

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

# Curated SCPs and Config rules
<a name="scp-library-compliance"></a>

Curated SCPs and Config rules for AMS Advanced.
+ **Service control policies (SCPs)**: The SCPs provided here are in addition to the default AMS policies.

  You can use these library controls together with the default library controls to satisfy specific security requirements.
+ **Config rules**: AMS recommends applying conformance packs (see [Conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html) in the AWS Config guide) in addition to the default AMS Config rules (for the default rules, see the AMS artifacts). Conformance packs cover most compliance requirements, and AWS updates them regularly.

  The rules listed here can be used to cover use-case-specific gaps that the conformance packs do not cover.

**Note**  
As the AMS default rules and the conformance packs are updated over time, you may see duplicates of these rules.  
AMS recommends periodically cleaning up duplicate Config rules.  
For AMS Advanced, Config rules should not use auto-remediation (see [Remediating noncompliant AWS resources by AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html)) to avoid out-of-band changes.
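Finding the duplicates the note refers to is easier on the rule's managed source identifier and input parameters than on its name, because a conformance pack appends a generated suffix to each rule name. The following is an added example, not AMS or AWS code: it takes rule dictionaries in the shape of the `ConfigRules` list returned by the AWS Config `DescribeConfigRules` API and groups them by `(Owner, SourceIdentifier, InputParameters)`. The rule names and suffixes in the sample data are constructed; the function only reports, it does not delete anything.

```python
"""Group AWS Config rules that run the same managed check with the same parameters.

Added example, not part of the AMS documentation. Input rows follow the shape of
DescribeConfigRules.ConfigRules; the sample rule names below are constructed.
"""
import json
from collections import defaultdict


def rule_key(rule):
    """Comparable key: (Owner, SourceIdentifier, sorted InputParameters).

    InputParameters is a JSON-encoded string in the API response, so it is parsed
    and sorted to make key order irrelevant. A missing or empty parameter string
    is treated as "no parameters".
    """
    source = rule.get("Source", {})
    raw = rule.get("InputParameters") or "{}"
    try:
        params = json.loads(raw)
    except json.JSONDecodeError:
        params = {"_unparsed": raw}
    normalized = tuple(sorted((k, str(v)) for k, v in params.items()))
    return (source.get("Owner"), source.get("SourceIdentifier"), normalized)


def find_duplicate_rules(rules):
    """Return {key: [rule names]} for every key shared by two or more rules."""
    groups = defaultdict(list)
    for rule in rules:
        groups[rule_key(rule)].append(rule["ConfigRuleName"])
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


# Constructed sample: an account-level rule next to its conformance-pack twin,
# plus a rule with a different threshold, which is not a duplicate.
SAMPLE_RULES = [
    {"ConfigRuleName": "access-keys-rotated",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": '{"maxAccessKeyAge":"90"}'},
    {"ConfigRuleName": "access-keys-rotated-conformance-pack-abcd1234",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": '{"maxAccessKeyAge":"90"}'},
    {"ConfigRuleName": "access-keys-rotated-strict",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": '{"maxAccessKeyAge":"30"}'},
    {"ConfigRuleName": "s3-bucket-logging-enabled",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_LOGGING_ENABLED"}},
    {"ConfigRuleName": "s3-bucket-logging-enabled-conformance-pack-efgh5678",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_LOGGING_ENABLED"},
     "InputParameters": "{}"},
]


def duplicate_names(rules=SAMPLE_RULES):
    """Sorted list of every rule name that has at least one duplicate."""
    return sorted(name for names in find_duplicate_rules(rules).values() for name in names)


if __name__ == "__main__":
    for key, names in find_duplicate_rules(SAMPLE_RULES).items():
        print(f"{key[1]} {dict(key[2])}: {', '.join(names)}")
```

With boto3, the same function can be fed `config.describe_config_rules()["ConfigRules"]` (paginated). Which copy to keep is a judgement call: the conformance-pack copy is replaced on each pack update, so retiring the hand-created copy is usually the lower-maintenance choice.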

## SCP-AMS-001: Restrict EBS creation
<a name="scp-ebs-create"></a>

Prevent the creation of EBS volumes unless encryption is enabled.

```
{
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  },
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Effect": "Deny"
}
```

## SCP-AMS-002: Restrict EC2 launch
<a name="scp-ec2-launch"></a>

Prevent EC2 instance launches if the EBS volumes are not encrypted. This includes denying EC2 launches from unencrypted AMIs, because this SCP also applies to the root volume.

```
{
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  },
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:volume/*",
  "Effect": "Deny"
}
```

## SCP-ADV-001: Restrict RFC submission
<a name="scp-restrict-rfcs"></a>

Restrict the default AMS roles from submitting specific automated RFCs, such as **Create VPC** or **Delete VPC**. This is useful if you want to apply more granular permissions to federated roles.

For example, you might want the default `AWSManagedServicesChangeManagementRole` to be able to submit most of the available RFCs, except for the RFCs that create and delete VPCs, create additional subnets, terminate application accounts, or update or delete SAML identity providers:

## SCP-AMS-003: Restrict EC2 or RDS creation in AMS
<a name="scp-restrict-ec2-rds-creation"></a>

Prevent the creation of Amazon EC2 and RDS instances that lack a specific tag, while allowing the AMS default `AMS Backup IAM` role to create them. This exception is required for disaster recovery (DR).

```
{
    "Sid": "DenyRunInstanceWithNoOrganizationTag",
    "Effect": "Deny",
    "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance"
    ],
    "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*"
    ],
    "Condition": {
        "Null": {
            "aws:RequestTag/organization": "true"
        },
        "StringNotLike": {
            "aws:PrincipalArn": [
                "arn:aws:iam::<Account_Number>:role/ams-backup-iam-role"
            ]
        }
    }
}
```

## SCP-AMS-004: Restrict S3 uploads
<a name="scp-prevent-s3-uploads"></a>

Prevent uploads of unencrypted S3 objects.

```
{
  "Sid": "DenyUnencryptedS3Uploads",
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "*",
  "Condition": {
    "StringNotLike": {
      "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
    },
    "Null": {
      "s3:x-amz-server-side-encryption": "false"
    }
  }
}
```

## SCP-AMS-005: Restrict API and console access
<a name="scp-prevent-access"></a>

Prevent AWS console and API access for requests that originate from known bad IP addresses, at the discretion of the customer's InfoSec team.

## SCP-AMS-006: Prevent IAM entities from removing member accounts from the organization
<a name="scp-prevent-iam-entity"></a>

Prevent AWS Identity and Access Management entities from removing member accounts from the organization.

```
{
  "Effect": "Deny",
  "Action": ["organizations:LeaveOrganization"],
  "Resource": ["*"]
}
```

## SCP-AMS-007: Prevent sharing resources with accounts outside your organization
<a name="scp-prevent-sharing-resources"></a>

Prevent sharing resources with accounts outside the AWS organization.

```
  {
    "Effect": "Deny",
    "Action": [
      "ram:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "Bool": {
        "ram:AllowsExternalPrincipals": "true"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": [
      "ram:CreateResourceShare",
      "ram:UpdateResourceShare"
    ],
    "Resource": "*",
    "Condition": {
      "Bool": {
        "ram:RequestedAllowsExternalPrincipals": "true"
      }
    }
  }
```

## SCP-AMS-008: Prevent sharing with organizations or organizational units (OUs)
<a name="scp-prevent-sharing-with-organizations"></a>

Prevent sharing resources with accounts and/or OUs in the organization.

```
{
  "Effect": "Deny",
  "Action": [
    "ram:CreateResourceShare",
    "ram:AssociateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "ram:Principal": [
        "arn:aws:organizations::*:account/o-${OrganizationId}/${AccountId}",
        "arn:aws:organizations::*:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}"
      ]
    }
  }
}
```

## SCP-AMS-009: Prevent users from accepting resource share invitations
<a name="scp-prevent-resource-share-acceptance"></a>

Prevent member accounts from accepting AWS RAM invitations to join resource shares. This API does not support any conditions, and it prevents sharing from external accounts only.

```
{
  "Effect": "Deny",
  "Action": ["ram:AcceptResourceShareInvitation"],
  "Resource": ["*"]
}
```

## SCP-AMS-010: Prevent account Region enable and disable actions
<a name="scp-prevent-account-region-enable-disable"></a>

Prevent enabling or disabling any new AWS Region for your AWS account.

```
{
  "Effect": "Deny",
  "Action": [
    "account:EnableRegion",
    "account:DisableRegion"
  ],
  "Resource": "*"
}
```

## SCP-AMS-011: Prevent billing modification actions
<a name="scp-prevent-billing-modification"></a>

Prevent modification of the billing and payment configuration.

```
{
  "Effect": "Deny",
  "Action": [
    "aws-portal:ModifyBilling",
    "aws-portal:ModifyAccount",
    "aws-portal:ModifyPaymentMethods"
  ],
  "Resource": "*"
}
```

## SCP-AMS-012: Prevent deletion or modification of specific CloudTrail trails
<a name="scp-prevent-cloudtrail-modification"></a>

Prevent modification of specific AWS CloudTrail trails.

```
{
  "Effect": "Deny",
  "Action": [
    "cloudtrail:DeleteEventDataStore",
    "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:UpdateEventDataStore",
    "cloudtrail:UpdateTrail",
    "cloudtrail:StopLogging"
  ],
  "Resource": [
    "arn:${Partition}:cloudtrail:${Region}:${Account}:trail/${TrailName}"
  ]
}
```

## SCP-AMS-013: Prevent disabling default EBS encryption
<a name="scp-prevent-disable-ebs-encryption"></a>

Prevent disabling default Amazon EBS encryption.

```
{
  "Effect": "Deny",
  "Action": [
    "ec2:DisableEbsEncryptionByDefault"
  ],
  "Resource": "*"
}
```

## SCP-AMS-014: Prevent creation of default VPCs and subnets
<a name="scp-prevent-default-vpc-subnet-creation"></a>

Prevent the creation of default Amazon VPCs and subnets.

```
{
  "Effect": "Deny",
  "Action": [
    "ec2:CreateDefaultSubnet",
    "ec2:CreateDefaultVpc"
  ],
  "Resource": "*"
}
```

## SCP-AMS-015: Prevent disabling and modifying GuardDuty
<a name="scp-prevent-default-vpc-subnet-creation"></a>

Prevent modifying or disabling Amazon GuardDuty.

```
{
  "Effect": "Deny",
  "Action": [
    "guardduty:AcceptInvitation",
    "guardduty:ArchiveFindings",
    "guardduty:CreateDetector",
    "guardduty:CreateFilter",
    "guardduty:CreateIPSet",
    "guardduty:CreateMembers",
    "guardduty:CreatePublishingDestination",
    "guardduty:CreateSampleFindings",
    "guardduty:CreateThreatIntelSet",
    "guardduty:DeclineInvitations",
    "guardduty:DeleteDetector",
    "guardduty:DeleteFilter",
    "guardduty:DeleteInvitations",
    "guardduty:DeleteIPSet",
    "guardduty:DeleteMembers",
    "guardduty:DeletePublishingDestination",
    "guardduty:DeleteThreatIntelSet",
    "guardduty:DisableOrganizationAdminAccount",
    "guardduty:DisassociateFromMasterAccount",
    "guardduty:DisassociateMembers",
    "guardduty:InviteMembers",
    "guardduty:StartMonitoringMembers",
    "guardduty:StopMonitoringMembers",
    "guardduty:TagResource",
    "guardduty:UnarchiveFindings",
    "guardduty:UntagResource",
    "guardduty:UpdateDetector",
    "guardduty:UpdateFilter",
    "guardduty:UpdateFindingsFeedback",
    "guardduty:UpdateIPSet",
    "guardduty:UpdateMalwareScanSettings",
    "guardduty:UpdateMemberDetectors",
    "guardduty:UpdateOrganizationConfiguration",
    "guardduty:UpdatePublishingDestination",
    "guardduty:UpdateThreatIntelSet"
  ],
  "Resource": "*"
}
```

## SCP-AMS-016: Prevent root user activity
<a name="scp-prevent-root-user-activity"></a>

Prevent the root user from performing any action.

```
{
  "Action": "*",
  "Resource": "*",
  "Effect": "Deny",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::*:root"
      ]
    }
  }
}
```

## SCP-AMS-017: Prevent access key creation for the root user
<a name="scp-prevent-access-key-creation"></a>

Prevent the creation of access keys for the root user.

```
{
  "Effect": "Deny",
  "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::*:root"
}
```

## SCP-AMS-018: Prevent disabling the S3 account public access block
<a name="scp-prevent-disabling-s3-public-access-block"></a>

Prevent disabling the Amazon S3 account-level public access block. This keeps any bucket in the account from becoming public.

```
{
  "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock",
  "Resource": "*"    
}
```

## SCP-AMS-019: Prevent disabling AWS Config or modifying Config rules
<a name="scp-prevent-modifying-config-rules"></a>

Prevent disabling or modifying AWS Config rules.

```
{
  "Effect": "Deny",
  "Action": [
    "config:DeleteConfigRule",
    "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "config:DeleteEvaluationResults",
    "config:StopConfigurationRecorder"
  ],
  "Resource": "*"
}
```

## SCP-AMS-020: Prevent all IAM actions
<a name="scp-prevent-iam-actions"></a>

Prevent all IAM actions.

```
{
  "Effect": "Deny",
  "Action": [
    "iam:*"
  ],
  "Resource": "*"
}
```

## SCP-AMS-021: Prevent deletion of CloudWatch Logs groups and streams
<a name="scp-prevent-iam-actions"></a>

Prevent deletion of Amazon CloudWatch Logs log groups and log streams.

```
{
  "Effect": "Deny",
  "Action": [
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream"
  ],
  "Resource": "*"
}
```

## SCP-AMS-022: Prevent Glacier deletion
<a name="scp-prevent-glacier-deletion"></a>

Prevent deletion of Amazon Glacier archives and vaults.

```
{
  "Effect": "Deny",
  "Action": [
    "glacier:DeleteArchive",
    "glacier:DeleteVault"
  ],
  "Resource": "*"
}
```

## SCP-AMS-023: Prevent IAM Access Analyzer deletion
<a name="scp-prevent-iam-access-analyzer-deletion"></a>

Prevent deletion of IAM Access Analyzer analyzers.

```
{
  "Action": [
    "access-analyzer:DeleteAnalyzer"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
```

## SCP-AMS-024: Prevent modification of Security Hub CSPM
<a name="scp-prevent-security-hub-modification"></a>

Prevent deletion of AWS Security Hub CSPM.

```
{
  "Action": [
    "securityhub:DeleteInvitations",
    "securityhub:DisableSecurityHub",
    "securityhub:DisassociateFromMasterAccount",
    "securityhub:DeleteMembers",
    "securityhub:DisassociateMembers"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
```

## SCP-AMS-025: Prevent deletions under Directory Service
<a name="scp-prevent-directory-service-deletion"></a>

Prevent deletion of resources under Directory Service.

```
{
  "Action": [
    "ds:DeleteDirectory",
    "ds:DeleteLogSubscription",
    "ds:DeleteSnapshot",
    "ds:DeleteTrust",
    "ds:DeregisterCertificate",
    "ds:DeregisterEventTopic",
    "ds:DisableLDAPS",
    "ds:DisableRadius",
    "ds:DisableSso",
    "ds:UnshareDirectory"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
```

## SCP-AMS-026: Prevent use of denylisted services
<a name="scp-prevent-denylisted-service"></a>

Prevent use of denylisted services.

**Note**  
Replace *service1* and *service2* with your service names, for example *Access-analyzer* or *IAM*.

```
{
  "Effect": "Deny",
  "Resource": "*",
  "Action": ["service1:*", "service2:*"]
}
```

## SCP-AMS-027: Prevent use of denylisted services in specific Regions
<a name="scp-prevent-denylisted-service-specifc-regions"></a>

Prevent use of denylisted services in specific AWS Regions.

**Note**  
Replace *service1* and *service2* with your service names, for example *Access-analyzer* or *IAM*.  
Replace *region1* and *region2* with your Region names, for example *us-west-2* or *us-east-1*.

```
{
  "Effect": "Deny",
  "Resource": "*",
  "Action": ["service1:*", "service2:*"],
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": [
        "region1",
        "region2"
      ]
    }
  }
}
```

## SCP-AMS-028: Prevent tag modification except by authorized principals
<a name="scp-prevent-tag-modifications"></a>

Prevent any user other than authorized principals from modifying tags. Use an authorization tag to authorize principals. The authorization tag must be attached to both the resource and the principal; a user or role is considered authorized only when the tag on the resource and the tag on the principal match. For more information, see the following resources:
+ [Securing resource tags used for authorization using a service control policy in AWS Organizations](https://aws.amazon.com/blogs/security/securing-resource-tags-used-for-authorization-using-service-control-policy-in-aws-organizations/)
+ [Prevent tags from being modified except by authorized principals](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html#example-require-restrict-tag-mods-to-admin)

```
{
  "Effect": "Deny",
  "Action": [
    "ec2:CreateTags",
    "ec2:DeleteTags"
  ],
  "Resource": [
    "*"
  ],
  "Condition": {
    "StringNotEquals": {
      "ec2:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
      "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
    },
    "Null": {
      "ec2:ResourceTag/access-project": false
    }
  }
},
{
  "Effect": "Deny",
  "Action": [
    "ec2:CreateTags",
    "ec2:DeleteTags"
  ],
  "Resource": [
    "*"
  ],
  "Condition": {
    "StringNotEquals": {
      "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
      "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
    },
    "ForAnyValue:StringEquals": {
      "aws:TagKeys": [
        "access-project"
      ]   
    }   
  }
},
{       
  "Effect": "Deny", 
  "Action": [
    "ec2:CreateTags",
    "ec2:DeleteTags"
  ],      
  "Resource": [
    "*"     
  ],      
  "Condition": {
    "StringNotEquals": {
      "aws:PrincipalArn": "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
    },      
    "Null": {
      "aws:PrincipalTag/access-project": true
    }       
  }       
}
```
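Because the three statements above rely on how IAM treats an absent condition key (`Null` is true, `StringNotEquals` matches, other operators fail), it helps to trace a few requests through them by hand. The following is an added example, not AWS or AMS code and no substitute for the IAM policy simulator: a small evaluator for the operators used in SCP-AMS-003 and SCP-AMS-028, run against constructed request contexts. The account ID `111122223333`, the role ARNs (including the authorized principal `tag-admin` that stands in for the `{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}` placeholder) and the tag values are constructed; `${...}` policy variables are resolved from the request context, and resource ARN matching is not modelled.

```python
"""Simulate how the Deny statements of SCP-AMS-003 and SCP-AMS-028 evaluate.

Added example, not AWS or AMS code and no substitute for the IAM policy simulator.
Only the condition operators these statements use are implemented, with IAM's
missing-key semantics (Null true, StringNot* matching, other operators failing
when the key is absent); ${...} policy variables resolve from the request context
and resource matching is not modelled. Account ID, ARNs and contexts are constructed.
"""
import fnmatch
import re

NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike"}
ACCOUNT = "111122223333"  # constructed; stands in for <Account_Number> and {ACCOUNT_ID} above
TAG_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/tag-admin"  # constructed authorized principal for SCP-AMS-028
BACKUP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ams-backup-iam-role"

def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _resolve(expected, ctx):
    # Substitute ${key} policy variables from the context; an unresolved variable becomes "".
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), str(expected))

def _compare(op, value, expected):
    if op == "StringEquals":
        return value == expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(value, expected)
    if op == "NumericGreaterThan":
        return float(value) > float(expected)
    if op == "NumericLessThan":
        return float(value) < float(expected)
    raise ValueError(f"unsupported condition operator {op}")

def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition key under one operator against the request context."""
    qualifier, _, op = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> ForAnyValue, StringEquals
    expected = [_resolve(e, ctx) for e in _as_list(expected)]
    if op == "Null":
        return (key not in ctx) == (expected[0].lower() == "true")
    negated = op in NEGATED
    if key not in ctx:
        return negated
    hits = [any(_compare(NEGATED.get(op, op), str(v), e) for e in expected) for v in _as_list(ctx[key])]
    matched = any(hits) if qualifier == "ForAnyValue" else all(hits)
    return not matched if negated else matched

def statement_denies(stmt, action, ctx):
    """A Deny statement applies when the action matches and every condition holds."""
    if stmt.get("Effect") != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return all(condition_matches(operator, key, expected, ctx)
               for operator, pairs in stmt.get("Condition", {}).items() for key, expected in pairs.items())

def is_denied(statements, action, ctx):
    return any(statement_denies(s, action, ctx) for s in statements)

# SCP-AMS-003 and the three SCP-AMS-028 statements above; Resource is omitted because it is not evaluated here.
SCP_AMS_003 = [{"Effect": "Deny", "Action": ["ec2:RunInstances", "rds:CreateDBInstance"],
                "Condition": {"Null": {"aws:RequestTag/organization": "true"},
                              "StringNotLike": {"aws:PrincipalArn": [BACKUP_ROLE]}}}]

SCP_AMS_028 = [
    {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Condition": {"StringNotEquals": {"ec2:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
                                       "aws:PrincipalArn": TAG_ADMIN},
                   "Null": {"ec2:ResourceTag/access-project": False}}},
    {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Condition": {"StringNotEquals": {"aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
                                       "aws:PrincipalArn": TAG_ADMIN},
                   "ForAnyValue:StringEquals": {"aws:TagKeys": ["access-project"]}}},
    {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Condition": {"StringNotEquals": {"aws:PrincipalArn": TAG_ADMIN},
                   "Null": {"aws:PrincipalTag/access-project": True}}},
]

def evaluate_samples():
    """Constructed request contexts; returns {case: denied?}."""
    app = f"arn:aws:iam::{ACCOUNT}:role/app-deployer"
    dev = {"aws:PrincipalArn": app, "aws:PrincipalTag/access-project": "alpha"}
    cases = {
        "003 untagged launch, app role": (SCP_AMS_003, "ec2:RunInstances", {"aws:PrincipalArn": app}),
        "003 untagged launch, backup role": (SCP_AMS_003, "ec2:RunInstances", {"aws:PrincipalArn": BACKUP_ROLE}),
        "003 tagged launch, app role": (SCP_AMS_003, "ec2:RunInstances",
                                        {"aws:PrincipalArn": app, "aws:RequestTag/organization": "payments"}),
        "028 alpha principal adds Name tag to alpha resource": (SCP_AMS_028, "ec2:CreateTags",
            {**dev, "ec2:ResourceTag/access-project": "alpha", "aws:TagKeys": ["Name"]}),
        "028 alpha principal tags beta resource": (SCP_AMS_028, "ec2:CreateTags",
            {**dev, "ec2:ResourceTag/access-project": "beta", "aws:TagKeys": ["Name"]}),
        "028 alpha principal rewrites access-project on own resource": (SCP_AMS_028, "ec2:CreateTags",
            {**dev, "ec2:ResourceTag/access-project": "alpha", "aws:RequestTag/access-project": "beta",
             "aws:TagKeys": ["access-project"]}),
        "028 untagged principal tags untagged resource": (SCP_AMS_028, "ec2:CreateTags",
            {"aws:PrincipalArn": app, "aws:TagKeys": ["Name"]}),
        "028 tag admin sets access-project": (SCP_AMS_028, "ec2:CreateTags",
            {"aws:PrincipalArn": TAG_ADMIN, "ec2:ResourceTag/access-project": "beta",
             "aws:RequestTag/access-project": "gamma", "aws:TagKeys": ["access-project"]}),
    }
    return {name: is_denied(policy, action, ctx) for name, (policy, action, ctx) in cases.items()}
```

Calling `evaluate_samples()` shows the intended pattern: a principal tagged `access-project=alpha` may add unrelated tags to an `alpha` resource but is denied on a `beta` resource, is denied when it tries to rewrite the `access-project` key itself, and a principal with no `access-project` tag at all is denied by the third statement; only the authorized principal passes every statement. For SCP-AMS-003, the untagged launch is denied for an application role and allowed for the backup role. The simulator confirms the policy logic, not IAM's full evaluation (resource ARNs, permission boundaries and session policies are out of scope).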

## SCP-AMS-029: Prevent users from deleting Amazon VPC Flow Logs
<a name="scp-prevent-vpc-flow-log-deletion"></a>

Prevent deletion of Amazon VPC Flow Logs.

```
{
  "Action": [
    "ec2:DeleteFlowLogs",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutLifecycleConfiguration",
    "firehose:DeleteDeliveryStream"
  ],
  "Resource": "*",
  "Effect": "Deny"
}
```

## SCP-AMS-030: Prevent sharing VPC subnets with accounts other than the network account
<a name="scp-prevent-sharing-vpc-subnet"></a>

Prevent sharing Amazon VPC subnets with accounts other than the network account.

**Note**  
Replace *NETWORK_ACCOUNT_ID* with your network account ID.

```
{
  "Effect": "Deny",
  "Action": [
    "ram:AssociateResourceShare",
    "ram:CreateResourceShare"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "ram:Principal": "NETWORK_ACCOUNT_ID"
    },
    "StringEquals": {
      "ram:RequestedResourceType": "ec2:Subnet"
    }
  }
}
```

## SCP-AMS-031: Prevent launching instances with prohibited instance types
<a name="scp-prevent-launching-prohibited-instances"></a>

Prevent launching prohibited Amazon EC2 instance types.

**Note**  
Replace *instance_type1* and *instance_type2* with the instance types you want to restrict, for example *t2.micro*, or a wildcard string such as *\*.nano*.

```
{
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": [
    "arn:aws:ec2:*:*:instance/*"
  ],
  "Condition": {
    "ForAnyValue:StringLike": {
      "ec2:InstanceType": [
        "instance_type1", 
        "instance_type2"
      ]
    }
  }
}
```

## SCP-AMS-032: Prevent launching instances without IMDSv2
<a name="scp-prevent-launching-instances-without-imdsv2"></a>

Prevent launching Amazon EC2 instances that do not require IMDSv2.

```
[
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringNotEquals": {
        "ec2:MetadataHttpTokens": "required"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "NumericGreaterThan": {
        "ec2:MetadataHttpPutResponseHopLimit": "3"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NumericLessThan": {
        "ec2:RoleDelivery": "2.0"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:ModifyInstanceMetadataOptions",
    "Resource": "*"
  }
]
```
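An SCP governs only new `RunInstances` and `ModifyInstanceMetadataOptions` calls; instances launched before the SCP was attached keep their metadata settings. The following is an added example, not AWS or AMS code, that applies the same thresholds as the SCP above (`HttpTokens` must be `required`, `HttpPutResponseHopLimit` at most 3) to the `MetadataOptions` block of EC2 `DescribeInstances` output, so the existing fleet can be reviewed once. The instance records are constructed sample data; with boto3 the same function takes `ec2.describe_instances()["Reservations"]`.

```python
"""Inventory check for the IMDSv2 settings that SCP-AMS-032 enforces on new launches.

Added example, not AWS or AMS code. Evaluates the MetadataOptions block of EC2
DescribeInstances output against the SCP's thresholds. Sample data is constructed.
"""
MAX_HOP_LIMIT = 3  # the SCP denies NumericGreaterThan ec2:MetadataHttpPutResponseHopLimit 3


def check_metadata_options(instance, max_hop_limit=MAX_HOP_LIMIT):
    """Return the deviations of one instance from the SCP's requirements (empty if none)."""
    opts = instance.get("MetadataOptions", {})
    issues = []
    tokens = opts.get("HttpTokens", "optional")
    if tokens != "required":
        issues.append(f"HttpTokens={tokens}: IMDSv1 still answers on this instance")
    hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
    if hop_limit > max_hop_limit:
        issues.append(f"HttpPutResponseHopLimit={hop_limit} exceeds {max_hop_limit}")
    return issues


def noncompliant_instances(reservations):
    """Map InstanceId -> issues for every instance that deviates from the SCP."""
    result = {}
    for reservation in reservations:
        for instance in reservation.get("Instances", []):
            issues = check_metadata_options(instance)
            if issues:
                result[instance["InstanceId"]] = issues
    return result


SAMPLE_RESERVATIONS = [{"Instances": [  # constructed sample data
    {"InstanceId": "i-0bbb000000000001",
     "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb000000000002",
     "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb000000000003",  # e.g. a container host given a hop limit above the SCP's ceiling
     "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 4}},
]}]


def sample_findings():
    return noncompliant_instances(SAMPLE_RESERVATIONS)


if __name__ == "__main__":
    for instance_id, issues in sample_findings().items():
        print(instance_id, "->", "; ".join(issues))
```

Once the SCP's fourth statement is in place, `ModifyInstanceMetadataOptions` is denied for everyone in the member account, so any remediation of the instances this check reports has to be planned before the SCP is attached, or run from a principal outside its scope.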

## SCP-AMS-033: Prevent modification of specific IAM roles
<a name="scp-prevent-modifications-to-iam-roles"></a>

Prevent modification of the specified IAM roles.

```
{
  "Action": [
    "iam:AttachRolePolicy",
    "iam:DeleteRole",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy",
    "iam:TagRole",
    "iam:UntagRole",
    "iam:UpdateAssumeRolePolicy",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription"
  ],
  "Resource": [
     "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}"
  ],
  "Effect": "Deny"
}
```

## SCP-AMS-034: Prevent AssumeRolePolicy modification on specific IAM roles
<a name="scp-prevent-assumerolepolicy-modifications"></a>

Prevent modification of the AssumeRolePolicy of the specified IAM roles.

```
{
  "Action": [
    "iam:UpdateAssumeRolePolicy"
  ],
  "Resource": [
     "arn:aws:iam::{ACCOUNT_ID}:role/{RESOURCE_NAME}"
  ],
  "Effect": "Deny"
}
```

## ConfigRule: Required tags
<a name="cnfgrl-required-tags"></a>

Checks whether EC2 instances carry the custom tags you require. Besides InfoSec, this is also useful for cost management.

```
ConfigRuleName: required-tags
Description: >-
  A Config rule that checks whether EC2 instances have the required tags.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
InputParameters:
  tag1Key: COST_CENTER
  tag2Key: APP_ID
Source:
  Owner: AWS
  SourceIdentifier: REQUIRED_TAGS
```
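To see what the managed `REQUIRED_TAGS` check actually evaluates, here is an added local equivalent, not AWS or AMS code. It follows the managed rule's parameter scheme: `tag1Key` through `tag6Key` name the required keys, and an optional `tagNValue` holds a comma-separated list of accepted values for that key (no `tagNValue` means any value is accepted). The rule above sets only `COST_CENTER` and `APP_ID`; the `APP_ID` value list and the instance records are constructed sample data shaped like EC2 `DescribeInstances` output.

```python
"""Local equivalent of the REQUIRED_TAGS managed check over constructed instance data.

Added example, not AWS or AMS code. Parameters follow the managed rule's
tagNKey / tagNValue scheme; instances and values below are constructed.
"""


def parse_required_tags(params):
    """{'tag1Key': 'A', 'tag2Key': 'B', 'tag2Value': 'x,y'} -> {'A': set(), 'B': {'x', 'y'}}."""
    required = {}
    for n in range(1, 7):
        key = params.get(f"tag{n}Key")
        if key:
            values = params.get(f"tag{n}Value", "")
            required[key] = {v.strip() for v in values.split(",") if v.strip()}
    return required


def evaluate_instance(instance, required):
    """Return (compliance_type, annotation) the way a Config evaluation would."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    problems = []
    for key, allowed in required.items():
        if key not in tags:
            problems.append(f"missing tag {key}")
        elif allowed and tags[key] not in allowed:
            problems.append(f"tag {key}={tags[key]!r} not in {sorted(allowed)}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "all required tags present"


def evaluate_all(instances, params):
    required = parse_required_tags(params)
    return {i["InstanceId"]: evaluate_instance(i, required) for i in instances}


# Constructed: the page's two keys plus an accepted-value list for APP_ID.
SAMPLE_PARAMS = {"tag1Key": "COST_CENTER", "tag2Key": "APP_ID", "tag2Value": "payments,billing"}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001",
     "Tags": [{"Key": "COST_CENTER", "Value": "4711"}, {"Key": "APP_ID", "Value": "payments"}]},
    {"InstanceId": "i-0aaa000000000002", "Tags": [{"Key": "APP_ID", "Value": "billing"}]},
    {"InstanceId": "i-0aaa000000000003",
     "Tags": [{"Key": "COST_CENTER", "Value": "4711"}, {"Key": "APP_ID", "Value": "sandbox"}]},
    {"InstanceId": "i-0aaa000000000004", "Tags": []},
]


def sample_results():
    return evaluate_all(SAMPLE_INSTANCES, SAMPLE_PARAMS)


if __name__ == "__main__":
    for instance_id, (status, note) in sample_results().items():
        print(f"{instance_id} {status}: {note}")
```

The annotation strings are what a practitioner would want to see in the Config console for a non-compliant resource: which key is missing, or which value was rejected, rather than a bare NON_COMPLIANT.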

## ConfigRule: Access keys rotated
<a name="cnfgrl-access-key-rotate"></a>

Checks whether access keys are rotated within the specified period. Based on typical compliance requirements, this is usually set to 90 days.

```
ConfigRuleName: access-keys-rotated
Description: >-
  A config rule that checks whether the active access keys are rotated
  within the number of days specified in maxAccessKeyAge. The rule is
  NON_COMPLIANT if the access keys have not been rotated for more than
  maxAccessKeyAge number of days.
InputParameters:
  maxAccessKeyAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: ACCESS_KEYS_ROTATED
MaximumExecutionFrequency: TwentyFour_Hours
```

## ConfigRule: IAM root access key in AMS
<a name="cnfgrl-iam-root-rotate"></a>

Checks that the account has no root access keys. For AMS Advanced accounts, this compliance is expected to be available out of the box.

```
ConfigRuleName: iam-root-access-key-check
Description: >-
  A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist.
Source:
  Owner: AWS
  SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
```

## ConfigRule: SSM-managed EC2
<a name="cnfgrl-ssm-managed"></a>

Checks whether your EC2 instances are managed by AWS Systems Manager (SSM).

```
ConfigRuleName: ec2-instance-managed-by-systems-manager
Description: >-
  A Config rule that checks whether the EC2 instances in the
  account are managed by AWS Systems Manager.
Scope:
  ComplianceResourceTypes:
    - 'AWS::EC2::Instance'
    - 'AWS::SSM::ManagedInstanceInventory'
Source:
  Owner: AWS
  SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
```

## ConfigRule: Unused IAM users in AMS
<a name="cnfgrl-unused-user"></a>

Checks for IAM user credentials that have not been used within the specified period. As with the key rotation check, this typically defaults to 90 days based on typical compliance requirements.

```
ConfigRuleName: iam-user-unused-credentials-check
Description: >-
  A config rule that checks whether IAM users have passwords
  or active access keys that have not been used within the
  specified number of days provided.
InputParameters:
  maxCredentialUsageAge: '90'
Source:
  Owner: AWS
  SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
```
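Both this rule and the access-keys-rotated rule above reduce to date arithmetic over the IAM credential report, which is useful to reproduce locally when a finding needs explaining. The following is an added example, not AWS or AMS code: it reads a credential report (the CSV returned by `GetCredentialReport`), flags active access keys not rotated within `maxAccessKeyAge` days and passwords or keys unused for more than `maxCredentialUsageAge` days, both 90 as in the rules above. The report is constructed sample data that keeps only the columns the checks need; the real report has more columns but the same names and placeholders (`N/A`, `no_information`, `not_supported`). Aging a never-used key from its last rotation is an assumption of this example.

```python
"""Offline equivalent of the access-keys-rotated and iam-user-unused-credentials checks.

Added example, not AWS or AMS code. Reads an IAM credential report CSV; the report
below is constructed and keeps only the columns the checks need.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,not_supported,no_information,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T08:00:00+00:00,true,2024-06-20T11:05:00+00:00,true,2024-05-01T00:00:00+00:00,2024-06-25T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-05-05T00:00:00+00:00,true,2024-01-03T00:00:00+00:00,true,2023-12-01T00:00:00+00:00,2024-06-01T00:00:00+00:00,false,N/A,N/A
svc-ci,arn:aws:iam::111122223333:user/svc-ci,2023-09-09T00:00:00+00:00,false,N/A,true,2023-10-15T00:00:00+00:00,N/A,true,2024-06-01T00:00:00+00:00,2024-06-28T00:00:00+00:00
"""


def parse_time(value):
    """Timestamps are ISO 8601; the report's placeholders mean 'no date'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_user(row, max_key_age=90, max_unused_age=90, now=NOW):
    """Return the list of findings for one credential-report row (empty means compliant)."""
    findings = []
    rotate_before = now - timedelta(days=max_key_age)
    used_after = now - timedelta(days=max_unused_age)
    if row["password_enabled"] == "true":
        last = parse_time(row["password_last_used"]) or parse_time(row["user_creation_time"])
        if last is None or last < used_after:
            findings.append(f"password unused for more than {max_unused_age} days")
    for n in (1, 2):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = parse_time(row[f"access_key_{n}_last_rotated"])
        if rotated is None or rotated < rotate_before:
            findings.append(f"access_key_{n} not rotated within {max_key_age} days")
        # Assumption: a key that was never used is aged from its last rotation.
        used = parse_time(row[f"access_key_{n}_last_used_date"]) or rotated
        if used is None or used < used_after:
            findings.append(f"access_key_{n} unused for more than {max_unused_age} days")
    return findings


def report_findings(report_csv=SAMPLE_REPORT, **limits):
    """Map user name -> findings; an empty list means the user passes both checks."""
    return {row["user"]: check_user(row, **limits) for row in csv.DictReader(io.StringIO(report_csv))}


if __name__ == "__main__":
    for user, findings in report_findings().items():
        print(f"{user}: {'; '.join(findings) or 'OK'}")
```

With boto3, `iam.generate_credential_report()` followed by `iam.get_credential_report()["Content"].decode()` yields the same CSV. The root row is skipped by both checks here because its password column reads `not_supported` and it has no active keys, which is the state the IAM root access key rule above expects.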

## ConfigRule: S3 bucket logging
<a name="cnfgrl-s3-logging"></a>

Checks whether logging is enabled for the S3 buckets in the account.

```
ConfigRuleName: s3-bucket-logging-enabled
Description: >-
  A Config rule that checks whether logging is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
```

## ConfigRule: S3 bucket versioning
<a name="cnfgrl-s3-versioning"></a>

Checks whether versioning, and optionally MFA delete, is enabled on all S3 buckets.

```
ConfigRuleName: s3-bucket-versioning-enabled
Description: >-
  A Config rule that checks whether versioning is enabled for S3
  buckets. Optionally, the rule checks if MFA delete is enabled for S3 buckets.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::Bucket'
Source:
  Owner: AWS
  SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
```

## ConfigRule: S3 public access
<a name="cnfgrl-s3-public-access"></a>

Checks whether the public access settings (public ACLs, public policies, public buckets) are restricted at the account level.

```
ConfigRuleName: s3-account-level-public-access-blocks
Description: >-
  A Config rule that checks whether the required public access block
  settings are configured from account level. The rule is only
  NON_COMPLIANT when the fields set below do not match the corresponding
  fields in the configuration item.
Scope:
  ComplianceResourceTypes:
    - 'AWS::S3::AccountPublicAccessBlock'
InputParameters:
  IgnorePublicAcls: 'True'
  BlockPublicPolicy: 'True'
  BlockPublicAcls: 'True'
  RestrictPublicBuckets: 'True'
Source:
  Owner: AWS
  SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
```

## ConfigRule: Non-archived GuardDuty findings
<a name="cnfgrl-gd-findings"></a>

Checks whether any non-archived GuardDuty findings are older than the specified durations. The defaults are 30 days for low-severity, 7 days for medium-severity, and 1 day for high-severity findings.

```
ConfigRuleName: guardduty-non-archived-findings
Description: >-
  A Config rule that checks whether the Amazon GuardDuty has findings that
  are non archived. The rule is NON_COMPLIANT if GuardDuty has non
  archived low/medium/high severity findings older than the specified number.
InputParameters:
  daysLowSev: '30'
  daysMediumSev: '7'
  daysHighSev: '1'
Source:
  Owner: AWS
  SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
MaximumExecutionFrequency: TwentyFour_Hours
```

## ConfigRule: CMK deletion
<a name="cnfgrl-cmk-deletion"></a>

Checks whether any AWS Key Management Service customer master keys (CMKs) are scheduled (also known as pending) for deletion. This matters because an unnoticed CMK deletion can leave data unrecoverable.

```
ConfigRuleName: kms-cmk-not-scheduled-for-deletion
Description: >-
  A config rule that checks whether customer master keys (CMKs) are not
  scheduled for deletion in AWS Key Management Service (AWS KMS). The rule is
  NON_COMPLIANT if CMKs are scheduled for deletion.
Source:
  Owner: AWS
  SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
MaximumExecutionF
requency: TwentyFour_Hours
```

## ConfigRule: CMK rotation
<a name="cnfgrl-cmk-rotation"></a>

Checks whether automatic rotation is enabled for every CMK in the account.

```
ConfigRuleName: cmk-backing-key-rotation-enabled
Description: >-
  A config rule that checks that key rotation is enabled for each customer
  master key (CMK). The rule is COMPLIANT, if the key rotation is enabled
  for specific key object. The rule is not applicable to CMKs that have
  imported key material.
Source:
  Owner: AWS
  SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
MaximumExecutionFrequency: TwentyFour_Hours
```