Merge pull request #47 from mdr-engineering/feature/ftd_MSOCI-1314_ConfigRules

Adds CIS Conformance Pack Config Rules

base/account_standards/CIS_conformance_pack.tf

@@ -0,0 +1,16 @@
+# Installs the CIS Conformance Pack via cloudformation
+#
+# CFT Source: https://docs.aws.amazon.com/config/latest/developerguide/cis-conformance-pack.html
+#
+# This is easier in commercial, but can't do the pack method in govcloud, so we're just applying
+# the CFT itself.
+resource "aws_cloudformation_stack" "CIS-Conformance-Pack" {
+  name = "CIS-Conformance-Pack"
+
+  parameters = {
+  }
+
+  template_body = file("files/CIS_conformance_pack.cft")
+
+  tags = merge(var.standard_tags, var.tags)
+}

base/account_standards/config.tf

@@ -12,6 +12,7 @@ output authorizations {
 ########### IAM Role for AWS Config
 data "aws_iam_policy_document" "awsconfig" {
   statement {
+    sid = "PutConfigS3BucketObjects"
     effect  = "Allow"
     actions = ["s3:PutObject"]
     resources = [
@@ -24,6 +25,7 @@ data "aws_iam_policy_document" "awsconfig" {
     }
   }
   statement {
+    sid = "GetConfigS3BucketACL"
     effect  = "Allow"
     actions = ["s3:GetBucketAcl"]
     resources = [
@@ -32,10 +34,20 @@ data "aws_iam_policy_document" "awsconfig" {
   }
 
   statement {
+    sid = "PublishAlertsToSNS"
     effect = "Allow"
     actions = [ "sns:Publish" ]
     resources = [ "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:account-alerts" ]
   }
+
+  statement {
+    sid = "PermissionsForRuleChecks"
+    effect = "Allow"
+    actions = [
+      "kms:DescribeKey"
+    ]
+    resources = [ "*" ]
+  }
 }
 
 resource "aws_iam_policy" "awsconfig" {

base/account_standards/files/CIS_conformance_pack.cft

@@ -0,0 +1,287 @@
+################################################################################
+#
+#   Conformance Pack:
+#     Operational Best Practices for CIS
+#
+#   This conformance pack helps verify compliance with CIS requirements. Note that
+#   this will not cover all CIS requirements but only those that can be covered
+#   using AWS Config Rules.
+#
+# XDR Notes:
+#
+#   Source: https://docs.aws.amazon.com/config/latest/developerguide/cis-conformance-pack.html
+#
+#   Changelog:
+#      * 2020-08-26 FTD Added these notes
+#      * 2020-08-27 FTD Removed ROOT_ACCOUNT_HARDWARE_MFA_ENABLED and ROOT_ACCOUNT_MFA_ENABLED
+#
+#   Recommend you do a 'diff' with the .dist to see all changes
+#
+################################################################################
+       
+Resources:
+  MFAEnabledForIamConsoleAccess:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: MFAEnabledForIamConsoleAccess
+      Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled
+        for all AWS Identity and Access Management (IAM) users that use a console
+        password. The rule is compliant if MFA is enabled.
+      Source:
+        Owner: AWS
+        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMUserUnusedCredentialCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMUserUnusedCredentialCheck
+      Description: Checks whether your AWS Identity and Access Management (IAM) users
+        have passwords or active access keys that have not been used within the specified
+        number of days you provided.
+      InputParameters:
+        maxCredentialUsageAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
+      MaximumExecutionFrequency: Twelve_Hours
+  AccessKeysRotated:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: AccessKeysRotated
+      Description: Checks whether the active access keys are rotated within the number
+        of days specified in maxAccessKeyAge. The rule is non-compliant if the access
+        keys have not been rotated for more than maxAccessKeyAge number of days.
+      InputParameters:
+        maxAccessKeyAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: ACCESS_KEYS_ROTATED
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMPasswordPolicyCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMPasswordPolicyCheck
+      Description: Checks whether the account password policy for IAM users meets
+        the specified requirements.
+      InputParameters:
+        RequireUppercaseCharacters: true
+        RequireLowercaseCharacters: true
+        RequireSymbols: true
+        RequireNumbers: true
+        MinimumPasswordLength: 14
+        PasswordReusePrevention: 24
+        MaxPasswordAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_PASSWORD_POLICY
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMRootAccessKeyCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMRootAccessKeyCheck
+      Description: Checks whether the root user access key is available.
+        The rule is compliant if the user access key does not exist.
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
+      MaximumExecutionFrequency: Twelve_Hours
+# These are not in the catalog in govcloud
+#  RootAccountMFAEnabled:
+#    Type: AWS::Config::ConfigRule
+#    Properties:
+#      ConfigRuleName: RootAccountMFAEnabled
+#      Description: Checks whether the root user of your AWS account requires multi-factor
+#        authentication for console sign-in.
+#      Source:
+#        Owner: AWS
+#        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
+#      MaximumExecutionFrequency: Twelve_Hours
+#  RootAccountHardwareMFAEnabled:
+#    Type: AWS::Config::ConfigRule
+#    Properties:
+#      ConfigRuleName: RootAccountHardwareMFAEnabled
+#      Description: Checks whether your AWS account is enabled to use multi-factor
+#        authentication (MFA) hardware device to sign in with root credentials.
+#      Source:
+#        Owner: AWS
+#        SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
+#      MaximumExecutionFrequency: Twelve_Hours
+  IAMUserNoPoliciesCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMUserNoPoliciesCheck
+      Description: Checks that none of your IAM users have policies attached. IAM
+        users must inherit permissions from IAM groups or roles.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::IAM::User
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
+  IAMSupportPolicyInUse:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMSupportPolicyInUse
+      Description: Checks that the 'AWSSupportAccess' managed policy is attached to any IAM user, group, or role
+      InputParameters:
+        policyARN: arn:aws:iam::aws:policy/AWSSupportAccess
+        policyUsageType: ANY
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_POLICY_IN_USE
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMPolicyNoStatementWithAdminAccess:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMPolicyNoStatementWithAdminAccess
+      Description: Checks whether the default version of AWS Identity and Access
+        Management (IAM) policies do not have administrator access.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::IAM::Policy
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
+  MultiRegionCloudTrailEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: MultiRegionCloudTrailEnabled
+      Description: Checks that there is at least one multi-region AWS CloudTrail.
+        The rule is non-compliant if the trails do not match input parameters
+      Source:
+        Owner: AWS
+        SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  CloudTrailLogFileValidationEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CloudTrailLogFileValidationEnabled
+      Description: Checks whether AWS CloudTrail creates a signed digest file with
+        logs
+      Source:
+        Owner: AWS
+        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  S3BucketPublicReadProhibited:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: S3BucketPublicReadProhibited
+      Description: Checks that your Amazon S3 buckets do not allow public read access.
+        The rule checks the Block Public Access settings, the bucket policy, and the
+        bucket access control list (ACL).
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::S3::Bucket
+      Source:
+        Owner: AWS
+        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
+      MaximumExecutionFrequency: Twelve_Hours
+  S3BucketPublicWriteProhibited:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: S3BucketPublicWriteProhibited
+      Description: Checks that your Amazon S3 buckets do not allow public write access.
+        The rule checks the Block Public Access settings, the bucket policy, and the
+        bucket access control list (ACL).
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::S3::Bucket
+      Source:
+        Owner: AWS
+        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
+      MaximumExecutionFrequency: Twelve_Hours
+  CloudTrailCloudWatchLogsEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CloudTrailCloudWatchLogsEnabled
+      Description: Checks whether AWS CloudTrail trails are configured to send logs
+        to Amazon CloudWatch logs.
+      Source:
+        Owner: AWS
+        SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  S3BucketLoggingEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: S3BucketLoggingEnabled
+      Description: Checks whether logging is enabled for your S3 buckets.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::S3::Bucket
+      Source:
+        Owner: AWS
+        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
+  CloudTrailEncryptionEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CloudTrailEncryptionEnabled
+      Description: Checks whether AWS CloudTrail is configured to use the server side
+        encryption (SSE) AWS Key Management Service (AWS KMS) customer master key
+        (CMK) encryption.
+      Source:
+        Owner: AWS
+        SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  CMKBackingKeyRotationEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CMKBackingKeyRotationEnabled
+      Description: Checks that key rotation is enabled for each key and matches to
+        the key ID of the customer created customer master key (CMK). The rule is
+        compliant, if the key rotation is enabled for specific key object.
+      Source:
+        Owner: AWS
+        SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  VPCFlowLogsEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: VPCFlowLogsEnabled
+      Description: Checks whether Amazon Virtual Private Cloud flow logs are found
+        and enabled for Amazon VPC.
+      InputParameters:
+        trafficType: REJECT
+      Source:
+        Owner: AWS
+        SourceIdentifier: VPC_FLOW_LOGS_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  IncomingSSHDisabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IncomingSSHDisabled
+      Description: Checks whether the incoming SSH traffic for the security groups is accessible.
+        The rule is COMPLIANT when the IP addresses of the incoming SSH traffic in the security
+        groups are restricted. This rule applies only to IPv4.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::EC2::SecurityGroup
+      Source:
+        Owner: AWS
+        SourceIdentifier: INCOMING_SSH_DISABLED
+  RestrictedIncomingTraffic:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: RestrictedIncomingTraffic
+      Description: Checks whether security groups that are in use disallow unrestricted
+        incoming TCP traffic to the specified ports.
+      InputParameters:
+        blockedPort1: 3389
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::EC2::SecurityGroup
+      Source:
+        Owner: AWS
+        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
+  VPCDefaultSecurityGroupClosed:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: VPCDefaultSecurityGroupClosed
+      Description: Checks that the default security group of any Amazon Virtual Private
+        Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant
+        if the default security group has one or more inbound or outbound traffic.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::EC2::SecurityGroup
+      Source:
+        Owner: AWS
+        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED

base/account_standards/files/CIS_conformance_pack.cft.dist

@@ -0,0 +1,275 @@
+################################################################################
+#
+#   Conformance Pack:
+#     Operational Best Practices for CIS
+#
+#   This conformance pack helps verify compliance with CIS requirements. Note that
+#   this will not cover all CIS requirements but only those that can be covered
+#   using AWS Config Rules.
+################################################################################
+       
+Resources:
+  MFAEnabledForIamConsoleAccess:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: MFAEnabledForIamConsoleAccess
+      Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled
+        for all AWS Identity and Access Management (IAM) users that use a console
+        password. The rule is compliant if MFA is enabled.
+      Source:
+        Owner: AWS
+        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMUserUnusedCredentialCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMUserUnusedCredentialCheck
+      Description: Checks whether your AWS Identity and Access Management (IAM) users
+        have passwords or active access keys that have not been used within the specified
+        number of days you provided.
+      InputParameters:
+        maxCredentialUsageAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
+      MaximumExecutionFrequency: Twelve_Hours
+  AccessKeysRotated:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: AccessKeysRotated
+      Description: Checks whether the active access keys are rotated within the number
+        of days specified in maxAccessKeyAge. The rule is non-compliant if the access
+        keys have not been rotated for more than maxAccessKeyAge number of days.
+      InputParameters:
+        maxAccessKeyAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: ACCESS_KEYS_ROTATED
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMPasswordPolicyCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMPasswordPolicyCheck
+      Description: Checks whether the account password policy for IAM users meets
+        the specified requirements.
+      InputParameters:
+        RequireUppercaseCharacters: true
+        RequireLowercaseCharacters: true
+        RequireSymbols: true
+        RequireNumbers: true
+        MinimumPasswordLength: 14
+        PasswordReusePrevention: 24
+        MaxPasswordAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_PASSWORD_POLICY
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMRootAccessKeyCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMRootAccessKeyCheck
+      Description: Checks whether the root user access key is available.
+        The rule is compliant if the user access key does not exist.
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
+      MaximumExecutionFrequency: Twelve_Hours
+  RootAccountMFAEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: RootAccountMFAEnabled
+      Description: Checks whether the root user of your AWS account requires multi-factor
+        authentication for console sign-in.
+      Source:
+        Owner: AWS
+        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  RootAccountHardwareMFAEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: RootAccountHardwareMFAEnabled
+      Description: Checks whether your AWS account is enabled to use multi-factor
+        authentication (MFA) hardware device to sign in with root credentials.
+      Source:
+        Owner: AWS
+        SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMUserNoPoliciesCheck:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMUserNoPoliciesCheck
+      Description: Checks that none of your IAM users have policies attached. IAM
+        users must inherit permissions from IAM groups or roles.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::IAM::User
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
+  IAMSupportPolicyInUse:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMSupportPolicyInUse
+      Description: Checks that the 'AWSSupportAccess' managed policy is attached to any IAM user, group, or role
+      InputParameters:
+        policyARN: arn:aws:iam::aws:policy/AWSSupportAccess
+        policyUsageType: ANY
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_POLICY_IN_USE
+      MaximumExecutionFrequency: Twelve_Hours
+  IAMPolicyNoStatementWithAdminAccess:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IAMPolicyNoStatementWithAdminAccess
+      Description: Checks whether the default version of AWS Identity and Access
+        Management (IAM) policies do not have administrator access.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::IAM::Policy
+      Source:
+        Owner: AWS
+        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
+  MultiRegionCloudTrailEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: MultiRegionCloudTrailEnabled
+      Description: Checks that there is at least one multi-region AWS CloudTrail.
+        The rule is non-compliant if the trails do not match input parameters
+      Source:
+        Owner: AWS
+        SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  CloudTrailLogFileValidationEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CloudTrailLogFileValidationEnabled
+      Description: Checks whether AWS CloudTrail creates a signed digest file with
+        logs
+      Source:
+        Owner: AWS
+        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  S3BucketPublicReadProhibited:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: S3BucketPublicReadProhibited
+      Description: Checks that your Amazon S3 buckets do not allow public read access.
+        The rule checks the Block Public Access settings, the bucket policy, and the
+        bucket access control list (ACL).
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::S3::Bucket
+      Source:
+        Owner: AWS
+        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
+      MaximumExecutionFrequency: Twelve_Hours
+  S3BucketPublicWriteProhibited:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: S3BucketPublicWriteProhibited
+      Description: Checks that your Amazon S3 buckets do not allow public write access.
+        The rule checks the Block Public Access settings, the bucket policy, and the
+        bucket access control list (ACL).
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::S3::Bucket
+      Source:
+        Owner: AWS
+        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
+      MaximumExecutionFrequency: Twelve_Hours
+  CloudTrailCloudWatchLogsEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CloudTrailCloudWatchLogsEnabled
+      Description: Checks whether AWS CloudTrail trails are configured to send logs
+        to Amazon CloudWatch logs.
+      Source:
+        Owner: AWS
+        SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  S3BucketLoggingEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: S3BucketLoggingEnabled
+      Description: Checks whether logging is enabled for your S3 buckets.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::S3::Bucket
+      Source:
+        Owner: AWS
+        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
+  CloudTrailEncryptionEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CloudTrailEncryptionEnabled
+      Description: Checks whether AWS CloudTrail is configured to use the server side
+        encryption (SSE) AWS Key Management Service (AWS KMS) customer master key
+        (CMK) encryption.
+      Source:
+        Owner: AWS
+        SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  CMKBackingKeyRotationEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: CMKBackingKeyRotationEnabled
+      Description: Checks that key rotation is enabled for each key and matches to
+        the key ID of the customer created customer master key (CMK). The rule is
+        compliant, if the key rotation is enabled for specific key object.
+      Source:
+        Owner: AWS
+        SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  VPCFlowLogsEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: VPCFlowLogsEnabled
+      Description: Checks whether Amazon Virtual Private Cloud flow logs are found
+        and enabled for Amazon VPC.
+      InputParameters:
+        trafficType: REJECT
+      Source:
+        Owner: AWS
+        SourceIdentifier: VPC_FLOW_LOGS_ENABLED
+      MaximumExecutionFrequency: Twelve_Hours
+  IncomingSSHDisabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: IncomingSSHDisabled
+      Description: Checks whether the incoming SSH traffic for the security groups is accessible.
+        The rule is COMPLIANT when the IP addresses of the incoming SSH traffic in the security
+        groups are restricted. This rule applies only to IPv4.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::EC2::SecurityGroup
+      Source:
+        Owner: AWS
+        SourceIdentifier: INCOMING_SSH_DISABLED
+  RestrictedIncomingTraffic:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: RestrictedIncomingTraffic
+      Description: Checks whether security groups that are in use disallow unrestricted
+        incoming TCP traffic to the specified ports.
+      InputParameters:
+        blockedPort1: 3389
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::EC2::SecurityGroup
+      Source:
+        Owner: AWS
+        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
+  VPCDefaultSecurityGroupClosed:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: VPCDefaultSecurityGroupClosed
+      Description: Checks that the default security group of any Amazon Virtual Private
+        Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant
+        if the default security group has one or more inbound or outbound traffic.
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::EC2::SecurityGroup
+      Source:
+        Owner: AWS
+        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED