CDK Construct to create AWS Config Conformance Pack for common best practices

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.

This CDK Construct included some Conformance Pack for best practices with Config managed rules.

Conformance Pack

RDS Best practices

Subset of security best practices for Amazon RDS Conformance Packs. Full set of the rules can be found in AWS Config github repository.

RDS_INSTANCE_PUBLIC_ACCESS_CHECK

Make sure the RDS is in the isolated subnet [1].

RDS_STORAGE_ENCRYPTED

RDS has encryption of data at rest [2].

Example usage

Conformance Pack Name: CdkConstructSecuredResourcesConfig.rdsBestPracticesComformancePack

const config = new CdkConstructSecuredResourcesConfig(this, `${stack_id}-config`,{
    conformancePacks: [CdkConstructSecuredResourcesConfig.rdsBestPracticesComformancePack],
    configDeliveryS3Bucket: cdk.aws_s3.Bucket.fromBucketArn(this, `${stack_id}-config-s3`, s3BucketForConfig)  
});

References

• [1]: Network-level security best practices for Amazon RDS https://aws.amazon.com/blogs/database/security-best-practices-for-amazon-rds-for-mysql-and-mariadb-instances/
• [2]: Amazon RDS Security https://aws.amazon.com/rds/features/security/#Encryption_of_Data_at_Rest