AWS prescriptive-guidance documentation change
Summary
Updated documentation to use full service names (Amazon DynamoDB, Amazon EventBridge), improved code formatting, added AWS services section, restructured deployment instructions with line breaks, and updated references to Security Hub documentation.
Security assessment
Changes are editorial improvements (branding consistency, formatting, and documentation structure). No evidence of addressing vulnerabilities or security incidents. The pattern itself deals with security controls, but the changes only refine existing documentation without introducing new security considerations.
Diff
diff --git a/prescriptive-guidance/latest/patterns/turn-off-security-standard-controls-across-all-security-hub-member-accounts-in-a-multi-account-environment.md b/prescriptive-guidance/latest/patterns/turn-off-security-standard-controls-across-all-security-hub-member-accounts-in-a-multi-account-environment.md index 14488e76c..ee627715a 100644 --- a//prescriptive-guidance/latest/patterns/turn-off-security-standard-controls-across-all-security-hub-member-accounts-in-a-multi-account-environment.md +++ b//prescriptive-guidance/latest/patterns/turn-off-security-standard-controls-across-all-security-hub-member-accounts-in-a-multi-account-environment.md @@ -15 +15 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsRelated resources -AWS Security Hub now supports central configuration for security standards and controls, across accounts. This new feature addresses many of the scenarios that are covered by the solution in this APG pattern. Before you deploy the solution in this pattern, see [Central configuration in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). +AWS Security Hub now supports central configuration for security standards and controls, across accounts. This new feature addresses many of the scenarios that are covered by the solution in this AWS Prescriptive Guidance pattern. Before you deploy the solution in this pattern, see [Central configuration in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). @@ -43,22 +43 @@ In the Amazon Web Services (AWS) Cloud, AWS Security Hub standard controls, such -**Target technology stack** - - * Amazon DynamoDB - - * Amazon EventBridge - - * AWS CLI - - * AWS Lambda - - * AWS SAM CLI - - * AWS Security Hub - - * AWS Step Functions - - - - -**Target architecture** - -The following diagram shows an example of a Step Functions workflow that turns off Security Hub standard controls across multiple Security Hub member accounts (as viewed from the Security Hub administrator account). +The following diagram shows an example of a AWS Step Functions workflow that turns off Security Hub standard controls across multiple Security Hub member accounts (as viewed from the Security Hub administrator account). @@ -70 +49 @@ The diagram includes the following workflow: - 1. An EventBridge rule is initiated on a daily schedule and invokes the state machine. You can modify the timing of the rule by updating the **Schedule** parameter in your AWS CloudFormation template. + 1. An Amazon EventBridge rule is initiated on a daily schedule and invokes the state machine. You can modify the timing of the rule by updating the `Schedule` parameter in your AWS CloudFormation template. @@ -78 +57 @@ The diagram includes the following workflow: - 5. A DynamoDB table contains exceptions and information about which controls to turn on or off in a particular account. This information overrides the configurations fetched from the Security Hub administrator account for the specified member account. + 5. A Amazon DynamoDB table contains exceptions and information about which controls to turn on or off in a particular account. This information overrides the configurations fetched from the Security Hub administrator account for the specified member account. @@ -88,0 +68,2 @@ The purpose of the scheduled EventBridge rule is to ensure that newly added Secu +**AWS services** + @@ -106 +87 @@ The purpose of the scheduled EventBridge rule is to ensure that newly added Secu -**Code** +**Code repository** @@ -110 +91 @@ The code for this pattern is available on the GitHub [AWS Security Hub Cross-Acc - * `UpdateMembers/template.yaml` – This file contains components deployed in the Security Hub administrator account, including the Step Functions state machine and the EventBridge rules. + * **UpdateMembers/template.yaml** – This file contains components deployed in the Security Hub administrator account, including the Step Functions state machine and the EventBridge rules. @@ -112 +93 @@ The code for this pattern is available on the GitHub [AWS Security Hub Cross-Acc - * `member-iam-role/template.yaml` – This file contains the code to deploy the cross-account IAM role in a member account. + * **member-iam-role/template.yaml** – This file contains the code to deploy the cross-account IAM role in a member account. @@ -114 +95 @@ The code for this pattern is available on the GitHub [AWS Security Hub Cross-Acc - * `stateMachine.json` – This file defines the state machine’s workflow. + * **stateMachine.json** – This file defines the state machine’s workflow. @@ -116 +97 @@ The code for this pattern is available on the GitHub [AWS Security Hub Cross-Acc - * `GetMembers/index.py` – This file contains the code for the **GetMembers** state machine. A script retrieves the status of the security standard controls in all existing Security Hub member accounts. + * **GetMembers/index.py** – This file contains the code for the **GetMembers** state machine. A script retrieves the status of the security standard controls in all existing Security Hub member accounts. @@ -118 +99 @@ The code for this pattern is available on the GitHub [AWS Security Hub Cross-Acc - * `UpdateMember/index.py` – This file contains a script that updates the control status in each member account. + * **UpdateMember/index.py** – This file contains a script that updates the control status in each member account. @@ -120 +101 @@ The code for this pattern is available on the GitHub [AWS Security Hub Cross-Acc - * `CheckResult/index.py` – This file contains a script that checks the status of the workflow invocation (accepted or failed). + * **CheckResult/index.py** – This file contains a script that checks the status of the workflow invocation (accepted or failed). @@ -130 +111 @@ Identify the account ID of the Security Hub administrator account.| Set up a [Se -Deploy the CloudFormation template that includes the cross-account IAM role in the member accounts.| To deploy the `member-iam-role/template.yaml` template in all the member accounts managed by the Security Hub administrator account, run the following command: +Deploy the CloudFormation template that includes the cross-account IAM role in the member accounts.| To deploy the **member-iam-role/template.yaml** template in all the member accounts managed by the Security Hub administrator account, run the following command: @@ -133 +114,5 @@ Deploy the CloudFormation template that includes the cross-account IAM role in t - aws cloudformation deploy --template-file member-iam-role/template.yaml --capabilities CAPABILITY_NAMED_IAM --stack-name <your-stack-name> --parameter-overrides SecurityHubAdminAccountId=<your-account-ID> + aws cloudformation deploy \ + --template-file member-iam-role/template.yaml \ + --capabilities CAPABILITY_NAMED_IAM \ + --stack-name <your-stack-name> \ + --parameter-overrides SecurityHubAdminAccountId=<account-ID> @@ -139 +124 @@ Task| Description| Skills required -Package the CloudFormation template that includes the state machine with AWS SAM.| To package the `UpdateMembers/template.yaml` template in the Security Hub administrator account, run the following command: +Package the CloudFormation template that includes the state machine with AWS SAM.| To package the **UpdateMembers/template.yaml** template in the Security Hub administrator account, run the following command: @@ -142 +127,4 @@ Package the CloudFormation template that includes the state machine with AWS SAM - sam package --template-file UpdateMembers/template.yaml --output-template-file UpdateMembers/template-out.yaml --s3-bucket <amzn-s3-demo-bucket> + sam package \ + --template-file UpdateMembers/template.yaml \ + --output-template-file UpdateMembers/template-out.yaml \ + --s3-bucket <amzn-s3-demo-bucket> @@ -150 +138,4 @@ Deploy the packaged CloudFormation template in the Security Hub administrator ac - aws cloudformation deploy --template-file UpdateMembers/template-out.yaml --capabilities CAPABILITY_IAM --stack-name <your-stack-name> + aws cloudformation deploy \ + --template-file UpdateMembers/template-out.yaml \ + --capabilities CAPABILITY_IAM \ + --stack-name <stack-name> @@ -152 +143 @@ Deploy the packaged CloudFormation template in the Security Hub administrator ac -In the `member-iam-role/template.yaml` template, the **MemberIAMRolePath** parameter must match the **IAMRolePath** parameter and **MemberIAMRoleName** must match **IAMRoleName**. +In the **member-iam-role/template.yaml** template, the `MemberIAMRolePath` parameter must match the `IAMRolePath` parameter and `MemberIAMRoleName` must match `IAMRoleName`. @@ -156 +147 @@ In the `member-iam-role/template.yaml` template, the **MemberIAMRolePath** param -Because Security Hub is a regional service, you must deploy the template individually in each AWS Region. Be sure to first package the solution into an S3 bucket in each Region.| AWS DevOps +Because Security Hub is a regional service, you must deploy the template individually in each AWS Region. Be sure to first package the solution into an Amazon S3 bucket in each Region.| AWS DevOps @@ -160 +151 @@ Because Security Hub is a regional service, you must deploy the template individ - * [Designating a Security Hub administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) (AWS Security Hub documentation) + * [Designating a Security Hub administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) (Security Hub documentation) @@ -162 +153 @@ Because Security Hub is a regional service, you must deploy the template individ - * [Handling Errors, Retries, and adding Alerting to Step Function State Machine Executions](https://aws.amazon.com/blogs/developer/handling-errors-retries-and-adding-alerting-to-step-function-state-machine-executions/) (AWS blog post) + * [Handling Errors, Retries, and adding Alerting to AWS Step Functions State Machine Executions](https://aws.amazon.com/blogs/developer/handling-errors-retries-and-adding-alerting-to-step-function-state-machine-executions/) (AWS blog post)