AWS prescriptive-guidance documentation change
Summary
Updated decision tree documentation for evaluating AWS security services, including refined risk assessment language, expanded TCO analysis, added references to AWS Security Reference Architecture and free trials, and enhanced trade-off decision guidance.
Security assessment
The changes primarily focus on improving the decision-making process for selecting AWS security services, including more detailed risk analysis and cost considerations. While it discusses security services and risk management, there is no evidence of addressing a specific security vulnerability or incident. The changes add general security documentation but are not directly related to a security issue.
Diff
diff --git a/prescriptive-guidance/latest/strategy-evaluating-security-service/decision-tree.md index ba7e446e9..428aba7b6 100644 --- a/prescriptive-guidance/latest/strategy-evaluating-security-service/decision-tree.md +++ b/prescriptive-guidance/latest/strategy-evaluating-security-service/decision-tree.md @@ -21 +21 @@ Organizations are under the scope of laws and regulations regarding data securit -### 1.2 Do you have high risks (above appetite) that are not addressed? +### 1.2 Do you have a high risk that is not addressed? @@ -23 +23 @@ Organizations are under the scope of laws and regulations regarding data securit -_Risk appetite_ refers to the amount and type of risk that an organization is willing to take in order to meet their strategic objectives. If your current solution (or absence of it) is not mitigating risks to an acceptable level, you should evaluate the AWS security service. +Organizations need to identify and manage significant security risks in their environment. A high risk could involve potential data breaches, system vulnerabilities, operational disruptions, or other critical security concerns. If your current solution (or absence of it) is not adequately mitigating these high risks, proceed with evaluating the AWS security service. @@ -27 +27 @@ _Risk appetite_ refers to the amount and type of risk that an organization is wi -Solutions that require manual steps or human interaction are more error prone. Inconsistency, low data reliability, noncompliant assets, and lack of scalability are common in these scenarios. Automated controls are fundamentally important for IT systems and workloads. If your current solution does not support full automation, you should evaluate the AWS security service. +Solutions that require manual steps or human interaction are more error prone. Inconsistency, low data reliability, noncompliant assets, and lack of scalability are common in these scenarios. Automated controls are fundamentally important for IT systems and workloads. If your current solution does not support full automation, consider evaluating the AWS security service. @@ -33 +33 @@ It is important to map any problem related to management. The following are some -### 1.5 Do you have a higher total cost of ownership (TCO) than your industry segment? +### 1.5 Do you have a high total cost of ownership? @@ -35 +35 @@ It is important to map any problem related to management. The following are some -You can compare your costs to market benchmarks for your industry segment from research institutes. As a baseline, it's common to invest 6–14% of an IT budget in cybersecurity, and an average is 10%. Another point of comparison could be your internal tools covering the same number of assets to be protected. If you have a high TCO and want to reduce costs, you should evaluate the AWS security service. +Evaluate the total cost of ownership (TCO) for your current security solution by comparing costs against industry benchmarks and internal metrics. Generally, organizations invest 6–14% of their IT budget in cybersecurity, and 10% is the average. Consider factors such as licensing, implementation, maintenance, support, and operational costs for protecting your assets. You can include your internal tools that cover the same number of assets to be protected. An unbalanced security budget for tools can also indicate a high TCO, such as if 60% of the budget is directed to a single tool. If your TCO is higher than these benchmarks, proceed with evaluating the AWS security service. @@ -39 +39,5 @@ You can compare your costs to market benchmarks for your industry segment from r -A _proof of technology_ (POT) is similar to a proof of concept. The goal of a POT is to determine whether a potential solution to a technical problem is viable. For example, you might use a POT to prove that a specific configuration can achieve a certain outcome. In this section, you use a POT to evaluate and demonstrate whether a given AWS security service meets your business and technical requirements. +A _proof of technology (POT)_ is similar to a proof of concept. The goal of a POT is to determine whether a potential solution to a technical problem is viable. For example, you might use a POT to prove that a specific configuration can achieve a certain outcome. In this section, you use a POT to evaluate and demonstrate whether a given AWS security service meets your business and technical requirements. + +The [AWS Security Reference Architecture (AWS SRA)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/) provides prescriptive guidance for deploying the full complement of AWS security services in a multi-account environment. This architecture can help you plan and execute your POT evaluation. + +This decision guide applies to all AWS security services, including the latest offerings. For an up-to-date list of services and current best practices, see [AWS Cloud Security](https://aws.amazon.com/security/). @@ -66 +70 @@ The effectiveness of the AWS security service must be demonstrated through a POT -Lower TCO can help you optimize costs in your organization. Some common metrics used in these comparisons are: acquisition and implementation costs, fixed and variable expenses, operation costs, maintenance and support costs, expansion and reliability costs, and training costs. There are other cost measurements and comparisons that you can perform based on your specific use case. The [AWS Pricing Calculator](https://calculator.aws/) can help you estimate costs for AWS services. +Lower TCO can help you optimize costs in your organization. Some common metrics used in these comparisons are: acquisition and implementation costs, fixed and variable expenses, operation costs, maintenance and support costs, expansion and reliability costs, and training costs. There are other cost measurements and comparisons that you can perform based on your specific use case. The [AWS Pricing Calculator](https://calculator.aws/) can help you estimate costs for AWS services. Additionally, you can use products in the AWS Free Tier and free trails to evaluate many AWS services. For more information, see [Free AWS Cloud Security Trials](https://aws.amazon.com/free/security/). @@ -70 +74,5 @@ Lower TCO can help you optimize costs in your organization. Some common metrics -Sometimes, it can be difficult to accurately calculate the TCO or determine whether your current control or solution meets your business and technical requirements better than the AWS service. In this case, you can balance all of the information you have to determine an overall positive or negative balance. Therefore, you need to make a trade-off decision. To help you make this decision, one approach is to use the [Free AWS Cloud Security Trials](https://aws.amazon.com/free/security/) and then monitor the costs during the trial period. +The trade-off decision requires balancing multiple factors, particularly service effectiveness and TCO considerations. When exact calculations or clear-cut determinations aren't possible, evaluate the overall balance of benefits and limitations. + +A positive balance might emerge even when factors seem to conflict. For example, a service might increase costs but provide enhanced scalability. This represents a positive balance where the improved effectiveness justifies the additional costs. Conversely, a reduction in capabilities might not be acceptable even if a service offers significant cost savings. + +You should balance all available information to determine an overall positive or negative outcome. Based on this analysis, you can make your trade-off decision. @@ -80 +88 @@ Introduction -Resources +AWS Well-Architected Framework