24 June 2021 - Rule Update Notice

Rule Update

Custom Policy Updates

The custom policy has been updated to version 1.31 as a result of the new deployment. You’ll need to update your custom policy to the latest version.

The following permissions have been removed as they are no longer recognised in AWS:

  1. config:GetResources
  2. config:GetTagKeys

New Rules

  1. VPC-016: VPC Endpoints In Use

    Ensure that Amazon Virtual Private Cloud (VPC) endpoints are being used to allow you to securely connect your VPC to other AWS services and VPC endpoint services without the need for an Internet Gateway (IGW), NAT device, VPN connection or an AWS Direct Connect connection.

  2. IAM-069: Check for Overly Permissive IAM Group Policies

    Ensure that both managed and inline policies attached to your Amazon Identity and Access Management (IAM) groups are not too permissive.

  3. AG-009: Check if API Gateway has encryption enabled

    Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses in order to protect data while in transit (as it travels to and from Amazon API Gateway).

  4. AG-010: Check if API Gateway has response caching enabled

    Ensure that response caching is enabled for your Amazon API Gateway REST APIs in order to enhance API responsiveness and decrease latency.
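The IAM-069 description above says what the rule looks for but not how such a check is made. The following is an added example, not code from this notice or from the product's own rule engine: an offline heuristic, written by the editor, that scans policy documents already retrieved for an IAM group (for instance with GetGroupPolicy or GetPolicyVersion) and flags Allow statements that combine a wildcard action with `"Resource": "*"`. The function names and the sample policies are our own and are constructed for the example; the real rule's exact criteria are not stated on the page.

```python
"""
Added example (not part of the original rule-update notice): an offline
checker in the spirit of IAM-069, "Check for Overly Permissive IAM Group
Policies". It inspects IAM policy documents that have already been retrieved
and flags Allow statements granting wildcard actions on wildcard resources.
Function names and sample policies are constructed for this example.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    # "*" grants every action; "iam:*", "s3:*" grant every action in one service.
    return action == "*" or action.endswith(":*")


def find_overly_permissive_statements(policy_document):
    """
    Return a list of (statement_id, reason) for Allow statements that are
    overly permissive: a wildcard action on Resource "*", or a NotAction
    ("everything except ...") on Resource "*".
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; they are never "too permissive"
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # resource-scoped statements are outside this heuristic
        if "NotAction" in stmt:
            findings.append((sid, 'NotAction with Resource "*" allows nearly every action'))
            continue
        wild = [a for a in _as_list(stmt.get("Action")) if _is_wildcard_action(a)]
        if wild:
            findings.append((sid, f'wildcard action(s) {wild} on Resource "*"'))
    return findings


def check_group_policies(group_policies):
    """
    group_policies: mapping of policy name -> policy document (dict or JSON
    string), i.e. the inline and managed policies attached to one IAM group.
    Returns ("FAILURE", details) if any policy is overly permissive,
    otherwise ("SUCCESS", {}).
    """
    details = {}
    for name, doc in group_policies.items():
        found = find_overly_permissive_statements(doc)
        if found:
            details[name] = found
    return ("FAILURE" if details else "SUCCESS"), details


# Constructed sample policies for a fictitious IAM group.
SAMPLE_GROUP_POLICIES = {
    "AdminEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ScopedS3Read": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"]}],
    },
    "ExplicitDeny": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
    },
}

if __name__ == "__main__":
    status, details = check_group_policies(SAMPLE_GROUP_POLICIES)
    print(status)
    for name, findings in details.items():
        for sid, reason in findings:
            print(f"  {name} / {sid}: {reason}")
```

Only the "AdminEverything" policy is reported; the resource-scoped S3 policy and the explicit Deny pass, which is the distinction a practitioner wants a rule like this to make before treating a finding as actionable.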

Rule Updates

  1. Backup-002: Configure AWS Backup Vault Access Policy
    Fixed a bug where this rule generated false positives with an access policy preventing the deletion of AWS backups. The access policy containing `"Principal" : { "AWS" : "*" }` now returns a “success” check.
  2. KMS-006: KMS Cross Account Access
    Fixed a bug where the rule generated failed checks with cross-account access specified in the policy using wildcards.
  3. ES-006: Elasticsearch Accessible Only From Safelisted IP Addresses
    Updated the rule setting so that it stays in 'Requires configuration' state by default.
  4. Updated the following rules to no longer generate failure checks in the absence of RDS instances in a region:
    • RDS-027: Instance Level Events Subscriptions
    • RDS-028: Security Groups Events Subscriptions
  5. Fixed the following GuardDuty, Glue, EKS, and Backup rules to no longer generate false positives in the Osaka region:
    • GD-001: GuardDuty Enabled
    • GD-002: GuardDuty Findings
    • Glue-001: Glue Data Catalog Encryption At Rest
    • Glue-002: Glue Data Catalog Encrypted With KMS Customer Master Keys
    • Glue-003: S3 Encryption Mode
    • Glue-004: CloudWatch Logs Encryption Mode
    • Glue-005: Job Bookmark Encryption Mode
    • EKS-001: EKS Cluster Endpoint Public Access
    • EKS-002: Kubernetes Cluster Version
    • EKS-003: Kubernetes Cluster Logging
    • EKS-004: EKS Security Groups
    • Backup-001: Snapshot Backup Service
    • Backup-002: Configure AWS Backup Vault Access Policy
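The Backup-002 fix above turns on a distinction that is easy to get wrong when linting resource policies: `"Principal": {"AWS": "*"}` is a public-access problem in an Allow statement, but in a Deny statement that blocks deletion of recovery points it is exactly the protective pattern the rule should accept. The following is an added example from the editor, not code from this notice or from the product's rule engine, showing an offline evaluator that makes that distinction. The sample vault policies are constructed, the function names are our own, and the set of "deletion" actions checked is an assumption for the example rather than the rule's published criteria.

```python
"""
Added example (not part of the original rule-update notice): an offline
evaluator for an AWS Backup vault access policy, illustrating the Backup-002
fix. A wildcard principal in a Deny statement that blocks deletion is
treated as protective; a wildcard principal in an unconditioned Allow is
treated as public access. Sample policies and the DELETE_ACTIONS set are
constructed for this example.
"""
import json

# Assumption for the example: these are the actions a protective Deny must cover.
DELETE_ACTIONS = {"backup:DeleteRecoveryPoint", "backup:DeleteBackupVault"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" and for "Principal": {"AWS": "*"} (any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _actions_cover(actions, wanted):
    """Does the Action field cover every action in `wanted` ("*" and "backup:*" count)?"""
    acts = set(_as_list(actions))
    if "*" in acts or "backup:*" in acts:
        return True
    return wanted <= acts


def evaluate_vault_policy(policy_document):
    """
    Returns (status, reasons).
      "FAILURE": an Allow statement grants a wildcard principal access with no
                 Condition (public access), or nothing prevents deletion.
      "SUCCESS": a Deny statement (any principal, including "*") blocks the
                 delete actions and no unconditioned wildcard Allow exists.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    reasons = []
    deletion_blocked = False
    public_allow = False
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        wildcard = _principal_is_wildcard(stmt.get("Principal"))
        effect = stmt.get("Effect")
        if effect == "Allow" and wildcard and not stmt.get("Condition"):
            public_allow = True
            reasons.append(f"{sid}: Allow with wildcard Principal and no Condition (public access)")
        elif effect == "Deny" and _actions_cover(stmt.get("Action"), DELETE_ACTIONS):
            deletion_blocked = True
            who = "any principal" if wildcard else "the listed principals"
            reasons.append(f"{sid}: Deny blocks recovery-point deletion for {who}")
    if public_allow:
        return "FAILURE", reasons
    if not deletion_blocked:
        reasons.append("no Deny statement prevents deletion of recovery points")
        return "FAILURE", reasons
    return "SUCCESS", reasons


# Constructed sample: the pattern the old rule version flagged as a false positive.
PROTECTIVE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDelete",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": ["backup:DeleteRecoveryPoint", "backup:DeleteBackupVault"],
        "Resource": "*",
    }],
}

# Constructed sample: the same wildcard principal, but in an Allow (genuinely public).
PUBLIC_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpenToAll", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "backup:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, doc in (("protective", PROTECTIVE_DENY_POLICY), ("public", PUBLIC_ALLOW_POLICY)):
        status, reasons = evaluate_vault_policy(doc)
        print(name, status, reasons)
```

The two sample policies differ only in the Effect of the statement carrying the wildcard principal, which is why a check keyed on the principal alone produces the false positive the notice describes; keying on Effect and Action as well gives the corrected behaviour.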