import { Construct } from 'constructs';
import * as events from '../../aws-events';
import * as lambda from '../../aws-lambda';
import { IResource, Resource } from '../../core';
/**
 * Interface representing an AWS Config rule.
 *
 * Implemented both by rules defined in this stack and by rules imported with
 * `fromConfigRuleName()`; an imported rule exposes only the members declared here.
 */
export interface IRule extends IResource {
  /**
   * The name of the rule.
   *
   * @attribute
   */
  readonly configRuleName: string;
  /**
   * Defines an EventBridge event rule which triggers for rule events. Use
   * `rule.addEventPattern(pattern)` to specify a filter.
   */
  onEvent(id: string, options?: events.OnEventOptions): events.Rule;
  /**
   * Defines an EventBridge event rule which triggers for rule compliance events.
   */
  onComplianceChange(id: string, options?: events.OnEventOptions): events.Rule;
  /**
   * Defines an EventBridge event rule which triggers for rule re-evaluation status events.
   */
  onReEvaluationStatus(id: string, options?: events.OnEventOptions): events.Rule;
}
/**
 * The mode of evaluation for the rule.
 *
 * Only the three static constants can be used; the constructor is protected,
 * so callers cannot build arbitrary mode combinations.
 */
export declare class EvaluationMode {
  /** The mode names this value represents. */
  readonly modes: string[];
  /**
   * Evaluate resources that have already been deployed.
   */
  static readonly DETECTIVE: EvaluationMode;
  /**
   * Evaluate resources before they have been deployed.
   */
  static readonly PROACTIVE: EvaluationMode;
  /**
   * Evaluate resources that have already been deployed and before they have been deployed.
   */
  static readonly DETECTIVE_AND_PROACTIVE: EvaluationMode;
  /**
   * @param modes The modes of evaluation for the rule
   */
  protected constructor(modes: string[]);
}
/**
 * A new or imported rule.
 *
 * Base class shared by the EventBridge helpers; `configRuleName` is supplied by
 * the concrete subclass.
 */
declare abstract class RuleBase extends Resource implements IRule {
  abstract readonly configRuleName: string;
  /**
   * Defines an EventBridge event rule which triggers for rule events. Use
   * `rule.addEventPattern(pattern)` to specify a filter.
   */
  onEvent(id: string, options?: events.OnEventOptions): events.Rule;
  /**
   * Defines an EventBridge event rule which triggers for rule compliance events.
   */
  onComplianceChange(id: string, options?: events.OnEventOptions): events.Rule;
  /**
   * Defines an EventBridge event rule which triggers for rule re-evaluation status events.
   */
  onReEvaluationStatus(id: string, options?: events.OnEventOptions): events.Rule;
}
/**
 * A new managed or custom rule.
 *
 * Adds the ARN, ID and compliance-type attributes that only exist for rules
 * created in this stack; an imported rule (`fromConfigRuleName`) is typed as
 * `IRule` and does not carry them.
 */
declare abstract class RuleNew extends RuleBase {
  /**
   * Imports an existing rule.
   *
   * The returned object only exposes `configRuleName` and the EventBridge
   * helpers; no lookup of the rule is performed.
   *
   * @param scope the construct scope
   * @param id the construct id
   * @param configRuleName the name of the rule
   */
  static fromConfigRuleName(scope: Construct, id: string, configRuleName: string): IRule;
  /**
   * The arn of the rule.
   */
  abstract readonly configRuleArn: string;
  /**
   * The id of the rule.
   */
  abstract readonly configRuleId: string;
  /**
   * The compliance status of the rule.
   */
  abstract readonly configRuleComplianceType: string;
  // NOTE(review): the three fields below are set by the concrete subclasses;
  // how they are consumed is not visible in this declaration file.
  protected ruleScope?: RuleScope;
  protected isManaged?: boolean;
  protected isCustomWithChanges?: boolean;
}
/**
 * Determines which resources trigger an evaluation of an AWS Config rule.
 *
 * Instances are built only through the static factories; exactly one of the
 * resource-based or tag-based shapes is populated.
 */
export declare class RuleScope {
  /**
   * Restricts scope of changes to a specific resource type or resource identifier.
   *
   * @param resourceType the resource type that triggers evaluation
   * @param resourceId optional ID of the single resource that triggers evaluation
   */
  static fromResource(resourceType: ResourceType, resourceId?: string): RuleScope;
  /**
   * Restricts scope of changes to specific resource types.
   *
   * @param resourceTypes the resource types that trigger evaluation
   */
  static fromResources(resourceTypes: ResourceType[]): RuleScope;
  /**
   * Restricts scope of changes to a specific tag.
   *
   * @param key tag key that triggers evaluation
   * @param value optional tag value; when omitted, any value for `key` matches
   */
  static fromTag(key: string, value?: string): RuleScope;
  /** Resource types that will trigger evaluation of a rule */
  readonly resourceTypes?: ResourceType[];
  /** ID of the only AWS resource that will trigger evaluation of a rule */
  readonly resourceId?: string;
  /** tag key applied to resources that will trigger evaluation of a rule */
  readonly key?: string;
  /** tag value applied to resources that will trigger evaluation of a rule */
  readonly value?: string;
  private constructor();
}
/**
 * The maximum frequency at which the AWS Config rule runs evaluations.
 *
 * The string values are the identifiers AWS Config expects.
 */
export declare enum MaximumExecutionFrequency {
  /**
   * 1 hour.
   */
  ONE_HOUR = "One_Hour",
  /**
   * 3 hours.
   */
  THREE_HOURS = "Three_Hours",
  /**
   * 6 hours.
   */
  SIX_HOURS = "Six_Hours",
  /**
   * 12 hours.
   */
  TWELVE_HOURS = "Twelve_Hours",
  /**
   * 24 hours.
   */
  TWENTY_FOUR_HOURS = "TwentyFour_Hours"
}
/**
 * Construction properties for a new rule.
 *
 * Shared by `ManagedRuleProps`, `CustomRuleProps` and `CustomPolicyProps`.
 */
export interface RuleProps {
  /**
   * A name for the AWS Config rule.
   *
   * @default - CloudFormation generated name
   */
  readonly configRuleName?: string;
  /**
   * A description about this AWS Config rule.
   *
   * @default - No description
   */
  readonly description?: string;
  /**
   * Input parameter values that are passed to the AWS Config rule.
   *
   * Values are typed `any` and are not validated by this declaration. Treat
   * them as non-secret configuration: they become part of the rule
   * definition, not a place to store credentials.
   *
   * @default - No input parameters
   */
  readonly inputParameters?: {
    [key: string]: any;
  };
  /**
   * The maximum frequency at which the AWS Config rule runs evaluations.
   *
   * @default MaximumExecutionFrequency.TWENTY_FOUR_HOURS
   */
  readonly maximumExecutionFrequency?: MaximumExecutionFrequency;
  /**
   * Defines which resources trigger an evaluation for an AWS Config rule.
   *
   * @default - evaluations for the rule are triggered when any resource in the recording group changes.
   */
  readonly ruleScope?: RuleScope;
  /**
   * The modes the AWS Config rule can be evaluated in.
   *
   * Use one of the static `EvaluationMode` constants.
   *
   * @default - Detective evaluation mode only
   */
  readonly evaluationModes?: EvaluationMode;
}
/**
 * Construction properties for a ManagedRule.
 */
export interface ManagedRuleProps extends RuleProps {
  /**
   * The identifier of the AWS managed rule.
   *
   * The constants on `ManagedRuleIdentifiers` (declared below) cover the
   * known identifiers; any string is accepted here.
   *
   * @see https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
   */
  readonly identifier: string;
}
/**
 * A new managed rule.
 *
 * @resource AWS::Config::ConfigRule
 */
export declare class ManagedRule extends RuleNew {
  /** Uniquely identifies this class. */
  static readonly PROPERTY_INJECTION_ID: string;
  /** @attribute */
  readonly configRuleName: string;
  /** @attribute */
  readonly configRuleArn: string;
  /** @attribute */
  readonly configRuleId: string;
  /** @attribute */
  readonly configRuleComplianceType: string;
  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props managed-rule properties; `identifier` is required
   */
  constructor(scope: Construct, id: string, props: ManagedRuleProps);
}
/**
 * Construction properties for a CustomRule.
 */
export interface CustomRuleProps extends RuleProps {
  /**
   * The Lambda function to run.
   *
   * NOTE(review): the invoke permission for AWS Config is presumably granted
   * by the construct; that is not visible in this declaration file — confirm
   * against the implementation.
   */
  readonly lambdaFunction: lambda.IFunction;
  /**
   * Whether to run the rule on configuration changes.
   *
   * NOTE(review): both this and `periodic` default to false; presumably at
   * least one must be enabled for the rule to ever evaluate — confirm.
   *
   * @default false
   */
  readonly configurationChanges?: boolean;
  /**
   * Whether to run the rule on a fixed frequency.
   *
   * The frequency is `maximumExecutionFrequency` from `RuleProps`.
   *
   * @default false
   */
  readonly periodic?: boolean;
}
/**
 * A new custom rule.
 *
 * @resource AWS::Config::ConfigRule
 */
export declare class CustomRule extends RuleNew {
  /** Uniquely identifies this class. */
  static readonly PROPERTY_INJECTION_ID: string;
  /** @attribute */
  readonly configRuleName: string;
  /** @attribute */
  readonly configRuleArn: string;
  /** @attribute */
  readonly configRuleId: string;
  /** @attribute */
  readonly configRuleComplianceType: string;
  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props custom-rule properties; `lambdaFunction` is required
   */
  constructor(scope: Construct, id: string, props: CustomRuleProps);
}
/**
 * Construction properties for a CustomPolicy.
 */
export interface CustomPolicyProps extends RuleProps {
  /**
   * The policy definition containing the logic for your AWS Config Custom Policy rule.
   *
   * Passed through as a string; no syntax validation happens at synthesis
   * time as far as this declaration shows.
   */
  readonly policyText: string;
  /**
   * The boolean expression for enabling debug logging for your AWS Config Custom Policy rule.
   *
   * Presumably increases log verbosity for policy evaluation; keep disabled
   * unless diagnosing the rule.
   *
   * @default false
   */
  readonly enableDebugLog?: boolean;
}
/**
 * A new custom policy.
 *
 * @resource AWS::Config::ConfigRule
 */
export declare class CustomPolicy extends RuleNew {
  /**
   * Uniquely identifies this class.
   */
  static readonly PROPERTY_INJECTION_ID: string;
  /** @attribute */
  readonly configRuleName: string;
  /** @attribute */
  readonly configRuleArn: string;
  /** @attribute */
  readonly configRuleId: string;
  /** @attribute */
  readonly configRuleComplianceType: string;
  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props custom-policy properties; `policyText` is required
   */
  constructor(scope: Construct, id: string, props: CustomPolicyProps);
}
/**
 * Managed rules that are supported by AWS Config.
 *
 * Each constant is the identifier string to pass as `ManagedRuleProps.identifier`.
 * @see https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
 */
export declare class ManagedRuleIdentifiers {
  /**
   * Checks that the inline policies attached to your AWS Identity and Access Management users,
   * roles, and groups do not allow blocked actions on all AWS Key Management Service keys.
   * @see https://docs.aws.amazon.com/config/latest/developerguide/iam-inline-policy-blocked-kms-actions.html
   */
  static readonly IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS = "IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS";
  /**
   * Checks that the managed AWS Identity and Access Management policies that you create do not
   * allow blocked actions on all AWS KMS keys.
   * @see https://docs.aws.amazon.com/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.html
   */
  static readonly IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS = "IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS";
  /**
   * Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge.
   * @see https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
   */
  static readonly ACCESS_KEYS_ROTATED = "ACCESS_KEYS_ROTATED";
  /**
   * Checks whether AWS account is part of AWS Organizations.
   * @see https://docs.aws.amazon.com/config/latest/developerguide/account-part-of-organizations.html
   */
  static readonly ACCOUNT_PART_OF_ORGANIZATIONS = "ACCOUNT_PART_OF_ORGANIZATIONS";
  /**
   * Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.
* @see https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html */ static readonly ACM_CERTIFICATE_EXPIRATION_CHECK = "ACM_CERTIFICATE_EXPIRATION_CHECK"; /** * Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode. * @see https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html */ static readonly ALB_DESYNC_MODE_CHECK = "ALB_DESYNC_MODE_CHECK"; /** * Checks if rule evaluates Application Load Balancers (ALBs) to ensure they are configured to drop http headers. * @see https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html */ static readonly ALB_HTTP_DROP_INVALID_HEADER_ENABLED = "ALB_HTTP_DROP_INVALID_HEADER_ENABLED"; /** * Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer. * @see https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html */ static readonly ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK = "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK"; /** * Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). * @see https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html */ static readonly ALB_WAF_ENABLED = "ALB_WAF_ENABLED"; /** * Checks if Amazon API Gateway V2 stages have access logging enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-access-logs-enabled.html */ static readonly API_GWV2_ACCESS_LOGS_ENABLED = "API_GWV2_ACCESS_LOGS_ENABLED"; /** * Checks if Amazon API Gatewayv2 API routes have an authorization type set. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gwv2-authorization-type-configured.html */ static readonly API_GWV2_AUTHORIZATION_TYPE_CONFIGURED = "API_GWV2_AUTHORIZATION_TYPE_CONFIGURED"; /** * Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/api-gw-associated-with-waf.html */ static readonly API_GW_ASSOCIATED_WITH_WAF = "API_GW_ASSOCIATED_WITH_WAF"; /** * Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html */ static readonly API_GW_CACHE_ENABLED_AND_ENCRYPTED = "API_GW_CACHE_ENABLED_AND_ENCRYPTED"; /** * Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gw-endpoint-type-check.html */ static readonly API_GW_ENDPOINT_TYPE_CHECK = "API_GW_ENDPOINT_TYPE_CHECK"; /** * Checks that all methods in Amazon API Gateway stage has logging enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html */ static readonly API_GW_EXECUTION_LOGGING_ENABLED = "API_GW_EXECUTION_LOGGING_ENABLED"; /** * Checks if a REST API stage uses an Secure Sockets Layer (SSL) certificate. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html */ static readonly API_GW_SSL_ENABLED = "API_GW_SSL_ENABLED"; /** * Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. * @see https://docs.aws.amazon.com/config/latest/developerguide/api-gw-xray-enabled.html */ static readonly API_GW_XRAY_ENABLED = "API_GW_XRAY_ENABLED"; /** * Checks whether running instances are using specified AMIs. * @see https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html */ static readonly APPROVED_AMIS_BY_ID = "APPROVED_AMIS_BY_ID"; /** * Checks whether running instances are using specified AMIs. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-tag.html */ static readonly APPROVED_AMIS_BY_TAG = "APPROVED_AMIS_BY_TAG"; /** * Checks if a recovery point was created for Amazon Aurora DB clusters. * @see https://docs.aws.amazon.com/config/latest/developerguide/aurora-last-backup-recovery-point-created.html */ static readonly AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED = "AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED"; /** * Checks if an Amazon Aurora MySQL cluster has backtracking enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-backtracking-enabled.html */ static readonly AURORA_MYSQL_BACKTRACKING_ENABLED = "AURORA_MYSQL_BACKTRACKING_ENABLED"; /** * Checks if Amazon Aurora DB clusters are protected by a backup plan. * @see https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html */ static readonly AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN = "AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN"; /** * Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-capacity-rebalancing.html */ static readonly AUTOSCALING_CAPACITY_REBALANCING = "AUTOSCALING_CAPACITY_REBALANCING"; /** * Checks whether your Auto Scaling groups that are associated with a load balancer are using * Elastic Load Balancing health checks. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html */ static readonly AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED = "AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED"; /** * Checks whether only IMDSv2 is enabled. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html */ static readonly AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2 = "AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2"; /** * Checks the number of network hops that the metadata token can travel. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-hop-limit.html */ static readonly AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT = "AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT"; /** * Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html */ static readonly AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED = "AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED"; /** * Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-template.html */ static readonly AUTOSCALING_LAUNCH_TEMPLATE = "AUTOSCALING_LAUNCH_TEMPLATE"; /** * Checks if the Auto Scaling group spans multiple Availability Zones. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-az.html */ static readonly AUTOSCALING_MULTIPLE_AZ = "AUTOSCALING_MULTIPLE_AZ"; /** * Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. * @see https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-instance-types.html */ static readonly AUTOSCALING_MULTIPLE_INSTANCE_TYPES = "AUTOSCALING_MULTIPLE_INSTANCE_TYPES"; /** * Checks if a backup plan has a backup rule that satisfies the required frequency and retention period. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/backup-plan-min-frequency-and-min-retention-check.html */ static readonly BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"; /** * Checks if a recovery point is encrypted. * @see https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-encrypted.html */ static readonly BACKUP_RECOVERY_POINT_ENCRYPTED = "BACKUP_RECOVERY_POINT_ENCRYPTED"; /** * Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. * @see https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-manual-deletion-disabled.html */ static readonly BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"; /** * Checks if a recovery point expires no earlier than after the specified period. * @see https://docs.aws.amazon.com/config/latest/developerguide/backup-recovery-point-minimum-retention-check.html */ static readonly BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"; /** * Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting. * @see https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html */ static readonly BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED = "BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED"; /** * Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode. * @see https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html */ static readonly CLB_DESYNC_MODE_CHECK = "CLB_DESYNC_MODE_CHECK"; /** * Checks if a Classic Load Balancer spans multiple Availability Zones (AZs). 
* @see https://docs.aws.amazon.com/config/latest/developerguide/clb-multiple-az.html */ static readonly CLB_MULTIPLE_AZ = "CLB_MULTIPLE_AZ"; /** * Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, * from it's expected configuration. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html */ static readonly CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK = "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"; /** * Checks whether your CloudFormation stacks are sending event notifications to an SNS topic. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-notification-check.html */ static readonly CLOUDFORMATION_STACK_NOTIFICATION_CHECK = "CLOUDFORMATION_STACK_NOTIFICATION_CHECK"; /** * Checks if Amazon CloudFront distributions are configured to capture information from * Amazon Simple Storage Service (Amazon S3) server access logs. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html */ static readonly CLOUDFRONT_ACCESSLOGS_ENABLED = "CLOUDFRONT_ACCESSLOGS_ENABLED"; /** * Checks if Amazon CloudFront distributions are associated with either WAF or WAFv2 web access control lists (ACLs). * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-associated-with-waf.html */ static readonly CLOUDFRONT_ASSOCIATED_WITH_WAF = "CLOUDFRONT_ASSOCIATED_WITH_WAF"; /** * Checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-custom-ssl-certificate.html */ static readonly CLOUDFRONT_CUSTOM_SSL_CERTIFICATE = "CLOUDFRONT_CUSTOM_SSL_CERTIFICATE"; /** * Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-default-root-object-configured.html */ static readonly CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED = "CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED"; /** * Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between * CloudFront edge locations and custom origins. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html */ static readonly CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS = "CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS"; /** * Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-access-identity-enabled.html */ static readonly CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED = "CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED"; /** * Checks whether an origin group is configured for the distribution of at least 2 origins in the * origin group for Amazon CloudFront. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-failover-enabled.html */ static readonly CLOUDFRONT_ORIGIN_FAILOVER_ENABLED = "CLOUDFRONT_ORIGIN_FAILOVER_ENABLED"; /** * Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or * greater for viewer connections. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-security-policy-check.html */ static readonly CLOUDFRONT_SECURITY_POLICY_CHECK = "CLOUDFRONT_SECURITY_POLICY_CHECK"; /** * Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured * to use SNI to serve HTTPS requests. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-sni-enabled.html */ static readonly CLOUDFRONT_SNI_ENABLED = "CLOUDFRONT_SNI_ENABLED"; /** * Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html */ static readonly CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED = "CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED"; /** * Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-viewer-policy-https.html */ static readonly CLOUDFRONT_VIEWER_POLICY_HTTPS = "CLOUDFRONT_VIEWER_POLICY_HTTPS"; /** * Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html */ static readonly CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED = "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"; /** * Checks whether AWS CloudTrail is enabled in your AWS account. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html */ static readonly CLOUD_TRAIL_ENABLED = "CLOUD_TRAIL_ENABLED"; /** * Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) * AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html */ static readonly CLOUD_TRAIL_ENCRYPTION_ENABLED = "CLOUD_TRAIL_ENCRYPTION_ENABLED"; /** * Checks whether AWS CloudTrail creates a signed digest file with logs. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html */ static readonly CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED = "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"; /** * Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html */ static readonly CLOUDTRAIL_S3_DATAEVENTS_ENABLED = "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"; /** * Checks that there is at least one AWS CloudTrail trail defined with security best practices. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-security-trail-enabled.html */ static readonly CLOUDTRAIL_SECURITY_TRAIL_ENABLED = "CLOUDTRAIL_SECURITY_TRAIL_ENABLED"; /** * Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, * or one OK action enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html */ static readonly CLOUDWATCH_ALARM_ACTION_CHECK = "CLOUDWATCH_ALARM_ACTION_CHECK"; /** * Checks if Amazon CloudWatch alarms actions are in enabled state. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-enabled-check.html */ static readonly CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK = "CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK"; /** * Checks whether the specified resource type has a CloudWatch alarm for the specified metric. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-resource-check.html */ static readonly CLOUDWATCH_ALARM_RESOURCE_CHECK = "CLOUDWATCH_ALARM_RESOURCE_CHECK"; /** * Checks whether CloudWatch alarms with the given metric name have the specified settings. * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-settings-check.html */ static readonly CLOUDWATCH_ALARM_SETTINGS_CHECK = "CLOUDWATCH_ALARM_SETTINGS_CHECK"; /** * Checks whether a log group in Amazon CloudWatch Logs is encrypted with * a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). 
* @see https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html */ static readonly CLOUDWATCH_LOG_GROUP_ENCRYPTED = "CLOUDWATCH_LOG_GROUP_ENCRYPTED"; /** * Checks that key rotation is enabled for each key and matches to the key ID of the * customer created customer master key (CMK). * @see https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html */ static readonly CMK_BACKING_KEY_ROTATION_ENABLED = "CMK_BACKING_KEY_ROTATION_ENABLED"; /** * Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. * @see https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-artifact-encryption.html */ static readonly CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION = "CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION"; /** * Checks if an AWS CodeBuild project environment has privileged mode enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-environment-privileged-check.html */ static readonly CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK = "CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK"; /** * Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. * @see https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html */ static readonly CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK = "CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK"; /** * Checks if an AWS CodeBuild project environment has at least one log option enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-logging-enabled.html */ static readonly CODEBUILD_PROJECT_LOGGING_ENABLED = "CODEBUILD_PROJECT_LOGGING_ENABLED"; /** * Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-s3-logs-encrypted.html */ static readonly CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED = "CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED"; /** * Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens * or user name and password. * @see https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html */ static readonly CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK = "CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK"; /** * Checks if the deployment group is configured with automatic deployment rollback and * deployment monitoring with alarms attached. * @see https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-auto-rollback-monitor-enabled.html */ static readonly CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED = "CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED"; /** * Checks if the deployment group for EC2/On-Premises Compute Platform is configured with * a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold. * @see https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-ec2-minimum-healthy-hosts-configured.html */ static readonly CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED = "CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED"; /** * Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration. * @see https://docs.aws.amazon.com/config/latest/developerguide/codedeploy-lambda-allatonce-traffic-shift-disabled.html */ static readonly CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED = "CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED"; /** * Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-deployment-count-check.html */ static readonly CODEPIPELINE_DEPLOYMENT_COUNT_CHECK = "CODEPIPELINE_DEPLOYMENT_COUNT_CHECK"; /** * Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of * the regions the AWS CodePipeline has deployed in all the previous combined stages, * where N is the region fanout number. * @see https://docs.aws.amazon.com/config/latest/developerguide/codepipeline-region-fanout-check.html */ static readonly CODEPIPELINE_REGION_FANOUT_CHECK = "CODEPIPELINE_REGION_FANOUT_CHECK"; /** * Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days. * @see https://docs.aws.amazon.com/config/latest/developerguide/cw-loggroup-retention-period-check.html */ static readonly CW_LOGGROUP_RETENTION_PERIOD_CHECK = "CW_LOGGROUP_RETENTION_PERIOD_CHECK"; /** * Checks that DynamoDB Accelerator (DAX) clusters are encrypted. * @see https://docs.aws.amazon.com/config/latest/developerguide/dax-encryption-enabled.html */ static readonly DAX_ENCRYPTION_ENABLED = "DAX_ENCRYPTION_ENABLED"; /** * Checks whether RDS DB instances have backups enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/db-instance-backup-enabled.html */ static readonly RDS_DB_INSTANCE_BACKUP_ENABLED = "DB_INSTANCE_BACKUP_ENABLED"; /** * Checks instances for specified tenancy. * @see https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-tenancy.html */ static readonly EC2_DESIRED_INSTANCE_TENANCY = "DESIRED_INSTANCE_TENANCY"; /** * Checks whether your EC2 instances are of the specified instance types. * @see https://docs.aws.amazon.com/config/latest/developerguide/desired-instance-type.html */ static readonly EC2_DESIRED_INSTANCE_TYPE = "DESIRED_INSTANCE_TYPE"; /** * Checks whether AWS Database Migration Service replication instances are public. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-not-public.html */ static readonly DMS_REPLICATION_NOT_PUBLIC = "DMS_REPLICATION_NOT_PUBLIC"; /** * Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes. * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-autoscaling-enabled.html */ static readonly DYNAMODB_AUTOSCALING_ENABLED = "DYNAMODB_AUTOSCALING_ENABLED"; /** * Checks whether Amazon DynamoDB table is present in AWS Backup plans. * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-in-backup-plan.html */ static readonly DYNAMODB_IN_BACKUP_PLAN = "DYNAMODB_IN_BACKUP_PLAN"; /** * Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-last-backup-recovery-point-created.html */ static readonly DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED = "DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED"; /** * Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-pitr-enabled.html */ static readonly DYNAMODB_PITR_ENABLED = "DYNAMODB_PITR_ENABLED"; /** * Checks if Amazon DynamoDB tables are protected by a backup plan. * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-resources-protected-by-backup-plan.html */ static readonly DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN = "DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN"; /** * Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encrypted-kms.html */ static readonly DYNAMODB_TABLE_ENCRYPTED_KMS = "DYNAMODB_TABLE_ENCRYPTED_KMS"; /** * Checks whether the Amazon DynamoDB tables are encrypted and checks their status. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encryption-enabled.html */ static readonly DYNAMODB_TABLE_ENCRYPTION_ENABLED = "DYNAMODB_TABLE_ENCRYPTION_ENABLED"; /** * Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. * @see https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-throughput-limit-check.html */ static readonly DYNAMODB_THROUGHPUT_LIMIT_CHECK = "DYNAMODB_THROUGHPUT_LIMIT_CHECK"; /** * Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. * @see https://docs.aws.amazon.com/config/latest/developerguide/ebs-in-backup-plan.html */ static readonly EBS_IN_BACKUP_PLAN = "EBS_IN_BACKUP_PLAN"; /** * Checks whether Amazon Elastic File System (Amazon EFS) file systems are added * in the backup plans of AWS Backup. * @see https://docs.aws.amazon.com/config/latest/developerguide/efs-in-backup-plan.html */ static readonly EFS_IN_BACKUP_PLAN = "EFS_IN_BACKUP_PLAN"; /** * Check that Amazon Elastic Block Store (EBS) encryption is enabled by default. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html */ static readonly EC2_EBS_ENCRYPTION_BY_DEFAULT = "EC2_EBS_ENCRYPTION_BY_DEFAULT"; /** * Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. * @see https://docs.aws.amazon.com/config/latest/developerguide/ebs-optimized-instance.html */ static readonly EBS_OPTIMIZED_INSTANCE = "EBS_OPTIMIZED_INSTANCE"; /** * Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. * @see https://docs.aws.amazon.com/config/latest/developerguide/ebs-resources-protected-by-backup-plan.html */ static readonly EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN = "EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN"; /** * Checks whether Amazon Elastic Block Store snapshots are not publicly restorable. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html */ static readonly EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK = "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK"; /** * Checks whether detailed monitoring is enabled for EC2 instances. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-detailed-monitoring-enabled.html */ static readonly EC2_INSTANCE_DETAILED_MONITORING_ENABLED = "EC2_INSTANCE_DETAILED_MONITORING_ENABLED"; /** * Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html */ static readonly EC2_INSTANCE_MANAGED_BY_SSM = "EC2_INSTANCE_MANAGED_BY_SSM"; /** * Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access * Management (IAM) profile attached to it. This rule is NON_COMPLIANT if no IAM profile is * attached to the Amazon EC2 instance. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html */ static readonly EC2_INSTANCE_PROFILE_ATTACHED = "EC2_INSTANCE_PROFILE_ATTACHED"; /** * Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) * or Elastic Fabric Adapters (EFAs). * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-multiple-eni-check.html */ static readonly EC2_INSTANCE_MULTIPLE_ENI_CHECK = "EC2_INSTANCE_MULTIPLE_ENI_CHECK"; /** * Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html */ static readonly EC2_INSTANCE_NO_PUBLIC_IP = "EC2_INSTANCE_NO_PUBLIC_IP"; /** * Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-last-backup-recovery-point-created.html */ static readonly EC2_LAST_BACKUP_RECOVERY_POINT_CREATED = "EC2_LAST_BACKUP_RECOVERY_POINT_CREATED"; /** * Checks whether your EC2 instances belong to a virtual private cloud (VPC). * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html */ static readonly EC2_INSTANCES_IN_VPC = "INSTANCES_IN_VPC"; /** * Checks that none of the specified applications are installed on the instance. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-blacklisted.html */ static readonly EC2_MANAGED_INSTANCE_APPLICATIONS_BLOCKED = "EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED"; /** * Checks whether all of the specified applications are installed on the instance. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-required.html */ static readonly EC2_MANAGED_INSTANCE_APPLICATIONS_REQUIRED = "EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED"; /** * Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT * or NON_COMPLIANT after the association execution on the instance. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html */ static readonly EC2_MANAGED_INSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK = "EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK"; /** * Checks whether instances managed by AWS Systems Manager are configured to collect blocked inventory types. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-inventory-blacklisted.html */ static readonly EC2_MANAGED_INSTANCE_INVENTORY_BLOCKED = "EC2_MANAGEDINSTANCE_INVENTORY_BLACKLISTED"; /** * Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is * COMPLIANT or NON_COMPLIANT after the patch installation on the instance. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html */ static readonly EC2_MANAGED_INSTANCE_PATCH_COMPLIANCE_STATUS_CHECK = "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK"; /** * Checks whether EC2 managed instances have the desired configurations. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-platform-check.html */ static readonly EC2_MANAGED_INSTANCE_PLATFORM_CHECK = "EC2_MANAGEDINSTANCE_PLATFORM_CHECK"; /** * Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-no-amazon-key-pair.html */ static readonly EC2_NO_AMAZON_KEY_PAIR = "EC2_NO_AMAZON_KEY_PAIR"; /** * Checks if the virtualization type of an EC2 instance is paravirtual. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-paravirtual-instance-check.html */ static readonly EC2_PARAVIRTUAL_INSTANCE_CHECK = "EC2_PARAVIRTUAL_INSTANCE_CHECK"; /** * Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-resources-protected-by-backup-plan.html */ static readonly EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN = "EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN"; /** * Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances * or to an elastic network interface. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni.html */ static readonly EC2_SECURITY_GROUP_ATTACHED_TO_ENI = "EC2_SECURITY_GROUP_ATTACHED_TO_ENI"; /** * Checks if non-default security groups are attached to Elastic network interfaces (ENIs). 
* @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-security-group-attached-to-eni-periodic.html */ static readonly EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC = "EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC"; /** * Checks whether there are instances stopped for more than the allowed number of days. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-stopped-instance.html */ static readonly EC2_STOPPED_INSTANCE = "EC2_STOPPED_INSTANCE"; /** * Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata * has a specified token hop limit that is below the desired limit. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-token-hop-limit-check.html */ static readonly EC2_TOKEN_HOP_LIMIT_CHECK = "EC2_TOKEN_HOP_LIMIT_CHECK"; /** * Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-transit-gateway-auto-vpc-attach-disabled.html */ static readonly EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED = "EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED"; /** * Checks whether EBS volumes are attached to EC2 instances. * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-volume-inuse-check.html */ static readonly EC2_VOLUME_INUSE_CHECK = "EC2_VOLUME_INUSE_CHECK"; /** * Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-image-scanning-enabled.html */ static readonly ECR_PRIVATE_IMAGE_SCANNING_ENABLED = "ECR_PRIVATE_IMAGE_SCANNING_ENABLED"; /** * Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html */ static readonly ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED = "ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED"; /** * Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html */ static readonly ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED = "ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED"; /** * Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-awsvpc-networking-enabled.html */ static readonly ECS_AWSVPC_NETWORKING_ENABLED = "ECS_AWSVPC_NETWORKING_ENABLED"; /** * Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html */ static readonly ECS_CONTAINERS_NONPRIVILEGED = "ECS_CONTAINERS_NONPRIVILEGED"; /** * Checks if Amazon Elastic Container Service (Amazon ECS) containers only have read-only access to their root filesystems. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html */ static readonly ECS_CONTAINERS_READONLY_ACCESS = "ECS_CONTAINERS_READONLY_ACCESS"; /** * Checks if Amazon Elastic Container Service clusters have container insights enabled. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html */ static readonly ECS_CONTAINER_INSIGHTS_ENABLED = "ECS_CONTAINER_INSIGHTS_ENABLED"; /** * Checks if Amazon Elastic Container Service (ECS) Fargate Services * are running on the latest Fargate platform version. 
* @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html */ static readonly ECS_FARGATE_LATEST_PLATFORM_VERSION = "ECS_FARGATE_LATEST_PLATFORM_VERSION"; /** * Checks if secrets are passed as container environment variables. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-no-environment-secrets.html */ static readonly ECS_NO_ENVIRONMENT_SECRETS = "ECS_NO_ENVIRONMENT_SECRETS"; /** * Checks if logConfiguration is set on active ECS Task Definitions. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html */ static readonly ECS_TASK_DEFINITION_LOG_CONFIGURATION = "ECS_TASK_DEFINITION_LOG_CONFIGURATION"; /** * Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for its container definitions. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-memory-hard-limit.html */ static readonly ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT = "ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT"; /** * Checks if ECSTaskDefinitions specify a user * for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. * @see https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-nonroot-user.html */ static readonly ECS_TASK_DEFINITION_NONROOT_USER = "ECS_TASK_DEFINITION_NONROOT_USER"; /** * Checks if ECSTaskDefinitions are configured to share a host’s process namespace * with its Amazon Elastic Cont