Package com.cloudforgeci.api.core.rules

Enum Class AwsConfigRule

java.lang.Object
java.lang.Enum<AwsConfigRule>
com.cloudforgeci.api.core.rules.AwsConfigRule
All Implemented Interfaces:
Serializable, Comparable<AwsConfigRule>, Constable
public enum AwsConfigRule extends Enum<AwsConfigRule>
AWS Config managed rules mapped to ComplianceMatrix SecurityControls.

This enum provides a single source of truth for:

  • Which AWS Config rules exist
  • Which SecurityControl each rule validates
  • Whether a rule is required based on compliance frameworks

Usage in ConfigRulesFactory:


 Set<AwsConfigRule> rulesToDeploy = AwsConfigRule.getRequiredRules(frameworks, mode);
 for (AwsConfigRule rule : rulesToDeploy) {
     deployConfigRule(rule.getRuleName());
 }

Multiple frameworks requiring the same SecurityControl will only deploy the Config rule once (deduplication via Set).

Since:
3.2.0
See Also:

  • Enum Constant Details

    • GUARDDUTY_ENABLED

      public static final AwsConfigRule GUARDDUTY_ENABLED

    • CLOUDTRAIL_ENABLED

      public static final AwsConfigRule CLOUDTRAIL_ENABLED

    • CLOUDTRAIL_LOG_FILE_VALIDATION

      public static final AwsConfigRule CLOUDTRAIL_LOG_FILE_VALIDATION

    • MULTI_REGION_CLOUDTRAIL

      public static final AwsConfigRule MULTI_REGION_CLOUDTRAIL

    • VPC_FLOW_LOGS_ENABLED

      public static final AwsConfigRule VPC_FLOW_LOGS_ENABLED

    • ELB_LOGGING_ENABLED

      public static final AwsConfigRule ELB_LOGGING_ENABLED

    • S3_BUCKET_ENCRYPTION

      public static final AwsConfigRule S3_BUCKET_ENCRYPTION

    • EBS_ENCRYPTION_BY_DEFAULT

      public static final AwsConfigRule EBS_ENCRYPTION_BY_DEFAULT

    • RDS_STORAGE_ENCRYPTED

      public static final AwsConfigRule RDS_STORAGE_ENCRYPTED

    • EFS_ENCRYPTED

      public static final AwsConfigRule EFS_ENCRYPTED

    • CLOUDWATCH_LOG_GROUP_ENCRYPTED

      public static final AwsConfigRule CLOUDWATCH_LOG_GROUP_ENCRYPTED

    • CLOUDTRAIL_ENCRYPTION_ENABLED

      public static final AwsConfigRule CLOUDTRAIL_ENCRYPTION_ENABLED

    • ALB_HTTPS_ONLY

      public static final AwsConfigRule ALB_HTTPS_ONLY

    • ELB_TLS_HTTPS_LISTENERS

      public static final AwsConfigRule ELB_TLS_HTTPS_LISTENERS

    • S3_BUCKET_SSL_REQUESTS

      public static final AwsConfigRule S3_BUCKET_SSL_REQUESTS

    • IAM_USER_GROUP_MEMBERSHIP

      public static final AwsConfigRule IAM_USER_GROUP_MEMBERSHIP

    • IAM_NO_ADMIN_ACCESS

      public static final AwsConfigRule IAM_NO_ADMIN_ACCESS

    • IAM_USER_MFA_ENABLED

      public static final AwsConfigRule IAM_USER_MFA_ENABLED

    • IAM_PASSWORD_POLICY

      public static final AwsConfigRule IAM_PASSWORD_POLICY

    • EC2_INSTANCES_IN_VPC

      public static final AwsConfigRule EC2_INSTANCES_IN_VPC

    • VPC_DEFAULT_SG_CLOSED

      public static final AwsConfigRule VPC_DEFAULT_SG_CLOSED

    • RESTRICTED_SSH

      public static final AwsConfigRule RESTRICTED_SSH

    • S3_BUCKET_LOGGING_ENABLED

      public static final AwsConfigRule S3_BUCKET_LOGGING_ENABLED

    • S3_BUCKET_VERSIONING_ENABLED

      public static final AwsConfigRule S3_BUCKET_VERSIONING_ENABLED

    • S3_BUCKET_DEFAULT_LOCK_ENABLED

      public static final AwsConfigRule S3_BUCKET_DEFAULT_LOCK_ENABLED

    • DB_INSTANCE_BACKUP_ENABLED

      public static final AwsConfigRule DB_INSTANCE_BACKUP_ENABLED

    • S3_BUCKET_REPLICATION

      public static final AwsConfigRule S3_BUCKET_REPLICATION

    • DYNAMODB_PITR_ENABLED

      public static final AwsConfigRule DYNAMODB_PITR_ENABLED

    • RDS_MULTI_AZ

      public static final AwsConfigRule RDS_MULTI_AZ

    • ELB_DELETION_PROTECTION

      public static final AwsConfigRule ELB_DELETION_PROTECTION

    • KMS_CMK_NOT_SCHEDULED_FOR_DELETION

      public static final AwsConfigRule KMS_CMK_NOT_SCHEDULED_FOR_DELETION

    • CMK_BACKING_KEY_ROTATION

      public static final AwsConfigRule CMK_BACKING_KEY_ROTATION

    • SECURITYHUB_ENABLED

      public static final AwsConfigRule SECURITYHUB_ENABLED

    • ECR_PRIVATE_IMAGE_SCANNING

      public static final AwsConfigRule ECR_PRIVATE_IMAGE_SCANNING

    • WAFV2_LOGGING_ENABLED

      public static final AwsConfigRule WAFV2_LOGGING_ENABLED

    • ALB_WAF_ENABLED

      public static final AwsConfigRule ALB_WAF_ENABLED

    • ROOT_ACCOUNT_MFA_ENABLED

      public static final AwsConfigRule ROOT_ACCOUNT_MFA_ENABLED

    • ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

      public static final AwsConfigRule ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

    • IAM_ROOT_ACCESS_KEY_CHECK

      public static final AwsConfigRule IAM_ROOT_ACCESS_KEY_CHECK

    • ACCESS_KEYS_ROTATED

      public static final AwsConfigRule ACCESS_KEYS_ROTATED

    • IAM_USER_UNUSED_CREDENTIALS_CHECK

      public static final AwsConfigRule IAM_USER_UNUSED_CREDENTIALS_CHECK

    • MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

      public static final AwsConfigRule MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

    • RDS_INSTANCE_PUBLIC_ACCESS_CHECK

      public static final AwsConfigRule RDS_INSTANCE_PUBLIC_ACCESS_CHECK

    • RDS_CLUSTER_PUBLIC_ACCESS_CHECK

      public static final AwsConfigRule RDS_CLUSTER_PUBLIC_ACCESS_CHECK

    • RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

      public static final AwsConfigRule RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

    • RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED

      public static final AwsConfigRule RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED

    • REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

      public static final AwsConfigRule REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

    • RDS_LOGGING_ENABLED

      public static final AwsConfigRule RDS_LOGGING_ENABLED

    • REDSHIFT_AUDIT_LOGGING_ENABLED

      public static final AwsConfigRule REDSHIFT_AUDIT_LOGGING_ENABLED

    • RDS_CLUSTER_DELETION_PROTECTION_ENABLED

      public static final AwsConfigRule RDS_CLUSTER_DELETION_PROTECTION_ENABLED

    • RDS_INSTANCE_DELETION_PROTECTION_ENABLED

      public static final AwsConfigRule RDS_INSTANCE_DELETION_PROTECTION_ENABLED

    • EKS_ENDPOINT_NO_PUBLIC_ACCESS

      public static final AwsConfigRule EKS_ENDPOINT_NO_PUBLIC_ACCESS

    • EKS_SECRETS_ENCRYPTED

      public static final AwsConfigRule EKS_SECRETS_ENCRYPTED

    • EKS_CLUSTER_LOGGING_ENABLED

      public static final AwsConfigRule EKS_CLUSTER_LOGGING_ENABLED

    • EKS_CLUSTER_OLDEST_SUPPORTED_VERSION

      public static final AwsConfigRule EKS_CLUSTER_OLDEST_SUPPORTED_VERSION

    • API_GW_EXECUTION_LOGGING_ENABLED

      public static final AwsConfigRule API_GW_EXECUTION_LOGGING_ENABLED

    • API_GW_SSL_ENABLED

      public static final AwsConfigRule API_GW_SSL_ENABLED

    • API_GW_ASSOCIATED_WITH_WAF

      public static final AwsConfigRule API_GW_ASSOCIATED_WITH_WAF

    • API_GW_XRAY_ENABLED

      public static final AwsConfigRule API_GW_XRAY_ENABLED

    • CLOUDFRONT_VIEWER_POLICY_HTTPS

      public static final AwsConfigRule CLOUDFRONT_VIEWER_POLICY_HTTPS

    • CLOUDFRONT_ASSOCIATED_WITH_WAF

      public static final AwsConfigRule CLOUDFRONT_ASSOCIATED_WITH_WAF

    • CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

      public static final AwsConfigRule CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

    • CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

      public static final AwsConfigRule CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

    • CLOUDFRONT_ACCESSLOGS_ENABLED

      public static final AwsConfigRule CLOUDFRONT_ACCESSLOGS_ENABLED

    • CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

      public static final AwsConfigRule CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

    • EC2_IMDSV2_CHECK

      public static final AwsConfigRule EC2_IMDSV2_CHECK

    • EC2_INSTANCE_PROFILE_ATTACHED

      public static final AwsConfigRule EC2_INSTANCE_PROFILE_ATTACHED

    • EC2_LAUNCH_TEMPLATE_PUBLIC_IP_DISABLED

      public static final AwsConfigRule EC2_LAUNCH_TEMPLATE_PUBLIC_IP_DISABLED

    • ACM_CERTIFICATE_EXPIRATION_CHECK

      public static final AwsConfigRule ACM_CERTIFICATE_EXPIRATION_CHECK

    • ACM_CERTIFICATE_RSA_CHECK

      public static final AwsConfigRule ACM_CERTIFICATE_RSA_CHECK

    • LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

      public static final AwsConfigRule LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

    • LAMBDA_DLQ_CHECK

      public static final AwsConfigRule LAMBDA_DLQ_CHECK

    • LAMBDA_INSIDE_VPC

      public static final AwsConfigRule LAMBDA_INSIDE_VPC

    • LAMBDA_FUNCTION_SETTINGS_CHECK

      public static final AwsConfigRule LAMBDA_FUNCTION_SETTINGS_CHECK

    • REDSHIFT_REQUIRE_TLS_SSL

      public static final AwsConfigRule REDSHIFT_REQUIRE_TLS_SSL

    • REDSHIFT_CLUSTER_KMS_ENABLED

      public static final AwsConfigRule REDSHIFT_CLUSTER_KMS_ENABLED

    • DYNAMODB_TABLE_ENCRYPTED_KMS

      public static final AwsConfigRule DYNAMODB_TABLE_ENCRYPTED_KMS

    • DYNAMODB_AUTOSCALING_ENABLED

      public static final AwsConfigRule DYNAMODB_AUTOSCALING_ENABLED

    • CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

      public static final AwsConfigRule CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

    • CODEBUILD_PROJECT_LOGGING_ENABLED

      public static final AwsConfigRule CODEBUILD_PROJECT_LOGGING_ENABLED

  • Method Details

    • values

      public static AwsConfigRule[] values()
      Returns an array containing the constants of this enum class, in the order they are declared.
      Returns:
      an array containing the constants of this enum class, in the order they are declared

    • valueOf

      public static AwsConfigRule valueOf(String name)
      Returns the enum constant of this class with the specified name. The string must match exactly an identifier used to declare an enum constant in this class. (Extraneous whitespace characters are not permitted.)
      Parameters:
      name - the name of the enum constant to be returned.
      Returns:
      the enum constant with the specified name
      Throws:
      IllegalArgumentException - if this enum class has no constant with the specified name
      NullPointerException - if the argument is null

    • getRuleName

      public String getRuleName()
      Get the AWS Config rule identifier.

    • getSecurityControl

      public ComplianceMatrix.SecurityControl getSecurityControl()
      Get the SecurityControl this rule validates.

    • getDescription

      public String getDescription()
      Get a human-readable description of what this rule checks.

    • isRequired

      public boolean isRequired(String frameworks, ComplianceMode mode)
      Check if this Config rule is required based on compliance frameworks and mode.
      Parameters:
      frameworks - Comma-separated list of frameworks (e.g., "PCI-DSS,HIPAA")
      mode - Compliance mode (ENFORCE, ADVISORY, DISABLED)
      Returns:
      true if this rule should be deployed

    • getRequiredRules

      public static Set<AwsConfigRule> getRequiredRules(String frameworks, ComplianceMode mode)
      Get all Config rules required for the given compliance frameworks and mode.

      This automatically deduplicates rules - if multiple frameworks require the same SecurityControl, the rule is only included once.

      Parameters:
      frameworks - Comma-separated list of frameworks (e.g., "PCI-DSS,HIPAA")
      mode - Compliance mode (ENFORCE, ADVISORY, DISABLED)
      Returns:
      Set of required Config rules (no duplicates)

    • getRulesForControl

      public static Set<AwsConfigRule> getRulesForControl(ComplianceMatrix.SecurityControl control)
      Get all Config rules that validate a specific SecurityControl.
      Parameters:
      control - The SecurityControl to get rules for
      Returns:
      Set of Config rules for this control

    • fromRuleName

      public static AwsConfigRule fromRuleName(String ruleName)
      Find a Config rule by its AWS rule name.
      Parameters:
      ruleName - AWS Config rule identifier
      Returns:
      The matching AwsConfigRule, or null if not found