AWS AmazonECS documentation change
Summary
Updated security compliance documentation with revised wording, removed redundant links, added Security Hub details, and clarified shared responsibility model reference
Security assessment
Changes focus on improving clarity of security best practices (encryption, logging, Security Hub usage) but don't address specific vulnerabilities. Enhanced documentation about security controls and compliance frameworks constitutes added security documentation.
Diff
diff --git a/AmazonECS/latest/developerguide/security-compliance.md b/AmazonECS/latest/developerguide/security-compliance.md index abb0e9e9a..2c6164517 100644 --- a//AmazonECS/latest/developerguide/security-compliance.md +++ b//AmazonECS/latest/developerguide/security-compliance.md @@ -9,10 +9 @@ Payment Card Industry Data Security Standards (PCI DSS) HIPAA (U.S. Health Insur -Your compliance responsibility when using Amazon ECS is determined by the sensitivity of your data, and the compliance objectives of your company, and applicable laws and regulations. - -AWS provides the following resources to help with compliance: - - * [Security and compliance quick start guides](http://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance): These deployment guides discuss architectural considerations and provide steps for deploying security and compliance-focused baseline environments on AWS. - - * [AWS Services in Scope by Compliance Program](http://aws.amazon.com/compliance/services-in-scope/): This list contains the AWS services in scope of specific compliance programs. For more information, see [AWS Compliance Programs](http://aws.amazon.com/compliance/programs/). - - - +Your compliance responsibility when using Amazon ECS is determined by the sensitivity of your data, the compliance objectives of your company, and applicable laws and regulations. @@ -37 +28 @@ Using Amazon ECS with workloads that process protected health information (PHI) -Various mechanisms for encrypting at-rest are available with each AWS storage option, such as Amazon S3, Amazon EBS, and AWS KMS. You may deploy an overlay network (such as VNS3 or Weave Net) to ensure complete encryption of PHI transferred between containers or to provide a redundant layer of encryption. Complete logging should also be enabled and all container logs should be directed to Amazon CloudWatch. To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in _Security Pillar AWS Well‐Architected Framework_. +Various mechanisms for encrypting at-rest are available with each AWS storage option, such as Amazon S3, Amazon EBS, and AWS KMS. You can deploy an overlay network (such as VNS3 or Weave Net) to ensure complete encryption of PHI transferred between containers or to provide a redundant layer of encryption. You should also use complete logging, and direct all container logs to Amazon CloudWatch. For information about using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in _Security Pillar AWS Well‐Architected Framework_. @@ -41 +32 @@ Various mechanisms for encrypting at-rest are available with each AWS storage op -Use AWS Security Hub to monitor your usage of Amazon ECS as it relates to security best practices. Security Hub uses controls to evaluate resource configurations and security standards to help you comply with various compliance frameworks. For more information about using Security Hub to evaluate Amazon ECS resources, see [Amazon ECS controls ](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html)in the _AWS Security Hub User Guide_. +Use AWS Security Hub. This AWS service provides a comprehensive view of your security state within AWS. Security Hub uses security controls to evaluate your AWS resources and to check your compliance against security industry standards and best practices. For a list of supported services and controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html). @@ -51 +42 @@ Use Runtime Monitoring in GuardDuty to identify malicious or unauthorized behavi -You should engage the compliance program owners within your business early and use the [AWS shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) to identify compliance control ownership for success with the relevant compliance programs. +We recommend that you engage the compliance program owners within your business early and use the AWS shared responsibility model to identify compliance control ownership for success with the relevant compliance programs. For more information, see [AWS shared responsibility model for Amazon ECS ](./security-shared-model.html).