Description: Checks to see if there is a password policy section enabled in IAM.
node/iam_password_policy_enabled-periodic.js
Trigger Type: Periodic
Required Parameters: None
Description: Checks that the IAM password policy requires a minimum number of characters
node/iam_password_minimum_length-periodic.js
Trigger Type: Periodic
Required Parameter: MinimumPasswordLength
Example Value: 12
Description: Checks that the IAM password policy enforces a maximum password age
node/iam_password_maximum_age-periodic.js
Trigger Type: Periodic
Required Parameter: MaxPasswordAge
Example Value: 90
Description: Checks that the IAM password policy requires an uppercase character
node/iam_password_require_uppercase-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that the IAM password policy requires a lowercase character
node/iam_password_require_lowercase-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that the IAM password policy requires a number
node/iam_password_require_number-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that the IAM password policy requires a symbol
node/iam_password_require_symbol-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that the IAM password policy prevents password reuse
node/iam_password_require_reuse-periodic.js
Trigger Type: Periodic
Required Parameter: PasswordReusePrevention
Example Value: 24
Description: Checks that EC2 Instances have the desired tenancy
node/instance_desired_tenancy-triggered.js
Trigger Type: Change Triggered
Scope of Changes: EC2:Instance
Required Parameter: DesiredTenancy
Example Value: dedicated
Description: Checks that CloudTrail is enabled in all regions. Use this rule only in your home region.
node/cloudtrail_enabled_all_regions-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that the IAM User's Access Keys have been rotated within the specified number of days.
node/iam_access_key_rotation-triggered.js
Trigger Type: Change Triggered
Scope of Changes: IAM:User
Required Parameter: MaximumAPIKeyAge
Example Value: 90
Description: Checks that the Root Account's Access Keys have been disabled.
node/iam_access_key_root_disabled-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that the Root Account has MFA Enabled
node/iam_mfa_require_root-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that all IAM Users have MFA Enabled
node/iam_mfa_require-triggered.js
Trigger Type: Change Triggered
Scope of Changes: IAM:User
Required Parameter: None
Description: Checks that CloudTrail Log Validation is Enabled in All Regions
node/cloudtrail_validation_all_regions-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that AWS Config is Enabled in All Regions
node/config_enabled_in_region-periodic.js
Trigger Type: Periodic
Required Parameter: None
Description: Checks that all EC2 instances are of the type specified
python/ec2_desired_instance_type-triggered.py
Trigger Type: Change Triggered
Scope of Changes: EC2:Instance
Required Parameter: desiredInstanceType
Example Value: t2.small
See https://aws.amazon.com/ec2/instance-types/ for more instance types
Description: Checks that the number of resources that are active is lower than specified count for a given resource type.
python/resource_type_max_count-periodic.py
Trigger Type: Periodic
Required Parameters: applicableResourceType, maxCount
Example Values: AWS::EC2::Instance, 10
See http://docs.aws.amazon.com/config/latest/APIReference/API_ListDiscoveredResources.html for resource types.
Description: Checks that VPC Flow Logs are enabled for a specific VPC
python/vpc_flow_logs_enabled.py
Trigger Type: Change Triggered
Scope of Changes: EC2:VPC
Required Resource Identifier: VPC ID
Example Value: vpc-xxxxxxxx