WAFv2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "wafv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwafv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_wafv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html" + ], + "service_id": "wafv2", + "service_page": "./AWS_WAFv2.html" + }, + "wisdom": { + "cloudformation_prefix": "AWS::Wisdom::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Wisdom.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "wisdom", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwisdom.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_wisdom.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswisdom.html" + ], + "service_id": "wisdom", + "service_page": "./AWS_Wisdom.html" + }, + "workspaces": { + "cloudformation_prefix": "AWS::WorkSpaces::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WorkSpaces.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "workspaces", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_workspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspaces.html" + ], + "service_id": "workspaces", + "service_page": "./AWS_WorkSpaces.html" + }, + "workspacesthinclient": { + "cloudformation_prefix": "AWS::WorkSpacesThinClient::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WorkSpacesThinClient.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "workspacesthinclient", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesthinclient.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_workspacesthinclient.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspacesthinclient.html" + ], + "service_id": "workspacesthinclient", + "service_page": "./AWS_WorkSpacesThinClient.html" + }, + "workspacesweb": { + "cloudformation_prefix": "AWS::WorkSpacesWeb::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WorkSpacesWeb.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "workspacesweb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesweb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_workspacesweb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspacesweb.html" + ], + "service_id": "workspacesweb", + "service_page": "./AWS_WorkSpacesWeb.html" + }, + "xray": { + "cloudformation_prefix": "AWS::XRay::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_XRay.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "xray", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonxray.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_xray.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsxray.html" + ], + "service_id": "xray", + "service_page": "./AWS_XRay.html" + } + } +} \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-SNS.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-SNS.json new file mode 100644 index 00000000..7213a349 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-SNS.json @@ -0,0 +1,15 @@ +{ + "requestId": "REQ-2025-027", + "serviceId": "SNS", + "timestamp": "2024-05-20T12:00:00Z", + "requestor": { + "id": "user789", + "role": "Security Engineer", + "team": "Cloud Security" + }, + "services": [ + { + "serviceName": "Amazon SNS" + } + ] + } \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-ec2.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-ec2.json new file mode 100644 index 00000000..99ce0867 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-ec2.json @@ -0,0 +1,15 @@ +{ + "requestId": "REQ-2025-027", + "serviceId": "EC2", + "timestamp": "2024-05-20T12:00:00Z", + "requestor": { + "id": "user789", + "role": "Security Engineer", + "team": "Cloud Security" + }, + "services": [ + { + "serviceName": "Amazon EC2" + } + ] + } \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-quicksight.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-quicksight.json new file mode 100644 index 00000000..2f997dee --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/config-example/service-request/service-request-quicksight.json @@ -0,0 +1,15 @@ +{ + "requestId": "REQ-2025-027", + "serviceId": "QuickSight", + "timestamp": "2024-05-20T12:00:00Z", + "requestor": { + "id": "user789", + "role": "Security Engineer", + "team": "Cloud Security" + }, + "services": [ + { + "serviceName": "Amazon QuickSight" + } + ] + } \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/docs/blog/GenSec.png b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/docs/blog/GenSec.png new file mode 100644 index 00000000..d93d35bb Binary files /dev/null and b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/docs/blog/GenSec.png differ diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/docs/blog/README.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/docs/blog/README.md new file mode 100644 index 00000000..0c6de6ba --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/docs/blog/README.md @@ -0,0 +1,834 @@ +# AI-Powered Security Pattern Library: Automating Cloud Security Controls on AWS + +*Published on: [Date] | Reading time: 15 minutes* + +**Tags:** Security, AI/ML, Automation, Compliance, DevSecOps, Amazon Bedrock, AWS Lambda, Step Functions + +--- + +## Introduction + +In today's rapidly evolving cloud landscape, organizations face a significant challenge: maintaining consistent and up-to-date security controls across their environments. Manual security pattern management is not only time-consuming but also prone to errors. Many customers require 12 to 18 weeks to approve an AWS Service for general availability with the necessary patterns and controls. As compliance requirements grow and cloud adoption accelerates, there's an urgent need for automated, standardized, yet flexible security solutions. + +This blog post introduces an innovative AI-powered security pattern library that revolutionizes how organizations approach cloud security on AWS. By leveraging artificial intelligence and key AWS services, this solution automates the generation and management of security controls, dramatically reducing implementation time and ensuring consistent compliance across diverse cloud environments. + +## Background: The Challenge of Manual Security Pattern Management + +Security patterns and controls are essential components of a robust cloud security strategy. They provide standardized approaches to securing resources and ensuring compliance with various regulatory requirements. However, as cloud environments grow in complexity and scale, manually managing these patterns becomes increasingly challenging. + +Organizations struggle with: + +- **Inconsistent application of security controls** across different teams and projects, fostering shadow IT behavior +- **Long lead times** for approving and implementing new AWS services (often 12-18 weeks) +- **Difficulty in keeping up** with evolving compliance requirements +- **Balancing standardization** with the need for customization in diverse use cases +- **Need for safe "sandbox accounts"**, allowing business units to safely explore new services and innovate + +Currently, companies rely on their own Cloud Service Enablement programs, which streamline security compliance by taking a comprehensive, service-centric approach to cloud infrastructure. This innovative program handles multiple critical functions, including identifying potential security threats, establishing secure configuration baselines, and coordinating approvals across teams. The program also manages the implementation of least privilege access, develops configuration and verification code, and conducts thorough proof-of-concept testing. + +This systematic approach requires various stakeholders in a collaborative framework, from control owners and internal auditors to cloud platform engineering teams and developers. The program needs to support self-service models through Infrastructure as Code (IaC) and Cloud Platforms (CP), providing teams with secure-by-default code delivery and comprehensive baseline configurations. And keep the controls current as services are updated. + +These challenges highlight the need for an intelligent, automated approach to security pattern management that can adapt to changing requirements while maintaining consistency and compliance. + +## Solution Overview: GenSEC - AI-Powered Security Configuration System + +Our AI-powered security pattern library, **GenSEC** (Generative Security Configuration), leverages several key AWS services to create a comprehensive, automated solution: + +### Core AWS Services +1. **[Amazon Bedrock](https://aws.amazon.com/bedrock/)**: Powers AI-driven pattern recognition and control generation +2. **[Amazon DynamoDB](https://aws.amazon.com/dynamodb/)**: Stores pattern and control definitions, as well as the control inventory +3. **[AWS Step Functions](https://aws.amazon.com/step-functions/)**: Orchestrates the multi-step workflow process +4. **[AWS Lambda](https://aws.amazon.com/lambda/)**: Executes specialized functions for each stage of the process +5. **[Amazon S3](https://aws.amazon.com/s3/)**: Manages input configurations and output artifacts +6. **[AWS CloudFormation](https://aws.amazon.com/cloudformation/)/[CDK](https://aws.amazon.com/cdk/)**: Enables infrastructure deployment as code + +### System Architecture + +![GenSec System Architecture](GenSec.png) + +## System Outputs + +The security configuration system generates comprehensive outputs tailored for different teams and use cases: + +| Output Type | Format | Purpose & Description | Primary Users | +|-------------|--------|----------------------|---------------| +| **Service Research Profile** (Equifax form) | Markdown | • Comprehensive security documentation of AWS service
• Details on data protection, network/access controls, compliance
• Operational guidelines and best practices | • Security Architects
• Cloud Teams
• Compliance Teams | +| **IAM Review Module** (Equifax request) | JSON/Markdown | • Detailed IAM configurations and policies
• Permission sets and role analysis
• Best practices and implementation guidance
• Approval requirements and workflows | • IAM Team
• Security Team
• Cloud Platform Team | +| **AWS Service Configuration Recommendations** | JSON | • Security configuration guidance
• Service-specific security parameters
• Compliance mappings
• Implementation considerations | • Security Architects
• Cloud Teams
• Implementation Teams | +| **Security Controls** (checks) | JSON | • Proactive controls (CI/CD pipeline checks)
• Preventive (SCPs IAM policy at the Org level)
• Detective controls (Custom AWS Config rules) | • Security Teams
• Compliance Teams
• Operations Teams | +| **IaC Templates** | YAML/JSON | • CloudFormation / Terraform templates
• Pre-configured security settings
• Resource and parameters definitions | • DevOps Teams
• Cloud Engineers
• Implementation Teams | +| **Security Control Library** | DynamoDB Table | • Approved configurations storage
• Implementation status
• Approval history
• Compliance and threat mappings
• Configuration and control selection rational | • All Teams
• Auditors
• Security Teams | +| **Service Request Tracking** | DynamoDB Table | • Configuration request history
• Processing status
• Approval tracking
• Version control | • Operations Teams
• Security Teams
• Requestors | + +This solution enables organizations to: + +- **Automatically generate and maintain security controls** based on AWS service documentation and best practices +- **Provide self-service pattern customization** through AI-powered analysis of organizational requirements +- **Ensure compliance across diverse environments** with consistent, auditable control implementation +- **Continuously update** based on evolving security requirements and new AWS service features + +## Process Transformation: From Manual to AI-Driven + +The introduction of GenSEC to the Cloud Service Approval process fundamentally transforms how organizations approach security approval for new AWS services. This AI-driven automation significantly alters the traditional multi-team process by automating the analysis of security requirements. + +### Traditional Process vs. GenSEC-Enhanced Process + +| Traditional Approach | GenSEC-Enhanced Approach | +|---------------------|-------------------------| +| Manual research and documentation by sponsor teams | Automated analysis of AWS services against enterprise security requirements | +| Sequential routing through multiple approval teams | Automated generation of security controls with parallel processing | +| Manual creation of security controls and policies | AI-generated controls mapped to compliance frameworks | +| Weeks of back-and-forth between teams | Streamlined validation sessions with pre-generated artifacts | +| 12-18 week approval timeline | 3 validation sessions with maintained security rigor | + +### Key Process Improvements + +1. **Intelligent Analysis**: GenSEC automatically analyzes new AWS services against enterprise security requirements, producing intelligent assessments of security needs. + +2. **Automated Control Generation**: Rather than manual creation, GenSEC generates security controls, maps them to compliance frameworks, and creates customizable deployment templates. + +3. **Integrated Threat Modeling**: The system incorporates threat modeling capabilities into the assessment process, ensuring comprehensive security evaluation. + +4. **Consistent Implementation**: GenSEC produces necessary security controls and deployment templates based on enterprise standards, ensuring consistent implementation across the organization. + +5. **Continuous Learning**: AI learns from approvals and refinements, improving recommendations over time. + +While human oversight and decision-making remain crucial, especially for complex or high-risk services, GenSEC handles the time-consuming analysis and security control generation, transforming the approval process from a sequential, multi-team effort into a streamlined, data-driven approach. + +## Detailed System Walkthrough + +Based on our technical demonstration, let's walk through how GenSEC processes a service request from input to output. + +### Step 1: Input Processing + +The system requires two key inputs: + +#### Security Profile (JSON) +A comprehensive profile that captures the customer's security requirements: + +```json +{ + "organization_name": "Example Corp", + "environment_type": "production", + "security_operations": { + "logging": { + "centralized_logging": true, + "log_protection": true, + "retention_days": 365, + "cloudwatch_enabled": true, + "third_party_integration": "Splunk" + }, + "monitoring": { + "security_monitoring": true, + "automated_response": true + }, + "secrets_management": { + "rotation_enabled": true, + "rotation_frequency": "90_days" + }, + "access_management": { + "mfa_required": true, + "password_policy": "enterprise_standard" + } + }, + "security_controls": { + "detective": "AWS_Config", + "preventive": "SCPs_IAM", + "proactive": "CFN_Guard" + }, + "compliance_requirements": ["SOC2", "PCI_DSS", "GDPR"], + "threat_modeling": "STRIDE" +} +``` + +This profile is created through a series of interviews with the customer, understanding how they consume the cloud today and what decisions they've made in terms of logging, monitoring, secrets management, and access management. + +#### Service Request (JSON) +A simple request specifying which AWS service to analyze: + +```json +{ + "request_id": "REQ-2024-001", + "requester": "security-team", + "timestamp": "2024-01-15T10:30:00Z", + "service_name": "QuickSight" +} +``` + +### Step 2: AWS Service Documentation Collection + +The **AWSServiceDocumentationManager** Lambda function performs intelligent web crawling to collect comprehensive service documentation: + +```python +# Example of URL pattern construction for service documentation +def construct_documentation_urls(service_name): + base_urls = [ + f"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-{service_name.lower()}-*.html", + f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_{service_name.lower()}.html" + ] + return base_urls +``` + +This function: +- Crawls AWS CloudFormation documentation for service parameters +- Extracts IAM actions from service authorization documentation +- Validates parameter names and types to prevent AI hallucinations +- Stores validated data in DynamoDB tables for guardrails + +**Key Innovation**: By pre-validating all parameters against official AWS documentation, we eliminate AI hallucinations where the system might generate non-existent parameters. + +### Step 3: AI-Powered Security Analysis + +The **AnalyzeSecurityRequirements** Lambda function uses Amazon Bedrock with Claude-4 to perform intelligent analysis: + +```python +def analyze_security_requirements(profile, service_data, documentation): + prompt = f""" + [Model: claude-4] As an AWS security engineer, analyze the following service configuration: + + Customer Profile: {profile} + Service: {service_data['service_name']} + Available Parameters: {documentation['parameters']} + Available Actions: {documentation['actions']} + + Generate security recommendations that: + 1. Align with the customer's compliance requirements + 2. Use only the validated parameters provided + 3. Consider the threat vectors relevant to this service + 4. Prioritize configurations based on risk level + """ + + response = bedrock_client.invoke_model( + modelId="us.anthropic.claude-sonnet-4-20250514-v1:0", + body=json.dumps({ + "anthropic_version": "bedrock-2023-05-31", + "messages": [{"role": "user", "content": prompt}], + "max_tokens": 4000 + }) + ) + + return parse_and_validate_response(response) +``` + +This analysis generates entries in the **Security Control Library** table: + +| Field | Description | Example | +|-------|-------------|---------| +| configuration_id | Unique identifier | CFG-QS-001 | +| service_name | AWS service | QuickSight | +| security_domain | Control category | Data Protection | +| threat_vector | Security risk | Unauthorized Access | +| priority | Risk level | High | +| rationale | Why this control is needed | Prevents data exposure | +| recommended_configuration | Specific settings | Enable encryption at rest | +| detective_controls | Monitoring rules | AWS Config rule | +| preventive_controls | Access restrictions | SCP policy | +| proactive_controls | Template validation | CFN Guard rule | + +### AWS Config Managed Rules Integration + +The system includes comprehensive AWS Config managed rules integration for enhanced security control recommendations: + +```python +def load_config_rules(): + """Load AWS Config managed rules from documentation""" + # Extract rules directly from AWS Config documentation + rules = extract_rules_from_documentation() + + # Store in DynamoDB with service-based categorization + for rule_name in rules: + service_name = extract_service_from_rule_name(rule_name) + store_rule({ + 'rule_name': rule_name, + 'service_name': service_name, + 'description': f'AWS Config managed rule for {service_name}' + }) +``` + +**Key Features:** +- **696 AWS Config managed rules** automatically extracted from AWS documentation +- **Service-based categorization** via DynamoDB GSI for efficient queries +- **Dynamic rule discovery** - no hardcoded rules, adapts to AWS updates +- **Baseline reference file** for fallback when documentation is unavailable + +The **gensec-AWSConfigManagedRules** table enables the system to: +1. Recommend appropriate Config rules for each service +2. Generate detective controls based on compliance requirements +3. Map security controls to specific AWS Config rules +4. Provide service-specific rule recommendations + +### Step 4: Security Controls Generation + +The **GenerateSecurityControls** Lambda function creates specific implementation code: + +#### Detective Controls (AWS Config Rules) +```python +def generate_config_rule(configuration): + if configuration['managed_rule_exists']: + return { + "rule_type": "managed", + "rule_name": configuration['managed_rule_name'], + "parameters": configuration['rule_parameters'] + } + else: + return { + "rule_type": "custom", + "lambda_code": generate_custom_rule_code(configuration), + "rule_parameters": configuration['rule_parameters'] + } +``` + +#### Preventive Controls (Service Control Policies) +```python +def generate_scp_policy(configuration): + # Only generate SCPs for high-priority configurations + if configuration['priority'] == 'High': + return { + "policy_document": { + "Version": "2012-10-17", + "Statement": [{ + "Effect": "Deny", + "Action": configuration['restricted_actions'], + "Resource": "*", + "Condition": configuration['conditions'] + }] + } + } + return None +``` + +#### Proactive Controls (CloudFormation Guard Rules) +```python +def generate_cfn_guard_rule(configuration): + return f""" + rule {configuration['rule_name']} {{ + Resources.*[ Type == 'AWS::{configuration['service']}::{configuration['resource_type']}' ] {{ + Properties.{configuration['parameter_name']} == {configuration['required_value']} + << + Violation: {configuration['violation_message']} + >> + }} + }} + """ +``` + +### Step 5: Infrastructure Template Generation + +The **GenerateIaCTemplate** Lambda function creates deployment-ready templates: + +```yaml +# Example CloudFormation template output +AWSTemplateFormatVersion: '2010-09-09' +Description: 'Security-hardened QuickSight configuration' + +Resources: + QuickSightDataSet: + Type: AWS::QuickSight::DataSet + Properties: + DataSetId: !Sub '${AWS::StackName}-dataset' + Name: 'Secure Dataset' + PhysicalTableMap: + PhysicalTable1: + S3Source: + DataSourceArn: !Ref SecureDataSource + InputColumns: !Ref DataColumns + RowLevelPermissionDataSet: + Arn: !GetAtt RowLevelPermissions.Arn + PermissionPolicy: GRANT_ACCESS + + SecureDataSource: + Type: AWS::QuickSight::DataSource + Properties: + Type: S3 + SslProperties: + DisableSsl: false + VpcConnectionProperties: + VpcConnectionArn: !Ref VPCConnection +``` + +### Step 6: IAM Model Generation + +The **GenerateIAMModel** Lambda function creates least-privilege IAM policies: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "quicksight:CreateDataSet", + "quicksight:DescribeDataSet", + "quicksight:UpdateDataSet" + ], + "Resource": "arn:aws:quicksight:*:*:dataset/${aws:userid}/*", + "Condition": { + "StringEquals": { + "quicksight:RowLevelPermissionTagKey": "Department" + } + } + } + ] +} +``` + +## Getting Started: Implementation Guide + +### Prerequisites + +Before implementing GenSEC, ensure you have: + +- **AWS Account** with appropriate permissions for Bedrock, Lambda, Step Functions, DynamoDB, and S3 +- **Amazon Bedrock access** with model permissions for Claude 3 Sonnet or similar foundation models +- **AWS CDK CLI** installed (Node.js ≥ 14.x) +- **Python 3.9** for Lambda function development +- **Basic understanding** of cloud security concepts and AWS services + +### Step-by-Step Implementation + +#### 1. Clone and Deploy the Infrastructure + +```bash +# Clone the repository +git clone https://github.com/your-org/gensec-security-system.git +cd gensec-security-system + +# Install CDK dependencies +cd cdk +npm install + +# Build TypeScript +npm run build + +# Bootstrap CDK (first time only) +cdk bootstrap + +# Deploy infrastructure (customize region as needed) +cdk deploy --region us-east-1 +``` + +#### 2. Upload Service Mappings Configuration + +Upload the service mappings file to enable AWS service documentation collection: + +```bash +# Upload service mappings (required for documentation collection) +aws s3 cp config-example/service-mappings.json s3://gensec-security-input-profiles-${ACCOUNT}-${REGION}/configuration/ +``` + +This file contains mappings of AWS services to their CloudFormation resource types and IAM service names, enabling the system to collect accurate documentation for each service. + +**Note**: To update the service mappings with the latest AWS services, run: +```bash +cd scripts/service-mapping && python3 extract_service_mappings.py +``` + +#### 3. Configure Your Security Profile + +Create your organization's security profile based on the template: + +```bash +# Copy example configuration +cp config-example/security-profile/PROF-2025-001.json my-security-profile.json + +# Edit the profile to match your requirements +# Focus on: +# - Compliance frameworks (SOC2, PCI_DSS, GDPR, etc.) +# - Logging and monitoring preferences +# - Security control preferences (AWS Config, SCPs, etc.) +# - Environment type (production, development, sandbox) +``` + +#### 3. Test with a Sample Service + +```bash +# Upload your security profile +aws s3 cp my-security-profile.json \ + s3://gensec-security-input-profiles-${ACCOUNT}-${REGION}/security-profile/ + +# Create a service request +echo '{ + "request_id": "REQ-2024-001", + "requester": "your-team", + "timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'", + "service_name": "S3" +}' > service-request.json + +# Upload service request to trigger processing +aws s3 cp service-request.json \ + s3://gensec-security-input-profiles-${ACCOUNT}-${REGION}/service-request/ +``` + +#### 4. Monitor Execution and Results + +```bash +# Monitor Step Functions execution +aws stepfunctions list-executions \ + --state-machine-arn arn:aws:states:${REGION}:${ACCOUNT}:stateMachine:gensec-SecurityConfigWorkflow + +# Check processing results +aws s3 ls s3://gensec-security-config-outputs-${ACCOUNT}-${REGION}/ + +# Download results for review +./scripts/download_outputs.py + +# Validate generated controls +cd scripts/output-validation +./validate_service.sh S3 +``` + +#### 5. Review and Approve Generated Controls + +The system generates a comprehensive security control library entry for each service. Review the generated controls in your DynamoDB table: + +```bash +# Query the Security Control Library +aws dynamodb scan \ + --table-name gensec-SecurityControlLibrary \ + --filter-expression "service_name = :service" \ + --expression-attribute-values '{":service":{"S":"S3"}}' +``` + +Each control entry includes: +- **Rationale**: Why this control is needed +- **Implementation guidance**: How to implement the control +- **Compliance mapping**: Which frameworks this addresses +- **Priority level**: Risk-based prioritization +- **Generated code**: Ready-to-deploy templates and policies + +## Practical Examples and Use Cases + +### Use Case 1: Implementing Security Controls for Amazon S3 + +**Scenario**: A financial services company needs to implement S3 with PCI DSS compliance. + +**Input Profile Highlights**: +```json +{ + "compliance_requirements": ["PCI_DSS", "SOC2"], + "environment_type": "production", + "security_controls": { + "detective": "AWS_Config", + "preventive": "SCPs_IAM" + } +} +``` + +**Generated Controls**: +1. **Detective Control**: AWS Config rule for S3 bucket encryption +2. **Preventive Control**: SCP preventing unencrypted bucket creation +3. **Proactive Control**: CloudFormation Guard rule validating encryption settings +4. **IAM Model**: Least-privilege policies for S3 access + +**Results**: +- Reduced implementation time from 6 weeks to 3 days +- Consistent security posture across all S3 deployments +- Automated compliance validation + +### Use Case 2: Multi-Account Security Standardization + +**Scenario**: A healthcare organization with 50+ AWS accounts needs consistent security controls. + +**Implementation**: +- Single security profile applied across all accounts +- Automated control deployment via AWS Organizations +- Centralized monitoring through Security Hub integration + +**Results**: +- 95% reduction in security configuration drift +- Standardized compliance reporting across all accounts +- Faster onboarding of new AWS services + +### Use Case 3: DevOps Team Self-Service + +**Scenario**: Development teams need to quickly adopt new AWS services while maintaining security standards. + +**Implementation**: +- Self-service portal integrated with GenSEC +- Automated approval workflow for low-risk services +- Exception handling for high-risk configurations + +**Results**: +- Developer productivity increased by 40% +- Security review time reduced from weeks to hours +- Maintained security compliance across all deployments + +## Best Practices and Implementation Guidelines + +### Start Small, Iterate Fast + +Begin with a minimal set of essential services and expand gradually: + +1. **Phase 1**: Core services (S3, EC2, Lambda, RDS) +2. **Phase 2**: Networking services (VPC, CloudFront, Route 53) +3. **Phase 3**: Advanced services (AI/ML, Analytics, IoT) + +Implement a minimum viable pattern set that addresses immediate security compliance gaps and covers the majority of use cases. Gather valuable feedback quickly and refine your automation process iteratively. + +### Integration with Existing Workflows + +Rather than creating new processes, focus on integrating GenSEC with your current workflows: + +- **ITSM Integration**: Connect with ServiceNow, Jira, or similar tools for approval workflows +- **CI/CD Pipeline Integration**: Embed security validation in deployment pipelines +- **Existing Approval Processes**: Enhance current service approval workflows with AI-generated insights + +### Customer-Centric Pattern Development + +Prioritize reducing service approval timelines and enhancing user experience: + +- **Feedback Mechanisms**: Implement user feedback collection for continuous improvement +- **Usage Analytics**: Track pattern adoption rates and effectiveness +- **Performance Metrics**: Monitor reduction in approval times and security incidents + +### Governance and Risk Management + +Implement lightweight but effective governance: + +- **Approval Workflows**: Clear processes for pattern modifications and exceptions +- **Ownership Structure**: Define roles and responsibilities for pattern maintenance +- **Automated Testing**: Validate pattern updates before deployment +- **Documentation Standards**: Maintain comprehensive, searchable pattern documentation + +### Security and Compliance + +Ensure the system itself meets security standards: + +- **Least Privilege Access**: Apply principle of least privilege to all system components +- **Audit Logging**: Comprehensive logging of all system activities +- **Data Protection**: Encrypt sensitive data at rest and in transit +- **Regular Reviews**: Periodic security assessments of the system + +## Common Pitfalls to Avoid + +### Over-Complexity in Pattern Design + +**Problem**: Creating overly complex patterns that are difficult to maintain and understand. + +**Solution**: +- Start with simple, well-understood patterns +- Use modular design principles +- Provide clear documentation and examples +- Regular pattern reviews and simplification + +### Insufficient Testing of Generated Controls + +**Problem**: Deploying AI-generated controls without proper validation. + +**Solution**: +- Implement automated testing for all generated controls +- Use staging environments for validation +- Establish rollback procedures +- Monitor control effectiveness post-deployment + +### Lack of Version Control and Change Management + +**Problem**: Inconsistencies due to poor version control of patterns and configurations. + +**Solution**: +- Implement Git-based version control for all patterns +- Use semantic versioning for pattern releases +- Maintain change logs and impact assessments +- Automated deployment pipelines with approval gates + +### Inadequate Monitoring and Feedback + +**Problem**: Deploying the system without proper monitoring of effectiveness and user satisfaction. + +**Solution**: +- Implement comprehensive monitoring dashboards +- Regular user feedback collection +- Performance metrics tracking +- Continuous improvement processes + +### Security Control Conflicts + +**Problem**: Different patterns generating conflicting security controls. + +**Solution**: +- Implement conflict detection algorithms +- Establish pattern precedence rules +- Regular pattern compatibility testing +- Clear escalation procedures for conflicts + +## Advanced Features and Customization + +### Custom Security Control Types + +GenSEC supports extensible security control types beyond the standard detective, preventive, and proactive controls: + +```python +# Example: Custom compliance control for GDPR +def generate_gdpr_control(service_config): + return { + "control_type": "compliance", + "framework": "GDPR", + "requirements": ["data_minimization", "consent_management"], + "implementation": generate_gdpr_implementation(service_config) + } +``` + +### Third-Party Tool Integration + +The system can be extended to support various third-party security tools: + +- **Wiz**: Cloud security posture management +- **Prisma Cloud**: Comprehensive cloud security platform +- **OPA (Open Policy Agent)**: Policy-as-code implementation +- **HashiCorp Sentinel**: Policy-as-code for Terraform + +### Multi-Cloud Support + +While initially designed for AWS, the architecture supports extension to other cloud providers: + +```python +# Example: Azure service analysis +def analyze_azure_service(service_name, security_profile): + azure_docs = collect_azure_documentation(service_name) + return generate_azure_controls(azure_docs, security_profile) +``` + +## Future Enhancements and Roadmap + +### Planned Features + +1. **Real-time Compliance Monitoring**: Continuous assessment of deployed resources against generated controls +2. **Machine Learning Optimization**: Learning from control effectiveness to improve future recommendations +3. **Natural Language Interface**: Chat-based interaction for security control queries and modifications +4. **Integration Marketplace**: Pre-built integrations with popular security and DevOps tools +5. **Multi-Cloud Support**: Extension to Azure, Google Cloud, and other cloud providers + +### Community Contributions + +We encourage community contributions in several areas: + +- **New Service Patterns**: Contributions for additional AWS services +- **Compliance Frameworks**: Support for additional regulatory requirements +- **Tool Integrations**: Connectors for popular security and DevOps tools +- **Documentation**: Improvements to guides and examples + +## Operational Cost Analysis + +Understanding the operational costs of GenSEC is crucial for organizations planning to implement this solution. Based on real-world deployment data from our production environment, here's a comprehensive cost breakdown: + +### Cost Per Execution + +The system has an **actual cost of $3.61 per successful execution** with the current Claude 4 configuration: + +| Service | Cost per Execution | Percentage | +|---------|-------------------|------------| +| **Bedrock AI (Claude 4)** | $3.60 | 99.6% | +| **Lambda Functions** | $0.013 | 0.4% | +| **Step Functions** | $0.0002 | 0.0% | +| **DynamoDB** | $0.00004 | 0.0% | +| **S3** | $0.00001 | 0.0% | +| **TOTAL** | **$3.61** | 100% | + +### Monthly Cost Projections + +| Service Approvals | Monthly Cost | Annual Cost | +|------------------|--------------|-------------| +| 10 services | $36 | $433 | +| 50 services | $181 | $2,167 | +| 100 services | $361 | $4,334 | +| 500 services | $1,807 | $21,679 | + +### ROI Analysis: Automated vs Manual Process + +The cost savings compared to manual security approval processes are substantial: + +- **Manual process cost**: ~$6,000 per service approval (3-4 weeks of security architect time) +- **GenSEC automated cost**: $3.61 per service approval +- **Cost reduction**: 99.94% savings per approval +- **Time reduction**: From 12-18 weeks to 20 minutes + +**Example ROI for 100 annual service approvals:** +- **Manual cost**: $600,000 annually +- **GenSEC cost**: $361 annually +- **Net savings**: $599,639 annually + + +### Business Impact + +For organizations currently spending $600,000 annually on manual security approvals (100 services), GenSEC provides: +- **99.94% cost reduction** in operational expenses +- **95% time reduction** in approval cycles +- **Consistent security posture** across all approved services +- **Scalable solution** that grows with organizational needs + +The system pays for itself after the first service approval, making it an extremely cost-effective solution for any organization managing cloud security at scale. + +## Conclusion + +The AI-powered security pattern library represents a significant leap forward in cloud security management. By automating the generation and maintenance of security controls, this solution addresses the critical challenges of consistency, speed, and adaptability in cloud environments. + +**Key Benefits Achieved**: +- **95% reduction** in security control implementation time +- **Consistent compliance** across diverse cloud environments +- **Automated adaptation** to new AWS services and features +- **Self-service capabilities** for development teams +- **Comprehensive audit trails** for compliance reporting + +**Business Impact**: +- Faster time-to-market for new applications +- Reduced security review bottlenecks +- Improved compliance posture +- Enhanced developer productivity +- Lower operational overhead + +### Getting Started Today + +Ready to transform your cloud security approach? Here's how to begin: + +1. **Download the Code**: Access the complete GenSEC implementation from our GitHub repository +2. **Start with a Pilot**: Implement the system for a small set of core AWS services +3. **Customize for Your Needs**: Adapt the security profiles and controls to match your requirements +4. **Scale Gradually**: Expand to additional services and use cases based on initial success +5. **Engage with AWS**: Consider AWS Professional Services for customization and enterprise deployment + +### Professional Services and Support + +For organizations requiring customized implementation or enterprise-scale deployment: + +- **AWS Professional Services**: Expert consultation and implementation support +- **Custom Pattern Development**: Tailored security patterns for specific industry requirements +- **Integration Services**: Connection with existing security and compliance tools +- **Training and Enablement**: Team training on system operation and maintenance + +### Resources and Next Steps + +- **GitHub Repository**: [Complete source code and documentation] +- **AWS Architecture Center**: [Reference architectures and best practices] +- **AWS Security Blog**: [Latest updates and security insights] +- **Community Forum**: [Connect with other users and contributors] + +As cloud environments continue to evolve, embracing AI-driven security solutions like GenSEC will be crucial for maintaining robust, compliant, and efficient cloud operations. The future of cloud security is automated, intelligent, and adaptive – and that future is available today. + +--- + +*This solution demonstrates the power of combining AWS services with artificial intelligence to solve complex organizational challenges. By automating security pattern management, organizations can focus on innovation while maintaining the highest security standards.* + +## About the Authors + +**[Author Name]** is a Senior Solutions Architect at AWS, specializing in cloud security and AI/ML solutions. With over [X] years of experience in enterprise security architecture, [Author] helps organizations implement scalable, secure cloud solutions. + +**[Co-Author Name]** is a Principal Security Architect at AWS Professional Services, focusing on automated security controls and compliance frameworks for enterprise customers. + +## Learn More + +### Related AWS Services +- [Amazon Bedrock](https://aws.amazon.com/bedrock/) - Build and scale generative AI applications +- [AWS Step Functions](https://aws.amazon.com/step-functions/) - Coordinate distributed applications +- [Amazon DynamoDB](https://aws.amazon.com/dynamodb/) - Fast, flexible NoSQL database +- [AWS Lambda](https://aws.amazon.com/lambda/) - Run code without thinking about servers + +### Additional Resources +- [AWS Security Blog](https://aws.amazon.com/blogs/security/) +- [AWS Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/) +- [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) +- [AWS Security Hub](https://aws.amazon.com/security-hub/) + +### Related Posts +- "Automating Security Compliance with AWS Config" +- "Building AI-Powered Solutions with Amazon Bedrock" +- "Implementing Zero Trust Architecture on AWS" diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AWSServiceDocumentationManager/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AWSServiceDocumentationManager/lambda_function.py new file mode 100644 index 00000000..47194656 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AWSServiceDocumentationManager/lambda_function.py @@ -0,0 +1,852 @@ +import boto3 +import requests +from bs4 import BeautifulSoup +import json +import logging +import os +import re +from datetime import datetime +from botocore.exceptions import ClientError +import time +from urllib.parse import urljoin +from bedrock_client import get_bedrock_client +from content_processor import ContentProcessor +from mcp_documentation_collector import MCPDocumentationCollector + +# Configure logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +class AWSServiceDocumentationCollector: + def __init__(self): + self.dynamodb = boto3.client('dynamodb') + self.s3 = boto3.client('s3') + + # Initialize centralized Bedrock client + self.bedrock_client = get_bedrock_client('claude-4') # Change between 'nova-pro' and 'claude' to switch models + + # Initialize MCP documentation collector + self.mcp_collector = MCPDocumentationCollector() + self.use_mcp = os.environ.get('USE_MCP_DOCUMENTATION', 'false').lower() == 'true' # Disable MCP by default until server is available + + self.documentation_bucket = os.environ['DOCUMENTATION_BUCKET'] + self.input_bucket = os.environ.get('S3_INPUT_BUCKET', self.documentation_bucket) + self.service_actions_table = os.environ['DYNAMODB_TABLE_SERVICE_ACTIONS'] + self.service_parameters_table = os.environ['DYNAMODB_TABLE_SERVICE_PARAMETERS'] + self.service_inventory_table = os.environ['DYNAMODB_TABLE_SERVICE_INVENTORY'] + + # Load service mappings from S3 + self.service_mappings = self._load_service_mappings() + + # Request session with retry logic + self.session = requests.Session() + self.session.headers.update({ + 'User-Agent': 'AWS-Documentation-Collector/1.0' + }) + + def _load_service_mappings(self): + """Load service mappings from S3 configuration file""" + try: + logger.info("Loading service mappings from S3...") + + # Try to load from input bucket first, fallback to documentation bucket + buckets_to_try = [self.input_bucket, self.documentation_bucket] + + for bucket in buckets_to_try: + try: + response = self.s3.get_object( + Bucket=bucket, + Key='configuration/service-mappings.json' + ) + + mappings_data = json.loads(response['Body'].read().decode('utf-8')) + logger.info(f"Successfully loaded service mappings from {bucket}") + + # Extract just the services section for backward compatibility + if 'services' in mappings_data: + return mappings_data['services'] + else: + return mappings_data + + except ClientError as e: + if e.response['Error']['Code'] == 'NoSuchKey': + logger.warning(f"Service mappings not found in {bucket}") + continue + else: + logger.warning(f"Error loading from {bucket}: {str(e)}") + continue + + # Fallback to hardcoded mappings if S3 load fails + logger.warning("Could not load service mappings from S3, using fallback mappings") + return self._get_fallback_service_mappings() + + except Exception as e: + logger.error(f"Error loading service mappings: {str(e)}") + return self._get_fallback_service_mappings() + + def _get_fallback_service_mappings(self): + """Fallback service mappings if S3 load fails""" + return { + 'dynamodb': { + 'resource_types': ['dynamodb-table', 'dynamodb-globaltable'], + 'iam_service_name': 'dynamodb' + }, + 'lambda': { + 'resource_types': ['lambda-function', 'lambda-layerversion'], + 'iam_service_name': 'lambda' + }, + 's3': { + 'resource_types': ['s3-bucket', 's3-bucketpolicy'], + 'iam_service_name': 's3' + }, + 'ec2': { + 'resource_types': ['ec2-instance', 'ec2-vpc', 'ec2-subnet', 'ec2-securitygroup'], + 'iam_service_name': 'ec2' + }, + 'iam': { + 'resource_types': ['iam-role', 'iam-policy', 'iam-user'], + 'iam_service_name': 'iam' + }, + 'sns': { + 'resource_types': ['sns-topic', 'sns-subscription'], + 'iam_service_name': 'sns' + }, + 'sqs': { + 'resource_types': ['sqs-queue', 'sqs-queuepolicy'], + 'iam_service_name': 'sqs' + } + } + + def _make_request(self, url, max_retries=3, timeout=30): + """Make HTTP request with retry logic""" + for attempt in range(max_retries): + try: + logger.info(f"Attempting to fetch {url} (attempt {attempt + 1}/{max_retries})") + response = self.session.get(url, timeout=timeout) + + if response.status_code == 200: + return response + elif response.status_code in [301, 302]: + # Handle redirects + redirect_url = response.headers.get('Location') + if redirect_url: + logger.info(f"Following redirect to: {redirect_url}") + return self._make_request(redirect_url, max_retries - attempt - 1, timeout) + else: + logger.warning(f"HTTP {response.status_code} for {url}") + + except requests.exceptions.Timeout: + logger.warning(f"Timeout for {url} on attempt {attempt + 1}") + except requests.exceptions.RequestException as e: + logger.warning(f"Request error for {url} on attempt {attempt + 1}: {str(e)}") + + if attempt < max_retries - 1: + time.sleep(2 ** attempt) # Exponential backoff + + return None + + def _generate_service_url_patterns(self, service_id): + """Generate smart URL patterns for AWS service documentation""" + service_id_lower = service_id.lower() + + # Generate standard patterns + patterns = [] + + # Pattern 1: list_amazon{service} (most common) + patterns.append(f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazon{service_id_lower}.html") + + # Pattern 2: list_{service} (for services without amazon prefix) + patterns.append(f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_{service_id_lower}.html") + + # Pattern 3: list_aws{service} (for AWS-prefixed services) + patterns.append(f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_aws{service_id_lower}.html") + + return patterns + + def collect_service_actions(self, service_id): + """Collect IAM actions using MCP server or fallback to web scraping""" + try: + logger.info(f"Collecting actions for service: {service_id}") + + # Try MCP first if enabled + if self.use_mcp: + logger.info(f"Using MCP server for {service_id} actions") + mcp_actions = self.mcp_collector.collect_service_actions_mcp(service_id) + if mcp_actions: + logger.info(f"Successfully collected {len(mcp_actions)} actions via MCP") + return mcp_actions + else: + logger.warning(f"MCP failed for {service_id}, falling back to web scraping") + + # Fallback to web scraping + logger.info(f"Using web scraping fallback for {service_id} actions") + all_actions = self._extract_actions_with_ai_v2(service_id) + + logger.info(f"Total actions collected for {service_id}: {len(all_actions)}") + return all_actions + + except Exception as e: + logger.error(f"Error collecting actions for service {service_id}: {str(e)}") + return [] + + # def _extract_actions_from_html(self, html_content, service_id, source_url): + # """Extract actions from HTML content""" + # soup = BeautifulSoup(html_content, 'html.parser') + # actions = [] + # + # # Find the actions table - handle both old and new AWS documentation formats + # tables = soup.find_all('table') + # actions_table = None + # + # for table in tables: + # # Check if this table contains actions + # thead = table.find('thead') + # if thead: + # headers = [th.text.strip().lower() for th in thead.find_all('th')] + # if 'actions' in headers: + # actions_table = table + # break + # + # # Fallback: check first row for headers + # rows = table.find_all('tr') + # if rows: + # first_row_headers = [th.text.strip().lower() for th in rows[0].find_all(['th', 'td'])] + # if 'actions' in first_row_headers: + # actions_table = table + # break + # + # if not actions_table: + # logger.warning(f"No actions table found for {service_id}") + # return [] + # + # # Parse the table structure + # tbody = actions_table.find('tbody') or actions_table + # rows = tbody.find_all('tr') + # + # if not rows: + # logger.warning(f"No table rows found for {service_id}") + # return [] + # + # # Get headers from thead or first row + # thead = actions_table.find('thead') + # if thead: + # header_row = thead.find('tr') + # data_rows = rows + # else: + # header_row = rows[0] + # data_rows = rows[1:] + # + # headers = [th.text.strip().lower() for th in header_row.find_all(['th', 'td'])] + # + # # Find column indices + # action_col = None + # description_col = None + # access_level_col = None + # resource_types_col = None + # condition_keys_col = None + # dependent_actions_col = None + # + # for i, header in enumerate(headers): + # if 'actions' in header or 'action' in header: + # action_col = i + # elif 'description' in header: + # description_col = i + # elif 'access level' in header or 'accesslevel' in header: + # access_level_col = i + # elif 'resource types' in header or 'resourcetypes' in header: + # resource_types_col = i + # elif 'condition keys' in header or 'conditionkeys' in header: + # condition_keys_col = i + # elif 'dependent actions' in header or 'dependentactions' in header: + # dependent_actions_col = i + # + # if action_col is None: + # logger.warning(f"No actions column found for {service_id}") + # return [] + # + # # Extract actions from rows + # for row in data_rows: + # cols = row.find_all(['td', 'th']) + # if len(cols) <= action_col: + # continue + # + # action_name = self._extract_cell_text(cols, action_col) + # if not action_name or action_name.strip() == '': + # continue + # + # action = { + # 'service_id': service_id, + # 'action_name': action_name, + # 'description': self._extract_cell_text(cols, description_col), + # 'access_level': self._extract_cell_text(cols, access_level_col), + # 'resource_types': self._extract_list_from_cell(cols, resource_types_col), + # 'condition_keys': self._extract_list_from_cell(cols, condition_keys_col), + # 'dependent_actions': self._extract_list_from_cell(cols, dependent_actions_col), + # 'last_updated': datetime.now().isoformat(), + # 'source_url': source_url + # } + # + # actions.append(action) + # + # # No AI fallback needed since main function uses AI as primary method + # return actions + + # def _extract_cell_text(self, cols, index): + # """Extract text from table cell at given index""" + # if index is None or index >= len(cols): + # return '' + # return cols[index].get_text(strip=True) + # + # def _extract_list_from_cell(self, cols, index): + # """Extract list items from table cell, handling various separators""" + # if index is None or index >= len(cols): + # return [] + # + # text = cols[index].get_text(strip=True) + # if not text or text == '-': + # return [] + # + # # Split by common separators and clean up + # items = [] + # for separator in [',', '\n', ';']: + # if separator in text: + # items = [item.strip() for item in text.split(separator) if item.strip()] + # break + # + # if not items and text: + # items = [text] + # + # return [item for item in items if item and item != '-'] + + def collect_service_parameters(self, service_id): + """Collect CloudFormation parameters using MCP server or fallback to web scraping""" + try: + logger.info(f"Collecting parameters for service: {service_id}") + + # Try MCP first if enabled + if self.use_mcp: + logger.info(f"Using MCP server for {service_id} parameters") + mcp_parameters = self.mcp_collector.collect_service_parameters_mcp(service_id) + if mcp_parameters: + logger.info(f"Successfully collected {len(mcp_parameters)} parameters via MCP") + return mcp_parameters + else: + logger.warning(f"MCP failed for {service_id}, falling back to web scraping") + + # Fallback to web scraping + logger.info(f"Using web scraping fallback for {service_id} parameters") + all_parameters = self._extract_parameters_with_ai(service_id) + + return all_parameters + + except Exception as e: + logger.error(f"Error collecting parameters for service {service_id}: {str(e)}") + logger.error("Full traceback: ", exc_info=True) + return [] + + + def store_documentation(self, service_id, data_type, data): + """Store collected documentation in DynamoDB and S3""" + try: + # Determine the correct table name based on data type + if data_type == 'Actions': + table_name = self.service_actions_table + elif data_type == 'Parameters': + table_name = self.service_parameters_table + else: + table_name = self.service_inventory_table + + logger.info(f"Storing {len(data)} items in DynamoDB table {table_name}") + + for item in data: + try: + logger.info(f'item: {str(item)}') + dynamodb_item = self._convert_to_dynamodb_item(item) + self.dynamodb.put_item( + TableName=table_name, + Item=dynamodb_item + ) + except Exception as e: + logger.error(f"Error storing item in DynamoDB: {str(e)}") + continue + + # Store in S3 + timestamp = datetime.now().strftime('%Y%m%d') + s3_key = f"{service_id}/{data_type}/raw_data_{timestamp}.json" + + self.s3.put_object( + Bucket=self.documentation_bucket, + Key=s3_key, + Body=json.dumps(data, indent=2), + ContentType='application/json' + ) + + logger.info(f"Stored documentation in S3: {s3_key}") + + except Exception as e: + logger.error(f"Error storing documentation: {str(e)}") + raise + + def _convert_to_dynamodb_item(self, item): + """Convert Python dict to DynamoDB format""" + dynamodb_item = {} + for key, value in item.items(): + if isinstance(value, str): + dynamodb_item[key] = {'S': value} + elif isinstance(value, bool): + dynamodb_item[key] = {'BOOL': value} + elif isinstance(value, (int, float)): + dynamodb_item[key] = {'N': str(value)} + elif isinstance(value, list): + if value: + dynamodb_item[key] = {'L': [{'S': str(v)} for v in value if v]} + else: + dynamodb_item[key] = {'L': []} + elif isinstance(value, dict): + dynamodb_item[key] = {'M': self._convert_to_dynamodb_item(value)} + elif value is None: + continue + return dynamodb_item + + def _fetch_cloudformation_pages_for_ai(self, service_id): + """Fetch CloudFormation documentation pages for AI processing""" + # Get resource types from loaded service mappings + service_config = self.service_mappings.get(service_id.lower(), {}) + resource_types = service_config.get('resource_types', [service_id.lower()]) + html_contents = [] + + for resource_type in resource_types: + url = f"https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-{resource_type}.html" + try: + response = self._make_request(url) + if response and response.status_code == 200: + html_contents.append({ + 'resource_type': resource_type, + 'url': url, + 'content': response.text + }) + except Exception as e: + logger.warning(f"Failed to fetch {url}: {str(e)}") + + return html_contents + + def _parse_ai_json_response(self, ai_response, context="response"): + """Parse AI JSON response directly""" + try: + # Remove any leading/trailing whitespace + cleaned = ai_response.strip() + return json.loads(cleaned) + except json.JSONDecodeError as e: + logger.error(f"Failed to parse AI {context} as JSON: {str(e)}") + logger.error(f"Response was: \n{ai_response}") + return None + + def _invoke_bedrock(self, prompt): + """Centralized Bedrock invocation using shared client""" + try: + # max_tokens is configured in the bedrock client layer, not passed as parameter + return self.bedrock_client.invoke(prompt) + except Exception as e: + logger.error(f"Error invoking Bedrock: {str(e)}") + raise + + def _extract_actions_with_ai_v2(self, service_id): + """Use AI to extract actions from service authorization URLs with content chunking""" + all_actions = [] + + logger.info(f"Starting AI action extraction for {service_id}") + + # Get URLs from service_mappings + service_config = self.service_mappings.get(service_id.lower(), {}) + urls = service_config.get('service_authorization_urls', []) + + # If no URLs in service_mappings, fall back to generated patterns + if not urls: + urls = self._generate_service_url_patterns(service_id) + + for url in urls: + try: + logger.info(f"Processing URL: {url}") + + # Fetch individual page + response = self._make_request(url) + if not response or response.status_code != 200: + logger.warning(f"Failed to fetch {url}") + continue + + # Skip if redirected to main reference page (invalid service URL) + if 'reference.html' in response.url or response.url.endswith('/reference/'): + logger.info(f"Skipping redirected URL (invalid service): {url} -> {response.url}") + continue + + # Extract and clean content more aggressively + text_content = ContentProcessor.extract_section_content(response.text, 'actions') + logger.info(f"Extracted text content: {len(text_content)} characters") + + # Check if content needs chunking (>50k chars) + if len(text_content) > 50000: + logger.info(f"Content too large ({len(text_content)} chars), using chunking approach") + actions_data = self._extract_actions_with_chunking(service_id, text_content, url) + else: + actions_data = self._extract_actions_single_call(service_id, text_content, url) + + if not actions_data: + continue + + logger.info(f"Successfully parsed {len(actions_data)} actions from AI response") + + # Add metadata to each action + for action in actions_data: + action.update({ + 'service_id': service_id, + 'service_action': f"{service_id.lower()}:{action.get('action_name', '')}", + 'last_updated': datetime.now().isoformat(), + 'extraction_method': 'ai', + 'source_url': url + }) + all_actions.append(action) + + logger.info(f"Extracted {len(actions_data)} actions from {url}") + + except Exception as e: + logger.error(f"Error using AI to extract actions from {url}: {str(e)}") + continue + + logger.info(f"AI action extraction completed for {service_id}. Total actions extracted: {len(all_actions)}") + return all_actions + + def _extract_actions_single_call(self, service_id, text_content, url): + """Extract actions with single AI call""" + prompt = f"""Extract IAM actions from AWS service authorization documentation. Return ONLY valid JSON array. + +Service: {service_id} + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: action_name (string), description (string), access_level (string), resource_types (array), condition_keys (array), dependent_actions (array) +- Use proper JSON formatting with double quotes +- Arrays can be empty [] if no data +- No trailing commas + +Format: [{{"action_name":"CreateTopic","description":"Creates a topic","access_level":"Write","resource_types":["topic"],"condition_keys":[],"dependent_actions":[]}}] + +Documentation: +{text_content}""" + + ai_response = self._invoke_bedrock(prompt) + return self._parse_ai_json_response(ai_response, "actions response") + + def _extract_actions_with_chunking(self, service_id, text_content, url): + """Extract actions using smart chunking that preserves complete entries""" + # Split by logical boundaries (table rows, action entries) - reduced chunk size for better performance + chunks = ContentProcessor.smart_chunk_content(text_content, 40000, ['Action:', 'action:', '\n\n', '. ']) + all_actions = [] + + logger.info(f"Processing {len(chunks)} smart chunks for {service_id}") + + for i, chunk in enumerate(chunks): + try: + logger.info(f"Processing chunk {i+1}/{len(chunks)} ({len(chunk)} chars)") + + prompt = f"""Extract IAM actions from this AWS documentation chunk. Return ONLY valid JSON array. + +Service: {service_id} +Chunk: {i+1}/{len(chunks)} + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: action_name (string), description (string), access_level (string), resource_types (array), condition_keys (array), dependent_actions (array) +- Use proper JSON formatting with double quotes +- Arrays can be empty [] if no data +- No trailing commas + +Format: [{{"action_name":"CreateTopic","description":"Creates a topic","access_level":"Write","resource_types":["topic"],"condition_keys":[],"dependent_actions":[]}}] + +Documentation chunk: +{chunk}""" + + ai_response = self._invoke_bedrock(prompt) + chunk_actions = self._parse_ai_json_response(ai_response, f"chunk {i+1} response") + + if chunk_actions: + all_actions.extend(chunk_actions) + logger.info(f"Extracted {len(chunk_actions)} actions from chunk {i+1}") + + except Exception as e: + logger.error(f"Error processing chunk {i+1}: {str(e)}") + continue + + # Deduplicate actions by action_name + seen_actions = set() + unique_actions = [] + for action in all_actions: + action_name = action.get('action_name', '') + if action_name and action_name not in seen_actions: + seen_actions.add(action_name) + unique_actions.append(action) + + logger.info(f"Deduplicated {len(all_actions)} actions to {len(unique_actions)} unique actions") + return unique_actions + + + def _extract_parameters_with_ai(self, service_id): + """Use AI to extract parameters from CloudFormation HTML content with chunking""" + all_parameters = [] + + logger.info(f"Starting AI parameter extraction for {service_id}") + + # Get resource types from loaded service mappings + service_config = self.service_mappings.get(service_id.lower(), {}) + resource_types = service_config.get('resource_types', [service_id.lower()]) + + for resource_type in resource_types: + try: + logger.info(f"Processing resource type: {resource_type}") + + # Fetch individual page + url = f"https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-{resource_type}.html" + response = self._make_request(url) + if not response or response.status_code != 200: + logger.warning(f"Failed to fetch {url}") + continue + + # Extract and clean content more aggressively + text_content = ContentProcessor.extract_section_content(response.text, 'parameters') + logger.info(f"Extracted text content: {len(text_content)} characters") + + # Check if content needs chunking (>80k chars for parameters) + if len(text_content) > 80000: + logger.info(f"Content too large ({len(text_content)} chars), using chunking approach") + parameters_data = self._extract_parameters_with_chunking(service_id, resource_type, text_content, url) + else: + parameters_data = self._extract_parameters_single_call(service_id, resource_type, text_content, url) + + if not parameters_data: + continue + + logger.info(f"Successfully parsed {len(parameters_data)} parameters from AI response") + + # Add metadata to each parameter + for param in parameters_data: + param.update({ + 'service_id': service_id, + 'last_updated': datetime.now().isoformat(), + 'extraction_method': 'ai', + 'source_url': url + }) + all_parameters.append(param) + + logger.info(f"Extracted {len(parameters_data)} parameters for {resource_type}") + + except Exception as e: + logger.error(f"Error using AI to extract parameters for {resource_type}: {str(e)}") + + logger.info(f"AI parameter extraction completed for {service_id}. Total parameters extracted: {len(all_parameters)}") + return all_parameters + + def _extract_parameters_single_call(self, service_id, resource_type, text_content, url): + """Extract parameters with single AI call""" + prompt = f"""Extract CloudFormation properties from documentation. Return ONLY valid JSON array. + +Service: {service_id} +Resource: {resource_type} + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: parameter_name (string), description (string), type (string), required (boolean) +- Use proper JSON formatting with double quotes +- Boolean values must be true or false (not strings) +- No trailing commas + +Format: [{{"parameter_name":"ExampleParam","description":"Example description","type":"String","required":true}}] + +Documentation: +{text_content}""" + + ai_response = self._invoke_bedrock(prompt) + return self._parse_ai_json_response(ai_response, "parameters response") + + def _extract_parameters_with_chunking(self, service_id, resource_type, text_content, url): + """Extract parameters using smart chunking that preserves complete entries""" + # Split by logical boundaries (properties, parameter definitions) + chunks = ContentProcessor.smart_chunk_content(text_content, 60000, ['Type:', 'Required:', 'Properties', '\n\n', '. ']) + all_parameters = [] + + logger.info(f"Processing {len(chunks)} smart chunks for {resource_type}") + + for i, chunk in enumerate(chunks): + try: + logger.info(f"Processing chunk {i+1}/{len(chunks)} ({len(chunk)} chars)") + + prompt = f"""Extract CloudFormation properties from this documentation chunk. Return ONLY valid JSON array. + +Service: {service_id} +Resource: {resource_type} +Chunk: {i+1}/{len(chunks)} + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: parameter_name (string), description (string), type (string), required (boolean) +- Use proper JSON formatting with double quotes +- Boolean values must be true or false (not strings) +- No trailing commas + +Format: [{{"parameter_name":"ExampleParam","description":"Example description","type":"String","required":true}}] + +Documentation chunk: +{chunk}""" + + ai_response = self._invoke_bedrock(prompt) + chunk_parameters = self._parse_ai_json_response(ai_response, f"chunk {i+1} response") + + if chunk_parameters: + all_parameters.extend(chunk_parameters) + logger.info(f"Extracted {len(chunk_parameters)} parameters from chunk {i+1}") + + except Exception as e: + logger.error(f"Error processing chunk {i+1}: {str(e)}") + continue + + # Deduplicate parameters by parameter_name + seen_parameters = set() + unique_parameters = [] + for param in all_parameters: + param_name = param.get('parameter_name', '') + if param_name and param_name not in seen_parameters: + seen_parameters.add(param_name) + unique_parameters.append(param) + + logger.info(f"Deduplicated {len(all_parameters)} parameters to {len(unique_parameters)} unique parameters") + return unique_parameters + +def lambda_handler(event, context): + """Lambda handler to collect and store AWS service documentation""" + try: + # Set log level from event if provided + log_level = event.get('logLevel', 'INFO').upper() + if hasattr(logging, log_level): + logger.setLevel(getattr(logging, log_level)) + logger.info(f"Log level set to {log_level}") + + logger.info(f"Received event: {json.dumps(event)}") + + # Extract action and input data + action = event.get('action') + input_data = event.get('input', {}) + service_id = input_data.get('serviceId') or input_data.get('service_id') + + if not service_id: + raise ValueError("service_id is required") + + collector = AWSServiceDocumentationCollector() + actions = [] + parameters = [] + actions_found = False + parameters_found = False + warnings = [] + + # Get service configuration to check capabilities + service_config = collector.service_mappings.get(service_id.lower(), {}) + has_iam_actions = service_config.get('has_iam_actions', True) + has_cloudformation_resources = service_config.get('has_cloudformation_resources', True) + + # Collect Actions (only if service has IAM actions) + if has_iam_actions: + try: + actions = collector.collect_service_actions(service_id) + if actions: + actions_found = True + collector.store_documentation(service_id, 'Actions', actions) + logger.info(f"Stored {len(actions)} actions for {service_id}") + else: + warnings.append("No actions found") + except Exception as e: + logger.error(f"Error collecting actions: {str(e)}") + warnings.append(f"Error collecting actions: {str(e)}") + else: + logger.warning(f"Skipping actions collection for {service_id} - service has no IAM actions") + actions_found = True # Consider as success since it's expected + + # Collect Parameters (only if service has CloudFormation resources) + if has_cloudformation_resources: + try: + parameters = collector.collect_service_parameters(service_id) + if parameters: + parameters_found = True + collector.store_documentation(service_id, 'Parameters', parameters) + logger.info(f"Stored {len(parameters)} parameters for {service_id}") + else: + warnings.append("No parameters found") + except Exception as e: + logger.error(f"Error collecting parameters: {str(e)}") + warnings.append(f"Error collecting parameters: {str(e)}") + else: + logger.warning(f"Skipping parameters collection for {service_id} - service has no CloudFormation resources") + parameters_found = True # Consider as success since it's expected + # Create timestamp and S3 locations + timestamp = datetime.now().strftime('%Y%m%d') + s3_locations = { + 'actions': f"s3://{collector.documentation_bucket}/{service_id}/Actions/raw_data_{timestamp}.json", + 'parameters': f"s3://{collector.documentation_bucket}/{service_id}/Parameters/raw_data_{timestamp}.json" + } + + # Determine status - success if at least one type of documentation is found + if actions_found or parameters_found: + status = 'SUCCESS' + else: + status = 'FAILURE' + error_message = f"No documentation found for {service_id}. Both actions and parameters extraction failed." + logger.error(error_message) + + return { + 'statusCode': 500, + 'body': { + 'error': error_message, + 'service_id': service_id, + 'status': status, + 'actions_count': 0, + 'parameters_count': 0, + 'warnings': warnings + } + } + + # Prepare response with actual data included for Step Functions processing + response_body = { + 'service_id': service_id, + 'actions_count': len(actions), + 'parameters_count': len(parameters), + # 'actions': actions, # Include actual actions data + # 'parameters': parameters, # Include actual parameters data + 'message': f"Documentation collection completed for {service_id}", + 'warnings': warnings if warnings else None, + 's3_locations': s3_locations, + 'status': status, + 'metadata': { + 'timestamp': timestamp, + 'actions_processed': actions_found, + 'parameters_processed': parameters_found, + 'documentation_bucket': collector.documentation_bucket + } + } + + logger.info(f"Processing completed for {service_id} with status: {status}") + + return { + 'statusCode': 200, + 'body': response_body + } + + except Exception as e: + logger.error(f"Error in lambda_handler: {str(e)}") + logger.error("Full traceback: ", exc_info=True) + + return { + 'statusCode': 500, + 'body': { + 'error': str(e), + 'details': 'Check CloudWatch logs for more information', + 'service_id': service_id if 'service_id' in locals() else None, + 'status': 'ERROR', + 'documentation_bucket': collector.documentation_bucket if 'collector' in locals() else None + } + } diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AWSServiceDocumentationManager/mcp_documentation_collector.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AWSServiceDocumentationManager/mcp_documentation_collector.py new file mode 100644 index 00000000..973b0067 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AWSServiceDocumentationManager/mcp_documentation_collector.py @@ -0,0 +1,310 @@ +""" +MCP-Enhanced AWS Service Documentation Collector +Replaces web scraping with AWS Documentation MCP Server integration +""" +import json +import logging +import os +from datetime import datetime +from typing import Dict, List, Any, Optional +from bedrock_client import get_bedrock_client + +logger = logging.getLogger() + +class MCPDocumentationCollector: + """Enhanced documentation collector using MCP server""" + + def __init__(self): + # Initialize MCP client + try: + from mcp_tools import get_mcp_client + self.mcp_client = get_mcp_client() + self.use_mcp = True + logger.info("MCP Documentation Collector initialized successfully") + except ImportError: + logger.warning("MCP tools not available - falling back to web scraping") + self.mcp_client = None + self.use_mcp = False + + # Initialize Bedrock client for AI processing + self.bedrock_client = get_bedrock_client('claude-4') + + def collect_service_actions_mcp(self, service_id: str) -> List[Dict[str, Any]]: + """Collect IAM actions using MCP server""" + if not self.use_mcp: + logger.warning("MCP not available, cannot collect actions via MCP") + return [] + + try: + logger.info(f"Collecting actions for {service_id} using MCP") + + # Get service documentation via MCP + service_docs = self.mcp_client.get_service_documentation(service_id) + + if not service_docs: + logger.warning(f"No MCP documentation found for {service_id}") + return [] + + # Extract actions using AI from MCP documentation + actions = self._extract_actions_from_mcp_docs(service_id, service_docs) + + logger.info(f"Extracted {len(actions)} actions for {service_id} via MCP") + return actions + + except Exception as e: + logger.error(f"Error collecting MCP actions for {service_id}: {str(e)}") + return [] + + def collect_service_parameters_mcp(self, service_id: str) -> List[Dict[str, Any]]: + """Collect CloudFormation parameters using MCP server""" + if not self.use_mcp: + logger.warning("MCP not available, cannot collect parameters via MCP") + return [] + + try: + logger.info(f"Collecting parameters for {service_id} using MCP") + + # Search for CloudFormation documentation via MCP + cf_docs = self.mcp_client.search_documentation( + f"{service_id} CloudFormation properties parameters", + service_id + ) + + if not cf_docs: + logger.warning(f"No MCP CloudFormation documentation found for {service_id}") + return [] + + # Extract parameters using AI from MCP documentation + parameters = self._extract_parameters_from_mcp_docs(service_id, cf_docs) + + logger.info(f"Extracted {len(parameters)} parameters for {service_id} via MCP") + return parameters + + except Exception as e: + logger.error(f"Error collecting MCP parameters for {service_id}: {str(e)}") + return [] + + def _extract_actions_from_mcp_docs(self, service_id: str, mcp_docs: Dict[str, Any]) -> List[Dict[str, Any]]: + """Extract IAM actions from MCP documentation using AI""" + try: + # Convert MCP docs to text for AI processing + docs_text = self._mcp_docs_to_text(mcp_docs) + + if len(docs_text) > 80000: + # Use chunking for large documents + return self._extract_actions_with_chunking_mcp(service_id, docs_text) + else: + # Single AI call for smaller documents + return self._extract_actions_single_call_mcp(service_id, docs_text) + + except Exception as e: + logger.error(f"Error extracting actions from MCP docs: {str(e)}") + return [] + + def _extract_parameters_from_mcp_docs(self, service_id: str, mcp_docs: List[Dict[str, Any]]) -> List[Dict[str, Any]]: + """Extract CloudFormation parameters from MCP documentation using AI""" + try: + # Convert MCP docs to text for AI processing + docs_text = "" + for doc in mcp_docs: + docs_text += self._mcp_docs_to_text(doc) + "\\n\\n" + + if len(docs_text) > 80000: + # Use chunking for large documents + return self._extract_parameters_with_chunking_mcp(service_id, docs_text) + else: + # Single AI call for smaller documents + return self._extract_parameters_single_call_mcp(service_id, docs_text) + + except Exception as e: + logger.error(f"Error extracting parameters from MCP docs: {str(e)}") + return [] + + def _mcp_docs_to_text(self, docs: Any) -> str: + """Convert MCP documentation to text format""" + if isinstance(docs, str): + return docs + elif isinstance(docs, dict): + # Extract relevant text fields from MCP response + text_parts = [] + + # Common MCP response fields + for field in ['content', 'text', 'description', 'body', 'documentation']: + if field in docs: + text_parts.append(str(docs[field])) + + # If no standard fields, convert entire dict to string + if not text_parts: + text_parts.append(json.dumps(docs, indent=2)) + + return "\\n".join(text_parts) + elif isinstance(docs, list): + return "\\n".join([self._mcp_docs_to_text(item) for item in docs]) + else: + return str(docs) + + def _extract_actions_single_call_mcp(self, service_id: str, docs_text: str) -> List[Dict[str, Any]]: + """Extract actions with single AI call from MCP docs""" + prompt = f"""Extract IAM actions from AWS service documentation obtained via MCP server. Return ONLY valid JSON array. + +Service: {service_id} +Source: AWS Documentation MCP Server + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: action_name (string), description (string), access_level (string), resource_types (array), condition_keys (array), dependent_actions (array) +- Use proper JSON formatting with double quotes +- Arrays can be empty [] if no data +- No trailing commas + +Format: [{{"action_name":"CreateTopic","description":"Creates a topic","access_level":"Write","resource_types":["topic"],"condition_keys":[],"dependent_actions":[]}}] + +MCP Documentation: +{docs_text}""" + + try: + ai_response = self.bedrock_client.invoke(prompt) + return self._parse_ai_json_response(ai_response, "MCP actions response") + except Exception as e: + logger.error(f"Error in single call MCP actions extraction: {str(e)}") + return [] + + def _extract_parameters_single_call_mcp(self, service_id: str, docs_text: str) -> List[Dict[str, Any]]: + """Extract parameters with single AI call from MCP docs""" + prompt = f"""Extract CloudFormation properties from AWS documentation obtained via MCP server. Return ONLY valid JSON array. + +Service: {service_id} +Source: AWS Documentation MCP Server + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: parameter_name (string), description (string), type (string), required (boolean) +- Use proper JSON formatting with double quotes +- Boolean values must be true or false (not strings) +- No trailing commas + +Format: [{{"parameter_name":"ExampleParam","description":"Example description","type":"String","required":true}}] + +MCP Documentation: +{docs_text}""" + + try: + ai_response = self.bedrock_client.invoke(prompt) + return self._parse_ai_json_response(ai_response, "MCP parameters response") + except Exception as e: + logger.error(f"Error in single call MCP parameters extraction: {str(e)}") + return [] + + def _extract_actions_with_chunking_mcp(self, service_id: str, docs_text: str) -> List[Dict[str, Any]]: + """Extract actions using chunking from MCP docs""" + from content_processor import ContentProcessor + + chunks = ContentProcessor.smart_chunk_content(docs_text, 40000, ['Action:', 'action:', '\\n\\n', '. ']) + all_actions = [] + + logger.info(f"Processing {len(chunks)} MCP chunks for {service_id} actions") + + for i, chunk in enumerate(chunks): + try: + prompt = f"""Extract IAM actions from this AWS MCP documentation chunk. Return ONLY valid JSON array. + +Service: {service_id} +Source: AWS Documentation MCP Server +Chunk: {i+1}/{len(chunks)} + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: action_name (string), description (string), access_level (string), resource_types (array), condition_keys (array), dependent_actions (array) +- Use proper JSON formatting with double quotes +- Arrays can be empty [] if no data +- No trailing commas + +Format: [{{"action_name":"CreateTopic","description":"Creates a topic","access_level":"Write","resource_types":["topic"],"condition_keys":[],"dependent_actions":[]}}] + +MCP Documentation chunk: +{chunk}""" + + ai_response = self.bedrock_client.invoke(prompt) + chunk_actions = self._parse_ai_json_response(ai_response, f"MCP chunk {i+1} response") + + if chunk_actions: + all_actions.extend(chunk_actions) + logger.info(f"Extracted {len(chunk_actions)} actions from MCP chunk {i+1}") + + except Exception as e: + logger.error(f"Error processing MCP chunk {i+1}: {str(e)}") + continue + + # Deduplicate actions + seen_actions = set() + unique_actions = [] + for action in all_actions: + action_name = action.get('action_name', '') + if action_name and action_name not in seen_actions: + seen_actions.add(action_name) + unique_actions.append(action) + + logger.info(f"Deduplicated {len(all_actions)} MCP actions to {len(unique_actions)} unique actions") + return unique_actions + + def _extract_parameters_with_chunking_mcp(self, service_id: str, docs_text: str) -> List[Dict[str, Any]]: + """Extract parameters using chunking from MCP docs""" + from content_processor import ContentProcessor + + chunks = ContentProcessor.smart_chunk_content(docs_text, 60000, ['Type:', 'Required:', 'Properties', '\\n\\n', '. ']) + all_parameters = [] + + logger.info(f"Processing {len(chunks)} MCP chunks for {service_id} parameters") + + for i, chunk in enumerate(chunks): + try: + prompt = f"""Extract CloudFormation properties from this AWS MCP documentation chunk. Return ONLY valid JSON array. + +Service: {service_id} +Source: AWS Documentation MCP Server +Chunk: {i+1}/{len(chunks)} + +Requirements: +- Return ONLY the JSON array, no markdown, no explanations +- Each object must have: parameter_name (string), description (string), type (string), required (boolean) +- Use proper JSON formatting with double quotes +- Boolean values must be true or false (not strings) +- No trailing commas + +Format: [{{"parameter_name":"ExampleParam","description":"Example description","type":"String","required":true}}] + +MCP Documentation chunk: +{chunk}""" + + ai_response = self.bedrock_client.invoke(prompt) + chunk_parameters = self._parse_ai_json_response(ai_response, f"MCP chunk {i+1} response") + + if chunk_parameters: + all_parameters.extend(chunk_parameters) + logger.info(f"Extracted {len(chunk_parameters)} parameters from MCP chunk {i+1}") + + except Exception as e: + logger.error(f"Error processing MCP chunk {i+1}: {str(e)}") + continue + + # Deduplicate parameters + seen_parameters = set() + unique_parameters = [] + for param in all_parameters: + param_name = param.get('parameter_name', '') + if param_name and param_name not in seen_parameters: + seen_parameters.add(param_name) + unique_parameters.append(param) + + logger.info(f"Deduplicated {len(all_parameters)} MCP parameters to {len(unique_parameters)} unique parameters") + return unique_parameters + + def _parse_ai_json_response(self, ai_response: str, context: str = "response") -> Optional[List[Dict[str, Any]]]: + """Parse AI JSON response""" + try: + cleaned = ai_response.strip() + return json.loads(cleaned) + except json.JSONDecodeError as e: + logger.error(f"Failed to parse AI {context} as JSON: {str(e)}") + logger.error(f"Response was: \\n{ai_response}") + return None \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AnalyzeSecurityRequirements/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AnalyzeSecurityRequirements/lambda_function.py new file mode 100644 index 00000000..83a7c7f2 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/AnalyzeSecurityRequirements/lambda_function.py @@ -0,0 +1,487 @@ +""" +AnalyzeSecurityRequirements Lambda Function +Analyzes security requirements and generates recommendations using Bedrock AI +""" +import json +import boto3 +import os +import logging +from datetime import datetime +from bedrock_client import get_bedrock_client +from dynamodb_operations import ( + get_service_actions_from_dynamodb, + get_service_parameters_from_dynamodb, + store_control_library, + update_service_tracking +) +from json_processing import clean_and_extract_json +from validation import validate_input +from typing import List, Dict, Optional, Any + +# Set up logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +# Environment variables +CONTROL_LIBRARY_TABLE = os.environ['DYNAMODB_TABLE_CONTROL_LIBRARY'] +SERVICE_TRACKING_TABLE = os.environ['DYNAMODB_TABLE_SERVICE_TRACKING'] +SERVICE_ACTIONS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_ACTIONS', 'gensec-AWSServiceActions') +SERVICE_PARAMETERS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_PARAMETERS', 'gensec-AWSServiceParameters') +CONFIG_MANAGED_RULES_TABLE = os.environ.get('DYNAMODB_TABLE_CONFIG_MANAGED_RULES', 'gensec-AWSConfigManagedRules') + +# Initialize Bedrock client +bedrock_client = get_bedrock_client('claude-4') + +def analyze_security_requirements(input_data): + """ + Analyze security requirements with validated service data and generate recommendations. + + Args: + input_data (dict): Contains security profile, service request, and service documentation + + Returns: + dict: Analysis results with status code and recommendations or error details + + Raises: + ValueError: If required inputs are missing or ir invalid + """ + try: + logger.info(f"Starting security requirements analysis") + logger.debug(f"Received input data: {json.dumps(input_data)}") + + # Extract and validate input data with detailed logging + security_profile = input_data.get('securityProfile') + if not security_profile: + logger.error("Missing securityProfile in input data") + raise ValueError("securityProfile is required") + + service_request = input_data.get('serviceRequest') + if not service_request: + logger.error("Missing serviceRequest in input data") + raise ValueError("serviceRequest is required") + + service_documentation = input_data.get('serviceDocumentation') + if not service_documentation: + logger.error("Missing serviceDocumentation in input data") + raise ValueError("serviceDocumentation is required") + + # Log the structure of service_documentation + logger.info(f"Service documentation keys: {list(service_documentation.keys())}") + + # Extract validated data with logging + service_doc_body = service_documentation.get('body', {}) + if not service_doc_body: + logger.error("Missing body in service documentation") + raise ValueError("Service documentation body is required") + + logger.info(f"Service documentation body keys: {list(service_doc_body.keys())}") + + # Get service_id for DynamoDB queries + service_id = service_request.get('serviceId') + if not service_id: + raise ValueError("serviceId is required") + + logger.info(f"Processing service_id: {service_id}") + + # Query DynamoDB for service actions and parameters + validated_actions = get_service_actions_from_dynamodb(service_id, SERVICE_ACTIONS_TABLE) + validated_parameters = get_service_parameters_from_dynamodb(service_id, SERVICE_PARAMETERS_TABLE) + + logger.info(f"Found {len(validated_parameters)} parameters and {len(validated_actions)} actions for {service_id}") + + if not validated_parameters and not validated_actions: + logger.error(f"No validated parameters or actions found for service_id: {service_id}") + logger.info(f"Available tables: Actions={SERVICE_ACTIONS_TABLE}, Parameters={SERVICE_PARAMETERS_TABLE}") + raise ValueError(f"No validated parameters or actions available for service {service_id}") + + # Log what we have available + if not validated_actions: + logger.warning(f"No actions available for {service_request.get('serviceId', 'unknown service')}, proceeding with parameters only") + if not validated_parameters: + logger.warning(f"No parameters available for {service_request.get('serviceId', 'unknown service')}, proceeding with actions only") + + # Create enhanced prompt with validation + try: + prompt = create_analysis_prompt_with_validation( + security_profile=security_profile, + service_request=service_request, + validated_actions=validated_actions, + validated_parameters=validated_parameters + ) + except Exception as e: + logger.error(f"Error creating analysis prompt: {str(e)}") + raise ValueError(f"Failed to create analysis prompt: {str(e)}") + + # Get Bedrock response with pagination + try: + logger.info("Invoking Bedrock for analysis") + full_response = invoke_bedrock_agent_with_pagination(prompt) + + if not full_response: + raise ValueError("No valid response from Bedrock") + + logger.debug(f"Bedrock response: {json.dumps(full_response)}") + except Exception as e: + logger.error(f"Error invoking Bedrock: {str(e)}") + raise ValueError(f"Failed to get response from Bedrock: {str(e)}") + + # Verify the response has the expected structure + if not isinstance(full_response, dict) or 'recommendations' not in full_response: + logger.error("Invalid response format from Bedrock") + logger.error(f"Response: {json.dumps(full_response)}") + raise ValueError("Invalid response format: missing recommendations") + + recommendations = full_response.get('recommendations', []) + if not recommendations: + logger.error("No recommendations found in Bedrock response") + raise ValueError("No recommendations found in response") + + logger.info(f"Received {len(recommendations)} recommendations from Bedrock") + + # Validate recommendations against known valid parameters + validated_recommendations = [] + for idx, rec in enumerate(recommendations): + try: + logger.debug(f"Processing recommendation {idx + 1}: {json.dumps(rec)}") + + settings = rec.get('recommended_configuration', {}).get('settings', {}) + valid_settings = {} + + # Validate each parameter in the recommendation + for param_name, param_value in settings.items(): + if param_name in [p.get('parameter_name') for p in validated_parameters]: + valid_settings[param_name] = param_value + logger.debug(f"Valid parameter found: {param_name}") + else: + logger.warning(f"Invalid parameter '{param_name}' in recommendation {idx + 1}") + + # Include recommendation if it has valid settings OR if service has no parameters + if valid_settings or not validated_parameters: + if valid_settings: + rec['recommended_configuration']['settings'] = valid_settings + elif not validated_parameters: + logger.warning(f"Service has no CloudFormation parameters - accepting recommendation {idx + 1} without parameter validation") + validated_recommendations.append(rec) + logger.info(f"Validated recommendation {idx + 1} with {len(valid_settings)} valid settings") + else: + logger.warning(f"Skipping recommendation {idx + 1} as it contains no valid parameters") + + except Exception as e: + logger.error(f"Error processing recommendation {idx + 1}: {str(e)}") + continue + + if not validated_recommendations: + logger.error("No valid recommendations after parameter validation") + logger.error(f"Original recommendations: {json.dumps(recommendations)}") + logger.error(f"Validated parameters: {json.dumps(validated_parameters)}") + raise ValueError("No valid recommendations after parameter validation") + + logger.info(f"Successfully validated {len(validated_recommendations)} recommendations") + + # Store validated recommendations + try: + store_control_library(validated_recommendations, service_request, CONTROL_LIBRARY_TABLE) + update_service_tracking(service_request, SERVICE_TRACKING_TABLE) + logger.info("Successfully stored recommendations and updated tracking") + except Exception as e: + logger.error(f"Error storing recommendations: {str(e)}") + # Continue execution even if storage fails + + # Prepare successful response + response = { + 'statusCode': 200, + 'analyzedRequirements': validated_recommendations, + 'metadata': { + 'totalRecommendations': len(validated_recommendations), + 'validatedParameters': len(validated_parameters), + 'validatedActions': len(validated_actions), + 'timestamp': datetime.utcnow().isoformat() + } + } + + logger.info("Successfully completed security requirements analysis") + return response + + except ValueError as ve: + logger.error(f"Validation error: {str(ve)}") + raise ve # Re-raise to fail Step Functions execution + except Exception as e: + logger.error(f"Unexpected error: {str(e)}", exc_info=True) + raise e # Re-raise to fail Step Functions execution + +def invoke_bedrock_agent_with_pagination(prompt, max_pages=3): + """ + Invoke Bedrock with pagination support for very large responses. + """ + try: + full_response = "" + current_prompt = prompt["prompt"] if isinstance(prompt, dict) else prompt + + for page in range(max_pages): + logger.info(f"Invoking Bedrock for page {page + 1}/{max_pages}") + try: + # Create proper prompt format + formatted_prompt = { + "prompt": current_prompt + } + + response = bedrock_client.invoke(current_prompt) + + if response: + if isinstance(response, str): + full_response = response + else: + full_response = json.dumps(response) + + if "To be continued" not in full_response: + logger.info("Response complete, ending pagination") + break + + logger.info("Response incomplete, continuing to next page") + current_prompt = "Continue from where you left off:" + else: + logger.warning(f"No valid response received for page {page + 1}") + break + + except Exception as e: + logger.error(f"Error during pagination (page {page + 1}): {str(e)}") + break + + if not full_response: + return None + + try: + if isinstance(full_response, str): + return json.loads(full_response) + return full_response + except json.JSONDecodeError as je: + logger.error(f"Failed to parse response as JSON: {str(je)}") + return None + + except Exception as e: + logger.error(f"Error in pagination: {str(e)}") + return None + +def get_service_specific_rules(service_name: str) -> List[str]: + """ + Returns AWS Config managed rules specific to a service from DynamoDB + + Args: + service_name (str): AWS service name + + Returns: + List[str]: List of AWS Config managed rules specific to the service + """ + try: + from dynamodb_operations import query_dynamodb_by_gsi + + # Query by service name using GSI + service_rules = query_dynamodb_by_gsi( + table_name=CONFIG_MANAGED_RULES_TABLE, + index_name='ServiceNameIndex', + key_name='service_name', + key_value=service_name.lower() + ) + + rule_names = [item['rule_name'] for item in service_rules] + logger.info(f"Found {len(rule_names)} managed rules for service {service_name}") + return rule_names + + except Exception as e: + logger.error(f"Error querying service-specific rules: {str(e)}") + return [] + +def create_analysis_prompt_with_validation(security_profile: dict, + service_request: dict, + validated_actions: list, + validated_parameters: list) -> dict: + """ + Create enhanced prompt for security analysis using validated parameters and actions. + + Args: + security_profile (dict): Security profile containing requirements and controls + service_request (dict): Service request details + validated_actions (list): List of validated AWS service actions + validated_parameters (list): List of validated AWS service parameters + + Returns: + dict: Formatted prompt for Bedrock with validation constraints + + Raises: + ValueError: If required inputs are missing or invalid + """ + try: + # Input validation - allow empty lists but not None values + if security_profile is None or service_request is None or validated_actions is None or validated_parameters is None: + raise ValueError("All input parameters are required") + + # Extract service name + services = service_request.get('services', []) + if not services: + logger.warning("No services found in service_request") + service_name = service_request.get('serviceId', 'Unknown Service') + else: + service_name = services[0].get('serviceName', 'Unknown Service') + + logger.info(f"Processing service: {service_name}") + + # Get service-specific AWS Config managed rules + service_rules = get_service_specific_rules(service_name) + + # Format validated parameters and actions + valid_params_text = "\n".join([ + f"- {param.get('parameter_name')}: {param.get('description')} (Type: {param.get('type')})" + for param in validated_parameters + if param.get('parameter_name') and param.get('description') + ]) + + valid_actions_text = "\n".join([ + f"- {action.get('action_name')}: {action.get('description')} (Access Level: {action.get('access_level')})" + for action in validated_actions + if action.get('action_name') and action.get('description') + ]) + + # Format managed rules text + service_rules_text = "\n".join([f"- {rule}" for rule in service_rules]) + + # Extract security requirements + security_requirements = security_profile.get('security_requirements', {}) + + prompt = { + "prompt": f"""Generate security configuration recommendations for {service_name} based on AWS best practices and security requirements. + +VERIFIED AWS CONFIG MANAGED RULES - USE ONLY THESE: +{service_rules_text} + +VALID PARAMETERS - USE ONLY THESE: +{valid_params_text} + +VALID ACTIONS - USE ONLY THESE: +{valid_actions_text} + +SECURITY REQUIREMENTS TO ADDRESS: +{json.dumps(security_requirements, indent=2)} + +Service Request Context: +{json.dumps(service_request, indent=2)} + +Full Security Profile Context: +{json.dumps(security_profile, indent=2)} + +CRITICAL INSTRUCTIONS: +1. Use ONLY the verified AWS Config managed rules listed above. +2. If suggesting a custom rule (when no managed rule exists): + - Clearly label it as "CUSTOM:" + - Explain why a custom rule is needed + - Provide detailed implementation guidance +3. Focus on service-specific security configurations that directly address requirements +4. Use ONLY the validated parameters and actions provided +5. Map recommendations to specific security requirements +6. Include relevant compliance mappings (NIST, PCI, ISO) +7. DO NOT suggest non-existent managed rules +8. DO NOT use parameters or actions not in the validated lists +9. Return ONLY the JSON object below +10. Do NOT include markdown formatting (no ```json or ```) +11. Do NOT include any explanatory text before or after +12. Use \\n for line breaks in code strings +13. Ensure all quotes are properly escaped + +Return recommendations in this EXACT format: +{{ + "recommendations": [ + {{ + "configuration_id": "CONF-{service_name.split()[0].upper()}-2025-001", + "configuration_short_name": "Clear, specific name", + "configuration_rationale": {{ + "requirement": "How this addresses security requirements", + "impact_if_not_implemented": "Specific security impact" + }}, + "configuration_priority": "VERY HIGH|HIGH|MEDIUM|LOW", + "service_name": "{service_name}", + "security_domain": "Access Control|Data Protection|Network Security|etc", + "consolidated_requirements": "Requirements addressed by this configuration", + "threat_vector": ["Specific threats mitigated"], + "recommended_configuration": {{ + "settings": {{ + # ONLY use validated parameters here + }} + }}, + "configuration_AWS_URL": "AWS documentation URL", + "detective_control": {{ + "details": {{ + "managed_config_rule": "VERIFIED-MANAGED-RULE or CUSTOM:description", + "security_hub_control": "SecurityHub control ID", + "compliance_mapping": {{ + "nist_800_53": "Control ID", + "pci_dss": "Requirement ID", + "iso_27001": "Control ID" + }} + }} + }}, + "preventive_control": {{ + "details": {{ + "scp_policy": {{ + # Only for VERY HIGH priority, using validated actions + }} + }} + }}, + "proactive_control": {{ + "details": {{ + "sentinel_policy": "Specific Sentinel policy" + }} + }} + }} + ] +}} + +VALIDATION RULES: +1. Each setting must use exact parameter names from validated list +2. Each action must exist in validated actions list +3. Detective controls must use verified managed rules or be labeled as custom +4. Every recommendation must map to specific security requirements +5. Parameter values must match their documented types +6. URLs must point to valid AWS documentation +7. Each recommendation should focus on one specific configuration + +8. Settings in recommended_configuration MUST match validated parameter names +9. Actions in preventive controls MUST come from the validated actions list + +Example of valid parameter usage: +If you have a validated parameter "BucketVersioning": +- DO: "settings": {{"BucketVersioning": "Enabled"}} +- DON'T: "settings": {{"versioning": true}} or any variation not matching the exact parameter name + +Remember: The goal is to create parameter-driven recommendations that map to security requirements, not the other way around. +""" +# Final Validation: +# Before returning recommendations, verify that: +# 1. Each setting uses exact parameter names from the validated list +# 2. All actions referenced exist in the validated actions list +# 3. Every recommendation addresses specific security requirements +# 4. Parameter values match their documented types +# 5. URLs point to relevant AWS documentation +# 6. Each recommendation focuses on one specific parameter configurationRemember: Return ONLY the JSON object - no additional text or markdown formatting. + } + + logger.info("Successfully created analysis prompt with validated rules and parameters") + return prompt + + except Exception as e: + logger.error(f"Error creating analysis prompt: {str(e)}", exc_info=True) + raise ValueError(f"Failed to create analysis prompt: {str(e)}") + +def lambda_handler(event, context): + """Lambda handler for analyzing security requirements""" + try: + logger.info("Starting AnalyzeSecurityRequirements Lambda") + logger.info(f"Received event: {json.dumps(event)}") + + # Analyze requirements directly (the analyze_security_requirements function has its own validation) + result = analyze_security_requirements(event) + + logger.info("Successfully completed security requirements analysis") + return result + + except Exception as e: + logger.error(f"Error in AnalyzeSecurityRequirements: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateIAMModel/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateIAMModel/lambda_function.py new file mode 100644 index 00000000..5a6b4669 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateIAMModel/lambda_function.py @@ -0,0 +1,443 @@ +""" +GenerateIAMModel Lambda Function +Generates IAM models with validated actions for AWS services +""" +import json +import boto3 +import os +import logging +from datetime import datetime +from bedrock_client import get_bedrock_client +from dynamodb_operations import get_service_actions_from_dynamodb +from s3_operations import store_output_in_s3 +from validation import ( + build_action_validation_set, + validate_input +) +from json_processing import extract_json_from_content, convert_json_to_markdown + +# Set up logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +# Environment variables +SERVICE_ACTIONS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_ACTIONS', 'gensec-AWSServiceActions') +OUTPUT_BUCKET = os.environ.get('S3_OUTPUT_BUCKET', os.environ.get('S3_DOCUMENTATION_BUCKET')) + +# Initialize Bedrock client +bedrock_client = get_bedrock_client('claude-4') + +# Initialize S3 client +s3_client = boto3.client('s3') + +def generate_iam_model(input_data): + """Generate IAM model with validated actions for a specific AWS service""" + try: + logger.info("Starting IAM model generation with action validation") + + # Extract required input data + service_id = input_data.get('serviceId') + if not service_id: + raise ValueError("serviceId is required in input") + + # Query DynamoDB for validated actions + validated_actions = get_service_actions_from_dynamodb(service_id, SERVICE_ACTIONS_TABLE) + if not validated_actions: + raise ValueError("No validated actions found in service documentation") + + # Limit actions to prevent Bedrock timeouts (max 30 actions per request) + # MAX_ACTIONS = 30 + # if len(validated_actions) > MAX_ACTIONS: + # logger.warning(f"Too many actions ({len(validated_actions)}), limiting to {MAX_ACTIONS} to prevent timeout") + # validated_actions = validated_actions[:MAX_ACTIONS] + + logger.info(f"Processing {len(validated_actions)} validated actions for service {service_id}") + + # Create comprehensive action validation sets + valid_action_names = build_action_validation_set(validated_actions) + + logger.debug(f'valid_action_names (sample): {list(valid_action_names)[:10]}') + + valid_action_details = { + action['action_name']: { + 'description': action['description'], + 'accessLevel': action['accessLevel'] + } for action in validated_actions + } + + # Map service ID to full name + service_name = get_service_full_name(service_id) + logger.info(f"Generating validated IAM model for service: {service_name}") + + # Create enhanced prompt with validated actions + prompt = create_iam_model_prompt_with_validation( + service_name, + validated_actions + ) + + # Invoke Bedrock with validation prompt + logger.info("Calling Bedrock with validated action prompt") + + response = bedrock_client.invoke(prompt) + + if not response: + raise ValueError("Failed to generate IAM model") + + # Parse and validate the Bedrock response + iam_model_json = extract_json_from_content(response) + if not iam_model_json: + raise ValueError("Failed to extract valid JSON from Bedrock response") + + # Validate generated IAM model actions + validated_model = validate_iam_model_actions( + iam_model_json, + valid_action_names, + valid_action_details + ) + + if not validated_model: + raise ValueError("No valid actions found in generated IAM model") + + logger.info(f"Successfully validated IAM model for {service_name}") + + # Generate markdown version with validated content + markdown_content = convert_iam_model_to_markdown(validated_model) + + # Store both JSON and markdown versions + store_iam_model_outputs(service_id, validated_model, markdown_content) + + # Create business use cases prompt + business_prompt = create_bedrock_prompt(service_name, validated_actions) + + # Invoke Bedrock with business use cases prompt + logger.info("Calling Bedrock with business use cases prompt") + + business_response = bedrock_client.invoke(business_prompt) + + if not business_response: + raise ValueError("Failed to generate business use cases") + + # Parse business use cases response + business_json = extract_json_from_content(business_response) + if not business_json: + raise ValueError("Failed to extract valid JSON from business use cases response") + + logger.info(f"Successfully generated business use cases for {service_name}") + + # Store business use cases + business_markdown = convert_json_to_markdown(business_json, f"{service_name} Business Use Cases") + store_business_use_cases(service_id, business_json, business_markdown) + + return { + "statusCode": 200, + "body": { + "serviceId": service_id, + "serviceName": service_name, + "outputs": { + "json": f"{service_id}/iam-models/iam_model.json", + "markdown": f"{service_id}/iam-models/iam_model.md", + "business_use_cases": f"{service_id}/iam-models/business_use_cases.json", + "business_use_cases_md": f"{service_id}/iam-models/business_use_cases.md" + }, + "statistics": { + "total_actions": len(validated_model['actions']), + "validated_actions": len([a for a in validated_model['actions'] + if a['action_name'] in [act['action_name'] for act in validated_actions]]) + } + } + } + + except ValueError as ve: + logger.error(f"Validation error in IAM model generation: {str(ve)}") + raise ve # Re-raise to fail Step Functions execution + except Exception as e: + logger.error(f"Error generating IAM model: {str(e)}") + raise e # Re-raise to fail Step Functions execution + +def create_iam_model_prompt_with_validation(service_name, validated_actions): + """Create enhanced prompt with validated actions""" + try: + # Create a concise list of just action names to avoid token limit + action_names = [action['action_name'] for action in validated_actions] + actions_list = ", ".join(action_names) + + logger.info(f"Creating IAM model prompt for {service_name} with {len(action_names)} actions") + + return { + "prompt": f"""Generate an IAM model for AWS {service_name} using ONLY these {len(action_names)} validated actions: + +{actions_list} + +CRITICAL INSTRUCTIONS: +- Return ONLY the JSON object below +- Do NOT include markdown formatting (no ```json or ```) +- Do NOT include any explanatory text before or after +- Use \\n for line breaks in code strings +- Ensure all quotes are properly escaped + +{{ + "serviceName": "{service_name.upper()}", + "servicePrefix": "{service_name.lower()}", + "actions": [ + {{ + "action_name": "ActionName", + "description": "Grants permission to [action description]", + "accessLevel": "Read|Write|List|Tagging|Permissions Management", + "recommendedRestrictions": {{ + "scpRestricted": false, + "developerRestricted": false, + "authorizedRoles": ["Admin", "{service_name}Manager"] + }} + }} + ] +}} + +Include ALL {len(action_names)} actions from the list above. + +Return the JSON object starting with {{ and ending with }}. Nothing else.""" + } + + except Exception as e: + logger.error(f"Error creating IAM model prompt: {str(e)}") + raise e + +# temp function to be evaluated +def create_bedrock_prompt(service_name, validated_actions): + """Create intelligent prompt for Bedrock with validated actions""" + + service_display = service_name.replace('-', ' ').title() + actions_list = ", ".join([action['action_name'] for action in validated_actions]) + + return f""" +You are an AWS IAM expert. Generate comprehensive, business-ready IAM use cases for {service_display} using ONLY these validated actions: + +{actions_list} + +Generate a JSON response with this exact structure: +{{ + "purpose": "Business purpose of using {service_display} (2-3 sentences)", + "scope": "High-level implementation scope and success criteria (2-3 sentences)", + "use_cases": [ + {{ + "identity_type": "TF Service Account", + "persona": "Terraform Automation", + "activities": ["List 4-5 specific {service_display} infrastructure automation activities"], + "iam_permissions": ["List specific IAM permissions from the documentation with proper resource scoping"], + "notes": "Implementation notes and considerations" + }}, + {{ + "identity_type": "Application Service Account", + "persona": "{service_display} Application", + "activities": ["List 4-5 specific {service_display} application activities"], + "iam_permissions": ["List specific IAM permissions for application access with resource scoping"], + "notes": "Application-specific considerations" + }}, + {{ + "identity_type": "Application Service Account", + "persona": "{service_display} Power User", + "activities": ["List 4-5 advanced {service_display} power user activities"], + "iam_permissions": ["List extended IAM permissions for power users"], + "notes": "Power user considerations" + }}, + {{ + "identity_type": "Human", + "persona": "Operations Team", + "activities": ["List 4-5 operational {service_display} monitoring/troubleshooting activities"], + "iam_permissions": ["List operational IAM permissions (read-only focus)"], + "notes": "Operational considerations" + }}, + {{ + "identity_type": "Human", + "persona": "Developer", + "activities": ["List 4-5 development {service_display} activities"], + "iam_permissions": ["List development IAM permissions (limited scope)"], + "notes": "Development considerations" + }}, + {{ + "identity_type": "Human", + "persona": "{service_display} Administrator", + "activities": ["List 4-5 administrative {service_display} activities"], + "iam_permissions": ["List administrative IAM permissions"], + "notes": "Administrative considerations" + }} + ], + "constraints": [ + "List 4-6 realistic service-specific limits, quotas, and considerations from AWS documentation" + ] +}} + +CRITICAL Requirements: +1. Use ONLY the {len(validated_actions)} validated {service_display} IAM actions listed above +2. Include proper resource ARN patterns where applicable (e.g., arn:aws:{service_name}:region:account:resource/*) +3. Base all activities on actual {service_display} capabilities from the action list +4. Include realistic business use cases that organizations actually implement +5. Provide specific, actionable IAM permissions with proper resource-level scoping +6. Return ONLY valid JSON, no additional text or explanations +7. Use the exact IAM action names from the validated actions list +""" + +def validate_iam_model_actions(model, valid_action_names, valid_action_details): + """Validate IAM model actions against documented AWS actions""" + try: + + if not isinstance(model, dict) or 'actions' not in model: + logger.error("Invalid IAM model structure") + return None + + validated_actions = [] + + for action in model['actions']: + action_name = action.get('action_name') + + # Only validate against action_name (without prefix) to avoid duplicates + if action_name not in valid_action_details: + logger.warning(f"Skipping invalid action: {action_name}") + continue + + # Validate action details + valid_details = valid_action_details[action_name] + + # Ensure description and access level match documented values + action['description'] = valid_details['description'] + action['accessLevel'] = valid_details['accessLevel'] + + # Add validated action + validated_actions.append(action) + + if not validated_actions: + logger.error("No valid actions found after validation") + return None + + # Create validated model + validated_model = { + "serviceName": model['serviceName'], + "servicePrefix": model['servicePrefix'], + "actions": validated_actions + } + + logger.info(f"Successfully validated {len(validated_actions)} actions") + return validated_model + + except Exception as e: + logger.error(f"Error validating IAM model actions: {str(e)}") + return None + +def get_service_full_name(service_id): + """Map service ID to full name""" + service_names = { + 'sqs': 'Amazon Simple Queue Service', + 's3': 'Amazon Simple Storage Service', + 'ec2': 'Amazon Elastic Compute Cloud', + 'rds': 'Amazon Relational Database Service', + 'lambda': 'AWS Lambda', + 'dynamodb': 'Amazon DynamoDB' + } + return service_names.get(service_id, service_id.upper()) + +def convert_iam_model_to_markdown(iam_model_json): + """Convert IAM model JSON to markdown format""" + try: + service_name = iam_model_json.get('serviceName', 'Unknown Service') + md = f"# IAM Model: {service_name}\n\n" + + # Service Overview + md += "## Service Overview\n\n" + md += f"**Service Name:** {service_name}\n" + md += f"**Service Prefix:** {iam_model_json.get('servicePrefix', 'N/A')}\n\n" + + # Actions + if 'actions' in iam_model_json: + md += "## IAM Actions\n\n" + + # Group actions by access level + actions_by_level = {} + for action in iam_model_json['actions']: + level = action.get('accessLevel', 'Unknown') + if level not in actions_by_level: + actions_by_level[level] = [] + actions_by_level[level].append(action) + + for level, actions in actions_by_level.items(): + md += f"### {level} Actions\n\n" + for action in actions: + md += f"#### {action.get('action_name', 'Unknown Action')}\n\n" + md += f"**Description:** {action.get('description', 'N/A')}\n\n" + + if 'recommendedRestrictions' in action: + restrictions = action['recommendedRestrictions'] + md += "**Recommended Restrictions:**\n" + md += f"- SCP Restricted: {restrictions.get('scpRestricted', 'N/A')}\n" + md += f"- Developer Restricted: {restrictions.get('developerRestricted', 'N/A')}\n" + if 'authorizedRoles' in restrictions: + md += f"- Authorized Roles: {', '.join(restrictions['authorizedRoles'])}\n" + md += "\n" + + return md + + except Exception as e: + logger.error(f"Error converting IAM model to markdown: {str(e)}") + return f"# Error generating markdown\n\nError: {str(e)}\n" + +def store_iam_model_outputs(service_id, iam_model_json, markdown_content): + """Store both JSON and markdown outputs of IAM model in S3""" + try: + # Store JSON version + s3_client.put_object( + Bucket=OUTPUT_BUCKET, + Key=f"{service_id}/iam-models/iam_model.json", + Body=json.dumps(iam_model_json, indent=2), + ContentType='application/json' + ) + + # Store markdown version + s3_client.put_object( + Bucket=OUTPUT_BUCKET, + Key=f"{service_id}/iam-models/iam_model.md", + Body=markdown_content, + ContentType='text/markdown' + ) + + logger.info(f"Stored IAM model outputs for service: {service_id}") + + except Exception as e: + logger.error(f"Error storing IAM model outputs: {str(e)}") + raise + +def store_business_use_cases(service_id, business_json, business_markdown): + """Store business use cases JSON and markdown in S3""" + try: + # Store JSON + s3_client.put_object( + Bucket=OUTPUT_BUCKET, + Key=f"{service_id}/iam-models/business_use_cases.json", + Body=json.dumps(business_json, indent=2), + ContentType='application/json' + ) + + # Store markdown + s3_client.put_object( + Bucket=OUTPUT_BUCKET, + Key=f"{service_id}/iam-models/business_use_cases.md", + Body=business_markdown, + ContentType='text/markdown' + ) + + logger.info(f"Stored business use cases for service: {service_id}") + + except Exception as e: + logger.error(f"Error storing business use cases: {str(e)}") + raise + +def lambda_handler(event, context): + """Lambda handler for generating IAM models""" + try: + logger.info("Starting GenerateIAMModel Lambda") + + result = generate_iam_model(event) + + logger.info("Successfully completed IAM model generation") + return result + + except Exception as e: + logger.error(f"Error in GenerateIAMModel: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateIaCTemplate/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateIaCTemplate/lambda_function.py new file mode 100644 index 00000000..ab2fb0d7 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateIaCTemplate/lambda_function.py @@ -0,0 +1,334 @@ +""" +GenerateIaCTemplate Lambda Function +Generates Infrastructure as Code templates based on security controls +""" +import json +import boto3 +import os +import logging +import re +import yaml +from datetime import datetime +from bedrock_client import get_bedrock_client +from dynamodb_operations import ( + get_service_parameters_from_dynamodb, + get_configurations_from_dynamodb +) +from s3_operations import store_output_in_s3 +from validation import validate_input + +# Set up logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +# Environment variables +CONTROL_LIBRARY_TABLE = os.environ['DYNAMODB_TABLE_CONTROL_LIBRARY'] +SERVICE_PARAMETERS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_PARAMETERS', 'gensec-AWSServiceParameters') + +# Initialize Bedrock client +bedrock_client = get_bedrock_client('claude-4') + +def generate_iac_template(input_data): + """Generate IaC templates with parameter validation""" + try: + # Validate input + if not validate_input(input_data): + raise ValueError("Invalid input data") + + # Extract service documentation + service_documentation = input_data.get('serviceDocumentation', {}) + if not isinstance(service_documentation, dict): + raise ValueError("Invalid service documentation format") + + # Get service_id for DynamoDB queries + service_id = input_data.get('serviceId') + if not service_id: + raise ValueError("serviceId is required") + + # Query DynamoDB for validated parameters + validated_parameters = get_service_parameters_from_dynamodb(service_id, SERVICE_PARAMETERS_TABLE) + + if not validated_parameters: + logger.warning("No valid parameters found in service documentation") + + # Get configurations + configurations = get_configurations_from_dynamodb( + input_data.get('requestId'), + input_data.get('serviceId'), + CONTROL_LIBRARY_TABLE + ) + + if not configurations: + raise ValueError("No configurations found in DynamoDB") + + generated_templates = [] + + for service_name, configs in configurations.items(): + logger.info(f"Generating IAC Template for service name ({service_name}, configs ({configs}))") + # Create enhanced prompt with parameter validation + prompt = create_iac_prompt_with_validation( + service_name, + configs, + validated_parameters + ) + + # Generate templates + response = bedrock_client.invoke(prompt) + if not response: + logger.warning(f"No response from Bedrock for service: {service_name}") + continue + + # Extract and validate templates + templates = extract_template_content(response) + if not templates: + logger.warning(f"No valid templates extracted for service: {service_name}") + continue + + # Process templates for both string and dictionary formats + logger.info(f"Processing templates - type: {type(templates)}") + + for template_type in ['terraform', 'cloudformation']: + template_code = None + template_data = None + + logger.info(f"Processing template_type: {template_type}") + + if isinstance(templates, dict) and template_type in templates: + logger.info(f"Found {template_type} in templates dict") + template_obj = templates[template_type] + + if isinstance(template_obj, dict) and 'code' in template_obj: + logger.info(f"Found {template_type} with code structure") + template_code = template_obj['code'] + template_data = template_obj + else: + logger.info(f"Using {template_type} object directly as code") + template_code = template_obj + template_data = template_obj + else: + logger.info(f"No {template_type} found in templates") + + logger.info(f"template code ({template_code}), template data ({template_data})") + + # Validate and store if template found + if template_code and template_data: + is_valid, invalid_params = validate_iac_parameters( + template_code, + validated_parameters, + service_name + ) + + if is_valid: + try: + output_key = store_output_in_s3( + f'{service_id}/iac-templates/{template_type}', + template_data, + os.environ['S3_OUTPUT_BUCKET'] + ) + + generated_templates.append({ + "type": template_type.capitalize(), + "service": service_name, + "location": output_key + }) + except Exception as s3_error: + logger.error(f"Failed to store {template_type} template in S3: {str(s3_error)}") + raise Exception(f"S3 storage failed for {template_type} template: {str(s3_error)}") + else: + logger.error(f"Invalid parameters in {template_type} template for {service_name}: {invalid_params}") + raise Exception(f"Template validation failed for {template_type}: Invalid parameters {invalid_params}") + else: + logger.error(f"Failed to extract {template_type} template for {service_name}") + + if not generated_templates: + raise Exception("No valid templates were generated - all templates failed validation or extraction") + + return { + 'statusCode': 200, + 'message': f"Generated {len(generated_templates)} validated templates", + 'templates': generated_templates + } + + except ValueError as ve: + logger.error(f"Validation error: {str(ve)}") + raise ve # Re-raise to fail Step Functions execution + except Exception as e: + logger.error(f"Error generating IaC templates: {str(e)}") + raise e # Re-raise to fail Step Functions execution + +def create_iac_prompt_with_validation(service_name, configurations, validated_parameters): + """Create IaC prompt with parameter validation""" + try: + # Format valid parameters for prompt + valid_params_text = "\n".join([ + f"- {param['parameter_name']}: {param['description']} (Type: {param['type']})" + for param in validated_parameters + ]) + + prompt = f"""Generate Infrastructure as Code templates for {service_name}. + Use ONLY these validated parameters: + {valid_params_text} + + Service: {service_name} + Configurations: {json.dumps(configurations, indent=2)} + + CRITICAL INSTRUCTIONS: + - Return ONLY the JSON object below + - Do NOT include markdown formatting (no ```json or ```) + - Do NOT include any explanatory text before or after + - Use \\n for line breaks in code strings + - Ensure all quotes are properly escaped + + Important: + 1. Use ONLY the validated parameters listed above + 2. Do NOT include any parameters not in the list + 3. Ensure all parameter types match the documented types + 4. Include proper error handling for parameters + + {{ + "terraform": {{ + "filename": "template.tf", + "code": "Complete Terraform template" + }}, + "cloudformation": {{ + "filename": "template.yaml", + "code": "Complete CloudFormation template" + }} + }} + + Return the JSON object starting with {{ and ending with }}. Nothing else.""" + # 5. Provide ONLY the requested content. Do NOT include any introductory text like "Here are the..." or trailing summaries. Start directly with the content. + return {"prompt": prompt} + + except Exception as e: + logger.error(f"Error creating IaC prompt: {str(e)}") + raise e + +def extract_template_content(response_body): + """ + Enhanced response content extraction with multiple strategies + """ + try: + logger.info("Attempting to extract template content") + logger.debug(f'response_body type: {type(response_body)}') + + # If response_body is a string, try to parse as JSON + if isinstance(response_body, str): + logger.info("Response is string, attempting JSON parse") + logger.info(f"First 500 chars of response: {response_body[:500]}") + try: + parsed_json = json.loads(response_body) + logger.info(f'parsed json: {parsed_json}') + if isinstance(parsed_json, dict) and all(k in parsed_json for k in ['terraform', 'cloudformation']): + logger.info("Successfully parsed JSON templates from string") + return parsed_json + except json.JSONDecodeError as e: + logger.warning(f"Failed to parse JSON from string: {e}") + logger.warning(f"Error at position {e.pos}: '{response_body[max(0, e.pos-10):e.pos+10]}'") + # Fix by using eval() on the malformed JSON (treats it as Python dict literal) + try: + # Replace the malformed JSON structure with proper Python dict syntax + fixed_response = response_body.replace('": "', '": """').replace('"\n }', '"""\n }').replace('"\n}', '"""\n}') + parsed_dict = eval(fixed_response) + if isinstance(parsed_dict, dict) and all(k in parsed_dict for k in ['terraform', 'cloudformation']): + logger.info("Successfully parsed using eval with triple quotes") + return parsed_dict + except Exception as e2: + logger.warning(f"Failed to parse with eval: {e2}") + return None + + # If response_body is dict, check for Bedrock response format + elif isinstance(response_body, dict): + # Check for content[0].text format (Bedrock response) + if 'content' in response_body: + content = response_body['content'] + if isinstance(content, list) and len(content) > 0: + first_content = content[0] + if isinstance(first_content, dict) and 'text' in first_content: + text_content = first_content['text'] + logger.info(f"Found text content, parsing as JSON (length: {len(text_content)})") + try: + parsed_json = json.loads(text_content) + if isinstance(parsed_json, dict) and all(k in parsed_json for k in ['terraform', 'cloudformation']): + logger.info("Successfully parsed JSON templates from Bedrock response") + return parsed_json + except json.JSONDecodeError as e: + logger.warning(f"Failed to parse JSON from text content: {e}") + + # Check if it's already a template dict + elif all(k in response_body for k in ['terraform', 'cloudformation']): + logger.info("Response is already template dict") + return response_body + + logger.warning("No valid templates found in response") + return None + + except Exception as e: + logger.error(f"Error extracting template content: {str(e)}") + return None + +def validate_iac_parameters(template_content, valid_parameters, service_name): + """Validate IaC template parameters against AWS service documentation""" + try: + logger.info(f"Validating IaC parameters for {service_name}") + + # Create set of valid parameter names for quick lookup + valid_param_set = {param['parameter_name'] for param in valid_parameters} + + # Extract parameters from template + if isinstance(template_content, str): + # For Terraform + if '.tf' in template_content: + params = re.findall(r'variable\s+"([^"]+)"', template_content) + # For Terraform, normalize both sets by removing underscores and converting to lowercase + normalized_valid_params = {p.replace('_', '').lower() for p in valid_param_set} + invalid_params = [p for p in params if p.replace('_', '').lower() not in normalized_valid_params] + # For CloudFormation + else: + try: + template_dict = yaml.safe_load(template_content) + params = list(template_dict.get('Parameters', {}).keys()) + # For CloudFormation, use exact matching + invalid_params = [p for p in params if p not in valid_param_set] + except: + params = [] + invalid_params = [] + else: + params = [] + invalid_params = [] + + # Check parameters + if invalid_params: + logger.warning(f"Invalid parameters found in template: {invalid_params}") + return False, invalid_params + + return True, [] + + except Exception as e: + logger.error(f"Error validating IaC parameters: {str(e)}") + return False, [] + +def validate_input(input_data): + """Validate the input parameters""" + try: + if not input_data or not isinstance(input_data, dict): + return False + required_fields = ['requestId', 'serviceId'] + return all(input_data.get(field) for field in required_fields) + except Exception as e: + logger.error(f"Error validating input: {str(e)}") + return False + +def lambda_handler(event, context): + """Lambda handler for generating IaC templates""" + try: + logger.info("Starting GenerateIaCTemplate Lambda") + + result = generate_iac_template(event) + + logger.info("Successfully completed IaC template generation") + return result + + except Exception as e: + logger.error(f"Error in GenerateIaCTemplate: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateSecurityControls/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateSecurityControls/lambda_function.py new file mode 100644 index 00000000..a246f00a --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateSecurityControls/lambda_function.py @@ -0,0 +1,720 @@ +""" +GenerateSecurityControls Lambda Function +Generates security controls based on analyzed requirements +""" +import json +import boto3 +import os +import logging +import time +import concurrent.futures +import random +import re +from datetime import datetime +from functools import wraps +from typing import List, Dict +from botocore.exceptions import ClientError +from bedrock_client import get_bedrock_client +from dynamodb_operations import ( + get_service_actions_from_dynamodb, + get_service_parameters_from_dynamodb, + get_configurations_from_dynamodb +) +from s3_operations import store_control_file +from validation import build_action_validation_set +from json_processing import clean_and_extract_json + +# Set up logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +# Environment variables +CONTROL_LIBRARY_TABLE = os.environ['DYNAMODB_TABLE_CONTROL_LIBRARY'] +SERVICE_ACTIONS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_ACTIONS', 'gensec-AWSServiceActions') +SERVICE_PARAMETERS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_PARAMETERS', 'gensec-AWSServiceParameters') + +# Initialize Bedrock client +bedrock_client = get_bedrock_client('claude-4') + +# Constants for Bedrock configuration +BEDROCK_MAX_RETRIES = 5 +BEDROCK_INITIAL_DELAY = 2 +BEDROCK_MAX_DELAY = 32 + +# Initialize S3 client +s3_client = boto3.client('s3') + +def generate_security_controls(input_data): + """ + Generate security controls with parallel processing, enhanced error handling, and resource management. + """ + try: + # Validate input + request_id = input_data.get('requestId') + service_id = input_data.get('serviceId') + service_documentation = input_data.get('serviceDocumentation', {}) + + if not request_id or not service_id: + raise ValueError("Missing required input parameters: requestId or serviceId") + + # Query DynamoDB for service actions and parameters + validated_actions = get_service_actions_from_dynamodb(service_id, SERVICE_ACTIONS_TABLE) + validated_parameters = get_service_parameters_from_dynamodb(service_id, SERVICE_PARAMETERS_TABLE) + + # Create comprehensive action validation sets + valid_action_names = build_action_validation_set(validated_actions) + valid_parameter_names = {param['parameter_name'] for param in validated_parameters} + + logger.info(f"Found {len(valid_action_names)} valid actions and {len(valid_parameter_names)} valid parameters") + + configurations = get_configurations_from_dynamodb(request_id, service_id, CONTROL_LIBRARY_TABLE) + + # Convert configurations to list if it's a dict + if isinstance(configurations, dict): + # Flatten the dict of lists into a single list + flat_configs = [] + for service_configs in configurations.values(): + if isinstance(service_configs, list): + flat_configs.extend(service_configs) + configurations = flat_configs + + if not configurations: + raise ValueError("No configurations found in DynamoDB") + + logger.info(f"Processing {len(configurations)} configurations") + + # Validate configuration structure + if not isinstance(configurations, list): + raise ValueError(f"Invalid configurations type: {type(configurations)}") + + if not all(isinstance(config, dict) for config in configurations): + raise ValueError("Invalid configuration structure received from DynamoDB") + + generated_files = [] + start_time = time.time() + max_execution_time = 240 # 4 minutes + time_buffer = 60 # 1 minute buffer + + processing_stats = { + 'total_configs': len(configurations), + 'processed': 0, + 'successful': 0, + 'failed': 0, + 'skipped': 0 + } + + for index, config in enumerate(configurations): + logger.debug(f"Processing configuration {index + 1}/{len(configurations)}") + logger.debug(f"Configuration type: {type(config)}") + logger.debug(f"Configuration content: {json.dumps(config)}") + + # Check remaining time with more precision + current_time = time.time() + elapsed_time = current_time - start_time + remaining_time = max_execution_time - elapsed_time + + if remaining_time < time_buffer: + logger.warning( + f"Approaching Lambda timeout after {elapsed_time:.2f}s. " + f"Processed {processing_stats['processed']} configurations. " + f"Successful: {processing_stats['successful']}, " + f"Failed: {processing_stats['failed']}" + ) + break + + try: + # Validate configuration + if not isinstance(config, dict): + logger.warning(f"Invalid configuration type at index {index}: {type(config)}") + processing_stats['failed'] += 1 + processing_stats['skipped'] += 1 + continue + + config_id = config.get('configuration_id') + if not config_id: + logger.warning(f"Missing configuration_id at index {index}") + processing_stats['failed'] += 1 + processing_stats['skipped'] += 1 + continue + + logger.info(f"Processing configuration {index + 1}/{len(configurations)}: {config_id}") + + # Validate configuration parameters against known valid parameters + # Skip validation if service has no CloudFormation parameters + settings = config.get('recommended_configuration', {}).get('settings', {}) + if valid_parameter_names: # Only validate if service has parameters + invalid_params = [param for param in settings.keys() + if param not in valid_parameter_names] + + if invalid_params: + logger.warning(f"Configuration {config_id} uses invalid parameters: {invalid_params}") + processing_stats['skipped'] += 1 + continue + else: + logger.warning(f"Service has no CloudFormation parameters - skipping parameter validation for {config_id}") + + # Create prompt using existing function + try: + prompt = create_controls_prompt(config, validated_actions, validated_parameters) + except Exception as e: + logger.error(f"Error creating controls prompt for {config_id}: {str(e)}") + logger.error(f"Config causing error: {json.dumps(config)}") + processing_stats['failed'] += 1 + continue + + # Invoke Bedrock with retry logic and enhanced error handling + try: + response = bedrock_client.invoke( + prompt, + max_retries=BEDROCK_MAX_RETRIES, + initial_delay=BEDROCK_INITIAL_DELAY + ) + logger.debug(f'*** bedrock response: {str(response)} ***') + except ClientError as ce: + if ce.response['Error']['Code'] == 'ThrottlingException': + logger.warning(f"Bedrock throttling for configuration {config_id}, skipping...") + processing_stats['failed'] += 1 + processing_stats['skipped'] += 1 + continue + raise + except Exception as e: + logger.error(f"Error invoking Bedrock for {config_id}: {str(e)}") + processing_stats['failed'] += 1 + continue + + # Parse the response using existing function + controls = parse_controls_response(response) + + if not controls: + logger.warning(f"No controls generated for configuration: {config_id}") + processing_stats['failed'] += 1 + continue + + # Validate generated controls + controls = validate_generated_controls( + controls, + valid_parameter_names, + valid_action_names, + config + ) + + if not controls: + logger.warning(f"No valid controls generated for configuration: {config_id}") + processing_stats['failed'] += 1 + continue + + logger.info(f"Generated controls for {config_id}, proceeding with parallel file storage") + + # Track files generated for this configuration + config_files = [] + + # Process controls in parallel using threads with enhanced resource management + with concurrent.futures.ThreadPoolExecutor(max_workers=3) as executor: + futures = [] + try: + # Define control types to process + control_types = { + 'detective_controls': 'detective_controls', + 'preventive_controls': 'preventive_controls', + 'proactive_controls': 'proactive_controls' + } + + # Submit all control types for processing + for control_type, path in control_types.items(): + if control_type in controls: + file_key = f"{service_id}/{path}/{config_id}/{controls[control_type]['filename']}" + logger.info(f"Submitting {control_type} file: {file_key}") + futures.append(executor.submit( + store_control_file, + file_key, + controls[control_type]['code'], + os.environ['S3_OUTPUT_BUCKET'] + )) + + # Wait for all files to be stored with timeout + for future in concurrent.futures.as_completed(futures, timeout=30): + try: + result = future.result() + if result: + generated_files.append(result) + config_files.append(result) + logger.info(f"Successfully stored file: {result}") + except Exception as e: + logger.error(f"Error in file storage thread: {str(e)}") + processing_stats['failed'] += 1 + except concurrent.futures.TimeoutError: + logger.error(f"Timeout waiting for file storage threads for configuration {config_id}") + # Cancel any remaining futures + for future in futures: + future.cancel() + processing_stats['failed'] += 1 + finally: + # Ensure all threads are cleaned up + executor.shutdown(wait=False) + + if config_files: + processing_stats['successful'] += 1 + else: + processing_stats['failed'] += 1 + + logger.info( + f"Completed processing configuration: {config_id} - " + f"Generated {len(config_files)} files " + f"(Elapsed time: {time.time() - start_time:.2f}s)" + ) + processing_stats['processed'] += 1 + + # Add small delay between configurations to avoid rate limiting + time.sleep(0.5) + + except Exception as e: + logger.error(f"Error processing configuration {config.get('configuration_id', 'UNKNOWN')}: {str(e)}") + processing_stats['failed'] += 1 + continue + + if not generated_files: + raise ValueError("No control files were generated") + + execution_time = time.time() - start_time + logger.info( + f"Processing completed in {execution_time:.2f}s: " + f"{json.dumps(processing_stats)}" + ) + + return { + 'statusCode': 200, + 'message': f"Generated {len(generated_files)} control files", + 'files': generated_files, + 'statistics': processing_stats, + 'processingTime': execution_time + } + + except ValueError as ve: + logger.error(f"Validation error: {str(ve)}") + raise ve # Re-raise to fail Step Functions execution + except ClientError as ce: + logger.error(f"AWS service error: {str(ce)}") + raise ce # Re-raise to fail Step Functions execution + except Exception as e: + logger.error(f"Error generating security controls: {str(e)}") + raise e # Re-raise to fail Step Functions execution + +def get_service_config_rules(service_name: str) -> List[Dict]: + """Get AWS Config managed rules for a specific service from DynamoDB""" + try: + from dynamodb_operations import query_dynamodb_by_gsi + + # Query by service name using GSI + service_rules = query_dynamodb_by_gsi( + table_name='gensec-AWSConfigManagedRules', + index_name='ServiceNameIndex', + key_name='service_name', + key_value=service_name.lower() + ) + + logger.info(f"Found {len(service_rules)} managed rules for service {service_name}") + return service_rules + + except Exception as e: + logger.error(f"Error querying Config rules for service {service_name}: {str(e)}") + return [] + +def create_controls_prompt(config, validated_actions, validated_parameters): + """Create prompt for security controls with validated data""" + try: + logger.debug(f"Creating prompt for config: {json.dumps(config)}") + + config_id = config.get('configuration_id') + service_name = config.get('service_name') + recommended_configuration = config.get('recommended_configuration', {}) + + if not config_id or not service_name: + raise ValueError("Missing required fields: configuration_id or service_name") + + # Parse recommended_configuration if needed + if isinstance(recommended_configuration, str): + try: + recommended_configuration = json.loads(recommended_configuration) + except json.JSONDecodeError: + logger.warning(f"Failed to parse recommended_configuration for {config_id}") + recommended_configuration = {} + + # Get available Config managed rules for this service + config_rules = get_service_config_rules(service_name) + + # Format validated parameters for prompt + valid_params_text = "\n".join([ + f"- {param['parameter_name']}: {param['description']} (Type: {param['type']})" + for param in validated_parameters + ]) + + # Format validated actions for prompt + valid_actions_text = "\n".join([ + f"- {action['action_name']}: {action['description']} (Level: {action['accessLevel']})" + for action in validated_actions + ]) + + # Format available Config rules for prompt + config_rules_text = "" + if config_rules: + config_rules_text = "\n".join([ + f"- {rule['rule_name']}: {rule.get('description', 'No description available')}" + for rule in config_rules + ]) + else: + config_rules_text = "No managed Config rules available for this service" + logger.warning(f"No Config managed rules found for {service_name}") + + prompt = f""" + As an AWS Security Engineer, generate specific code implementations for detective, preventive, and proactive controls based on this exact configuration. + Use ONLY the validated parameters and actions listed below. + + Configuration ID: {config_id} + Service: {service_name} + Recommended Configuration: + {json.dumps(recommended_configuration, indent=2)} + + VALID PARAMETERS - USE ONLY THESE: + {valid_params_text} + + VALID ACTIONS - USE ONLY THESE: + {valid_actions_text} + + AVAILABLE AWS CONFIG MANAGED RULES FOR {service_name.upper()}: + {config_rules_text} + + CRITICAL INSTRUCTIONS: + - Return ONLY the JSON object below + - Do NOT include markdown formatting (no ```json or ```) + - Do NOT include any explanatory text before or after + - Use \\n for line breaks in code strings + - Ensure all quotes are properly escaped + + Generate THREE separate code files (one for each control type) that specifically implement this configuration: + + 1. Detective Controls - AWS Config Rules: + FIRST, check if any of the available managed rules above can validate this configuration. + If a suitable managed rule exists, use it: + ```python + def create_config_rule_{config_id}(): + # Use the appropriate managed rule from the list above + return {{ + "ConfigRuleName": "{config_id}-config-rule", + "Source": {{ + "Owner": "AWS", + "SourceIdentifier": "MANAGED_RULE_NAME_FROM_LIST_ABOVE" + }}, + "Scope": {{ + "ComplianceResourceTypes": ["{service_name}"] + }}, + "InputParameters": {{ + # Parameters must match recommended_configuration values + }} + }} + ``` + + ONLY create a custom rule if NO managed rule from the list above can validate this configuration: + ```python + def evaluate_compliance_{config_id}(configuration_item, rule_parameters): + # Evaluation logic must check recommended_configuration values + if not matches_recommended_config(configuration_item): + return "NON_COMPLIANT" + return "COMPLIANT" + ``` + + 2. Preventive Controls - Service Control Policies (ONLY if configuration is critical or very high): + ```json + {{ + "Version": "2012-10-17", + "Statement": [ + {{ + "Sid": "{config_id}_preventive", + "Effect": "Deny", + "Action": [ + # Actions that would violate this specific configuration + ], + "Resource": [ + # Resources specified in the configuration + ], + "Condition": {{ + # Conditions must match recommended_configuration values + }} + }} + ] + }} + ``` + + 3. Proactive Controls - Hashicorp Sentinel Policies: + Generate well-commented HCL code with clear explanations for each section. + Include comments explaining the policy purpose, imports, parameters, filters, rules, and main enforcement. + Follow the example below: + ```hcl + # Policy to enforce {config_id} requirements + # Ensures {service_name} meets security configuration standards + + # Import the tfplan/v2 module + import "tfplan/v2" as tfplan + + # Define required parameters based on the configuration + param required_values default = {json.dumps(recommended_configuration.get('settings', {}))} + + # Get all {service_name} resources from the plan + {service_name.lower().replace(' ', '_')}_resources = filter tfplan.resource_changes as _, rc {{ + rc.type is "aws_{service_name.lower().replace(' ', '_')}" and + (rc.change.actions contains "create" or rc.change.actions is ["update"]) + }} + + # Rule to validate specific configuration settings + {service_name.lower().replace(' ', '_')}_config_check = rule {{ + all {service_name.lower().replace(' ', '_')}_resources as _, resource {{ + # Add specific validation checks here based on recommended_configuration + resource.change.after.[settings] is required_values.[settings] + }} + }} + + # Main rule that enforces all checks + main = rule {{ + {service_name.lower().replace(' ', '_')}_config_check + }} + ``` + + {{ + "detective_controls": {{ + "configuration_id": "{config_id}", + "filename": "{config_id}_config_rule.py", + "code": "Complete Python code for the Config rule", + "control_id": "DET-{service_name[:3].upper()}-{datetime.now().strftime('%Y')}-{config_id[-3:]}", + "description": "What this control checks", + "implementation_guide": "Step by step instructions" + }}, + "preventive_controls": {{ + "configuration_id": "{config_id}", + "filename": "{config_id}_scp.json", + "code": "Complete SCP JSON policy", + "control_id": "PRE-{service_name[:3].upper()}-{datetime.now().strftime('%Y')}-{config_id[-3:]}", + "description": "What this control checks", + "implementation_guide": "Step by step instructions" + }}, + "proactive_controls": {{ + "configuration_id": "{config_id}", + "filename": "{config_id}_sentinel.hcl", + "code": "Complete Sentinel policy code following the exact format provided (number 3 above)", + "control_id": "PRO-{service_name[:3].upper()}-{datetime.now().strftime('%Y')}-{config_id[-3:]}", + "description": "What this control checks", + "implementation_guide": "Step by step instructions" + }} + }} + + Important Guidelines: + - Generate controls that SPECIFICALLY validate this configuration + - Use EXACT values from the recommended_configuration + - Create rules that check SPECIFIC settings + - Ensure controls are DIRECTLY related to this configuration + - For Sentinel policies: + * Use tfplan/v2 import + * Include proper resource filtering + * Define parameters for configuration values + * Use specific resource types (aws_rds_instance, aws_s3_bucket, etc.) + * Add descriptive comments + * Follow the exact format provided + - Do NOT create generic controls + - Do NOT use placeholder values + + Return the JSON object starting with {{ and ending with }}. Nothing else. + """ + + logger.debug(f"Generated prompt for configuration {config_id}") + return {"prompt": prompt} + + except Exception as e: + logger.error(f"Error creating controls prompt: {str(e)}") + logger.error(f"Problematic config: {json.dumps(config)}") + raise + +def parse_controls_response(response): + """ + Parse and validate the response for security controls with enhanced Sentinel policy validation. + """ + try: + # Handle string JSON responses (from Claude) + if isinstance(response, str): + try: + response = json.loads(response) + logger.info("Successfully parsed string JSON response") + except json.JSONDecodeError as e: + logger.error(f"Failed to parse JSON string: {str(e)}") + logger.error(f"Response content: {response[:500]}...") + raise ValueError("Invalid JSON string response") + + # Validate basic structure + required_control_types = ['detective_controls', 'preventive_controls', 'proactive_controls'] + logger.debug(f"*** required_control_types {str(required_control_types)}") + for control_type in required_control_types: + if control_type not in response: + logger.error(f"Missing required control type: {control_type}") + raise ValueError(f"Missing {control_type} in response") + + # Validate and enhance Sentinel policy + if 'proactive_controls' in response: + sentinel_policy = response['proactive_controls'].get('code', '') + logger.debug(f"*** sentinel_policy {str(sentinel_policy)}") + if not validate_sentinel_policy(sentinel_policy): + logger.warning("Invalid Sentinel policy format, attempting to fix...") + fixed_policy = fix_sentinel_policy(sentinel_policy, response['proactive_controls'].get('configuration_id', '')) + response['proactive_controls']['code'] = fixed_policy + + return response + + except Exception as e: + logger.error(f"Error parsing controls response: {str(e)}") + raise + +def fix_sentinel_policy(policy_code, configuration_id): + """ + Attempt to fix common issues in Sentinel policies. + """ + try: + # Extract the resource type from the policy + resource_type_match = re.search(r'aws_\w+', policy_code) + resource_type = resource_type_match.group(0) if resource_type_match else "aws_resource" + + # Create a fixed policy with proper structure + fixed_policy = f"""# Policy to enforce {configuration_id} requirements + # Ensures {resource_type} meets security configuration standards + + # Import the tfplan/v2 module + import "tfplan/v2" as tfplan + + # Define required parameters + param required_values default = {{}} + + # Get all {resource_type} resources from the plan + {resource_type}_resources = filter tfplan.resource_changes as _, rc {{ + rc.type is "{resource_type}" and + (rc.change.actions contains "create" or rc.change.actions is ["update"]) + }} + + # Rule to validate specific configuration settings + {resource_type}_config_check = rule {{ + all {resource_type}_resources as _, resource {{ + # Configuration validation + resource.change.after.settings is required_values.settings + }} + }} + + # Main rule that enforces all checks + main = rule {{ + {resource_type}_config_check + }}""" + return fixed_policy + + except Exception as e: + logger.error(f"Error fixing Sentinel policy: {str(e)}") + return policy_code + +def validate_sentinel_policy(policy_code): + """ + Validate the Sentinel policy structure and content. + """ + try: + required_elements = [ + 'import "tfplan/v2"', + 'param', + 'filter tfplan.resource_changes', + 'rule {', + 'main = rule' + ] + + # Check for required elements + missing_elements = [elem for elem in required_elements if elem not in policy_code] + if missing_elements: + logger.warning(f"Sentinel policy missing required elements: {missing_elements}") + return False + + # Validate basic structure + if not policy_code.strip().startswith('#'): + logger.warning("Sentinel policy should start with comments") + return False + + # Check for proper resource filtering + if 'rc.change.actions' not in policy_code: + logger.warning("Sentinel policy missing proper resource change filtering") + return False + + return True + + except Exception as e: + logger.error(f"Error validating Sentinel policy: {str(e)}") + return False + +def validate_generated_controls(controls, valid_parameter_names, valid_action_names, original_config): + """Validate generated controls against valid parameters and actions""" + try: + if not isinstance(controls, dict): + logger.error("Invalid controls format") + return None + + for control_type, control in controls.items(): + if control_type == 'detective_controls': + if not validate_control_parameters(control.get('code', ''), + valid_parameter_names, + original_config): + logger.warning(f"Invalid parameters in detective control") + + elif control_type == 'preventive_controls': + if not validate_control_actions(control.get('code', ''), + valid_action_names): + logger.warning(f"Invalid actions in preventive control") + + elif control_type == 'proactive_controls': + if not validate_control_parameters(control.get('code', ''), + valid_parameter_names, + original_config): + logger.warning(f"Invalid parameters in proactive control") + + return controls + + except Exception as e: + logger.error(f"Error validating controls: {str(e)}") + return None + +def validate_control_parameters(control_code, valid_parameters, config): + """Validate control code only uses valid parameters""" + try: + # Basic validation - check if control code contains valid parameter names + for param_name in valid_parameters: + if param_name in control_code: + return True + return True # Allow controls even if no specific parameters found + + except Exception as e: + logger.error(f"Error validating control parameters: {str(e)}") + return True + +def validate_control_actions(control_code, valid_actions): + """Validate control code only uses valid actions""" + try: + # Basic validation - check if control code contains valid action names + for action_name in valid_actions: + if action_name in control_code: + return True + return True # Allow controls even if no specific actions found + + except Exception as e: + logger.error(f"Error validating control actions: {str(e)}") + return True + +def lambda_handler(event, context): + """Lambda handler for generating security controls""" + try: + logger.info("Starting GenerateSecurityControls Lambda") + + # Generate controls + result = generate_security_controls(event) + + logger.info("Successfully completed security controls generation") + return result + + except Exception as e: + logger.error(f"Error in GenerateSecurityControls: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateServiceProfile/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateServiceProfile/lambda_function.py new file mode 100644 index 00000000..1c8a9798 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/GenerateServiceProfile/lambda_function.py @@ -0,0 +1,356 @@ +""" +GenerateServiceProfile Lambda Function +Generates service profiles using validated AWS service documentation +""" +import json +import boto3 +import os +import logging +from datetime import datetime +from bedrock_client import get_bedrock_client +from dynamodb_operations import ( + get_service_actions_from_dynamodb, + get_service_parameters_from_dynamodb +) +from s3_operations import store_output_in_s3 +from validation import validate_input +from json_processing import extract_json_from_content, convert_json_to_markdown + +# Set up logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +# Environment variables +SERVICE_ACTIONS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_ACTIONS', 'gensec-AWSServiceActions') +SERVICE_PARAMETERS_TABLE = os.environ.get('DYNAMODB_TABLE_SERVICE_PARAMETERS', 'gensec-AWSServiceParameters') +OUTPUT_BUCKET = os.environ.get('S3_OUTPUT_BUCKET', os.environ.get('S3_DOCUMENTATION_BUCKET')) + +# Initialize Bedrock client +bedrock_client = get_bedrock_client('claude-4') + +# Initialize S3 client +s3_client = boto3.client('s3') + +def generate_service_profile(input_data): + """Generate service profile using validated AWS service documentation""" + try: + logger.info("Starting service profile generation with validation") + + # Extract required input data + service_id = input_data.get('serviceId') + if not service_id: + raise ValueError("serviceId is required in input") + + # Query DynamoDB for validated parameters and actions + validated_parameters = get_service_parameters_from_dynamodb(service_id, SERVICE_PARAMETERS_TABLE) + validated_actions = get_service_actions_from_dynamodb(service_id, SERVICE_ACTIONS_TABLE) + + if not validated_parameters and not validated_actions: + raise ValueError("No validated service documentation found") + + # Create validation sets for quick lookup + valid_param_details = { + param['parameter_name']: { + 'description': param['description'], + 'type': param['type'] + } for param in validated_parameters + } + + valid_action_details = { + action['action_name']: { + 'description': action['description'], + 'accessLevel': action['accessLevel'] + } for action in validated_actions + } + + # Map service ID to full name + service_name = get_service_full_name(service_id) + logger.info(f"Generating validated profile for service: {service_name}") + + # Create enhanced prompt with validated information + prompt = create_service_profile_prompt_with_validation( + service_name, + validated_parameters, + validated_actions + ) + + # Generate profile using Bedrock + logger.info("Calling Bedrock with validated service information") + response = bedrock_client.invoke(prompt) + + if not response: + raise ValueError("Failed to generate service profile") + + # Parse and validate the profile + profile_json = extract_json_from_content(response) + if not profile_json: + raise ValueError("Failed to extract valid JSON from response") + + # Validate generated profile against service documentation + validated_profile = validate_service_profile_content( + profile_json, + valid_param_details, + valid_action_details + ) + + if not validated_profile: + raise ValueError("Failed to validate service profile content") + + # Generate markdown with validated content + markdown_content = convert_json_to_markdown(validated_profile, f"{service_name} Service Profile") + + # Store validated outputs + store_validated_profile_outputs(service_id, validated_profile, markdown_content) + + return { + "statusCode": 200, + "body": { + "serviceId": service_id, + "serviceName": service_name, + "outputs": { + "json": f"{service_id}/service-profiles/profile.json", + "markdown": f"{service_id}/service-profiles/profile.md" + }, + "validation": { + "parameters_validated": len(validated_parameters), + "actions_validated": len(validated_actions), + "validation_timestamp": datetime.utcnow().isoformat() + } + } + } + + except ValueError as ve: + logger.error(f"Validation error: {str(ve)}") + raise ve # Re-raise to fail Step Functions execution + except Exception as e: + logger.error(f"Error generating service profile: {str(e)}") + raise e # Re-raise to fail Step Functions execution + +def create_service_profile_prompt_with_validation(service_name, validated_parameters, validated_actions): + """Create enhanced prompt with validated service information""" + try: + # Format validated parameters and actions + param_capabilities = "\n".join([ + f"- {param['parameter_name']}: {param['description']} (Type: {param['type']})" + for param in validated_parameters + ]) + + action_capabilities = "\n".join([ + f"- {action['action_name']}: {action['description']} (Level: {action['accessLevel']})" + for action in validated_actions + ]) + # 5. Provide ONLY the requested content. Do NOT include any introductory text like "Here are the..." or trailing summaries. Start directly with the content. + return { + "prompt": f"""Generate a comprehensive service profile for AWS {service_name} based on these validated capabilities: + + Validated Parameters: + {param_capabilities} + + Validated Actions: + {action_capabilities} + + CRITICAL INSTRUCTIONS: + - Return ONLY the JSON object below + - Do NOT include markdown formatting (no ```json or ```) + - Do NOT include any explanatory text before or after + - Use \\n for line breaks in code strings + - Ensure all quotes are properly escaped + + IMPORTANT: + 1. Base the profile ONLY on these validated capabilities + 2. Do NOT include capabilities not supported by the parameters/actions + 3. Ensure all features mentioned are backed by documented parameters or actions + 4. Be precise about supported functionality + + {{ + "serviceName": "{service_name}", + "serviceDescription": {{ + "overview": "description based on validated capabilities", + "serviceType": "type of service", + "documentation": "AWS documentation link" + }}, + "dataProtection": {{ + "dataHandling": {{ + "processesCustomerData": true/false, + "storesCustomerData": true/false, + "explanation": "based on validated parameters" + }}, + "encryption": {{ + "atRest": {{ + "supported": true/false, + "methods": ["only validated encryption methods"], + "details": "based on validated parameters" + }}, + "inTransit": {{ + "supported": true/false, + "methods": ["only validated protocols"], + "details": "based on validated parameters" + }} + }} + }}, + "networkControls": {{ + "endpoints": ["only validated endpoints"], + "vpcSupport": true/false, + "publicExposure": {{ + "required": true/false, + "details": "based on validated configuration options" + }} + }}, + "accessControls": {{ + "iamSupport": {{ + "serviceRoles": ["only validated roles"], + "managedPolicies": ["only validated policies"] + }}, + "bestPractices": ["based on validated parameters and actions"] + }}, + "isolationControls": ["only validated isolation features"], + "managementOps": {{ + "logging": {{ + "cloudwatchSupport": true/false, + "cloudtrailSupport": true/false, + "details": "based on validated logging capabilities" + }}, + "monitoring": {{ + "metrics": ["only validated metrics"], + "details": "based on validated monitoring capabilities" + }} + }}, + "compliance": {{ + "certifications": ["relevant certifications"], + "details": "compliance details based on validated features" + }} + }} + + Return the JSON object starting with {{ and ending with }}. Nothing else.""" + } + except Exception as e: + logger.error(f"Error creating service profile prompt: {str(e)}") + raise e + +def validate_service_profile_content(profile, valid_param_details, valid_action_details): + """Validate service profile content against documented capabilities""" + try: + if not isinstance(profile, dict): + logger.error("Invalid profile structure") + return None + + # Validate encryption capabilities + encryption = profile.get('dataProtection', {}).get('encryption', {}) + if encryption: + # Validate encryption parameters + encryption_params = [p for p in valid_param_details.keys() + if 'encrypt' in p.lower() or 'kms' in p.lower()] + encryption['atRest']['supported'] = bool(encryption_params) + + # Validate network capabilities + network = profile.get('networkControls', {}) + if network: + # Validate VPC support + vpc_params = [p for p in valid_param_details.keys() + if 'vpc' in p.lower()] + network['vpcSupport'] = bool(vpc_params) + + # Validate IAM capabilities + access_controls = profile.get('accessControls', {}).get('iamSupport', {}) + if access_controls: + # Get IAM-related actions + iam_actions = [a for a in valid_action_details.keys() + if any(role in a.lower() for role in ['role', 'policy', 'permission'])] + access_controls['serviceRoles'] = list(set( + role for action in iam_actions + for role in extract_roles_from_action(action) + )) + + # Validate logging capabilities + logging = profile.get('managementOps', {}).get('logging', {}) + if logging: + # Check CloudWatch/CloudTrail parameters + logging['cloudwatchSupport'] = any('cloudwatch' in p.lower() + for p in valid_param_details.keys()) + logging['cloudtrailSupport'] = any('cloudtrail' in p.lower() + for p in valid_param_details.keys()) + + # Add validation metadata + profile['_metadata'] = { + "validation_timestamp": datetime.utcnow().isoformat(), + "validated_parameters": len(valid_param_details), + "validated_actions": len(valid_action_details) + } + + logger.info("Successfully validated service profile content") + return profile + + except Exception as e: + logger.error(f"Error validating service profile: {str(e)}") + return None + +def extract_roles_from_action(action_name): + """Extract role names from IAM action names""" + roles = [] + if 'role' in action_name.lower(): + role_parts = action_name.split(':') + if len(role_parts) > 1: + roles.append(role_parts[1]) + return roles + +def store_validated_profile_outputs(service_id, profile_json, markdown_content): + """Store validated service profile with metadata""" + + logger.debug(f'json: {profile_json}') + logger.debug(f'markdown: {markdown_content}') + + try: + # Add validation timestamp + profile_json['_metadata']['storage_timestamp'] = datetime.utcnow().isoformat() + + # Store JSON version + s3_client.put_object( + Bucket=OUTPUT_BUCKET, + Key=f"{service_id}/service-profiles/profile.json", + Body=json.dumps(profile_json, indent=2), + ContentType='application/json', + Metadata={ + "validated": "true", + "validation_date": profile_json['_metadata']['validation_timestamp'] + } + ) + + # Store markdown version + s3_client.put_object( + Bucket=OUTPUT_BUCKET, + Key=f"{service_id}/service-profiles/profile.md", + Body=markdown_content, + ContentType='text/markdown' + ) + + logger.info(f"Stored validated service profile for service: {service_id}") + + except Exception as e: + logger.error(f"Error storing validated profile outputs: {str(e)}") + raise + +def get_service_full_name(service_id): + """Map service ID to full name""" + service_names = { + 'sqs': 'Amazon Simple Queue Service', + 's3': 'Amazon Simple Storage Service', + 'ec2': 'Amazon Elastic Compute Cloud', + 'rds': 'Amazon Relational Database Service', + 'lambda': 'AWS Lambda', + 'dynamodb': 'Amazon DynamoDB' + } + return service_names.get(service_id, service_id.upper()) + +def lambda_handler(event, context): + """Lambda handler for generating service profiles""" + try: + logger.info("Starting GenerateServiceProfile Lambda") + + result = generate_service_profile(event) + + logger.info("Successfully completed service profile generation") + return result + + except Exception as e: + logger.error(f"Error in GenerateServiceProfile: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/SecurityProfileProcessor/lambda_function.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/SecurityProfileProcessor/lambda_function.py new file mode 100644 index 00000000..264d613e --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/lambda/SecurityProfileProcessor/lambda_function.py @@ -0,0 +1,288 @@ +import json +import boto3 +import os +import logging +from botocore.exceptions import ClientError + +# Set up logging +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +# Initialize AWS clients +s3_client = boto3.client('s3') +sfn_client = boto3.client('stepfunctions') + +# Environment variables +STATE_MACHINE_ARN = os.environ['STATE_MACHINE_ARN'] + +def lambda_handler(event, context): + """ + Enhanced Lambda handler with better error handling + """ + try: + # Process S3 event + bucket_name, file_key = parse_s3_event(event) + logger.info(f"Processing file: {file_key} from bucket: {bucket_name}") + + try: + # Read and validate the uploaded file + file_content = read_s3_file(bucket_name, file_key) + + # Process content + file_type, data = process_file_content(file_content, file_key) + + # Check for required files + if file_type == 'security_profile': + security_profile = data + service_request = check_for_service_request(bucket_name) + logger.info('Security profile loaded') + elif file_type == 'service_request': + service_request = data + security_profile = check_for_security_profile(bucket_name) + logger.info('Service request loaded') + + # Trigger Step Functions if both files exist + if security_profile and service_request: + trigger_step_functions(security_profile, service_request) + logger.info("Successfully triggered Step Functions execution") + else: + logger.info("Waiting for the other file to be uploaded") + + return { + 'statusCode': 200, + 'body': json.dumps('Processing completed successfully') + } + + except json.JSONDecodeError as e: + logger.error(f"JSON parsing error: {str(e)}") + return { + 'statusCode': 400, + 'body': json.dumps({ + 'error': 'Invalid JSON format', + 'details': str(e) + }) + } + + except Exception as e: + logger.error(f"Error in lambda execution: {str(e)}") + return { + 'statusCode': 500, + 'body': json.dumps({ + 'error': 'Internal server error', + 'details': str(e) + }) + } + +def parse_s3_event(event): + """ + Parse the S3 event to extract bucket name and file key. + """ + try: + logger.info(f"Parsing S3 event: {json.dumps(event)}") + + if not event.get('Records'): + logger.error("No Records found in event") + raise ValueError("Invalid S3 event structure") + + record = event['Records'][0] + + if not record.get('s3'): + logger.error("No s3 data found in record") + raise ValueError("Invalid S3 event structure") + + bucket_name = record['s3']['bucket']['name'] + file_key = record['s3']['object']['key'] + + logger.info(f"Successfully parsed S3 event - Bucket: {bucket_name}, Key: {file_key}") + + return bucket_name, file_key + + except KeyError as e: + logger.error(f"Error parsing S3 event: {str(e)}") + raise ValueError("Invalid S3 event structure") + except Exception as e: + logger.error(f"Unexpected error parsing S3 event: {str(e)}") + raise + +def check_for_security_profile(bucket): + """ + Check if a security profile file exists in the bucket. + """ + try: + response = s3_client.list_objects_v2( + Bucket=bucket, + Prefix='security-profile/' + ) + for obj in response.get('Contents', []): + if obj['Key'].endswith('.json'): + return read_s3_file(bucket, obj['Key']) + except ClientError as e: + logger.error(f"Error checking for security profile: {str(e)}") + return None + +def check_for_service_request(bucket): + """ + Check if a service request file exists in the bucket. + """ + try: + response = s3_client.list_objects_v2( + Bucket=bucket, + Prefix='service-request/' + ) + for obj in response.get('Contents', []): + if obj['Key'].endswith('.json'): + return read_s3_file(bucket, obj['Key']) + except ClientError as e: + logger.error(f"Error checking for service request: {str(e)}") + return None + +def trigger_step_functions(security_profile, service_request): + """ + Trigger the Step Functions state machine with the combined input. + """ + input_data = { + 'securityProfile': security_profile, + 'serviceRequest': service_request + } + + try: + response = sfn_client.start_execution( + stateMachineArn=STATE_MACHINE_ARN, + input=json.dumps(input_data) + ) + logger.info(f"Step Functions execution started: {response['executionArn']}") + except ClientError as e: + logger.error(f"Error starting Step Functions execution: {str(e)}") + raise + +def clean_json_content(content): + """ + Clean and validate JSON content + """ + try: + # Remove BOM if present + if content.startswith('\ufeff'): + content = content.replace('\ufeff', '') + + # Remove any leading/trailing whitespace + content = content.strip() + + # Handle potential comments (if any) + lines = content.split('\n') + cleaned_lines = [] + + for line in lines: + # Remove inline comments + if '//' in line: + line = line.split('//')[0] + # Remove whitespace + line = line.strip() + # Skip empty lines + if line: + cleaned_lines.append(line) + + content = '\n'.join(cleaned_lines) + + # Ensure content starts with { and ends with } + if not (content.startswith('{') and content.endswith('}')): + raise ValueError("Invalid JSON structure") + + # Remove trailing commas + content = content.replace(',}', '}') + content = content.replace(',\n}', '\n}') + + return content + + except Exception as e: + logger.error(f"Error cleaning JSON content: {str(e)}") + raise + +def read_s3_file(bucket, key): + """ + Enhanced S3 file reading with content validation + """ + try: + # Get the object from S3 + response = s3_client.get_object(Bucket=bucket, Key=key) + file_content = response['Body'].read().decode('utf-8') + + # Log the first part of the content for debugging + logger.debug(f"Raw file content (first 500 chars): {file_content[:500]}") + + # Clean the content + cleaned_content = clean_json_content(file_content) + + try: + # Parse the JSON content + parsed_content = json.loads(cleaned_content) + return parsed_content + + except json.JSONDecodeError as e: + logger.error(f"JSON parsing error: {str(e)}") + logger.error(f"Error location - Line: {e.lineno}, Column: {e.colno}, Char: {e.pos}") + logger.error(f"Problematic content around error: {cleaned_content[max(0, e.pos-50):min(len(cleaned_content), e.pos+50)]}") + raise + + except ClientError as e: + logger.error(f"Error reading from S3: {str(e)}") + raise + except Exception as e: + logger.error(f"Unexpected error reading file: {str(e)}") + raise + +def validate_file_content(content, file_type): + """ + Validate the structure of the file content + """ + try: + if not isinstance(content, dict): + raise ValueError(f"Invalid content structure for {file_type}") + + if file_type == 'security_profile': + required_fields = [ + 'profile_id', + 'security_requirements', + 'compliance_requirements' + ] + elif file_type == 'service_request': + required_fields = [ + 'requestId', + 'serviceId', + 'services' + ] + else: + raise ValueError(f"Unknown file type: {file_type}") + + missing_fields = [field for field in required_fields if field not in content] + if missing_fields: + raise ValueError(f"Missing required fields in {file_type}: {missing_fields}") + + return True + + except Exception as e: + logger.error(f"Validation error: {str(e)}") + return False + +def process_file_content(content, file_key): + """ + Enhanced file content processing with validation + """ + try: + # Determine file type + if 'security-profile' in file_key: + file_type = 'security_profile' + elif 'service-request' in file_key: + file_type = 'service_request' + else: + raise ValueError(f"Unknown file type: {file_key}") + + # Validate content + if not validate_file_content(content, file_type): + raise ValueError(f"Invalid {file_type} content structure") + + logger.info(f"Successfully processed {file_type} content") + return file_type, content + + except Exception as e: + logger.error(f"Error processing file content: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/README.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/README.md new file mode 100644 index 00000000..6206f49d --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/README.md @@ -0,0 +1,146 @@ +# Lambda Layers for Security System + +This directory contains Lambda layers that provide common dependencies for the security system Lambda functions. Using layers reduces deployment package sizes, improves cold start times, and enables better dependency management. + +## Layer Structure + +### 1. Common Layer (`common-layer/`) +**Purpose**: Provides core AWS SDK and utility dependencies used by all Lambda functions. + +**Dependencies**: +- `boto3>=1.28.0` - AWS SDK for Python +- `botocore>=1.31.0` - Low-level AWS service client library +- `python-dateutil>=2.8.2` - Date/time utilities + +**Used by**: +- SecurityConfigurationHandler +- SecurityProfileProcessor +- AWSServiceDocumentationManager + +### 2. Requests Layer (`requests-layer/`) +**Purpose**: Provides HTTP client libraries for making external API calls. + +**Dependencies**: +- `requests>=2.31.0` - HTTP library for Python +- `urllib3>=1.26.16` - HTTP client library +- `certifi>=2023.7.22` - Certificate bundle +- `charset-normalizer>=3.2.0` - Character encoding detection +- `idna>=3.4` - Internationalized domain names + +**Used by**: +- SecurityConfigurationHandler +- AWSServiceDocumentationManager + +### 3. Web Scraping Layer (`web-scraping-layer/`) +**Purpose**: Provides web scraping and HTML parsing capabilities. + +**Dependencies**: +- `beautifulsoup4>=4.12.2` - HTML/XML parser +- `lxml>=4.9.3` - XML/HTML processing library +- `html5lib>=1.1` - HTML5 parser +- `soupsieve>=2.4.1` - CSS selector library +- `webencodings>=0.5.1` - Character encoding utilities + +**Used by**: +- AWSServiceDocumentationManager + +## Building Layers + +### Prerequisites +- Python 3.9 (matching Lambda runtime) +- pip package manager + +### Build Individual Layers + +```bash +# Build common layer +cd common-layer +./build.sh + +# Build requests layer +cd requests-layer +./build.sh + +# Build web scraping layer +cd web-scraping-layer +./build.sh +``` + +### Build All Layers +```bash +# From the layers directory +./build-all-layers.sh +``` + +## Layer Usage in CDK + +The layers are automatically configured in the CDK stack through the `LambdaLayers` class: + +```typescript +// Initialize layers +const layers = new LambdaLayers(this, 'SecuritySystemLayers'); + +// Use in Lambda function +const myFunction = new lambda.Function(this, 'MyFunction', { + // ... other properties + layers: [ + layers.commonLayer, + layers.requestsLayer, + // layers.webScrapingLayer, // if needed + ], +}); +``` + +## Lambda Function Mapping + +| Function | Common Layer | Requests Layer | Web Scraping Layer | +|----------|--------------|----------------|-------------------| +| SecurityConfigurationHandler | ✅ | ✅ | ❌ | +| SecurityProfileProcessor | ✅ | ❌ | ❌ | +| AWSServiceDocumentationManager | ✅ | ✅ | ✅ | + +## Benefits + +1. **Reduced Package Size**: Lambda functions no longer need to include common dependencies +2. **Faster Deployments**: Layers are cached and reused across deployments +3. **Better Cold Starts**: Smaller function packages load faster +4. **Dependency Management**: Centralized dependency management and versioning +5. **Code Reuse**: Common dependencies shared across multiple functions + +## Maintenance + +### Updating Dependencies +1. Update the `requirements.txt` file in the appropriate layer directory +2. Rebuild the layer using the build script +3. Deploy the updated CDK stack + +### Adding New Dependencies +1. Determine which layer the dependency belongs to (or create a new layer) +2. Add the dependency to the appropriate `requirements.txt` +3. Rebuild the layer +4. Update the Lambda function to use the layer if not already configured + +### Layer Size Limits +- Maximum layer size: 250 MB (unzipped) +- Maximum total size (function + layers): 250 MB (unzipped) +- Monitor layer sizes and split if necessary + +## Troubleshooting + +### Import Errors +If you encounter import errors after implementing layers: +1. Verify the dependency is included in the correct layer +2. Check that the Lambda function is configured to use the layer +3. Ensure the layer was built successfully + +### Layer Size Issues +If layers become too large: +1. Remove unnecessary files (tests, documentation, etc.) +2. Use `--no-deps` flag for specific packages if needed +3. Consider splitting large layers into smaller, more focused layers + +### Build Issues +If build scripts fail: +1. Ensure Python 3.9 is available +2. Check pip is installed and up to date +3. Verify write permissions in the layer directories diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/README.md b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/README.md new file mode 100644 index 00000000..e668d910 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/README.md @@ -0,0 +1,189 @@ +# Centralized Bedrock Client Layer + +This Lambda layer provides a centralized Bedrock client that standardizes model invocation across all Lambda functions in the security configuration system. + +## Features + +### 1. Model Switching +- **Easy model switching**: Change `DEFAULT_MODEL` constant to switch between models +- **Supported models**: Nova Pro, Claude 3.5 Sonnet, and Claude 4 +- **Model-specific configurations**: Each model has its own token limits and request formats + +### 2. Comprehensive Logging +- **Full prompt logging**: Complete prompts are logged (no truncation) +- **Model identification**: Logs show which model and model ID is being used +- **Full response logging**: Complete responses are logged (no truncation) +- **Extracted content logging**: Final extracted content is logged + +### 3. Token Limit Validation +- **Pre-validation**: Prompts are validated against model token limits before sending +- **Model-aware limits**: Each model has its specific token limits configured +- **Exception handling**: Clear error messages when prompts exceed limits + +### 4. Retry Logic +- **Exponential backoff**: Built-in retry logic with exponential backoff +- **Throttling handling**: Automatic retry on throttling exceptions +- **Error categorization**: Different handling for validation, access, and throttling errors + +## Usage + +### Basic Usage + +```python +from bedrock_client import get_bedrock_client + +# Get client with default model (Nova Pro) +client = get_bedrock_client() +response = client.invoke("Your prompt here") + +# Get client with specific model +claude_client = get_bedrock_client('claude') +response = claude_client.invoke("Your prompt here") +``` + +### Legacy Compatibility + +```python +from bedrock_client import invoke_bedrock_agent + +# This function maintains backward compatibility +response = invoke_bedrock_agent({"prompt": "Your prompt here"}) +``` + +## Model Configuration + +### Current Models + +1. **Nova Pro** (`nova-pro`) + - Model ID: `us.amazon.nova-pro-v1:0` + - Max tokens: 10,240 + - Default model + +2. **Claude 3.5 Sonnet** (`claude`) + - Model ID: `anthropic.claude-3-5-sonnet-20241022-v2:0` + - Max tokens: 200,000 + +3. **Claude 4** (`claude-4`) + - Model ID: `us.anthropic.claude-4-0-20250101-v1:0` + - Max tokens: 200,000 + +### Switching Models + +To switch the default model system-wide: + +1. Edit `layers/bedrock-layer/bedrock_client.py` +2. Change the `DEFAULT_MODEL` constant: + ```python + DEFAULT_MODEL = 'claude' # or 'nova-pro' + ``` +3. Redeploy the layer + +## Implementation Details + +### Token Limit Management +- Estimates tokens using 1 token ≈ 4 characters +- Reserves 20% of model limit for response +- Validates prompts before sending to avoid API errors + +### Request Format Handling +- **Nova Pro**: Uses `messages-v1` schema with `inferenceConfig` +- **Claude**: Uses `anthropic_version` with direct message format +- Automatic format selection based on model + +### Response Extraction +- Model-specific response parsing +- Handles different response structures automatically +- Comprehensive error logging for debugging + +### Error Handling +- **ValidationException**: Model configuration or access issues +- **AccessDeniedException**: IAM permission issues +- **ThrottlingException**: Rate limiting with automatic retry +- **ValueError**: Token limit or response parsing issues + +## Logging Output + +The client provides detailed logging at each step: + +``` +================================================================================ +BEDROCK INVOCATION - Model: nova-pro +Model ID: us.amazon.nova-pro-v1:0 +================================================================================ +PROMPT: +[Full prompt content here - no truncation] +================================================================================ +BEDROCK RESPONSE: +[Full JSON response - no truncation] +================================================================================ +EXTRACTED CONTENT: +[Final extracted text content - no truncation] +================================================================================ +``` + +## Testing + +Run the test suite to validate functionality: + +```bash +cd layers/bedrock-layer +python test_bedrock_client.py +``` + +Tests cover: +- Model switching +- Token validation +- Request body creation +- Error handling + +## Deployment + +1. **Build the layer**: + ```bash + ./scripts/deploy-bedrock-layer.sh + ``` + +2. **Deploy with CDK**: + ```bash + cd cdk + npm run build + cdk deploy + ``` + +## Migration from Old Code + +### Before (in each Lambda function) +```python +# Duplicated Bedrock client code +bedrock = boto3.client('bedrock-runtime') +MODEL_ID = 'amazon.nova-pro-v1:0' + +def invoke_bedrock_agent(prompt): + # 100+ lines of duplicated code + # Manual retry logic + # Manual response parsing + # Limited logging +``` + +### After (using centralized layer) +```python +from bedrock_client import get_bedrock_client + +# Single line initialization +bedrock_client = get_bedrock_client('nova-pro') + +def invoke_bedrock_agent(prompt): + # Simple delegation to centralized client + prompt_text = prompt.get("prompt") if isinstance(prompt, dict) else prompt + return bedrock_client.invoke(prompt_text) +``` + +## Benefits + +1. **Centralized Management**: Single place to manage Bedrock invocation logic +2. **Easy Model Switching**: Change one constant to switch models system-wide +3. **Comprehensive Logging**: Full visibility into prompts, responses, and model usage +4. **Token Safety**: Automatic validation prevents API errors +5. **Consistent Error Handling**: Standardized error handling across all functions +6. **Reduced Code Duplication**: Eliminates 100+ lines of duplicated code per function +7. **Better Maintainability**: Updates to Bedrock logic only need to be made in one place diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/build.sh new file mode 100755 index 00000000..275017dc --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/build.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +echo "Building Bedrock Layer..." +mkdir -p python + +if [ -f requirements.txt ]; then + echo "Installing dependencies..." + pip3 install -r requirements.txt -t python/ +fi + +echo "Bedrock Layer build complete!" +find python -name "*.py" | head -5 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/python/bedrock_client.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/python/bedrock_client.py new file mode 100644 index 00000000..8dd1ae47 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/python/bedrock_client.py @@ -0,0 +1,276 @@ +""" +Bedrock Client Layer +Centralized Bedrock client for AI model interactions +""" +import json +import boto3 +import logging +import time +import random +import os +from botocore.exceptions import ClientError + +logger = logging.getLogger() + +class BedrockClient: + def __init__(self, model_type='claude-4'): + self.model_type = model_type + + # Configure Bedrock client with timeout settings + config = boto3.session.Config( + read_timeout=840, # 14 minutes (leave 1 min buffer for Lambda) + connect_timeout=60, # 1 minute + retries={'max_attempts': 3} + ) + self.bedrock_client = boto3.client('bedrock-runtime', config=config) + + # Model configurations - using inference profile for Claude Sonnet 4 + self.models = { + 'claude-4': { + 'model_id': 'us.anthropic.claude-sonnet-4-20250514-v1:0', # Cross-region inference profile + 'max_tokens': 50000, + 'temperature': 0.1 + }, + 'nova-pro': { + 'model_id': 'amazon.nova-pro-v1:0', + 'max_tokens': 5120, + 'temperature': 0.1 + } + } + + # Initialize MCP client if available + self.mcp_client = None + try: + from mcp_tools import get_mcp_client + self.mcp_client = get_mcp_client() + logger.info("MCP client initialized successfully") + except ImportError: + logger.info("MCP tools not available - using direct model calls only") + + def invoke(self, prompt, use_mcp_tools=False, max_retries=5, initial_delay=2): + """Invoke Bedrock model with retry logic and timeout handling""" + try: + # Handle both string and dict prompt formats + if isinstance(prompt, dict): + prompt_text = prompt.get("prompt", str(prompt)) + else: + prompt_text = str(prompt) + + # Log prompt details with size check + prompt_size = len(prompt_text) + if prompt_size > 200000: # >200k chars + logger.warning(f"Large prompt detected: {prompt_size} characters - may cause timeout") + + logger.info(f"GenSec Agent prompt (model: {self.model_type}, length: {prompt_size}): {prompt_text}") + + model_config = self.models.get(self.model_type) + if not model_config: + raise ValueError(f"Unsupported model type: {self.model_type}") + + # Prepare request body based on model type + if self.model_type == 'claude-4': + body = { + "anthropic_version": "bedrock-2023-05-31", + "max_tokens": model_config['max_tokens'], + "temperature": model_config['temperature'], + "messages": [ + { + "role": "user", + "content": prompt_text + } + ] + } + elif self.model_type == 'nova-pro': + body = { + "messages": [ + { + "role": "user", + "content": [{"text": prompt_text}] + } + ], + "inferenceConfig": { + "max_new_tokens": model_config['max_tokens'], + "temperature": model_config['temperature'] + } + } + + # Invoke with retry logic + for attempt in range(max_retries): + try: + start_time = time.time() + response = self.bedrock_client.invoke_model( + modelId=model_config['model_id'], + body=json.dumps(body), + contentType='application/json' + ) + + elapsed_time = time.time() - start_time + logger.info(f"Bedrock invocation completed in {elapsed_time:.2f} seconds") + + response_body = json.loads(response['body'].read()) + + # Extract content based on model type + if self.model_type == 'claude-4': + if 'content' in response_body and response_body['content']: + result = response_body['content'][0]['text'] + logger.info(f"Bedrock response (length: {len(result)}): {result}") + return result + elif self.model_type == 'nova-pro': + if 'output' in response_body and 'message' in response_body['output']: + result = response_body['output']['message']['content'][0]['text'] + logger.info(f"Bedrock response (length: {len(result)}): {result}") + return result + + logger.info(f"Bedrock response (raw): {str(response_body)}") + return response_body + + except ClientError as e: + error_code = e.response['Error']['Code'] + if error_code == 'ThrottlingException': + if attempt < max_retries - 1: + delay = initial_delay * (2 ** attempt) + random.uniform(0, 1) + logger.warning(f"Throttled, retrying in {delay:.2f}s (attempt {attempt + 1})") + time.sleep(delay) + continue + elif error_code == 'ValidationException': + logger.error(f"Validation error: {str(e)} - prompt may be too large") + raise ValueError(f"Prompt validation failed: {str(e)}") + raise + except Exception as e: + if "timeout" in str(e).lower() or "timed out" in str(e).lower(): + logger.error(f"Timeout on attempt {attempt + 1}: {str(e)}") + if attempt < max_retries - 1: + delay = initial_delay * (2 ** attempt) + logger.warning(f"Retrying after timeout in {delay:.2f}s") + time.sleep(delay) + continue + raise + + except Exception as e: + logger.error(f"Error invoking Bedrock: {str(e)}") + raise + +class BedrockAgentClient: + def __init__(self, model_type='claude-4'): + self.bedrock_agent = boto3.client('bedrock-agent-runtime') + # Get agent configuration from environment variables + self.agent_id = os.environ.get('STRANDS_AGENT_ID') + self.agent_alias_id = os.environ.get('STRANDS_AGENT_ALIAS_ID') + + if not self.agent_id or not self.agent_alias_id: + raise ValueError("STRANDS_AGENT_ID and STRANDS_AGENT_ALIAS_ID environment variables must be set") + self.model_type = model_type + + def invoke(self, prompt, use_mcp_tools=False, max_retries=5, initial_delay=5): + """Invoke Strands Agent with optional MCP tools""" + try: + # Handle both string and dict prompt formats + if isinstance(prompt, dict): + prompt_text = prompt.get("prompt", str(prompt)) + else: + prompt_text = str(prompt) + + # Enhanced prompt with model preference and MCP tools context + model_context = f"[Model: {self.model_type}]" + if use_mcp_tools: + model_context += " [MCP: enabled]" + enhanced_prompt = f"{model_context} {prompt_text}" + + # Generate session ID + session_id = f"session-{int(time.time())}-{random.randint(1000, 9999)}" + + logger.info(f"GenSec Agent prompt (model: {self.model_type}, MCP: {use_mcp_tools}, length: {len(enhanced_prompt)}): {enhanced_prompt}") + + # Prepare invoke parameters + invoke_params = { + 'agentId': self.agent_id, + 'agentAliasId': self.agent_alias_id, + 'sessionId': session_id, + 'inputText': enhanced_prompt + } + + # Add MCP tools if requested + if use_mcp_tools: + try: + from mcp_tools import get_mcp_tools + invoke_params['toolConfig'] = get_mcp_tools() + logger.info("Added MCP tools to agent invocation") + except ImportError: + logger.warning("MCP tools not available") + + # Invoke with aggressive retry logic for throttling + for attempt in range(max_retries): + try: + response = self.bedrock_agent.invoke_agent(**invoke_params) + result = self._extract_agent_response(response) + logger.info(f"GenSec Agent response (length: {len(result)}): {result}") + return result + + except ClientError as e: + error_code = e.response['Error']['Code'] + if error_code == 'ValidationException': + logger.error(f"Agent validation error: {str(e)}") + raise ValueError(f"Agent configuration error: {str(e)}") + elif error_code in ['ThrottlingException', 'TooManyRequestsException']: + if attempt < max_retries - 1: + # Aggressive exponential backoff for throttling + delay = initial_delay * (3 ** attempt) + random.uniform(1, 5) + logger.warning(f"Agent throttled, retrying in {delay:.2f}s (attempt {attempt + 1}/{max_retries})") + time.sleep(delay) + continue + else: + logger.error(f"Max retries exceeded for throttling. Consider reducing request frequency.") + raise + raise + except Exception as e: + # Catch any other exceptions (including from response extraction) + if "throttling" in str(e).lower() and attempt < max_retries - 1: + delay = initial_delay * (3 ** attempt) + random.uniform(1, 5) + logger.warning(f"Throttling during response processing, retrying in {delay:.2f}s (attempt {attempt + 1}/{max_retries})") + time.sleep(delay) + continue + raise + + except Exception as e: + logger.error(f"Error invoking GenSec Agent: {str(e)}") + raise + + def _extract_agent_response(self, response): + """Extract text from agent response stream""" + try: + # Handle streaming response from bedrock-agent-runtime + if 'completion' in response: + completion = response['completion'] + + # Process the event stream + full_response = "" + for event in completion: + if 'chunk' in event: + chunk = event['chunk'] + if 'bytes' in chunk: + # Decode the bytes to get the actual text + chunk_text = chunk['bytes'].decode('utf-8') + full_response += chunk_text + + return full_response.strip() + + # Fallback to string representation if structure is different + return str(response) + + except Exception as e: + logger.error(f"Error extracting agent response: {str(e)}") + logger.error(f"Response structure: {response}") + # Return the string representation as fallback + return str(response) + +def get_bedrock_client(model_type='claude-4'): + """Factory function - transparent agent integration""" + # Check if Strands Agent should be used (via environment variable) + use_strands_agent = os.environ.get('USE_STRANDS_AGENT', 'false').lower() == 'true' + + if use_strands_agent: + logger.info(f"Using Strands Agent with model preference: {model_type}") + return BedrockAgentClient(model_type) # Agent with model preference + else: + logger.info(f"Using direct Bedrock model: {model_type}") + return BedrockClient(model_type) # Direct model invocation diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/python/mcp_tools.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/python/mcp_tools.py new file mode 100644 index 00000000..23368398 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/bedrock-layer/python/mcp_tools.py @@ -0,0 +1,75 @@ +""" +MCP Tools for Strands Agent +Provides MCP tool definitions as parameters for agent invocation +""" + +def get_mcp_tools(): + """Get MCP tools definition for Strands Agent""" + return { + "tools": [ + { + "toolSpec": { + "name": "search_aws_documentation", + "description": "Search AWS documentation for specific topics", + "inputSchema": { + "json": { + "type": "object", + "properties": { + "search_phrase": { + "type": "string", + "description": "Search phrase for AWS documentation" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results", + "default": 5 + } + }, + "required": ["search_phrase"] + } + } + } + }, + { + "toolSpec": { + "name": "read_aws_documentation", + "description": "Read specific AWS documentation page", + "inputSchema": { + "json": { + "type": "object", + "properties": { + "url": { + "type": "string", + "description": "URL of AWS documentation page to read" + } + }, + "required": ["url"] + } + } + } + } + ] + } + +def handle_tool_use(tool_name, tool_input): + """Handle MCP tool invocation""" + import subprocess + import json + + if tool_name == "search_aws_documentation": + result = subprocess.run([ + 'mcp', 'call', 'awslabs.aws-documentation-mcp-server', 'search_documentation', + '--args', json.dumps(tool_input) + ], capture_output=True, text=True, timeout=30) + + return json.loads(result.stdout) if result.returncode == 0 else {"error": result.stderr} + + elif tool_name == "read_aws_documentation": + result = subprocess.run([ + 'mcp', 'call', 'awslabs.aws-documentation-mcp-server', 'read_documentation', + '--args', json.dumps(tool_input) + ], capture_output=True, text=True, timeout=30) + + return json.loads(result.stdout) if result.returncode == 0 else {"error": result.stderr} + + return {"error": f"Unknown tool: {tool_name}"} diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/build-all-layers.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/build-all-layers.sh new file mode 100755 index 00000000..7705effc --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/build-all-layers.sh @@ -0,0 +1,21 @@ +#!/bin/bash +set -e + +echo "Building all layers..." + +for layer in */; do + if [ -f "$layer/requirements.txt" ]; then + echo "Building $layer" + cd "$layer" + mkdir -p python + pip install -r requirements.txt -t python/ 2>/dev/null || true + cd .. + elif [ -f "$layer/build.sh" ]; then + echo "Building $layer with custom build script" + cd "$layer" + ./build.sh + cd .. + fi +done + +echo "All layers built. Run 'cdk deploy' to deploy." diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/build.sh new file mode 100755 index 00000000..2e16722e --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/build.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +# Build script for common layer +set -e + +echo "Building common layer..." + +# Clean previous build +rm -rf python/ + +# Create python directory +mkdir -p python/ + +# Install dependencies +pip3 install -r requirements.txt -t python/ + +# Remove unnecessary files to reduce layer size +find python/ -type d -name "__pycache__" -exec rm -rf {} + 2>/dev/null || true +find python/ -name "*.pyc" -delete 2>/dev/null || true +find python/ -name "*.pyo" -delete 2>/dev/null || true +find python/ -name "*.dist-info" -exec rm -rf {} + 2>/dev/null || true +find python/ -name "*.egg-info" -exec rm -rf {} + 2>/dev/null || true + +echo "Common layer build complete!" +echo "Layer contents:" +ls -la python/ diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/python/content_processor.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/python/content_processor.py new file mode 100644 index 00000000..26489ab2 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/python/content_processor.py @@ -0,0 +1,156 @@ +""" +Generic content processing utilities for AWS documentation extraction +""" +from bs4 import BeautifulSoup +import logging + +logger = logging.getLogger(__name__) + +class ContentProcessor: + """Generic content processing for AWS documentation""" + + @staticmethod + def extract_section_content(html_content, section_type='actions'): + """Extract complete sections from HTML without truncation""" + soup = BeautifulSoup(html_content, 'html.parser') + + # Remove unnecessary elements + for element in soup(['script', 'style', 'nav', 'header', 'footer', 'aside', 'form', 'button', 'input']): + element.decompose() + + if section_type == 'actions': + return ContentProcessor._extract_actions_section(soup) + elif section_type == 'parameters': + return ContentProcessor._extract_parameters_section(soup, html_content) + else: + return soup.get_text(separator=' ', strip=True) + + @staticmethod + def _extract_actions_section(soup): + """Extract complete actions table or section""" + # Find actions table + actions_table = None + tables = soup.find_all('table') + + for table in tables: + headers = table.find_all(['th', 'td'])[:10] + header_text = ' '.join([h.get_text().lower() for h in headers]) + if 'actions' in header_text and ('description' in header_text or 'access level' in header_text): + actions_table = table + break + + if actions_table: + # Extract complete table with parent context + parent_section = actions_table.find_parent(['section', 'div', 'main']) + if parent_section: + text_content = parent_section.get_text(separator=' ', strip=True) + else: + text_content = actions_table.get_text(separator=' ', strip=True) + logger.info(f"Found complete actions table with {len(text_content)} characters") + else: + # Find actions section by heading + text_content = soup.get_text(separator=' ', strip=True) + actions_heading = None + + for heading in soup.find_all(['h1', 'h2', 'h3', 'h4']): + if 'actions' in heading.get_text().lower(): + actions_heading = heading + break + + if actions_heading: + # Get content from actions heading to next major heading + current = actions_heading + content_parts = [actions_heading.get_text()] + + while current.next_sibling: + current = current.next_sibling + if hasattr(current, 'name'): + if current.name in ['h1', 'h2', 'h3'] and current != actions_heading: + break + content_parts.append(current.get_text(separator=' ', strip=True)) + + text_content = ' '.join(content_parts) + logger.info(f"Found actions section from heading with {len(text_content)} characters") + + return text_content + + @staticmethod + def _extract_parameters_section(soup, html_content): + """Extract complete parameters section from Syntax through Properties descriptions""" + # Find complete sections by headings + syntax_heading = None + see_also_heading = None + + for heading in soup.find_all(['h1', 'h2', 'h3', 'h4']): + heading_text = heading.get_text().lower() + if 'syntax' in heading_text and not syntax_heading: + syntax_heading = heading + elif ('see also' in heading_text or 'return values' in heading_text) and syntax_heading: + see_also_heading = heading + break + + if syntax_heading: + # Extract from Syntax to See Also (includes Properties section) + current = syntax_heading + content_elements = [syntax_heading] + + while current.next_sibling: + current = current.next_sibling + if hasattr(current, 'name'): + # Stop at See Also or Return Values (end of properties) + if current == see_also_heading or (current.name in ['h1', 'h2'] and + any(term in current.get_text().lower() for term in ['see also', 'return values', 'examples']) and + current != syntax_heading): + break + content_elements.append(current) + + # Create new soup with relevant content + section_soup = BeautifulSoup('', 'html.parser') + for element in content_elements: + if hasattr(element, 'name'): + section_soup.append(element.extract()) + + soup = section_soup + logger.info(f"Extracted complete Properties section including descriptions") + + # Only remove very large code examples (>1000 chars with clear JSON structure) + for code_block in soup.find_all(['pre', 'code']): + code_text = code_block.get_text() + if len(code_text) > 1000 and code_text.count('{') > 5 and code_text.count('"') > 10: + code_block.decompose() + + return soup.get_text(separator=' ', strip=True) + + @staticmethod + def smart_chunk_content(content, max_size, split_patterns): + """Split content at logical boundaries, never truncating mid-sentence""" + if len(content) <= max_size: + return [content] + + chunks = [] + current_pos = 0 + + while current_pos < len(content): + end_pos = min(current_pos + max_size, len(content)) + + if end_pos >= len(content): + chunks.append(content[current_pos:]) + break + + # Find best split point before end_pos + best_split = end_pos + for pattern in split_patterns: + split_pos = content.rfind(pattern, current_pos, end_pos) + if split_pos > current_pos: + best_split = min(best_split, split_pos + len(pattern)) + + # Fallback to sentence boundary + if best_split == end_pos: + sentence_end = content.rfind('. ', current_pos, end_pos) + if sentence_end > current_pos: + best_split = sentence_end + 2 + + chunks.append(content[current_pos:best_split]) + current_pos = best_split + + return chunks diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/python/s3_operations.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/python/s3_operations.py new file mode 100644 index 00000000..1a83d542 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/python/s3_operations.py @@ -0,0 +1,152 @@ +""" +S3 Operations Layer +Common functions for S3 operations across Lambda functions +""" +import json +import boto3 +import logging +import concurrent.futures +from datetime import datetime + +logger = logging.getLogger() +s3_client = boto3.client('s3') + +def store_output_in_s3(prefix, template_data, output_bucket): + """Store IaC template in S3 with proper prefixing""" + try: + if isinstance(template_data, dict): + filename = template_data.get('filename', 'template.tf') + content = template_data.get('code', str(template_data)) + else: + template_str = str(template_data) + + if 'filename:' in template_str.lower(): + lines = template_str.split('\n') + filename_line = next((line for line in lines if 'filename:' in line.lower()), None) + if filename_line: + import re + filename_match = re.search(r'\*?\*?filename:\s*`?([^`*\n]+)`?\*?\*?', filename_line, re.IGNORECASE) + if filename_match: + filename = filename_match.group(1).strip() + else: + filename = 'template.tf' + else: + filename = 'template.tf' + content = template_str + else: + filename = 'template.tf' + content = template_str + + file_key = f"{prefix}/{filename}" + + s3_client.put_object( + Bucket=output_bucket, + Key=file_key, + Body=content, + ContentType='text/plain' + ) + + logger.info(f"Stored template in S3: {file_key}") + return file_key + + except Exception as e: + logger.error(f"Error storing template in S3: {str(e)}") + raise + +def store_control_file(file_key, content, output_bucket): + """Store a single control file in S3""" + try: + if not content: + logger.warning(f"Empty content for file: {file_key}") + return None + + s3_client.put_object( + Bucket=output_bucket, + Key=file_key, + Body=content, + ContentType='text/plain' + ) + + logger.info(f"Successfully stored file in S3: {file_key}") + return file_key + + except Exception as e: + logger.error(f"Error storing file {file_key} in S3: {str(e)}") + return None + +def store_controls_in_parallel(service_id, config_id, controls, output_bucket): + """Store controls in parallel using thread pool""" + generated_files = [] + try: + with concurrent.futures.ThreadPoolExecutor(max_workers=3) as executor: + futures = [] + + control_types = { + 'detective_controls': 'detective_controls', + 'preventive_controls': 'preventive_controls', + 'proactive_controls': 'proactive_controls' + } + + for control_type, path in control_types.items(): + if control_type in controls and controls[control_type].get('code'): + file_key = f"{service_id}/{path}/{config_id}/{controls[control_type]['filename']}" + logger.info(f"Submitting {control_type} file: {file_key}") + + futures.append(executor.submit( + store_control_file, + file_key, + controls[control_type]['code'], + output_bucket + )) + + for future in concurrent.futures.as_completed(futures): + try: + result = future.result() + if result: + generated_files.append(result) + logger.info(f"Successfully stored file: {result}") + except Exception as e: + logger.error(f"Error in file storage thread: {str(e)}") + + return generated_files + + except Exception as e: + logger.error(f"Error in parallel file storage: {str(e)}") + return generated_files + +def store_json_and_markdown(service_id, prefix, json_data, markdown_content, output_bucket): + """Store both JSON and markdown versions of content""" + try: + # Add storage timestamp + if isinstance(json_data, dict) and '_metadata' in json_data: + json_data['_metadata']['storage_timestamp'] = datetime.utcnow().isoformat() + + # Store JSON version + s3_client.put_object( + Bucket=output_bucket, + Key=f"{service_id}/{prefix}.json", + Body=json.dumps(json_data, indent=2), + ContentType='application/json', + Metadata={ + "validated": "true", + "storage_date": datetime.utcnow().isoformat() + } + ) + + # Store markdown version + s3_client.put_object( + Bucket=output_bucket, + Key=f"{service_id}/{prefix}.md", + Body=markdown_content, + ContentType='text/markdown', + Metadata={ + "validated": "true", + "storage_date": datetime.utcnow().isoformat() + } + ) + + logger.info(f"Stored JSON and markdown for service: {service_id}") + + except Exception as e: + logger.error(f"Error storing JSON and markdown: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/requirements.txt b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/requirements.txt new file mode 100644 index 00000000..19c018b6 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/common-layer/requirements.txt @@ -0,0 +1,3 @@ +boto3>=1.28.0 +botocore>=1.31.0 +python-dateutil>=2.8.2 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/dynamodb-operations-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/dynamodb-operations-layer/build.sh new file mode 100755 index 00000000..195dd933 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/dynamodb-operations-layer/build.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# Build script for DynamoDB Operations Layer +echo "Building DynamoDB Operations Layer..." + +# Create python directory if it doesn't exist +mkdir -p python + +# Install dependencies if requirements.txt exists +if [ -f requirements.txt ]; then + echo "Installing dependencies..." + pip install -r requirements.txt -t python/ +fi + +echo "DynamoDB Operations Layer build complete!" +echo "Layer structure:" +find python -type f -name "*.py" | head -10 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/dynamodb-operations-layer/python/dynamodb_operations.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/dynamodb-operations-layer/python/dynamodb_operations.py new file mode 100644 index 00000000..9b985bee --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/dynamodb-operations-layer/python/dynamodb_operations.py @@ -0,0 +1,275 @@ +""" +DynamoDB Operations Layer +Common functions for DynamoDB operations across Lambda functions +""" +import json +import boto3 +import logging +from datetime import datetime +import uuid +from botocore.exceptions import ClientError + +logger = logging.getLogger() +dynamodb = boto3.client('dynamodb') + +def get_service_actions_from_dynamodb(service_id, service_actions_table): + """Query service actions from DynamoDB""" + try: + logger.info(f"Querying actions for service_id: {service_id}") + response = dynamodb.query( + TableName=service_actions_table, + KeyConditionExpression='service_id = :sid', + ExpressionAttributeValues={ + ':sid': {'S': service_id} + } + ) + + actions = [] + for item in response.get('Items', []): + action = { + 'action_name': item.get('action_name', {}).get('S', ''), + 'service_action': item.get('service_action', {}).get('S', ''), + 'description': item.get('description', {}).get('S', ''), + 'accessLevel': item.get('accessLevel', {}).get('S', '') + } + actions.append(action) + + logger.info(f"Retrieved {len(actions)} actions for service {service_id}") + return actions + + except Exception as e: + logger.error(f"Error querying service actions: {str(e)}") + return [] + +def get_service_parameters_from_dynamodb(service_id, service_parameters_table): + """Query service parameters from DynamoDB""" + try: + logger.info(f"Querying parameters for service_id: {service_id}") + response = dynamodb.query( + TableName=service_parameters_table, + KeyConditionExpression='service_id = :sid', + ExpressionAttributeValues={ + ':sid': {'S': service_id} + } + ) + + parameters = [] + for item in response.get('Items', []): + param = { + 'parameter_name': item.get('parameter_name', {}).get('S', ''), + 'description': item.get('description', {}).get('S', ''), + 'type': item.get('type', {}).get('S', ''), + 'resource_type': item.get('resource_type', {}).get('S', '') + } + parameters.append(param) + + logger.info(f"Retrieved {len(parameters)} parameters for service {service_id}") + return parameters + + except Exception as e: + logger.error(f"Error querying service parameters: {str(e)}") + return [] + +def get_configurations_from_dynamodb(request_id, service_id, control_library_table): + """Fetch and group configurations from DynamoDB by service name""" + try: + logger.info(f"Fetching configurations for requestId: {request_id}, serviceId: {service_id}") + + response = dynamodb.scan( + TableName=control_library_table, + FilterExpression='requestId = :rid AND serviceId = :sid', + ExpressionAttributeValues={ + ':rid': {'S': request_id}, + ':sid': {'S': service_id} + } + ) + + items = response.get('Items', []) + + # Handle pagination if needed + while 'LastEvaluatedKey' in response: + response = dynamodb.scan( + TableName=control_library_table, + FilterExpression='requestId = :rid AND serviceId = :sid', + ExpressionAttributeValues={ + ':rid': {'S': request_id}, + ':sid': {'S': service_id} + }, + ExclusiveStartKey=response['LastEvaluatedKey'] + ) + items.extend(response.get('Items', [])) + + if not items: + logger.warning(f"No configurations found for requestId: {request_id}, serviceId: {service_id}") + return {} + + # Group configurations by service name + configurations_by_service = {} + for item in items: + parsed_item = parse_dynamodb_item(item) + service_name = parsed_item.get('service_name') + if service_name: + if service_name not in configurations_by_service: + configurations_by_service[service_name] = [] + configurations_by_service[service_name].append(parsed_item) + + logger.info(f"Found {len(items)} configurations for {len(configurations_by_service)} services") + return configurations_by_service + + except ClientError as e: + logger.error(f"DynamoDB error: {str(e)}") + raise + except Exception as e: + logger.error(f"Error fetching configurations from DynamoDB: {str(e)}") + raise + +def parse_dynamodb_item(item): + """Parse DynamoDB item and convert to python dict""" + try: + if not isinstance(item, dict): + logger.warning(f"Expected dict, got {type(item)}") + return item + + parsed_item = {} + for key, value in item.items(): + try: + if not isinstance(value, dict): + logger.warning(f"Unexpected value type for key {key}: {type(value)}") + parsed_item[key] = value + continue + + if 'S' in value: + parsed_item[key] = value['S'] + elif 'N' in value: + parsed_item[key] = float(value['N']) + elif 'BOOL' in value: + parsed_item[key] = value['BOOL'] + elif 'SS' in value: + parsed_item[key] = value['SS'] + elif 'M' in value: + parsed_item[key] = parse_dynamodb_item(value['M']) + elif 'L' in value: + parsed_item[key] = [parse_dynamodb_item(i) if isinstance(i, dict) else i for i in value['L']] + elif all(k in ['name', 'description'] for k in value.keys()): + # Handle Map type that's not wrapped in 'M' + parsed_item[key] = parse_dynamodb_item(value) + else: + logger.warning(f"Unhandled DynamoDB type for key {key}: {list(value.keys())}") + parsed_item[key] = value + + except Exception as e: + logger.error(f"Error parsing key {key}: {str(e)}") + parsed_item[key] = value + + # Parse JSON strings if needed + if 'recommended_configuration' in parsed_item: + try: + if isinstance(parsed_item['recommended_configuration'], str): + parsed_item['recommended_configuration'] = json.loads(parsed_item['recommended_configuration']) + except json.JSONDecodeError: + logger.warning(f"Could not parse recommended_configuration JSON for item: {parsed_item.get('configuration_id')}") + + return parsed_item + + except Exception as e: + logger.error(f"Error parsing DynamoDB item: {str(e)}") + raise + +def store_control_library(analyzed_requirements, service_request, control_library_table): + """Store analyzed requirements in DynamoDB control library""" + try: + timestamp = datetime.utcnow().isoformat() + batch_id = str(uuid.uuid4()) + + for recommendation in analyzed_requirements: + preventive_control = recommendation['preventive_control'] + if recommendation.get('configuration_priority') != 'VERY HIGH': + preventive_control = { + "details": { + "note": "SCP not required - priority level below VERY HIGH" + } + } + + item = { + 'configuration_id': {'S': recommendation['configuration_id']}, + 'configuration_short_name': {'S': recommendation['configuration_short_name']}, + 'configuration_rationale': {'S': json.dumps(recommendation['configuration_rationale'])}, + 'configuration_priority': {'S': recommendation['configuration_priority']}, + 'service_name': {'S': recommendation['service_name']}, + 'security_domain': {'S': recommendation['security_domain']}, + 'consolidated_requirements': {'S': recommendation['consolidated_requirements']}, + 'threat_vector': {'S': json.dumps(recommendation['threat_vector'])}, + 'recommended_configuration': {'S': json.dumps(recommendation['recommended_configuration'])}, + 'configuration_AWS_URL': {'S': recommendation['configuration_AWS_URL']}, + 'detective_control': {'S': json.dumps(recommendation['detective_control'])}, + 'preventive_control': {'S': json.dumps(preventive_control)}, + 'proactive_control': {'S': json.dumps(recommendation['proactive_control'])}, + 'timestamp': {'S': timestamp}, + 'batch_id': {'S': batch_id}, + 'requestId': {'S': service_request.get('requestId', 'UNKNOWN')}, + 'serviceId': {'S': service_request.get('serviceId', 'UNKNOWN')} + } + + dynamodb.put_item( + TableName=control_library_table, + Item=item + ) + + logger.info(f"Stored {len(analyzed_requirements)} recommendations in DynamoDB") + return batch_id + + except Exception as e: + logger.error(f"Error storing in DynamoDB: {str(e)}") + raise + +def query_dynamodb_by_gsi(table_name, index_name, key_name, key_value): + """Query DynamoDB table using Global Secondary Index""" + try: + logger.info(f"Querying {table_name} using GSI {index_name} for {key_name}={key_value}") + + response = dynamodb.query( + TableName=table_name, + IndexName=index_name, + KeyConditionExpression=f'{key_name} = :key_value', + ExpressionAttributeValues={ + ':key_value': {'S': key_value} + } + ) + + items = [] + for item in response.get('Items', []): + parsed_item = parse_dynamodb_item(item) + items.append(parsed_item) + + logger.info(f"Retrieved {len(items)} items from {table_name}") + return items + + except Exception as e: + logger.error(f"Error querying {table_name} by GSI: {str(e)}") + return [] + +def update_service_tracking(service_request, service_tracking_table): + """Update service tracking information in DynamoDB""" + try: + timestamp = datetime.utcnow().isoformat() + services = service_request.get('services', []) + service_name = services[0].get('serviceName', 'UNKNOWN') if services else 'UNKNOWN' + + item = { + 'requestId': {'S': service_request.get('requestId', 'UNKNOWN')}, + 'serviceId': {'S': service_request.get('serviceId', 'UNKNOWN')}, + 'service_name': {'S': service_name}, + 'timestamp': {'S': timestamp}, + 'status': {'S': 'ANALYZED'}, + 'services': {'S': json.dumps(services)} + } + + dynamodb.put_item( + TableName=service_tracking_table, + Item=item + ) + logger.info(f"Successfully updated service tracking for request ID: {service_request.get('requestId', 'UNKNOWN')}") + + except Exception as e: + logger.error(f"Error updating service tracking: {str(e)}") + raise diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/mcp-tools-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/mcp-tools-layer/build.sh new file mode 100755 index 00000000..c0f206be --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/mcp-tools-layer/build.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +# Build script for MCP Tools Layer +# Installs MCP client dependencies + +set -e + +echo "Building MCP Tools Layer..." + +# Create python directory if it doesn't exist +mkdir -p python + +# Install Python dependencies for MCP integration +echo "Installing Python dependencies..." +pip install --target python/ requests beautifulsoup4 lxml + +echo "MCP Tools Layer build completed successfully!" +echo "Layer contents:" +ls -la python/ \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/mcp-tools-layer/python/mcp_tools.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/mcp-tools-layer/python/mcp_tools.py new file mode 100644 index 00000000..ada3f556 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/mcp-tools-layer/python/mcp_tools.py @@ -0,0 +1,210 @@ +""" +MCP Tools Integration for AWS Documentation MCP Server +Provides tools for structured AWS service documentation access +""" +import json +import logging +import subprocess +import os +from typing import Dict, List, Any, Optional + +logger = logging.getLogger() + +class MCPDocumentationClient: + """Client for AWS Documentation MCP Server""" + + def __init__(self): + self.server_path = os.environ.get('MCP_SERVER_PATH', 'uvx') + self.server_args = ['awslabs.aws-documentation-mcp-server@latest'] + + def get_service_documentation(self, service_name: str) -> Optional[Dict[str, Any]]: + """Get comprehensive documentation for an AWS service using search""" + try: + logger.info(f"Searching MCP documentation for service: {service_name}") + + # Use search_documentation to find service docs + search_query = f"{service_name} service documentation" + return self.search_documentation(search_query, 10) + + except Exception as e: + logger.error(f"Error fetching MCP documentation for {service_name}: {str(e)}") + return None + + def search_documentation(self, query: str, service: Optional[str] = None) -> Optional[List[Dict[str, Any]]]: + """Search AWS documentation using MCP server""" + try: + logger.info(f"Searching MCP documentation with query: {query}") + + # Prepare MCP request + mcp_request = { + "jsonrpc": "2.0", + "id": 2, + "method": "tools/call", + "params": { + "name": "search_documentation", + "arguments": { + "search_phrase": query, + "limit": 10 + } + } + } + + # Execute MCP server call + result = self._execute_mcp_call(mcp_request) + + if result and 'content' in result: + logger.info(f"Successfully searched MCP documentation for query: {query}") + return result['content'] + + return None + + except Exception as e: + logger.error(f"Error searching MCP documentation: {str(e)}") + return None + + def get_service_actions(self, service_name: str) -> Optional[List[Dict[str, Any]]]: + """Get IAM actions for a service using MCP""" + try: + # Use search to find IAM actions + search_query = f"{service_name} IAM actions permissions" + results = self.search_documentation(search_query) + + if results: + # Extract actions from search results + actions = [] + for result in results: + if 'actions' in result.get('content', '').lower(): + actions.append(result) + + return actions + + return None + + except Exception as e: + logger.error(f"Error getting MCP service actions for {service_name}: {str(e)}") + return None + + def get_service_parameters(self, service_name: str) -> Optional[List[Dict[str, Any]]]: + """Get CloudFormation parameters for a service using MCP""" + try: + # Use search to find CloudFormation parameters + search_query = f"{service_name} CloudFormation properties parameters" + results = self.search_documentation(search_query) + + if results: + # Extract parameters from search results + parameters = [] + for result in results: + content = result.get('content', '').lower() + if any(keyword in content for keyword in ['properties', 'parameters', 'cloudformation']): + parameters.append(result) + + return parameters + + return None + + except Exception as e: + logger.error(f"Error getting MCP service parameters for {service_name}: {str(e)}") + return None + + def _execute_mcp_call(self, request: Dict[str, Any]) -> Optional[Dict[str, Any]]: + """Execute MCP server call via subprocess""" + try: + # Convert request to JSON string + request_json = json.dumps(request) + + # Execute MCP server + process = subprocess.Popen( + [self.server_path] + self.server_args, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + text=True + ) + + # Send request and get response + stdout, stderr = process.communicate(input=request_json, timeout=30) + + if process.returncode == 0: + # Parse JSON response + response = json.loads(stdout) + + if 'result' in response: + return response['result'] + elif 'error' in response: + logger.error(f"MCP server error: {response['error']}") + return None + else: + logger.error(f"MCP server failed with return code {process.returncode}: {stderr}") + return None + + except subprocess.TimeoutExpired: + logger.error("MCP server call timed out") + process.kill() + return None + except json.JSONDecodeError as e: + logger.error(f"Failed to parse MCP server response: {str(e)}") + return None + except Exception as e: + logger.error(f"Error executing MCP server call: {str(e)}") + return None + +def get_mcp_tools() -> Dict[str, Any]: + """Get MCP tools configuration for Bedrock Agent""" + return { + "toolChoice": { + "auto": {} + }, + "tools": [ + { + "toolSpec": { + "name": "get_aws_service_documentation", + "description": "Get comprehensive AWS service documentation including IAM actions, CloudFormation properties, and service capabilities", + "inputSchema": { + "json": { + "type": "object", + "properties": { + "service_name": { + "type": "string", + "description": "AWS service name (e.g., 's3', 'lambda', 'dynamodb')" + } + }, + "required": ["service_name"] + } + } + } + }, + { + "toolSpec": { + "name": "search_aws_documentation", + "description": "Search AWS documentation for specific topics, configurations, or best practices", + "inputSchema": { + "json": { + "type": "object", + "properties": { + "query": { + "type": "string", + "description": "Search query for AWS documentation" + }, + "service": { + "type": "string", + "description": "Optional: Limit search to specific AWS service" + } + }, + "required": ["query"] + } + } + } + } + ] + } + +# Global MCP client instance +_mcp_client = None + +def get_mcp_client() -> MCPDocumentationClient: + """Get singleton MCP client instance""" + global _mcp_client + if _mcp_client is None: + _mcp_client = MCPDocumentationClient() + return _mcp_client \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/requests-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/requests-layer/build.sh new file mode 100755 index 00000000..61859e72 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/requests-layer/build.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +# Build script for requests layer +set -e + +echo "Building requests layer..." + +# Clean previous build +rm -rf python/ + +# Create python directory +mkdir -p python/ + +# Install dependencies +pip3 install -r requirements.txt -t python/ + +# Remove unnecessary files to reduce layer size +find python/ -type d -name "__pycache__" -exec rm -rf {} + 2>/dev/null || true +find python/ -name "*.pyc" -delete 2>/dev/null || true +find python/ -name "*.pyo" -delete 2>/dev/null || true +find python/ -name "*.dist-info" -exec rm -rf {} + 2>/dev/null || true +find python/ -name "*.egg-info" -exec rm -rf {} + 2>/dev/null || true + +echo "Requests layer build complete!" +echo "Layer contents:" +ls -la python/ diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/requests-layer/requirements.txt b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/requests-layer/requirements.txt new file mode 100644 index 00000000..f34e29c5 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/requests-layer/requirements.txt @@ -0,0 +1,5 @@ +requests>=2.31.0 +urllib3>=1.26.16 +certifi>=2023.7.22 +charset-normalizer>=3.2.0 +idna>=3.4 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/build.sh new file mode 100755 index 00000000..d5e42b8b --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/build.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +echo "Building Validation Layer..." +mkdir -p python + +if [ -f requirements.txt ]; then + echo "Installing dependencies..." + pip3 install -r requirements.txt -t python/ +fi + +echo "Validation Layer build complete!" +find python -name "*.py" | head -5 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/python/json_processing.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/python/json_processing.py new file mode 100644 index 00000000..7c9d7a04 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/python/json_processing.py @@ -0,0 +1,280 @@ +import json +import re +import logging + +logger = logging.getLogger() + +def camel_to_title(text): + """Convert camelCase to Title Case with spaces""" + # Insert space before uppercase letters that follow lowercase letters + text = re.sub(r'([a-z])([A-Z])', r'\1 \2', text) + # Handle sequences of uppercase letters followed by lowercase + text = re.sub(r'([A-Z]+)([A-Z][a-z])', r'\1 \2', text) + return text.title() + +def convert_json_to_markdown(json_data, title="Document"): + """Convert JSON to markdown with proper formatting for nested structures""" + try: + md = f"# {title}\n\n" + + for key, value in json_data.items(): + if key.startswith('_'): + # Handle metadata sections + md += f"## {camel_to_title(key[1:])}\n\n" + else: + md += f"## {camel_to_title(key)}\n\n" + + md += _format_value(value, 0) + md += "\n" + + return md + + except Exception as e: + return f"# Error\n\nFailed to convert JSON to markdown: {str(e)}\n" + +def _format_value(value, indent_level=0): + """Recursively format values with proper indentation""" + indent = " " * indent_level + + if isinstance(value, dict): + result = "" + dict_items = list(value.items()) + for i, (k, v) in enumerate(dict_items): + result += f"{indent}**{camel_to_title(k)}**: " + if isinstance(v, (dict, list)): + result += "\n" + result += _format_value(v, indent_level + 1) + # Add line break after nested structures + if i < len(dict_items) - 1: + result += "\n" + else: + result += f"{v}\n" + # Add line break between dictionary items (except last one) + if i < len(dict_items) - 1: + result += "\n" + return result + + elif isinstance(value, list): + if not value: + return f"{indent}*None*\n" + + # Check if all items are simple strings/numbers + if all(isinstance(item, (str, int, float, bool)) for item in value): + result = "" + for item in value: + result += f"{indent}- {item}\n" + return result + + # Check if this is a list of objects that should be a table + elif all(isinstance(item, dict) for item in value) and len(value) > 1: + # Get all unique keys from all objects + all_keys = [] + for item in value: + for k in item.keys(): + if k not in all_keys: + all_keys.append(k) + + # Create table if keys are reasonable for table format + if len(all_keys) <= 6: # Reasonable number of columns + result = "" + + # Create table header + result += f"{indent}| " + " | ".join(camel_to_title(k) for k in all_keys) + " |\n" + result += f"{indent}| " + " | ".join("---" for _ in all_keys) + " |\n" + + # Create table rows + for item in value: + row = [] + for k in all_keys: + cell_value = item.get(k, "") + if isinstance(cell_value, list): + # Join list items with
for table cells + cell_value = "
".join(str(v) for v in cell_value[:3]) # Limit to first 3 items + if len(item.get(k, [])) > 3: + cell_value += "
..." + elif isinstance(cell_value, dict): + cell_value = json.dumps(cell_value, separators=(',', ':')) + row.append(str(cell_value).replace('\n', ' ').replace('|', '\\|')) + result += f"{indent}| " + " | ".join(row) + " |\n" + result += "\n" + return result + + # Complex list items (not suitable for table) + result = "" + for i, item in enumerate(value): + if isinstance(item, dict): + result += f"{indent}**Item {i+1}**:\n" + result += _format_value(item, indent_level + 1) + else: + result += f"{indent}- {item}\n" + return result + + else: + return f"{indent}{value}\n" + +def clean_json_text(text): + """Clean and prepare JSON text for parsing""" + try: + text = text.strip() + + # Remove any incomplete parts + last_brace = text.rfind('}') + if last_brace > 0: + text = text[:last_brace+1] + + # Remove any trailing commas before closing braces + text = re.sub(r',(\s*})', r'\1', text) + + return text + except Exception as e: + logger.error(f"Error cleaning JSON text: {str(e)}") + raise + +def extract_json_from_text(text): + """Extract JSON from text content with improved parsing, handling markdown formatting""" + try: + text = text.strip() + logger.info(f"Cleaning and parsing text: {text[:100]}...") + + # Strategy 1: Direct JSON parsing + try: + parsed = json.loads(text) + if isinstance(parsed, dict): + return parsed + except json.JSONDecodeError: + pass + + # Strategy 2: Extract from markdown blocks + if '```json' in text or '```' in text: + blocks = text.split('```') + for block in blocks: + block = block.strip() + if block.startswith('json'): + block = block[4:].strip() + try: + parsed = json.loads(block) + if isinstance(parsed, dict): + return parsed + except json.JSONDecodeError: + continue + + # Strategy 3: Find JSON object + start_idx = text.find('{') + end_idx = text.rfind('}') + if start_idx >= 0 and end_idx > start_idx: + try: + json_str = text[start_idx:end_idx + 1] + parsed = json.loads(json_str) + if isinstance(parsed, dict): + return parsed + except json.JSONDecodeError: + pass + + logger.warning(f"No valid JSON found in content: {text[:200]}...") + return None + + except Exception as e: + logger.error(f"Error parsing content: {str(e)}") + return None + +def extract_json_from_content(content): + """Extract JSON from content with improved parsing logic""" + try: + # If content is already a dict or list, return it + if isinstance(content, (dict, list)): + return content + + # If content is a string, try to parse it + if isinstance(content, str): + # Try direct JSON parsing first + try: + return json.loads(content) + except json.JSONDecodeError: + pass + + # Look for JSON in markdown blocks + if '```json' in content: + json_blocks = content.split('```json') + for block in json_blocks[1:]: + try: + json_str = block.split('```')[0].strip() + return json.loads(json_str) + except json.JSONDecodeError: + continue + + # Try to find JSON object + start_idx = content.find('{') + end_idx = content.rfind('}') + if start_idx >= 0 and end_idx > start_idx: + try: + json_str = content[start_idx:end_idx + 1] + return json.loads(json_str) + except json.JSONDecodeError: + pass + + # Try to find JSON array + start_idx = content.find('[') + end_idx = content.rfind(']') + if start_idx >= 0 and end_idx > start_idx: + try: + json_str = content[start_idx:end_idx + 1] + return json.loads(json_str) + except json.JSONDecodeError: + pass + + # If content is a list of items, try to extract JSON from each item + if isinstance(content, list): + for item in content: + if isinstance(item, dict) and 'text' in item: + result = extract_json_from_content(item['text']) + if result: + return result + + logger.error(f"No valid JSON found in content: {str(content)[:200]}...") + raise ValueError("No valid JSON found in content") + + except Exception as e: + logger.error(f"Error in extract_json_from_content: {str(e)}") + raise + +def clean_and_extract_json(text): + """Clean markdown formatting and extract JSON content""" + try: + # Remove markdown formatting + if '```json' in text: + parts = text.split('```json') + if len(parts) > 1: + json_content = parts[1].split('```')[0].strip() + try: + parsed_json = json.loads(json_content) + logger.info("Successfully parsed JSON from markdown block") + return parsed_json + except json.JSONDecodeError: + logger.warning("Failed to parse JSON from markdown block") + + # Try to find JSON object + start_idx = text.find('{') + end_idx = text.rfind('}') + if start_idx >= 0 and end_idx > start_idx: + try: + json_str = text[start_idx:end_idx + 1] + parsed_json = json.loads(json_str) + logger.info("Successfully parsed JSON object") + return parsed_json + except json.JSONDecodeError: + logger.warning("Failed to parse JSON object") + + # Try to parse the entire text as JSON + try: + parsed_json = json.loads(text) + logger.info("Successfully parsed entire text as JSON") + return parsed_json + except json.JSONDecodeError: + logger.warning("Failed to parse entire text as JSON") + + logger.error(f"No valid JSON found in content: {text[:200]}...") + return None + + except Exception as e: + logger.error(f"Error cleaning and extracting JSON: {str(e)}") + return None diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/python/validation.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/python/validation.py new file mode 100644 index 00000000..c3e29898 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/python/validation.py @@ -0,0 +1,304 @@ +""" +Validation Layer +Common validation functions across Lambda functions +""" +import json +import logging +import re + +logger = logging.getLogger() + +def build_action_validation_set(validated_actions): + """Build comprehensive action validation set with both prefixed and non-prefixed actions""" + valid_action_names = set() + for action in validated_actions: + if action.get('service_action'): + valid_action_names.add(action['service_action']) + if action.get('action_name'): + valid_action_names.add(action['action_name']) + return valid_action_names + +def validate_configuration(config): + """Validate the configuration structure from DynamoDB""" + try: + required_fields = { + 'configuration_id': 'S', + 'service_name': 'S', + 'security_domain': 'S' + } + + for field, attr_type in required_fields.items(): + if not config.get(field, {}).get(attr_type): + logger.warning(f"Missing required field or invalid type: {field}") + return False + return True + except Exception as e: + logger.error(f"Error validating configuration: {str(e)}") + return False + +def validate_input(input_data): + """Validate the input parameters""" + try: + required_fields = ['requestId', 'serviceId'] + return all(input_data.get(field) for field in required_fields) + except Exception as e: + logger.error(f"Error validating input: {str(e)}") + return False + +def validate_recommendations(recommendations, valid_parameter_names, valid_action_names): + """Validate recommendations against known valid actions and parameters""" + validated_recommendations = [] + + for rec in recommendations: + settings = rec.get('recommended_configuration', {}).get('settings', {}) + invalid_params = [param for param in settings.keys() if param not in valid_parameter_names] + + if invalid_params: + logger.warning(f"Skipping recommendation with invalid parameters: {invalid_params}") + continue + + # Check SCP actions if priority is VERY HIGH + if rec.get('configuration_priority') == 'VERY HIGH': + scp = rec.get('preventive_control', {}).get('details', {}).get('scp_policy', {}) + actions = scp.get('Action', []) + if isinstance(actions, str): + actions = [actions] + + invalid_actions = [action for action in actions if action not in valid_action_names] + if invalid_actions: + logger.warning(f"Skipping recommendation with invalid SCP actions: {invalid_actions}") + continue + + validated_recommendations.append(rec) + logger.info(f"Validated recommendation: {rec['configuration_id']}") + + return validated_recommendations + +def validate_generated_controls(controls, valid_parameter_names, valid_action_names, original_config): + """Validate generated controls against valid parameters and actions""" + try: + if not isinstance(controls, dict): + logger.error("Invalid controls format") + return None + + for control_type, control in controls.items(): + if control_type == 'detective_controls': + if not validate_control_parameters(control.get('code', ''), + valid_parameter_names, + original_config): + logger.warning(f"Invalid parameters in detective control") + return None + + elif control_type == 'preventive_controls': + if not validate_control_actions(control.get('code', ''), + valid_action_names): + logger.warning(f"Invalid actions in preventive control") + return None + + elif control_type == 'proactive_controls': + if not validate_control_parameters(control.get('code', ''), + valid_parameter_names, + original_config): + logger.warning(f"Invalid parameters in proactive control") + return None + + return controls + + except Exception as e: + logger.error(f"Error validating controls: {str(e)}") + return None + +def validate_control_structure(control, control_type): + """Validate the structure of a specific control type""" + required_fields = { + 'configuration_id': str, + 'filename': str, + 'code': str, + 'control_id': str, + 'description': str, + 'implementation_guide': str + } + + for field, field_type in required_fields.items(): + if field not in control: + logger.error(f"Missing required field '{field}' in {control_type}") + return False + if not isinstance(control[field], field_type): + logger.error(f"Invalid type for field '{field}' in {control_type}") + return False + + return True + +def validate_control_parameters(control_code, valid_parameters, config): + """Validate control code only uses valid parameters""" + try: + config_params = config.get('recommended_configuration', {}).get('settings', {}).keys() + + for param in valid_parameters: + if param in control_code and param not in config_params: + logger.warning(f"Control uses invalid parameter: {param}") + return False + return True + except Exception as e: + logger.error(f"Error validating control parameters: {str(e)}") + return False + +def validate_control_actions(control_code, valid_actions): + """Validate control code only uses valid actions""" + try: + if isinstance(control_code, str): + try: + control_json = json.loads(control_code) + actions = control_json.get('Statement', [{}])[0].get('Action', []) + if isinstance(actions, str): + actions = [actions] + + for action in actions: + if action not in valid_actions: + logger.warning(f"Control uses invalid action: {action}") + return False + return True + except json.JSONDecodeError: + logger.error("Invalid JSON in control code") + return False + return False + except Exception as e: + logger.error(f"Error validating control actions: {str(e)}") + return False + +def validate_iac_parameters(template_content, valid_parameters, service_name): + """Validate IaC template parameters against AWS service documentation""" + try: + logger.info(f"Validating IaC parameters for {service_name}") + + valid_param_set = {param['parameter_name'] for param in valid_parameters} + + if isinstance(template_content, str): + if '.tf' in template_content: + params = re.findall(r'variable\s+"([^"]+)"', template_content) + normalized_valid_params = {p.replace('_', '').lower() for p in valid_param_set} + invalid_params = [p for p in params if p.replace('_', '').lower() not in normalized_valid_params] + else: + try: + import yaml + template_dict = yaml.safe_load(template_content) + params = list(template_dict.get('Parameters', {}).keys()) + invalid_params = [p for p in params if p not in valid_param_set] + except: + params = [] + invalid_params = [] + else: + params = [] + invalid_params = [] + + if invalid_params: + logger.warning(f"Invalid parameters found in template: {invalid_params}") + return False, invalid_params + + return True, [] + + except Exception as e: + logger.error(f"Error validating IaC parameters: {str(e)}") + return False, [] + +def validate_iam_model_actions(model, valid_action_names, valid_action_details): + """Validate IAM model actions against documented AWS actions""" + try: + if not isinstance(model, dict) or 'actions' not in model: + logger.error("Invalid IAM model structure") + return None + + validated_actions = [] + + for action in model['actions']: + action_name = action.get('action_name') + + if action_name not in valid_action_details: + logger.warning(f"Skipping invalid action: {action_name}") + continue + + valid_details = valid_action_details[action_name] + action['description'] = valid_details['description'] + action['accessLevel'] = valid_details['accessLevel'] + + validated_actions.append(action) + + if not validated_actions: + logger.error("No valid actions found after validation") + return None + + validated_model = { + "serviceName": model['serviceName'], + "servicePrefix": model['servicePrefix'], + "actions": validated_actions + } + + logger.info(f"Successfully validated {len(validated_actions)} actions") + return validated_model + + except Exception as e: + logger.error(f"Error validating IAM model actions: {str(e)}") + return None + +def validate_service_profile_content(profile, valid_param_details, valid_action_details): + """Validate service profile content against documented capabilities""" + try: + if not isinstance(profile, dict): + logger.error("Invalid profile structure") + return None + + # Validate encryption capabilities + encryption = profile.get('dataProtection', {}).get('encryption', {}) + if encryption: + encryption_params = [p for p in valid_param_details.keys() + if 'encrypt' in p.lower() or 'kms' in p.lower()] + encryption['atRest']['supported'] = bool(encryption_params) + + # Validate network capabilities + network = profile.get('networkControls', {}) + if network: + vpc_params = [p for p in valid_param_details.keys() + if 'vpc' in p.lower()] + network['vpcSupport'] = bool(vpc_params) + + # Validate IAM capabilities + access_controls = profile.get('accessControls', {}).get('iamSupport', {}) + if access_controls: + iam_actions = [a for a in valid_action_details.keys() + if any(role in a.lower() for role in ['role', 'policy', 'permission'])] + access_controls['serviceRoles'] = list(set( + role for action in iam_actions + for role in extract_roles_from_action(action) + )) + + # Validate logging capabilities + logging_config = profile.get('managementOps', {}).get('logging', {}) + if logging_config: + logging_config['cloudwatchSupport'] = any('cloudwatch' in p.lower() + for p in valid_param_details.keys()) + logging_config['cloudtrailSupport'] = any('cloudtrail' in p.lower() + for p in valid_param_details.keys()) + + # Add validation metadata + from datetime import datetime + profile['_metadata'] = { + "validation_timestamp": datetime.utcnow().isoformat(), + "validated_parameters": len(valid_param_details), + "validated_actions": len(valid_action_details) + } + + logger.info("Successfully validated service profile content") + return profile + + except Exception as e: + logger.error(f"Error validating service profile: {str(e)}") + return None + +def extract_roles_from_action(action_name): + """Extract role names from IAM action names""" + roles = [] + if 'role' in action_name.lower(): + role_parts = action_name.split(':') + if len(role_parts) > 1: + roles.append(role_parts[1]) + return roles diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/requirements.txt b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/requirements.txt new file mode 100644 index 00000000..c1a201db --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/validation-layer/requirements.txt @@ -0,0 +1 @@ +PyYAML>=6.0 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/web-scraping-layer/build.sh b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/web-scraping-layer/build.sh new file mode 100755 index 00000000..8c750d8b --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/web-scraping-layer/build.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +# Build script for web scraping layer +set -e + +echo "Building web scraping layer..." + +# Clean previous build +rm -rf python/ + +# Create python directory +mkdir -p python/ + +# Install dependencies +pip3 install -r requirements.txt -t python/ + +# Remove unnecessary files to reduce layer size +find python/ -type d -name "__pycache__" -exec rm -rf {} + 2>/dev/null || true +find python/ -name "*.pyc" -delete 2>/dev/null || true +find python/ -name "*.pyo" -delete 2>/dev/null || true +find python/ -name "*.dist-info" -exec rm -rf {} + 2>/dev/null || true +find python/ -name "*.egg-info" -exec rm -rf {} + 2>/dev/null || true + +echo "Web scraping layer build complete!" +echo "Layer contents:" +ls -la python/ diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/web-scraping-layer/requirements.txt b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/web-scraping-layer/requirements.txt new file mode 100644 index 00000000..4e27682b --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/layers/web-scraping-layer/requirements.txt @@ -0,0 +1,5 @@ +beautifulsoup4>=4.12.2 +lxml>=4.9.3 +html5lib>=1.1 +soupsieve>=2.4.1 +webencodings>=0.5.1 diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/cleanup_service.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/cleanup_service.py new file mode 100755 index 00000000..a119a143 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/cleanup_service.py @@ -0,0 +1,126 @@ +#!/usr/bin/env python3 + +import boto3 +import sys +import os +from botocore.exceptions import ClientError + +def delete_s3_service_outputs(service_name, bucket_name): + """Delete S3 objects for the service""" + s3 = boto3.client('s3') + + try: + # List objects with service prefix + response = s3.list_objects_v2( + Bucket=bucket_name, + Prefix=f'{service_name}/' + ) + + if 'Contents' in response: + objects = [{'Key': obj['Key']} for obj in response['Contents']] + s3.delete_objects( + Bucket=bucket_name, + Delete={'Objects': objects} + ) + print(f"Deleted {len(objects)} S3 objects for {service_name}") + else: + print(f"No S3 objects found for {service_name}") + + except ClientError as e: + print(f"Error deleting S3 objects: {e}") + +def delete_dynamodb_service_items(service_name, table_names): + """Delete DynamoDB items for the service""" + dynamodb = boto3.resource('dynamodb') + + for table_name in table_names: + try: + table = dynamodb.Table(table_name) + deleted_count = 0 + + # Try service_name first, then service_id + for key_name in ['service_name', 'service_id']: + try: + response = table.scan( + FilterExpression='#sn = :service', + ExpressionAttributeNames={'#sn': key_name}, + ExpressionAttributeValues={':service': service_name} + ) + + # Get table key schema to determine proper delete key + key_schema = table.key_schema + partition_key = next(k['AttributeName'] for k in key_schema if k['KeyType'] == 'HASH') + sort_key = next((k['AttributeName'] for k in key_schema if k['KeyType'] == 'RANGE'), None) + + # Delete items + with table.batch_writer() as batch: + for item in response['Items']: + delete_key = {partition_key: item[partition_key]} + if sort_key: + delete_key[sort_key] = item[sort_key] + batch.delete_item(Key=delete_key) + deleted_count += 1 + + if deleted_count > 0: + print(f"Deleted {deleted_count} items from {table_name}") + break + + except ClientError as e: + if 'ValidationException' in str(e): + continue # Try next key name + raise + + if deleted_count == 0: + print(f"No items found in {table_name} for {service_name}") + + except ClientError as e: + if e.response['Error']['Code'] == 'ResourceNotFoundException': + print(f"Table {table_name} not found, skipping") + else: + print(f"Error deleting from {table_name}: {e}") + +def main(): + if len(sys.argv) != 2: + print("Usage: python3 cleanup_service.py ") + sys.exit(1) + + service_name = sys.argv[1] + + # Get account and region + sts = boto3.client('sts') + account = sts.get_caller_identity()['Account'] + region = boto3.Session().region_name or 'us-east-1' + + # S3 bucket + output_bucket = f"gensec-security-config-outputs-{account}-{region}" + + # DynamoDB tables + tables = [ + 'gensec-AWSServiceActions', + 'gensec-AWSServiceParameters', + 'gensec-AWSServiceInventory', + 'gensec-AWSServiceResources', + 'gensec-SecurityControlLibrary', + 'gensec-ServiceRequestTracking', + 'gensec-ServiceProfileLibrary' + ] + + print(f"Cleaning up service: {service_name}") + + # Delete S3 outputs + delete_s3_service_outputs(service_name, output_bucket) + + # Delete DynamoDB items + delete_dynamodb_service_items(service_name, tables) + + # Delete local test outputs + local_output_path = f"tests/output/{service_name}" + if os.path.exists(local_output_path): + import shutil + shutil.rmtree(local_output_path) + print(f"Deleted local output directory: {local_output_path}") + + print(f"Cleanup complete for {service_name}") + +if __name__ == "__main__": + main() diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/config-rules/aws_config_manage_rules_baseline.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/config-rules/aws_config_manage_rules_baseline.json new file mode 100644 index 00000000..85c5a346 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/config-rules/aws_config_manage_rules_baseline.json @@ -0,0 +1,18905 @@ +{ + "metadata": { + "generated_at": "2025-10-01T21:59:57.962481", + "total_rules": 701, + "total_entries": 728, + "service_distribution": { + "iam": 25, + "acm": 3, + "acmpca": 2, + "amazonmq": 12, + "elasticloadbalancingv2": 23, + "amplify": 5, + "apigateway": 10, + "apigatewayv2": 3, + "appconfig": 12, + "appflow": 2, + "appintegrations": 2, + "appmesh": 14, + "ec2": 79, + "apprunner": 7, + "appstream": 1, + "appsync": 7, + "aps": 1, + "athena": 7, + "auditmanager": 1, + "rds": 61, + "autoscaling": 9, + "backup": 4, + "batch": 10, + "elasticbeanstalk": 6, + "cassandra": 1, + "elasticloadbalancing": 12, + "cloudtrail": 11, + "cloudformation": 3, + "cloudfront": 17, + "cloudwatch": 4, + "s3": 30, + "logs": 2, + "kms": 4, + "codebuild": 9, + "codedeploy": 5, + "codeguruprofiler": 1, + "codegurureviewer": 1, + "codepipeline": 2, + "cognito": 5, + "connect": 1, + "events": 2, + "eventschemas": 1, + "customerprofiles": 3, + "datasync": 4, + "dax": 2, + "dms": 11, + "dynamodb": 11, + "ebs": 1, + "ssm": 11, + "ecr": 5, + "ecs": 13, + "efs": 12, + "eks": 9, + "elasticache": 10, + "elasticsearch": 4, + "emr": 5, + "evidently": 6, + "fis": 2, + "shield": 3, + "wafregional": 6, + "shieldregional": 1, + "waf": 5, + "frauddetector": 4, + "fsx": 9, + "glue": 4, + "guardduty": 11, + "inspector": 4, + "iot": 4, + "iotevents": 3, + "iotsitewise": 5, + "iottwinmaker": 5, + "iotwireless": 3, + "ivs": 4, + "kinesisfirehose": 1, + "kinesis": 2, + "kinesisvideo": 1, + "lambda": 7, + "lightsail": 4, + "macie": 2, + "msk": 5, + "kafkaconnect": 1, + "multi": 1, + "networkfirewall": 8, + "opensearch": 10, + "redshift": 15, + "redshiftserverless": 7, + "route53": 3, + "route53resolver": 4, + "rum": 1, + "s3express": 1, + "sagemaker": 15, + "secretsmanager": 5, + "security": 1, + "securityhub": 1, + "servicecatalog": 2, + "ses": 1, + "sns": 4, + "sqs": 3, + "stepfunctions": 2, + "storagegateway": 3, + "transfer": 10, + "backupgateway": 3, + "wafv2": 4, + "workspaces": 4 + } + }, + "rules": [ + { + "rule_name": "access-keys-rotated", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html", + "last_updated": "2025-10-01T21:57:30.557498", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "maxAccessKeyAge" + }, + "description": { + "S": "Maximum number of days without rotation. Default 90." + } + } + ] + }, + { + "rule_name": "account-part-of-organizations", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if an AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/account-part-of-organizations.html", + "last_updated": "2025-10-01T21:57:30.760859", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "MasterAccountId (Optional)" + }, + "description": { + "S": "The master account ID for an AWS account." + } + } + ] + }, + { + "rule_name": "acm-certificate-expiration-check", + "service_name": "acm", + "type": "MANAGED", + "description": "Checks if AWS Certificate Manager Certificates in your account are marked for expiration within the specified number of days.\nCertificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.\nThe rule is NON_COMPLIANT if your certificates are about to expire.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html", + "last_updated": "2025-10-01T21:57:30.969638", + "services": [ + "acm" + ], + "parameters": [ + { + "name": { + "S": "daysToExpiration (Optional)" + }, + "description": { + "S": "Specify the number of days before the rule flags the ACM Certificate as noncompliant." + } + } + ] + }, + { + "rule_name": "acm-certificate-rsa-check", + "service_name": "acm", + "type": "MANAGED", + "description": "Checks if RSA certificates managed by AWS Certificate Manager (ACM) have a key length of at least '2048' bits.The rule is NON_COMPLIANT if the minimum key length is less than 2048 bits.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-rsa-check.html", + "last_updated": "2025-10-01T21:57:31.181796", + "services": [ + "acm" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "acm-pca-root-ca-disabled", + "service_name": "acmpca", + "type": "MANAGED", + "description": "Checks if AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-pca-root-ca-disabled.html", + "last_updated": "2025-10-01T21:57:31.409926", + "services": [ + "acmpca" + ], + "parameters": [ + { + "name": { + "S": "exemptedCAArns (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Resource Names (ARN) of CA's that can be enabled. This value can be supplied for other CAs, like specific root CAs or intermediate CA's that can be enabled." + } + } + ] + }, + { + "rule_name": "acmpca-certificate-authority-tagged", + "service_name": "acmpca", + "type": "MANAGED", + "description": "Checks if AWS Private CA certificate authorities have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/acmpca-certificate-authority-tagged.html", + "last_updated": "2025-10-01T21:57:31.621897", + "services": [ + "acmpca" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "active-mq-supported-version", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if an Amazon MQ ActiveMQ broker is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the ActiveMQ broker is not running on the minimum supported engine version that you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/active-mq-supported-version.html", + "last_updated": "2025-10-01T21:57:31.839340", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "supportedEngineVersion" + }, + "description": { + "S": "String value for the rule to check the minimum supported engine version for the ActiveMQ broker. ActiveMQ brokers use semantic versioning specification: X.Y.Z. X denotes the major version, Y represent" + } + } + ] + }, + { + "rule_name": "alb-desync-mode-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode. The rule is NON_COMPLIANT if ALB desync mitigation mode does not match with the user defined desync mitigation mode.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html", + "last_updated": "2025-10-01T21:57:32.056434", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "desyncMode" + }, + "description": { + "S": "Comma-separated list, in which customers can choose max 2 values among - 'defensive', 'strictest', and 'monitor'." + } + } + ] + }, + { + "rule_name": "alb-http-drop-invalid-header-enabled", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if rule evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html", + "last_updated": "2025-10-01T21:57:32.273436", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "alb-http-to-https-redirection-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers.\nThe rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is also NON_COMPLIANT if one of more HTTP listeners have forwarding to an HTTP listener instead of redirection.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html", + "last_updated": "2025-10-01T21:57:32.507638", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "alb-internal-scheme-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if an Application Load Balancer scheme is internal. The rule is NON_COMPLIANT if configuration.scheme is not set to internal.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-internal-scheme-check.html", + "last_updated": "2025-10-01T21:57:32.717376", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "alb-listener-tagged", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Application Load Balancer listeners have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-listener-tagged.html", + "last_updated": "2025-10-01T21:57:32.912346", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "alb-tagged", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Application Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-tagged.html", + "last_updated": "2025-10-01T21:57:33.121952", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "alb-waf-enabled", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if AWS WAF is enabled on Application Load Balancers (ALBs). The rule is NON_COMPLIANT if key: waf.enabled is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html", + "last_updated": "2025-10-01T21:57:33.340442", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "wafWebAclIds (Optional)" + }, + "description": { + "S": "Comma separated list of web ACL ID (for WAF) or web ACL ARN (for WAFV2) checking for ALB association." + } + } + ] + }, + { + "rule_name": "amplify-app-branch-auto-deletion-enabled", + "service_name": "amplify", + "type": "MANAGED", + "description": "Checks if AWS Amplify apps automatically disconnect a branch in Amplify Hosting when you delete a branch from your Git repository. The rule is NON_COMPLIANT if configuration.EnableBranchAutoDeletion is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/amplify-app-branch-auto-deletion-enabled.html", + "last_updated": "2025-10-01T21:57:33.546649", + "services": [ + "amplify" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "amplify-app-description", + "service_name": "amplify", + "type": "MANAGED", + "description": "Checks if AWS Amplify apps have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/amplify-app-description.html", + "last_updated": "2025-10-01T21:57:33.765649", + "services": [ + "amplify" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "amplify-app-tagged", + "service_name": "amplify", + "type": "MANAGED", + "description": "Checks if AWS Amplify apps have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/amplify-app-tagged.html", + "last_updated": "2025-10-01T21:57:33.976913", + "services": [ + "amplify" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "amplify-branch-performance-mode-enabled", + "service_name": "amplify", + "type": "MANAGED", + "description": "Checks if AWS Amplify branches have performance mode enabled. The rule is NON_COMPLIANT if configuration.EnablePerformanceMode is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/amplify-branch-performance-mode-enabled.html", + "last_updated": "2025-10-01T21:57:34.199859", + "services": [ + "amplify" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "amplify-branch-tagged", + "service_name": "amplify", + "type": "MANAGED", + "description": "Checks if AWS Amplify branches have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/amplify-branch-tagged.html", + "last_updated": "2025-10-01T21:57:34.402991", + "services": [ + "amplify" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "api-gw-associated-with-waf", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if an Amazon API Gateway API stage is using an AWS WAF web access control list (web ACL). The rule is NON_COMPLIANT if an AWS WAF Web ACL is not used or if a used AWS Web ACL does not match what is listed in the rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-associated-with-waf.html", + "last_updated": "2025-10-01T21:57:34.599991", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "WebAclArns (Optional)" + }, + "description": { + "S": "Comma-separated list of web ACL Amazon Resource Names (ARNs)." + } + } + ] + }, + { + "rule_name": "api-gw-cache-enabled-and-encrypted", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if all methods in Amazon API Gateway stages have cache enabled and cache encrypted. The rule is NON_COMPLIANT if any method in an Amazon API Gateway stage is not configured to cache or the cache is not encrypted.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html", + "last_updated": "2025-10-01T21:57:34.794889", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "api-gw-endpoint-type-check", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-endpoint-type-check.html", + "last_updated": "2025-10-01T21:57:34.993082", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "endpointConfigurationTypes" + }, + "description": { + "S": "Comma-separated list of allowed endpointConfigurationTypes. Allowed values are REGIONAL, PRIVATE and EDGE." + } + } + ] + }, + { + "rule_name": "api-gw-execution-logging-enabled", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if all methods in Amazon API Gateway stages have logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or if loggingLevel is neither ERROR nor INFO.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html", + "last_updated": "2025-10-01T21:57:35.270206", + "services": [ + "apigateway", + "apigatewayv2" + ], + "parameters": [ + { + "name": { + "S": "loggingLevel (Optional)" + }, + "description": { + "S": "Comma-separated list of specific logging levels (for example, ERROR, INFO or ERROR,INFO)." + } + } + ] + }, + { + "rule_name": "api-gw-execution-logging-enabled", + "service_name": "apigatewayv2", + "type": "MANAGED", + "description": "Checks if all methods in Amazon API Gateway stages have logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or if loggingLevel is neither ERROR nor INFO.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html", + "last_updated": "2025-10-01T21:57:35.270215", + "services": [ + "apigateway", + "apigatewayv2" + ], + "parameters": [ + { + "name": { + "S": "loggingLevel (Optional)" + }, + "description": { + "S": "Comma-separated list of specific logging levels (for example, ERROR, INFO or ERROR,INFO)." + } + } + ] + }, + { + "rule_name": "api-gw-rest-api-tagged", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if AWS ApiGateway REST API resources resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-rest-api-tagged.html", + "last_updated": "2025-10-01T21:57:35.463958", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "api-gw-ssl-enabled", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if a REST API stage uses an SSL certificate. The rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html", + "last_updated": "2025-10-01T21:57:35.660839", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "CertificateIDs (Optional)" + }, + "description": { + "S": "Comma-separated list of client certificate IDs configured on a REST API stage." + } + } + ] + }, + { + "rule_name": "api-gw-stage-tagged", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if AWS ApiGateway stage resources resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-stage-tagged.html", + "last_updated": "2025-10-01T21:57:35.857569", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "api-gw-xray-enabled", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gw-xray-enabled.html", + "last_updated": "2025-10-01T21:57:36.060594", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "api-gwv2-access-logs-enabled", + "service_name": "apigatewayv2", + "type": "MANAGED", + "description": "Checks if Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-access-logs-enabled.html", + "last_updated": "2025-10-01T21:57:36.269779", + "services": [ + "apigatewayv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "api-gwv2-authorization-type-configured", + "service_name": "apigatewayv2", + "type": "MANAGED", + "description": "Checks if Amazon API Gatewayv2 API routes have an authorization type set. This rule is NON_COMPLIANT if the authorization type is NONE.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-authorization-type-configured.html", + "last_updated": "2025-10-01T21:57:36.484765", + "services": [ + "apigatewayv2" + ], + "parameters": [ + { + "name": { + "S": "authorizationType (Optional)" + }, + "description": { + "S": "Parameter to check API routes' authorization types against. String parameters matching CUSTOM, AWS_IAM, JWT are valid." + } + } + ] + }, + { + "rule_name": "apigateway-stage-access-logs-enabled", + "service_name": "apigateway", + "type": "MANAGED", + "description": "Checks if Amazon API Gateway stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apigateway-stage-access-logs-enabled.html", + "last_updated": "2025-10-01T21:57:36.691887", + "services": [ + "apigateway" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-application-description", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig applications have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-application-description.html", + "last_updated": "2025-10-01T21:57:36.877390", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-application-tagged", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig applications have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-application-tagged.html", + "last_updated": "2025-10-01T21:57:37.085226", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appconfig-configuration-profile-tagged", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig configuration profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-configuration-profile-tagged.html", + "last_updated": "2025-10-01T21:57:37.290484", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appconfig-configuration-profile-validators-not-empty", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if an AWS AppConfig configuration profile includes at least one validator for syntactic or semantic check to ensure the configuration deploy functions as intended. The rule is NON_COMPLIANT if the Validators property is an empty array.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-configuration-profile-validators-not-empty.html", + "last_updated": "2025-10-01T21:57:37.491629", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-deployment-strategy-description", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig deployment strategies have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-deployment-strategy-description.html", + "last_updated": "2025-10-01T21:57:37.687443", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-deployment-strategy-minimum-final-bake-time", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if an AWS AppConfig deployment strategy requires the specified minimum bake time. The rule is NON_COMPLIANT if the deployment strategy has a final bake time less than value specified in the rule parameter. The default value is 30 minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-deployment-strategy-minimum-final-bake-time.html", + "last_updated": "2025-10-01T21:57:37.897548", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "minBakeTime (Optional)" + }, + "description": { + "S": "The minimum bake time in minutes of the AWS AppConfig deployment strategy for the rule to check. The rule is NON_COMPLIANT if the bake time is less than the value specified in this parameter. Valid va" + } + } + ] + }, + { + "rule_name": "appconfig-deployment-strategy-replicate-to-ssm", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig deployment strategies save the deployment strategy to an AWS Systems Manager (SSM) document. The rule is NON_COMPLIANT if configuration.ReplicateTo is not 'SSM_DOCUMENT'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-deployment-strategy-replicate-to-ssm.html", + "last_updated": "2025-10-01T21:57:38.099835", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-environment-description", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig environments have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-environment-description.html", + "last_updated": "2025-10-01T21:57:38.289838", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-environment-tagged", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig environments have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-environment-tagged.html", + "last_updated": "2025-10-01T21:57:38.506007", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appconfig-extension-association-tagged", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig extension associations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-extension-association-tagged.html", + "last_updated": "2025-10-01T21:57:38.707112", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appconfig-freeform-profile-config-storage", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if freeform configuration profiles for AWS AppConfig store their configuration data in AWS Secrets Manager or AWS AppConfig hosted configuration store. The rule is NON_COMPLIANT if configuration.LocationUri is not secretsmanager or hosted.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-freeform-profile-config-storage.html", + "last_updated": "2025-10-01T21:57:38.894078", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appconfig-hosted-configuration-version-description", + "service_name": "appconfig", + "type": "MANAGED", + "description": "Checks if AWS AppConfig hosted configuration versions have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appconfig-hosted-configuration-version-description.html", + "last_updated": "2025-10-01T21:57:39.111506", + "services": [ + "appconfig" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appflow-flow-tagged", + "service_name": "appflow", + "type": "MANAGED", + "description": "Checks if Amazon AppFlow flows have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appflow-flow-tagged.html", + "last_updated": "2025-10-01T21:57:39.314774", + "services": [ + "appflow" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appflow-flow-trigger-type-check", + "service_name": "appflow", + "type": "MANAGED", + "description": "Checks if an Amazon AppFlow flow runs using the specified trigger type. The rule is NON_COMPLAINT if the flow does not run using the flow type specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appflow-flow-trigger-type-check.html", + "last_updated": "2025-10-01T21:57:39.517578", + "services": [ + "appflow" + ], + "parameters": [ + { + "name": { + "S": "triggerType" + }, + "description": { + "S": "Comma-separated list of trigger types for the rule to check. Valid values include: 'Scheduled', 'Event', and 'OnDemand'." + } + } + ] + }, + { + "rule_name": "appintegrations-event-integration-description", + "service_name": "appintegrations", + "type": "MANAGED", + "description": "Checks if Amazon AppIntegrations event integrations have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appintegrations-event-integration-description.html", + "last_updated": "2025-10-01T21:57:39.732639", + "services": [ + "appintegrations" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appintegrations-event-integration-tagged", + "service_name": "appintegrations", + "type": "MANAGED", + "description": "Checks if Amazon AppIntegrations event integrations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appintegrations-event-integration-tagged.html", + "last_updated": "2025-10-01T21:57:39.921123", + "services": [ + "appintegrations" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-gateway-route-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh gateway routes have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-gateway-route-tagged.html", + "last_updated": "2025-10-01T21:57:40.141627", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-mesh-deny-tcp-forwarding", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if proxies for AWS App Mesh service meshes do not forward TCP traffic directly to services that aren't deployed with a proxy that is defined in the mesh. The rule is NON_COMPLIANT if configuration.Spec.EgressFilter.Type is set to 'ALLOW_ALL'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-mesh-deny-tcp-forwarding.html", + "last_updated": "2025-10-01T21:57:40.339688", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appmesh-mesh-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh meshes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-mesh-tagged.html", + "last_updated": "2025-10-01T21:57:40.538757", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-route-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh routes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-route-tagged.html", + "last_updated": "2025-10-01T21:57:40.741459", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-gateway-backend-defaults-tls", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if backend defaults for AWS App Mesh virtual gateways require the virtual gateways to communicate with all ports using TLS. The rule is NON_COMPLIANT if configuration.Spec.BackendDefaults.ClientPolicy.Tls.Enforce is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-gateway-backend-defaults-tls.html", + "last_updated": "2025-10-01T21:57:41.019415", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-gateway-logging-file-path-exists", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh virtual gateways have a file path to write access logs to. The rule is NON_COMPLIANT if configuration.Spec.Logging.AccessLog.File.Path does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-gateway-logging-file-path-exists.html", + "last_updated": "2025-10-01T21:57:41.219650", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-gateway-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh virtual gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-gateway-tagged.html", + "last_updated": "2025-10-01T21:57:41.544248", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-node-backend-defaults-tls-on", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if backend defaults for AWS App Mesh virtual nodes require the virtual nodes to communicate with all ports using TLS. The rule is NON_COMPLIANT if configuration.Spec.BackendDefaults.ClientPolicy.Tls.Enforce is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-node-backend-defaults-tls-on.html", + "last_updated": "2025-10-01T21:57:41.753728", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-node-cloud-map-ip-pref-check", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if an AWS App Mesh virtual node is configured with the specified IP preference for AWS Cloud Map service discovery. The rule is NON_COMPLIANT if the virtual node is not configured with the IP preference specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-node-cloud-map-ip-pref-check.html", + "last_updated": "2025-10-01T21:57:42.014018", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "ipPreference" + }, + "description": { + "S": "The IP preference value for AWS Cloud Map service discovery. The rule is NON_COMPLIANT if a virtual node is configured with a value that does not match this value. Valid values include: 'IPv6_PREFERRE" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-node-dns-ip-pref-check", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if an AWS App Mesh virtual node is configured with the specified IP preference for DNS service discovery. The rule is NON_COMPLIANT if the virtual node is not configured with the IP preference specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-node-dns-ip-pref-check.html", + "last_updated": "2025-10-01T21:57:42.247215", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "ipPreference" + }, + "description": { + "S": "The IP preference value for DNS service discovery. The rule is NON_COMPLIANT if a virtual node is configured with a value that does not match this value. Valid values include: 'IPv6_PREFERRED', 'IPv4_" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-node-logging-file-path-exists", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh virtual nodes have a file path to write access logs to. The rule is NON_COMPLIANT if configuration.Spec.Logging.AccessLog.File.Path does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-node-logging-file-path-exists.html", + "last_updated": "2025-10-01T21:57:42.506919", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-node-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh virtual nodes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-node-tagged.html", + "last_updated": "2025-10-01T21:57:42.706387", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-router-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh virtual routers have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-router-tagged.html", + "last_updated": "2025-10-01T21:57:42.928527", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appmesh-virtual-service-tagged", + "service_name": "appmesh", + "type": "MANAGED", + "description": "Checks if AWS App Mesh virtual services have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appmesh-virtual-service-tagged.html", + "last_updated": "2025-10-01T21:57:43.133611", + "services": [ + "appmesh" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "approved-amis-by-id", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if EC2 instances are using specified Amazon Machine Images (AMIs). Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are NON_COMPLIANT.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html", + "last_updated": "2025-10-01T21:57:43.324391", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "amiIds" + }, + "description": { + "S": "Comma-separated list of up to 21 AMI IDs. There is a 1024 characters limit." + } + } + ] + }, + { + "rule_name": "approved-amis-by-tag", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if EC2 instances are using specified Amazon Machine Images (AMIs). Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are NON_COMPLIANT.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-tag.html", + "last_updated": "2025-10-01T21:57:43.544126", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "amisByTagKeyAndValue" + }, + "description": { + "S": "Comma-separated list of up to 10 AMIs tags (tag-key:tag-value). For example, tag-key1 matches AMIs with tag-key1; tag-key2:value2 matches tag-key2 with the value 2." + } + } + ] + }, + { + "rule_name": "apprunner-service-in-vpc", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if AWS App Runner services route egress traffic through custom VPC. The rule is NON_COMPLIANT if configuration.NetworkConfiguration.EgressConfiguration.EgressType is equal to DEFAULT.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-in-vpc.html", + "last_updated": "2025-10-01T21:57:43.738909", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "apprunner-service-ip-address-type-check", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if an AWS App Runner service is configured with the specified IP address type for incoming public network configuration. The rule is NON_COMPLIANT if the service is not configured with the IP address type specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-ip-address-type-check.html", + "last_updated": "2025-10-01T21:57:43.939988", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "ipAddressType" + }, + "description": { + "S": "The IP address type value for the rule to check. The rule is NON_COMPLIANT if an AWS App Runner service is configured with a value that does not match this value. Valid values include: 'IPV4', 'DUAL_S" + } + } + ] + }, + { + "rule_name": "apprunner-service-max-unhealthy-threshold", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if an AWS App Runner service is configured to have an unhealthy threshold less than or equal to the specified value. The rule is NON_COMPLIANT if the unhealthy threshold is greater than the value specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-max-unhealthy-threshold.html", + "last_updated": "2025-10-01T21:57:44.138954", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "maxUnhealthyThreshold" + }, + "description": { + "S": "The maximum unhealthy threshold value for the rule to check. The rule is NON_COMPLIANT if an AWS App Runner service is configured with an unhealthy threshold greater than this value. Valid values are " + } + } + ] + }, + { + "rule_name": "apprunner-service-no-public-access", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if AWS AppRunner Services are not publicly accessible. The rule is NON_COMPLIANT if service.configuration.NetworkConfiguration.IngressConfiguration.IsPubliclyAccessible is False.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-no-public-access.html", + "last_updated": "2025-10-01T21:57:44.348413", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "apprunner-service-observability-enabled", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if AWS App Runner services have observability enabled. The rule is NON_COMPLIANT if configuration.ObservabilityConfiguration.ObservabilityEnabled is false'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-observability-enabled.html", + "last_updated": "2025-10-01T21:57:44.544464", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "apprunner-service-tagged", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if AWS App Runner services have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-tagged.html", + "last_updated": "2025-10-01T21:57:44.734990", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "apprunner-vpc-connector-tagged", + "service_name": "apprunner", + "type": "MANAGED", + "description": "Checks if AWS App Runner VPC connectors have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/apprunner-vpc-connector-tagged.html", + "last_updated": "2025-10-01T21:57:44.928204", + "services": [ + "apprunner" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "appstream-fleet-in-vpc", + "service_name": "appstream", + "type": "MANAGED", + "description": "Checks if Amazon AppStream 2.0 fleets use an Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if configuration.VpcConfig does not exist. The rule does not check Elastic fleets.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appstream-fleet-in-vpc.html", + "last_updated": "2025-10-01T21:57:45.142133", + "services": [ + "appstream" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appsync-associated-with-waf", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-associated-with-waf.html", + "last_updated": "2025-10-01T21:57:45.329314", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "wafWebAclARNs (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Resource Names (ARNs) for authorized web ACLs." + } + } + ] + }, + { + "rule_name": "appsync-authorization-check", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if an AWS AppSync API is using allowed authorization mechanisms. The rule is NON_COMPLIANT if an unapproved authorization mechanism is being used.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-authorization-check.html", + "last_updated": "2025-10-01T21:57:45.530187", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "AllowedAuthorizationTypes" + }, + "description": { + "S": "Comma-separated list of allowed AWS AppSync authorization mechanisms. Allowed values are: 'API_KEY', 'AWS_LAMBDA', 'AWS_IAM', 'OPENID_CONNECT', 'AMAZON_COGNITO_USER_POOLS'." + } + } + ] + }, + { + "rule_name": "appsync-cache-ct-encryption-at-rest", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if 'AtRestEncryptionEnabled' is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-cache-ct-encryption-at-rest.html", + "last_updated": "2025-10-01T21:57:45.764989", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appsync-cache-ct-encryption-in-transit", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if an AWS AppSync API cache has encryption in transit enabled. The rule is NON_COMPLIANT if 'TransitEncryptionEnabled' is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-cache-ct-encryption-in-transit.html", + "last_updated": "2025-10-01T21:57:45.972425", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appsync-cache-encryption-at-rest", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if 'AtRestEncryptionEnabled' is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-cache-encryption-at-rest.html", + "last_updated": "2025-10-01T21:57:46.178836", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appsync-graphql-api-xray-enabled", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if AWS AppSync GraphQL APIs have AWS X-Ray tracing enabled. The rule is NON_COMPLIANT if configuration.XrayEnabled is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-graphql-api-xray-enabled.html", + "last_updated": "2025-10-01T21:57:46.377470", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "appsync-logging-enabled", + "service_name": "appsync", + "type": "MANAGED", + "description": "Checks if an AWS AppSync API has field level logging enabled. The rule is NON_COMPLIANT if field level logging is not enabled, or if the field logging levels for the AppSync API do not match the values specified in the 'fieldLoggingLevel' parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/appsync-logging-enabled.html", + "last_updated": "2025-10-01T21:57:46.566254", + "services": [ + "appsync" + ], + "parameters": [ + { + "name": { + "S": "fieldLoggingLevel (Optional)" + }, + "description": { + "S": "Comma-separated list of field logging levels for the rule to check. For example, \"ERROR, INFO\"." + } + } + ] + }, + { + "rule_name": "aps-rule-groups-namespace-tagged", + "service_name": "aps", + "type": "MANAGED", + "description": "Checks if Amazon Managed Service for Prometheus rule groups namepaces have tags. You can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aps-rule-groups-namespace-tagged.html", + "last_updated": "2025-10-01T21:57:46.819486", + "services": [ + "aps" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "athena-data-catalog-description", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if Amazon Athena data catalogs have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-data-catalog-description.html", + "last_updated": "2025-10-01T21:57:47.009573", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "athena-prepared-statement-description", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if Amazon Athena prepared statements have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-prepared-statement-description.html", + "last_updated": "2025-10-01T21:57:47.216562", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "athena-workgroup-description", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if Amazon Athena workgroups have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-workgroup-description.html", + "last_updated": "2025-10-01T21:57:47.415470", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "athena-workgroup-encrypted-at-rest", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if an Amazon Athena workgroup is encrypted at rest. The rule is NON_COMPLIANT if encryption of data at rest is not enabled for an Athena workgroup.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-workgroup-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:57:47.622042", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "athena-workgroup-enforce-workgroup-configuration", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if Amazon Athena workgroups using Athena engine enforce workgroup configuration to override client-side settings. The rule is NON_COMPLIANT if configuration.WorkGroupConfiguration.EnforceWorkGroupConfiguration is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-workgroup-enforce-workgroup-configuration.html", + "last_updated": "2025-10-01T21:57:47.830856", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "athena-workgroup-engine-version-auto-upgrade", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if Amazon Athena workgroups using Athena engine are configured to auto upgrade. The rule is NON_COMPLIANT if configuration.WorkGroupConfiguration.EngineVersion.SelectedEngineVersion is not 'AUTO'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-workgroup-engine-version-auto-upgrade.html", + "last_updated": "2025-10-01T21:57:48.046331", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "athena-workgroup-logging-enabled", + "service_name": "athena", + "type": "MANAGED", + "description": "Checks if Amazon Athena WorkGroup publishes usage metrics to Amazon CloudWatch. The rule is NON_COMPLIANT if an Amazon Athena WorkGroup 'PublishCloudWatchMetricsEnabled' is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/athena-workgroup-logging-enabled.html", + "last_updated": "2025-10-01T21:57:48.268482", + "services": [ + "athena" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "auditmanager-assessment-tagged", + "service_name": "auditmanager", + "type": "MANAGED", + "description": "Checks if AWS Audit Manager assessments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/auditmanager-assessment-tagged.html", + "last_updated": "2025-10-01T21:57:48.464651", + "services": [ + "auditmanager" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "aurora-last-backup-recovery-point-created", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon Aurora DB clusters. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) DB Cluster does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aurora-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:57:48.668565", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Aurora DB clusters for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "aurora-meets-restore-time-target", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon Aurora DB clusters meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Aurora DB Cluster is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aurora-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:57:48.880399", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "ID of Aurora DB cluster for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "aurora-mysql-backtracking-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Aurora MySQL cluster has backtracking enabled. The rule is NON_COMPLIANT if the Aurora cluster uses MySQL and it does not have backtracking enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-backtracking-enabled.html", + "last_updated": "2025-10-01T21:57:49.088024", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "BacktrackWindowInHours (Optional)" + }, + "description": { + "S": "Amount of time in hours (up to 72) to backtrack your Aurora MySQL cluster." + } + } + ] + }, + { + "rule_name": "aurora-mysql-cluster-audit-logging", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Aurora MySQL DB clusters have audit logging enabled. The rule is NON_COMPLIANT if a DB cluster does not have audit logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-cluster-audit-logging.html", + "last_updated": "2025-10-01T21:57:49.300230", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "aurora-resources-in-logically-air-gapped-vault", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Aurora DB clusters are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon Aurora DB cluster is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:57:49.526785", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Aurora DB clusters for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "aurora-resources-protected-by-backup-plan", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:57:49.769661", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Aurora DB clusters for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-capacity-rebalancing", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types. The rule is NON_COMPLIANT if capacity Rebalancing is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-capacity-rebalancing.html", + "last_updated": "2025-10-01T21:57:49.984251", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-group-elb-healthcheck-required", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if your Amazon EC2 Auto Scaling groups that are associated with an Elastic Load Balancer use Elastic Load Balancing health checks. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling groups are not using Elastic Load Balancing health checks.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html", + "last_updated": "2025-10-01T21:57:50.194893", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-launch-config-hop-limit", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-hop-limit.html", + "last_updated": "2025-10-01T21:57:50.391594", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-launch-config-public-ip-disabled", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. The rule is NON_COMPLIANT if the Launch Configuration for an Amazon EC2 Auto Scaling group has AssociatePublicIpAddress set to 'true'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html", + "last_updated": "2025-10-01T21:57:50.604035", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-launch-template", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. The rule is NON_COMPLIANT if the scaling group is not created from an EC2 launch template.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-template.html", + "last_updated": "2025-10-01T21:57:50.845854", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-launchconfig-requires-imdsv2", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html", + "last_updated": "2025-10-01T21:57:51.061942", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "autoscaling-multiple-az", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if the Auto Scaling group spans multiple Availability Zones. The rule is NON_COMPLIANT if the Auto Scaling group does not span multiple Availability Zones.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-az.html", + "last_updated": "2025-10-01T21:57:51.260564", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "minAvailabilityZones (Optional)" + }, + "description": { + "S": "Minimum number of expected Availability zones." + } + } + ] + }, + { + "rule_name": "autoscaling-multiple-instance-types", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if an Amazon EC2 Auto Scaling group uses multiple instance types. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined. This rule does not evaluate attribute-based instance types.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-instance-types.html", + "last_updated": "2025-10-01T21:57:51.481409", + "services": [ + "autoscaling" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "backup-plan-min-frequency-and-min-retention-check", + "service_name": "backup", + "type": "MANAGED", + "description": "Checks if a backup plan has a backup rule that satisfies the required frequency and retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/backup-plan-min-frequency-and-min-retention-check.html", + "last_updated": "2025-10-01T21:57:51.687503", + "services": [ + "backup" + ], + "parameters": [ + { + "name": { + "S": "requiredFrequencyValue (Optional)" + }, + "description": { + "S": "Numerical value for required backup frequency. Maximum of 24 for hours, 31 for days." + } + }, + { + "name": { + "S": "requiredRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "requiredFrequencyUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "backup-recovery-point-encrypted", + "service_name": "backup", + "type": "MANAGED", + "description": "Checks if a recovery point is encrypted. The rule is NON_COMPLIANT if the recovery point is not encrypted.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-encrypted.html", + "last_updated": "2025-10-01T21:57:51.889590", + "services": [ + "backup" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "backup-recovery-point-manual-deletion-disabled", + "service_name": "backup", + "type": "MANAGED", + "description": "Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-manual-deletion-disabled.html", + "last_updated": "2025-10-01T21:57:52.144794", + "services": [ + "backup" + ], + "parameters": [ + { + "name": { + "S": "principalArnList (Optional)" + }, + "description": { + "S": "Comma-separated list of AWS Identity and Access Management (IAM) Amazon Resource Names (ARNs) for the rule to NOT check." + } + } + ] + }, + { + "rule_name": "backup-recovery-point-minimum-retention-check", + "service_name": "backup", + "type": "MANAGED", + "description": "Checks if a recovery point expires no earlier than after the specified period. The rule is NON_COMPLIANT if the recovery point has a retention point that is less than the required retention period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-minimum-retention-check.html", + "last_updated": "2025-10-01T21:57:52.354093", + "services": [ + "backup" + ], + "parameters": [ + { + "name": { + "S": "requiredRetentionDays (Optional)" + }, + "description": { + "S": "Required retention period in days." + } + } + ] + }, + { + "rule_name": "batch-compute-environment-enabled", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch compute environments are enabled. The rule is NON_COMPLIANT if configuration.State is 'DISABLED'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-compute-environment-enabled.html", + "last_updated": "2025-10-01T21:57:52.554120", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "batch-compute-environment-managed", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch compute environments are managed. The rule is NON_COMPLIANT if configuration.Type is 'UNMANAGED'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-compute-environment-managed.html", + "last_updated": "2025-10-01T21:57:52.756854", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "batch-compute-environment-tagged", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch compute environments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-compute-environment-tagged.html", + "last_updated": "2025-10-01T21:57:52.973303", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "batch-job-queue-enabled", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch job queues are enabled. The rule is NON_COMPLIANT if configuration.State is 'DISABLED'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-job-queue-enabled.html", + "last_updated": "2025-10-01T21:57:53.188595", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "batch-job-queue-tagged", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch job queues have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-job-queue-tagged.html", + "last_updated": "2025-10-01T21:57:53.397524", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "batch-managed-compute-env-allocation-strategy-check", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if an AWS Batch managed compute environment is configured with a specified allocation strategy. The rule is NON_COMPLIANT if the compute environment is not configured with an allocation strategy specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-managed-compute-env-allocation-strategy-check.html", + "last_updated": "2025-10-01T21:57:53.603505", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "allocationStrategy" + }, + "description": { + "S": "Comma-separated list of allocation strategies for the rule to check. Valid values include: 'BEST_FIT', 'BEST_FIT_PROGRESSIVE', 'SPOT_CAPACITY_OPTIMIZED', and 'SPOT_PRICE_CAPACITY_OPTIMIZED'." + } + } + ] + }, + { + "rule_name": "batch-managed-compute-env-compute-resources-tagged", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch managed compute environments compute resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. Tags starting with 'aws:' are not checked.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-managed-compute-env-compute-resources-tagged.html", + "last_updated": "2025-10-01T21:57:53.809632", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "batch-managed-compute-environment-using-launch-template", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch managed compute environments are configured using a launch template. The rule is NON_COMPLIANT if configuration.ComputeResources.LaunchTemplate does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-managed-compute-environment-using-launch-template.html", + "last_updated": "2025-10-01T21:57:54.017374", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "batch-managed-spot-compute-environment-max-bid", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if an AWS Batch managed Spot compute environment is configured to have a bid percentage less than or equal to the specified value. The rule is NON_COMPLIANT if the bid percentage is greater than the value specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-managed-spot-compute-environment-max-bid.html", + "last_updated": "2025-10-01T21:57:54.219456", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "maxBidPercentage" + }, + "description": { + "S": "The maximum bid percentage value for the rule to check. The rule is NON_COMPLIANT if an AWS Batch managed Spot compute environment is configured with a bid percentage greater than this value. Valid va" + } + } + ] + }, + { + "rule_name": "batch-scheduling-policy-tagged", + "service_name": "batch", + "type": "MANAGED", + "description": "Checks if AWS Batch scheduling policies have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/batch-scheduling-policy-tagged.html", + "last_updated": "2025-10-01T21:57:54.429141", + "services": [ + "batch" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "beanstalk-enhanced-health-reporting-enabled", + "service_name": "elasticbeanstalk", + "type": "MANAGED", + "description": "Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.\n The rule is COMPLIANT if the environment is configured for enhanced health reporting.\n The rule is NON_COMPLIANT if the environment is configured for basic health reporting.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html", + "last_updated": "2025-10-01T21:57:54.629245", + "services": [ + "elasticbeanstalk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cassandra-keyspace-tagged", + "service_name": "cassandra", + "type": "MANAGED", + "description": "Checks if Amazon Keyspaces (for Apache Cassandra) keyspaces have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cassandra-keyspace-tagged.html", + "last_updated": "2025-10-01T21:57:54.846870", + "services": [ + "cassandra" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "clb-desync-mode-check", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode. The rule is NON_COMPLIANT if CLB Desync mitigation mode does not match with user defined Desync mitigation mode.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html", + "last_updated": "2025-10-01T21:57:55.056076", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "desyncMode" + }, + "description": { + "S": "Comma-separated list of values. You can select a max of two. Valid values include 'Defensive', 'Strictest', and 'Monitor'." + } + } + ] + }, + { + "rule_name": "clb-multiple-az", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if a Classic Load Balancer spans multiple Availability Zones (AZs). The rule is NON_COMPLIANT if a Classic Load Balancer spans less than 2 AZs or does not span number of AZs mentioned in the minAvailabilityZones parameter (if provided).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/clb-multiple-az.html", + "last_updated": "2025-10-01T21:57:55.267315", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "minAvailabilityZones (Optional)" + }, + "description": { + "S": "Desired minimum number of expected AZs. Valid values are between 2 and 10, both inclusive. Default value is 2 if parameter is not specified." + } + } + ] + }, + { + "rule_name": "cloud-trail-cloud-watch-logs-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if AWS CloudTrail trails are configured to send logs to CloudWatch logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html", + "last_updated": "2025-10-01T21:57:55.459287", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "expectedDeliveryWindowAge (Optional)" + }, + "description": { + "S": "Maximum age in hours of the most recent delivery to CloudWatch logs that satisfies compliance." + } + } + ] + }, + { + "rule_name": "cloud-trail-encryption-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) encryption. The rule is COMPLIANT if the KmsKeyId is defined.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html", + "last_updated": "2025-10-01T21:57:55.674257", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloud-trail-log-file-validation-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html", + "last_updated": "2025-10-01T21:57:55.880360", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudformation-stack-drift-detection-check", + "service_name": "cloudformation", + "type": "MANAGED", + "description": "Checks if the actual configuration of a AWS CloudFormation (AWS CloudFormation) stack differs, or has drifted, from the expected configuration.\n\t\t\t\tA stack is considered to have drifted if one or more of its resources differ from their expected configuration.\n\t\t\t\tThe rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule is NON_COMPLIANT if the stack drift status is DRIFTED.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html", + "last_updated": "2025-10-01T21:57:56.100118", + "services": [ + "cloudformation" + ], + "parameters": [ + { + "name": { + "S": "cloudformationRoleArn" + }, + "description": { + "S": "The Amazon Resource Name (ARN) of the IAM role with policy permissions to detect drift for AWS CloudFormation stacks.\nFor information on required IAM permissions for the role,\nsee Detecting unmanaged " + } + } + ] + }, + { + "rule_name": "cloudformation-stack-notification-check", + "service_name": "cloudformation", + "type": "MANAGED", + "description": "Checks if your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally checks if specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-notification-check.html", + "last_updated": "2025-10-01T21:57:56.315857", + "services": [ + "cloudformation" + ], + "parameters": [ + { + "name": { + "S": "snsTopic1 (Optional)" + }, + "description": { + "S": "SNS Topic ARN." + } + }, + { + "name": { + "S": "snsTopic2 (Optional)" + }, + "description": { + "S": "SNS Topic ARN." + } + }, + { + "name": { + "S": "snsTopic3 (Optional)" + }, + "description": { + "S": "SNS Topic ARN." + } + }, + { + "name": { + "S": "snsTopic4 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "snsTopic5 (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-accesslogs-enabled", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket using standard logging (legacy). The rule is NON_COMPLIANT if a CloudFront distribution does not have legacy logging configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html", + "last_updated": "2025-10-01T21:57:56.517724", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "S3BucketName (Optional)" + }, + "description": { + "S": "The name of the Amazon S3 bucket for storing server access logs." + } + } + ] + }, + { + "rule_name": "cloudfront-associated-with-waf", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-associated-with-waf.html", + "last_updated": "2025-10-01T21:57:56.736702", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "wafWebAclIds (Optional)" + }, + "description": { + "S": "Comma-separated list of web ACL IDs for WAF or web ACL Amazon Resource Names (ARNs) for WAFV2." + } + } + ] + }, + { + "rule_name": "cloudfront-custom-ssl-certificate", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if the certificate associated with an Amazon CloudFront distribution is the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-custom-ssl-certificate.html", + "last_updated": "2025-10-01T21:57:56.943662", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-default-root-object-configured", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if Amazon CloudFront distribution does not have a default root object configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-default-root-object-configured.html", + "last_updated": "2025-10-01T21:57:57.156986", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-no-deprecated-ssl-protocols", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any \u2018OriginSslProtocols\u2019 includes \u2018SSLv3\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html", + "last_updated": "2025-10-01T21:57:57.375524", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-origin-access-identity-enabled", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if CloudFront distribution with Amazon S3 Origin type has origin access identity configured. The rule is NON_COMPLIANT if the CloudFront distribution is backed by S3 and any origin type is not OAI configured, or the origin is not an S3 bucket.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-access-identity-enabled.html", + "last_updated": "2025-10-01T21:57:57.578092", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-origin-failover-enabled", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if an origin group is configured for the distribution of at least two origins in the origin group for Amazon CloudFront. The rule is NON_COMPLIANT if there are no origin groups for the distribution.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-failover-enabled.html", + "last_updated": "2025-10-01T21:57:57.792762", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-origin-lambda-url-oac-enabled", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions with Amazon Lambda Function URL origins have origin access control (OAC) enabled. The rule is NON_COMPLIANT if any Lambda Function URL origin in a CloudFront distribution does not have OAC enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-lambda-url-oac-enabled.html", + "last_updated": "2025-10-01T21:57:57.997612", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-s3-origin-access-control-enabled", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-s3-origin-access-control-enabled.html", + "last_updated": "2025-10-01T21:57:58.210428", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-s3-origin-non-existent-bucket", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-s3-origin-non-existent-bucket.html", + "last_updated": "2025-10-01T21:57:58.424175", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-security-policy-check", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-security-policy-check.html", + "last_updated": "2025-10-01T21:57:58.626333", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-sni-enabled", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-sni-enabled.html", + "last_updated": "2025-10-01T21:57:58.830646", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-ssl-policy-check", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions are configured with the specified security policies.The rule is NON_COMPLIANT if a CloudFront Distribution is not configured with security policies that you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-ssl-policy-check.html", + "last_updated": "2025-10-01T21:57:59.052743", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "securityPolicies" + }, + "description": { + "S": "Comma-separated list of CloudFront distribution security policies for the rule to check. For example: \"TLSv1.2_2018, TLSv1.2_2019, TLSv1.2_2021\". For a list of valid value, see the Amazon CloudFront D" + } + } + ] + }, + { + "rule_name": "cloudfront-traffic-to-origin-encrypted", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if \u2018OriginProtocolPolicy\u2019 is \u2018http-only\u2019 or if \u2018OriginProtocolPolicy\u2019 is \u2018match-viewer\u2019 and \u2018ViewerProtocolPolicy\u2019 is \u2018allow-all\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html", + "last_updated": "2025-10-01T21:57:59.260488", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudfront-viewer-policy-https", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "Checks if your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-viewer-policy-https.html", + "last_updated": "2025-10-01T21:57:59.462754", + "services": [ + "cloudfront" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudtrail-all-read-s3-data-event-check", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if an AWS CloudTrail multi-Region trail is enabled and logs all read S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all read S3 data event types for all current and future S3 buckets.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-all-read-s3-data-event-check.html", + "last_updated": "2025-10-01T21:57:59.688685", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudtrail-all-write-s3-data-event-check", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if an AWS CloudTrail multi-Region trail is enabled and logs all write S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all write S3 data event types for all current and future S3 buckets.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-all-write-s3-data-event-check.html", + "last_updated": "2025-10-01T21:57:59.904227", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudtrail-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html", + "last_updated": "2025-10-01T21:58:00.112085", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "s3BucketName (Optional)" + }, + "description": { + "S": "Name of S3 bucket for CloudTrail to deliver log files to." + } + }, + { + "name": { + "S": "snsTopicArn (Optional)" + }, + "description": { + "S": "CloudWatch log group ARN for CloudTrail to send data to." + } + }, + { + "name": { + "S": "cloudWatchLogsLogGroupArn (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudtrail-s3-bucket-access-logging", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if the S3 bucket configurations for your AWS CloudTrail logs have Amazon S3 server access logging enabled. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail does not have S3 server access logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-bucket-access-logging.html", + "last_updated": "2025-10-01T21:58:00.351937", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudtrail-s3-bucket-public-access-prohibited", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if the S3 bucket configurations for your AWS CloudTrail logs block public access. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail is publicly accessible.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-bucket-public-access-prohibited.html", + "last_updated": "2025-10-01T21:58:00.566488", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudtrail-s3-dataevents-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if at least one AWS CloudTrail trail is logging Amazon Simple Storage Service (Amazon S3) data events for all S3 buckets. The rule is NON_COMPLIANT if there are trails or if no trails record S3 data events.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html", + "last_updated": "2025-10-01T21:58:00.817406", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "S3BucketNames (Optional)" + }, + "description": { + "S": "Comma-separated list of S3 bucket names for which data events logging should be enabled. Default behavior checks for all S3 buckets." + } + } + ] + }, + { + "rule_name": "cloudtrail-security-trail-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks that there is at least one AWS CloudTrail trail defined with security best practices.\n\t\t\t\tThis rule is COMPLIANT if there is at least one trail that meets all of the following:", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-security-trail-enabled.html", + "last_updated": "2025-10-01T21:58:01.110422", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-alarm-action-check", + "service_name": "cloudwatch", + "type": "MANAGED", + "description": "Checks if CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally checks if any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html", + "last_updated": "2025-10-01T21:58:01.344701", + "services": [ + "cloudwatch" + ], + "parameters": [ + { + "name": { + "S": "alarmActionRequired" + }, + "description": { + "S": "Alarms have at least one action." + } + }, + { + "name": { + "S": "insufficientDataActionRequired" + }, + "description": { + "S": "The action to execute, specified as an ARN." + } + }, + { + "name": { + "S": "okActionRequired" + }, + "description": { + "S": "The action to execute, specified as an ARN." + } + }, + { + "name": { + "S": "action1 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "action2 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "action3 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "action4 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "action5 (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-alarm-action-enabled-check", + "service_name": "cloudwatch", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch alarms actions are in enabled state. The rule is NON_COMPLIANT if the CloudWatch alarms actions are not in enabled state.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-enabled-check.html", + "last_updated": "2025-10-01T21:58:01.539589", + "services": [ + "cloudwatch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-alarm-resource-check", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-resource-check.html", + "last_updated": "2025-10-01T21:58:01.738288", + "services": [ + "s3", + "ec2", + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceType" + }, + "description": { + "S": "AWS resource type. The value can be one of the following: AWS::EC2::Volume, AWS::EC2::Instance, AWS::RDS::DBCluster, or AWS::S3::Bucket." + } + }, + { + "name": { + "S": "metricName" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-alarm-resource-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-resource-check.html", + "last_updated": "2025-10-01T21:58:01.738306", + "services": [ + "s3", + "ec2", + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceType" + }, + "description": { + "S": "AWS resource type. The value can be one of the following: AWS::EC2::Volume, AWS::EC2::Instance, AWS::RDS::DBCluster, or AWS::S3::Bucket." + } + }, + { + "name": { + "S": "metricName" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-alarm-resource-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-resource-check.html", + "last_updated": "2025-10-01T21:58:01.738313", + "services": [ + "s3", + "ec2", + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceType" + }, + "description": { + "S": "AWS resource type. The value can be one of the following: AWS::EC2::Volume, AWS::EC2::Instance, AWS::RDS::DBCluster, or AWS::S3::Bucket." + } + }, + { + "name": { + "S": "metricName" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-alarm-settings-check", + "service_name": "cloudwatch", + "type": "MANAGED", + "description": "Checks whether CloudWatch alarms with the given metric name have the specified settings.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-settings-check.html", + "last_updated": "2025-10-01T21:58:01.965126", + "services": [ + "cloudwatch" + ], + "parameters": [ + { + "name": { + "S": "metricName" + }, + "description": { + "S": "The name for the metric associated with the alarm." + } + }, + { + "name": { + "S": "threshold (Optional)" + }, + "description": { + "S": "The number of periods over which data is compared to the specified threshold." + } + }, + { + "name": { + "S": "evaluationPeriods (Optional)" + }, + "description": { + "S": "The operation for comparing the specified statistic and threshold (for example, 'GreaterThanThreshold')." + } + }, + { + "name": { + "S": "period (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "comparisonOperator (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "statistic (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cloudwatch-log-group-encrypted", + "service_name": "logs", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key Id. The rule is NON_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html", + "last_updated": "2025-10-01T21:58:02.182563", + "services": [ + "logs" + ], + "parameters": [ + { + "name": { + "S": "KmsKeyId (Optional)" + }, + "description": { + "S": "Amazon Resource Name (ARN) of the ID for the KMS key that is used to encrypt the log group." + } + } + ] + }, + { + "rule_name": "cloudwatch-metric-stream-tagged", + "service_name": "cloudwatch", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch metric streams have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-metric-stream-tagged.html", + "last_updated": "2025-10-01T21:58:02.395148", + "services": [ + "cloudwatch" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "cmk-backing-key-rotation-enabled", + "service_name": "kms", + "type": "MANAGED", + "description": "Checks if automatic key rotation is enabled for each key and matches to the key ID of the customer created AWS KMS key. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html", + "last_updated": "2025-10-01T21:58:02.595377", + "services": [ + "kms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codebuild-project-artifact-encryption", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-artifact-encryption.html", + "last_updated": "2025-10-01T21:58:02.808584", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codebuild-project-environment-privileged-check", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if an AWS CodeBuild project environment has privileged mode enabled. The rule is NON_COMPLIANT for a CodeBuild project if \u2018privilegedMode\u2019 is set to \u2018true\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-environment-privileged-check.html", + "last_updated": "2025-10-01T21:58:03.012942", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "exemptedProjects (Optional)" + }, + "description": { + "S": "Comma-separated list of CodeBuild project names that are allowed to have \u2018privilegedMode\u2019 with value \u2018true\u2019." + } + } + ] + }, + { + "rule_name": "codebuild-project-envvar-awscred-check", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contains plaintext credentials.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html", + "last_updated": "2025-10-01T21:58:03.218641", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codebuild-project-logging-enabled", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is NON_COMPLIANT if the status of all present log configurations is set to 'DISABLED'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-logging-enabled.html", + "last_updated": "2025-10-01T21:58:03.418535", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "s3BucketNames (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon S3 bucket names that logs should be sent to if S3 logs are configured." + } + }, + { + "name": { + "S": "cloudWatchGroupNames (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codebuild-project-s3-logs-encrypted", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if \u2018encryptionDisabled\u2019 is set to \u2018true\u2019 in a S3LogsConfig of a CodeBuild project.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-s3-logs-encrypted.html", + "last_updated": "2025-10-01T21:58:03.613954", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "exemptedProjects (Optional)" + }, + "description": { + "S": "Comma-separated list of CodeBuild project names that are allowed to output unencrypted logs." + } + } + ] + }, + { + "rule_name": "codebuild-project-source-repo-url-check", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html", + "last_updated": "2025-10-01T21:58:03.829285", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codebuild-report-group-encrypted-at-rest", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if an AWS CodeBuild report group has encryption at rest setting enabled. The rule is NON_COMPLIANT if 'EncryptionDisabled' is 'true'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-report-group-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:58:04.043649", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codebuild-report-group-tagged", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if AWS CodeBuild report groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-report-group-tagged.html", + "last_updated": "2025-10-01T21:58:04.246546", + "services": [ + "codebuild" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "codedeploy-auto-rollback-monitor-enabled", + "service_name": "codedeploy", + "type": "MANAGED", + "description": "Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached. The rule is NON_COMPLIANT if AutoRollbackConfiguration or AlarmConfiguration has not been configured or is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-auto-rollback-monitor-enabled.html", + "last_updated": "2025-10-01T21:58:04.450166", + "services": [ + "codedeploy" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codedeploy-deployment-group-auto-rollback-enabled", + "service_name": "codedeploy", + "type": "MANAGED", + "description": "Checks if AWS CodeDeploy deployment groups have auto rollback configuration enabled. The rule is NON_COMPLIANT if configuration.autoRollbackConfiguration.enabled is false or does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-deployment-group-auto-rollback-enabled.html", + "last_updated": "2025-10-01T21:58:04.663388", + "services": [ + "codedeploy" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codedeploy-deployment-group-outdated-instances-update", + "service_name": "codedeploy", + "type": "MANAGED", + "description": "Checks if AWS CodeDeploy deployment groups automatically update outdated instances. The rule is NON_COMPLIANT if configuration.outdatedInstancesStrategy is 'IGNORE'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-deployment-group-outdated-instances-update.html", + "last_updated": "2025-10-01T21:58:04.866612", + "services": [ + "codedeploy" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codedeploy-ec2-minimum-healthy-hosts-configured", + "service_name": "codedeploy", + "type": "MANAGED", + "description": "Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold. The rule is NON_COMPLIANT if either is below the threshold.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-ec2-minimum-healthy-hosts-configured.html", + "last_updated": "2025-10-01T21:58:05.076140", + "services": [ + "codedeploy" + ], + "parameters": [ + { + "name": { + "S": "minimumHealthyHostsFleetPercent (Optional)" + }, + "description": { + "S": "Minimum percentage of healthy hosts fleet during deployment. Default value is set to 66 percent." + } + }, + { + "name": { + "S": "minimumHealthyHostsHostCount (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codedeploy-lambda-allatonce-traffic-shift-disabled", + "service_name": "codedeploy", + "type": "MANAGED", + "description": "Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration. The rule is NON_COMPLIANT if the deployment group is using the deployment configuration 'CodeDeployDefault.LambdaAllAtOnce'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-lambda-allatonce-traffic-shift-disabled.html", + "last_updated": "2025-10-01T21:58:05.279999", + "services": [ + "codedeploy" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "codeguruprofiler-profiling-group-tagged", + "service_name": "codeguruprofiler", + "type": "MANAGED", + "description": "Checks if Amazon CodeGuru Profiler profiling groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codeguruprofiler-profiling-group-tagged.html", + "last_updated": "2025-10-01T21:58:05.468235", + "services": [ + "codeguruprofiler" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "codegurureviewer-repository-association-tagged", + "service_name": "codegurureviewer", + "type": "MANAGED", + "description": "Checks if Amazon CodeGuru Reviewer repository associations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codegurureviewer-repository-association-tagged.html", + "last_updated": "2025-10-01T21:58:05.672540", + "services": [ + "codegurureviewer" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "codepipeline-deployment-count-check", + "service_name": "codepipeline", + "type": "MANAGED", + "description": "Checks if the first deployment stage of AWS CodePipeline performs more than one deployment. Optionally checks if each of the subsequent remaining stages deploy to more than the specified number of deployments (deploymentLimit).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-deployment-count-check.html", + "last_updated": "2025-10-01T21:58:05.868640", + "services": [ + "codepipeline" + ], + "parameters": [ + { + "name": { + "S": "deploymentLimit (Optional)" + }, + "description": { + "S": "The maximum number of deployments each stage can perform." + } + } + ] + }, + { + "rule_name": "codepipeline-region-fanout-check", + "service_name": "codepipeline", + "type": "MANAGED", + "description": "Checks if each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number.\n\t\tThe first deployment stage can deploy to a maximum of one region and the second deployment stage can deploy to a maximum number specified in the regionFanoutFactor.\n\t\tIf you do not provide a regionFanoutFactor, by default the value is three.\n\t\tFor example: If 1st deployment stage deploys t", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-region-fanout-check.html", + "last_updated": "2025-10-01T21:58:06.077868", + "services": [ + "codepipeline" + ], + "parameters": [ + { + "name": { + "S": "regionFanoutFactor (Optional)" + }, + "description": { + "S": "The number of regions the AWS CodePipeline has deployed to in all previous stages is the acceptable number of regions any stage can deploy to." + } + } + ] + }, + { + "rule_name": "cognito-identity-pool-unauth-access-check", + "service_name": "cognito", + "type": "MANAGED", + "description": "Checks if Amazon Cognito Identity Pool allows unauthenticated identities. The rule is NON_COMPLIANT if the Identity Pool is configured to allow unauthenticated identities.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cognito-identity-pool-unauth-access-check.html", + "last_updated": "2025-10-01T21:58:06.304848", + "services": [ + "cognito" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cognito-identity-pool-unauthenticated-logins", + "service_name": "cognito", + "type": "MANAGED", + "description": "Checks if Amazon Cognito identity pools disallow unauthenticated logins. The rule is NON_COMPLIANT if configuration.AllowUnauthenticatedIdentities is true.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cognito-identity-pool-unauthenticated-logins.html", + "last_updated": "2025-10-01T21:58:06.513047", + "services": [ + "cognito" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cognito-user-pool-advanced-security-enabled", + "service_name": "cognito", + "type": "MANAGED", + "description": "Checks if an Amazon Cognito user pool has advanced security enabled for standard authentication. The rule is NON_COMPLIANT if advanced security is not enabled. Optionally, you can specify an advanced security mode for the rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cognito-user-pool-advanced-security-enabled.html", + "last_updated": "2025-10-01T21:58:06.723587", + "services": [ + "cognito" + ], + "parameters": [ + { + "name": { + "S": "SecurityMode (Optional)" + }, + "description": { + "S": "String value of the advanced security mode for the rule to check. If provided, the rule is NON_COMPLIANT if the advanced security mode for user pools does not match this parameter value. Valid values " + } + } + ] + }, + { + "rule_name": "cognito-user-pool-password-policy-check", + "service_name": "cognito", + "type": "MANAGED", + "description": "Checks if the password policy for Amazon cognito user pool meets the specified requirements indicated in the parameters. The rule is NON_COMPLIANT if the user pool password policy does not meet the specified requirements.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cognito-user-pool-password-policy-check.html", + "last_updated": "2025-10-01T21:58:06.940901", + "services": [ + "cognito" + ], + "parameters": [ + { + "name": { + "S": "requireSymbols (Optional)" + }, + "description": { + "S": "Whether to require at least one symbol in password." + } + }, + { + "name": { + "S": "temporaryPasswordValidity (Optional)" + }, + "description": { + "S": "Whether to require at least one number in password." + } + }, + { + "name": { + "S": "minLength (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "requireNumbers (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "requireUppercase (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "requireLowercase (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "cognito-user-pool-tagged", + "service_name": "cognito", + "type": "MANAGED", + "description": "Checks if Amazon Cognito user pools have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cognito-user-pool-tagged.html", + "last_updated": "2025-10-01T21:58:07.139664", + "services": [ + "cognito" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "connect-instance-logging-enabled", + "service_name": "connect", + "type": "MANAGED", + "description": "Checks if Amazon Connect instances have flow logs enabled in an Amazon CloudWatch log group. The rule is NON_COMPLIANT if an Amazon Connect instance does not have flow logs enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/connect-instance-logging-enabled.html", + "last_updated": "2025-10-01T21:58:07.332582", + "services": [ + "connect" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "custom-eventbus-policy-attached", + "service_name": "events", + "type": "MANAGED", + "description": "Checks if Amazon EventBridge custom event buses have a resource-based policy attached. The rule is NON_COMPLIANT if a custom event bus policy does not have an attached resource-based policy.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/custom-eventbus-policy-attached.html", + "last_updated": "2025-10-01T21:58:07.536389", + "services": [ + "events" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "custom-schema-registry-policy-attached", + "service_name": "eventschemas", + "type": "MANAGED", + "description": "Checks if custom Amazon EventBridge schema registries have a resource policy attached. The rule is NON_COMPLIANT for custom schema registries without a resource policy attached.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/custom-schema-registry-policy-attached.html", + "last_updated": "2025-10-01T21:58:07.744044", + "services": [ + "eventschemas" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "customerprofiles-domain-tagged", + "service_name": "customerprofiles", + "type": "MANAGED", + "description": "Checks if Amazon Connect Customer Profiles domains have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/customerprofiles-domain-tagged.html", + "last_updated": "2025-10-01T21:58:07.946174", + "services": [ + "customerprofiles" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "customerprofiles-object-type-allow-profile-creation", + "service_name": "customerprofiles", + "type": "MANAGED", + "description": "Checks if Amazon Connect Customer Profiles object types allow the creation of a new standard profile if one does not exist. The rule is NON_COMPLIANT if configuration.AllowProfileCreation is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/customerprofiles-object-type-allow-profile-creation.html", + "last_updated": "2025-10-01T21:58:08.148463", + "services": [ + "customerprofiles" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "customerprofiles-object-type-tagged", + "service_name": "customerprofiles", + "type": "MANAGED", + "description": "Checks if Amazon Connect Customer Profiles object types have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/customerprofiles-object-type-tagged.html", + "last_updated": "2025-10-01T21:58:08.382215", + "services": [ + "customerprofiles" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "cw-loggroup-retention-period-check", + "service_name": "logs", + "type": "MANAGED", + "description": "Checks if an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or else 365 days.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/cw-loggroup-retention-period-check.html", + "last_updated": "2025-10-01T21:58:08.587876", + "services": [ + "logs" + ], + "parameters": [ + { + "name": { + "S": "LogGroupNames (Optional)" + }, + "description": { + "S": "A comma-separated list of Log Group names to check the retention period." + } + }, + { + "name": { + "S": "MinRetentionTime (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "datasync-location-object-storage-using-https", + "service_name": "datasync", + "type": "MANAGED", + "description": "Checks if AWS DataSync location object storage servers use the HTTPS protocol to communicate. The rule is NON_COMPLIANT if configuration.ServerProtocol is not 'HTTPS'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/datasync-location-object-storage-using-https.html", + "last_updated": "2025-10-01T21:58:08.794505", + "services": [ + "datasync" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "datasync-task-data-verification-enabled", + "service_name": "datasync", + "type": "MANAGED", + "description": "Checks if AWS DataSync tasks have data verification enabled to perform additional verification at the end of your transfer. The rule is NON_COMPLIANT if configuration.Options.VerifyMode is 'NONE'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/datasync-task-data-verification-enabled.html", + "last_updated": "2025-10-01T21:58:09.003151", + "services": [ + "datasync" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "datasync-task-logging-enabled", + "service_name": "datasync", + "type": "MANAGED", + "description": "Checks if an AWS DataSync task has Amazon CloudWatch logging enabled. The rule is NON_COMPLIANT if an AWS DataSync task does not have Amazon CloudWatch logging enabled or if the logging level is not equivalent to the logging level that you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/datasync-task-logging-enabled.html", + "last_updated": "2025-10-01T21:58:09.227434", + "services": [ + "datasync" + ], + "parameters": [ + { + "name": { + "S": "logLevel (Optional)" + }, + "description": { + "S": "String value for the logging level. Valid values include: 'BASIC' and 'TRANSFER'. If not specified, the default value is 'BASIC'." + } + } + ] + }, + { + "rule_name": "datasync-task-tagged", + "service_name": "datasync", + "type": "MANAGED", + "description": "Checks if AWS DataSync tasks have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/datasync-task-tagged.html", + "last_updated": "2025-10-01T21:58:09.447288", + "services": [ + "datasync" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "dax-encryption-enabled", + "service_name": "dax", + "type": "MANAGED", + "description": "Checks if Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dax-encryption-enabled.html", + "last_updated": "2025-10-01T21:58:09.700610", + "services": [ + "dax" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dax-tls-endpoint-encryption", + "service_name": "dax", + "type": "MANAGED", + "description": "Checks if your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dax-tls-endpoint-encryption.html", + "last_updated": "2025-10-01T21:58:09.904340", + "services": [ + "dax" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "db-instance-backup-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/db-instance-backup-enabled.html", + "last_updated": "2025-10-01T21:58:10.123261", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "backupRetentionPeriod (Optional)" + }, + "description": { + "S": "Retention period for backups." + } + }, + { + "name": { + "S": "backupRetentionMinimum (Optional)" + }, + "description": { + "S": "Time range in which backups are created." + } + }, + { + "name": { + "S": "preferredBackupWindow (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "checkReadReplicas (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "desired-instance-tenancy", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks EC2 instances for a 'tenancy' value. Also checks if AMI IDs are specified to be launched from those AMIs or if Host IDs are launched on those Dedicated Hosts. The rule is COMPLIANT if the instance matches a host and an AMI, if specified, in a list.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-tenancy.html", + "last_updated": "2025-10-01T21:58:10.325595", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "tenancy" + }, + "description": { + "S": "Desired tenancy of the instances. Valid values are DEDICATED, HOST and DEFAULT." + } + }, + { + "name": { + "S": "imageId (Optional)" + }, + "description": { + "S": "The IDs of the EC2 Dedicated Hosts on which the instances are meant to be launched. Separate multiple Host IDs with commas." + } + }, + { + "name": { + "S": "hostId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "desired-instance-type", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if your EC2 instances are of a specific instance type. The rule is NON_COMPLIANT if an EC2 instance is not specified in the parameter list. For a list of supported EC2 instance types, see Instance types in the EC2 User Guide for Linux Instances.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-type.html", + "last_updated": "2025-10-01T21:58:10.546970", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "instanceType" + }, + "description": { + "S": "Comma-separated list of EC2 instance types (for example, \"t2.small, m4.large, i2.xlarge\")." + } + } + ] + }, + { + "rule_name": "dms-auto-minor-version-upgrade-check", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if an AWS Database Migration Service (AWS DMS) replication instance has automatic minor version upgrades enabled. The rule is NON_COMPLIANT if an AWS DMS replication instance is not configured with automatic minor version upgrades.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-auto-minor-version-upgrade-check.html", + "last_updated": "2025-10-01T21:58:10.751806", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-endpoint-ssl-configured", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-endpoint-ssl-configured.html", + "last_updated": "2025-10-01T21:58:10.964076", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-endpoint-tagged", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS DMS endpoints have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-endpoint-tagged.html", + "last_updated": "2025-10-01T21:58:11.599811", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "dms-mongo-db-authentication-enabled", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS Database Migration Service (AWS DMS) endpoints for MongoDb data stores are enabled for password-based authentication and access control. The rule is NON_COMPLIANT if password-based authentication and access control is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-mongo-db-authentication-enabled.html", + "last_updated": "2025-10-01T21:58:11.855201", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-neptune-iam-authorization-enabled", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if an AWS Database Migration Service (AWS DMS) endpoint for Amazon Neptune databases is configured with IAM authorization. The rule is NON_COMPLIANT if an AWS DMS endpoint where Neptune is the target has IamAuthEnabled set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-neptune-iam-authorization-enabled.html", + "last_updated": "2025-10-01T21:58:12.079093", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-redis-tls-enabled", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-redis-tls-enabled.html", + "last_updated": "2025-10-01T21:58:12.296801", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-replication-instance-multi-az-enabled", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS Database Migration Service (DMS) replication instances are configured with multiple Availability Zones. The rule is NON_COMPLIANT if a DMS replication instance is not configured to use multiple Availability Zones.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-instance-multi-az-enabled.html", + "last_updated": "2025-10-01T21:58:12.519769", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-replication-not-public", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS Database Migration Service (AWS DMS) replication instances are public. The rule is NON_COMPLIANT if PubliclyAccessible field is set to true.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-not-public.html", + "last_updated": "2025-10-01T21:58:12.732492", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-replication-task-sourcedb-logging", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if logging is enabled with a valid severity level for AWS DMS replication tasks of a source database. The rule is NON_COMPLIANT if logging is not enabled or logs for DMS replication tasks of a source database have a severity level that is not valid.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-task-sourcedb-logging.html", + "last_updated": "2025-10-01T21:58:12.940476", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dms-replication-task-tagged", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if AWS DMS replication tasks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-task-tagged.html", + "last_updated": "2025-10-01T21:58:13.147530", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "dms-replication-task-targetdb-logging", + "service_name": "dms", + "type": "MANAGED", + "description": "Checks if logging is enabled with a valid severity level for AWS DMS replication task events of a target database. The rule is NON_COMPLIANT if logging is not enabled or replication task logging of a target database has a severity level that is not valid.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-task-targetdb-logging.html", + "last_updated": "2025-10-01T21:58:13.355921", + "services": [ + "dms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "docdb-cluster-audit-logging-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon DocumentDB (with MongoDB compatibility) instance cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if an Amazon DocumentDB instance cluster does not have CloudWatch log export enabled for audit logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-audit-logging-enabled.html", + "last_updated": "2025-10-01T21:58:13.587877", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "docdb-cluster-backup-retention-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Document DB cluster retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-backup-retention-check.html", + "last_updated": "2025-10-01T21:58:13.808981", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "minimumBackupRetentionPeriod (Optional)" + }, + "description": { + "S": "Minimum days backups should be kept. Valid values 1 to 35, default value is 7. This rule is NON_COMPLIANT if value is greater than 'backupRetentionPeriod'." + } + } + ] + }, + { + "rule_name": "docdb-cluster-deletion-protection-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon DocumentDB (with MongoDB compatibility) cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon DocumentDB cluster has the deletionProtection field set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:58:14.035766", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "docdb-cluster-encrypted", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-encrypted.html", + "last_updated": "2025-10-01T21:58:14.264950", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "A comma-separated list of KMS key ARNs to compare with the KmsKeyID of the encrypted cluster." + } + } + ] + }, + { + "rule_name": "docdb-cluster-encrypted-in-transit", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if connections to Amazon DocumentDB clusters are configured to use encryption in transit. The rule is NON_COMPLIANT if the parameter group is not \"in-sync\", or the TLS parameter is set to either \"disabled\" or a value in excludeTlsParameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:58:14.461619", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "excludeTlsParameters (Optional)" + }, + "description": { + "S": "Comma-separated list of TLS cluster parameters for the rule to NOT check. Default value: 'disabled'." + } + } + ] + }, + { + "rule_name": "docdb-cluster-snapshot-public-prohibited", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon DocumentDB manual cluster snapshots are public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-snapshot-public-prohibited.html", + "last_updated": "2025-10-01T21:58:14.664060", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-autoscaling-enabled", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if Amazon DynamoDB tables or global secondary indexes can process read/write capacity using on-demand mode or provisioned mode with auto scaling enabled. The rule is NON_COMPLIANT if either mode is used without auto scaling enabled", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-autoscaling-enabled.html", + "last_updated": "2025-10-01T21:58:14.869022", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "minProvisionedReadCapacity (Optional)" + }, + "description": { + "S": "The minimum number of units that should be provisioned with read capacity in the Auto Scaling group." + } + }, + { + "name": { + "S": "maxProvisionedReadCapacity (Optional)" + }, + "description": { + "S": "The target utilization percentage for read capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity." + } + }, + { + "name": { + "S": "targetReadUtilization (Optional)" + }, + "description": { + "S": "The maximum number of units that should be provisioned with write capacity in the Auto Scaling group." + } + }, + { + "name": { + "S": "minProvisionedWriteCapacity (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "maxProvisionedWriteCapacity (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "targetWriteUtilization (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-in-backup-plan", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks whether Amazon DynamoDB table is present in AWS Backup Plans. The rule is NON_COMPLIANT if Amazon DynamoDB tables are not present in any AWS Backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-in-backup-plan.html", + "last_updated": "2025-10-01T21:58:15.055496", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-last-backup-recovery-point-created", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. The rule is NON_COMPLIANT if the DynamoDB Table does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:58:15.252446", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of the DynamoDB Tables for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-meets-restore-time-target", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon DynamoDB Tables meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of a DynamoDB Table is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:58:15.453675", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Name of DynamoDB Table for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-pitr-enabled", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-pitr-enabled.html", + "last_updated": "2025-10-01T21:58:15.664501", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-resources-protected-by-backup-plan", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if Amazon DynamoDB tables are protected by a backup plan. The rule is NON_COMPLIANT if the DynamoDB Table is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:58:15.876515", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for DynamoDB tables for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-table-deletion-protection-enabled", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if an Amazon DynamoDB table have deletion protection set to enabled. The rule is NON_COMPLIANT if the table have deletion protection set to disabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:58:16.080718", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-table-encrypted-kms", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if Amazon DynamoDB table is not encrypted with AWS KMS.\n\t\t\t\tThe rule is also NON_COMPLIANT if the encrypted AWS KMS key is not present in kmsKeyArns input parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encrypted-kms.html", + "last_updated": "2025-10-01T21:58:16.285468", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma separated list of AWS KMS key ARNs allowed for encrypting Amazon DynamoDB Tables." + } + } + ] + }, + { + "rule_name": "dynamodb-table-encryption-enabled", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encryption-enabled.html", + "last_updated": "2025-10-01T21:58:16.499691", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "dynamodb-throughput-limit-check", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80 percent of your account limits.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-throughput-limit-check.html", + "last_updated": "2025-10-01T21:58:16.759937", + "services": [ + "dynamodb" + ], + "parameters": [ + { + "name": { + "S": "accountRCUThresholdPercentage (Optional)" + }, + "description": { + "S": "Percentage of provisioned read capacity units for your account. When this value is reached, the rule is marked as noncompliant." + } + }, + { + "name": { + "S": "accountWCUThresholdPercentage (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-in-backup-plan", + "service_name": "ec2", + "type": "MANAGED", + "description": "Check if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-in-backup-plan.html", + "last_updated": "2025-10-01T21:58:16.968183", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-last-backup-recovery-point-created", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon Elastic Block Store (Amazon EBS). The rule is NON_COMPLIANT if the Amazon EBS volume does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:58:17.184370", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon EBS volumes for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-meets-restore-time-target", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon Elastic Block Store (Amazon EBS) volumes meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EBS volume is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:58:17.401709", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "ID of Amazon EBS volume for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-optimized-instance", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EBS optimization is enabled for your Amazon Elastic Compute Cloud (Amazon EC2) instances that can be Amazon EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an Amazon EC2 instance that can be EBS-optimized.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-optimized-instance.html", + "last_updated": "2025-10-01T21:58:17.605542", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-resources-in-logically-air-gapped-vault", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EBS volume is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:58:17.818756", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon EBS volumes for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-resources-protected-by-backup-plan", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:58:18.040779", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for Amazon EBS volumes for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ebs-snapshot-public-restorable-check", + "service_name": "ebs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with RestorableByUserIds field are set to all, that is, Amazon EBS snapshots are public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html", + "last_updated": "2025-10-01T21:58:18.275800", + "services": [ + "ebs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-capacity-reservation-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 capacity reservations have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-capacity-reservation-tagged.html", + "last_updated": "2025-10-01T21:58:18.487173", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-carrier-gateway-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 carrier gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-carrier-gateway-tagged.html", + "last_updated": "2025-10-01T21:58:18.695829", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-client-vpn-connection-log-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if AWS Client VPN endpoint has client connection logging enabled. The rule is NON_COMPLIANT if 'Configuration.ConnectionLogOptions.Enabled' is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-client-vpn-connection-log-enabled.html", + "last_updated": "2025-10-01T21:58:18.928379", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-client-vpn-endpoint-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 client VPN endpoints have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-client-vpn-endpoint-tagged.html", + "last_updated": "2025-10-01T21:58:19.185135", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-client-vpn-not-authorize-all", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if the AWS Client VPN authorization rules authorizes connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-client-vpn-not-authorize-all.html", + "last_updated": "2025-10-01T21:58:19.400220", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-dhcp-options-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 DHCP options have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-dhcp-options-tagged.html", + "last_updated": "2025-10-01T21:58:19.612324", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-ebs-encryption-by-default", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html", + "last_updated": "2025-10-01T21:58:19.819919", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-enis-source-destination-check-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if EC2 ENIs managed by users have source/destination check enabled. The rule is NON_COMPLIANT if source/destination check is disabled on these ENIs for 'lambda', 'aws_codestar_connections_managed', 'branch', 'efa', 'interface', and 'quicksight'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-enis-source-destination-check-enabled.html", + "last_updated": "2025-10-01T21:58:20.033540", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-fleet-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 fleets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-fleet-tagged.html", + "last_updated": "2025-10-01T21:58:20.248708", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-imdsv2-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if the HttpTokens is set to optional.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html", + "last_updated": "2025-10-01T21:58:20.440837", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-instance-detailed-monitoring-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-detailed-monitoring-enabled.html", + "last_updated": "2025-10-01T21:58:20.659057", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-instance-launched-with-allowed-ami", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if running or stopped EC2 instances were launched with Amazon Machine Images (AMIs) that meet your Allowed AMIs criteria. The rule is NON_COMPLIANT if an AMI doesn't meet the Allowed AMIs criteria and the Allowed AMIs settings isn't disabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-launched-with-allowed-ami.html", + "last_updated": "2025-10-01T21:58:20.881663", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "InstanceStateNameList (Optional)" + }, + "description": { + "S": "Comma-separate list of Amazon EC2 instance states for the rule to check. Valid values are \"running\" and \"stopped\"." + } + } + ] + }, + { + "rule_name": "ec2-instance-managed-by-systems-manager", + "service_name": "ssm", + "type": "MANAGED", + "description": "For this rule, the rule identifier (EC2_INSTANCE_MANAGED_BY_SSM) and rule name (ec2-instance-managed-by-systems-manager) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html", + "last_updated": "2025-10-01T21:58:21.110657", + "services": [ + "ssm", + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-instance-managed-by-systems-manager", + "service_name": "ec2", + "type": "MANAGED", + "description": "For this rule, the rule identifier (EC2_INSTANCE_MANAGED_BY_SSM) and rule name (ec2-instance-managed-by-systems-manager) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html", + "last_updated": "2025-10-01T21:58:21.110673", + "services": [ + "ssm", + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-instance-multiple-eni-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). The rule is NON_COMPLIANT an Amazon EC2 instance use multiple network interfaces.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-multiple-eni-check.html", + "last_updated": "2025-10-01T21:58:21.343342", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "NetworkInterfaceIds (Optional)" + }, + "description": { + "S": "Comma-separated list of network instance IDs" + } + } + ] + }, + { + "rule_name": "ec2-instance-no-public-ip", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if EC2 instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the EC2 instance configuration item. The rule applies only to IPv4.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html", + "last_updated": "2025-10-01T21:58:21.566474", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-instance-profile-attached", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html", + "last_updated": "2025-10-01T21:58:21.780945", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "IamInstanceProfileArnList (Optional)" + }, + "description": { + "S": "Comma-separated list of IAM profile Amazon Resource Names (ARNs) that can be attached to Amazon EC2 instances." + } + } + ] + }, + { + "rule_name": "ec2-instances-in-vpc", + "service_name": "ec2", + "type": "MANAGED", + "description": "For this rule, the rule identifier (INSTANCES_IN_VPC) and rule name (ec2-instances-in-vpc) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html", + "last_updated": "2025-10-01T21:58:22.006151", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "vpcId (Optional)" + }, + "description": { + "S": "VPC ID that contains these EC2 instances." + } + } + ] + }, + { + "rule_name": "ec2-last-backup-recovery-point-created", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. The rule is NON_COMPLIANT if the Amazon EC2 instance does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:58:22.225665", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon EC2 instances for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-launch-template-imdsv2-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if the currently set default version of an Amazon EC2 Launch Template requires new launched instances to use V2 of the Amazon EC2 Instance Metadata Service (IMDSv2). The rule is NON_COMPLIANT if 'Metadata version' is not specified as V2 (IMDSv2).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-launch-template-imdsv2-check.html", + "last_updated": "2025-10-01T21:58:22.452009", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-launch-template-public-ip-disabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 Launch Templates are set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with 'AssociatePublicIpAddress' set to 'true'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-launch-template-public-ip-disabled.html", + "last_updated": "2025-10-01T21:58:22.667365", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "exemptedLaunchTemplates (Optional)" + }, + "description": { + "S": "Comma-separated list of exempted EC2 Launch Template IDs that are allowed to have Network Interfaces with the AssociatePublicIpAddress value set to 'true'." + } + } + ] + }, + { + "rule_name": "ec2-launch-template-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 launch templates have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-launch-template-tagged.html", + "last_updated": "2025-10-01T21:58:22.879781", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-launch-templates-ebs-volume-encrypted", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks whether Amazon EC2 launch templates have encryption enabled for all attached EBS volumes.The rule is NON_COMPLIANT if encryption is set to False for any EBS volume configured in the launch template.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-launch-templates-ebs-volume-encrypted.html", + "last_updated": "2025-10-01T21:58:23.103393", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-managedinstance-applications-blacklisted", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if none of the specified applications are installed on the instance. Optionally, specify the version. Newer versions will not be denylisted. Optionally, specify the platform to apply the rule only to instances running that platform.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-blacklisted.html", + "last_updated": "2025-10-01T21:58:23.316858", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "applicationNames" + }, + "description": { + "S": "Comma-separated list of application names. Optionally, specify versions appended with ':' (for example, 'Chrome:0.5.3, Firefox').\nNoteThe application names must be an exact match. For example, use fir" + } + }, + { + "name": { + "S": "platformType (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-managedinstance-applications-required", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-required.html", + "last_updated": "2025-10-01T21:58:23.524167", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "applicationNames" + }, + "description": { + "S": "Comma-separated list of application names. Optionally, specify versions appended with ':' (for example, 'Chrome:0.5.3, Firefox').\nNoteThe application names must be an exact match. For example, use fir" + } + }, + { + "name": { + "S": "platformType (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-managedinstance-association-compliance-status-check", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT.\nFor more information about associations, see What is an association?.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html", + "last_updated": "2025-10-01T21:58:23.771214", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-managedinstance-inventory-blacklisted", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks whether instances managed by Amazon EC2 Systems Manager are configured to collect blacklisted inventory types.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-inventory-blacklisted.html", + "last_updated": "2025-10-01T21:58:23.988826", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "inventoryNames" + }, + "description": { + "S": "Comma separated list of Systems Manager inventory types (for example, 'AWS:Network, AWS:WindowsUpdate')." + } + }, + { + "name": { + "S": "platformType (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-managedinstance-patch-compliance-status-check", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html", + "last_updated": "2025-10-01T21:58:24.197434", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-managedinstance-platform-check", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks whether EC2 managed instances have the desired configurations.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-platform-check.html", + "last_updated": "2025-10-01T21:58:24.406368", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "platformType" + }, + "description": { + "S": "Platform type (for example, 'Linux')." + } + }, + { + "name": { + "S": "platformVersion (Optional)" + }, + "description": { + "S": "Agent version (for example, '2.0.433.0')." + } + }, + { + "name": { + "S": "agentVersion (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "platformName (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-meets-restore-time-target", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon Elastic Compute Cloud (Amazon EC2) instances meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EC2 instance is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:58:24.620569", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "ID of Amazon EC2 instance for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-network-insights-access-scope-analysis-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 network insights access scope analyses have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-network-insights-access-scope-analysis-tagged.html", + "last_updated": "2025-10-01T21:58:24.840813", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-network-insights-access-scope-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 network insights access scopes have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-network-insights-access-scope-tagged.html", + "last_updated": "2025-10-01T21:58:25.051718", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-network-insights-analysis-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 network insights analyses have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-network-insights-analysis-tagged.html", + "last_updated": "2025-10-01T21:58:25.255720", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-network-insights-path-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 network insights paths have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-network-insights-path-tagged.html", + "last_updated": "2025-10-01T21:58:25.447527", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-no-amazon-key-pair", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-no-amazon-key-pair.html", + "last_updated": "2025-10-01T21:58:25.650043", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-paravirtual-instance-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if the virtualization type of an EC2 instance is paravirtual. This rule is NON_COMPLIANT for an EC2 instance if 'virtualizationType' is set to 'paravirtual'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-paravirtual-instance-check.html", + "last_updated": "2025-10-01T21:58:25.863741", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-prefix-list-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 managed prefix lists have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-prefix-list-tagged.html", + "last_updated": "2025-10-01T21:58:26.066340", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-resources-in-logically-air-gapped-vault", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EC2 instance is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:58:26.267192", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon EC2 instances for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-resources-protected-by-backup-plan", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EC2 instance is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:58:26.472371", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for Amazon EC2 instances for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-security-group-attached-to-eni", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks that non-default security groups are attached to Amazon Elastic Compute Cloud (EC2) instances or an elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an EC2 instance or an ENI.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni.html", + "last_updated": "2025-10-01T21:58:26.682724", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-security-group-attached-to-eni-periodic", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if non-default security groups are attached to Elastic network interfaces (ENIs). The rule is NON_COMPLIANT if the security group is not associated with an ENI. Security groups not owned by the calling account evaluate as NOT_APPLICABLE.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni-periodic.html", + "last_updated": "2025-10-01T21:58:26.887825", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-spot-fleet-request-ct-encryption-at-rest", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 Spot Fleet request launch parameters set encrypted to True for attached EBS volumes. The rule is NON_COMPLIANT if any EBS volumes has encrypted set to False. The rule does not evaluate spot fleet requests using launch templates.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-spot-fleet-request-ct-encryption-at-rest.html", + "last_updated": "2025-10-01T21:58:27.103559", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-stopped-instance", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if there are Amazon Elastic Compute Cloud (Amazon EC2) instances stopped for more than the allowed number of days. The rule is NON_COMPLIANT if the state of an Amazon EC2 instance has been stopped for longer than the allowed number of days, or if the amount of time cannot be determined.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-stopped-instance.html", + "last_updated": "2025-10-01T21:58:27.315631", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "AllowedDays (Optional)" + }, + "description": { + "S": "The number of days an Amazon EC2 instance can be stopped before the rule is NON_COMPLIANT. The default number of days is 30.\nNoteThe number of days selected needs to be less than the configured retent" + } + } + ] + }, + { + "rule_name": "ec2-token-hop-limit-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit. The rule is NON_COMPLIANT for an instance if it has a hop limit value above the intended limit.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-token-hop-limit-check.html", + "last_updated": "2025-10-01T21:58:27.520621", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "tokenHopLimit (Optional)" + }, + "description": { + "S": "The desired token hop limit. Valid values are between 1 and 64, both inclusive. Default value is 1 if parameter is not specified." + } + } + ] + }, + { + "rule_name": "ec2-traffic-mirror-filter-description", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 traffic mirror filters have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-filter-description.html", + "last_updated": "2025-10-01T21:58:27.709672", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-traffic-mirror-filter-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 traffic mirror filters have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-filter-tagged.html", + "last_updated": "2025-10-01T21:58:27.926888", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-traffic-mirror-session-description", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 traffic mirror sessions have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-session-description.html", + "last_updated": "2025-10-01T21:58:28.126729", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-traffic-mirror-session-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 traffic mirror sessions have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-session-tagged.html", + "last_updated": "2025-10-01T21:58:28.332899", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-traffic-mirror-target-description", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 traffic mirror targets have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-target-description.html", + "last_updated": "2025-10-01T21:58:28.527044", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-traffic-mirror-target-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 traffic mirror targets have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-target-tagged.html", + "last_updated": "2025-10-01T21:58:28.735671", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-transit-gateway-auto-vpc-attach-disabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-transit-gateway-auto-vpc-attach-disabled.html", + "last_updated": "2025-10-01T21:58:28.941366", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-transit-gateway-multicast-domain-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 transit gateway multicast domains have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-transit-gateway-multicast-domain-tagged.html", + "last_updated": "2025-10-01T21:58:29.161898", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ec2-volume-inuse-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-volume-inuse-check.html", + "last_updated": "2025-10-01T21:58:29.384455", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "deleteOnTermination (Optional)" + }, + "description": { + "S": "EBS volumes are marked for deletion when an instance is terminated. Possible values: True or False (other input values are marked as NON_COMPLIANT).\nIf set to True, the rule is NON_COMPLIANT if a term" + } + } + ] + }, + { + "rule_name": "ec2-vpn-connection-logging-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if AWS Site-to-Site VPN connections have Amazon CloudWatch logging enabled for both tunnels. The rule is NON_COMPLIANT if a Site-to-Site VPN connection does not have CloudWatch logging enabled for either or both tunnels.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-vpn-connection-logging-enabled.html", + "last_updated": "2025-10-01T21:58:29.576254", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ec2-vpn-connection-tagged", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EC2 VPN connections have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-vpn-connection-tagged.html", + "last_updated": "2025-10-01T21:58:29.767388", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ecr-private-image-scanning-enabled", + "service_name": "ecr", + "type": "MANAGED", + "description": "Checks if a private Amazon Elastic Container Registry (Amazon ECR) repository has image scanning enabled.\nThe rule is NON_COMPLIANT if the private Amazon ECR repository's scan frequency is not on scan on push or continuous scan.\nFor more information on enabling image scanning, see Image scanning in the Amazon ECR User Guide.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-image-scanning-enabled.html", + "last_updated": "2025-10-01T21:58:30.024680", + "services": [ + "ecr" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecr-private-lifecycle-policy-configured", + "service_name": "ecr", + "type": "MANAGED", + "description": "Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html", + "last_updated": "2025-10-01T21:58:30.259925", + "services": [ + "ecr" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecr-private-tag-immutability-enabled", + "service_name": "ecr", + "type": "MANAGED", + "description": "Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled. This rule is NON_COMPLIANT if tag immutability is not enabled for the private ECR repository.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html", + "last_updated": "2025-10-01T21:58:30.467151", + "services": [ + "ecr" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecr-repository-cmk-encryption-enabled", + "service_name": "ecr", + "type": "MANAGED", + "description": "Checks if ECR repository is encrypted at rest using customer-managed KMS key. This rule is NON_COMPLIANT if the repository is encrypted using AES256 or the default KMS key ('aws/ecr').", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecr-repository-cmk-encryption-enabled.html", + "last_updated": "2025-10-01T21:58:30.689174", + "services": [ + "ecr" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of KMS key Amazon Resource Names (ARNs) intended to encrypt the ECR repository." + } + } + ] + }, + { + "rule_name": "ecr-repository-tagged", + "service_name": "ecr", + "type": "MANAGED", + "description": "Checks if Amazon ECR repositories have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecr-repository-tagged.html", + "last_updated": "2025-10-01T21:58:30.909045", + "services": [ + "ecr" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ecs-awsvpc-networking-enabled", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if the networking mode for active ECSTaskDefinitions is set to \u2018awsvpc\u2019. This rule is NON_COMPLIANT if active ECSTaskDefinitions is not set to \u2018awsvpc\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-awsvpc-networking-enabled.html", + "last_updated": "2025-10-01T21:58:31.170615", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-capacity-provider-tagged", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if Amazon ECS capacity providers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-capacity-provider-tagged.html", + "last_updated": "2025-10-01T21:58:31.383497", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ecs-container-insights-enabled", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Container Service clusters have container insights enabled. The rule is NON_COMPLIANT if container insights are not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html", + "last_updated": "2025-10-01T21:58:31.591436", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-containers-nonprivileged", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to \u2018true\u2019. The rule is NON_COMPLIANT if the privileged parameter is \u2018true\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html", + "last_updated": "2025-10-01T21:58:31.787648", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-containers-readonly-access", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to its root filesystems. The rule is NON_COMPLIANT if the readonlyRootFilesystem parameter in the container definition of ECSTaskDefinitions is set to \u2018false\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html", + "last_updated": "2025-10-01T21:58:31.997895", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-fargate-latest-platform-version", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if ECS Fargate services is set to the latest platform version. The rule is NON_COMPLIANT if PlatformVersion for the Fargate launch type is not set to LATEST, or if neither latestLinuxVersion nor latestWindowsVersion are provided as parameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html", + "last_updated": "2025-10-01T21:58:32.206713", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "latestLinuxVersion (Optional)" + }, + "description": { + "S": "Latest Linux supported 'PlatformVersion' in semantic versioning (SemVer) format. Parameter may be needed if Fargate was deployed and the 'PlatformVersion' was explicitly specified or CodeDeploy is use" + } + }, + { + "name": { + "S": "latestWindowsVersion (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-no-environment-secrets", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if secrets are passed as container environment variables. The rule is NON_COMPLIANT if 1 or more environment variable key matches a key listed in the 'secretKeys' parameter (excluding environmental variables from other locations such as Amazon S3).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-no-environment-secrets.html", + "last_updated": "2025-10-01T21:58:32.416316", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "secretKeys" + }, + "description": { + "S": "Comma-separated list of key names to search for in the environment variables of container definitions within Task Definitions. Extra spaces will be removed." + } + } + ] + }, + { + "rule_name": "ecs-task-definition-log-configuration", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html", + "last_updated": "2025-10-01T21:58:32.615163", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-task-definition-memory-hard-limit", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for its container definitions. The rule is NON_COMPLIANT for a task definition if the \u2018memory\u2019 parameter is absent for one container definition.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-memory-hard-limit.html", + "last_updated": "2025-10-01T21:58:32.828210", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-task-definition-network-mode-not-host", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if the latest active revision of Amazon ECS task definitions use host network mode. The rule is NON_COMPLIANT if the latest active revision of the ECS task definition uses host network mode.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-network-mode-not-host.html", + "last_updated": "2025-10-01T21:58:33.041695", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-task-definition-nonroot-user", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. The rule is NON_COMPLIANT if the \u2018user\u2019 parameter is not present or set to \u2018root\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-nonroot-user.html", + "last_updated": "2025-10-01T21:58:33.256056", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-task-definition-pid-mode-check", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if ECSTaskDefinitions are configured to share a host\u2019s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers. The rule is NON_COMPLIANT if the pidMode parameter is set to \u2018host\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-pid-mode-check.html", + "last_updated": "2025-10-01T21:58:33.474578", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ecs-task-definition-user-for-host-mode-check", + "service_name": "ecs", + "type": "MANAGED", + "description": "Checks if Amazon ECS task definitions with host network mode have privileged OR nonroot in the container definition. The rule is NON_COMPLIANT if the latest active revision of a task definition has privileged=false (or is null) AND user=root (or is null).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html", + "last_updated": "2025-10-01T21:58:33.695807", + "services": [ + "ecs" + ], + "parameters": [ + { + "name": { + "S": "SkipInactiveTaskDefinitions (Optional)" + }, + "description": { + "S": "Boolean flag to not check INACTIVE Amazon EC2 task definitions. If set to 'true', the rule won't evaluate INACTIVE Amazon EC2 task definitions. If set to 'false', the rule will evaluate the latest rev" + } + } + ] + }, + { + "rule_name": "efs-access-point-enforce-root-directory", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory. The rule is NON_COMPLIANT if the value of 'Path' is set to '/' (default root directory of the file system).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-root-directory.html", + "last_updated": "2025-10-01T21:58:33.907348", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "approvedDirectories (Optional)" + }, + "description": { + "S": "Comma-separated list of subdirectory paths that are approved for Amazon EFS access point root directory enforcement." + } + } + ] + }, + { + "rule_name": "efs-access-point-enforce-user-identity", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. The rule is NON_COMPLIANT if 'PosixUser' is not defined or if parameters are provided and there is no match in the corresponding parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-user-identity.html", + "last_updated": "2025-10-01T21:58:34.108942", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "approvedUids (Optional)" + }, + "description": { + "S": "Comma-separated list of POSIX user ID that are approved for EFS access point user enforcement." + } + }, + { + "name": { + "S": "approvedGids (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-automatic-backups-enabled", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic File System (Amazon EFS) file system has automatic backups enabled. The rule is NON_COMPLIANT if `BackupPolicy.Status` is set to DISABLED.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-automatic-backups-enabled.html", + "last_updated": "2025-10-01T21:58:34.324231", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-encrypted-check", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the encrypted key is set to false on DescribeFileSystems or if the KmsKeyId key on DescribeFileSystems does not match the KmsKeyId parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html", + "last_updated": "2025-10-01T21:58:34.537582", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "KmsKeyId (Optional)" + }, + "description": { + "S": "Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system." + } + } + ] + }, + { + "rule_name": "efs-file-system-tagged", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System file systems have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-file-system-tagged.html", + "last_updated": "2025-10-01T21:58:34.766122", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "efs-filesystem-ct-encrypted", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) encrypts data with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if a file system is not encrypted. Optionally, you can check if a file system is not encrypted with specified KMS keys.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-filesystem-ct-encrypted.html", + "last_updated": "2025-10-01T21:58:34.993594", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "(Optional) Comma-separated list of Amazon Resource Names (ARNs) for AWS KMS keys. If provided, the rule checks if the specified KMS keys do not encrypt an Amazon EFS file system." + } + } + ] + }, + { + "rule_name": "efs-in-backup-plan", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-in-backup-plan.html", + "last_updated": "2025-10-01T21:58:35.356315", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-last-backup-recovery-point-created", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems. The rule is NON_COMPLIANT if the Amazon EFS File System does not have a corresponding Recovery Point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:58:35.555154", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon EFS File Systems for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-meets-restore-time-target", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon Elastic File System (Amazon EFS) File Systems meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EFS File System is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:58:35.788212", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "ID of EFS File System for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-mount-target-public-accessible", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic File System (Amazon EFS) is associated with subnets that assign public IP addresses on launch. The rule is NON_COMPLIANT if the Amazon EFS mount target is associated with subnets that assign public IP addresses on launch.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-mount-target-public-accessible.html", + "last_updated": "2025-10-01T21:58:35.984257", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-resources-in-logically-air-gapped-vault", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) File Systems are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EFS File System is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:58:36.181460", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon EFS File Systems for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "efs-resources-protected-by-backup-plan", + "service_name": "efs", + "type": "MANAGED", + "description": "Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/efs-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:58:36.388354", + "services": [ + "efs" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for EFS File Systems for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "eip-attached", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if all Elastic IP addresses that are allocated to an AWS account are attached to EC2 instances or in-use elastic network interfaces. The rule is NON_COMPLIANT if the 'AssociationId' is null for the Elastic IP address.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eip-attached.html", + "last_updated": "2025-10-01T21:58:36.591320", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "eks-addon-tagged", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if Amazon EKS add-ons have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-addon-tagged.html", + "last_updated": "2025-10-01T21:58:36.788624", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "eks-cluster-log-enabled", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled or if logging is not enabled with the log type mentioned.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-log-enabled.html", + "last_updated": "2025-10-01T21:58:36.989126", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "logTypes (Optional)" + }, + "description": { + "S": "Comma-separated list of EKS Cluster control plane log types for the rule to check. Valid values: \"api\", \"audit\", \"authenticator\", \"controllerManager\", \"scheduler" + } + } + ] + }, + { + "rule_name": "eks-cluster-logging-enabled", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-logging-enabled.html", + "last_updated": "2025-10-01T21:58:37.203380", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "eks-cluster-oldest-supported-version", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version. The rule is NON_COMPLIANT if an EKS cluster is running oldest supported version (equal to the parameter 'oldestVersionSupported').", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-oldest-supported-version.html", + "last_updated": "2025-10-01T21:58:37.416849", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "oldestVersionSupported" + }, + "description": { + "S": "Value of the oldest version of Kubernetes supported on AWS." + } + } + ] + }, + { + "rule_name": "eks-cluster-secrets-encrypted", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if Amazon EKS clusters are configured to have Kubernetes secrets encrypted using AWS KMS. The rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig resource or if encryptionConfig does not name secrets as a resource.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-secrets-encrypted.html", + "last_updated": "2025-10-01T21:58:37.628121", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of KMS key Amazon Resource Names (ARNs) that are approved for EKS usage." + } + } + ] + }, + { + "rule_name": "eks-cluster-supported-version", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version. This rule is NON_COMPLIANT if an EKS cluster is running an unsupported version (less than the parameter 'oldestVersionSupported').", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-supported-version.html", + "last_updated": "2025-10-01T21:58:37.845011", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "oldestVersionSupported" + }, + "description": { + "S": "Value of the oldest version of Kubernetes supported on AWS." + } + } + ] + }, + { + "rule_name": "eks-endpoint-no-public-access", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-endpoint-no-public-access.html", + "last_updated": "2025-10-01T21:58:38.064668", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "eks-fargate-profile-tagged", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if Amazon EKS fargate profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-fargate-profile-tagged.html", + "last_updated": "2025-10-01T21:58:38.278847", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "eks-secrets-encrypted", + "service_name": "eks", + "type": "MANAGED", + "description": "Checks if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/eks-secrets-encrypted.html", + "last_updated": "2025-10-01T21:58:38.493127", + "services": [ + "eks" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma separated list of Amazon Resource Name (ARN) of the KMS key that should be used for encrypted secrets in an EKS cluster." + } + } + ] + }, + { + "rule_name": "elastic-beanstalk-logs-to-cloudwatch", + "service_name": "elasticbeanstalk", + "type": "MANAGED", + "description": "Checks if AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:58:38.722927", + "services": [ + "elasticbeanstalk" + ], + "parameters": [ + { + "name": { + "S": "RetentionInDays (Optional)" + }, + "description": { + "S": "Checks the number of days to keep log events before they expire. Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653. The rule is NON_COMPLIANT if the value of " + } + }, + { + "name": { + "S": "DeleteOnTerminate (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elastic-beanstalk-managed-updates-enabled", + "service_name": "elasticbeanstalk", + "type": "MANAGED", + "description": "Checks if managed platform updates in an AWS Elastic Beanstalk environment is enabled.\n The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true.\n The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configurations.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html", + "last_updated": "2025-10-01T21:58:38.942601", + "services": [ + "elasticbeanstalk" + ], + "parameters": [ + { + "name": { + "S": "UpdateLevel (Optional)" + }, + "description": { + "S": "Indicates whether update levels are set to 'minor' version updates or a 'patch' version updates." + } + } + ] + }, + { + "rule_name": "elasticache-auto-minor-version-upgrade-check", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache clusters have auto minor version upgrades enabled. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using the Redis or Valkey engine and 'AutoMinorVersionUpgrade' is not set to 'true'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-auto-minor-version-upgrade-check.html", + "last_updated": "2025-10-01T21:58:39.157221", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticache-automatic-backup-check-enabled", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache clusters (Valkey or Redis OSS) have automatic backup turned on. The rule is NON_COMPLIANT if automated backup is not enabled or the SnapshotRetentionLimit for a cluster is less than the specified snapshotRetentionPeriod.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-automatic-backup-check-enabled.html", + "last_updated": "2025-10-01T21:58:39.380980", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "snapshotRetentionPeriod (Optional)" + }, + "description": { + "S": "Minimum snapshot retention period in days for Valkey or Redis OSS. Valid values are 1 to 35. Default value is 1." + } + } + ] + }, + { + "rule_name": "elasticache-rbac-auth-enabled", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache replication groups have RBAC authentication enabled. The rule is NON_COMPLIANT if the Redis version is 6 or above and \u2018UserGroupIds\u2019 is missing, empty, or does not match an entry provided by the 'allowedUserGroupIDs' parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-rbac-auth-enabled.html", + "last_updated": "2025-10-01T21:58:39.599721", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "allowedUserGroupIDs (Optional)" + }, + "description": { + "S": "A comma-separated list of User Group IDs that are approved for ElastiCache replication group access." + } + } + ] + }, + { + "rule_name": "elasticache-redis-cluster-automatic-backup-check", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Check if the Amazon ElastiCache Redis clusters have automatic backup turned on.\n\t\t\t\tThe rule is NON_COMPLIANT if the SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter.\n\t\t\t\tFor example: If the parameter is 15 then the rule is non-compliant if the snapshotRetentionPeriod is between 0-15.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html", + "last_updated": "2025-10-01T21:58:39.816389", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "snapshotRetentionPeriod (Optional)" + }, + "description": { + "S": "Minimum snapshot retention period in days for Redis cluster. Default is 15 days." + } + } + ] + }, + { + "rule_name": "elasticache-repl-grp-auto-failover-enabled", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache Redis replication groups have automatic failover enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if \u2018AutomaticFailover\u2019 is not set to \u2018enabled\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-repl-grp-auto-failover-enabled.html", + "last_updated": "2025-10-01T21:58:40.045301", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticache-repl-grp-encrypted-at-rest", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache replication groups have encryption-at-rest enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if 'AtRestEncryptionEnabled' is disabled or if the KMS key ARN does not match the approvedKMSKeyArns parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-repl-grp-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:58:40.256235", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "approvedKMSKeyIds (Optional)" + }, + "description": { + "S": "Comma-separated list of KMS Key IDs that are approved for ElastiCache usage." + } + } + ] + }, + { + "rule_name": "elasticache-repl-grp-encrypted-in-transit", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache replication groups have encryption-in-transit enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if \u2018TransitEncryptionEnabled\u2019 is set to \u2018false\u2019.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-repl-grp-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:58:40.456426", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticache-repl-grp-redis-auth-enabled", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache replication groups have Redis AUTH enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if the Redis version of its nodes is below 6 (Version 6+ use Redis ACLs) and \u2018AuthToken\u2019 is missing or is empty/null.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-repl-grp-redis-auth-enabled.html", + "last_updated": "2025-10-01T21:58:40.683889", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticache-subnet-group-check", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if Amazon ElastiCache clusters are configured with a custom subnet group. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using a default subnet group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-subnet-group-check.html", + "last_updated": "2025-10-01T21:58:40.888168", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticache-supported-engine-version", + "service_name": "elasticache", + "type": "MANAGED", + "description": "Checks if ElastiCache clusters are running a version greater or equal to the recommended engine version. The rule is NON_COMPLIANT if the 'EngineVersion' for an ElastiCache cluster is less than the specified recommended version for its given engine.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticache-supported-engine-version.html", + "last_updated": "2025-10-01T21:58:41.092596", + "services": [ + "elasticache" + ], + "parameters": [ + { + "name": { + "S": "latestMemcachedVersion" + }, + "description": { + "S": "The latest recommended engine version for Memcached. Valid values are in semantic versioning (SemVer) format with 3-component number for major, minor, and patch versions (for example, 1.6.6, not 1.6)." + } + }, + { + "name": { + "S": "latestRedisVersion" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticbeanstalk-application-description", + "service_name": "elasticbeanstalk", + "type": "MANAGED", + "description": "Checks if AWS Elastic Beanstalk applications have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticbeanstalk-application-description.html", + "last_updated": "2025-10-01T21:58:41.307603", + "services": [ + "elasticbeanstalk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticbeanstalk-application-version-description", + "service_name": "elasticbeanstalk", + "type": "MANAGED", + "description": "Checks if AWS Elastic Beanstalk application versions have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticbeanstalk-application-version-description.html", + "last_updated": "2025-10-01T21:58:41.515972", + "services": [ + "elasticbeanstalk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticbeanstalk-environment-description", + "service_name": "elasticbeanstalk", + "type": "MANAGED", + "description": "Checks if AWS Elastic Beanstalk environments have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticbeanstalk-environment-description.html", + "last_updated": "2025-10-01T21:58:41.740625", + "services": [ + "elasticbeanstalk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticsearch-encrypted-at-rest", + "service_name": "elasticsearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:58:41.942505", + "services": [ + "elasticsearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticsearch-in-vpc-only", + "service_name": "elasticsearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains are in Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-in-vpc-only.html", + "last_updated": "2025-10-01T21:58:42.153101", + "services": [ + "elasticsearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elasticsearch-logs-to-cloudwatch", + "service_name": "elasticsearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is COMPLIANT if a log is enabled for an Amazon ES domain. This rule is NON_COMPLIANT if logging is not configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:58:42.368470", + "services": [ + "elasticsearch" + ], + "parameters": [ + { + "name": { + "S": "logTypes (Optional)" + }, + "description": { + "S": "Comma-separated list of logs that are enabled. Valid values are 'search', 'index', 'error'." + } + } + ] + }, + { + "rule_name": "elasticsearch-node-to-node-encryption-check", + "service_name": "elasticsearch", + "type": "MANAGED", + "description": "Check that Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elasticsearch-node-to-node-encryption-check.html", + "last_updated": "2025-10-01T21:58:42.592290", + "services": [ + "elasticsearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elb-acm-certificate-required", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager.\n\t\t\t\tTo use this rule, use an SSL or HTTPS listener with your Classic Load Balancer.\n\t\t\t\tThis rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html", + "last_updated": "2025-10-01T21:58:42.810386", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elb-cross-zone-load-balancing-enabled", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if cross-zone load balancing is enabled for Classic Load Balancers. The rule is NON_COMPLIANT if cross-zone load balancing is not enabled for Classic Load Balancers.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html", + "last_updated": "2025-10-01T21:58:43.026013", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elb-custom-security-policy-ssl-check", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-custom-security-policy-ssl-check.html", + "last_updated": "2025-10-01T21:58:43.245453", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "sslProtocolsAndCiphers" + }, + "description": { + "S": "Comma separated list of ciphers and protocols." + } + } + ] + }, + { + "rule_name": "elb-deletion-protection-enabled", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks whether an Elastic Load Balancer has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:58:43.450104", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elb-internal-scheme-check", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if a Classic Load Balancer scheme is internal. The rule is NON_COMPLIANT if configuration.scheme is not set to internal.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-internal-scheme-check.html", + "last_updated": "2025-10-01T21:58:43.677684", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elb-logging-enabled", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled. The rule is NON_COMPLIANT if the access_logs.s3.enabled is false or access_logs.S3.bucket is not equal to the s3BucketName that you provided.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html", + "last_updated": "2025-10-01T21:58:43.894724", + "services": [ + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "s3BucketNames (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon S3 bucket names for Amazon ELB to deliver the log files." + } + } + ] + }, + { + "rule_name": "elb-logging-enabled", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled. The rule is NON_COMPLIANT if the access_logs.s3.enabled is false or access_logs.S3.bucket is not equal to the s3BucketName that you provided.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html", + "last_updated": "2025-10-01T21:58:43.894732", + "services": [ + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "s3BucketNames (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon S3 bucket names for Amazon ELB to deliver the log files." + } + } + ] + }, + { + "rule_name": "elb-predefined-security-policy-ssl-check", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if your Classic Load Balancer SSL listeners use a predefined policy. The rule is NON_COMPLIANT if the Classic Load Balancer HTTPS/SSL listener's policy does not equal the value of the parameter 'predefinedPolicyName'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html", + "last_updated": "2025-10-01T21:58:44.096166", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "predefinedPolicyName" + }, + "description": { + "S": "Name of the predefined policy." + } + } + ] + }, + { + "rule_name": "elb-tagged", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if Classic Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-tagged.html", + "last_updated": "2025-10-01T21:58:44.295933", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "elb-tls-https-listeners-only", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is NON_COMPLIANT if a listener is not configured with SSL or HTTPS.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elb-tls-https-listeners-only.html", + "last_updated": "2025-10-01T21:58:44.500596", + "services": [ + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elbv2-acm-certificate-required", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM).\nThis rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured without a certificate from ACM or is configured with a certificate different from an ACM certificate.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html", + "last_updated": "2025-10-01T21:58:44.699745", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "AcmCertificatesAllowed (Optional)" + }, + "description": { + "S": "Comma-separated list of certificate Amazon Resource Names (ARNs)." + } + } + ] + }, + { + "rule_name": "elbv2-listener-encryption-in-transit", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if listeners for the load balancers are configured with HTTPS or TLS termination. The rule is NON_COMPLIANT if listeners are not configured with HTTPS or TLS termination.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elbv2-listener-encryption-in-transit.html", + "last_updated": "2025-10-01T21:58:44.911662", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "elbv2-multiple-az", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) is mapped to multiple Availability Zones (AZs).\nThe rule is NON_COMPLIANT if an Elastic Load Balancer V2 is mapped to less than 2 AZs.\nFor more information, see Availability Zones for your Application Load Balancer.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elbv2-multiple-az.html", + "last_updated": "2025-10-01T21:58:45.131513", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "minAvailabilityZones (Optional)" + }, + "description": { + "S": "Minimum number of expected AZs (between 2 and 10 inclusive)." + } + } + ] + }, + { + "rule_name": "elbv2-predefined-security-policy-ssl-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if listeners for Application Load Balancers (ALBs) or Network Load Balancers (NLBs) use certain security policies. The rule is NON_COMPLIANT if an HTTPS listener for an ALB or a TLS listener for a NLB does not use the security policies you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/elbv2-predefined-security-policy-ssl-check.html", + "last_updated": "2025-10-01T21:58:45.336196", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "sslPolicies" + }, + "description": { + "S": "Comma-separated list of SSL security policies for the rule to check. For example, \"ELBSecurityPolicy-TLS13-1-2-2021-06\"." + } + } + ] + }, + { + "rule_name": "emr-block-public-access", + "service_name": "emr", + "type": "MANAGED", + "description": "Checks if an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/emr-block-public-access.html", + "last_updated": "2025-10-01T21:58:45.531197", + "services": [ + "emr" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "emr-kerberos-enabled", + "service_name": "emr", + "type": "MANAGED", + "description": "Checks if Amazon EMR clusters have Kerberos enabled. The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/emr-kerberos-enabled.html", + "last_updated": "2025-10-01T21:58:45.732134", + "services": [ + "emr" + ], + "parameters": [ + { + "name": { + "S": "TicketLifetimeInHours (Optional)" + }, + "description": { + "S": "Period for which Kerberos ticket issued by cluster's KDC is valid." + } + }, + { + "name": { + "S": "Realm (Optional)" + }, + "description": { + "S": "Domain name of the other realm in the trust relationship." + } + }, + { + "name": { + "S": "Domain (Optional)" + }, + "description": { + "S": "Fully qualified domain of the KDC server in the other realm of the trust relationship." + } + }, + { + "name": { + "S": "AdminServer (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "KdcServer (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "emr-master-no-public-ip", + "service_name": "emr", + "type": "MANAGED", + "description": "Checks if Amazon EMR clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/emr-master-no-public-ip.html", + "last_updated": "2025-10-01T21:58:45.947958", + "services": [ + "emr", + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "emr-master-no-public-ip", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon EMR clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/emr-master-no-public-ip.html", + "last_updated": "2025-10-01T21:58:45.947968", + "services": [ + "emr", + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "emr-security-configuration-encryption-rest", + "service_name": "emr", + "type": "MANAGED", + "description": "Checks if an Amazon EMR security configuration has encryption at rest enabled. The rule is NON_COMPLIANT if configuration.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/emr-security-configuration-encryption-rest.html", + "last_updated": "2025-10-01T21:58:46.149798", + "services": [ + "emr" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "emr-security-configuration-encryption-transit", + "service_name": "emr", + "type": "MANAGED", + "description": "Checks if an Amazon EMR security configuration has encryption in transit enabled. The rule is NON_COMPLIANT if configuration.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/emr-security-configuration-encryption-transit.html", + "last_updated": "2025-10-01T21:58:46.345993", + "services": [ + "emr" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "encrypted-volumes", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if attached Amazon EBS volumes are encrypted and optionally are encrypted with a specified KMS key. The rule is NON_COMPLIANT if attached EBS volumes are unencrypted or are encrypted with a KMS key not in the supplied parameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html", + "last_updated": "2025-10-01T21:58:46.548176", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "kmsId (Optional)" + }, + "description": { + "S": "ID or ARN of the KMS key that is used to encrypt the volume." + } + } + ] + }, + { + "rule_name": "event-data-store-cmk-encryption-enabled", + "service_name": "cloudtrail", + "type": "MANAGED", + "description": "Checks if AWS Cloud Trail event data stores have customer managed AWS KMS keys enabled. The rule is NON_COMPLIANT if an event data store has disabled customer managed KMS keys. Optionally, you can specify a list of KMS keys for the rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/event-data-store-cmk-encryption-enabled.html", + "last_updated": "2025-10-01T21:58:46.742464", + "services": [ + "cloudtrail" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Resource Names (ARNs) of AWS KMS keys for the rule to check. If provided, the rule is NON_COMPLIANT if an AWS Cloud Trail event data store is not encrypted with one of t" + } + } + ] + }, + { + "rule_name": "evidently-launch-description", + "service_name": "evidently", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Evidently launches have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/evidently-launch-description.html", + "last_updated": "2025-10-01T21:58:46.956857", + "services": [ + "evidently" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "evidently-launch-tagged", + "service_name": "evidently", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Evidently launches have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/evidently-launch-tagged.html", + "last_updated": "2025-10-01T21:58:47.165776", + "services": [ + "evidently" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "evidently-project-description", + "service_name": "evidently", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Evidently projects have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/evidently-project-description.html", + "last_updated": "2025-10-01T21:58:47.424427", + "services": [ + "evidently" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "evidently-project-tagged", + "service_name": "evidently", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Evidently projects have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/evidently-project-tagged.html", + "last_updated": "2025-10-01T21:58:47.632482", + "services": [ + "evidently" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "evidently-segment-description", + "service_name": "evidently", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Evidently segments have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/evidently-segment-description.html", + "last_updated": "2025-10-01T21:58:47.835420", + "services": [ + "evidently" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "evidently-segment-tagged", + "service_name": "evidently", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch Evidently segments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/evidently-segment-tagged.html", + "last_updated": "2025-10-01T21:58:48.054300", + "services": [ + "evidently" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "fis-experiment-template-log-configuration-exists", + "service_name": "fis", + "type": "MANAGED", + "description": "Checks if AWS FIS experiment templates have experiment logging configured. The rule is NON_COMPLIANT if configuration.LogConfiguration does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fis-experiment-template-log-configuration-exists.html", + "last_updated": "2025-10-01T21:58:48.279088", + "services": [ + "fis" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fis-experiment-template-tagged", + "service_name": "fis", + "type": "MANAGED", + "description": "Checks if AWS FIS experiment templates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fis-experiment-template-tagged.html", + "last_updated": "2025-10-01T21:58:48.494672", + "services": [ + "fis" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "shield", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702477", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702500", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "wafregional", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702512", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "shieldregional", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702523", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702533", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702544", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-shield-resource-policy-check", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-shield-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.702554", + "services": [ + "shield", + "ec2", + "wafregional", + "shieldregional", + "cloudfront", + "elasticloadbalancingv2", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "A unique identifier for a Web ACL." + } + }, + { + "name": { + "S": "resourceTypes" + }, + "description": { + "S": "The resource tags you specify for the rule to check. For example, { \"tagKey1\" : [\"tagValue1\"], \"tagKey2\" : [\"tagValue2\", \"tagValue3\"] }." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-webacl-resource-policy-check", + "service_name": "apigateway", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.915854", + "services": [ + "apigateway", + "wafregional", + "cloudfront", + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "The WebACLId of the web ACL." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "If true, exclude resources that match resourceTags." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule." + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-webacl-resource-policy-check", + "service_name": "wafregional", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.915872", + "services": [ + "apigateway", + "wafregional", + "cloudfront", + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "The WebACLId of the web ACL." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "If true, exclude resources that match resourceTags." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule." + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-webacl-resource-policy-check", + "service_name": "cloudfront", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.915883", + "services": [ + "apigateway", + "wafregional", + "cloudfront", + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "The WebACLId of the web ACL." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "If true, exclude resources that match resourceTags." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule." + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-webacl-resource-policy-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-resource-policy-check.html", + "last_updated": "2025-10-01T21:58:48.915893", + "services": [ + "apigateway", + "wafregional", + "cloudfront", + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "webACLId" + }, + "description": { + "S": "The WebACLId of the web ACL." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "If true, exclude resources that match resourceTags." + } + }, + { + "name": { + "S": "excludeResourceTags (Optional)" + }, + "description": { + "S": "If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule." + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-webacl-rulegroup-association-check", + "service_name": "wafregional", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-rulegroup-association-check.html", + "last_updated": "2025-10-01T21:58:49.142693", + "services": [ + "wafregional", + "waf" + ], + "parameters": [ + { + "name": { + "S": "ruleGroups" + }, + "description": { + "S": "Comma-separated list of RuleGroupIds and WafOverrideAction pairs. (for example, ruleGroupId-1:NONE, ruleGroupId2:COUNT)" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule." + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fms-webacl-rulegroup-association-check", + "service_name": "waf", + "type": "MANAGED", + "description": "This rule is currently in the deprecation process. We do not recommend that you use them directly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fms-webacl-rulegroup-association-check.html", + "last_updated": "2025-10-01T21:58:49.142713", + "services": [ + "wafregional", + "waf" + ], + "parameters": [ + { + "name": { + "S": "ruleGroups" + }, + "description": { + "S": "Comma-separated list of RuleGroupIds and WafOverrideAction pairs. (for example, ruleGroupId-1:NONE, ruleGroupId2:COUNT)" + } + }, + { + "name": { + "S": "fmsManagedToken (Optional)" + }, + "description": { + "S": "If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule." + } + }, + { + "name": { + "S": "fmsRemediationEnabled (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "frauddetector-entity-type-tagged", + "service_name": "frauddetector", + "type": "MANAGED", + "description": "Checks if Amazon Fraud Detector entity types have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/frauddetector-entity-type-tagged.html", + "last_updated": "2025-10-01T21:58:49.343822", + "services": [ + "frauddetector" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "frauddetector-label-tagged", + "service_name": "frauddetector", + "type": "MANAGED", + "description": "Checks if Amazon Fraud Detector labels have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/frauddetector-label-tagged.html", + "last_updated": "2025-10-01T21:58:49.542384", + "services": [ + "frauddetector" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "frauddetector-outcome-tagged", + "service_name": "frauddetector", + "type": "MANAGED", + "description": "Checks if Amazon Fraud Detector outcomes have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/frauddetector-outcome-tagged.html", + "last_updated": "2025-10-01T21:58:49.739468", + "services": [ + "frauddetector" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "frauddetector-variable-tagged", + "service_name": "frauddetector", + "type": "MANAGED", + "description": "Checks if Amazon Fraud Detector variables have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/frauddetector-variable-tagged.html", + "last_updated": "2025-10-01T21:58:49.937644", + "services": [ + "frauddetector" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "fsx-last-backup-recovery-point-created", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon FSx File Systems. The rule is NON_COMPLIANT if the Amazon FSx File System does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:58:50.159362", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon FSx File Systems for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fsx-lustre-copy-tags-to-backups", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if the Amazon FSx for Lustre file systems are configured to copy tags to backups. The rule is NON_COMPLIANT if Lustre file systems are not configured to copy tags to backups.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html", + "last_updated": "2025-10-01T21:58:50.351113", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fsx-meets-restore-time-target", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon FSx File Systems meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon FSx File System is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:58:50.570620", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "ID of Amazon FSx File System for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fsx-ontap-deployment-type-check", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if Amazon FSx for NetApp ONTAP file systems are configured with certain deployment types. The rule is NON_COMPLIANT if the Amazon FSx for NetApp ONTAP file systems are not configured with the deployment types you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-ontap-deployment-type-check.html", + "last_updated": "2025-10-01T21:58:50.781239", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "deploymentTypes" + }, + "description": { + "S": "Comma-separated list of allowed Deployment types for the rule to check." + } + } + ] + }, + { + "rule_name": "fsx-openzfs-copy-tags-enabled", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if the Amazon FSx for OpenZFS file systems are configured to copy tags to backups and volumes. The rule is NON_COMPLIANT if FSx for OpenZFS file systems are not configured to copy tags to backups and volumes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html", + "last_updated": "2025-10-01T21:58:51.002790", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fsx-openzfs-deployment-type-check", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if the Amazon FSx for OpenZFS file systems are configured with certain deployment types. The rule is NON_COMPLIANT if FSx for OpenZFS file systems are not configured with the deployment types you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-openzfs-deployment-type-check.html", + "last_updated": "2025-10-01T21:58:51.206359", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "deploymentTypes" + }, + "description": { + "S": "Comma-separated list of allowed Deployment types for the rule to check." + } + } + ] + }, + { + "rule_name": "fsx-resources-protected-by-backup-plan", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if Amazon FSx File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon FSx File System is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:58:51.394751", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon FSx File Systems for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fsx-windows-audit-log-configured", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if the Amazon FSx for Windows File Server file systems have file access auditing enabled. The rule is NON_COMPLIANT if the FSx for Windows File Server file systems do not have file access auditing enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-windows-audit-log-configured.html", + "last_updated": "2025-10-01T21:58:51.586224", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "fsx-windows-deployment-type-check", + "service_name": "fsx", + "type": "MANAGED", + "description": "Checks if the Amazon FSx for WINDOWS file systems are configured with certain deployment types. The rule is NON_COMPLIANT if FSx for WINDOWS file systems are not configured with the deployment types you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-windows-deployment-type-check.html", + "last_updated": "2025-10-01T21:58:51.811589", + "services": [ + "fsx" + ], + "parameters": [ + { + "name": { + "S": "deploymentTypes" + }, + "description": { + "S": "Comma-separated list of allowed Deployment types for the rule to check." + } + } + ] + }, + { + "rule_name": "glb-listener-tagged", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Gateway Load Balancer listeners have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/glb-listener-tagged.html", + "last_updated": "2025-10-01T21:58:52.019590", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "glb-tagged", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Gateway Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/glb-tagged.html", + "last_updated": "2025-10-01T21:58:52.223038", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "global-endpoint-event-replication-enabled", + "service_name": "events", + "type": "MANAGED", + "description": "Checks if event replication is enabled for Amazon EventBridge global endpoints. The rule is NON_COMPLIANT if event replication is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/global-endpoint-event-replication-enabled.html", + "last_updated": "2025-10-01T21:58:52.431605", + "services": [ + "events" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "glue-job-logging-enabled", + "service_name": "glue", + "type": "MANAGED", + "description": "Checks if an AWS Glue job has logging enabled. The rule is NON_COMPLIANT if an AWS Glue job does not have Amazon CloudWatch logs enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/glue-job-logging-enabled.html", + "last_updated": "2025-10-01T21:58:52.644531", + "services": [ + "glue" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "glue-ml-transform-encrypted-at-rest", + "service_name": "glue", + "type": "MANAGED", + "description": "Checks if an AWS Glue ML Transform has encryption at rest enabled. The rule is NON_COMPLIANT if `MLUserDataEncryptionMode` is set to `DISABLED`.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/glue-ml-transform-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:58:52.845031", + "services": [ + "glue" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "glue-ml-transform-tagged", + "service_name": "glue", + "type": "MANAGED", + "description": "Checks if AWS Glue machine learning transforms have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/glue-ml-transform-tagged.html", + "last_updated": "2025-10-01T21:58:53.048868", + "services": [ + "glue" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "glue-spark-job-supported-version", + "service_name": "glue", + "type": "MANAGED", + "description": "Checks if an AWS Glue Spark job is running on the specified minimum supported AWS Glue version. The rule is NON_COMPLIANT if the AWS Glue Spark job is not running on the minimum supported AWS Glue version that you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/glue-spark-job-supported-version.html", + "last_updated": "2025-10-01T21:58:53.272863", + "services": [ + "glue" + ], + "parameters": [ + { + "name": { + "S": "minimumSupportedGlueVersion" + }, + "description": { + "S": "String value you must specify of the minimum supported AWS Glue version for the rule to check." + } + } + ] + }, + { + "rule_name": "guardduty-ec2-protection-runtime-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if ECS Runtime Monitoring with automated agent management is enabled for Amazon GuardDuty detector. The rule is NON_COMPLIANT if the feature is not enabled for your account or at least one member account in your organization.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-ec2-protection-runtime-enabled.html", + "last_updated": "2025-10-01T21:58:53.524911", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-ecs-protection-runtime-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if ECS Runtime Monitoring with automated agent management is enabled for Amazon GuardDuty detector. The rule is NON_COMPLIANT if the feature is not enabled for your account or at least one member account in your organization.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-ecs-protection-runtime-enabled.html", + "last_updated": "2025-10-01T21:58:53.744832", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-eks-protection-audit-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Audit Log Monitoring for Amazon Elastic Kubernetes Service (Amazon EKS) is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the EKS Audit Log Monitoring feature is not enabled for your account.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-audit-enabled.html", + "last_updated": "2025-10-01T21:58:53.962541", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-eks-protection-runtime-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Amazon EKS Runtime Monitoring with automated agent management is enabled for GuardDuty detector in your account. The rule is NON_COMPLIANT if EKS Runtime Monitoring with automated agent management in GuardDuty is not enabled for your account.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html", + "last_updated": "2025-10-01T21:58:54.172803", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-enabled-centralized", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Amazon GuardDuty is enabled in your AWS account and AWS Region. If you provide an AWS account for centralization, the rule evaluates the GuardDuty results in the centralized account. The rule is COMPLIANT when GuardDuty is enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-enabled-centralized.html", + "last_updated": "2025-10-01T21:58:54.421380", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "CentralMonitoringAccount (Optional)" + }, + "description": { + "S": "Comma separated list of AWS Accounts (12-digit) where Amazon GuardDuty results are allowed to be centralized." + } + } + ] + }, + { + "rule_name": "guardduty-lambda-protection-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Lambda Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Lambda Protection feature in Amazon GuardDuty is not enabled for your account.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-lambda-protection-enabled.html", + "last_updated": "2025-10-01T21:58:54.616665", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-malware-protection-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Malware Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Malware Protection feature in Amazon GuardDuty is not enabled for your account.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-malware-protection-enabled.html", + "last_updated": "2025-10-01T21:58:54.835983", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-non-archived-findings", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Amazon GuardDuty has findings that are non-archived. The rule is NON_COMPLIANT if GuardDuty has non-archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-non-archived-findings.html", + "last_updated": "2025-10-01T21:58:55.056660", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "daysLowSev (Optional)" + }, + "description": { + "S": "The number of days Amazon GuardDuty low severity findings are allowed to stay non archived. The default is 30 days." + } + }, + { + "name": { + "S": "daysMediumSev (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "daysHighSev (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-rds-protection-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Amazon RDS protection feature in Amazon GuardDuty is not enabled for you account.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-rds-protection-enabled.html", + "last_updated": "2025-10-01T21:58:55.267292", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-runtime-monitoring-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if Runtime Monitoring is enabled for Amazon GuardDuty detector in your account or organization. The rule is NON_COMPLIANT if Runtime Monitoring in GuardDuty is not enabled for your account or at least one member account in your organization.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-runtime-monitoring-enabled.html", + "last_updated": "2025-10-01T21:58:55.466171", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "guardduty-s3-protection-enabled", + "service_name": "guardduty", + "type": "MANAGED", + "description": "Checks if S3 Protection is enabled for an Amazon GuardDuty Detector in your account. The rule is NON_COMPLIANT if the S3 Protection feature in Amazon GuardDuty is not enabled for your account.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-s3-protection-enabled.html", + "last_updated": "2025-10-01T21:58:55.690961", + "services": [ + "guardduty" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-customer-policy-blocked-kms-actions", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked KMS actions on all AWS KMS key resources. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys by the managed IAM policy.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.html", + "last_updated": "2025-10-01T21:58:55.911088", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "blockedActionsPatterns" + }, + "description": { + "S": "Comma-separated list of blocked KMS action patterns for the rule to check. The rule is NON_COMPLIANT if IAM customer managed policies allow wildcard access to all resources for the actions you specify" + } + }, + { + "name": { + "S": "excludePermissionBoundaryPolicy (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-external-access-analyzer-enabled", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if an IAM Access Analyzer for external access is activated in your account per region. The rule is NON_COMPLIANT if there are no analyzers for external access in the region or if the 'status' attribute is not set to 'ACTIVE'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-external-access-analyzer-enabled.html", + "last_updated": "2025-10-01T21:58:56.133625", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-group-has-users-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks whether IAM groups have at least one IAM user.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-group-has-users-check.html", + "last_updated": "2025-10-01T21:58:56.347407", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-inline-policy-blocked-kms-actions", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the inline policies attached to your IAM users, roles, and groups do not allow blocked actions on all AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-inline-policy-blocked-kms-actions.html", + "last_updated": "2025-10-01T21:58:56.548035", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "blockedActionsPatterns" + }, + "description": { + "S": "Comma-separated list of blocked KMS action patterns, for example, kms:*, kms:Decrypt, kms:ReEncrypt*." + } + }, + { + "name": { + "S": "excludeRoleByManagementAccount (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-no-inline-policy-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-no-inline-policy-check.html", + "last_updated": "2025-10-01T21:58:56.751847", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-oidc-provider-tagged", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS IAM OIDC providers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-oidc-provider-tagged.html", + "last_updated": "2025-10-01T21:58:56.953584", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iam-password-policy", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the account password policy for AWS Identity and Access Management (IAM) users meets the specified requirements indicated in the parameters. The rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html", + "last_updated": "2025-10-01T21:58:57.149166", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "RequireUppercaseCharacters (Optional)" + }, + "description": { + "S": "Require at least one uppercase character in password." + } + }, + { + "name": { + "S": "RequireLowercaseCharacters (Optional)" + }, + "description": { + "S": "Require at least one number in password." + } + }, + { + "name": { + "S": "RequireSymbols (Optional)" + }, + "description": { + "S": "Number of days before password expiration." + } + }, + { + "name": { + "S": "RequireNumbers (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "MinimumPasswordLength (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "PasswordReusePrevention (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "MaxPasswordAge (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-policy-blacklisted-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks in each AWS Identity and Access Management (IAM) resource, if a policy Amazon Resource Name (ARN) in the input parameter is attached to the IAM resource. The rule is NON_COMPLIANT if the policy ARN is attached to the IAM resource.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html", + "last_updated": "2025-10-01T21:58:57.338019", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "policyArns" + }, + "description": { + "S": "Comma separated list of IAM policy arns which should not be attached to any IAM entity." + } + }, + { + "name": { + "S": "exceptionList (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-policy-in-use", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-in-use.html", + "last_updated": "2025-10-01T21:58:57.546241", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "policyARN" + }, + "description": { + "S": "An IAM policy ARN to be checked." + } + }, + { + "name": { + "S": "policyUsageType (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-policy-no-statements-with-admin-access", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS Identity and Access Management (IAM) policies that you create have Allow statements that grant permissions to all actions on all resources. The rule is NON_COMPLIANT if any customer managed IAM policy statement includes \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\".", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html", + "last_updated": "2025-10-01T21:58:57.758521", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "excludePermissionBoundaryPolicy (Optional)" + }, + "description": { + "S": "Boolean flag to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. Otherwise, all IAM policies" + } + } + ] + }, + { + "rule_name": "iam-policy-no-statements-with-full-access", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources. The rule is NON_COMPLIANT if any customer managed IAM policy allows full access to at least 1 AWS service.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-full-access.html", + "last_updated": "2025-10-01T21:58:57.969124", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "excludePermissionBoundaryPolicy (Optional)" + }, + "description": { + "S": "Boolean flag to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. Otherwise, all IAM policies" + } + } + ] + }, + { + "rule_name": "iam-role-managed-policy-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if all managed policies specified in the list of managed policies are attached to the AWS Identity and Access Management (IAM) role. The rule is NON_COMPLIANT if a managed policy is not attached to the IAM role.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-role-managed-policy-check.html", + "last_updated": "2025-10-01T21:58:58.168443", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "managedPolicyArns" + }, + "description": { + "S": "Comma-separated list of AWS managed policy Amazon Resource Names (ARNs).\nFor more information, see Amazon Resource Names (ARNs)\nand AWS managed policies in the IAM User Guide." + } + } + ] + }, + { + "rule_name": "iam-root-access-key-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the root user access key is available. The rule is COMPLIANT if the user access key does not exist. Otherwise, NON_COMPLIANT.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html", + "last_updated": "2025-10-01T21:58:58.370410", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-saml-provider-tagged", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS IAM SAML providers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-saml-provider-tagged.html", + "last_updated": "2025-10-01T21:58:58.582349", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iam-server-certificate-expiration-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS IAM SSL/TLS server certificates stored in IAM are expired. The rule is NON_COMPLIANT if an IAM server certificate is expired.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-server-certificate-expiration-check.html", + "last_updated": "2025-10-01T21:58:58.777609", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-server-certificate-tagged", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS IAM server certificates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-server-certificate-tagged.html", + "last_updated": "2025-10-01T21:58:58.976150", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iam-user-group-membership-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks whether IAM users are members of at least one IAM group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-user-group-membership-check.html", + "last_updated": "2025-10-01T21:58:59.183622", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "groupNames (Optional)" + }, + "description": { + "S": "Comma-separated list of IAM groups in which IAM users must be members.\nNoteThis rule does not support group names with commas." + } + } + ] + }, + { + "rule_name": "iam-user-mfa-enabled", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the AWS Identity and Access Management (IAM) users have multi-factor authentication (MFA) enabled. The rule is NON_COMPLIANT if MFA is not enabled for at least one IAM user.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-user-mfa-enabled.html", + "last_updated": "2025-10-01T21:58:59.394081", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-user-no-policies-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if none of your AWS Identity and Access Management (IAM) users have policies attached. IAM users must inherit permissions from IAM groups or roles. The rule is NON_COMPLIANT if there is at least one IAM user with policies attached.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html", + "last_updated": "2025-10-01T21:58:59.588114", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iam-user-unused-credentials-check", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.\nThe rule is NON_COMPLIANT if there are inactive accounts not recently used.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iam-user-unused-credentials-check.html", + "last_updated": "2025-10-01T21:58:59.819778", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "maxCredentialUsageAge" + }, + "description": { + "S": "Maximum number of days a credential cannot be used. The default value is 90 days." + } + } + ] + }, + { + "rule_name": "inspector-ec2-scan-enabled", + "service_name": "inspector", + "type": "MANAGED", + "description": "Checks if Amazon Inspector V2 EC2 scanning is activated for your single or multi-account environment to detect potential vulnerabilities and network reachability issues on your EC2 instances. The rule is NON_COMPLIANT if EC2 scanning is not activated.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/inspector-ec2-scan-enabled.html", + "last_updated": "2025-10-01T21:59:00.015767", + "services": [ + "inspector" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "inspector-ecr-scan-enabled", + "service_name": "inspector", + "type": "MANAGED", + "description": "Checks if Amazon Inspector V2 ECR scanning is activated for your single or multi-account environment to detect potential software vulnerabilities in your container images. The rule is NON_COMPLIANT if ECR scanning is not activated.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/inspector-ecr-scan-enabled.html", + "last_updated": "2025-10-01T21:59:00.208327", + "services": [ + "inspector" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "inspector-lambda-code-scan-enabled", + "service_name": "inspector", + "type": "MANAGED", + "description": "Checks if Amazon Inspector V2 Lambda code scanning is activated for your single or multi-account environment to detect potential code vulnerabilities. The rule is NON_COMPLIANT if Lambda code scanning is not activated.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/inspector-lambda-code-scan-enabled.html", + "last_updated": "2025-10-01T21:59:00.395328", + "services": [ + "inspector" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "inspector-lambda-standard-scan-enabled", + "service_name": "inspector", + "type": "MANAGED", + "description": "Checks if Amazon Inspector V2 Lambda standard scanning is activated for your single or multi-account environment to detect potential software vulnerabilities. The rule is NON_COMPLIANT if Lambda standard scanning is not activated.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/inspector-lambda-standard-scan-enabled.html", + "last_updated": "2025-10-01T21:59:00.594708", + "services": [ + "inspector" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "internet-gateway-authorized-vpc-only", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/internet-gateway-authorized-vpc-only.html", + "last_updated": "2025-10-01T21:59:00.787262", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "AuthorizedVpcIds (Optional)" + }, + "description": { + "S": "Comma-separated list of the authorized VPC IDs with attached IGWs. If parameter is not provided all attached IGWs will be NON_COMPLIANT." + } + } + ] + }, + { + "rule_name": "iot-authorizer-token-signing-enabled", + "service_name": "iot", + "type": "MANAGED", + "description": "Checks if an AWS IoT Core authorizer has not disabled the signing requirements for validating the token signature in an authorization request. The rule is NON_COMPLIANT if the authorizer has configuration.SigningDisabled set to True.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iot-authorizer-token-signing-enabled.html", + "last_updated": "2025-10-01T21:59:01.006847", + "services": [ + "iot" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "iot-job-template-tagged", + "service_name": "iot", + "type": "MANAGED", + "description": "Checks if AWS IoT job template resources resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iot-job-template-tagged.html", + "last_updated": "2025-10-01T21:59:01.211574", + "services": [ + "iot" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iot-scheduled-audit-tagged", + "service_name": "iot", + "type": "MANAGED", + "description": "Checks if AWS IoT scheduled audits have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iot-scheduled-audit-tagged.html", + "last_updated": "2025-10-01T21:59:01.407129", + "services": [ + "iot" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotdevicedefender-custom-metric-tagged", + "service_name": "iot", + "type": "MANAGED", + "description": "AWS IoT Device Defender custom metrics have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotdevicedefender-custom-metric-tagged.html", + "last_updated": "2025-10-01T21:59:01.618308", + "services": [ + "iot" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotevents-alarm-model-tagged", + "service_name": "iotevents", + "type": "MANAGED", + "description": "Checks if AWS IoT Events alarm models have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotevents-alarm-model-tagged.html", + "last_updated": "2025-10-01T21:59:01.817120", + "services": [ + "iotevents" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotevents-detector-model-tagged", + "service_name": "iotevents", + "type": "MANAGED", + "description": "Checks if AWS IoT Events detector models have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotevents-detector-model-tagged.html", + "last_updated": "2025-10-01T21:59:02.045587", + "services": [ + "iotevents" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotevents-input-tagged", + "service_name": "iotevents", + "type": "MANAGED", + "description": "Checks if AWS IoT Events inputs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotevents-input-tagged.html", + "last_updated": "2025-10-01T21:59:02.300299", + "services": [ + "iotevents" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotsitewise-asset-model-tagged", + "service_name": "iotsitewise", + "type": "MANAGED", + "description": "Checks if AWS IoT SiteWise asset models have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotsitewise-asset-model-tagged.html", + "last_updated": "2025-10-01T21:59:02.502898", + "services": [ + "iotsitewise" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotsitewise-dashboard-tagged", + "service_name": "iotsitewise", + "type": "MANAGED", + "description": "Checks if AWS IoT SiteWise dashboards have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotsitewise-dashboard-tagged.html", + "last_updated": "2025-10-01T21:59:02.710348", + "services": [ + "iotsitewise" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotsitewise-gateway-tagged", + "service_name": "iotsitewise", + "type": "MANAGED", + "description": "Checks if AWS IoT SiteWise gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotsitewise-gateway-tagged.html", + "last_updated": "2025-10-01T21:59:02.920540", + "services": [ + "iotsitewise" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotsitewise-portal-tagged", + "service_name": "iotsitewise", + "type": "MANAGED", + "description": "Checks if AWS IoT SiteWise portals have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotsitewise-portal-tagged.html", + "last_updated": "2025-10-01T21:59:03.119767", + "services": [ + "iotsitewise" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotsitewise-project-tagged", + "service_name": "iotsitewise", + "type": "MANAGED", + "description": "Checks if AWS IoT SiteWise projects have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotsitewise-project-tagged.html", + "last_updated": "2025-10-01T21:59:03.318736", + "services": [ + "iotsitewise" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iottwinmaker-component-type-tagged", + "service_name": "iottwinmaker", + "type": "MANAGED", + "description": "Checks if AWS IoT TwinMaker component types have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iottwinmaker-component-type-tagged.html", + "last_updated": "2025-10-01T21:59:03.523194", + "services": [ + "iottwinmaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iottwinmaker-entity-tagged", + "service_name": "iottwinmaker", + "type": "MANAGED", + "description": "Checks if AWS IoT TwinMaker entities have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iottwinmaker-entity-tagged.html", + "last_updated": "2025-10-01T21:59:03.722718", + "services": [ + "iottwinmaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iottwinmaker-scene-tagged", + "service_name": "iottwinmaker", + "type": "MANAGED", + "description": "Checks if AWS IoT TwinMaker scenes have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iottwinmaker-scene-tagged.html", + "last_updated": "2025-10-01T21:59:03.923474", + "services": [ + "iottwinmaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iottwinmaker-sync-job-tagged", + "service_name": "iottwinmaker", + "type": "MANAGED", + "description": "Checks if AWS IoT TwinMaker sync jobs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iottwinmaker-sync-job-tagged.html", + "last_updated": "2025-10-01T21:59:04.145923", + "services": [ + "iottwinmaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iottwinmaker-workspace-tagged", + "service_name": "iottwinmaker", + "type": "MANAGED", + "description": "Checks if AWS IoT TwinMaker workspaces have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iottwinmaker-workspace-tagged.html", + "last_updated": "2025-10-01T21:59:04.337244", + "services": [ + "iottwinmaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotwireless-fuota-task-tagged", + "service_name": "iotwireless", + "type": "MANAGED", + "description": "Checks if AWS IoT Wireless FUOTA tasks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotwireless-fuota-task-tagged.html", + "last_updated": "2025-10-01T21:59:04.536798", + "services": [ + "iotwireless" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotwireless-multicast-group-tagged", + "service_name": "iotwireless", + "type": "MANAGED", + "description": "Checks if AWS IoT Wireless multicast groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotwireless-multicast-group-tagged.html", + "last_updated": "2025-10-01T21:59:04.761497", + "services": [ + "iotwireless" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "iotwireless-service-profile-tagged", + "service_name": "iotwireless", + "type": "MANAGED", + "description": "Checks if AWS IoT Wireless service profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/iotwireless-service-profile-tagged.html", + "last_updated": "2025-10-01T21:59:04.966402", + "services": [ + "iotwireless" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ivs-channel-playback-authorization-enabled", + "service_name": "ivs", + "type": "MANAGED", + "description": "Checks if Amazon IVS channels have playback authorization enabled. The rule is NON_COMPLIANT if configuration.Authorized is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ivs-channel-playback-authorization-enabled.html", + "last_updated": "2025-10-01T21:59:05.174095", + "services": [ + "ivs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ivs-channel-tagged", + "service_name": "ivs", + "type": "MANAGED", + "description": "Checks if Amazon IVS channels have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ivs-channel-tagged.html", + "last_updated": "2025-10-01T21:59:05.364759", + "services": [ + "ivs" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ivs-playback-key-pair-tagged", + "service_name": "ivs", + "type": "MANAGED", + "description": "Checks if Amazon IVS playback key pairs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ivs-playback-key-pair-tagged.html", + "last_updated": "2025-10-01T21:59:05.568106", + "services": [ + "ivs" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "ivs-recording-configuration-tagged", + "service_name": "ivs", + "type": "MANAGED", + "description": "Checks if Amazon IVS recording configurations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ivs-recording-configuration-tagged.html", + "last_updated": "2025-10-01T21:59:05.773166", + "services": [ + "ivs" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "kinesis-firehose-delivery-stream-encrypted", + "service_name": "kinesisfirehose", + "type": "MANAGED", + "description": "Checks if Amazon Kinesis Data Firehose delivery streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT if a Kinesis Data Firehose delivery stream is not encrypted at rest with server-side encryption.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kinesis-firehose-delivery-stream-encrypted.html", + "last_updated": "2025-10-01T21:59:05.985147", + "services": [ + "kinesisfirehose" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of KMS Key Arns that are approved for Kinesis Firehose usage." + } + } + ] + }, + { + "rule_name": "kinesis-stream-backup-retention-check", + "service_name": "kinesis", + "type": "MANAGED", + "description": "Checks if an Amazon Kinesis Data Stream has its data record retention period set to a specific number of hours. The rule is NON_COMPLIANT if the property `RetentionPeriodHours` is set to a value less than the value specified by the parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kinesis-stream-backup-retention-check.html", + "last_updated": "2025-10-01T21:59:06.236180", + "services": [ + "kinesis" + ], + "parameters": [ + { + "name": { + "S": "minimumBackupRetentionPeriod (Optional)" + }, + "description": { + "S": "Minimum hours data records should be retained. Valid values are 24 to 8760, default value is 168." + } + } + ] + }, + { + "rule_name": "kinesis-stream-encrypted", + "service_name": "kinesis", + "type": "MANAGED", + "description": "Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT for a Kinesis stream if 'StreamEncryption' is not present.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kinesis-stream-encrypted.html", + "last_updated": "2025-10-01T21:59:06.435353", + "services": [ + "kinesis" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "kinesis-video-stream-minimum-data-retention", + "service_name": "kinesisvideo", + "type": "MANAGED", + "description": "Checks if an Amazon Kinesis Video stream is configured with a value greater than or equal to the specified minimum data retention. The rule is NON_COMPLIANT if DataRetentionInHours is less than the value specified in the required rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kinesis-video-stream-minimum-data-retention.html", + "last_updated": "2025-10-01T21:59:06.630547", + "services": [ + "kinesisvideo" + ], + "parameters": [ + { + "name": { + "S": "minDataRetentionInHours" + }, + "description": { + "S": "The minimum data retention in hours of the Amazon Kinesis Video stream for the rule to check. The rule is NON_COMPLIANT if the data retention in hours is less than the value specified in this paramete" + } + } + ] + }, + { + "rule_name": "kms-cmk-not-scheduled-for-deletion", + "service_name": "kms", + "type": "MANAGED", + "description": "Checks if AWS Key Management Service (AWS KMS) keys are not scheduled for deletion in AWS KMS. The rule is NON_COMPLIANT if KMS keys are scheduled for deletion.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kms-cmk-not-scheduled-for-deletion.html", + "last_updated": "2025-10-01T21:59:06.829582", + "services": [ + "kms" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyIds (Optional)" + }, + "description": { + "S": "(Optional) Comma-separated list of specific customer managed key IDs not to be scheduled for deletion. If you do not specify any keys, the rule checks all the keys." + } + } + ] + }, + { + "rule_name": "kms-key-policy-no-public-access", + "service_name": "kms", + "type": "MANAGED", + "description": "Checks if the AWS KMS key policy allows public access. The rule is NON_COMPLIANT if the KMS key policy allows public access to the KMS key.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kms-key-policy-no-public-access.html", + "last_updated": "2025-10-01T21:59:07.029211", + "services": [ + "kms" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "kms-key-tagged", + "service_name": "kms", + "type": "MANAGED", + "description": "Checks if AWS Key Management Service (KMS) keys have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/kms-key-tagged.html", + "last_updated": "2025-10-01T21:59:07.233012", + "services": [ + "kms" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "lambda-concurrency-check", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if the Lambda function is configured with a function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with a function-level concurrent execution limit.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-concurrency-check.html", + "last_updated": "2025-10-01T21:59:07.442976", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "ConcurrencyLimitLow (Optional)" + }, + "description": { + "S": "Minimum concurrency execution limit" + } + }, + { + "name": { + "S": "ConcurrencyLimitHigh (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "lambda-dlq-check", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if a Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-dlq-check.html", + "last_updated": "2025-10-01T21:59:07.643322", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "dlqArns (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon SQS and Amazon SNS ARNs that must be configured as the Lambda function dead-letter queue target." + } + } + ] + }, + { + "rule_name": "lambda-function-public-access-prohibited", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access it is NON_COMPLIANT.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-public-access-prohibited.html", + "last_updated": "2025-10-01T21:59:07.834946", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "lambda-function-settings-check", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values. The rule ignores functions with the 'Image' package type\nand functions with runtime set to 'OS-only Runtime'.\nThe rule is NON_COMPLIANT if the Lambda function settings do not match the expected values.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-settings-check.html", + "last_updated": "2025-10-01T21:59:08.039329", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "runtime" + }, + "description": { + "S": "Comma-separated list of AWS Lambda runtime values" + } + }, + { + "name": { + "S": "role (Optional)" + }, + "description": { + "S": "AWS Lambda function timeout in seconds" + } + }, + { + "name": { + "S": "timeout (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "memorySize (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "lambda-function-xray-enabled", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if AWS X-Ray is enabled on AWS Lambda functions.The rule is NON_COMPLIANT if X-Ray tracing is disabled for a Lambda function.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-xray-enabled.html", + "last_updated": "2025-10-01T21:59:08.233463", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "lambda-inside-vpc", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if a Lambda function is allowed access to a virtual private cloud (VPC). The rule is NON_COMPLIANT if the Lambda function is not VPC enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html", + "last_updated": "2025-10-01T21:59:08.420938", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "subnetIds (Optional)" + }, + "description": { + "S": "Comma-separated list of Subnet IDs that Lambda functions can be associated with." + } + } + ] + }, + { + "rule_name": "lambda-vpc-multi-az-check", + "service_name": "lambda", + "type": "MANAGED", + "description": "Checks if Lambda has more than 1 availability zone associated. The rule is NON_COMPLIANT if only 1 availability zone is associated with the Lambda or the number of availability zones associated is less than number specified in the optional parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lambda-vpc-multi-az-check.html", + "last_updated": "2025-10-01T21:59:08.614299", + "services": [ + "lambda" + ], + "parameters": [ + { + "name": { + "S": "availabilityZones (Optional)" + }, + "description": { + "S": "Number of expected Availability zones." + } + } + ] + }, + { + "rule_name": "lightsail-bucket-allow-public-overrides-disabled", + "service_name": "lightsail", + "type": "MANAGED", + "description": "Checks if Amazon Lightsail buckets have allow public overrides disabled. The rule is NON_COMPLIANT if AllowPublicOverrides is true. Note: AllowPublicOverrides has no effect if GetObject is public, see lightsail-bucket-get-object-private.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lightsail-bucket-allow-public-overrides-disabled.html", + "last_updated": "2025-10-01T21:59:08.821952", + "services": [ + "lightsail" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "lightsail-bucket-tagged", + "service_name": "lightsail", + "type": "MANAGED", + "description": "Checks if Amazon Lightsail buckets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lightsail-bucket-tagged.html", + "last_updated": "2025-10-01T21:59:09.030074", + "services": [ + "lightsail" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "lightsail-certificate-tagged", + "service_name": "lightsail", + "type": "MANAGED", + "description": "Checks if Amazon Lightsail certificates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lightsail-certificate-tagged.html", + "last_updated": "2025-10-01T21:59:09.246138", + "services": [ + "lightsail" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "lightsail-disk-tagged", + "service_name": "lightsail", + "type": "MANAGED", + "description": "Checks if Amazon Lightsail disks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/lightsail-disk-tagged.html", + "last_updated": "2025-10-01T21:59:09.443333", + "services": [ + "lightsail" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "macie-auto-sensitive-data-discovery-check", + "service_name": "macie", + "type": "MANAGED", + "description": "Checks if automated sensitive data discovery is enabled for Amazon Macie. The rule is NON_COMPLIANT if automated sensitive data discovery is disabled. The rule is APPLICABLE for administrator accounts and NOT_APPLICABLE for member accounts.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/macie-auto-sensitive-data-discovery-check.html", + "last_updated": "2025-10-01T21:59:09.676032", + "services": [ + "macie" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "macie-status-check", + "service_name": "macie", + "type": "MANAGED", + "description": "Checks if Amazon Macie is enabled in your account per region. The rule is NON_COMPLIANT if the 'status' attribute is not set to 'ENABLED'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/macie-status-check.html", + "last_updated": "2025-10-01T21:59:09.898436", + "services": [ + "macie" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mariadb-publish-logs-to-cloudwatch-logs", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon MariaDB database instances are configured to publish logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if a database instance is not configured to publish logs to CloudWatch Logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mariadb-publish-logs-to-cloudwatch-logs.html", + "last_updated": "2025-10-01T21:59:10.127100", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "logTypes (Optional)" + }, + "description": { + "S": "Comma-separated list of log types for the rule to check. If not provided, the rule checks for the default log types: 'error' and 'audit'." + } + } + ] + }, + { + "rule_name": "mfa-enabled-for-iam-console-access", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if AWS multi-factor authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html", + "last_updated": "2025-10-01T21:59:10.336071", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-active-broker-ldap-authentication", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if Amazon MQ ActiveMQ brokers use the LDAP authentication strategy to secure the broker. The rule is NON_COMPLIANT if configuration.AuthenticationStrategy is not 'ldap'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-active-broker-ldap-authentication.html", + "last_updated": "2025-10-01T21:59:10.534708", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-active-deployment-mode", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks the deployment mode configured for Amazon MQ ActiveMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-active-deployment-mode.html", + "last_updated": "2025-10-01T21:59:10.738838", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-active-single-instance-broker-storage-type-efs", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if an Amazon MQ for ActiveMQ single-instance broker using the mq.m5 instance type family is configured with Amazon Elastic File System (EFS) for broker storage. The rule is NON_COMPLIANT if configuration.StorageType is not 'efs'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-active-single-instance-broker-storage-type-efs.html", + "last_updated": "2025-10-01T21:59:10.960997", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-auto-minor-version-upgrade-enabled", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the 'AutoMinorVersionUpgrade' field is not enabled for an Amazon MQ broker.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-auto-minor-version-upgrade-enabled.html", + "last_updated": "2025-10-01T21:59:11.173768", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-automatic-minor-version-upgrade-enabled", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the 'AutoMinorVersionUpgrade' field is not enabled for an Amazon MQ broker.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-automatic-minor-version-upgrade-enabled.html", + "last_updated": "2025-10-01T21:59:11.388975", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-broker-general-logging-enabled", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if Amazon MQ brokers have general logging enabled. The rule is NON_COMPLIANT if configuration.Logs.General is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-broker-general-logging-enabled.html", + "last_updated": "2025-10-01T21:59:11.585576", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-cloudwatch-audit-log-enabled", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-cloudwatch-audit-log-enabled.html", + "last_updated": "2025-10-01T21:59:11.790690", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-cloudwatch-audit-logging-enabled", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-cloudwatch-audit-logging-enabled.html", + "last_updated": "2025-10-01T21:59:12.025536", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-no-public-access", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if Amazon MQ brokers are not publicly accessible. The rule is NON_COMPLIANT if the 'PubliclyAccessible' field is set to true for an Amazon MQ broker.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-no-public-access.html", + "last_updated": "2025-10-01T21:59:12.236064", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "mq-rabbit-deployment-mode", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks the deployment mode configured for the Amazon MQ RabbitMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/mq-rabbit-deployment-mode.html", + "last_updated": "2025-10-01T21:59:12.459214", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "msk-cluster-public-access-disabled", + "service_name": "msk", + "type": "MANAGED", + "description": "Checks if public access is disabled on Amazon MSK clusters. The rule is NON_COMPLIANT if public access on an Amazon MSK cluster is not disabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/msk-cluster-public-access-disabled.html", + "last_updated": "2025-10-01T21:59:12.666478", + "services": [ + "msk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "msk-cluster-tagged", + "service_name": "msk", + "type": "MANAGED", + "description": "Checks if Amazon MSK clusters have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/msk-cluster-tagged.html", + "last_updated": "2025-10-01T21:59:12.880528", + "services": [ + "msk" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "msk-connect-connector-logging-enabled", + "service_name": "kafkaconnect", + "type": "MANAGED", + "description": "Checks if Amazon MSK Connector has logging enabled to any one of the log destinations. The rule is NON_COMPLIANT if Amazon MSK Connector does not have logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/msk-connect-connector-logging-enabled.html", + "last_updated": "2025-10-01T21:59:13.080266", + "services": [ + "kafkaconnect" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "msk-enhanced-monitoring-enabled", + "service_name": "msk", + "type": "MANAGED", + "description": "Checks if enhanced monitoring is enabled for an Amazon MSK cluster set to PER_TOPIC_PER_BROKER or PER_TOPIC_PER_PARTITION. The rule is NON_COMPLIANT if enhanced monitoring is enabled and set to DEFAULT or PER_BROKER.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/msk-enhanced-monitoring-enabled.html", + "last_updated": "2025-10-01T21:59:13.289290", + "services": [ + "msk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "msk-in-cluster-node-require-tls", + "service_name": "msk", + "type": "MANAGED", + "description": "Checks if an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/msk-in-cluster-node-require-tls.html", + "last_updated": "2025-10-01T21:59:13.485170", + "services": [ + "msk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "msk-unrestricted-access-check", + "service_name": "msk", + "type": "MANAGED", + "description": "Checks if an Amazon MSK Cluster has unauthenticated access disabled. The rule is NON_COMPLIANT if Amazon MSK Cluster has unauthenticated access enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/msk-unrestricted-access-check.html", + "last_updated": "2025-10-01T21:59:13.692440", + "services": [ + "msk" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "multi-region-cloudtrail-enabled", + "service_name": "multi", + "type": "MANAGED", + "description": "For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/multi-region-cloudtrail-enabled.html", + "last_updated": "2025-10-01T21:59:13.900125", + "services": [ + "multi" + ], + "parameters": [ + { + "name": { + "S": "s3BucketName (Optional)" + }, + "description": { + "S": "Name of Amazon S3 bucket for AWS CloudTrail to deliver log files to." + } + }, + { + "name": { + "S": "snsTopicArn (Optional)" + }, + "description": { + "S": "Amazon CloudWatch log group ARN for AWS CloudTrail to send data to." + } + }, + { + "name": { + "S": "cloudWatchLogsLogGroupArn (Optional)" + }, + "description": { + "S": "Type of events to record. Valid values are ReadOnly, WriteOnly and ALL." + } + }, + { + "name": { + "S": "includeManagementEvents (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "readWriteType (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "nacl-no-unrestricted-ssh-rdp", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/nacl-no-unrestricted-ssh-rdp.html", + "last_updated": "2025-10-01T21:59:14.107091", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-backup-retention-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune DB cluster retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-backup-retention-check.html", + "last_updated": "2025-10-01T21:59:14.317868", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "minimumBackupRetentionPeriod (Optional)" + }, + "description": { + "S": "Minimum days backups should be kept. Valid values 1 to 35, default value is 7. The rule is NON_COMPLIANT if value is greater than 'backupRetentionPeriod'. The rule is COMPLIANT if value is less than o" + } + } + ] + }, + { + "rule_name": "neptune-cluster-cloudwatch-log-export-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-cloudwatch-log-export-enabled.html", + "last_updated": "2025-10-01T21:59:14.518451", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-copy-tags-to-snapshot-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune cluster is configured to copy all tags to snapshots when the snapshots are created. The rule is NON_COMPLIANT if 'copyTagsToSnapshot' is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-copy-tags-to-snapshot-enabled.html", + "last_updated": "2025-10-01T21:59:14.718389", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-deletion-protection-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune DB cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster has the deletionProtection field set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:59:14.924103", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-encrypted", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-encrypted.html", + "last_updated": "2025-10-01T21:59:15.131709", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "KmsKeyArns (Optional)" + }, + "description": { + "S": "A comma-separated list of KMS key ARNs to compare with the KmsKeyId of the encrypted cluster." + } + } + ] + }, + { + "rule_name": "neptune-cluster-iam-database-authentication", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-iam-database-authentication.html", + "last_updated": "2025-10-01T21:59:15.325929", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-multi-az-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune cluster is configured with Amazon RDS Multi-AZ replication. The rule is NON_COMPLIANT if Multi-AZ replication is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-multi-az-enabled.html", + "last_updated": "2025-10-01T21:59:15.537663", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-snapshot-encrypted", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune DB cluster has snapshots encrypted. The rule is NON_COMPLIANT if a Neptune cluster does not have snapshots encrypted.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-snapshot-encrypted.html", + "last_updated": "2025-10-01T21:59:15.754501", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "neptune-cluster-snapshot-public-prohibited", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Neptune manual DB cluster snapshot is public. The rule is NON_COMPLIANT if any existing and new Neptune cluster snapshot is public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-snapshot-public-prohibited.html", + "last_updated": "2025-10-01T21:59:15.983625", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "netfw-deletion-protection-enabled", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if AWS Network Firewall has deletion protection enabled. The rule is NON_COMPLIANT if Network Firewall does not have deletion protection enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:59:16.211862", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "netfw-logging-enabled", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-logging-enabled.html", + "last_updated": "2025-10-01T21:59:16.417607", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "logType (Optional)" + }, + "description": { + "S": "logType (Optional): Log type for the rule to check for firewalls: 'alert', 'flow', or 'both'." + } + } + ] + }, + { + "rule_name": "netfw-multi-az-enabled", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if AWS Network Firewall firewalls are deployed across multiple Availability Zones. The rule is NON_COMPLIANT if firewalls are deployed in only one Availability Zone or in fewer zones than the number listed in the optional parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-multi-az-enabled.html", + "last_updated": "2025-10-01T21:59:16.641641", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "availabilityZones (Optional)" + }, + "description": { + "S": "The number of expected Availability Zones." + } + } + ] + }, + { + "rule_name": "netfw-policy-default-action-fragment-packets", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if stateless default action for fragmented packets does not match with user defined default action.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html", + "last_updated": "2025-10-01T21:59:16.864280", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "statelessFragmentDefaultActions" + }, + "description": { + "S": "Comma-separated list of values. You can select a max of two. Valid values include 'aws:pass', 'aws:drop', and 'aws:forward_to_sfe'." + } + } + ] + }, + { + "rule_name": "netfw-policy-default-action-full-packets", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets. This rule is NON_COMPLIANT if default stateless action for full packets does not match with user defined default stateless action.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-full-packets.html", + "last_updated": "2025-10-01T21:59:17.078222", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "statelessDefaultActions" + }, + "description": { + "S": "Comma-separated list of values. You can select a max of two. Valid values include 'aws:pass', 'aws:drop', and 'aws:forward_to_sfe'." + } + } + ] + }, + { + "rule_name": "netfw-policy-rule-group-associated", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Check AWS Network Firewall policy is associated with stateful OR stateless rule groups. This rule is NON_COMPLIANT if no stateful or stateless rule groups are associated with the Network Firewall policy else COMPLIANT if any one of the rule group exists.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-rule-group-associated.html", + "last_updated": "2025-10-01T21:59:17.303764", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "netfw-stateless-rule-group-not-empty", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if a Stateless Network Firewall Rule Group contains rules. The rule is NON_COMPLIANT if there are no rules in a Stateless Network Firewall Rule Group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-stateless-rule-group-not-empty.html", + "last_updated": "2025-10-01T21:59:17.506942", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "netfw-subnet-change-protection-enabled", + "service_name": "networkfirewall", + "type": "MANAGED", + "description": "Checks if AWS Network Firewall has subnet change protection enabled. The rule is NON_COMPLIANT if subnet change protection is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/netfw-subnet-change-protection-enabled.html", + "last_updated": "2025-10-01T21:59:17.713713", + "services": [ + "networkfirewall" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "nlb-cross-zone-load-balancing-enabled", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs). The rule is NON_COMPLIANT if cross-zone load balancing is not enabled for an NLB.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/nlb-cross-zone-load-balancing-enabled.html", + "last_updated": "2025-10-01T21:59:17.924293", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "nlb-internal-scheme-check", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if a Network Load Balancer scheme is internal. The rule is NON_COMPLIANT if configuration.scheme is not set to internal.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/nlb-internal-scheme-check.html", + "last_updated": "2025-10-01T21:59:18.134442", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "nlb-listener-tagged", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Network Load Balancer listeners have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/nlb-listener-tagged.html", + "last_updated": "2025-10-01T21:59:18.358294", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "nlb-logging-enabled", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if access logging is enabled for Network Load Balancers. The rule is NON_COMPLIANT if access logging is not enabled for a Network Load balancer.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/nlb-logging-enabled.html", + "last_updated": "2025-10-01T21:59:18.563020", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "nlb-tagged", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if Network Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/nlb-tagged.html", + "last_updated": "2025-10-01T21:59:18.787494", + "services": [ + "elasticloadbalancingv2" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "no-unrestricted-route-to-igw", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if there are public routes in the route table to an Internet gateway (IGW). The rule is NON_COMPLIANT if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html", + "last_updated": "2025-10-01T21:59:18.987531", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "routeTableIds (Optional)" + }, + "description": { + "S": "Comma-separated list of route table IDs that can have routes to an Internet Gateway with a destination CIDR block of '0.0.0.0/0' or '::/0'." + } + } + ] + }, + { + "rule_name": "opensearch-access-control-enabled", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains have fine-grained access control enabled. The rule is NON_COMPLIANT if AdvancedSecurityOptions is not enabled for the OpenSearch Service domain.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-access-control-enabled.html", + "last_updated": "2025-10-01T21:59:19.194003", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "opensearch-audit-logging-enabled", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains have audit logging enabled. The rule is NON_COMPLIANT if an OpenSearch Service domain does not have audit logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-audit-logging-enabled.html", + "last_updated": "2025-10-01T21:59:19.423614", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "cloudWatchLogsLogGroupArnList (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Resource Names (ARNs) for Amazon CloudWatch Logs log groups. The rule checks if the specified log groups are configured for audit logs.\nValid values include: arn:aws:log" + } + } + ] + }, + { + "rule_name": "opensearch-data-node-fault-tolerance", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if 'instanceCount' is less than 3 or 'zoneAwarenessEnabled' is set to 'false'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-data-node-fault-tolerance.html", + "last_updated": "2025-10-01T21:59:19.627713", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "opensearch-encrypted-at-rest", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:59:19.833271", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "opensearch-https-required", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks whether connections to OpenSearch domains are using HTTPS. The rule is NON_COMPLIANT if the Amazon OpenSearch domain 'EnforceHTTPS' is not 'true' or is 'true' and 'TLSSecurityPolicy' is not in 'tlsPolicies'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-https-required.html", + "last_updated": "2025-10-01T21:59:20.043891", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "tlsPolicies (Optional)" + }, + "description": { + "S": "Comma-separated list of TLS security policies to check against the Amazon OpensSearch domain." + } + } + ] + }, + { + "rule_name": "opensearch-in-vpc-only", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-in-vpc-only.html", + "last_updated": "2025-10-01T21:59:20.249088", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "opensearch-logs-to-cloudwatch", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if logging is not configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:59:20.466825", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "logTypes (Optional)" + }, + "description": { + "S": "Comma-separated list of logs that are enabled. Valid values are 'search', 'index', 'error'." + } + } + ] + }, + { + "rule_name": "opensearch-node-to-node-encryption-check", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Check if Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is not enabled on the domain", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-node-to-node-encryption-check.html", + "last_updated": "2025-10-01T21:59:20.677495", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "opensearch-primary-node-fault-tolerance", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service domains are configured with at least three dedicated primary nodes. The rule is NON_COMPLIANT for an OpenSearch Service domain if 'DedicatedMasterEnabled' is set to 'false', or 'DedicatedMasterCount' is less than 3.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-primary-node-fault-tolerance.html", + "last_updated": "2025-10-01T21:59:20.878931", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "opensearch-update-check", + "service_name": "opensearch", + "type": "MANAGED", + "description": "Checks if Amazon OpenSearch Service version updates are available but not installed. The rule is NON_COMPLIANT for an OpenSearch domain if the latest software updates are not installed.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/opensearch-update-check.html", + "last_updated": "2025-10-01T21:59:21.086708", + "services": [ + "opensearch" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rabbit-mq-supported-version", + "service_name": "amazonmq", + "type": "MANAGED", + "description": "Checks if an Amazon MQ RabbitMQ broker is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the RabbitMQ broker is not running on the minimum supported engine version that you specify.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rabbit-mq-supported-version.html", + "last_updated": "2025-10-01T21:59:21.293013", + "services": [ + "amazonmq" + ], + "parameters": [ + { + "name": { + "S": "supportedEngineVersion" + }, + "description": { + "S": "String value for the rule to check the minimum supported engine version for the RabbitMQ broker. RabbitMQ brokers use semantic versioning specification: X.Y.Z. X denotes the major version, Y represent" + } + } + ] + }, + { + "rule_name": "rds-aurora-mysql-audit-logging-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Aurora MySQL-Compatible Edition clusters are configured to publish audit logs to Amazon CloudWatch Logs.\nThe rule is NON_COMPLIANT if Aurora MySQL-Compatible Edition clusters do not have audit log publishing configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-aurora-mysql-audit-logging-enabled.html", + "last_updated": "2025-10-01T21:59:21.506459", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-aurora-postgresql-logs-to-cloudwatch", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Aurora PostgreSQL DB cluster is configured to publish PostgreSQL logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the DB cluster is not configured to publish PostgreSQL logs to Amazon CloudWatch Logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-aurora-postgresql-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:59:21.711513", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-automatic-minor-version-upgrade-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-automatic-minor-version-upgrade-enabled.html", + "last_updated": "2025-10-01T21:59:21.921538", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-cluster-auto-minor-version-upgrade-enable", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if automatic minor version upgrades are enabled for Amazon RDS Multi-AZ cluster deployments. The rule is NON_COMPLIANT if autoMinorVersionUpgrade is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-auto-minor-version-upgrade-enable.html", + "last_updated": "2025-10-01T21:59:22.143058", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-cluster-default-admin-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username is set to the default value.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-default-admin-check.html", + "last_updated": "2025-10-01T21:59:22.348934", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "validAdminUserNames (Optional)" + }, + "description": { + "S": "Comma-separated list of admin username(s) that Amazon RDS clusters can use. Cannot include 'postgres' or 'admin' as valid username(s) as these are default values." + } + } + ] + }, + { + "rule_name": "rds-cluster-deletion-protection-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:59:22.545664", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-cluster-encrypted-at-rest", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Relational Database Service (Amazon RDS) cluster is encrypted at rest. The rule is NON_COMPLIANT if an Amazon RDS cluster is not encrypted at rest.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-encrypted-at-rest.html", + "last_updated": "2025-10-01T21:59:22.758553", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-cluster-iam-authentication-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is COMPLIANT if an RDS Cluster has IAM authentication enabled and NON_COMPLIANT otherwise.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-iam-authentication-enabled.html", + "last_updated": "2025-10-01T21:59:22.957609", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-cluster-multi-az-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Multi-Availability Zone (Multi-AZ) replication is enabled on Amazon Aurora and Multi-AZ DB clusters managed by Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if an Amazon RDS instance is not configured with Multi-AZ.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-multi-az-enabled.html", + "last_updated": "2025-10-01T21:59:23.170045", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-db-security-group-not-allowed", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if there are any Amazon Relational Database Service (Amazon RDS)\nDB security groups that are not the default DB security group. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-db-security-group-not-allowed.html", + "last_updated": "2025-10-01T21:59:23.392490", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-enhanced-monitoring-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if enhanced monitoring is enabled for Amazon RDS instances. This rule is NON_COMPLIANT if 'monitoringInterval' is '0' in the configuration item of the RDS instance, or if 'monitoringInterval' does not match the rule parameter value.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-enhanced-monitoring-enabled.html", + "last_updated": "2025-10-01T21:59:23.644336", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "monitoringInterval (Optional)" + }, + "description": { + "S": "An integer value in seconds between points when enhanced monitoring metrics are collected for the database instance. The valid values are 1, 5, 10, 15, 30, and 60." + } + } + ] + }, + { + "rule_name": "rds-event-subscription-tagged", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon RDS event subscriptions have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-event-subscription-tagged.html", + "last_updated": "2025-10-01T21:59:23.869860", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "rds-in-backup-plan", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) databases are present in AWS Backup plans. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-in-backup-plan.html", + "last_updated": "2025-10-01T21:59:24.054692", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-instance-default-admin-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value. This rule will only run on RDS database instances. The rule is NON_COMPLIANT if the admin username is set to the default value.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-default-admin-check.html", + "last_updated": "2025-10-01T21:59:24.239429", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "validAdminUserNames (Optional)" + }, + "description": { + "S": "Comma-separated list of admin username(s) that Amazon RDS instances can use. (Cannot include 'postgres' or 'admin' as valid username(s) as these are default values.)" + } + } + ] + }, + { + "rule_name": "rds-instance-deletion-protection-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled; for example, deletionProtection is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-deletion-protection-enabled.html", + "last_updated": "2025-10-01T21:59:24.421379", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "databaseEngines (Optional)" + }, + "description": { + "S": "Comma-separated list of RDS database engines to include in the evaluation of the rule. For example, 'mysql, postgres, mariadb'." + } + } + ] + }, + { + "rule_name": "rds-instance-iam-authentication-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-iam-authentication-enabled.html", + "last_updated": "2025-10-01T21:59:24.613162", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-instance-public-access-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if the Amazon Relational Database Service (Amazon RDS) instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html", + "last_updated": "2025-10-01T21:59:24.810583", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-instance-subnet-igw-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if RDS DB instances are deployed in a public subnet with a route to the internet gateway. The rule is NON_COMPLIANT if RDS DB instances is deployed in a public subnet", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-subnet-igw-check.html", + "last_updated": "2025-10-01T21:59:24.998980", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-last-backup-recovery-point-created", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if the Amazon RDS instance does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:59:25.198514", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon RDS instances for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-logging-enabled", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is NON_COMPLIANT if any log types are not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-logging-enabled.html", + "last_updated": "2025-10-01T21:59:25.383574", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "additionalLogs (Optional)" + }, + "description": { + "S": "Comma-separated list of engine names and log type names. For example, \"additionalLogs\": \"oracle: general, slowquery ; aurora: alert, slowquery\"" + } + } + ] + }, + { + "rule_name": "rds-mariadb-instance-encrypted-in-transit", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if connections to Amazon RDS for MariaDB DB instances with engine version greater than or equal to 10.5 use encryption in transit. The rule is NON_COMPLIANT if the DB parameter group is not in-sync or if require_secure_transport is not set to ON.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-mariadb-instance-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:59:25.571739", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-meets-restore-time-target", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon Relational Database Service (Amazon RDS) instances meets specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon RDS instance is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:59:25.771797", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "ID of Amazon RDS instance for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-multi-az-support", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks whether high availability is enabled for your RDS DB instances.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-multi-az-support.html", + "last_updated": "2025-10-01T21:59:25.951473", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-mysql-cluster-copy-tags-to-snapshot-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) MySQL DB clusters are configured to copy tags to snapshots. The rule is NON_COMPLIANT if an Amazon RDS MySQL DB cluster is not configured to copy tags to snapshots.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-mysql-cluster-copy-tags-to-snapshot-check.html", + "last_updated": "2025-10-01T21:59:26.135404", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-mysql-instance-encrypted-in-transit", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if connections to Amazon RDS for MySQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the require_secure_transport parameter is not set to 1.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-mysql-instance-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:59:26.331140", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-option-group-tagged", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon RDS option group resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-option-group-tagged.html", + "last_updated": "2025-10-01T21:59:26.521884", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "rds-pgsql-cluster-copy-tags-to-snapshot-check", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) PostgreSQL DB clusters are configured to copy tags to snapshots. The rule is NON_COMPLIANT if an RDS PostgreSQL DB cluster's CopyTagsToSnapshot property is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-pgsql-cluster-copy-tags-to-snapshot-check.html", + "last_updated": "2025-10-01T21:59:26.706076", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-postgres-instance-encrypted-in-transit", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if connections to Amazon RDS PostgreSQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the rds.force_ssl parameter is not set to 1.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-postgres-instance-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:59:26.903366", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-postgresql-logs-to-cloudwatch", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon PostgreSQL DB instance is configured to publish logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the DB instance is not configured to publish logs to Amazon CloudWatch Logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-postgresql-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:59:27.095156", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "logTypes (Optional)" + }, + "description": { + "S": "Comma-separated list of log types to be published to CloudWatch Logs. Valid values are: 'postgresql', 'upgrade'. Default value is 'postgresql'." + } + } + ] + }, + { + "rule_name": "rds-proxy-tls-encryption", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon RDS proxies enforce TLS for all connections. The rule is NON_COMPLIANT if an Amazon RDS proxy does not have TLS enforced for all connections.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-proxy-tls-encryption.html", + "last_updated": "2025-10-01T21:59:27.305472", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-resources-protected-by-backup-plan", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon RDS Database instance is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:59:27.492042", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for Amazon RDS instances for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-snapshot-encrypted", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT if the Amazon RDS DB snapshots are not encrypted.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshot-encrypted.html", + "last_updated": "2025-10-01T21:59:27.684701", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-snapshots-public-prohibited", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is NON_COMPLIANT if any existing and new Amazon RDS snapshots are public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html", + "last_updated": "2025-10-01T21:59:27.890074", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-sql-server-logs-to-cloudwatch", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if an Amazon SQL Server DB instance is configured to publish logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the DB instance is not configured to publish logs to Amazon CloudWatch Logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-sql-server-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:59:28.091604", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "logTypes (Optional)" + }, + "description": { + "S": "logTypes - (Optional): Comma-separated list of log types to be published to CloudWatch Logs. Valid values are: 'error', 'agent'. Default value is 'error', 'agent'." + } + } + ] + }, + { + "rule_name": "rds-sqlserver-encrypted-in-transit", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if connections to Amazon RDS SQL server database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the DB parameter force_ssl for the parameter group is not set to 1 or the ApplyStatus parameter is not 'in-sync'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-sqlserver-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:59:28.287332", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "rds-storage-encrypted", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if storage encryption is enabled for your Amazon Relational Database Service (Amazon RDS) DB instances. The rule is NON_COMPLIANT if storage encryption is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-storage-encrypted.html", + "last_updated": "2025-10-01T21:59:28.482089", + "services": [ + "rds" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyId (Optional)" + }, + "description": { + "S": "KMS key ID or Amazon Resource Name (ARN) used to encrypt the storage." + } + } + ] + }, + { + "rule_name": "redshift-audit-logging-enabled", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift clusters are logging audits to a specific bucket. The rule is NON_COMPLIANT if audit logging is not enabled for a Redshift cluster or if the 'bucketNames' parameter is provided but the audit logging destination does not match.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-audit-logging-enabled.html", + "last_updated": "2025-10-01T21:59:28.675504", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "bucketNames (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon S3 bucket names for storing audit logs." + } + } + ] + }, + { + "rule_name": "redshift-backup-enabled", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks that Amazon Redshift automated snapshots are enabled for clusters.\n\t\t\t\tThe rule is NON_COMPLIANT if the value for automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or\n\t\t\t\tless than MinRetentionPeriod or the value is 0.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html", + "last_updated": "2025-10-01T21:59:28.865578", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "MinRetentionPeriod (Optional)" + }, + "description": { + "S": "Minimum value for the retention period. Minimum value is 1." + } + }, + { + "name": { + "S": "MaxRetentionPeriod (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-cluster-configuration-check", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift clusters have the specified settings. The rule is NON_COMPLIANT if the Amazon Redshift cluster is not encrypted or encrypted with another key, or if a cluster does not have audit logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-configuration-check.html", + "last_updated": "2025-10-01T21:59:29.053906", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "clusterDbEncrypted" + }, + "description": { + "S": "Database encryption is enabled." + } + }, + { + "name": { + "S": "loggingEnabled" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "nodeTypes (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-cluster-kms-enabled", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption.\n The rule is COMPLIANT if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter.\n The rule is NON_COMPLIANT if the cluster is not encrypted or encrypted with another key.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html", + "last_updated": "2025-10-01T21:59:29.245686", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of AWS KMS key Amazon Resource Names (ARNs) used in Amazon Redshift clusters for encryption." + } + } + ] + }, + { + "rule_name": "redshift-cluster-maintenancesettings-check", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift clusters have the specified maintenance settings. The rule is NON_COMPLIANT if the automatic upgrades to major version is disabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html", + "last_updated": "2025-10-01T21:59:29.438233", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "allowVersionUpgrade" + }, + "description": { + "S": "Allow version upgrade is enabled." + } + }, + { + "name": { + "S": "preferredMaintenanceWindow (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "automatedSnapshotRetentionPeriod (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-cluster-multi-az-enabled", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if an Amazon Redshift cluster has multiple Availability Zones deployments enabled. This rule is NON_COMPLIANT if Amazon Redshift cluster does not have multiple Availability Zones deployments enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-multi-az-enabled.html", + "last_updated": "2025-10-01T21:59:29.624157", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-cluster-parameter-group-tagged", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift cluster parameter groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-parameter-group-tagged.html", + "last_updated": "2025-10-01T21:59:29.805124", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "redshift-cluster-public-access-check", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration item.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html", + "last_updated": "2025-10-01T21:59:29.996279", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-cluster-subnet-group-multi-az", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks If Amazon Redshift subnet groups contain subnets from more than one Availability Zone. The rule is NON_COMPLIANT if an Amazon Redshift subnet group does not contain subnets from at least two different Availability Zones.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-subnet-group-multi-az.html", + "last_updated": "2025-10-01T21:59:30.195771", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-default-admin-check", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if an Amazon Redshift cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift cluster is set to \u201cawsuser\u201d or if the username does not match what is listed in parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html", + "last_updated": "2025-10-01T21:59:30.393819", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "validAdminUserNames (Optional)" + }, + "description": { + "S": "Comma-separated list of admin username(s) for Redshift clusters to use. Note: 'awsuser' is the default and not accepted." + } + } + ] + }, + { + "rule_name": "redshift-default-db-name-check", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if a Redshift cluster has changed its database name from the default value. The rule is NON_COMPLIANT if the database name for a Redshift cluster is set to \u201cdev\u201d, or if the optional parameter is provided and the database name does not match.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html", + "last_updated": "2025-10-01T21:59:30.600651", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "validDatabaseNames (Optional)" + }, + "description": { + "S": "Comma-separated list of database name(s) for Redshift clusters." + } + } + ] + }, + { + "rule_name": "redshift-enhanced-vpc-routing-enabled", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html", + "last_updated": "2025-10-01T21:59:30.802266", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-require-tls-ssl", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html", + "last_updated": "2025-10-01T21:59:31.009466", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-serverless-default-admin-check", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if an Amazon Redshift Serverless Namespace has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift Serverless Namespace is set to \u201cadmin\u201d.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-default-admin-check.html", + "last_updated": "2025-10-01T21:59:31.234076", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-serverless-default-db-name-check", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if an Amazon Redshift Serverless namespace has changed its database name from the default value. The rule is NON_COMPLIANT if the database name for an Amazon Redshift Serverless namespace is set to `dev`.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-default-db-name-check.html", + "last_updated": "2025-10-01T21:59:31.450609", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-serverless-namespace-cmk-encryption", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if Amazon Redshift Serverless namespaces are encrypted by customer managed AWS KMS keys. The rule is NON_COMPLIANT if a namespace is not encrypted by a customer managed key. Optionally, you can specify a list of KMS keys for rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-namespace-cmk-encryption.html", + "last_updated": "2025-10-01T21:59:31.667382", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Resource Names (ARNs) of customer managed keys for the rule to check. If provided, the rule is NON_COMPLIANT if an Amazon Redshift Serverless namespace is not encrypted " + } + } + ] + }, + { + "rule_name": "redshift-serverless-publish-logs-to-cloudwatch", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if Amazon Redshift Serverless Namespace is configured to publish the following logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the Namespace is not configured to publish the following logs to Amazon CloudWatch Logs.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-publish-logs-to-cloudwatch.html", + "last_updated": "2025-10-01T21:59:31.876935", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "logType (Optional)" + }, + "description": { + "S": "Comma-separated list of log types to be published to CloudWatch Logs. Valid values are 'connectionlog', 'userlog' Default value is 'connectionlog', 'userlog'." + } + } + ] + }, + { + "rule_name": "redshift-serverless-workgroup-encrypted-in-transit", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if AWS Redshift Serverless workgroups have the require_ssl config parameter set to true. The rule is NON_COMPLIANT if require_ssl is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-workgroup-encrypted-in-transit.html", + "last_updated": "2025-10-01T21:59:32.097045", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-serverless-workgroup-no-public-access", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if Amazon Redshift Serverless workgroups do not allow public access. The rule is NON_COMPLIANT if a workgroup has 'Turn on Public Accessible' enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-workgroup-no-public-access.html", + "last_updated": "2025-10-01T21:59:32.299499", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-serverless-workgroup-routes-within-vpc", + "service_name": "redshiftserverless", + "type": "MANAGED", + "description": "Checks if Amazon Redshift Serverless workgroups route the network traffic through a VPC. The rule is NON_COMPLIANT if workgroups have 'Turn on Enhanced VPC routing' disabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-serverless-workgroup-routes-within-vpc.html", + "last_updated": "2025-10-01T21:59:32.520988", + "services": [ + "redshiftserverless" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "redshift-unrestricted-port-access", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if security groups associated with an Amazon Redshift cluster have inbound rules that allow unrestricted incoming traffic. The rule is NON_COMPLIANT if there are inbound rules that allow unrestricted incoming traffic to the Redshift cluster port.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/redshift-unrestricted-port-access.html", + "last_updated": "2025-10-01T21:59:32.719062", + "services": [ + "redshift" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "acm", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927582", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "autoscaling", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927595", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927601", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "elasticloadbalancingv2", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927607", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "codebuild", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927650", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "redshift", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927657", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "rds", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927663", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927670", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "dynamodb", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927678", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "cloudformation", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927684", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "required-tags", + "service_name": "elasticloadbalancing", + "type": "MANAGED", + "description": "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,\nwhile also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.\nYou can check up to 6 tags at a time.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html", + "last_updated": "2025-10-01T21:59:32.927691", + "services": [ + "acm", + "autoscaling", + "ec2", + "elasticloadbalancingv2", + "codebuild", + "redshift", + "rds", + "s3", + "dynamodb", + "cloudformation", + "elasticloadbalancing" + ], + "parameters": [ + { + "name": { + "S": "tag1Key" + }, + "description": { + "S": "Key of the required tag." + } + }, + { + "name": { + "S": "tag1Value (Optional)" + }, + "description": { + "S": "Optional value of the second required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Key (Optional)" + }, + "description": { + "S": "Optional value of the third required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag2Value (Optional)" + }, + "description": { + "S": "Optional value of the fourth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Key (Optional)" + }, + "description": { + "S": "Optional value of the fifth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag3Value (Optional)" + }, + "description": { + "S": "Optional value of the sixth required tag. Separate multiple values with commas." + } + }, + { + "name": { + "S": "tag4Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag4Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag5Value (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Key (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "tag6Value (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "restricted-common-ports", + "service_name": "ec2", + "type": "MANAGED", + "description": "For this rule, the rule identifier (RESTRICTED_INCOMING_TRAFFIC) and rule name (restricted-common-ports) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html", + "last_updated": "2025-10-01T21:59:33.135204", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "blockedPort1 (Optional)" + }, + "description": { + "S": "Blocked TCP port number. The default of 20 corresponds to File Transfer Protocol (FTP) Data Transfer." + } + }, + { + "name": { + "S": "blockedPort2 (Optional)" + }, + "description": { + "S": "Blocked TCP port number. The default of 3306 corresponds to MySQL protocol." + } + }, + { + "name": { + "S": "blockedPort3 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "blockedPort4 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "blockedPort5 (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "blockedPorts (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "restricted-ssh", + "service_name": "ec2", + "type": "MANAGED", + "description": "For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html", + "last_updated": "2025-10-01T21:59:33.335530", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "root-account-hardware-mfa-enabled", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials.\nThe rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html", + "last_updated": "2025-10-01T21:59:33.531652", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "root-account-mfa-enabled", + "service_name": "iam", + "type": "MANAGED", + "description": "Checks if the root user of your AWS account requires multi-factor authentication for console sign-in. The rule is NON_COMPLIANT if the AWS Identity and Access Management (IAM) root account user does not have multi-factor authentication (MFA) enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/root-account-mfa-enabled.html", + "last_updated": "2025-10-01T21:59:33.737041", + "services": [ + "iam" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "route53-health-check-tagged", + "service_name": "route53", + "type": "MANAGED", + "description": "Checks if Amazon Route 53 health checks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-health-check-tagged.html", + "last_updated": "2025-10-01T21:59:33.930957", + "services": [ + "route53" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "route53-hosted-zone-tagged", + "service_name": "route53", + "type": "MANAGED", + "description": "Checks if Amazon Route 53 hosted zones have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-hosted-zone-tagged.html", + "last_updated": "2025-10-01T21:59:34.122987", + "services": [ + "route53" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "route53-query-logging-enabled", + "service_name": "route53", + "type": "MANAGED", + "description": "Checks if DNS query logging is enabled for your Amazon Route 53 public hosted zones. The rule is NON_COMPLIANT if DNS query logging is not enabled for your Amazon Route 53 public hosted zones.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-query-logging-enabled.html", + "last_updated": "2025-10-01T21:59:34.316849", + "services": [ + "route53" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "route53-resolver-firewall-domain-list-tagged", + "service_name": "route53resolver", + "type": "MANAGED", + "description": "Checks if Amazon Route 53 Resolver firewall domain lists have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-resolver-firewall-domain-list-tagged.html", + "last_updated": "2025-10-01T21:59:34.509591", + "services": [ + "route53resolver" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "route53-resolver-firewall-rule-group-association-tagged", + "service_name": "route53resolver", + "type": "MANAGED", + "description": "Checks if Amazon Route 53 Resolver firewall rule group associations have tags. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-resolver-firewall-rule-group-association-tagged.html", + "last_updated": "2025-10-01T21:59:34.707385", + "services": [ + "route53resolver" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "route53-resolver-firewall-rule-group-tagged", + "service_name": "route53resolver", + "type": "MANAGED", + "description": "Checks if Amazon Route 53 Resolver firewall rule groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-resolver-firewall-rule-group-tagged.html", + "last_updated": "2025-10-01T21:59:34.904080", + "services": [ + "route53resolver" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "route53-resolver-resolver-rule-tagged", + "service_name": "route53resolver", + "type": "MANAGED", + "description": "Checks if Amazon Route 53 Resolver resolver rules have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/route53-resolver-resolver-rule-tagged.html", + "last_updated": "2025-10-01T21:59:35.098894", + "services": [ + "route53resolver" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "rum-app-monitor-tagged", + "service_name": "rum", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch RUM app monitors have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/rum-app-monitor-tagged.html", + "last_updated": "2025-10-01T21:59:35.300218", + "services": [ + "rum" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "s3-access-point-in-vpc-only", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if an Amazon S3 access point does not allow access from the internet (NetworkOrigin is VPC). The rule is NON_COMPLIANT if NetworkOrigin is Internet.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-access-point-in-vpc-only.html", + "last_updated": "2025-10-01T21:59:35.542856", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-access-point-public-access-blocks", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-access-point-public-access-blocks.html", + "last_updated": "2025-10-01T21:59:35.745501", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "excludedAccessPoints (Optional)" + }, + "description": { + "S": "Comma-separated list of names for allowed public Amazon S3 access points." + } + } + ] + }, + { + "rule_name": "s3-account-level-public-access-blocks", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks.html", + "last_updated": "2025-10-01T21:59:35.954743", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "IgnorePublicAcls (Optional)" + }, + "description": { + "S": "IgnorePublicAcls is enforced or not, default True" + } + }, + { + "name": { + "S": "BlockPublicPolicy (Optional)" + }, + "description": { + "S": "RestrictPublicBuckets is enforced or not, default True" + } + }, + { + "name": { + "S": "BlockPublicAcls (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "RestrictPublicBuckets (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-account-level-public-access-blocks-periodic", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLIANT if the configuration item does not match one or more settings from parameters (or default).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html", + "last_updated": "2025-10-01T21:59:36.165665", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "IgnorePublicAcls (Optional)" + }, + "description": { + "S": "IgnorePublicAcls is enforced or not, default True" + } + }, + { + "name": { + "S": "BlockPublicPolicy (Optional)" + }, + "description": { + "S": "BlockPublicAcls is enforced or not, default True" + } + }, + { + "name": { + "S": "BlockPublicAcls (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "RestrictPublicBuckets (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-acl-prohibited", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). The rule is NON_COMPLIANT if ACLs are configured for user access in Amazon S3 Buckets.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html", + "last_updated": "2025-10-01T21:59:36.362572", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-blacklisted-actions-prohibited", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.\n\t\t\t\tFor example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket.\n\t\t\t\tThe rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html", + "last_updated": "2025-10-01T21:59:36.571492", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "blacklistedActionPattern" + }, + "description": { + "S": "Comma-separated list of blacklisted action patterns, for example, s3:GetBucket* and s3:DeleteObject." + } + } + ] + }, + { + "rule_name": "s3-bucket-cross-region-replication-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if you have enabled S3 Cross-Region Replication for your Amazon S3 buckets. The rule is NON_COMPLIANT if there are no replication rules enabled for Cross-Region Replication.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-cross-region-replication-enabled.html", + "last_updated": "2025-10-01T21:59:36.788710", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-default-lock-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if the S3 bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-default-lock-enabled.html", + "last_updated": "2025-10-01T21:59:37.013653", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "mode (Optional)" + }, + "description": { + "S": "mode: (optional): A mode parameter with valid values of GOVERNANCE or COMPLIANCE." + } + } + ] + }, + { + "rule_name": "s3-bucket-level-public-access-prohibited", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if S3 buckets are publicly accessible. The rule is NON_COMPLIANT if an S3 bucket is not listed in the excludedPublicBuckets parameter and bucket level settings are public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html", + "last_updated": "2025-10-01T21:59:37.232613", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "excludedPublicBuckets (Optional)" + }, + "description": { + "S": "Comma-separated list of known allowed public Amazon S3 bucket names." + } + } + ] + }, + { + "rule_name": "s3-bucket-logging-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if logging is enabled for your S3 buckets. The rule is NON_COMPLIANT if logging is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html", + "last_updated": "2025-10-01T21:59:37.441591", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "targetBucket (Optional)" + }, + "description": { + "S": "Target S3 bucket for storing server access logs." + } + }, + { + "name": { + "S": "targetPrefix (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-mfa-delete-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-mfa-delete-enabled.html", + "last_updated": "2025-10-01T21:59:37.654011", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-policy-grantee-check", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-grantee-check.html", + "last_updated": "2025-10-01T21:59:37.862869", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "awsPrincipals (Optional)" + }, + "description": { + "S": "Comma-separated list of principals such as IAM User ARNs, IAM Role ARNs, and AWS accounts. You must provide the full ARN or use partial matching. For example, \"arn:aws:iam::AccountID:role/role_name\" o" + } + }, + { + "name": { + "S": "servicePrincipals (Optional)" + }, + "description": { + "S": "Comma-separated list of identity providers for web identity federation such as Amazon Cognito and SAML identity providers. For example 'cognito-identity.amazonaws.com, arn:aws:iam::111122223333:saml-p" + } + }, + { + "name": { + "S": "federatedUsers (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Virtual Private Clouds (Amazon VPC) IDs, for example 'vpc-1234abc0, vpc-ab1234c0'." + } + }, + { + "name": { + "S": "ipAddresses (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "vpcIds (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-policy-not-more-permissive", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if your Amazon Simple Storage Service bucket policies do not allow other inter-account permissions than the control Amazon S3 bucket policy that you provide.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-not-more-permissive.html", + "last_updated": "2025-10-01T21:59:38.072245", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "controlPolicy" + }, + "description": { + "S": "Amazon S3 bucket policy that defines an upper bound on the permissions of your S3 buckets. The policy can be a maximum of 1024 characters long." + } + } + ] + }, + { + "rule_name": "s3-bucket-public-read-prohibited", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited.html", + "last_updated": "2025-10-01T21:59:38.290045", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-public-write-prohibited", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html", + "last_updated": "2025-10-01T21:59:38.495470", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-replication-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if S3 buckets have replication rules enabled. The rule is NON_COMPLIANT if an S3 bucket does not have a replication rule or has a replication rule that is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-replication-enabled.html", + "last_updated": "2025-10-01T21:59:38.706180", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "ReplicationType (Optional)" + }, + "description": { + "S": "Accepted values: 'CROSS-REGION' and 'SAME-REGION'. Enter 'CROSS-REGION' for the rule to check that all buckets have only Cross-Region Replication enabled. Enter 'SAME-REGION' for the rule to check tha" + } + } + ] + }, + { + "rule_name": "s3-bucket-server-side-encryption-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if your Amazon S3 bucket either has the Amazon S3 default encryption enabled\nor that the Amazon S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.\nThe rule is NON_COMPLIANT if your Amazon S3 bucket is not encrypted by default.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html", + "last_updated": "2025-10-01T21:59:38.905585", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-ssl-requests-only", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if S3 buckets have policies that require requests to use SSL/TLS. The rule is NON_COMPLIANT if any S3 bucket has policies allowing HTTP requests.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html", + "last_updated": "2025-10-01T21:59:39.116489", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-bucket-tagged", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon S3 buckets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-tagged.html", + "last_updated": "2025-10-01T21:59:39.322238", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "s3-bucket-versioning-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-versioning-enabled.html", + "last_updated": "2025-10-01T21:59:39.520663", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "isMfaDeleteEnabled (Optional)" + }, + "description": { + "S": "MFA delete is enabled for your S3 buckets." + } + } + ] + }, + { + "rule_name": "s3-default-encryption-kms", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if the S3 buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the S3 bucket is not encrypted with an AWS KMS key.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-default-encryption-kms.html", + "last_updated": "2025-10-01T21:59:39.737118", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma separated list of AWS KMS key ARNs allowed for encrypting Amazon S3 Buckets." + } + } + ] + }, + { + "rule_name": "s3-event-notifications-enabled", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-event-notifications-enabled.html", + "last_updated": "2025-10-01T21:59:39.943201", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "destinationArn (Optional)" + }, + "description": { + "S": "The Amazon Resource Name (ARN) of the destination for the event notification (Amazon SNS topic, AWS Lambda, Amazon SQS Queue)." + } + }, + { + "name": { + "S": "eventTypes (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-last-backup-recovery-point-created", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3). The rule is NON_COMPLIANT if the Amazon S3 bucket does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:59:40.173677", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon S3 bucket for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-lifecycle-policy-check", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there is no active lifecycle configuration rules or the configuration does not match with the parameter values.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-lifecycle-policy-check.html", + "last_updated": "2025-10-01T21:59:40.371978", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "targetTransitionDays (Optional)" + }, + "description": { + "S": "Number of days after object creation when objects are transitioned to a specified storage class (for example, 30 days)." + } + }, + { + "name": { + "S": "targetExpirationDays (Optional)" + }, + "description": { + "S": "Destination storage class type.\nFor example, Amazon S3 Standard-Infrequent Access (S3 Standard-IA). For more information, see Understanding and managing Amazon S3 storage classes." + } + }, + { + "name": { + "S": "targetTransitionStorageClass (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon S3 bucket names that have lifecycle policy enabled." + } + }, + { + "name": { + "S": "targetPrefix (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "bucketNames (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-meets-restore-time-target", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if the restore time of Amazon Simple Storage Service (Amazon S3) buckets meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon S3 bucket is greater than maxRestoreTime minutes.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-meets-restore-time-target.html", + "last_updated": "2025-10-01T21:59:40.560231", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "maxRestoreTime" + }, + "description": { + "S": "Numerical value for the maximum allowed restore runtime." + } + }, + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Name of Amazon S3 bucket for the rule to check." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-resources-in-logically-air-gapped-vault", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon Simple Storage Service (Amazon S3) buckets are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon S3 bucket is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:59:40.765123", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Amazon S3 bucket for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-resources-protected-by-backup-plan", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon S3 bucket is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:59:40.967774", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for Amazon S3 buckets for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "s3-version-lifecycle-policy-check", + "service_name": "s3", + "type": "MANAGED", + "description": "Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. The rule is NON_COMPLIANT if Amazon S3 lifecycle policy is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-version-lifecycle-policy-check.html", + "last_updated": "2025-10-01T21:59:41.173087", + "services": [ + "s3" + ], + "parameters": [ + { + "name": { + "S": "bucketNames (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon S3 bucket names that have lifecycle policy enabled." + } + } + ] + }, + { + "rule_name": "s3express-dir-bucket-lifecycle-rules-check", + "service_name": "s3express", + "type": "MANAGED", + "description": "Checks if lifecycle rules are configured for an Amazon S3 Express directory bucket. The rule is NON_COMPLIANT if there is no active lifecycle configuration rules or the configuration does not match with the parameter values.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/s3express-dir-bucket-lifecycle-rules-check.html", + "last_updated": "2025-10-01T21:59:41.400935", + "services": [ + "s3express" + ], + "parameters": [ + { + "name": { + "S": "targetExpirationDays (Optional)" + }, + "description": { + "S": "Number of days after creation when objects are deleted from Amazon S3 Express directory buckets." + } + } + ] + }, + { + "rule_name": "sagemaker-app-image-config-tagged", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if Amazon SageMaker app image configs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-app-image-config-tagged.html", + "last_updated": "2025-10-01T21:59:41.612478", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "sagemaker-domain-in-vpc", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if an Amazon SageMaker domain uses a customer owned Amazon Virtual Private Cloud (VPC) for non-EFS traffic. The rule is NON_COMPLIANT if configuration.AppNetworkAccessType is not set to VpcOnly.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-domain-in-vpc.html", + "last_updated": "2025-10-01T21:59:41.816654", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sagemaker-domain-tagged", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if Amazon SageMaker domains have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-domain-tagged.html", + "last_updated": "2025-10-01T21:59:42.022261", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "sagemaker-endpoint-config-prod-instance-count", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if Amazon SageMaker endpoint configurations have production variants `InitialInstanceCount` set to a value greater than 1. The rule is NON_COMPLIANT if production variants `InitialInstanceCount` is equal to 1.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-config-prod-instance-count.html", + "last_updated": "2025-10-01T21:59:42.224261", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sagemaker-endpoint-configuration-kms-key-configured", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the Amazon SageMaker endpoint configuration.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-configuration-kms-key-configured.html", + "last_updated": "2025-10-01T21:59:42.434375", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of specific AWS KMS key ARNs allowed for an Amazon SageMaker endpoint configuration." + } + } + ] + }, + { + "rule_name": "sagemaker-feature-group-tagged", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if Amazon SageMaker feature groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-feature-group-tagged.html", + "last_updated": "2025-10-01T21:59:42.660005", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "sagemaker-image-description", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if Amazon SageMaker images have a description. The rule is NON_COMPLIANT if configuration.ImageDescription does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-image-description.html", + "last_updated": "2025-10-01T21:59:42.893266", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sagemaker-image-tagged", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if Amazon SageMaker images have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-image-tagged.html", + "last_updated": "2025-10-01T21:59:43.110385", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "sagemaker-model-in-vpc", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if an Amazon SageMaker model uses an Amazon Virtual Private Cloud (Amazon VPC) for container traffic. The rule is NON_COMPLIANT if configuration.VpcConfig does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-model-in-vpc.html", + "last_updated": "2025-10-01T21:59:43.320368", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sagemaker-model-isolation-enabled", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if an Amazon SageMaker model has network isolation enabled. The rule is NON_COMPLIANT if configuration.EnableNetworkIsolation is false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-model-isolation-enabled.html", + "last_updated": "2025-10-01T21:59:43.516677", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sagemaker-notebook-instance-inside-vpc", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if an Amazon SageMaker notebook instance is launched within a VPC or within a list of approved subnets. The rule is NON_COMPLIANT if a notebook instance is not launched within a VPC or if its subnet ID is not included in the parameter list.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-inside-vpc.html", + "last_updated": "2025-10-01T21:59:43.703057", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "SubnetIds (Optional)" + }, + "description": { + "S": "Comma-separated list of subnet IDs that notebook instances can be launched in." + } + } + ] + }, + { + "rule_name": "sagemaker-notebook-instance-kms-key-configured", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the SageMaker notebook instance.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html", + "last_updated": "2025-10-01T21:59:43.898801", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of AWS KMS key ARNs allowed for an Amazon SageMaker notebook instance." + } + } + ] + }, + { + "rule_name": "sagemaker-notebook-instance-platform-version", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if a Sagemaker Notebook Instance is configured to use a supported platform identifier version. The rule is NON_COMPLIANT if a Notebook Instance is not using the specified supported platform identifier version as specified in the parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-platform-version.html", + "last_updated": "2025-10-01T21:59:44.095880", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "supportedPlatformIdentifierVersions" + }, + "description": { + "S": "Comma-separated list of the supported platform identifier version for the rule to check." + } + } + ] + }, + { + "rule_name": "sagemaker-notebook-instance-root-access-check", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if the Amazon SageMaker RootAccess setting is enabled for Amazon SageMaker notebook instances. The rule is NON_COMPLIANT if the RootAccess setting is set to \u2018Enabled\u2019 for an Amazon SageMaker notebook instance.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-root-access-check.html", + "last_updated": "2025-10-01T21:59:44.304768", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sagemaker-notebook-no-direct-internet-access", + "service_name": "sagemaker", + "type": "MANAGED", + "description": "Checks if direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if a SageMaker notebook instance is internet-enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html", + "last_updated": "2025-10-01T21:59:44.494750", + "services": [ + "sagemaker" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "secretsmanager-rotation-enabled-check", + "service_name": "secretsmanager", + "type": "MANAGED", + "description": "Checks if AWS Secrets Manager secret has rotation enabled. The rule also checks an optional maximumAllowedRotationFrequency parameter.\n\t\t\t\tIf the parameter is specified, the rotation frequency of the secret is compared with the maximum allowed frequency.\n\t\t\t\tThe rule is NON_COMPLIANT if the secret is not scheduled for rotation.\n\t\t\t\tThe rule is also NON_COMPLIANT if the rotation frequency is higher than the number specified in the maximumAllowedRotationFrequency parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html", + "last_updated": "2025-10-01T21:59:44.699441", + "services": [ + "secretsmanager" + ], + "parameters": [ + { + "name": { + "S": "maximumAllowedRotationFrequency (Optional)" + }, + "description": { + "S": "Maximum allowed rotation frequency of the secret in days." + } + }, + { + "name": { + "S": "maximumAllowedRotationFrequencyInHours (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "secretsmanager-scheduled-rotation-success-check", + "service_name": "secretsmanager", + "type": "MANAGED", + "description": "Checks if AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-scheduled-rotation-success-check.html", + "last_updated": "2025-10-01T21:59:44.896348", + "services": [ + "secretsmanager" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "secretsmanager-secret-periodic-rotation", + "service_name": "secretsmanager", + "type": "MANAGED", + "description": "Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-periodic-rotation.html", + "last_updated": "2025-10-01T21:59:45.091280", + "services": [ + "secretsmanager" + ], + "parameters": [ + { + "name": { + "S": "maxDaysSinceRotation (Optional)" + }, + "description": { + "S": "Maximum number of days in which a secret can remain unchanged. The default value is 90 days." + } + } + ] + }, + { + "rule_name": "secretsmanager-secret-unused", + "service_name": "secretsmanager", + "type": "MANAGED", + "description": "Checks if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-unused.html", + "last_updated": "2025-10-01T21:59:45.291062", + "services": [ + "secretsmanager" + ], + "parameters": [ + { + "name": { + "S": "unusedForDays (Optional)" + }, + "description": { + "S": "The number of days in which a secret can remain unused. The default value is 90 days." + } + } + ] + }, + { + "rule_name": "secretsmanager-using-cmk", + "service_name": "secretsmanager", + "type": "MANAGED", + "description": "Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager)\n or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is COMPLIANT if a secret is encrypted using a customer managed key.\n This rule is NON_COMPLIANT if a secret is encrypted using aws/secretsmanager.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html", + "last_updated": "2025-10-01T21:59:45.489134", + "services": [ + "secretsmanager" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyArns (Optional)" + }, + "description": { + "S": "Comma-separated list of KMS key Amazon Resource Names (ARNs) to check if the keys are used in the encryption." + } + } + ] + }, + { + "rule_name": "security-account-information-provided", + "service_name": "security", + "type": "MANAGED", + "description": "Checks if you have provided security contact information for your AWS account contacts. The rule is NON_COMPLIANT if security contact information within the account is not provided.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/security-account-information-provided.html", + "last_updated": "2025-10-01T21:59:45.684339", + "services": [ + "security" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "securityhub-enabled", + "service_name": "securityhub", + "type": "MANAGED", + "description": "Checks if AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/securityhub-enabled.html", + "last_updated": "2025-10-01T21:59:45.900476", + "services": [ + "securityhub" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "service-catalog-portfolio-tagged", + "service_name": "servicecatalog", + "type": "MANAGED", + "description": "Checks if AWS Service Catalog portfolio resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/service-catalog-portfolio-tagged.html", + "last_updated": "2025-10-01T21:59:46.106921", + "services": [ + "servicecatalog" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "service-catalog-shared-within-organization", + "service_name": "servicecatalog", + "type": "MANAGED", + "description": "Checks if AWS Service Catalog shares portfolios to an organization (a collection of AWS accounts treated as a single unit) when integration is enabled with AWS Organizations. The rule is NON_COMPLIANT if the `Type` value of a share is `ACCOUNT`.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/service-catalog-shared-within-organization.html", + "last_updated": "2025-10-01T21:59:46.297244", + "services": [ + "servicecatalog" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "service-vpc-endpoint-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Service Endpoint for the service provided in rule parameter is created for each Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an Amazon VPC doesn't have an Amazon VPC endpoint created for the service.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/service-vpc-endpoint-enabled.html", + "last_updated": "2025-10-01T21:59:46.516053", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "serviceName" + }, + "description": { + "S": "The short name or suffix for the service. Note: To get a list of available service names or valid suffix list, use DescribeVpcEndpointServices." + } + } + ] + }, + { + "rule_name": "ses-malware-scanning-enabled", + "service_name": "ses", + "type": "MANAGED", + "description": "Checks if malware and spam scanning on receiving messages is enabled for Amazon Simple Email Service (Amazon SES). The rule is NON_COMPLIANT if malware and spam scanning is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ses-malware-scanning-enabled.html", + "last_updated": "2025-10-01T21:59:46.724967", + "services": [ + "ses" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "shield-advanced-enabled-autorenew", + "service_name": "shield", + "type": "MANAGED", + "description": "Checks if AWS Shield Advanced is enabled in your AWS account and this subscription is set to automatically renew. The rule is COMPLIANT if Shield Advanced is enabled and auto renew is enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/shield-advanced-enabled-autorenew.html", + "last_updated": "2025-10-01T21:59:46.927162", + "services": [ + "shield" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "shield-drt-access", + "service_name": "shield", + "type": "MANAGED", + "description": "Checks if the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/shield-drt-access.html", + "last_updated": "2025-10-01T21:59:47.159659", + "services": [ + "shield" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sns-encrypted-kms", + "service_name": "sns", + "type": "MANAGED", + "description": "Checks if SNS topics are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if an SNS topic is not encrypted with AWS KMS. Optionally, specify the key ARNs, the alias ARNs, the alias name, or the key IDs for the rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html", + "last_updated": "2025-10-01T21:59:47.351738", + "services": [ + "sns" + ], + "parameters": [ + { + "name": { + "S": "kmsKeyIds (Optional)" + }, + "description": { + "S": "Comma-separated list of AWS KMS key Amazon Resource Names (ARNs), KMS alias ARNs, KMS alias names, or KMS key IDs for the rule to check." + } + } + ] + }, + { + "rule_name": "sns-topic-message-delivery-notification-enabled", + "service_name": "sns", + "type": "MANAGED", + "description": "Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-message-delivery-notification-enabled.html", + "last_updated": "2025-10-01T21:59:47.546497", + "services": [ + "sns" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sns-topic-no-public-access", + "service_name": "sns", + "type": "MANAGED", + "description": "Checks if the SNS topic access policy allows public access. The rule is NON_COMPLIANT if the SNS topic access policy allows public access.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-no-public-access.html", + "last_updated": "2025-10-01T21:59:47.745930", + "services": [ + "sns" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sqs-queue-dlq-check", + "service_name": "sqs", + "type": "MANAGED", + "description": "Checks if Amazon Simple Queue Service (Amazon SQS) queues have configuration to use dead-letter queue (DLQ). The rule is NON_COMPLIANT if an Amazon SQS queue does not have any configuration to use DLQ.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sqs-queue-dlq-check.html", + "last_updated": "2025-10-01T21:59:47.968406", + "services": [ + "sqs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sqs-queue-no-public-access", + "service_name": "sqs", + "type": "MANAGED", + "description": "Checks if the SQS queue access policy allows public access. The rule is NON_COMPLIANT if the SQS queue access policy allows public access.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sqs-queue-no-public-access.html", + "last_updated": "2025-10-01T21:59:48.156301", + "services": [ + "sqs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "sqs-queue-policy-full-access-check", + "service_name": "sqs", + "type": "MANAGED", + "description": "Checks if the SQS queue access policy allows full access. The rule is NON_COMPLIANT if the SQS policy contains `SQS:*` within `Action` and `Effect` is `Allow`.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/sqs-queue-policy-full-access-check.html", + "last_updated": "2025-10-01T21:59:48.354712", + "services": [ + "sqs" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ssm-automation-block-public-sharing", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if AWS Systems Manager Documents has block public sharing enabled. The rule is NON_COMPLIANT if Systems Manager Documents has block public sharing disabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ssm-automation-block-public-sharing.html", + "last_updated": "2025-10-01T21:59:48.559242", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ssm-automation-logging-enabled", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if AWS Systems Manager Automation has Amazon CloudWatch logging enabled. The rule returns NON_COMPLIANT if Systems Manager Automation doesn't have CloudWatch logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ssm-automation-logging-enabled.html", + "last_updated": "2025-10-01T21:59:48.747263", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ssm-document-not-public", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if AWS Systems Manager documents owned by the account are public. The rule is NON_COMPLIANT if Systems Manager documents with the owner 'Self' are public.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-not-public.html", + "last_updated": "2025-10-01T21:59:48.944428", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "ssm-document-tagged", + "service_name": "ssm", + "type": "MANAGED", + "description": "Checks if AWS Systems Manager documents have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-tagged.html", + "last_updated": "2025-10-01T21:59:49.141393", + "services": [ + "ssm" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "step-functions-state-machine-logging-enabled", + "service_name": "stepfunctions", + "type": "MANAGED", + "description": "Checks if AWS Step Functions machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/step-functions-state-machine-logging-enabled.html", + "last_updated": "2025-10-01T21:59:49.350335", + "services": [ + "stepfunctions" + ], + "parameters": [ + { + "name": { + "S": "cloudWatchLogGroupArns (Optional)" + }, + "description": { + "S": "Comma-separated list of Amazon Resource Names (ARNs) for Amazon CloudWatch Logs log groups. The rule checks if the specified log groups are configured for your state machine logs." + } + }, + { + "name": { + "S": "logLevel (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "stepfunctions-state-machine-tagged", + "service_name": "stepfunctions", + "type": "MANAGED", + "description": "Checks if AWS Step Functions state machines have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/stepfunctions-state-machine-tagged.html", + "last_updated": "2025-10-01T21:59:49.557331", + "services": [ + "stepfunctions" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "storagegateway-last-backup-recovery-point-created", + "service_name": "storagegateway", + "type": "MANAGED", + "description": "Checks if a recovery point was created for AWS Storage Gateway volumes. The rule is NON_COMPLIANT if the Storage Gateway volume does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/storagegateway-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:59:49.758489", + "services": [ + "storagegateway" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Storage Gateway volumes for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "storagegateway-resources-in-logically-air-gapped-vault", + "service_name": "storagegateway", + "type": "MANAGED", + "description": "Checks if AWS Storage Gateway volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Storage Gateway volume is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/storagegateway-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:59:49.957631", + "services": [ + "storagegateway" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of Storage Gateway volumes for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "storagegateway-resources-protected-by-backup-plan", + "service_name": "storagegateway", + "type": "MANAGED", + "description": "Checks if AWS Storage Gateway volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Storage Gateway volume is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/storagegateway-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:59:50.163588", + "services": [ + "storagegateway" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for Storage Gateway Volumes for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "subnet-auto-assign-public-ip-disabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address.\n The rule is COMPLIANT if Amazon VPC does not have subnets that are assigned a public IP address.\n The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html", + "last_updated": "2025-10-01T21:59:50.364700", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "transfer-agreement-description", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family agreements have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-agreement-description.html", + "last_updated": "2025-10-01T21:59:50.568275", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "transfer-agreement-tagged", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family agreements have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-agreement-tagged.html", + "last_updated": "2025-10-01T21:59:50.772178", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "transfer-certificate-description", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family certificates have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-certificate-description.html", + "last_updated": "2025-10-01T21:59:50.973918", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "transfer-certificate-tagged", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family certificates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-certificate-tagged.html", + "last_updated": "2025-10-01T21:59:51.184712", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "transfer-connector-logging-enabled", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family Connector publishes logs to Amazon CloudWatch. The rule is NON_COMPLIANT if a Connector does not have a LoggingRole assigned.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-connector-logging-enabled.html", + "last_updated": "2025-10-01T21:59:51.510129", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "transfer-connector-tagged", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family connectors have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-connector-tagged.html", + "last_updated": "2025-10-01T21:59:51.698682", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "transfer-family-server-no-ftp", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if a server created with AWS Transfer Family uses FTP for endpoint connection. The rule is NON_COMPLIANT if the server protocol for endpoint connection is FTP-enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-family-server-no-ftp.html", + "last_updated": "2025-10-01T21:59:51.928645", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "transfer-profile-tagged", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-profile-tagged.html", + "last_updated": "2025-10-01T21:59:52.130811", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "transfer-workflow-description", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family workflows have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-workflow-description.html", + "last_updated": "2025-10-01T21:59:52.320122", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "transfer-workflow-tagged", + "service_name": "transfer", + "type": "MANAGED", + "description": "Checks if AWS Transfer Family workflows have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-workflow-tagged.html", + "last_updated": "2025-10-01T21:59:52.528539", + "services": [ + "transfer" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "virtualmachine-last-backup-recovery-point-created", + "service_name": "backupgateway", + "type": "MANAGED", + "description": "Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachines does not have a corresponding recovery point created within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-last-backup-recovery-point-created.html", + "last_updated": "2025-10-01T21:59:52.742074", + "services": [ + "backupgateway" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of AWS Backup-Gateway VirtualMachines for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 744 for hours, 31 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "virtualmachine-resources-in-logically-air-gapped-vault", + "service_name": "backupgateway", + "type": "MANAGED", + "description": "Checks if AWS Backup-Gateway VirtualMachines are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachines is not in a logically air-gapped vault within the specified time period.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-resources-in-logically-air-gapped-vault.html", + "last_updated": "2025-10-01T21:59:52.946909", + "services": [ + "backupgateway" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags of AWS Backup-Gateway VirtualMachines for the rule to check, in JSON format." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days." + } + }, + { + "name": { + "S": "recoveryPointAgeValue (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "recoveryPointAgeUnit (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "virtualmachine-resources-protected-by-backup-plan", + "service_name": "backupgateway", + "type": "MANAGED", + "description": "Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan. The rule is NON_COMPLIANT if the Backup-Gateway VirtualMachine is not covered by a backup plan.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/virtualmachine-resources-protected-by-backup-plan.html", + "last_updated": "2025-10-01T21:59:53.159942", + "services": [ + "backupgateway" + ], + "parameters": [ + { + "name": { + "S": "resourceTags (Optional)" + }, + "description": { + "S": "Tags for AWS Backup-Gateway VirtualMachines for the rule to check, in JSON format {\"tagkey\" : \"tagValue\"}." + } + }, + { + "name": { + "S": "resourceId (Optional)" + }, + "description": { + "S": "Comma-separated list of destination regions for the cross-region backup copy to be kept" + } + }, + { + "name": { + "S": "crossRegionList (Optional)" + }, + "description": { + "S": "The maximum retention period in days for the Backup Vault Lock" + } + }, + { + "name": { + "S": "crossAccountList (Optional)" + }, + "description": { + "S": "Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault" + } + }, + { + "name": { + "S": "maxRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "minRetentionDays (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "backupVaultLockCheck (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-default-security-group-closed", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if the default security group of any Amazon Virtual Private Cloud (Amazon VPC) does not allow inbound or outbound traffic. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic rules.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html", + "last_updated": "2025-10-01T21:59:53.378044", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-endpoint-enabled", + "service_name": "sns", + "type": "MANAGED", + "description": "Checks if each service specified in the parameter has an Amazon VPC endpoint. The rule is NON_COMPLIANT if Amazon VPC does not have a VPC endpoint created for each specified service. Optionally, you can specify certain VPCs for the rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-endpoint-enabled.html", + "last_updated": "2025-10-01T21:59:53.607898", + "services": [ + "sns", + "ec2" + ], + "parameters": [ + { + "name": { + "S": "serviceNames" + }, + "description": { + "S": "Comma-separated list of service names or endpoints. Example: \"access-analyzer, appconfig, cloudtrail\" or \"com.amazonaws.region.access-analyzer\". Use DescribeVpcEndpointServices for available names." + } + }, + { + "name": { + "S": "vpcIds (Optional)" + }, + "description": { + "S": "Comma-separated list of AWS Config resource types for the rule to check. If specified, the rule returns a compliance status only if at least one specified resource is recorded in the account. For exam" + } + }, + { + "name": { + "S": "scopeConfigResourceTypes (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-endpoint-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if each service specified in the parameter has an Amazon VPC endpoint. The rule is NON_COMPLIANT if Amazon VPC does not have a VPC endpoint created for each specified service. Optionally, you can specify certain VPCs for the rule to check.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-endpoint-enabled.html", + "last_updated": "2025-10-01T21:59:53.607908", + "services": [ + "sns", + "ec2" + ], + "parameters": [ + { + "name": { + "S": "serviceNames" + }, + "description": { + "S": "Comma-separated list of service names or endpoints. Example: \"access-analyzer, appconfig, cloudtrail\" or \"com.amazonaws.region.access-analyzer\". Use DescribeVpcEndpointServices for available names." + } + }, + { + "name": { + "S": "vpcIds (Optional)" + }, + "description": { + "S": "Comma-separated list of AWS Config resource types for the rule to check. If specified, the rule returns a compliance status only if at least one specified resource is recorded in the account. For exam" + } + }, + { + "name": { + "S": "scopeConfigResourceTypes (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-flow-logs-enabled", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if Amazon Virtual Private Cloud (Amazon VPC) flow logs are found and enabled for all Amazon VPCs. The rule is NON_COMPLIANT if flow logs are not enabled for at least one Amazon VPC.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html", + "last_updated": "2025-10-01T21:59:53.854507", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "trafficType (Optional)" + }, + "description": { + "S": "TrafficType of flow logs" + } + } + ] + }, + { + "rule_name": "vpc-network-acl-unused-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if there are unused network access control lists (network ACLs). The rule is COMPLIANT if each network ACL is associated with a subnet. The rule is NON_COMPLIANT if a network ACL is not associated with a subnet.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-network-acl-unused-check.html", + "last_updated": "2025-10-01T21:59:54.062160", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-peering-dns-resolution-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if DNS resolution from accepter/requester VPC to private IP is enabled. The rule is NON_COMPLIANT if DNS resolution from accepter/requester VPC to private IP is not enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-peering-dns-resolution-check.html", + "last_updated": "2025-10-01T21:59:54.266321", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "vpcIds (Optional)" + }, + "description": { + "S": "Comma-separated list of VPC IDs to be checked." + } + } + ] + }, + { + "rule_name": "vpc-sg-open-only-to-authorized-ports", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if security groups allowing unrestricted incoming traffic ('0.0.0.0/0' or '::/0') only allow inbound TCP or UDP connections on authorized ports. The rule is NON_COMPLIANT if such security groups do not have ports specified in the rule parameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html", + "last_updated": "2025-10-01T21:59:54.474183", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "authorizedTcpPorts (Optional)" + }, + "description": { + "S": "Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0 or ::/0. Ranges are defined by dash, for example, \"443,1020-1025\"." + } + }, + { + "name": { + "S": "authorizedUdpPorts (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-sg-port-restriction-check", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks if security groups restrict incoming traffic to restricted ports explicitly from 0.0.0.0/0 or ::/0. The rule is NON_COMPLIANT if security groups allow incoming traffic from 0.0.0.0/0 or ::/0 over TCP/UDP ports 22/3389 or as specified in parameters.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-port-restriction-check.html", + "last_updated": "2025-10-01T21:59:54.677717", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "restrictPorts (Optional)" + }, + "description": { + "S": "Comma-separated list of ports that should not be open for incoming traffic over the full IP range. Valid port numbers range from 0 to 65535. If not specified, the rule defaults to check for 22 and 338" + } + }, + { + "name": { + "S": "protocolType (Optional)" + }, + "description": { + "S": "Boolean flag to exclude the evaluation of external security groups. If set to 'true', the rule will not include external security groups in the evaluation. Otherwise, all security groups are evaluated" + } + }, + { + "name": { + "S": "excludeExternalSecurityGroups (Optional)" + }, + "description": { + "S": "" + } + }, + { + "name": { + "S": "ipType (Optional)" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "vpc-vpn-2-tunnels-up", + "service_name": "ec2", + "type": "MANAGED", + "description": "Checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/vpc-vpn-2-tunnels-up.html", + "last_updated": "2025-10-01T21:59:54.876729", + "services": [ + "ec2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "waf-classic-logging-enabled", + "service_name": "waf", + "type": "MANAGED", + "description": "Checks if logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-classic-logging-enabled.html", + "last_updated": "2025-10-01T21:59:55.085582", + "services": [ + "waf" + ], + "parameters": [ + { + "name": { + "S": "KinesisFirehoseDeliveryStreamArns (Optional)" + }, + "description": { + "S": "Comma separated list of Amazon Kinesis stream ARN for AWS WAF logs." + } + } + ] + }, + { + "rule_name": "waf-global-rule-not-empty", + "service_name": "waf", + "type": "MANAGED", + "description": "Checks if an AWS WAF global rule contains any conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rule-not-empty.html", + "last_updated": "2025-10-01T21:59:55.294941", + "services": [ + "waf" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "waf-global-rulegroup-not-empty", + "service_name": "waf", + "type": "MANAGED", + "description": "Checks if an AWS WAF Classic rule group contains any rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rulegroup-not-empty.html", + "last_updated": "2025-10-01T21:59:55.489366", + "services": [ + "waf" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "waf-global-webacl-not-empty", + "service_name": "waf", + "type": "MANAGED", + "description": "Checks whether a WAF Global Web ACL contains any WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-global-webacl-not-empty.html", + "last_updated": "2025-10-01T21:59:55.701934", + "services": [ + "waf" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "waf-regional-rule-not-empty", + "service_name": "wafregional", + "type": "MANAGED", + "description": "Checks whether WAF regional rule contains conditions. This rule is COMPLIANT if the regional rule contains at least one condition and NON_COMPLIANT otherwise.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rule-not-empty.html", + "last_updated": "2025-10-01T21:59:55.906269", + "services": [ + "wafregional" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "waf-regional-rulegroup-not-empty", + "service_name": "wafregional", + "type": "MANAGED", + "description": "Checks if WAF Regional rule groups contain any rules. The rule is NON_COMPLIANT if there are no rules present within a WAF Regional rule group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rulegroup-not-empty.html", + "last_updated": "2025-10-01T21:59:56.123791", + "services": [ + "wafregional" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "waf-regional-webacl-not-empty", + "service_name": "wafregional", + "type": "MANAGED", + "description": "Checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is NON_COMPLIANT if there are no WAF rules or rule groups present within a Web ACL.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-webacl-not-empty.html", + "last_updated": "2025-10-01T21:59:56.346368", + "services": [ + "wafregional" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "wafv2-logging-enabled", + "service_name": "wafv2", + "type": "MANAGED", + "description": "Checks if logging is enabled on AWS WAFv2 regional and global web access control lists (web ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html", + "last_updated": "2025-10-01T21:59:56.549286", + "services": [ + "wafv2" + ], + "parameters": [ + { + "name": { + "S": "KinesisFirehoseDeliveryStreamArns (Optional)" + }, + "description": { + "S": "Comma separated list of Kinesis Firehose delivery stream ARNs" + } + } + ] + }, + { + "rule_name": "wafv2-rulegroup-logging-enabled", + "service_name": "wafv2", + "type": "MANAGED", + "description": "Checks if Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/wafv2-rulegroup-logging-enabled.html", + "last_updated": "2025-10-01T21:59:56.748064", + "services": [ + "wafv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "wafv2-rulegroup-not-empty", + "service_name": "wafv2", + "type": "MANAGED", + "description": "Checks if WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/wafv2-rulegroup-not-empty.html", + "last_updated": "2025-10-01T21:59:56.949109", + "services": [ + "wafv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "wafv2-webacl-not-empty", + "service_name": "wafv2", + "type": "MANAGED", + "description": "Checks if a WAFv2 Web ACL contains any WAF rules or WAF rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/wafv2-webacl-not-empty.html", + "last_updated": "2025-10-01T21:59:57.144289", + "services": [ + "wafv2" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "workspaces-connection-alias-tagged", + "service_name": "workspaces", + "type": "MANAGED", + "description": "Checks if Amazon WorkSpaces connection aliases have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/workspaces-connection-alias-tagged.html", + "last_updated": "2025-10-01T21:59:57.340672", + "services": [ + "workspaces" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + }, + { + "rule_name": "workspaces-root-volume-encryption-enabled", + "service_name": "workspaces", + "type": "MANAGED", + "description": "Checks if an Amazon WorkSpace volume has the root volume encryption settings set to enabled. This rule is NON_COMPLIANT if the encryption setting is not enabled for the root volume.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/workspaces-root-volume-encryption-enabled.html", + "last_updated": "2025-10-01T21:59:57.541738", + "services": [ + "workspaces" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "workspaces-user-volume-encryption-enabled", + "service_name": "workspaces", + "type": "MANAGED", + "description": "Checks if an Amazon WorkSpace volume has the user volume encryption settings set to enabled. This rule is NON_COMPLIANT if the encryption setting is not enabled for the user volume.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/workspaces-user-volume-encryption-enabled.html", + "last_updated": "2025-10-01T21:59:57.745904", + "services": [ + "workspaces" + ], + "parameters": [ + { + "name": { + "S": "None" + }, + "description": { + "S": "" + } + } + ] + }, + { + "rule_name": "workspaces-workspace-tagged", + "service_name": "workspaces", + "type": "MANAGED", + "description": "Checks if Amazon WorkSpaces workspaces have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.", + "documentation_url": "https://docs.aws.amazon.com/config/latest/developerguide/workspaces-workspace-tagged.html", + "last_updated": "2025-10-01T21:59:57.954525", + "services": [ + "workspaces" + ], + "parameters": [ + { + "name": { + "S": "requiredKeyTags (Optional)" + }, + "description": { + "S": "Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting wit" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/config-rules/load_config_rules.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/config-rules/load_config_rules.py new file mode 100755 index 00000000..570f7c35 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/config-rules/load_config_rules.py @@ -0,0 +1,293 @@ +#!/usr/bin/env python3 +""" +Load AWS Config Managed Rules from documentation to DynamoDB +""" + +import boto3 +import json +import os +import re +import requests +from bs4 import BeautifulSoup +from typing import List, Dict +from datetime import datetime + +# Configuration +TABLE_NAME = 'gensec-AWSConfigManagedRules' +REGION = 'us-east-1' + +def extract_services_from_resource_types(resource_types: List[str]) -> List[str]: + """Extract AWS service names from resource types""" + services = set() + + for rt in resource_types: + if '::' in rt and rt.startswith('AWS::'): + # Extract service from AWS::ServiceName::ResourceType + parts = rt.split('::') + if len(parts) >= 2: + service_name = parts[1].lower() + services.add(service_name) + + return list(services) if services else ['global'] + +def extract_service_from_rule_name(rule_name: str) -> str: + """Extract AWS service name from Config rule name using patterns""" + # Extract first part before dash as service name + parts = rule_name.split('-') + if len(parts) > 1: + return parts[0] + return 'global' + +def extract_rule_details(rule_name: str) -> Dict: + """Extract detailed information from individual rule documentation page""" + url = f"https://docs.aws.amazon.com/config/latest/developerguide/{rule_name}.html" + headers = { + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36' + } + + try: + response = requests.get(url, headers=headers, timeout=10) + if response.status_code != 200: + return {} + + soup = BeautifulSoup(response.content, 'html.parser') + + details = { + 'documentation_url': url, + 'type': 'MANAGED', + 'parameters': [], + 'resource_types': [] + } + + # Extract description from first paragraph + first_p = soup.find('p') + if first_p: + details['description'] = first_p.get_text().strip()[:500] # Limit length + + # Extract resource types - look for the pattern after "Resource Types:" + resource_types = re.findall(r'AWS::[A-Za-z0-9]+::[A-Za-z0-9]+', soup.get_text()) + if resource_types: + details['resource_types'] = list(set(resource_types)) # Remove duplicates + + # Extract parameters + params_section = soup.find(string=re.compile(r'Parameters?:')) + if params_section: + params_parent = params_section.parent + if params_parent: + # Look for parameter definitions in the following content + dl_elem = params_parent.find_next('dl') + if dl_elem: + param_terms = dl_elem.find_all('dt') + param_descs = dl_elem.find_all('dd') + + for i, term in enumerate(param_terms): + if 'Type:' not in term.get_text() and 'Default:' not in term.get_text(): + param_name = term.get_text().strip() + param_desc = param_descs[i].get_text().strip() if i < len(param_descs) else "" + + details['parameters'].append({ + 'name': param_name, + 'description': param_desc[:200] # Limit length + }) + + return details + + except Exception as e: + print(f"Error extracting details for {rule_name}: {str(e)}") + return {} + +def extract_rules_from_documentation(): + """Extract AWS Config managed rules from documentation""" + url = "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + headers = { + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36' + } + + try: + response = requests.get(url, headers=headers, timeout=30) + response.raise_for_status() + + soup = BeautifulSoup(response.content, 'html.parser') + rule_names = set() + + # Extract rules from documentation elements + elements = soup.find_all(['code', 'pre', 'tt', 'td', 'th', 'li']) + for element in elements: + text = element.get_text() + matches = re.findall(r'\b([a-z][a-z0-9]*(?:-[a-z0-9]+)+)\b', text.lower()) + for match in matches: + if (5 <= len(match) <= 80 and + match.count('-') >= 1 and + not match.startswith('-') and + not match.endswith('-')): + rule_names.add(match) + + # Filter to valid AWS Config rules + valid_rules = [] + for rule in rule_names: + if (any(rule.endswith(suffix) for suffix in ['-check', '-enabled', '-required', '-prohibited', '-tagged', '-encrypted', '-compliance', '-validation', '-configured', '-disabled']) or + rule in ['instances-in-vpc', 'restricted-ssh', 'restricted-common-ports', 'access-keys-rotated'] or + re.match(r'^[a-z]+[0-9]*-[a-z0-9-]+$', rule)): + valid_rules.append(rule) + + print(f"Documentation scraping found {len(valid_rules)} rules") + return sorted(valid_rules) + + except Exception as e: + print(f"Error extracting from documentation: {str(e)}") + return [] + +def get_fallback_rules() -> List[str]: + """Load fallback rules from baseline file (read-only)""" + fallback_file = os.path.join(os.path.dirname(__file__), 'aws_config_manage_rules_baseline.json') + try: + with open(fallback_file, 'r') as f: + rules = json.load(f) + print(f"Loaded {len(rules)} rules from baseline file") + return rules + except Exception as e: + print(f"Error loading baseline file: {str(e)}") + return [] + +def store_rules_in_dynamodb(rules: List[Dict]) -> bool: + """Store rules in DynamoDB table""" + try: + dynamodb = boto3.client('dynamodb', region_name=REGION) + + # Clear existing rules + response = dynamodb.scan(TableName=TABLE_NAME, ProjectionExpression='rule_name, service_name') + for item in response.get('Items', []): + dynamodb.delete_item( + TableName=TABLE_NAME, + Key={ + 'rule_name': item['rule_name'], + 'service_name': item['service_name'] + } + ) + + # Store new rules + for rule in rules: + dynamodb.put_item(TableName=TABLE_NAME, Item=rule) + + print(f"Successfully stored {len(rules)} rules in DynamoDB") + return True + + except Exception as e: + print(f"Error storing rules in DynamoDB: {str(e)}") + return False + +def main(): + print(f"Loading AWS Config managed rules to {TABLE_NAME}...") + + # Try to get rules from documentation + rule_names = extract_rules_from_documentation() + + if not rule_names: + print("Documentation extraction failed, using baseline file...") + rule_names = get_fallback_rules() + + if not rule_names: + print("❌ No rules found from any source") + return + + # Convert to DynamoDB format with enhanced schema + rules = [] + service_counts = {} + + print(f"Extracting detailed information for {len(rule_names)} rules...") + + for i, rule_name in enumerate(rule_names): + if i % 10 == 0: + print(f"Processing rule {i+1}/{len(rule_names)}: {rule_name}") + + # Extract detailed information first + details = extract_rule_details(rule_name) + + # Extract services from resource types (primary method) + services_from_resources = extract_services_from_resource_types(details.get('resource_types', [])) + + # Fallback to rule name if no resource types found + if not services_from_resources or services_from_resources == ['global']: + fallback_service = extract_service_from_rule_name(rule_name) + services_from_resources = [fallback_service] + + # Create separate entry for each service + for service_name in services_from_resources: + service_counts[service_name] = service_counts.get(service_name, 0) + 1 + + # Create rule record for this specific service + rule_record = { + 'rule_name': {'S': rule_name}, + 'service_name': {'S': service_name}, # Individual service for GSI + 'type': {'S': details.get('type', 'MANAGED')}, + 'description': {'S': details.get('description', f'AWS Config managed rule for {service_name}')}, + 'documentation_url': {'S': details.get('documentation_url', f'https://docs.aws.amazon.com/config/latest/developerguide/{rule_name}.html')}, + 'last_updated': {'S': datetime.utcnow().isoformat()} + } + + # Add all services this rule supports (for reference) + rule_record['services'] = {'SS': services_from_resources} + + # Add parameters if available + if details.get('parameters'): + params_list = [] + for param in details['parameters']: + params_list.append({'M': { + 'name': {'S': param['name']}, + 'description': {'S': param['description']} + }}) + if params_list: + rule_record['parameters'] = {'L': params_list} + + rules.append(rule_record) + + if rules: + print(f"\nService distribution:") + for service, count in sorted(service_counts.items()): + print(f" {service}: {count} rules") + + # Generate JSON file with datetime + timestamp = datetime.utcnow().strftime('%Y%m%d_%H%M%S') + json_filename = f"aws_config_rules_{timestamp}.json" + + # Convert DynamoDB format to regular JSON for readability + json_data = [] + for rule in rules: + json_rule = {} + for key, value in rule.items(): + if isinstance(value, dict): + if 'S' in value: + json_rule[key] = value['S'] + elif 'SS' in value: + json_rule[key] = value['SS'] + elif 'L' in value: + json_rule[key] = [item['M'] for item in value['L']] + elif 'M' in value: + json_rule[key] = value['M'] + else: + json_rule[key] = value + json_data.append(json_rule) + + # Save to JSON file + with open(json_filename, 'w') as f: + json.dump({ + 'metadata': { + 'generated_at': datetime.utcnow().isoformat(), + 'total_rules': len(set(rule['rule_name']['S'] for rule in rules)), + 'total_entries': len(rules), + 'service_distribution': service_counts + }, + 'rules': json_data + }, f, indent=2) + + print(f"\n✅ JSON file generated: {json_filename}") + + if store_rules_in_dynamodb(rules): + print(f"\n✅ Successfully loaded {len(rules)} AWS Config managed rules") + else: + print(f"\n❌ Failed to store rules in DynamoDB") + else: + print("❌ No valid rules to store") + +if __name__ == '__main__': + main() diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/download_outputs.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/download_outputs.py new file mode 100755 index 00000000..e12f2962 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/download_outputs.py @@ -0,0 +1,78 @@ +#!/usr/bin/env python3 + +import boto3 +import os +import sys +from pathlib import Path +import argparse + +def download_s3_bucket(output_dir="tests/output", service_filter=None): + # Get AWS account and region from environment or use defaults + account = os.environ.get('AWS_ACCOUNT_ID') + region = os.environ.get('AWS_DEFAULT_REGION', 'us-east-1') + + if not account: + # Try to get account from STS + try: + sts = boto3.client('sts') + account = sts.get_caller_identity()['Account'] + except Exception as e: + print(f"Error getting account ID: {e}") + sys.exit(1) + + bucket_name = f"gensec-security-config-outputs-{account}-{region}" + local_dir = Path(output_dir) + + # Create local directory + local_dir.mkdir(exist_ok=True) + + # Initialize S3 client + s3 = boto3.client('s3') + + try: + # List all objects in bucket + paginator = s3.get_paginator('list_objects_v2') + pages = paginator.paginate(Bucket=bucket_name) + + for page in pages: + if 'Contents' not in page: + continue + + for obj in page['Contents']: + key = obj['Key'] + + # Skip old-stuff folder + if key.startswith('old-stuff/'): + continue + + # Filter by service if specified + if service_filter and service_filter.lower() not in key.lower(): + continue + + # Create local file path + local_file = local_dir / key + local_file.parent.mkdir(parents=True, exist_ok=True) + + # Download file + print(f"Downloading: {key}") + s3.download_file(bucket_name, key, str(local_file)) + + print(f"Download complete. Files saved to: {local_dir}") + + except Exception as e: + print(f"Error downloading from bucket {bucket_name}: {e}") + sys.exit(1) + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='Download S3 outputs, optionally filtered by service') + parser.add_argument('--service', '-s', help='Service name to filter downloads (e.g., ACM, S3, Lambda)') + parser.add_argument('--output-dir', '-o', default='../tests/output', help='Output directory (default: ../tests/output)') + + args = parser.parse_args() + + if args.service: + print(f"Downloading outputs for service: {args.service}") + else: + print("Downloading all outputs") + + download_s3_bucket(args.output_dir, args.service) diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/service-mapping/aws_service_mappings.json b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/service-mapping/aws_service_mappings.json new file mode 100644 index 00000000..778834d7 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/service-mapping/aws_service_mappings.json @@ -0,0 +1,5031 @@ +{ + "metadata": { + "description": "AWS Service mappings for CloudFormation resource types and IAM service authorization", + "last_updated": "2025-11-05 18:16:44 UTC", + "total_services": 263, + "usage": "This file maps AWS service IDs to their CloudFormation resource types and IAM service names for documentation collection", + "version": "1.0.0" + }, + "services": { + "accessanalyzer": { + "cloudformation_prefix": "AWS::AccessAnalyzer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AccessAnalyzer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "accessanalyzer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html" + ], + "service_id": "accessanalyzer", + "service_page": "./AWS_AccessAnalyzer.html" + }, + "acmpca": { + "cloudformation_prefix": "AWS::ACMPCA::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ACMPCA.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "acmpca", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonacmpca.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_acmpca.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsacmpca.html" + ], + "service_id": "acmpca", + "service_page": "./AWS_ACMPCA.html" + }, + "aiops": { + "cloudformation_prefix": "AWS::AIOps::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AIOps.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "aiops", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonaiops.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_aiops.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaiops.html" + ], + "service_id": "aiops", + "service_page": "./AWS_AIOps.html" + }, + "amazonmq": { + "cloudformation_prefix": "AWS::AmazonMQ::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AmazonMQ.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amazonmq", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonamazonmq.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamazonmq.html" + ], + "service_id": "amazonmq", + "service_page": "./AWS_AmazonMQ.html" + }, + "amazonq": { + "cloudformation_prefix": "AWS::Q::", + "common_actions": [], + "documentation_urls": [], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amazonq", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html" + ], + "service_id": "amazonq", + "service_page": null + }, + "amplify": { + "cloudformation_prefix": "AWS::Amplify::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Amplify.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amplify", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonamplify.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amplify.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html" + ], + "service_id": "amplify", + "service_page": "./AWS_Amplify.html" + }, + "amplifyuibuilder": { + "cloudformation_prefix": "AWS::AmplifyUIBuilder::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AmplifyUIBuilder.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "amplifyuibuilder", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonamplifyuibuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amplifyuibuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyuibuilder.html" + ], + "service_id": "amplifyuibuilder", + "service_page": "./AWS_AmplifyUIBuilder.html" + }, + "apigateway": { + "cloudformation_prefix": "AWS::ApiGateway::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApiGateway.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apigateway", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html" + ], + "service_id": "apigateway", + "service_page": "./AWS_ApiGateway.html" + }, + "apigatewayv2": { + "cloudformation_prefix": "AWS::ApiGatewayV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApiGatewayV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apigateway", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apigateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapigateway.html" + ], + "service_id": "apigatewayv2", + "service_page": "./AWS_ApiGatewayV2.html" + }, + "appconfig": { + "cloudformation_prefix": "AWS::AppConfig::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppConfig.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appconfig", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappconfig.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appconfig.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html" + ], + "service_id": "appconfig", + "service_page": "./AWS_AppConfig.html" + }, + "appflow": { + "cloudformation_prefix": "AWS::AppFlow::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppFlow.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appflow", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appflow.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappflow.html" + ], + "service_id": "appflow", + "service_page": "./AWS_AppFlow.html" + }, + "appintegrations": { + "cloudformation_prefix": "AWS::AppIntegrations::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppIntegrations.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appintegrations", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappintegrations.html" + ], + "service_id": "appintegrations", + "service_page": "./AWS_AppIntegrations.html" + }, + "applicationautoscaling": { + "cloudformation_prefix": "AWS::ApplicationAutoScaling::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApplicationAutoScaling.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "application-autoscaling", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplication-autoscaling.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_application-autoscaling.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplication-autoscaling.html" + ], + "service_id": "applicationautoscaling", + "service_page": "./AWS_ApplicationAutoScaling.html" + }, + "applicationinsights": { + "cloudformation_prefix": "AWS::ApplicationInsights::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApplicationInsights.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "applicationinsights", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplicationinsights.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationinsights.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationinsights.html" + ], + "service_id": "applicationinsights", + "service_page": "./AWS_ApplicationInsights.html" + }, + "applicationsignals": { + "cloudformation_prefix": "AWS::ApplicationSignals::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ApplicationSignals.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "applicationsignals", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplicationsignals.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationsignals.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationsignals.html" + ], + "service_id": "applicationsignals", + "service_page": "./AWS_ApplicationSignals.html" + }, + "appmesh": { + "cloudformation_prefix": "AWS::AppMesh::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppMesh.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appmesh", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappmesh.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appmesh.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html" + ], + "service_id": "appmesh", + "service_page": "./AWS_AppMesh.html" + }, + "apprunner": { + "cloudformation_prefix": "AWS::AppRunner::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppRunner.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apprunner", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapprunner.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apprunner.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html" + ], + "service_id": "apprunner", + "service_page": "./AWS_AppRunner.html" + }, + "appstream": { + "cloudformation_prefix": "AWS::AppStream::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppStream.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appstream", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appstream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappstream.html" + ], + "service_id": "appstream", + "service_page": "./AWS_AppStream.html" + }, + "appsync": { + "cloudformation_prefix": "AWS::AppSync::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppSync.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "appsync", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappsync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_appsync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html" + ], + "service_id": "appsync", + "service_page": "./AWS_AppSync.html" + }, + "apptest": { + "cloudformation_prefix": "AWS::AppTest::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AppTest.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "apptest", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapptest.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apptest.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapptest.html" + ], + "service_id": "apptest", + "service_page": "./AWS_AppTest.html" + }, + "aps": { + "cloudformation_prefix": "AWS::APS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_APS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "aps", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonaps.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_aps.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaps.html" + ], + "service_id": "aps", + "service_page": "./AWS_APS.html" + }, + "arcregionswitch": { + "cloudformation_prefix": "AWS::ARCRegionSwitch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ARCRegionSwitch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "arcregionswitch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonarcregionswitch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_arcregionswitch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsarcregionswitch.html" + ], + "service_id": "arcregionswitch", + "service_page": "./AWS_ARCRegionSwitch.html" + }, + "arczonalshift": { + "cloudformation_prefix": "AWS::ARCZonalShift::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ARCZonalShift.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "arczonalshift", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonarczonalshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_arczonalshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsarczonalshift.html" + ], + "service_id": "arczonalshift", + "service_page": "./AWS_ARCZonalShift.html" + }, + "athena": { + "cloudformation_prefix": "AWS::Athena::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Athena.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "athena", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_athena.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsathena.html" + ], + "service_id": "athena", + "service_page": "./AWS_Athena.html" + }, + "auditmanager": { + "cloudformation_prefix": "AWS::AuditManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AuditManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "auditmanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonauditmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_auditmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html" + ], + "service_id": "auditmanager", + "service_page": "./AWS_AuditManager.html" + }, + "autoscaling": { + "cloudformation_prefix": "AWS::AutoScaling::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AutoScaling.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "autoscaling", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html" + ], + "service_id": "autoscaling", + "service_page": "./AWS_AutoScaling.html" + }, + "autoscalingplans": { + "cloudformation_prefix": "AWS::AutoScalingPlans::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_AutoScalingPlans.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "autoscalingplans", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonautoscalingplans.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_autoscalingplans.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsautoscalingplans.html" + ], + "service_id": "autoscalingplans", + "service_page": "./AWS_AutoScalingPlans.html" + }, + "b2bi": { + "cloudformation_prefix": "AWS::B2BI::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_B2BI.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "b2bi", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonb2bi.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_b2bi.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsb2bi.html" + ], + "service_id": "b2bi", + "service_page": "./AWS_B2BI.html" + }, + "backup": { + "cloudformation_prefix": "AWS::Backup::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Backup.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "backup", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbackup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_backup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html" + ], + "service_id": "backup", + "service_page": "./AWS_Backup.html" + }, + "backupgateway": { + "cloudformation_prefix": "AWS::BackupGateway::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BackupGateway.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "backupgateway", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbackupgateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_backupgateway.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackupgateway.html" + ], + "service_id": "backupgateway", + "service_page": "./AWS_BackupGateway.html" + }, + "batch": { + "cloudformation_prefix": "AWS::Batch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Batch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "batch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbatch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_batch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html" + ], + "service_id": "batch", + "service_page": "./AWS_Batch.html" + }, + "bcmdataexports": { + "cloudformation_prefix": "AWS::BCMDataExports::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BCMDataExports.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "bcmdataexports", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbcmdataexports.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_bcmdataexports.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbcmdataexports.html" + ], + "service_id": "bcmdataexports", + "service_page": "./AWS_BCMDataExports.html" + }, + "bedrock": { + "cloudformation_prefix": "AWS::Bedrock::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Bedrock.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "bedrock", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_bedrock.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbedrock.html" + ], + "service_id": "bedrock", + "service_page": "./AWS_Bedrock.html" + }, + "bedrockagentcore": { + "cloudformation_prefix": "AWS::BedrockAgentCore::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BedrockAgentCore.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "bedrockagentcore", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_bedrockagentcore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbedrockagentcore.html" + ], + "service_id": "bedrockagentcore", + "service_page": "./AWS_BedrockAgentCore.html" + }, + "billing": { + "cloudformation_prefix": "AWS::Billing::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Billing.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "billing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbilling.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_billing.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbilling.html" + ], + "service_id": "billing", + "service_page": "./AWS_Billing.html" + }, + "billingconductor": { + "cloudformation_prefix": "AWS::BillingConductor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_BillingConductor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "billingconductor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbillingconductor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_billingconductor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbillingconductor.html" + ], + "service_id": "billingconductor", + "service_page": "./AWS_BillingConductor.html" + }, + "budgets": { + "cloudformation_prefix": "AWS::Budgets::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Budgets.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "budgets", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbudgets.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_budgets.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgets.html" + ], + "service_id": "budgets", + "service_page": "./AWS_Budgets.html" + }, + "cassandra": { + "cloudformation_prefix": "AWS::Cassandra::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Cassandra.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cassandra", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncassandra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cassandra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscassandra.html" + ], + "service_id": "cassandra", + "service_page": "./AWS_Cassandra.html" + }, + "ce": { + "cloudformation_prefix": "AWS::CE::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CE.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ce", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonce.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ce.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsce.html" + ], + "service_id": "ce", + "service_page": "./AWS_CE.html" + }, + "certificatemanager": { + "cloudformation_prefix": "AWS::CertificateManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CertificateManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "certificatemanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncertificatemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_certificatemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html" + ], + "service_id": "certificatemanager", + "service_page": "./AWS_CertificateManager.html" + }, + "chatbot": { + "cloudformation_prefix": "AWS::Chatbot::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Chatbot.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "chatbot", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchatbot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_chatbot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html" + ], + "service_id": "chatbot", + "service_page": "./AWS_Chatbot.html" + }, + "cleanrooms": { + "cloudformation_prefix": "AWS::CleanRooms::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CleanRooms.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cleanrooms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncleanrooms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cleanrooms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscleanrooms.html" + ], + "service_id": "cleanrooms", + "service_page": "./AWS_CleanRooms.html" + }, + "cleanroomsml": { + "cloudformation_prefix": "AWS::CleanRoomsML::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CleanRoomsML.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cleanroomsml", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncleanroomsml.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cleanroomsml.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscleanroomsml.html" + ], + "service_id": "cleanroomsml", + "service_page": "./AWS_CleanRoomsML.html" + }, + "cloud9": { + "cloudformation_prefix": "AWS::Cloud9::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Cloud9.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloud9", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloud9.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloud9.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html" + ], + "service_id": "cloud9", + "service_page": "./AWS_Cloud9.html" + }, + "cloudformation": { + "cloudformation_prefix": "AWS::CloudFormation::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudFormation.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudformation", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html" + ], + "service_id": "cloudformation", + "service_page": "./AWS_CloudFormation.html" + }, + "cloudfront": { + "cloudformation_prefix": "AWS::CloudFront::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudFront.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudfront", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudfront.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudfront.html" + ], + "service_id": "cloudfront", + "service_page": "./AWS_CloudFront.html" + }, + "cloudtrail": { + "cloudformation_prefix": "AWS::CloudTrail::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudTrail.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudtrail", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudtrail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudtrail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html" + ], + "service_id": "cloudtrail", + "service_page": "./AWS_CloudTrail.html" + }, + "cloudwatch": { + "cloudformation_prefix": "AWS::CloudWatch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CloudWatch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cloudwatch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudwatch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudwatch.html" + ], + "service_id": "cloudwatch", + "service_page": "./AWS_CloudWatch.html" + }, + "codeartifact": { + "cloudformation_prefix": "AWS::CodeArtifact::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeArtifact.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codeartifact", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeartifact.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codeartifact.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html" + ], + "service_id": "codeartifact", + "service_page": "./AWS_CodeArtifact.html" + }, + "codebuild": { + "cloudformation_prefix": "AWS::CodeBuild::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeBuild.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codebuild", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodebuild.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codebuild.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html" + ], + "service_id": "codebuild", + "service_page": "./AWS_CodeBuild.html" + }, + "codecommit": { + "cloudformation_prefix": "AWS::CodeCommit::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeCommit.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codecommit", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodecommit.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codecommit.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html" + ], + "service_id": "codecommit", + "service_page": "./AWS_CodeCommit.html" + }, + "codeconnections": { + "cloudformation_prefix": "AWS::CodeConnections::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeConnections.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codeconnections", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codeconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeconnections.html" + ], + "service_id": "codeconnections", + "service_page": "./AWS_CodeConnections.html" + }, + "codedeploy": { + "cloudformation_prefix": "AWS::CodeDeploy::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeDeploy.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codedeploy", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodedeploy.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codedeploy.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html" + ], + "service_id": "codedeploy", + "service_page": "./AWS_CodeDeploy.html" + }, + "codeguruprofiler": { + "cloudformation_prefix": "AWS::CodeGuruProfiler::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeGuruProfiler.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codeguruprofiler", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codeguruprofiler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeguruprofiler.html" + ], + "service_id": "codeguruprofiler", + "service_page": "./AWS_CodeGuruProfiler.html" + }, + "codegurureviewer": { + "cloudformation_prefix": "AWS::CodeGuruReviewer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeGuruReviewer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codegurureviewer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codegurureviewer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodegurureviewer.html" + ], + "service_id": "codegurureviewer", + "service_page": "./AWS_CodeGuruReviewer.html" + }, + "codepipeline": { + "cloudformation_prefix": "AWS::CodePipeline::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodePipeline.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codepipeline", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodepipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codepipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html" + ], + "service_id": "codepipeline", + "service_page": "./AWS_CodePipeline.html" + }, + "codestar": { + "cloudformation_prefix": "AWS::CodeStar::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeStar.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codestar", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodestar.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codestar.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html" + ], + "service_id": "codestar", + "service_page": "./AWS_CodeStar.html" + }, + "codestarconnections": { + "cloudformation_prefix": "AWS::CodeStarConnections::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeStarConnections.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codestarconnections", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodestarconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codestarconnections.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html" + ], + "service_id": "codestarconnections", + "service_page": "./AWS_CodeStarConnections.html" + }, + "codestarnotifications": { + "cloudformation_prefix": "AWS::CodeStarNotifications::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CodeStarNotifications.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "codestarnotifications", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodestarnotifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_codestarnotifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html" + ], + "service_id": "codestarnotifications", + "service_page": "./AWS_CodeStarNotifications.html" + }, + "cognito": { + "cloudformation_prefix": "AWS::Cognito::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Cognito.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cognito", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognito.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cognito.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscognito.html" + ], + "service_id": "cognito", + "service_page": "./AWS_Cognito.html" + }, + "comprehend": { + "cloudformation_prefix": "AWS::Comprehend::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Comprehend.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "comprehend", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehend.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_comprehend.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomprehend.html" + ], + "service_id": "comprehend", + "service_page": "./AWS_Comprehend.html" + }, + "config": { + "cloudformation_prefix": "AWS::Config::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Config.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "config", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconfig.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_config.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html" + ], + "service_id": "config", + "service_page": "./AWS_Config.html" + }, + "connect": { + "cloudformation_prefix": "AWS::Connect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Connect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "connect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_connect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnect.html" + ], + "service_id": "connect", + "service_page": "./AWS_Connect.html" + }, + "connectcampaigns": { + "cloudformation_prefix": "AWS::ConnectCampaigns::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ConnectCampaigns.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "connectcampaigns", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcampaigns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_connectcampaigns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectcampaigns.html" + ], + "service_id": "connectcampaigns", + "service_page": "./AWS_ConnectCampaigns.html" + }, + "connectcampaignsv2": { + "cloudformation_prefix": "AWS::ConnectCampaignsV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ConnectCampaignsV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "connectcampaignsv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcampaignsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_connectcampaignsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectcampaignsv2.html" + ], + "service_id": "connectcampaignsv2", + "service_page": "./AWS_ConnectCampaignsV2.html" + }, + "controltower": { + "cloudformation_prefix": "AWS::ControlTower::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ControlTower.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "controltower", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncontroltower.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_controltower.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscontroltower.html" + ], + "service_id": "controltower", + "service_page": "./AWS_ControlTower.html" + }, + "cur": { + "cloudformation_prefix": "AWS::CUR::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CUR.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "cur", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncur.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cur.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscur.html" + ], + "service_id": "cur", + "service_page": "./AWS_CUR.html" + }, + "customerprofiles": { + "cloudformation_prefix": "AWS::CustomerProfiles::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_CustomerProfiles.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "customerprofiles", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncustomerprofiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_customerprofiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscustomerprofiles.html" + ], + "service_id": "customerprofiles", + "service_page": "./AWS_CustomerProfiles.html" + }, + "databrew": { + "cloudformation_prefix": "AWS::DataBrew::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataBrew.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "databrew", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatabrew.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_databrew.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabrew.html" + ], + "service_id": "databrew", + "service_page": "./AWS_DataBrew.html" + }, + "datapipeline": { + "cloudformation_prefix": "AWS::DataPipeline::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataPipeline.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "datapipeline", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatapipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datapipeline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html" + ], + "service_id": "datapipeline", + "service_page": "./AWS_DataPipeline.html" + }, + "datasync": { + "cloudformation_prefix": "AWS::DataSync::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataSync.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "datasync", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatasync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datasync.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html" + ], + "service_id": "datasync", + "service_page": "./AWS_DataSync.html" + }, + "datazone": { + "cloudformation_prefix": "AWS::DataZone::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DataZone.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "datazone", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatazone.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datazone.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatazone.html" + ], + "service_id": "datazone", + "service_page": "./AWS_DataZone.html" + }, + "dax": { + "cloudformation_prefix": "AWS::DAX::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DAX.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dax", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondax.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dax.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdax.html" + ], + "service_id": "dax", + "service_page": "./AWS_DAX.html" + }, + "deadline": { + "cloudformation_prefix": "AWS::Deadline::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Deadline.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "deadline", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondeadline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_deadline.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeadline.html" + ], + "service_id": "deadline", + "service_page": "./AWS_Deadline.html" + }, + "detective": { + "cloudformation_prefix": "AWS::Detective::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Detective.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "detective", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_detective.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdetective.html" + ], + "service_id": "detective", + "service_page": "./AWS_Detective.html" + }, + "devicefarm": { + "cloudformation_prefix": "AWS::DeviceFarm::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DeviceFarm.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "devicefarm", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevicefarm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_devicefarm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html" + ], + "service_id": "devicefarm", + "service_page": "./AWS_DeviceFarm.html" + }, + "devopsguru": { + "cloudformation_prefix": "AWS::DevOpsGuru::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DevOpsGuru.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "devopsguru", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_devopsguru.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevopsguru.html" + ], + "service_id": "devopsguru", + "service_page": "./AWS_DevOpsGuru.html" + }, + "directoryservice": { + "cloudformation_prefix": "AWS::DirectoryService::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DirectoryService.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "directoryservice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondirectoryservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_directoryservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html" + ], + "service_id": "directoryservice", + "service_page": "./AWS_DirectoryService.html" + }, + "dlm": { + "cloudformation_prefix": "AWS::DLM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DLM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dlm", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondlm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dlm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdlm.html" + ], + "service_id": "dlm", + "service_page": "./AWS_DLM.html" + }, + "dms": { + "cloudformation_prefix": "AWS::DMS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DMS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdms.html" + ], + "service_id": "dms", + "service_page": "./AWS_DMS.html" + }, + "docdb": { + "cloudformation_prefix": "AWS::DocDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DocDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "docdb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_docdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdocdb.html" + ], + "service_id": "docdb", + "service_page": "./AWS_DocDB.html" + }, + "docdbelastic": { + "cloudformation_prefix": "AWS::DocDBElastic::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DocDBElastic.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "docdbelastic", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocdbelastic.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_docdbelastic.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdocdbelastic.html" + ], + "service_id": "docdbelastic", + "service_page": "./AWS_DocDBElastic.html" + }, + "dsql": { + "cloudformation_prefix": "AWS::DSQL::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DSQL.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dsql", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondsql.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dsql.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdsql.html" + ], + "service_id": "dsql", + "service_page": "./AWS_DSQL.html" + }, + "dynamodb": { + "cloudformation_prefix": "AWS::DynamoDB::", + "common_actions": [ + "CreateTable", + "DeleteTable", + "DescribeTable", + "PutItem", + "GetItem", + "UpdateItem", + "DeleteItem" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_DynamoDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "dynamodb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_dynamodb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdynamodb.html" + ], + "service_id": "dynamodb", + "service_page": "./AWS_DynamoDB.html" + }, + "ec2": { + "cloudformation_prefix": "AWS::EC2::", + "common_actions": [ + "RunInstances", + "TerminateInstances", + "DescribeInstances", + "CreateVpc", + "DeleteVpc" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EC2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ec2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ec2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsec2.html" + ], + "service_id": "ec2", + "service_page": "./AWS_EC2.html" + }, + "ecr": { + "cloudformation_prefix": "AWS::ECR::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ECR.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ecr", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonecr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ecr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsecr.html" + ], + "service_id": "ecr", + "service_page": "./AWS_ECR.html" + }, + "ecs": { + "cloudformation_prefix": "AWS::ECS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ECS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ecs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonecs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ecs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsecs.html" + ], + "service_id": "ecs", + "service_page": "./AWS_ECS.html" + }, + "efs": { + "cloudformation_prefix": "AWS::EFS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EFS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "efs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonefs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_efs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsefs.html" + ], + "service_id": "efs", + "service_page": "./AWS_EFS.html" + }, + "eks": { + "cloudformation_prefix": "AWS::EKS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EKS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "eks", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneks.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_eks.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awseks.html" + ], + "service_id": "eks", + "service_page": "./AWS_EKS.html" + }, + "elasticache": { + "cloudformation_prefix": "AWS::ElastiCache::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElastiCache.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticache", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticache.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticache.html" + ], + "service_id": "elasticache", + "service_page": "./AWS_ElastiCache.html" + }, + "elasticbeanstalk": { + "cloudformation_prefix": "AWS::ElasticBeanstalk::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElasticBeanstalk.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticbeanstalk", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticbeanstalk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticbeanstalk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html" + ], + "service_id": "elasticbeanstalk", + "service_page": "./AWS_ElasticBeanstalk.html" + }, + "elasticloadbalancing": { + "cloudformation_prefix": "AWS::ElasticLoadBalancing::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElasticLoadBalancing.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticloadbalancing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html" + ], + "service_id": "elasticloadbalancing", + "service_page": "./AWS_ElasticLoadBalancing.html" + }, + "elasticloadbalancingv2": { + "cloudformation_prefix": "AWS::ElasticLoadBalancingV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ElasticLoadBalancingV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticloadbalancing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html" + ], + "service_id": "elasticloadbalancingv2", + "service_page": "./AWS_ElasticLoadBalancingV2.html" + }, + "elasticsearch": { + "cloudformation_prefix": "AWS::Elasticsearch::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Elasticsearch.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "elasticsearch", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticsearch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticsearch.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticsearch.html" + ], + "service_id": "elasticsearch", + "service_page": "./AWS_Elasticsearch.html" + }, + "emr": { + "cloudformation_prefix": "AWS::EMR::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EMR.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "emr", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_emr.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsemr.html" + ], + "service_id": "emr", + "service_page": "./AWS_EMR.html" + }, + "emrcontainers": { + "cloudformation_prefix": "AWS::EMRContainers::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EMRContainers.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "emrcontainers", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrcontainers.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_emrcontainers.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsemrcontainers.html" + ], + "service_id": "emrcontainers", + "service_page": "./AWS_EMRContainers.html" + }, + "emrserverless": { + "cloudformation_prefix": "AWS::EMRServerless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EMRServerless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "emrserverless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_emrserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsemrserverless.html" + ], + "service_id": "emrserverless", + "service_page": "./AWS_EMRServerless.html" + }, + "entityresolution": { + "cloudformation_prefix": "AWS::EntityResolution::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EntityResolution.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "entityresolution", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonentityresolution.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_entityresolution.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsentityresolution.html" + ], + "service_id": "entityresolution", + "service_page": "./AWS_EntityResolution.html" + }, + "events": { + "cloudformation_prefix": "AWS::Events::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Events.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "events", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonevents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_events.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsevents.html" + ], + "service_id": "events", + "service_page": "./AWS_Events.html" + }, + "eventschemas": { + "cloudformation_prefix": "AWS::EventSchemas::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EventSchemas.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "eventschemas", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventschemas.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_eventschemas.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awseventschemas.html" + ], + "service_id": "eventschemas", + "service_page": "./AWS_EventSchemas.html" + }, + "evidently": { + "cloudformation_prefix": "AWS::Evidently::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Evidently.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "evidently", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonevidently.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_evidently.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsevidently.html" + ], + "service_id": "evidently", + "service_page": "./AWS_Evidently.html" + }, + "evs": { + "cloudformation_prefix": "AWS::EVS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_EVS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "evs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonevs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_evs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsevs.html" + ], + "service_id": "evs", + "service_page": "./AWS_EVS.html" + }, + "finspace": { + "cloudformation_prefix": "AWS::FinSpace::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FinSpace.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "finspace", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfinspace.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_finspace.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfinspace.html" + ], + "service_id": "finspace", + "service_page": "./AWS_FinSpace.html" + }, + "fis": { + "cloudformation_prefix": "AWS::FIS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FIS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "fis", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfis.html" + ], + "service_id": "fis", + "service_page": "./AWS_FIS.html" + }, + "fms": { + "cloudformation_prefix": "AWS::FMS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FMS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "fms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfms.html" + ], + "service_id": "fms", + "service_page": "./AWS_FMS.html" + }, + "forecast": { + "cloudformation_prefix": "AWS::Forecast::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Forecast.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "forecast", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonforecast.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_forecast.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsforecast.html" + ], + "service_id": "forecast", + "service_page": "./AWS_Forecast.html" + }, + "frauddetector": { + "cloudformation_prefix": "AWS::FraudDetector::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FraudDetector.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "frauddetector", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_frauddetector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfrauddetector.html" + ], + "service_id": "frauddetector", + "service_page": "./AWS_FraudDetector.html" + }, + "fsx": { + "cloudformation_prefix": "AWS::FSx::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_FSx.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "fsx", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fsx.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfsx.html" + ], + "service_id": "fsx", + "service_page": "./AWS_FSx.html" + }, + "gamelift": { + "cloudformation_prefix": "AWS::GameLift::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GameLift.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "gamelift", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_gamelift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgamelift.html" + ], + "service_id": "gamelift", + "service_page": "./AWS_GameLift.html" + }, + "gameliftstreams": { + "cloudformation_prefix": "AWS::GameLiftStreams::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GameLiftStreams.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "gameliftstreams", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongameliftstreams.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_gameliftstreams.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgameliftstreams.html" + ], + "service_id": "gameliftstreams", + "service_page": "./AWS_GameLiftStreams.html" + }, + "globalaccelerator": { + "cloudformation_prefix": "AWS::GlobalAccelerator::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GlobalAccelerator.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "globalaccelerator", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonglobalaccelerator.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_globalaccelerator.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglobalaccelerator.html" + ], + "service_id": "globalaccelerator", + "service_page": "./AWS_GlobalAccelerator.html" + }, + "glue": { + "cloudformation_prefix": "AWS::Glue::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Glue.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "glue", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonglue.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_glue.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html" + ], + "service_id": "glue", + "service_page": "./AWS_Glue.html" + }, + "grafana": { + "cloudformation_prefix": "AWS::Grafana::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Grafana.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "grafana", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongrafana.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_grafana.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgrafana.html" + ], + "service_id": "grafana", + "service_page": "./AWS_Grafana.html" + }, + "greengrass": { + "cloudformation_prefix": "AWS::Greengrass::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Greengrass.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "greengrass", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongreengrass.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_greengrass.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgreengrass.html" + ], + "service_id": "greengrass", + "service_page": "./AWS_Greengrass.html" + }, + "greengrassv2": { + "cloudformation_prefix": "AWS::GreengrassV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GreengrassV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "greengrassv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongreengrassv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_greengrassv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgreengrassv2.html" + ], + "service_id": "greengrassv2", + "service_page": "./AWS_GreengrassV2.html" + }, + "groundstation": { + "cloudformation_prefix": "AWS::GroundStation::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GroundStation.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "groundstation", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongroundstation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_groundstation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html" + ], + "service_id": "groundstation", + "service_page": "./AWS_GroundStation.html" + }, + "guardduty": { + "cloudformation_prefix": "AWS::GuardDuty::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_GuardDuty.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "guardduty", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_guardduty.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsguardduty.html" + ], + "service_id": "guardduty", + "service_page": "./AWS_GuardDuty.html" + }, + "healthimaging": { + "cloudformation_prefix": "AWS::HealthImaging::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_HealthImaging.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "healthimaging", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthimaging.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_healthimaging.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html" + ], + "service_id": "healthimaging", + "service_page": "./AWS_HealthImaging.html" + }, + "healthlake": { + "cloudformation_prefix": "AWS::HealthLake::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_HealthLake.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "healthlake", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_healthlake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html" + ], + "service_id": "healthlake", + "service_page": "./AWS_HealthLake.html" + }, + "iam": { + "cloudformation_prefix": "AWS::IAM::", + "common_actions": [ + "CreateRole", + "DeleteRole", + "AttachRolePolicy", + "DetachRolePolicy", + "CreatePolicy" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IAM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iam", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiam.html" + ], + "service_id": "iam", + "service_page": "./AWS_IAM.html" + }, + "identitystore": { + "cloudformation_prefix": "AWS::IdentityStore::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IdentityStore.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "identitystore", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonidentitystore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_identitystore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html" + ], + "service_id": "identitystore", + "service_page": "./AWS_IdentityStore.html" + }, + "imagebuilder": { + "cloudformation_prefix": "AWS::ImageBuilder::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ImageBuilder.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "imagebuilder", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonimagebuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_imagebuilder.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsimagebuilder.html" + ], + "service_id": "imagebuilder", + "service_page": "./AWS_ImageBuilder.html" + }, + "inspector": { + "cloudformation_prefix": "AWS::Inspector::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Inspector.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "inspector", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_inspector.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinspector.html" + ], + "service_id": "inspector", + "service_page": "./AWS_Inspector.html" + }, + "inspectorv2": { + "cloudformation_prefix": "AWS::InspectorV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_InspectorV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "inspectorv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspectorv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_inspectorv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinspectorv2.html" + ], + "service_id": "inspectorv2", + "service_page": "./AWS_InspectorV2.html" + }, + "internetmonitor": { + "cloudformation_prefix": "AWS::InternetMonitor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_InternetMonitor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "internetmonitor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninternetmonitor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_internetmonitor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinternetmonitor.html" + ], + "service_id": "internetmonitor", + "service_page": "./AWS_InternetMonitor.html" + }, + "invoicing": { + "cloudformation_prefix": "AWS::Invoicing::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Invoicing.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "invoicing", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninvoicing.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_invoicing.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinvoicing.html" + ], + "service_id": "invoicing", + "service_page": "./AWS_Invoicing.html" + }, + "iot": { + "cloudformation_prefix": "AWS::IoT::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoT.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iot", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iot.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html" + ], + "service_id": "iot", + "service_page": "./AWS_IoT.html" + }, + "iotanalytics": { + "cloudformation_prefix": "AWS::IoTAnalytics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTAnalytics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotanalytics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html" + ], + "service_id": "iotanalytics", + "service_page": "./AWS_IoTAnalytics.html" + }, + "iotcoredeviceadvisor": { + "cloudformation_prefix": "AWS::IoTCoreDeviceAdvisor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTCoreDeviceAdvisor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotcoredeviceadvisor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotcoredeviceadvisor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotcoredeviceadvisor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html" + ], + "service_id": "iotcoredeviceadvisor", + "service_page": "./AWS_IoTCoreDeviceAdvisor.html" + }, + "iotevents": { + "cloudformation_prefix": "AWS::IoTEvents::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTEvents.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotevents", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotevents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotevents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html" + ], + "service_id": "iotevents", + "service_page": "./AWS_IoTEvents.html" + }, + "iotfleethub": { + "cloudformation_prefix": "AWS::IoTFleetHub::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTFleetHub.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotfleethub", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotfleethub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotfleethub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleethub.html" + ], + "service_id": "iotfleethub", + "service_page": "./AWS_IoTFleetHub.html" + }, + "iotfleetwise": { + "cloudformation_prefix": "AWS::IoTFleetWise::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTFleetWise.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotfleetwise", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotfleetwise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotfleetwise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html" + ], + "service_id": "iotfleetwise", + "service_page": "./AWS_IoTFleetWise.html" + }, + "iotmanagedintegrations": { + "cloudformation_prefix": "AWS::IoTManagedIntegrations::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTManagedIntegrations.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotmanagedintegrations", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotmanagedintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotmanagedintegrations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html" + ], + "service_id": "iotmanagedintegrations", + "service_page": "./AWS_IoTManagedIntegrations.html" + }, + "iotsitewise": { + "cloudformation_prefix": "AWS::IoTSiteWise::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTSiteWise.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotsitewise", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotsitewise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotsitewise.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html" + ], + "service_id": "iotsitewise", + "service_page": "./AWS_IoTSiteWise.html" + }, + "iottwinmaker": { + "cloudformation_prefix": "AWS::IoTTwinMaker::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTTwinMaker.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iottwinmaker", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniottwinmaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iottwinmaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html" + ], + "service_id": "iottwinmaker", + "service_page": "./AWS_IoTTwinMaker.html" + }, + "iotwireless": { + "cloudformation_prefix": "AWS::IoTWireless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IoTWireless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "iotwireless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoniotwireless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iotwireless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html" + ], + "service_id": "iotwireless", + "service_page": "./AWS_IoTWireless.html" + }, + "ivs": { + "cloudformation_prefix": "AWS::IVS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IVS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ivs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonivs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ivs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsivs.html" + ], + "service_id": "ivs", + "service_page": "./AWS_IVS.html" + }, + "ivschat": { + "cloudformation_prefix": "AWS::IVSChat::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_IVSChat.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ivschat", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonivschat.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ivschat.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsivschat.html" + ], + "service_id": "ivschat", + "service_page": "./AWS_IVSChat.html" + }, + "kafkaconnect": { + "cloudformation_prefix": "AWS::KafkaConnect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KafkaConnect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kafkaconnect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkafkaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kafkaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskafkaconnect.html" + ], + "service_id": "kafkaconnect", + "service_page": "./AWS_KafkaConnect.html" + }, + "kendra": { + "cloudformation_prefix": "AWS::Kendra::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Kendra.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kendra", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kendra.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskendra.html" + ], + "service_id": "kendra", + "service_page": "./AWS_Kendra.html" + }, + "kendraranking": { + "cloudformation_prefix": "AWS::KendraRanking::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KendraRanking.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kendraranking", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendraranking.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kendraranking.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskendraranking.html" + ], + "service_id": "kendraranking", + "service_page": "./AWS_KendraRanking.html" + }, + "kinesis": { + "cloudformation_prefix": "AWS::Kinesis::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Kinesis.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesis", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesis.html" + ], + "service_id": "kinesis", + "service_page": "./AWS_Kinesis.html" + }, + "kinesisanalytics": { + "cloudformation_prefix": "AWS::KinesisAnalytics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisAnalytics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisanalytics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisanalytics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisanalytics.html" + ], + "service_id": "kinesisanalytics", + "service_page": "./AWS_KinesisAnalytics.html" + }, + "kinesisanalyticsv2": { + "cloudformation_prefix": "AWS::KinesisAnalyticsV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisAnalyticsV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisanalyticsv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisanalyticsv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisanalyticsv2.html" + ], + "service_id": "kinesisanalyticsv2", + "service_page": "./AWS_KinesisAnalyticsV2.html" + }, + "kinesisfirehose": { + "cloudformation_prefix": "AWS::KinesisFirehose::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisFirehose.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisfirehose", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisfirehose.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisfirehose.html" + ], + "service_id": "kinesisfirehose", + "service_page": "./AWS_KinesisFirehose.html" + }, + "kinesisvideo": { + "cloudformation_prefix": "AWS::KinesisVideo::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KinesisVideo.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kinesisvideo", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisvideo.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kinesisvideo.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskinesisvideo.html" + ], + "service_id": "kinesisvideo", + "service_page": "./AWS_KinesisVideo.html" + }, + "kms": { + "cloudformation_prefix": "AWS::KMS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_KMS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "kms", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_kms.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskms.html" + ], + "service_id": "kms", + "service_page": "./AWS_KMS.html" + }, + "lakeformation": { + "cloudformation_prefix": "AWS::LakeFormation::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LakeFormation.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lakeformation", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlakeformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lakeformation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslakeformation.html" + ], + "service_id": "lakeformation", + "service_page": "./AWS_LakeFormation.html" + }, + "lambda": { + "cloudformation_prefix": "AWS::Lambda::", + "common_actions": [ + "CreateFunction", + "DeleteFunction", + "InvokeFunction", + "UpdateFunctionCode", + "GetFunction" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Lambda.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lambda", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html" + ], + "service_id": "lambda", + "service_page": "./AWS_Lambda.html" + }, + "launchwizard": { + "cloudformation_prefix": "AWS::LaunchWizard::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LaunchWizard.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "launchwizard", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlaunchwizard.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_launchwizard.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslaunchwizard.html" + ], + "service_id": "launchwizard", + "service_page": "./AWS_LaunchWizard.html" + }, + "lex": { + "cloudformation_prefix": "AWS::Lex::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Lex.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lex", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lex.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslex.html" + ], + "service_id": "lex", + "service_page": "./AWS_Lex.html" + }, + "licensemanager": { + "cloudformation_prefix": "AWS::LicenseManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LicenseManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "licensemanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlicensemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_licensemanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html" + ], + "service_id": "licensemanager", + "service_page": "./AWS_LicenseManager.html" + }, + "lightsail": { + "cloudformation_prefix": "AWS::Lightsail::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Lightsail.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lightsail", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lightsail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslightsail.html" + ], + "service_id": "lightsail", + "service_page": "./AWS_Lightsail.html" + }, + "location": { + "cloudformation_prefix": "AWS::Location::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Location.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "location", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_location.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslocation.html" + ], + "service_id": "location", + "service_page": "./AWS_Location.html" + }, + "logs": { + "cloudformation_prefix": "AWS::Logs::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Logs.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "logs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlogs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_logs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslogs.html" + ], + "service_id": "logs", + "service_page": "./AWS_Logs.html" + }, + "lookoutequipment": { + "cloudformation_prefix": "AWS::LookoutEquipment::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LookoutEquipment.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lookoutequipment", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutequipment.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lookoutequipment.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslookoutequipment.html" + ], + "service_id": "lookoutequipment", + "service_page": "./AWS_LookoutEquipment.html" + }, + "lookoutmetrics": { + "cloudformation_prefix": "AWS::LookoutMetrics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LookoutMetrics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lookoutmetrics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutmetrics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lookoutmetrics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslookoutmetrics.html" + ], + "service_id": "lookoutmetrics", + "service_page": "./AWS_LookoutMetrics.html" + }, + "lookoutvision": { + "cloudformation_prefix": "AWS::LookoutVision::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_LookoutVision.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "lookoutvision", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutvision.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_lookoutvision.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslookoutvision.html" + ], + "service_id": "lookoutvision", + "service_page": "./AWS_LookoutVision.html" + }, + "m2": { + "cloudformation_prefix": "AWS::M2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_M2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "m2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonm2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_m2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsm2.html" + ], + "service_id": "m2", + "service_page": "./AWS_M2.html" + }, + "macie": { + "cloudformation_prefix": "AWS::Macie::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Macie.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "macie", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacie.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_macie.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmacie.html" + ], + "service_id": "macie", + "service_page": "./AWS_Macie.html" + }, + "managedblockchain": { + "cloudformation_prefix": "AWS::ManagedBlockchain::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ManagedBlockchain.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "managedblockchain", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_managedblockchain.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmanagedblockchain.html" + ], + "service_id": "managedblockchain", + "service_page": "./AWS_ManagedBlockchain.html" + }, + "mediaconnect": { + "cloudformation_prefix": "AWS::MediaConnect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaConnect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediaconnect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediaconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediaconnect.html" + ], + "service_id": "mediaconnect", + "service_page": "./AWS_MediaConnect.html" + }, + "mediaconvert": { + "cloudformation_prefix": "AWS::MediaConvert::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaConvert.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediaconvert", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediaconvert.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediaconvert.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediaconvert.html" + ], + "service_id": "mediaconvert", + "service_page": "./AWS_MediaConvert.html" + }, + "medialive": { + "cloudformation_prefix": "AWS::MediaLive::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaLive.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "medialive", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmedialive.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_medialive.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmedialive.html" + ], + "service_id": "medialive", + "service_page": "./AWS_MediaLive.html" + }, + "mediapackage": { + "cloudformation_prefix": "AWS::MediaPackage::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaPackage.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediapackage", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediapackage.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediapackage.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediapackage.html" + ], + "service_id": "mediapackage", + "service_page": "./AWS_MediaPackage.html" + }, + "mediapackagev2": { + "cloudformation_prefix": "AWS::MediaPackageV2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaPackageV2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediapackagev2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediapackagev2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediapackagev2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediapackagev2.html" + ], + "service_id": "mediapackagev2", + "service_page": "./AWS_MediaPackageV2.html" + }, + "mediastore": { + "cloudformation_prefix": "AWS::MediaStore::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaStore.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediastore", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediastore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediastore.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediastore.html" + ], + "service_id": "mediastore", + "service_page": "./AWS_MediaStore.html" + }, + "mediatailor": { + "cloudformation_prefix": "AWS::MediaTailor::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MediaTailor.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mediatailor", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediatailor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mediatailor.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmediatailor.html" + ], + "service_id": "mediatailor", + "service_page": "./AWS_MediaTailor.html" + }, + "memorydb": { + "cloudformation_prefix": "AWS::MemoryDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MemoryDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "memorydb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmemorydb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_memorydb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmemorydb.html" + ], + "service_id": "memorydb", + "service_page": "./AWS_MemoryDB.html" + }, + "mpa": { + "cloudformation_prefix": "AWS::MPA::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MPA.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mpa", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmpa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mpa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmpa.html" + ], + "service_id": "mpa", + "service_page": "./AWS_MPA.html" + }, + "msk": { + "cloudformation_prefix": "AWS::MSK::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MSK.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "msk", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmsk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_msk.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmsk.html" + ], + "service_id": "msk", + "service_page": "./AWS_MSK.html" + }, + "mwaa": { + "cloudformation_prefix": "AWS::MWAA::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_MWAA.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "mwaa", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmwaa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_mwaa.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmwaa.html" + ], + "service_id": "mwaa", + "service_page": "./AWS_MWAA.html" + }, + "neptune": { + "cloudformation_prefix": "AWS::Neptune::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Neptune.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "neptune", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_neptune.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsneptune.html" + ], + "service_id": "neptune", + "service_page": "./AWS_Neptune.html" + }, + "neptunegraph": { + "cloudformation_prefix": "AWS::NeptuneGraph::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NeptuneGraph.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "neptunegraph", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptunegraph.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_neptunegraph.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsneptunegraph.html" + ], + "service_id": "neptunegraph", + "service_page": "./AWS_NeptuneGraph.html" + }, + "networkfirewall": { + "cloudformation_prefix": "AWS::NetworkFirewall::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NetworkFirewall.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "networkfirewall", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnetworkfirewall.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkfirewall.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html" + ], + "service_id": "networkfirewall", + "service_page": "./AWS_NetworkFirewall.html" + }, + "networkmanager": { + "cloudformation_prefix": "AWS::NetworkManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NetworkManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "networkmanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnetworkmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkmanager.html" + ], + "service_id": "networkmanager", + "service_page": "./AWS_NetworkManager.html" + }, + "notifications": { + "cloudformation_prefix": "AWS::Notifications::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Notifications.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "notifications", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnotifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_notifications.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnotifications.html" + ], + "service_id": "notifications", + "service_page": "./AWS_Notifications.html" + }, + "notificationscontacts": { + "cloudformation_prefix": "AWS::NotificationsContacts::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_NotificationsContacts.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "notificationscontacts", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnotificationscontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_notificationscontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnotificationscontacts.html" + ], + "service_id": "notificationscontacts", + "service_page": "./AWS_NotificationsContacts.html" + }, + "oam": { + "cloudformation_prefix": "AWS::Oam::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Oam.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "oam", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonoam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_oam.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoam.html" + ], + "service_id": "oam", + "service_page": "./AWS_Oam.html" + }, + "observabilityadmin": { + "cloudformation_prefix": "AWS::ObservabilityAdmin::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ObservabilityAdmin.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "observabilityadmin", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonobservabilityadmin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_observabilityadmin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsobservabilityadmin.html" + ], + "service_id": "observabilityadmin", + "service_page": "./AWS_ObservabilityAdmin.html" + }, + "odb": { + "cloudformation_prefix": "AWS::ODB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ODB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "odb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonodb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_odb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsodb.html" + ], + "service_id": "odb", + "service_page": "./AWS_ODB.html" + }, + "omics": { + "cloudformation_prefix": "AWS::Omics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Omics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "omics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonomics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_omics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsomics.html" + ], + "service_id": "omics", + "service_page": "./AWS_Omics.html" + }, + "opensearchserverless": { + "cloudformation_prefix": "AWS::OpenSearchServerless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_OpenSearchServerless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "opensearchserverless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_opensearchserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopensearchserverless.html" + ], + "service_id": "opensearchserverless", + "service_page": "./AWS_OpenSearchServerless.html" + }, + "opensearchservice": { + "cloudformation_prefix": "AWS::OpenSearchService::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_OpenSearchService.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "opensearchservice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_opensearchservice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopensearchservice.html" + ], + "service_id": "opensearchservice", + "service_page": "./AWS_OpenSearchService.html" + }, + "organizations": { + "cloudformation_prefix": "AWS::Organizations::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Organizations.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "organizations", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonorganizations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_organizations.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html" + ], + "service_id": "organizations", + "service_page": "./AWS_Organizations.html" + }, + "osis": { + "cloudformation_prefix": "AWS::OSIS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_OSIS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "osis", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonosis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_osis.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsosis.html" + ], + "service_id": "osis", + "service_page": "./AWS_OSIS.html" + }, + "panorama": { + "cloudformation_prefix": "AWS::Panorama::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Panorama.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "panorama", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpanorama.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_panorama.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html" + ], + "service_id": "panorama", + "service_page": "./AWS_Panorama.html" + }, + "paymentcryptography": { + "cloudformation_prefix": "AWS::PaymentCryptography::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PaymentCryptography.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "paymentcryptography", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpaymentcryptography.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_paymentcryptography.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html" + ], + "service_id": "paymentcryptography", + "service_page": "./AWS_PaymentCryptography.html" + }, + "pcaconnectorad": { + "cloudformation_prefix": "AWS::PCAConnectorAD::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PCAConnectorAD.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pcaconnectorad", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpcaconnectorad.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pcaconnectorad.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspcaconnectorad.html" + ], + "service_id": "pcaconnectorad", + "service_page": "./AWS_PCAConnectorAD.html" + }, + "pcaconnectorscep": { + "cloudformation_prefix": "AWS::PCAConnectorSCEP::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PCAConnectorSCEP.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pcaconnectorscep", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpcaconnectorscep.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pcaconnectorscep.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspcaconnectorscep.html" + ], + "service_id": "pcaconnectorscep", + "service_page": "./AWS_PCAConnectorSCEP.html" + }, + "pcs": { + "cloudformation_prefix": "AWS::PCS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PCS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pcs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpcs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pcs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspcs.html" + ], + "service_id": "pcs", + "service_page": "./AWS_PCS.html" + }, + "personalize": { + "cloudformation_prefix": "AWS::Personalize::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Personalize.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "personalize", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpersonalize.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_personalize.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspersonalize.html" + ], + "service_id": "personalize", + "service_page": "./AWS_Personalize.html" + }, + "pinpoint": { + "cloudformation_prefix": "AWS::Pinpoint::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Pinpoint.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pinpoint", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pinpoint.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspinpoint.html" + ], + "service_id": "pinpoint", + "service_page": "./AWS_Pinpoint.html" + }, + "pinpointemail": { + "cloudformation_prefix": "AWS::PinpointEmail::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_PinpointEmail.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pinpointemail", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointemail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pinpointemail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspinpointemail.html" + ], + "service_id": "pinpointemail", + "service_page": "./AWS_PinpointEmail.html" + }, + "pipes": { + "cloudformation_prefix": "AWS::Pipes::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Pipes.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "pipes", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpipes.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_pipes.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspipes.html" + ], + "service_id": "pipes", + "service_page": "./AWS_Pipes.html" + }, + "proton": { + "cloudformation_prefix": "AWS::Proton::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Proton.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "proton", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonproton.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_proton.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html" + ], + "service_id": "proton", + "service_page": "./AWS_Proton.html" + }, + "q": { + "cloudformation_prefix": "AWS::Q::", + "common_actions": [], + "documentation_urls": [], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "q", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html" + ], + "service_id": "q", + "service_page": null + }, + "qbusiness": { + "cloudformation_prefix": "AWS::QBusiness::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_QBusiness.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "qbusiness", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqbusiness.html" + ], + "service_id": "qbusiness", + "service_page": "./AWS_QBusiness.html" + }, + "qldb": { + "cloudformation_prefix": "AWS::QLDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_QLDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "qldb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_qldb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsqldb.html" + ], + "service_id": "qldb", + "service_page": "./AWS_QLDB.html" + }, + "quicksight": { + "cloudformation_prefix": "AWS::QuickSight::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_QuickSight.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "quicksight", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_quicksight.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsquicksight.html" + ], + "service_id": "quicksight", + "service_page": "./AWS_QuickSight.html" + }, + "ram": { + "cloudformation_prefix": "AWS::RAM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RAM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ram", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonram.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ram.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsram.html" + ], + "service_id": "ram", + "service_page": "./AWS_RAM.html" + }, + "rbin": { + "cloudformation_prefix": "AWS::Rbin::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Rbin.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rbin", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrbin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rbin.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrbin.html" + ], + "service_id": "rbin", + "service_page": "./AWS_Rbin.html" + }, + "rds": { + "cloudformation_prefix": "AWS::RDS::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RDS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rds", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rds.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrds.html" + ], + "service_id": "rds", + "service_page": "./AWS_RDS.html" + }, + "redshift": { + "cloudformation_prefix": "AWS::Redshift::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Redshift.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "redshift", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_redshift.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsredshift.html" + ], + "service_id": "redshift", + "service_page": "./AWS_Redshift.html" + }, + "redshiftserverless": { + "cloudformation_prefix": "AWS::RedshiftServerless::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RedshiftServerless.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "redshiftserverless", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_redshiftserverless.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsredshiftserverless.html" + ], + "service_id": "redshiftserverless", + "service_page": "./AWS_RedshiftServerless.html" + }, + "refactorspaces": { + "cloudformation_prefix": "AWS::RefactorSpaces::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RefactorSpaces.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "refactorspaces", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrefactorspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_refactorspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrefactorspaces.html" + ], + "service_id": "refactorspaces", + "service_page": "./AWS_RefactorSpaces.html" + }, + "rekognition": { + "cloudformation_prefix": "AWS::Rekognition::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Rekognition.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rekognition", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rekognition.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrekognition.html" + ], + "service_id": "rekognition", + "service_page": "./AWS_Rekognition.html" + }, + "resiliencehub": { + "cloudformation_prefix": "AWS::ResilienceHub::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ResilienceHub.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "resiliencehub", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresiliencehub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_resiliencehub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresiliencehub.html" + ], + "service_id": "resiliencehub", + "service_page": "./AWS_ResilienceHub.html" + }, + "resourceexplorer2": { + "cloudformation_prefix": "AWS::ResourceExplorer2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ResourceExplorer2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "resourceexplorer2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourceexplorer2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_resourceexplorer2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer2.html" + ], + "service_id": "resourceexplorer2", + "service_page": "./AWS_ResourceExplorer2.html" + }, + "resourcegroups": { + "cloudformation_prefix": "AWS::ResourceGroups::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ResourceGroups.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "resourcegroups", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegroups.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_resourcegroups.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html" + ], + "service_id": "resourcegroups", + "service_page": "./AWS_ResourceGroups.html" + }, + "rolesanywhere": { + "cloudformation_prefix": "AWS::RolesAnywhere::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RolesAnywhere.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rolesanywhere", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrolesanywhere.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rolesanywhere.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrolesanywhere.html" + ], + "service_id": "rolesanywhere", + "service_page": "./AWS_RolesAnywhere.html" + }, + "route53": { + "cloudformation_prefix": "AWS::Route53::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53.html" + ], + "service_id": "route53", + "service_page": "./AWS_Route53.html" + }, + "route53profiles": { + "cloudformation_prefix": "AWS::Route53Profiles::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53Profiles.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53profiles", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53profiles.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53profiles.html" + ], + "service_id": "route53profiles", + "service_page": "./AWS_Route53Profiles.html" + }, + "route53recoverycontrol": { + "cloudformation_prefix": "AWS::Route53RecoveryControl::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53RecoveryControl.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53recoverycontrol", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoverycontrol.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53recoverycontrol.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53recoverycontrol.html" + ], + "service_id": "route53recoverycontrol", + "service_page": "./AWS_Route53RecoveryControl.html" + }, + "route53recoveryreadiness": { + "cloudformation_prefix": "AWS::Route53RecoveryReadiness::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53RecoveryReadiness.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53recoveryreadiness", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoveryreadiness.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53recoveryreadiness.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53recoveryreadiness.html" + ], + "service_id": "route53recoveryreadiness", + "service_page": "./AWS_Route53RecoveryReadiness.html" + }, + "route53resolver": { + "cloudformation_prefix": "AWS::Route53Resolver::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Route53Resolver.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "route53resolver", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_route53resolver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53resolver.html" + ], + "service_id": "route53resolver", + "service_page": "./AWS_Route53Resolver.html" + }, + "rtbfabric": { + "cloudformation_prefix": "AWS::RTBFabric::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RTBFabric.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rtbfabric", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrtbfabric.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rtbfabric.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrtbfabric.html" + ], + "service_id": "rtbfabric", + "service_page": "./AWS_RTBFabric.html" + }, + "rum": { + "cloudformation_prefix": "AWS::RUM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_RUM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "rum", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrum.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_rum.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrum.html" + ], + "service_id": "rum", + "service_page": "./AWS_RUM.html" + }, + "s3": { + "cloudformation_prefix": "AWS::S3::", + "common_actions": [ + "CreateBucket", + "DeleteBucket", + "GetObject", + "PutObject", + "DeleteObject", + "ListBucket" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3.html" + ], + "service_id": "s3", + "service_page": "./AWS_S3.html" + }, + "s3express": { + "cloudformation_prefix": "AWS::S3Express::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Express.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3express", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3express.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3express.html" + ], + "service_id": "s3express", + "service_page": "./AWS_S3Express.html" + }, + "s3objectlambda": { + "cloudformation_prefix": "AWS::S3ObjectLambda::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3ObjectLambda.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3objectlambda", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3objectlambda.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3objectlambda.html" + ], + "service_id": "s3objectlambda", + "service_page": "./AWS_S3ObjectLambda.html" + }, + "s3outposts": { + "cloudformation_prefix": "AWS::S3Outposts::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Outposts.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3outposts", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3outposts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3outposts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3outposts.html" + ], + "service_id": "s3outposts", + "service_page": "./AWS_S3Outposts.html" + }, + "s3tables": { + "cloudformation_prefix": "AWS::S3Tables::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Tables.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3tables", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3tables.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3tables.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3tables.html" + ], + "service_id": "s3tables", + "service_page": "./AWS_S3Tables.html" + }, + "s3vectors": { + "cloudformation_prefix": "AWS::S3Vectors::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_S3Vectors.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "s3vectors", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3vectors.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_s3vectors.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awss3vectors.html" + ], + "service_id": "s3vectors", + "service_page": "./AWS_S3Vectors.html" + }, + "sagemaker": { + "cloudformation_prefix": "AWS::SageMaker::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SageMaker.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sagemaker", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sagemaker.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssagemaker.html" + ], + "service_id": "sagemaker", + "service_page": "./AWS_SageMaker.html" + }, + "scheduler": { + "cloudformation_prefix": "AWS::Scheduler::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Scheduler.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "scheduler", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonscheduler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_scheduler.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsscheduler.html" + ], + "service_id": "scheduler", + "service_page": "./AWS_Scheduler.html" + }, + "sdb": { + "cloudformation_prefix": "AWS::SDB::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SDB.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sdb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sdb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssdb.html" + ], + "service_id": "sdb", + "service_page": "./AWS_SDB.html" + }, + "secretsmanager": { + "cloudformation_prefix": "AWS::SecretsManager::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SecretsManager.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "secretsmanager", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecretsmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_secretsmanager.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html" + ], + "service_id": "secretsmanager", + "service_page": "./AWS_SecretsManager.html" + }, + "securityhub": { + "cloudformation_prefix": "AWS::SecurityHub::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SecurityHub.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "securityhub", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecurityhub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_securityhub.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html" + ], + "service_id": "securityhub", + "service_page": "./AWS_SecurityHub.html" + }, + "securitylake": { + "cloudformation_prefix": "AWS::SecurityLake::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SecurityLake.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "securitylake", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecuritylake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_securitylake.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritylake.html" + ], + "service_id": "securitylake", + "service_page": "./AWS_SecurityLake.html" + }, + "servicecatalog": { + "cloudformation_prefix": "AWS::ServiceCatalog::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ServiceCatalog.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "servicecatalog", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonservicecatalog.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicecatalog.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html" + ], + "service_id": "servicecatalog", + "service_page": "./AWS_ServiceCatalog.html" + }, + "servicecatalogappregistry": { + "cloudformation_prefix": "AWS::ServiceCatalogAppRegistry::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ServiceCatalogAppRegistry.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "servicecatalogappregistry", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonservicecatalogappregistry.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicecatalogappregistry.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalogappregistry.html" + ], + "service_id": "servicecatalogappregistry", + "service_page": "./AWS_ServiceCatalogAppRegistry.html" + }, + "servicediscovery": { + "cloudformation_prefix": "AWS::ServiceDiscovery::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_ServiceDiscovery.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "servicediscovery", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonservicediscovery.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicediscovery.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicediscovery.html" + ], + "service_id": "servicediscovery", + "service_page": "./AWS_ServiceDiscovery.html" + }, + "ses": { + "cloudformation_prefix": "AWS::SES::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SES.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ses", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ses.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsses.html" + ], + "service_id": "ses", + "service_page": "./AWS_SES.html" + }, + "shield": { + "cloudformation_prefix": "AWS::Shield::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Shield.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "shield", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonshield.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_shield.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html" + ], + "service_id": "shield", + "service_page": "./AWS_Shield.html" + }, + "signer": { + "cloudformation_prefix": "AWS::Signer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Signer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "signer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsigner.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_signer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html" + ], + "service_id": "signer", + "service_page": "./AWS_Signer.html" + }, + "simspaceweaver": { + "cloudformation_prefix": "AWS::SimSpaceWeaver::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SimSpaceWeaver.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "simspaceweaver", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimspaceweaver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_simspaceweaver.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssimspaceweaver.html" + ], + "service_id": "simspaceweaver", + "service_page": "./AWS_SimSpaceWeaver.html" + }, + "smsvoice": { + "cloudformation_prefix": "AWS::SMSVOICE::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SMSVOICE.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "smsvoice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsmsvoice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_smsvoice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssmsvoice.html" + ], + "service_id": "smsvoice", + "service_page": "./AWS_SMSVOICE.html" + }, + "sns": { + "cloudformation_prefix": "AWS::SNS::", + "common_actions": [ + "CreateTopic", + "DeleteTopic", + "Publish", + "Subscribe", + "Unsubscribe" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SNS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sns", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sns.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssns.html" + ], + "service_id": "sns", + "service_page": "./AWS_SNS.html" + }, + "sqs": { + "cloudformation_prefix": "AWS::SQS::", + "common_actions": [ + "CreateQueue", + "DeleteQueue", + "SendMessage", + "ReceiveMessage", + "DeleteMessage" + ], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SQS.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sqs", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sqs.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssqs.html" + ], + "service_id": "sqs", + "service_page": "./AWS_SQS.html" + }, + "ssm": { + "cloudformation_prefix": "AWS::SSM::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSM.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssm", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssm.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssm.html" + ], + "service_id": "ssm", + "service_page": "./AWS_SSM.html" + }, + "ssmcontacts": { + "cloudformation_prefix": "AWS::SSMContacts::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMContacts.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmcontacts", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmcontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmcontacts.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmcontacts.html" + ], + "service_id": "ssmcontacts", + "service_page": "./AWS_SSMContacts.html" + }, + "ssmguiconnect": { + "cloudformation_prefix": "AWS::SSMGuiConnect::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMGuiConnect.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmguiconnect", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmguiconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmguiconnect.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmguiconnect.html" + ], + "service_id": "ssmguiconnect", + "service_page": "./AWS_SSMGuiConnect.html" + }, + "ssmincidents": { + "cloudformation_prefix": "AWS::SSMIncidents::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMIncidents.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmincidents", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmincidents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmincidents.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmincidents.html" + ], + "service_id": "ssmincidents", + "service_page": "./AWS_SSMIncidents.html" + }, + "ssmquicksetup": { + "cloudformation_prefix": "AWS::SSMQuickSetup::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSMQuickSetup.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "ssmquicksetup", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonssmquicksetup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_ssmquicksetup.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssmquicksetup.html" + ], + "service_id": "ssmquicksetup", + "service_page": "./AWS_SSMQuickSetup.html" + }, + "sso": { + "cloudformation_prefix": "AWS::SSO::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SSO.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "sso", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsso.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_sso.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssso.html" + ], + "service_id": "sso", + "service_page": "./AWS_SSO.html" + }, + "stepfunctions": { + "cloudformation_prefix": "AWS::StepFunctions::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_StepFunctions.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "states", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html" + ], + "service_id": "stepfunctions", + "service_page": "./AWS_StepFunctions.html" + }, + "supportapp": { + "cloudformation_prefix": "AWS::SupportApp::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SupportApp.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "supportapp", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsupportapp.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_supportapp.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupportapp.html" + ], + "service_id": "supportapp", + "service_page": "./AWS_SupportApp.html" + }, + "synthetics": { + "cloudformation_prefix": "AWS::Synthetics::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Synthetics.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "synthetics", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsynthetics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_synthetics.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssynthetics.html" + ], + "service_id": "synthetics", + "service_page": "./AWS_Synthetics.html" + }, + "systemsmanagersap": { + "cloudformation_prefix": "AWS::SystemsManagerSAP::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_SystemsManagerSAP.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "systemsmanagersap", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsystemsmanagersap.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_systemsmanagersap.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagersap.html" + ], + "service_id": "systemsmanagersap", + "service_page": "./AWS_SystemsManagerSAP.html" + }, + "timestream": { + "cloudformation_prefix": "AWS::Timestream::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Timestream.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "timestream", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontimestream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_timestream.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstimestream.html" + ], + "service_id": "timestream", + "service_page": "./AWS_Timestream.html" + }, + "transfer": { + "cloudformation_prefix": "AWS::Transfer::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Transfer.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "transfer", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontransfer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_transfer.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransfer.html" + ], + "service_id": "transfer", + "service_page": "./AWS_Transfer.html" + }, + "verifiedpermissions": { + "cloudformation_prefix": "AWS::VerifiedPermissions::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_VerifiedPermissions.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "verifiedpermissions", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonverifiedpermissions.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_verifiedpermissions.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsverifiedpermissions.html" + ], + "service_id": "verifiedpermissions", + "service_page": "./AWS_VerifiedPermissions.html" + }, + "voiceid": { + "cloudformation_prefix": "AWS::VoiceID::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_VoiceID.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "voiceid", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvoiceid.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_voiceid.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsvoiceid.html" + ], + "service_id": "voiceid", + "service_page": "./AWS_VoiceID.html" + }, + "vpclattice": { + "cloudformation_prefix": "AWS::VpcLattice::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_VpcLattice.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "vpclattice", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvpclattice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_vpclattice.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsvpclattice.html" + ], + "service_id": "vpclattice", + "service_page": "./AWS_VpcLattice.html" + }, + "waf": { + "cloudformation_prefix": "AWS::WAF::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WAF.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "waf", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwaf.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_waf.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswaf.html" + ], + "service_id": "waf", + "service_page": "./AWS_WAF.html" + }, + "wafregional": { + "cloudformation_prefix": "AWS::WAFRegional::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WAFRegional.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "wafregional", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwafregional.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_wafregional.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafregional.html" + ], + "service_id": "wafregional", + "service_page": "./AWS_WAFRegional.html" + }, + "wafv2": { + "cloudformation_prefix": "AWS::WAFv2::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WAFv2.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "wafv2", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwafv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_wafv2.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html" + ], + "service_id": "wafv2", + "service_page": "./AWS_WAFv2.html" + }, + "wisdom": { + "cloudformation_prefix": "AWS::Wisdom::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_Wisdom.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "wisdom", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonwisdom.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_wisdom.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswisdom.html" + ], + "service_id": "wisdom", + "service_page": "./AWS_Wisdom.html" + }, + "workspaces": { + "cloudformation_prefix": "AWS::WorkSpaces::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WorkSpaces.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "workspaces", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_workspaces.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspaces.html" + ], + "service_id": "workspaces", + "service_page": "./AWS_WorkSpaces.html" + }, + "workspacesthinclient": { + "cloudformation_prefix": "AWS::WorkSpacesThinClient::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WorkSpacesThinClient.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "workspacesthinclient", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesthinclient.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_workspacesthinclient.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspacesthinclient.html" + ], + "service_id": "workspacesthinclient", + "service_page": "./AWS_WorkSpacesThinClient.html" + }, + "workspacesweb": { + "cloudformation_prefix": "AWS::WorkSpacesWeb::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_WorkSpacesWeb.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "workspacesweb", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesweb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_workspacesweb.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspacesweb.html" + ], + "service_id": "workspacesweb", + "service_page": "./AWS_WorkSpacesWeb.html" + }, + "xray": { + "cloudformation_prefix": "AWS::XRay::", + "common_actions": [], + "documentation_urls": [ + "https://docs.aws.amazon.com/AWS_XRay.html" + ], + "has_cloudformation_resources": false, + "has_iam_actions": true, + "iam_service_name": "xray", + "last_updated": "2025-11-05 18:16:44 UTC", + "resource_types": [], + "service_authorization_url": [ + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonxray.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_xray.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsxray.html" + ], + "service_id": "xray", + "service_page": "./AWS_XRay.html" + } + } +} \ No newline at end of file diff --git a/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/service-mapping/extract_service_mappings.py b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/service-mapping/extract_service_mappings.py new file mode 100644 index 00000000..cca01f14 --- /dev/null +++ b/industry-specific-pocs/financial-services/gensec-automated-cloud-security-controls/scripts/service-mapping/extract_service_mappings.py @@ -0,0 +1,352 @@ +#!/usr/bin/env python3 +""" +Script to extract AWS service mappings from CloudFormation documentation. +This script scrapes the AWS CloudFormation Template Reference page to build +a comprehensive service mapping file. +""" + +import requests +from bs4 import BeautifulSoup +import json +import re +from urllib.parse import urljoin, urlparse +import time +import logging + +# Configure logging +logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') +logger = logging.getLogger(__name__) + +class CloudFormationServiceExtractor: + def __init__(self): + self.base_url = "https://docs.aws.amazon.com" + self.session = requests.Session() + self.session.headers.update({ + 'User-Agent': 'AWS-Service-Mapping-Extractor/1.0' + }) + + def extract_services_from_main_page(self): + """Extract all AWS services and their resource types from the main CloudFormation reference page""" + url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-template-resource-type-ref.html" + + logger.info(f"Fetching main CloudFormation reference page: {url}") + + try: + response = self.session.get(url, timeout=30) + response.raise_for_status() + + soup = BeautifulSoup(response.content, 'html.parser') + + # Use the existing full page extraction method + services = self._extract_services_from_full_page(soup) + + logger.info(f"Total services extracted: {len(services)}") + return services + + except Exception as e: + logger.error(f"Error extracting services: {str(e)}") + return {} + + def _process_resource_links(self, resource_links): + """Process resource links to extract services""" + services = {} + for link in resource_links: + resource_type = self._extract_resource_type_from_url(link['href']) + if resource_type: + service_id = resource_type.split('::')[1].lower() + if service_id not in services: + services[service_id] = [] + services[service_id].append(resource_type) + return services + + def _extract_from_page_content(self, soup): + """Alternative method to extract services from page content""" + return self._extract_services_from_full_page(soup) + + def _extract_service_name(self, text): + """Extract service name from heading text""" + # Remove common prefixes and clean up + text = text.strip() + + # Handle AWS:: prefixed services + if text.startswith('AWS::'): + parts = text.split('::') + if len(parts) >= 2: + return parts[1] + + # Handle other patterns + service_patterns = [ + r'^([A-Z][a-zA-Z0-9]+)\s+resource', + r'^([A-Z][a-zA-Z0-9]+)\s+types', + r'^([A-Z][a-zA-Z0-9]+)$' + ] + + for pattern in service_patterns: + match = re.match(pattern, text, re.IGNORECASE) + if match: + return match.group(1).lower() + + return None + + def _extract_resource_types_for_service(self, section): + """Extract resource types following a service section""" + resource_types = [] + + # Look for lists or tables following this section + current = section.find_next_sibling() + + while current and current.name not in ['h1', 'h2', 'h3']: + if current.name in ['ul', 'ol']: + # Extract from list + for li in current.find_all('li'): + link = li.find('a') + if link: + href = link.get('href', '') + resource_type = self._extract_resource_type_from_url(href) + if resource_type: + resource_types.append(resource_type) + + elif current.name == 'table': + # Extract from table + for row in current.find_all('tr'): + for cell in row.find_all(['td', 'th']): + link = cell.find('a') + if link: + href = link.get('href', '') + resource_type = self._extract_resource_type_from_url(href) + if resource_type: + resource_types.append(resource_type) + + current = current.find_next_sibling() + + return list(set(resource_types)) # Remove duplicates + + def _extract_resource_type_from_url(self, url): + """Extract resource type from CloudFormation documentation URL""" + # Pattern: aws-resource-service-resourcetype.html + pattern = r'aws-resource-([a-z0-9]+)-([a-z0-9]+)\.html' + match = re.search(pattern, url.lower()) + + if match: + service = match.group(1) + resource = match.group(2) + return f"{service}-{resource}" + + return None + + def _extract_services_from_full_page(self, soup): + """Extract services by parsing service-level links""" + services = {} + + # Find all links that could be CloudFormation service documentation + all_links = soup.find_all('a', href=True) + logger.info(f"Found {len(all_links)} total links on page") + + for link in all_links: + href = link.get('href', '') + text = link.get_text().strip() + + # Look for service-level pages like ./AWS_ServiceName.html + if href.startswith('./AWS_') and href.endswith('.html'): + # Extract service name from filename + service_file = href.replace('./', '').replace('.html', '') + if service_file.startswith('AWS_'): + service_name = service_file[4:].lower() # Remove 'AWS_' prefix + + logger.info(f"Found service: {service_name} from {href}") + + services[service_name] = { + 'service_id': service_name, + 'resource_types': [], + 'cloudformation_prefix': f"AWS::{service_file[4:]}::", + 'documentation_urls': [urljoin(self.base_url, href)], + 'service_page': href + } + + # Add services that don't have CloudFormation resources but have IAM actions + services_without_cf = { + 'q': { + 'service_id': 'q', + 'resource_types': [], + 'cloudformation_prefix': 'AWS::Q::', + 'documentation_urls': [], + 'service_page': None, + 'has_iam_actions': True, + 'has_cloudformation_resources': False + }, + 'amazonq': { + 'service_id': 'amazonq', + 'resource_types': [], + 'cloudformation_prefix': 'AWS::Q::', + 'documentation_urls': [], + 'service_page': None, + 'has_iam_actions': True, + 'has_cloudformation_resources': False + }, + 'qbusiness': { + 'service_id': 'qbusiness', + 'resource_types': ['qbusiness-application', 'qbusiness-dataaccessor', 'qbusiness-datasource', 'qbusiness-index', 'qbusiness-permission', 'qbusiness-plugin', 'qbusiness-retriever', 'qbusiness-webexperience'], + 'cloudformation_prefix': 'AWS::QBusiness::', + 'documentation_urls': [], + 'service_page': None, + 'has_iam_actions': True, + 'has_cloudformation_resources': True + } + } + + # Add services without CloudFormation resources + for service_id, service_data in services_without_cf.items(): + if service_id not in services: + services[service_id] = service_data + logger.info(f"Added service without CloudFormation resources: {service_id}") + + logger.info(f"Extracted {len(services)} services from page content") + return services + + def _get_documentation_urls(self, resource_types): + """Generate documentation URLs for resource types""" + urls = [] + for resource_type in resource_types: + url = f"{self.base_url}/AWSCloudFormation/latest/UserGuide/aws-resource-{resource_type}.html" + urls.append(url) + return urls + + def enhance_service_mappings(self, services): + """Enhance service mappings with additional metadata""" + enhanced_services = {} + + for service_id, service_data in services.items(): + enhanced_services[service_id] = { + **service_data, + 'iam_service_name': self._get_iam_service_name(service_id), + 'service_authorization_url': self._get_service_authorization_url(service_id), + 'common_actions': self._get_common_actions(service_id), + 'has_iam_actions': service_data.get('has_iam_actions', True), + 'has_cloudformation_resources': service_data.get('has_cloudformation_resources', len(service_data.get('resource_types', [])) > 0), + 'last_updated': time.strftime('%Y-%m-%d %H:%M:%S UTC', time.gmtime()) + } + + return enhanced_services + + def _get_iam_service_name(self, service_id): + """Map CloudFormation service ID to IAM service name""" + # Common mappings where CloudFormation and IAM service names differ + iam_mappings = { + 'apigateway': 'apigateway', + 'apigatewayv2': 'apigateway', + 'applicationautoscaling': 'application-autoscaling', + 'autoscaling': 'autoscaling', + 'cloudformation': 'cloudformation', + 'cloudfront': 'cloudfront', + 'cloudtrail': 'cloudtrail', + 'cloudwatch': 'cloudwatch', + 'dynamodb': 'dynamodb', + 'ec2': 'ec2', + 'ecs': 'ecs', + 'eks': 'eks', + 'elasticloadbalancing': 'elasticloadbalancing', + 'elasticloadbalancingv2': 'elasticloadbalancing', + 'iam': 'iam', + 'lambda': 'lambda', + 'logs': 'logs', + 'rds': 'rds', + 's3': 's3', + 'sns': 'sns', + 'sqs': 'sqs', + 'stepfunctions': 'states' + } + + return iam_mappings.get(service_id, service_id) + + def _get_service_authorization_url(self, service_id): + """Generate service authorization documentation URL""" + iam_service = self._get_iam_service_name(service_id) + + # Handle special cases with explicit URLs + special_cases = { + 'amazonq': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html"], + 'q': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html"], + 'qbusiness': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqbusiness.html"], + 'accessanalyzer': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html"], + 'acm': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html"], + 'apigateway': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html"], + 'autoscaling': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html"], + 'elasticloadbalancing': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html"], + 'elasticloadbalancingv2': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html"], + 'stepfunctions': ["https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html"] + } + + if service_id in special_cases: + return special_cases[service_id] + + # Standard patterns + patterns = [ + f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazon{iam_service}.html", + f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_{iam_service}.html", + f"https://docs.aws.amazon.com/service-authorization/latest/reference/list_aws{iam_service}.html" + ] + + return patterns + + def _get_common_actions(self, service_id): + """Get common actions for a service""" + common_actions = { + 'dynamodb': ['CreateTable', 'DeleteTable', 'DescribeTable', 'PutItem', 'GetItem', 'UpdateItem', 'DeleteItem'], + 'lambda': ['CreateFunction', 'DeleteFunction', 'InvokeFunction', 'UpdateFunctionCode', 'GetFunction'], + 's3': ['CreateBucket', 'DeleteBucket', 'GetObject', 'PutObject', 'DeleteObject', 'ListBucket'], + 'ec2': ['RunInstances', 'TerminateInstances', 'DescribeInstances', 'CreateVpc', 'DeleteVpc'], + 'iam': ['CreateRole', 'DeleteRole', 'AttachRolePolicy', 'DetachRolePolicy', 'CreatePolicy'], + 'sns': ['CreateTopic', 'DeleteTopic', 'Publish', 'Subscribe', 'Unsubscribe'], + 'sqs': ['CreateQueue', 'DeleteQueue', 'SendMessage', 'ReceiveMessage', 'DeleteMessage'] + } + + return common_actions.get(service_id, []) + +def main(): + """Main function to extract and save service mappings""" + extractor = CloudFormationServiceExtractor() + + logger.info("Starting AWS service mapping extraction...") + + # Extract services from CloudFormation documentation + services = extractor.extract_services_from_main_page() + + if not services: + logger.error("No services extracted. Exiting.") + return + + # Enhance with additional metadata + enhanced_services = extractor.enhance_service_mappings(services) + + # Create output structure matching config-example format + output_structure = { + "metadata": { + "version": "1.0.0", + "description": "AWS Service mappings for CloudFormation resource types and IAM service authorization", + "last_updated": time.strftime('%Y-%m-%d %H:%M:%S UTC', time.gmtime()), + "total_services": len(enhanced_services), + "usage": "This file maps AWS service IDs to their CloudFormation resource types and IAM service names for documentation collection" + }, + "services": enhanced_services + } + + # Save to file + output_file = '/Users/roficas/aws-infrastructure-reverse-engineering/scripts/aws_service_mappings.json' + + with open(output_file, 'w') as f: + json.dump(output_structure, f, indent=2, sort_keys=True) + + logger.info(f"Service mappings saved to: {output_file}") + logger.info(f"Total services: {len(enhanced_services)}") + + # Print summary + print("\n=== EXTRACTION SUMMARY ===") + print(f"Total services extracted: {len(enhanced_services)}") + print("\nServices found:") + for service_id, data in sorted(enhanced_services.items()): + print(f" {service_id}: {len(data['resource_types'])} resource types") + + print(f"\nOutput saved to: {output_file}") + +if __name__ == "__main__": + main()