AWS managedservices medium security documentation change
Summary
Added RDP session timeout control (15 minutes), enforced gMSA usage, and renumbered security controls
Security assessment
Introduction of 15-minute RDP timeout reduces session hijacking risk. Mandating gMSA accounts improves credential management security. These changes directly address security best practices for access control and session management.
Diff
diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md index 6e7570b9a..1de544b92 100644 --- a//managedservices/latest/userguide/ams-sec-stand-controls.md +++ b//managedservices/latest/userguide/ams-sec-stand-controls.md @@ -117 +117,2 @@ ID | Technical standard -1.2 | Default Stack Access Time is 12 hours. +1.2 | RDP session timeout for Microsoft Windows Server is set to 15 minutes and can be extended based on use case. +1.3 | Default Stack Access Time is 12 hours. @@ -126,2 +127,3 @@ ID | Technical standard -3.3 | IAM users with programmatic access, named `customer_servicenow_user` and `customer_servicenow_logging_user` required for ServiceNow integration in SALZ or MALZ application account and *core accounts* can be created without any time-limited policy. -3.4 | IAM users with programmatic access, using `customer_cloud_endure_policy` and `customer_cloud_endure_deny_policy` (with read-only access) required for CloudEndure integration in SALZ and MALZ accounts can be created but need a time-limited policy for the period of the planned migration. The time-limit can be for a maximum period of 180 days without any RA. The SCP is also authorized for change for MALZ accounts to allow these policies to function for the required period. You define appropriate migration windows for your needs and adjust as required. +3.3 | On Microsoft Windows Servers, only Microsoft group Managed Service Account (gMSA) must be created. +3.4 | IAM users with programmatic access, named `customer_servicenow_user` and `customer_servicenow_logging_user` required for ServiceNow integration in SALZ or MALZ application account and *core accounts* can be created without any time-limited policy. +3.5 | IAM users with programmatic access, using `customer_cloud_endure_policy` and `customer_cloud_endure_deny_policy` (with read-only access) required for CloudEndure integration in SALZ and MALZ accounts can be created but need a time-limited policy for the period of the planned migration. The time-limit can be for a maximum period of 180 days without any RA. The SCP is also authorized for change for MALZ accounts to allow these policies to function for the required period. You define appropriate migration windows for your needs and adjust as required.