Updated on 2024-10-28 GMT+08:00

Best Practices for Network and Content Delivery Service Operations

The following table describes the compliance rules and solutions in the sample template.

Table 1 Conformance package description

| Rule | Cloud Service | Description |
| --- | --- | --- |
| apig-instances-execution-logging-enabled | apig | If logging is not enabled for a dedicated APIG gateway, this gateway is noncompliant. |
| apig-instances-ssl-enabled | apig | If no SSL certificates are attached to a dedicated APIG gateway, this gateway is noncompliant. |
| as-group-elb-healthcheck-required | as | If an AS group does not have health check enabled, this AS group is noncompliant. |
| elb-tls-https-listeners-only | elb | If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
| vpc-sg-restricted-ssh | vpc | If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens TCP port 22, this security group is noncompliant. |
| ecs-instance-in-vpc | ecs, vpc | If an ECS is not within the specified VPC, this ECS is noncompliant. |
| private-nat-gateway-authorized-vpc-only | nat | If a private NAT gateway is not in a specified VPC, this gateway is noncompliant. |
| vpc-sg-restricted-common-ports | vpc | If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is noncompliant. |
| vpc-default-sg-closed | vpc | If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
| vpc-flow-logs-enabled | vpc | If a VPC does not have the flow log enabled, this VPC is noncompliant. |
| vpc-acl-unused-check | vpc | If a network ACL is not attached to any subnets, this ACL is noncompliant. |
| vpc-sg-ports-check | vpc | If a security group has the source address set to 0.0.0.0/0 or ::/0 and opens all TCP/UDP ports, this security group is noncompliant. |
| vpn-connections-active | vpnaas | If a VPN connection is not connected normally, this VPN connection is noncompliant. |