AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-05-16 · Documentation low

File: prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.md

Summary

Formatting and capitalization changes (e.g., 'AWS Config rules' to 'AWS Config Rules'), markdown link improvements, and restructuring of FAQ section into dedicated headers with expanded explanations of AWS Config and Security Hub integration.

Security assessment

The changes primarily improve documentation clarity and structure. The expanded explanations about AWS Config's role in compliance and its integration with AWS Security Hub add context about security features (encryption enforcement, compliance monitoring). However, there is no evidence of addressing a specific security vulnerability or incident.

Diff

diff --git a/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.md b/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.md
index 44476bd7c..1f76168ea 100644
--- a//prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.md
+++ b//prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.md
@@ -17 +17 @@ Encrypted RDS DB instances provide an additional layer of data protection by sec
-This pattern uses AWS Config rules to evaluate RDS DB instances and clusters. It applies remediation by using AWS Systems Manager runbooks, which define the actions to be performed on noncompliant Amazon RDS resources, and AWS KMS keys to encrypt the DB snapshots. It then enforces service control policies (SCPs) to prevent the creation of new DB instances and clusters without encryption.
+This pattern uses AWS Config Rules to evaluate RDS DB instances and clusters. It applies remediation by using AWS Systems Manager runbooks, which define the actions to be performed on noncompliant Amazon RDS resources, and AWS KMS keys to encrypt the DB snapshots. It then enforces service control policies (SCPs) to prevent the creation of new DB instances and clusters without encryption.
@@ -86 +86 @@ The following diagram illustrates the architecture for the AWS CloudFormation im
-  * [ AWS Config](https://aws.amazon.com/config/) keeps track of the configuration of your AWS resources and their relationships to your other resources. It can also evaluate those AWS resources for compliance. This service uses rules that can be configured to evaluate AWS resources against desired configurations. You can use a set of AWS Config managed rules for common compliance scenarios, or you can create your own rules for custom scenarios. When an AWS resource is found to be noncompliant, you can specify a remediation action through an AWS Systems Manager runbook and optionally send an alert through an Amazon Simple Notification Service (Amazon SNS) topic. In other words, you can associate remediation actions with AWS Config rules and choose to run them automatically to address noncompliant resources without manual intervention. If a resource is still noncompliant after automatic remediation, you can set the rule to try automatic remediation again.
+  * [ AWS Config](https://aws.amazon.com/config/) keeps track of the configuration of your AWS resources and their relationships to your other resources. It can also evaluate those AWS resources for compliance. This service uses rules that can be configured to evaluate AWS resources against desired configurations. You can use a set of AWS Config managed rules for common compliance scenarios, or you can create your own rules for custom scenarios. When an AWS resource is found to be noncompliant, you can specify a remediation action through an AWS Systems Manager runbook and optionally send an alert through an Amazon Simple Notification Service (Amazon SNS) topic. In other words, you can associate remediation actions with AWS Config Rules and choose to run them automatically to address noncompliant resources without manual intervention. If a resource is still noncompliant after automatic remediation, you can set the rule to try automatic remediation again.
@@ -103 +103 @@ The source code and templates for this pattern are available in a [GitHub reposi
-The _Epics_ section provides step-by-step instructions for deploying the CloudFormation template. If you want to use the AWS CDK, follow the instructions in the README.md file in the GitHub repository.
+The Epics section provides step-by-step instructions for deploying the CloudFormation template. If you want to use the AWS CDK, follow the instructions in the `README.md` file in the GitHub repository.
@@ -127 +127 @@ Create the CloudFormation stack.|
-  1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation/](https://console.aws.amazon.com/cloudformation/). 
+  1. Sign in to the AWS Management Console and open the [CloudFormation console](https://console.aws.amazon.com/cloudformation/). 
@@ -137 +137 @@ Review CloudFormation parameters and values.|
-Review the resources.| When the stack has been created, its status changes to **CREATE_COMPLETE**. Review the created resources (IAM role, AWS Systems Manager runbook) in the CloudFormation console.| DevOps engineer  
+Review the resources.| When the stack has been created, its status changes to **CREATE_COMPLETE**. Review the created resources (IAM role, Systems Manager runbook) in the CloudFormation console.| DevOps engineer  
@@ -180 +180 @@ View noncompliant resources.|
-  1. To view a list of noncompliant resources, open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 
+  1. To view a list of noncompliant resources, open the [AWS Config console](https://console.aws.amazon.com/config/). 
@@ -187 +187 @@ Remediate noncompliant resources.|
-  2. View the progress and status of the remediation in Systems Manager. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). In the navigation pane, choose **Automation** , and then select the execution ID of the corresponding automation to view further details.
+  2. View the progress and status of the remediation in Systems Manager. Open the [Systems Manager console](https://console.aws.amazon.com/systems-manager/). In the navigation pane, choose **Automation** , and then select the execution ID of the corresponding automation to view further details.
@@ -232 +232 @@ Enforce SCPs.| Enforce SCPs to prevent DB instances and clusters from being crea
-**FAQ**
+**How does AWS Config work?**
@@ -234 +234 @@ Enforce SCPs.| Enforce SCPs to prevent DB instances and clusters from being crea
-**Q.** How does AWS Config work?
+When you use AWS Config, it first discovers the supported AWS resources that exist in your account and generates a [configuration item](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-items) for each resource. AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the AWS Region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
@@ -236 +236 @@ Enforce SCPs.| Enforce SCPs to prevent DB instances and clusters from being crea
-**A.** When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a [configuration item](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-items) for each resource. AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the AWS Region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
+**How are AWS Config and AWS Config Rules related to AWS Security Hub?**
@@ -238,3 +238 @@ Enforce SCPs.| Enforce SCPs to prevent DB instances and clusters from being crea
-**Q.** How are AWS Config and AWS Config rules related to AWS Security Hub?
-
-**A.** AWS Security Hub is a security and compliance service that provides security and compliance posture management as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly. Config rules are also used by other AWS services, such AWS Control Tower and AWS Firewall Manager.
+AWS Security Hub is a security and compliance service that provides security and compliance posture management as a service. It uses AWS Config and AWS Config Rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config Rules can also be used to evaluate resource configuration directly. Other AWS services, such AWS Control Tower and AWS Firewall Manager, also use AWS Config Rules.