AWS config medium security documentation change
Summary
Clarified rule logic for TLS encryption checks and added 'excludeTlsParameters' parameter
Security assessment
Enhanced documentation for a security-focused rule (encryption in transit) and added configurability to exclude specific TLS parameters, directly related to security controls.
Diff
diff --git a/config/latest/developerguide/docdb-cluster-encrypted-in-transit.md b/config/latest/developerguide/docdb-cluster-encrypted-in-transit.md index a944894d0..3877593c6 100644 --- a//config/latest/developerguide/docdb-cluster-encrypted-in-transit.md +++ b//config/latest/developerguide/docdb-cluster-encrypted-in-transit.md @@ -9 +9 @@ AWS CloudFormation template -Checks if connections to Amazon Document DB clusters are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated cluster parameter group is not 'in-sync' or if the tls cluster parameter is not set to 'enabled' or 'fips-140-3'. +Checks if connections to Amazon DocumentDB clusters are configured to use encryption in transit. The rule is NON_COMPLIANT if the parameter group is not "in-sync", or the TLS parameter is set to either "disabled" or a value in `excludeTlsParameters`. @@ -21 +21,2 @@ Checks if connections to Amazon Document DB clusters are configured to use encry -None +excludeTlsParameters (Optional) +Type: CSV @@ -23,0 +25,2 @@ None +Comma-separated list of TLS cluster parameters for the rule to NOT check. Default value: 'disabled'. +