AWS prescriptive-guidance documentation change
Summary
Updated documentation to standardize service name references (e.g., 'EC2 instance' to 'Amazon EC2 instance'), removed redundant 'Target technology stack' section, fixed typos (e.g., 'Session Manger' to 'Session Manager'), improved note formatting, and clarified operational steps for script execution and resource management.
Security assessment
Changes focus on naming consistency, documentation structure, and operational clarity rather than addressing security vulnerabilities or introducing new security features. While the document discusses security tools (IAM roles, Security Hub), the changes themselves are editorial improvements without evidence of patching vulnerabilities or expanding security guidance.
Diff
diff --git a/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.md b/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.md index 821eeb3b4..7eadfb064 100644 --- a//prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.md +++ b//prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.md @@ -53 +53 @@ This solution was designed with the following in mind: - * If you’re uploading the findings to Security Hub, Security Hub must be enabled in the account and AWS Region where the EC2 instance is provisioned. For more information, see [Setting up AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). + * If you’re uploading the findings to Security Hub, Security Hub must be enabled in the account and AWS Region where the Amazon EC2 instance is provisioned. For more information, see [Setting up AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). @@ -64 +64 @@ This solution was designed with the following in mind: - * The CloudFormation template is designed to deploy the EC2 instance in a private subnet that has outbound internet access. The AWS Systems Manager Agent (SSM Agent) requires outbound access to reach the Systems Manager service endpoint, and you need outbound access to clone the code repository and install dependencies. If you want to use a public subnet, you must modify the **naa-resources.yaml** template to associate an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) with the EC2 instance. + * The CloudFormation template is designed to deploy the Amazon EC2 instance in a private subnet that has outbound internet access. The AWS Systems Manager Agent (SSM Agent) requires outbound access to reach the Systems Manager service endpoint, and you need outbound access to clone the code repository and install dependencies. If you want to use a public subnet, you must modify the **naa-resources.yaml** template to associate an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) with the Amazon EC2 instance. @@ -71,17 +70,0 @@ This solution was designed with the following in mind: -**Target technology stack** - - * Network Access Analyzer - - * Amazon EC2 instance - - * AWS Identity and Access Management (IAM) roles - - * Amazon Simple Storage Service (Amazon S3) bucket - - * Amazon Simple Notification Service (Amazon SNS) topic - - * AWS Security Hub (Option 2 only) - - - - @@ -96 +79 @@ The diagram shows the following process: - 1. If you’re manually running the solution, the user authenticates to the EC2 instance by using Session Manager and then runs the **naa-script.sh** script. This shell script performs steps 2–7. + 1. If you’re manually running the solution, the user authenticates to the Amazon EC2 instance by using Session Manager and then runs the **naa-script.sh** script. This shell script performs steps 2–7. @@ -100 +83 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 2. The EC2 instance downloads the latest **naa-exception.csv** file from the S3 bucket. This file is used later in the process when the Python script processes the exclusions. + 2. The Amazon EC2 instance downloads the latest **naa-exception.csv** file from the Amazon S3 bucket. This file is used later in the process when the Python script processes the exclusions. @@ -102 +85 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 3. The EC2 instance assumes the `NAAEC2Role` IAM role, which grants permissions to access the S3 bucket and to assume the `NAAExecRole` IAM roles in the other accounts in the organization. + 3. The Amazon EC2 instance assumes the `NAAEC2Role` AWS Identity and Access Management (IAM) role, which grants permissions to access the Amazon S3 bucket and to assume the `NAAExecRole` IAM roles in the other accounts in the organization. @@ -104 +87 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 4. The EC2 instance assumes the `NAAExecRole` IAM role in the organization’s management account and generates a list of the accounts in the organization. + 4. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s management account and generates a list of the accounts in the organization. @@ -106 +89 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 5. The EC2 instance assumes the `NAAExecRole` IAM role in the organization’s member accounts (called _workload accounts_ in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the EC2 instance. + 5. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s member accounts (called _workload accounts_ in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the Amazon EC2 instance. @@ -108 +91 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 6. The EC2 instance uses a Python script to process the JSON files, extract the data fields, and create a CSV report. + 6. The Amazon EC2 instance uses a Python script to process the JSON files, extract the data fields, and create a CSV report. @@ -110 +93 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 7. The EC2 instance uploads the CSV file to the S3 bucket. + 7. The Amazon EC2 instance uploads the CSV file to the Amazon S3 bucket. @@ -114 +97 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 9. The user downloads the CSV file from the S3 bucket. The user imports the results into the Excel template and reviews the results. + 9. The user downloads the CSV file from the Amazon S3 bucket. The user imports the results into the Excel template and reviews the results. @@ -125 +108 @@ The diagram shows the following process: - 1. If you’re manually running the solution, the user authenticates to the EC2 instance by using Session Manager and then runs the **naa-script.sh** script. This shell script performs steps 2–7. + 1. If you’re manually running the solution, the user authenticates to the Amazon EC2 instance by using Session Manager and then runs the **naa-script.sh** script. This shell script performs steps 2–7. @@ -129 +112 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 2. The EC2 instance downloads the latest **naa-exception.csv** file from the S3 bucket. This file is used later in the process when the Python script processes the exclusions. + 2. The Amazon EC2 instance downloads the latest **naa-exception.csv** file from the Amazon S3 bucket. This file is used later in the process when the Python script processes the exclusions. @@ -131 +114 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 3. The EC2 instance assumes the `NAAEC2Role` IAM role, which grants permissions to access the S3 bucket and to assume the `NAAExecRole` IAM roles in the other accounts in the organization. + 3. The Amazon EC2 instance assumes the `NAAEC2Role` IAM role, which grants permissions to access the Amazon S3 bucket and to assume the `NAAExecRole` IAM roles in the other accounts in the organization. @@ -133 +116 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 4. The EC2 instance assumes the `NAAExecRole` IAM role in the organization’s management account and generates a list of the accounts in the organization. + 4. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s management account and generates a list of the accounts in the organization. @@ -135 +118 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 5. The EC2 instance assumes the `NAAExecRole` IAM role in the organization’s member accounts (called _workload accounts_ in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the EC2 instance. + 5. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s member accounts (called _workload accounts_ in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the Amazon EC2 instance. @@ -137 +120 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 6. The EC2 instance uses a Python script to process the JSON files and extract the data fields for import into Security Hub. + 6. The Amazon EC2 instance uses a Python script to process the JSON files and extract the data fields for import into Security Hub. @@ -139 +122 @@ If you’re automatically running the solution, the **naa-script.sh** script sta - 7. The EC2 instance imports the Network Access Analyzer findings to Security Hub. + 7. The Amazon EC2 instance imports the Network Access Analyzer findings to Security Hub. @@ -172 +155 @@ If you want adjust the schedule after the `NAA-Resources` stack has been deploye - * [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. This pattern uses Session Manger, a capability of Systems Manager. + * [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. This pattern uses Session Manager, a capability of Systems Manager. @@ -181 +164 @@ The code for this pattern is available in the GitHub [Network Access Analyzer Mu - * **naa-script.sh** – This bash script is used to start a Network Access Analyzer analysis of multiple AWS accounts, in parallel. As defined in the **naa-resources.yaml** CloudFormation template, this script is automatically deployed to the `/usr/local/naa` folder on the EC2 instance. + * **naa-script.sh** – This bash script is used to start a Network Access Analyzer analysis of multiple AWS accounts, in parallel. As defined in the **naa-resources.yaml** CloudFormation template, this script is automatically deployed to the `/usr/local/naa` folder on the Amazon EC2 instance. @@ -185,2 +168,3 @@ The code for this pattern is available in the GitHub [Network Access Analyzer Mu -_Note_ : If this stack is deleted and redeployed, you must rebuild the `NAAExecRole` stack set in order to rebuild the cross-account dependencies between the IAM roles. ---- +###### Note + +If this stack is deleted and redeployed, you must rebuild the `NAAExecRole` stack set in order to rebuild the cross-account dependencies between the IAM roles. @@ -202 +186 @@ Clone the code repository.| - 2. Enter the following command.`git clone https://github.com/aws-samples/network-access-analyzer-multi-account-analysis.git` + 2. Enter the following command:`git clone https://github.com/aws-samples/network-access-analyzer-multi-account-analysis.git` @@ -221 +205,5 @@ Provision resources in the security account.| Using the **naa-resources.yaml** t - * `SubnetId` – Select a private subnet that has internet access._Note:_ If you select a public subnet, the EC2 instance might not be assigned a public IP address because the CloudFormation template, by default, doesn’t provision and attach an Elastic IP address. + * `SubnetId` – Select a private subnet that has internet access. + +###### Note + +If you select a public subnet, the Amazon EC2 instance might not be assigned a public IP address because the CloudFormation template, by default, doesn’t provision and attach an Elastic IP address. @@ -227 +215,5 @@ Provision resources in the security account.| Using the **naa-resources.yaml** t - * `EmailAddress` – Specify an email address for an Amazon SNS notification when the analysis is complete._Note:_ The Amazon SNS subscription configuration must be confirmed prior to completion of the analysis, or a notification will not be sent. + * `EmailAddress` – Specify an email address for an Amazon SNS notification when the analysis is complete. + +###### Note + +The Amazon SNS subscription configuration must be confirmed prior to completion of the analysis, or a notification will not be sent. @@ -254,2 +246,6 @@ Provision the IAM role in the member accounts.| In the AWS Organizations managem - 5. On the **Set deployment options** page, under **Deployment targets** , choose **Deploy to organization** and accept all defaults._Note:_ If you want the stacks deployed to all member accounts simultaneously, set **Maximum concurrent accounts** and **Failure tolerance** to a high value, such as 100. - 6. Under **Deployment regions** , choose the Region where the EC2 instance for Network Access Analyzer is deployed. Because IAM resources are global and not Regional, this deploys the IAM role in all active Regions. + 5. On the **Set deployment options** page, under **Deployment targets** , choose **Deploy to organization** and accept all defaults. + +###### Note + +If you want the stacks deployed to all member accounts simultaneously, set **Maximum concurrent accounts** and **Failure tolerance** to a high value, such as `100`. + 6. Under **Deployment regions** , choose the Region where the Amazon EC2 instance for Network Access Analyzer is deployed. Because IAM resources are global and not Regional, this deploys the IAM role in all active Regions. @@ -276,2 +272,2 @@ Customize the shell script.| - 2. Using Session Manager, connect to the EC2 instance for Network Access Analyzer that you previously provisioned. For instructions, see [Connect to your Linux instance using Session Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html). If you’re unable to connect, see the Troubleshooting section of this pattern. - 3. Enter the following commands to open the **naa-script.sh** file for editing. + 2. Using Session Manager, connect to the Amazon EC2 instance for Network Access Analyzer that you previously provisioned. For instructions, see [Connect to your Linux instance using Session Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html). If you’re unable to connect, see the Troubleshooting section of this pattern. + 3. Enter the following commands to open the **naa-script.sh** file for editing: @@ -289 +285 @@ Analyze the target accounts.| - 1. Enter the following commands. This runs the **naa-script.sh** script. + 1. Enter the following commands. This runs the **naa-script.sh** script: @@ -301 +297 @@ Note the following: - 3. Wait for the analysis to complete. If you configured email notifications, you receive an email when the results have been uploaded to the S3 bucket or imported into Security Hub. + 3. Wait for the analysis to complete. If you configured email notifications, you receive an email when the results have been uploaded to the Amazon S3 bucket or imported into Security Hub. @@ -304 +300 @@ Note the following: -Option 1 – Retrieve the results from the S3 bucket.| +Option 1 – Retrieve the results from the Amazon S3 bucket.| @@ -307 +303 @@ Option 1 – Retrieve the results from the S3 bucket.| - 2. Delete the CSV file from the S3 bucket. This is a best practice for cost optimization. For instructions, see [Deleting objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html) in the Amazon S3 documentation. + 2. Delete the CSV file from the Amazon S3 bucket. This is a best practice for cost optimization. For instructions, see [Deleting objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html) in the Amazon S3 documentation. @@ -312 +308 @@ Option 2 – Review the results in Security Hub.| - 1. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/). + 1. Open the [Security Hub console](https://console.aws.amazon.com/securityhub/). @@ -314 +310,5 @@ Option 2 – Review the results in Security Hub.| - 3. Review the Network Access Analyzer findings. For instructions, see [Viewing finding lists and details](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) in the Security Hub documentation._Note_ : You can search findings by adding a **Title starts with** filter and entering `Network Access Analyzer`. + 3. Review the Network Access Analyzer findings. For instructions, see [Viewing finding lists and details](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) in the Security Hub documentation. + +###### Note + +You can search findings by adding a **Title starts with** filter and entering `Network Access Analyzer`. @@ -324 +324,5 @@ Exclude resources with known-good network paths.| If Network Access Analyzer gen - 2. If the value of the `S3_EXCLUSION_FILE` variable is `true`, download the **naa-exclusions.csv** file from the `naa-<accountID>-<region>` bucket. For instructions, see [Downloading an object](https://docs.aws.amazon.com/AmazonS3/latest/userguide/download-objects.html) in the Amazon S3 documentation.If the value of the `S3_EXCLUSION_FILE` variable is `false`, navigate to `/usr/local/naa` and then open the **naa-exclusions.csv** file._Note_ : If the value of the `S3_EXCLUSION_FILE` variable is `false`, the script uses a local version of the exclusions file. If you later change the value to `true`, then the script overwrites the local version with the file in the S3 bucket. + 2. If the value of the `S3_EXCLUSION_FILE` variable is `true`, download the **naa-exclusions.csv** file from the `naa-<accountID>-<region>` bucket. For instructions, see [Downloading an object](https://docs.aws.amazon.com/AmazonS3/latest/userguide/download-objects.html) in the Amazon S3 documentation.If the value of the `S3_EXCLUSION_FILE` variable is `false`, navigate to `/usr/local/naa` and then open the **naa-exclusions.csv** file. + +###### Note + +If the value of the `S3_EXCLUSION_FILE` variable is `false`, the script uses a local version of the exclusions file. If you later change the value to `true`, then the script overwrites the local version with the file in the Amazon S3 bucket. @@ -327 +331 @@ Exclude resources with known-good network paths.| If Network Access Analyzer gen - 5. If you downloaded the **naa-exclusions.csv** file from the S3 bucket, upload the new version. For instructions, see [Uploading objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) in the Amazon S3 documentation. + 5. If you downloaded the **naa-exclusions.csv** file from the Amazon S3 bucket, upload the new version. For instructions, see [Uploading objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) in the Amazon S3 documentation. @@ -335,2 +339,2 @@ Update the naa-script.sh script.| If you want to update the **naa-script.sh** sc - 1. Connect to the EC2 instance by using Session Manager. For instructions, see [Connect to your Linux instance using Session Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html). - 2. Enter the following command. + 1. Connect to the Amazon EC2 instance by using Session Manager. For instructions, see [Connect to your Linux instance using Session Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html). + 2. Enter the following command: @@ -340 +344 @@ Update the naa-script.sh script.| If you want to update the **naa-script.sh** sc - 3. Navigate to the **naa-script.sh** script directory. + 3. Navigate to the **naa-script.sh** script directory: @@ -344 +348 @@ Update the naa-script.sh script.| If you want to update the **naa-script.sh** sc - 4. Enter the following command to stash the local script so that you can merge custom changes into the newest version. + 4. Enter the following command to stash the local script so that you can merge custom changes into the newest version: @@ -348 +352 @@ Update the naa-script.sh script.| If you want to update the **naa-script.sh** sc - 5. Enter the following command to get the latest version of the script. + 5. Enter the following command to get the latest version of the script: @@ -352 +356 @@ Update the naa-script.sh script.| If you want to update the **naa-script.sh** sc - 6. Enter the following command to merge the custom script with the latest version of the script. + 6. Enter the following command to merge the custom script with the latest version of the script: @@ -365 +369 @@ Delete all deployed resources.| You can leave the resources deployed in the acco - 3. Delete all objects in the `naa-<accountID>-<region>` S3 bucket. For instructions, see [Deleting objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html) in the Amazon S3 documentation. + 3. Delete all objects in the `naa-<accountID>-<region>` Amazon S3 bucket. For instructions, see [Deleting objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html) in the Amazon S3 documentation. @@ -374 +378 @@ Issue| Solution -Unable to connect to the EC2 instance by using Session Manager.| The SSM Agent must be able to communicate with the Systems Manager endpoint. Do the following: +Unable to connect to the Amazon EC2 instance by using Session Manager.| The SSM Agent must be able to communicate with the Systems Manager endpoint. Do the following: @@ -376,2 +380,2 @@ Unable to connect to the EC2 instance by using Session Manager.| The SSM Agent m - 1. Validate the subnet where the EC2 instance is deployed has internet access. - 2. Reboot the EC2 instance. + 1. Validate the subnet where the Amazon EC2 instance is deployed has internet access. + 2. Reboot the Amazon EC2 instance.