[アップデート] AWS Config の適合パックに「CIS コンプライアンスパック」および「AWS Control Tower Detective Guardrails」2 つのテンプレートが追加されました

適合パックに「CIS ベンチマーク」および「AWS Control Tower」 向けの 2 つのテンプレートが追加されました。CIS ベンチマークの Config ルールって Security Hub と被ってません、、?
2020.04.30

先日のアップデートで AWS Config の適合パック(コンフォーマンスパック)に以下 2 つのテンプレートが追加されました。

  • CISコンプライアンスパックテンプレート
    • CIS 要件への準拠を検証するのに役立ちます。ただし、すべての CIS 要件すべてをカバーするものではありません。Config ルールを使用してカバーできる要件のみであることに注意してください。
  • AWS Control Tower Detective Guardrails Conformance Pack
    • AWS Control Tower の AWS Config ルールベースのガードレールがすべて含まれています。この適合パックを使用して、AWS Control Tower に登録する前に AWS Control Tower 検出ガードレールを既存のアカウントに適用するか、現在 AWS Control Tower でサポートされていないリージョンのアカウントのリソースを管理することもできます。

何がうれしいのか

適合パックとは?

適合パックは AWS Config ルールと修復アクションの集まりであり、アカウントやリージョン、または AWS Organizations の組織全体に 1 つのエンティティとして簡単にデプロイできます。

CloudFormation でデプロイされるのでカスタマイズが可能

今回リリースされた 「CIS コンプライアンスパックテンプレート」 を例にすると、CIS ベンチマーク向けの AWS Config ルールであれば AWS Security Hub の 「CIS AWS Foundations Benchmark v1.2.0」 を有効にしたら良いのでは? と思いますよね。私も思いました。

社内のメンバーに「これって、Security Hub でえぇんちゃうの?」て聞いたところ、Security Hub の場合、ルールはフルマネージドであるため個別調整できるのは有効か無効の二択のみ。

一方、適合パックの場合はカスタマイズが可能なので、スコープのチューニングなどの個別調整がきく点がメリット、とのことです。なるほど!

あと、Security Hub や Control Tower が利用できないリージョンの場合、この適合パックで代用することも可能ですね。

やってみる

それでは、さっそくやってみましょう。

手順

適合パックをデプロイするまでの手順は、以下の 3 ステップ。

  1. Service-Linked Roleの作成
  2. テンプレート配置用のS3バケットの作成およびバケットポリシーの作成
  3. 適合パックのデプロイ

Service-Linked Role の作成

Service-Linked Role の作成は、公式ガイドに従い、AWS CLI で作成します。

$ aws iam create-service-linked-role --aws-service-name config-conforms.amazonaws.com \
    --description "my service linked role for config-conforms"
    
Role:
  Arn: arn:aws:iam::xxxxxxxxxxxx:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
  AssumeRolePolicyDocument:
    Statement:
    - Action:
      - sts:AssumeRole
      Effect: Allow
      Principal:
        Service:
        - config-conforms.amazonaws.com
    Version: '2012-10-17'
  CreateDate: '2020-04-30T08:52:00+00:00'
  Path: /aws-service-role/config-conforms.amazonaws.com/
  RoleId: AROAXXXXXXXXXXXXXXXXX
  RoleName: AWSServiceRoleForConfigConforms

テンプレート配置用のS3バケットの作成およびバケットポリシーの作成

次に、テンプレートを配置するための S3 バケットを作成し、先程の Service-Linked Role がアクセスできるようにバケットポリシーを記載します。<AccountId>, <delivery-bucket-name>, <[optional] prefix> は環境によって読み替えてください。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigConformsBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::<AccountId>:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<delivery-bucket-name>"
    },
    {
      "Sid": "AWSConfigConformsBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::<AccountId>:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<delivery-bucket-name>/<[optional] prefix>/AWSLogs/<AccountId>/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": " AWSConfigConformsBucketReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::<AccountId>:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<delivery-bucket-name>/<[optional] prefix>/AWSLogs/<AccountId>/Config/*"
    }
  ]
}

AWS Config 管理コンソールを開き、[適合パックをデプロイ] をクリックします。

[サンプルテンプレートを使用] を選択し、サンプルテンプレートをプルダウンメニューから選びます。AWS Control Tower Detective Guardrails および Operational Best Practices for CIS が追加されていますね。

今回は Operational Best Practices for CIS を試してみましょう。

任意の適合パック名を入力し、先程、作成した S3 バケットを選択し、次へ。

内容を確認し、[適合パックをデプロイ]をクリックします。

しばらく待つとデプロイが完了します。

確認

デプロイされた適合パックを確認してみると、以下のようなルールとなっていました。修復アクションは組み込まれていないようですね。

サンプルテンプレート

テンプレートは yaml で記述された CloudFormation です。サンプルテンプレートをもとに個別カスタマイズしてデプロイすることも可能です。

CIS コンプライアンスパックテンプレート

################################################################################
#
#   Conformance Pack:
#     CIS compliance rules
#
#   This conformance pack helps verify compliance with CIS requirements. Note that
#   this will not cover all CIS requirements but only those that can be covered
#   using Config Rules
################################################################################
       
Resources:
  MFAEnabledForIamConsoleAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: MFAEnabledForIamConsoleAccess
      Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled
        for all AWS Identity and Access Management (IAM) users that use a console
        password. The rule is compliant if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
      MaximumExecutionFrequency: Twelve_Hours
  IAMUserUnusedCredentialCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMUserUnusedCredentialCheck
      Description: Checks whether your AWS Identity and Access Management (IAM) users
        have passwords or active access keys that have not been used within the specified
        number of days you provided.
      InputParameters:
        maxCredentialUsageAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      MaximumExecutionFrequency: Twelve_Hours
  AccessKeysRotated:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: AccessKeysRotated
      Description: Checks whether the active access keys are rotated within the number
        of days specified in maxAccessKeyAge. The rule is non-compliant if the access
        keys have not been rotated for more than maxAccessKeyAge number of days.
      InputParameters:
        maxAccessKeyAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: Twelve_Hours
  IAMPasswordPolicyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMPasswordPolicyCheck
      Description: Checks whether the account password policy for IAM users meets
        the specified requirements.
      InputParameters:
        RequireUppercaseCharacters: true
        RequireLowercaseCharacters: true
        RequireSymbols: true
        RequireNumbers: true
        MinimumPasswordLength: 14
        PasswordReusePrevention: 24
        MaxPasswordAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
      MaximumExecutionFrequency: Twelve_Hours
  IAMRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMRootAccessKeyCheck
      Description: Checks whether the root user access key is available.
        The rule is compliant if the user access key does not exist.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
      MaximumExecutionFrequency: Twelve_Hours
  RootAccountMFAEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: RootAccountMFAEnabled
      Description: Checks whether the root user of your AWS account requires multi-factor
        authentication for console sign-in.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  RootAccountHardwareMFAEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: RootAccountHardwareMFAEnabled
      Description: Checks whether your AWS account is enabled to use multi-factor
        authentication (MFA) hardware device to sign in with root credentials.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  IAMUserNoPoliciesCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMUserNoPoliciesCheck
      Description: Checks that none of your IAM users have policies attached. IAM
        users must inherit permissions from IAM groups or roles.
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::User
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
  IAMSupportPolicyInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMSupportPolicyInUse
      Description: Checks that the 'AWSSupportAccess' managed policy is attached to any IAM user, group, or role
      InputParameters:
        policyARN: arn:aws:iam::aws:policy/AWSSupportAccess
        policyUsageType: ANY
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_IN_USE
      MaximumExecutionFrequency: Twelve_Hours
  IAMPolicyNoStatementWithAdminAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IAMPolicyNoStatementWithAdminAccess
      Description: Checks whether the default version of AWS Identity and Access
        Management (IAM) policies do not have administrator access.
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::Policy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
  MultiRegionCloudTrailEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: MultiRegionCloudTrailEnabled
      Description: Checks that there is at least one multi-region AWS CloudTrail.
        The rule is non-compliant if the trails do not match input parameters
      Source:
        Owner: AWS
        SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  CloudTrailLogFileValidationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CloudTrailLogFileValidationEnabled
      Description: Checks whether AWS CloudTrail creates a signed digest file with
        logs
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Description: Checks that your Amazon S3 buckets do not allow public read access.
        The rule checks the Block Public Access settings, the bucket policy, and the
        bucket access control list (ACL).
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      MaximumExecutionFrequency: Twelve_Hours
  S3BucketPublicWriteProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicWriteProhibited
      Description: Checks that your Amazon S3 buckets do not allow public write access.
        The rule checks the Block Public Access settings, the bucket policy, and the
        bucket access control list (ACL).
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      MaximumExecutionFrequency: Twelve_Hours
  CloudTrailCloudWatchLogsEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CloudTrailCloudWatchLogsEnabled
      Description: Checks whether AWS CloudTrail trails are configured to send logs
        to Amazon CloudWatch logs.
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  S3BucketLoggingEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketLoggingEnabled
      Description: Checks whether logging is enabled for your S3 buckets.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
  CloudTrailEncryptionEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CloudTrailEncryptionEnabled
      Description: Checks whether AWS CloudTrail is configured to use the server side
        encryption (SSE) AWS Key Management Service (AWS KMS) customer master key
        (CMK) encryption.
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  CMKBackingKeyRotationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CMKBackingKeyRotationEnabled
      Description: Checks that key rotation is enabled for each key and matches to
        the key ID of the customer created customer master key (CMK). The rule is
        compliant, if the key rotation is enabled for specific key object.
      Source:
        Owner: AWS
        SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  VPCFlowLogsEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: VPCFlowLogsEnabled
      Description: Checks whether Amazon Virtual Private Cloud flow logs are found
        and enabled for Amazon VPC.
      InputParameters:
        trafficType: REJECT
      Source:
        Owner: AWS
        SourceIdentifier: VPC_FLOW_LOGS_ENABLED
      MaximumExecutionFrequency: Twelve_Hours
  IncomingSSHDisabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: IncomingSSHDisabled
      Description: Checks whether the incoming SSH traffic for the security groups is accessible.
        The rule is COMPLIANT when the IP addresses of the incoming SSH traffic in the security
        groups are restricted. This rule applies only to IPv4.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
  RestrictedIncomingTraffic:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: RestrictedIncomingTraffic
      Description: Checks whether security groups that are in use disallow unrestricted
        incoming TCP traffic to the specified ports.
      InputParameters:
        blockedPort1: 3389
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
  VPCDefaultSecurityGroupClosed:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: VPCDefaultSecurityGroupClosed
      Description: Checks that the default security group of any Amazon Virtual Private
        Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant
        if the default security group has one or more inbound or outbound traffic.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED

AWS Control Tower Detective Guardrails Conformance Pack

###################################################################################
#
#   Conformance Pack:
#     AWS Control Tower Detective Guardrails Conformance Pack
#
#    The AWS Control Tower detective guardrails conformance pack contains all of the 
#    AWS Config Rules based guardrails from AWS Control Tower. Use this conformance 
#    pack to apply AWS Control Tower detective guardrails to your existing accounts 
#    prior to enrolling them in AWS Control Tower or to manage resources in your 
#    accounts in regions not currently supported by AWS Control Tower.
###################################################################################

Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
  CheckForEc2VolumesInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEc2VolumesInUs
      Description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances
      InputParameters:
        deleteOnTermination: None
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
  CheckForEncryptedVolumes:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEncryptedVolumes
      Description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted.
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
  CheckForIAMUserMFA:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForIAMUserMFA
      Description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. The rule is COMPLIANT if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_MFA_ENABLED
      MaximumExecutionFrequency: One_Hour
  CheckForIAMUserConsoleMFA:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForIAMUserConsoleMFA
      Description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
      MaximumExecutionFrequency: One_Hour
  CheckForRdsPublicAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRdsPublicAccess
      Description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
      Source:
        Owner: AWS
        SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
  CheckForPublicRdsSnapshots:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForPublicRdsSnapshots
      Description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
      Source:
        Owner: AWS
        SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBSnapshot
  CheckForRdsStorageEncryption:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRdsStorageEncryption
      Description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
      Source:
        Owner: AWS
        SourceIdentifier: RDS_STORAGE_ENCRYPTED
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance
  CheckForRestrictedCommonPortsPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRestrictedCommonPortsPolicy
      Description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports.
      InputParameters:
        blockedPort1: 20
        blockedPort2: 21
        blockedPort3: 3389
        blockedPort4: 3306
        blockedPort5: 4333
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
  CheckForRestrictedSshPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRestrictedSshPolicy
      Description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
  CheckForRootMfa:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRootMfa
      Description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
      MaximumExecutionFrequency: One_Hour
  CheckForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3PublicRead
      Description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
  CheckForS3PublicWrite:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3PublicWrite
      Description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
  CheckForS3VersioningEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3VersioningEnabled
      Description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

さいごに

Security Hub のセキュリティ基準を使用すると同様に AWS Config でルールのデプロイが出来ますが、ルール毎の個別調整は ON か OFF しか出来ません。個別ルールのスコープ調整などの自由度が必要な場合は適合パックを検討してみてはいかがでしょうか。

以上!大阪オフィスの丸毛(@marumo1981)でした!