AWS prescriptive-guidance documentation change
Summary
Updated documentation for consistency in AWS service naming conventions (e.g., 'EC2 instances' to 'Amazon EC2 instances', 'SNS' to 'Amazon SNS'), restructured workflow steps, simplified prerequisite requirements, and added explicit links to CloudFormation console. Removed redundant technology stack section and improved formatting.
Security assessment
Changes focus on branding consistency, documentation clarity, and formatting improvements rather than addressing security vulnerabilities or introducing new security features. No evidence of patching vulnerabilities, mitigating exploits, or responding to security incidents. The pattern itself describes security scanning automation, but the changes do not alter security guidance or add new security capabilities.
Diff
diff --git a/prescriptive-guidance/latest/patterns/automate-security-scans-for-cross-account-workloads-using-amazon-inspector-and-aws-security-hub.md b/prescriptive-guidance/latest/patterns/automate-security-scans-for-cross-account-workloads-using-amazon-inspector-and-aws-security-hub.md index d17863cf0..4fddf5f36 100644 --- a//prescriptive-guidance/latest/patterns/automate-security-scans-for-cross-account-workloads-using-amazon-inspector-and-aws-security-hub.md +++ b//prescriptive-guidance/latest/patterns/automate-security-scans-for-cross-account-workloads-using-amazon-inspector-and-aws-security-hub.md @@ -17 +17 @@ The pattern helps create a schedule for host-based scans of Amazon Elastic Compu -The Amazon Inspector findings are exported to AWS Security Hub and provide insights into vulnerabilities across your accounts, AWS Regions, virtual private clouds (VPCs), and EC2 instances. You can receive these findings by email or you can create an Amazon Simple Notification Service (Amazon SNS) topic that uses an HTTP endpoint to send the findings to ticketing tools, security information and event management (SIEM) software, or other third-party security solutions. +The Amazon Inspector findings are exported to AWS Security Hub and provide insights into vulnerabilities across your accounts, AWS Regions, virtual private clouds (VPCs), and Amazon EC2 instances. You can receive these findings by email or you can create an Amazon Simple Notification Service (Amazon SNS) topic that uses an HTTP endpoint to send the findings to ticketing tools, security information and event management (SIEM) software, or other third-party security solutions. @@ -22,0 +23,2 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig + * Active AWS accounts that host cross-account workloads, including a central audit account. + @@ -27,3 +29 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig - * Active AWS accounts that host cross-account workloads, including a central audit account. - - * Security Hub, enabled and configured. You can use this pattern without Security Hub, but we recommend using Security Hub because of the insights it generates. For more information, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the AWS Security Hub documentation. + * Security Hub, enabled and configured. You can use this pattern without Security Hub, but we recommend using Security Hub because of the insights it generates. For more information, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the Security Hub documentation. @@ -38 +38 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig - * Experience using `self-managed` and `service-managed` permissions for stack sets in AWS CloudFormation. If you want to use `self-managed` permissions to deploy stack instances to specific accounts in specific Regions, you must create the required AWS Identity and Access Management (IAM) roles. If you want to use `service-managed` permissions to deploy stack instances to accounts managed by AWS Organizations in specific Regions, you don’t need to create the required IAM roles. For more information, see [Create a stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html) in the AWS CloudFormation documentation. + * Experience using `self-managed` and `service-managed` permissions for stack sets in CloudFormation. If you want to use `self-managed` permissions to deploy stack instances to specific accounts in specific Regions, you must create the required AWS Identity and Access Management (IAM) roles. If you want to use `service-managed` permissions to deploy stack instances to accounts managed by AWS Organizations in specific Regions, you don’t need to create the required IAM roles. For more information, see [Create a stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html) in the CloudFormation documentation. @@ -45 +45 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig - * If no tags are applied to EC2 instances in an account, then Amazon Inspector scans all the EC2 instances in that account. + * If no tags are applied to Amazon EC2 instances in an account, then Amazon Inspector scans all the instances in that account. @@ -47 +47 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig - * The AWS CloudFormation stack sets and the onboard-audit-account.yaml file (attached) must be deployed in the same Region. + * The CloudFormation stack sets and the `onboard-audit-account.yaml` file (attached) must be deployed in the same Region. @@ -51 +51 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig - * This pattern’s approach can scale under the publish quota of 30,000 transactions per second (TPS) for an SNS topic in the US East (N. Virginia) Region (us-east-1), although limits vary by Region. To scale more effectively and avoid data loss, we recommend using Amazon Simple Queue Service (Amazon SQS) in front of the SNS topic. + * This pattern’s approach can scale under the publish quota of 30,000 transactions per second (TPS) for an Amazon SNS topic in the US East (N. Virginia) Region (`us-east-1`), although limits vary by Region. To scale more effectively and avoid data loss, we recommend using Amazon Simple Queue Service (Amazon SQS) in front of the Amazon SNS topic. @@ -58,3 +58 @@ The Amazon Inspector findings are exported to AWS Security Hub and provide insig -The following diagram illustrates the workflow for automatically scanning EC2 instances. - - +The following diagram illustrates the workflow for automatically scanning Amazon EC2 instances. @@ -64,15 +62 @@ The workflow consists of the following steps: -1\. An Amazon EventBridge rule uses a cron expression to self-initiate on a specific schedule and initiates Amazon Inspector. - -2\. Amazon Inspector scans the tagged EC2 instances in the account. - -3\. Amazon Inspector sends the findings to Security Hub, which generates insights for workflow, prioritization, and remediation. - -4\. Amazon Inspector also sends the assessment’s status to an SNS topic in the audit account. An AWS Lambda function is invoked if a `findings reported` event is published to the SNS topic. - -5\. The Lambda function fetches, formats, and sends the findings to another SNS topic in the audit account. - -6\. Findings are sent to the email addresses that are subscribed to the SNS topic. The full details and recommendations are sent in JSON format to the subscribed HTTP endpoint. - -**Technology stack** - - * AWS Control Tower + @@ -80 +64 @@ The workflow consists of the following steps: - * EventBridge + 1. An Amazon EventBridge rule uses a cron expression to self-initiate on a specific schedule and initiates Amazon Inspector. @@ -82 +66 @@ The workflow consists of the following steps: - * IAM + 2. Amazon Inspector scans the tagged Amazon EC2 instances in the account. @@ -84 +68 @@ The workflow consists of the following steps: - * Amazon Inspector + 3. Amazon Inspector sends the findings to Security Hub, which generates insights for workflow, prioritization, and remediation. @@ -86 +70 @@ The workflow consists of the following steps: - * Lambda + 4. Amazon Inspector also sends the assessment’s status to an Amazon SNS topic in the audit account. An AWS Lambda function is invoked if a `findings reported` event is published to the Amazon SNS topic. @@ -88 +72 @@ The workflow consists of the following steps: - * Security Hub + 5. The Lambda function fetches, formats, and sends the findings to another Amazon SNS topic in the audit account. @@ -90 +74 @@ The workflow consists of the following steps: - * Amazon SNS + 6. Findings are sent to the email addresses that are subscribed to the Amazon SNS topic. The full details and recommendations are sent in JSON format to the subscribed HTTP endpoint. @@ -97 +81 @@ The workflow consists of the following steps: - * [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) – AWS CloudFormation helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications. + * [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications. @@ -99 +83 @@ The workflow consists of the following steps: - * [AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) – AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation. + * [AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation. @@ -101 +85 @@ The workflow consists of the following steps: - * [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) – AWS Control Tower creates an abstraction or orchestration layer that combines and integrates the capabilities of several other AWS services, including AWS Organizations. + * [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) creates an abstraction or orchestration layer that combines and integrates the capabilities of several other AWS services, including AWS Organizations. @@ -103 +87 @@ The workflow consists of the following steps: - * [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html) – EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. + * [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html) is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. @@ -105 +89 @@ The workflow consists of the following steps: - * [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) – Lambda is a compute service that helps you run code without provisioning or managing servers. + * [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without provisioning or managing servers. @@ -107 +91 @@ The workflow consists of the following steps: - * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. + * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. @@ -109 +93 @@ The workflow consists of the following steps: - * [Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) – Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers. + * [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) is a managed service that provides message delivery from publishers to subscribers. @@ -118,5 +102 @@ Task| Description| Skills required -Deploy the AWS CloudFormation template in the audit account.| Download and save the `onboard-audit-account.yaml` file (attached) to a local path on your computer. Sign in to the AWS Management Console for your audit account, open the AWS CloudFormation console, and then choose **Create stack**. Choose **Prepare template** in the **Prerequisites** section, and then choose **Template is ready**. Choose **Template source** in the **Specify template** section, and then choose **Template is ready**. Upload the `onboard-audit-account.yaml` file and then configure the remaining options according to your requirements. - -###### Important - -Make sure that you configure the following input parameters: +Deploy the CloudFormation template in the audit account.| Download and save the `onboard-audit-account.yaml` file (attached) to a local path on your computer. Sign in to the AWS Management Console for your audit account, open the [CloudFormation console](https://console.aws.amazon.com/cloudformation/), and then choose **Create stack**. Choose **Prepare template** in the **Prerequisites** section, and then choose **Template is ready**. Choose **Template source** in the **Specify template** section, and then choose **Template is ready**. Upload the `onboard-audit-account.yaml` file and then configure the remaining options according to your requirements. Make sure that you configure the following input parameters: @@ -127 +107,5 @@ Make sure that you configure the following input parameters: -You can also deploy the AWS CloudFormation template by using AWS Command Line Interface (AWS CLI). For more information about this, see [Creating a stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html) in the AWS CloudFormation documentation.| Developer, Security engineer + + +###### Note + +You can also deploy the CloudFormation template by using AWS Command Line Interface (AWS CLI). For more information about this, see [Creating a stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html) in the CloudFormation documentation.| Developer, Security engineer @@ -132,5 +116 @@ Task| Description| Skills required -Create stack sets in the audit account.| Download the `vulnerability-management-program.yaml` file (attached) to a local path on your computer.On the AWS CloudFormation console, choose **View stacksets** and then choose **Create StackSet**. Choose**Template is ready** , choose **Upload a template file** , and then upload the****`vulnerability-management-program.yaml` file. If you want to use `self-managed` permissions, follow the instructions from [Create a stack set with self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-getting-started-create-self-managed-console) in the AWS CloudFormation documentation. This creates stack sets in individual accounts. If you want to use `service-managed`**** permissions, follow the instructions from [Create a stack set with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org-console) in the AWS CloudFormation documentation. This creates stack sets in your entire organization or specified organizational units (OUs). - -###### Important - -Make sure that the following input parameters are configured for your stack sets: +Create stack sets in the audit account.| Download the `vulnerability-management-program.yaml` file (attached) to a local path on your computer.On the [CloudFormation console](https://console.aws.amazon.com/cloudformation/), choose **View stacksets** and then choose **Create StackSet**. Choose**Template is ready** , choose **Upload a template file** , and then upload the****`vulnerability-management-program.yaml` file. If you want to use `self-managed` permissions, follow the instructions from [Create a stack set with self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-getting-started-create-self-managed-console) in the CloudFormation documentation. This creates stack sets in individual accounts. If you want to use `service-managed`**** permissions, follow the instructions from [Create a stack set with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org-console) in the CloudFormation documentation. This creates stack sets in your entire organization or specified organizational units (OUs).Make sure that the following input parameters are configured for your stack sets: @@ -140 +120 @@ Make sure that the following input parameters are configured for your stack sets - * `CentralSNSTopicArn` – The Amazon Resource Name (ARN) for the central SNS topic. + * `CentralSNSTopicArn` – The Amazon Resource Name (ARN) for the central Amazon SNS topic. @@ -144 +124 @@ Make sure that the following input parameters are configured for your stack sets -If you want to scan EC2 instances in the audit account, you must run the `vulnerability-management-program.yaml `file as an AWS CloudFormation stack in the audit account.| Developer, Security engineer +If you want to scan Amazon EC2 instances in the audit account, you must run the `vulnerability-management-program.yaml` file as a CloudFormation stack in the audit account.| Developer, Security engineer @@ -149 +129 @@ Validate the solution.| Check that you receive findings by email or HTTP endpoin - * [Scale your security vulnerability testing with Amazon Inspector](https://aws.amazon.com/blogs/aws/scale-your-security-vulnerability-testing-with-amazon-inspector/) + * [Scale your security vulnerability testing with Amazon Inspector](https://aws.amazon.com/blogs/aws/scale-your-security-vulnerability-testing-with-amazon-inspector/) (AWS blog post) @@ -151 +131 @@ Validate the solution.| Check that you receive findings by email or HTTP endpoin - * [Automatically remediate Amazon Inspector security findings](https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/) + * [Automatically remediate Amazon Inspector security findings](https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/) (AWS blog post) @@ -153 +133 @@ Validate the solution.| Check that you receive findings by email or HTTP endpoin - * [How to simplify security assessment setup by using Amazon EC2, AWS Systems Manager, and Amazon Inspector](https://aws.amazon.com/blogs/security/how-to-simplify-security-assessment-setup-using-ec2-systems-manager-and-amazon-inspector/) + * [How to simplify security assessment setup by using Amazon EC2, AWS Systems Manager, and Amazon Inspector](https://aws.amazon.com/blogs/security/how-to-simplify-security-assessment-setup-using-ec2-systems-manager-and-amazon-inspector/) (AWS blog post)