AWS managedservices high security documentation change
Summary
Added new security controls (4.15.1, 8.1), modified IAM policy rules (9.1), and updated logging requirements (1.3)
Security assessment
Added control 8.1 explicitly addresses public exposure prevention of customer data storage resources. Modified IAM policy rules (9.1) and logging changes (1.3) impact security configurations. New S3 access control (4.15.1) adds security documentation
Diff
diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md index b7f3f209f..6fe24f60d 100644 --- a/managedservices/latest/userguide/ams-sec-stand-controls.md +++ b/managedservices/latest/userguide/ams-sec-stand-controls.md @@ -145,0 +146 @@ ID | Technical standard +4.15.1 | You can have view, create, list, and delete access to your S3 storage lens custom dashboard. @@ -181 +182 @@ ID | Technical standard -9.1 | AMS default IAM role or policy (including instance profile, SSPS, pattern) must not be modified with or without any risk acceptance. Only trust policies related changes are permitted in the default SSPS roles. Only trust policies and tagging of the role/policy/user changes are permitted in the default SSPS roles. +9.1 | AMS default IAM role or policy (including instance profile, SSPS, pattern) must not be modified with or without any risk acceptance. Exceptions are allowed (without risk acceptance) for trust policies. Tagging of the role, policy, or user changes, is also permitted in the default SSP roles. @@ -197,0 +199 @@ ID | Technical standard +8.1 | Any resource where customer data can be stored should not be exposed to public internet directly. @@ -293 +295 @@ ID | Technical standard -1.3 | VPC Flow Logs: All the network traffic logs must be logged via VPC Flow Logs and must be sent to S3 bucket and can optionally be sent to CloudWatch Logs. +1.3 | VPC Flow Logs: All the network traffic logs must be logged via VPC Flow Logs.