From 2e3dfd8e49212059ca013c707d850ab9f67184fa Mon Sep 17 00:00:00 2001
From: juan-vg
Date: Fri, 5 May 2023 12:27:45 +0200
Subject: [PATCH 1/2] Standardize RedshiftClusterConfigurationCheck across Low-Medium-High

---
 ...nal-Best-Practices-for-CCN-ENS-Medium.yaml | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml
index fddc4a6a..727a5f17 100644
--- a/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml
+++ b/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml
@@ -31,6 +31,12 @@ Parameters:
   IamPasswordPolicyParamRequireUppercaseCharacters:
     Default: 'true'
     Type: String
+  RedshiftClusterConfigurationCheckParamClusterDbEncrypted:
+    Default: 'true'
+    Type: String
+  RedshiftClusterConfigurationCheckParamLoggingEnabled:
+    Default: 'true'
+    Type: String
   RestrictedIncomingTrafficParamBlockedPort1:
     Default: '20'
     Type: String
@@ -806,8 +812,16 @@ Resources:
     Properties:
       ConfigRuleName: redshift-cluster-configuration-check
       InputParameters:
-        clusterDbEncrypted: 'TRUE'
-        loggingEnabled: 'TRUE'
+        clusterDbEncrypted:
+          Fn::If:
+          - redshiftClusterConfigurationCheckParamClusterDbEncrypted
+          - Ref: RedshiftClusterConfigurationCheckParamClusterDbEncrypted
+          - Ref: AWS::NoValue
+        loggingEnabled:
+          Fn::If:
+          - redshiftClusterConfigurationCheckParamLoggingEnabled
+          - Ref: RedshiftClusterConfigurationCheckParamLoggingEnabled
+          - Ref: AWS::NoValue
       Scope:
         ComplianceResourceTypes:
         - AWS::Redshift::Cluster
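Review bot: The two parameters added in the `@@ -31,6 +31,12 @@` hunk are typed `String` with no `AllowedValues`, so a mistyped value is accepted at stack creation and only shows up later as a rule evaluation problem, while an empty string silently drops the encryption or logging requirement from the rule because the `Fn::If` in the next hunk then emits `AWS::NoValue`. Since the matching conditions in the later `Conditions:` hunk only test for `''`, constraining each parameter with `AllowedValues: ['true', 'false', '']` would keep the opt-out path and reject typos. The existing rule parameters in this file appear to follow the same unconstrained pattern, so this may be a deliberate pack-wide convention; if it stays that way, a short comment on each new parameter such as `# '' omits this input from the rule; only 'true'/'false' are meaningful` would make the opt-out explicit to whoever overrides it.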
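Review bot: In the `@@ -806,8 +812,16 @@` hunk the hard-coded `'TRUE'` values are replaced by parameters whose defaults are `'true'`, so the case of the boolean sent to the managed rule changes as a side effect of the refactor. I would expect the rule to accept either spelling, but that is not visible here; confirming it once before the same change is rolled to the Low and High packs named in the subject avoids a silent evaluation change. A one-line note in the commit message, or a comment `# default is lowercase 'true'; previously hard-coded 'TRUE'`, would record that the case change was intentional.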
@@ -1228,6 +1242,16 @@ Conditions:
     - Fn::Equals:
       - ''
       - Ref: IamPasswordPolicyParamRequireUppercaseCharacters
+  redshiftClusterConfigurationCheckParamClusterDbEncrypted:
+    Fn::Not:
+    - Fn::Equals:
+      - ''
+      - Ref: RedshiftClusterConfigurationCheckParamClusterDbEncrypted
+  redshiftClusterConfigurationCheckParamLoggingEnabled:
+    Fn::Not:
+    - Fn::Equals:
+      - ''
+      - Ref: RedshiftClusterConfigurationCheckParamLoggingEnabled
   restrictedIncomingTrafficParamBlockedPort1:
     Fn::Not:
     - Fn::Equals:

From 4d2fef1455e2732e6c8006d124b9390ea027b3bc Mon Sep 17 00:00:00 2001
From: juan-vg
Date: Fri, 5 May 2023 12:29:49 +0200
Subject: [PATCH 2/2] Remove failing check RedshiftClusterConfigurationCheck2

According to https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-configuration-check.html this check makes no sense because 2 parameters are mandatory and they are already checked in RedshiftClusterConfigurationCheck

---
 .../Operational-Best-Practices-for-CCN-ENS-Medium.yaml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml
index 727a5f17..712a8239 100644
--- a/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml
+++ b/aws-config-conformance-packs/Operational-Best-Practices-for-CCN-ENS-Medium.yaml
@@ -829,16 +829,6 @@ Resources:
         Owner: AWS
         SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
     Type: AWS::Config::ConfigRule
-  RedshiftClusterConfigurationCheck2:
-    Properties:
-      ConfigRuleName: redshift-cluster-configuration-check-2
-      Scope:
-        ComplianceResourceTypes:
-        - AWS::Redshift::Cluster
-      Source:
-        Owner: AWS
-        SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
-    Type: AWS::Config::ConfigRule
   RedshiftClusterKmsEnabled:
     Properties:
       ConfigRuleName: redshift-cluster-kms-enabled