Rules List
| Revision | Date | Description |
|---|---|---|
| | 24.07.2024 | Init Changelog |
AWS Managed Rules
AWS Managed Rules are rules used in AWS Config that are created and managed by AWS.
The list of AWS Managed Rules is available at: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
In the Tameshi AWS Config solution, the classes responsible for registering AWS Managed Rules have the same class name as the rule Identifier.
Example:
Below we can see that the Identifier of the rule is ACCESS_KEYS_ROTATED, so the name of the registered rule is also ACCESS_KEYS_ROTATED.


Custom Tameshi rules
In the Tameshi AWS Config solution, the classes responsible for registering custom rules have the same class name as the "Name" parameter of the rule.
Name: SearchForUntrustedVpcEndpointPolicyPrincipals
Description: "Find untrusted principals in VPC endpoint service policies."
Trigger type: Periodic
Parameters:
TrustedPrincipalsInVpce (Type: String): A comma-separated list of principal definitions in the format type:arn. Valid types: Service, OrganizationUnit, Account, User, Role. Example value: 'Account:111122223333, User:arn:aws:iam::123412341234:root'.
Name: FindUntrustedConnectionsInVpcEndpoints
Description: "Find connections to untrusted accounts in VPC endpoint services."
Trigger type: Periodic
Parameters:
TrustedAccountsInVpceConnections (Type: String): A comma-separated list of account IDs to which VPC endpoint service connections are trusted. Example value: '111122223333, 123412341234'.
Name: EksAuditLoggingEnabledRule
Description: "Checks if EKS clusters have audit logging enabled."
Trigger type: Periodic
Parameters: None
Name: NoOldEc2Instances
Description: "Checks if all EC2 instances are younger than the specified value."
Trigger type: Periodic
Parameters:
Age (Type: Int): Age in days.
Name: AccessAnalyzerNoFindings
Description: "Checks if all access analyzers are working and if all findings are archived or resolved."
Trigger type: Periodic
Parameters: None
Name: ACMCertificateTransparencyLogging
Description: "Checks if ACM certificates have certificate transparency logging enabled."
Trigger type: Periodic
Parameters: None
Name: AllElasticLoadBalancersAreNotInternetFacing
Description: "Checks if Elastic Load Balancers don't have an internet-facing scheme."
Trigger type: Periodic
Parameters: None
Name: AmisArePrivate
Description: "Checks if all Amazon Machine Images are not publicly accessible."
Trigger type: Periodic
Parameters: None
Name: CheckTrustedAdvisor
Description: "Checks Trusted Advisor checks for errors and warnings."
Trigger type: Periodic
Parameters: None
Name: CloudtrailLogsBucketIsPrivate
Description: "Checks if the S3 bucket that stores CloudTrail logs is not publicly accessible."
Trigger type: Periodic
Parameters: None
Name: Ec2SnapshotsAreEncrypted
Description: "Checks if all EC2 snapshots owned by this account are encrypted."
Trigger type: Periodic
Parameters: None
Name: EcrReposArePrivate
Description: "Checks that no ECR repository allows access from the principal "*"."
Trigger type: Periodic
Parameters: None
Name: EcrScanFoundVulnerabilities
Description: "Checks if all ECR images passed the vulnerability scan."
Trigger type: Periodic
Parameters: None
Name: IAMUserActiveKeys
Description: "Checks if there are no IAM users with two or more active access keys."
Trigger type: Periodic
Parameters: None
Name: LambdasInvokeAPICloudtrail
Description: "Checks if Lambda API invocations are recorded by CloudTrail."
Trigger type: Periodic
Parameters: None
Name: PublicHostedZonesLogging
Description: "Checks if Route53 public hosted zones are logging to CloudWatch."
Trigger type: Periodic
Parameters: None
Name: SecurityGroupNoEmptyIngress
Description: "Checks if all security groups have ingress filtering."
Trigger type: Periodic
Parameters: None
Name: SgHasNoPublicIngress
Description: "Checks if security groups don't allow ingress from non-private IP address ranges (both IPv4 and IPv6)."
Trigger type: Periodic
Parameters: None
Name: SNSAccessNotPublic
Description: "Checks if SNS topic policies are not public."
Trigger type: Periodic
Parameters: None
Name: SQSAccessNotPublic
Description: "Checks if SQS queue policies are not public."
Trigger type: Periodic
Parameters: None
Name: SqsEncryptedAtRest
Description: "Checks if SQS queues are encrypted at rest."
Trigger type: Periodic
Parameters: None
Name: SsmSessionDocumentsHaveLogging
Description: "Checks if SSM session documents have either S3 or CloudWatch logging enabled."
Trigger type: Periodic
Parameters: None
Name: Ec2RootVolume
Description: "Checks if the EC2 instance root volume is of the proper type and size, based on the specified parameters. The StorageTypeWindows parameter refers to EC2 Windows instances and the StorageTypeOthers parameter refers to all other instance types (e.g. Linux). The StorageSizeWindows parameter refers to the expected root volume size for EC2 Windows instances and the StorageSizeOthers parameter refers to the root volume size for all other instance types (e.g. Linux). All parameters are required."
Trigger type: Periodic
Parameters:
StorageTypeWindows (Type: string)
StorageSizeWindows (Type: int)
StorageTypeOthers (Type: string)
StorageSizeOthers (Type: int)
Name: RdsClusterStorageEncrypted
Description: "Checks if RDS cluster storage has encryption enabled."
Trigger type: Configuration changes
Parameters: None
Name: ElasticacheRedisEncryptedAtRest
Description: "Checks if ElastiCache Redis storage is encrypted at rest."
Trigger type: Periodic
Parameters: None
Name: ElasticacheRedisTransitEncryption
Description: "Checks if ElastiCache clusters with the Redis engine are encrypted in transit."
Trigger type: Periodic
Parameters: None
Name: CheckSNSEmailSubscribers
Description: "Checks if SNS Topic subscribers are from specified domain."
Trigger type: Configuration changes
Parameters:
domain_regex (Type: string)
Tag Enforcing Rules
All the rules below, responsible for checking tags, accept the same parameters:
Tags
Type: object
List of dicts consisting of the keys "Key" and "Value"/"ValueRegex". "Value" represents a static value for the given key, and "ValueRegex" checks whether the tag value matches the given regex. Defining "Value" with an empty string ("Value": "") means that any non-empty value is correct. Defining only "Key" without "Value" or "ValueRegex" means that any value is correct for the given tag (key), including an empty value.
Exceptions (Optional)
Type: List
List of ARNs or IDs representing resources that will be excluded from rule evaluation.
ExceptionsTags (Optional)
Type: object
List of dicts consisting of the keys "Key" and "Value"/"ValueRegex". "Value" represents a static value for the given key, and "ValueRegex" checks whether the tag value matches the given regex. If any tag on a resource matches any "Key"-"Value" pair passed in ExceptionsTags, then that resource is excluded from rule evaluation.
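The matching semantics of Tags, Exceptions and ExceptionsTags described above, worked through in Python for a single resource. This is an added illustration, not the project's own code; the sample parameters and tag values are constructed, the compliance strings follow AWS Config's naming, and treating a ValueRegex as a full match of the tag value and an excluded resource as NOT_APPLICABLE are assumptions.

```python
import re
from typing import Optional

# Constructed rule parameters in the documented shape (sample data only).
PARAMETERS = {
    "Tags": [
        {"Key": "Owner", "Value": ""},                         # any non-empty value
        {"Key": "Environment", "ValueRegex": r"(dev|test|prod)"},
        {"Key": "CostCenter", "Value": "CC-1234"},             # exact static value
        {"Key": "Notes"},                                      # key present, any value
    ],
    "Exceptions": ["vpc-0abc0000example1"],                    # excluded by ID/ARN
    "ExceptionsTags": [{"Key": "Managed", "Value": "legacy"}], # excluded by tag
}


def tag_matches(spec: dict, value: Optional[str]) -> bool:
    """Does one tag value satisfy one entry of a Tags/ExceptionsTags list?
    value is None when the key is absent from the resource."""
    if value is None:
        return False  # a required key that is missing never matches
    if "ValueRegex" in spec:
        # Assumption: the regex must match the whole tag value.
        return re.fullmatch(spec["ValueRegex"], value) is not None
    if "Value" in spec:
        if spec["Value"] == "":
            return value != ""  # empty "Value" means any non-empty value
        return value == spec["Value"]
    return True  # only "Key" given: any value is fine, including empty


def is_excluded(resource_id: str, arn: str, tags: dict, params: dict) -> bool:
    """Exceptions (by ARN or ID) and ExceptionsTags remove a resource from evaluation."""
    exceptions = params.get("Exceptions", [])
    if resource_id in exceptions or arn in exceptions:
        return True
    return any(tag_matches(spec, tags.get(spec["Key"]))
               for spec in params.get("ExceptionsTags", []))


def evaluate(resource_id: str, arn: str, tags: dict, params: dict = PARAMETERS) -> str:
    """Return the compliance type for one resource under the given parameters."""
    if is_excluded(resource_id, arn, tags, params):
        return "NOT_APPLICABLE"  # assumption: excluded resources are not evaluated
    failed = [spec["Key"] for spec in params["Tags"]
              if not tag_matches(spec, tags.get(spec["Key"]))]
    return "COMPLIANT" if not failed else "NON_COMPLIANT"
```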
Tag Rules list
Name: CustomerGatewayRequiredTags
Description: "Checks if EC2 Customer Gateway resources have all required tags set properly."
Trigger type: Configuration changes
Name: InternetGatewayRequiredTags
Description: "Checks if EC2 Internet Gateway resources have all required tags set properly."
Trigger type: Configuration changes
Name: RouteTableRequiredTags
Description: "Checks if EC2 Route Table resources have all required tags set properly."
Trigger type: Configuration changes
Name: SubnetRequiredTags
Description: "Checks if EC2 Subnet resources have all required tags set properly."
Trigger type: Configuration changes
Name: VPCRequiredTags
Description: "Checks if EC2 VPC resources have all required tags set properly."
Trigger type: Configuration changes
Name: VPNConnectionRequiredTags
Description: "Checks if EC2 VPNConnection resources have all required tags set properly."
Trigger type: Configuration changes
Name: VPNGatewayRequiredTags
Description: "Checks if EC2 VPNGateway resources have all required tags set properly."
Trigger type: Configuration changes
Name: EC2InstanceRequiredTags
Description: "Checks if EC2 Instance have all required tags set properly."
Trigger type: Configuration changes
Name: EBSVolumeRequiredTags
Description: "Checks if EBS Volume resources have all required tags set properly."
Trigger type: Configuration changes
Name: SecurityGroupRequiredTags
Description: "Checks if EC2 SecurityGroup resources have all required tags set properly."
Trigger type: Configuration changes
Name: NatGatewayRequiredTags
Description: "Checks if EC2 NatGateway resources have all required tags set properly."
Trigger type: Configuration changes
Name: FlowLogRequiredTags
Description: "Checks if EC2 FlowLog resources have all required tags set properly."
Trigger type: Configuration changes
Name: TransitGatewayRequiredTags
Description: "Checks if EC2 TransitGateway resources have all required tags set properly."
Trigger type: Configuration changes
Name: VPCEndpointRequiredTags
Description: "Checks if EC2 VPCEndpoint resources have all required tags set properly."
Trigger type: Configuration changes
Name: VPCEndpointServiceRequiredTags
Description: "Checks if EC2 VPCEndpointService resources have all required tags set properly."
Trigger type: Configuration changes
Name: VPCPeeringConnectionRequiredTags
Description: "Checks if EC2 VPCPeeringConnection resources have all required tags set properly."
Trigger type: Configuration changes
Name: RDSDBInstanceRequiredTags
Description: "Checks if RDS DBSnapshot resources have all required tags set properly."
Trigger type: Configuration changes
Name: RDSDBClusterRequiredTags
Description: "Checks if RDS DBCluster resources have all required tags set properly."
Trigger type: Configuration changes
Name: RDSDBClusterSnapshotRequiredTags
Description: "Checks if RDS DBClusterSnapshot resources have all required tags set properly."
Trigger type: Configuration changes
Name: ElasticsearchDomainRequiredTags
Description: "Checks if Elasticsearch Domain resources have all required tags set properly."
Trigger type: Configuration changes
Name: EKSClusterRequiredTags
Description: "Checks if EKS Cluster resources have all required tags set properly."
Trigger type: Configuration changes
Name: ECSClusterRequiredTags
Description: "Checks if ECS Cluster resources have all required tags set properly."
Trigger type: Configuration changes
Name: LambdaFunctionRequiredTags
Description: "Checks if Lambda Function resources have all required tags set properly."
Trigger type: Configuration changes
Name: S3BucketRequiredTags
Description: "Checks if S3 Bucket resources have all required tags set properly."
Trigger type: Configuration changes
Name: DynamoDBTableRequiredTags
Description: "Checks if DynamoDB Table resources have all required tags set properly."
Trigger type: Configuration changes
Name: AutoScalingGroupRequiredTags
Description: "Checks if AutoScalingGroup resources have all required tags set properly."
Trigger type: Configuration changes
Name: ElasticLoadBalancerV2RequiredTags
Description: "Checks if Application/Network Load Balancer resources have all required tags set properly."
Trigger type: Configuration changes
Name: ClassicLoadBalancerRequiredTags
Description: "Checks if Classic Load Balancer resources have all required tags set properly."
Trigger type: Configuration changes
Name: IamGroupRequiredTags
Description: "Checks if IAM Groups have all required tags set properly."
Trigger type: Configuration changes
Name: IamRoleRequiredTags
Description: "Checks if IAM Roles have all required tags set properly."
Trigger type: Configuration changes
Name: IamPolicyRequiredTags
Description: "Checks if IAM Policies have all required tags set properly."
Trigger type: Configuration changes
Name: ECSTaskDefinitionRequiredTags
Description: "Checks if ECS TaskDefinition resources have all required tags set properly."
Trigger type: Configuration changes
Name: ECSServiceRequiredTags
Description: "Checks if ECS Service resources have all required tags set properly."
Trigger type: Configuration changes