AWS awssupport documentation change
Summary
Formatting changes to section headers (e.g., 'Alert Criteria' -> 'Alert criteria') and list item capitalization
Security assessment
These are stylistic changes without security implications
Diff
diff --git a/awssupport/latest/user/security-checks.md b/awssupport/latest/user/security-checks.md index 4d0cb17f1..8c00182ee 100644 --- a//awssupport/latest/user/security-checks.md +++ b//awssupport/latest/user/security-checks.md @@ -5 +5 @@ -Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail LoggingAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on Root AccountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access +Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail LoggingAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access @@ -81 +81 @@ You can view all controls in the AWS Foundational Security Best Practices securi - * [MFA on Root Account](./security-checks.html#mfa-root-account) + * [MFA on root account](./security-checks.html#mfa-root-account) @@ -319 +319 @@ If you can’t upgrade your SQL Server on Amazon EC2, consider the End-of-Suppor -This check alerts you if your Microsoft SQL versions are near or have reached the end of support. Each Windows Server version offers 10 years of support, including 5 years of mainstream support and 5 years of extended support. After the end of support, the Windows Server version won't receive regular security updates. Running applications with unsupported Windows Server versions can bring security or compliance risks. +This check alerts you if your Microsoft Windows Server versions are near or have reached the end of support. Each Windows Server version offers 10 years of support, including 5 years of mainstream support and 5 years of extended support. After the end of support, the Windows Server version won't receive regular security updates. Running applications with unsupported Windows Server versions can bring security or compliance risks. @@ -336 +336 @@ For Business, Enterprise On-Ramp, or Enterprise Support customers, you can use t -**Alert Criteria** +**Alert criteria** @@ -339 +339 @@ For Business, Enterprise On-Ramp, or Enterprise Support customers, you can use t - * Red: An EC2 instance has a Windows Server version that reached the end of support (Windows Server 2003, 2003 R2, 2008, and 2008 R2). + * Red: An EC2 instance runs on a Windows Server version that reached the end of support (Windows Server 2003, 2003 R2, 2008, and 2008 R2). @@ -341 +341 @@ For Business, Enterprise On-Ramp, or Enterprise Support customers, you can use t - * Yellow: An EC2 instance has a Windows Server version that will reach the end of support in less than 18 months (Windows Server 2012 and 2012 R2). + * Yellow: An EC2 instance runs on a Windows Server version that will reach the end of support in less than 18 months (Windows Server 2012 and 2012 R2). @@ -346 +346 @@ For Business, Enterprise On-Ramp, or Enterprise Support customers, you can use t -**Recommended Action** +**Recommended action** @@ -353 +353 @@ To upgrade your Windows Server workloads to run on more recent versions of Windo -Please follow the set of steps below: +Complete the following steps: @@ -359 +359 @@ Please follow the set of steps below: - * If using EC2Config, please migrate to EC2Launch + * If using EC2Config, migrate to EC2Launch @@ -393 +393 @@ This check alerts you if the versions are near or have reached the end of standa -Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear. +Results for this check are automatically refreshed at least once daily, and refresh requests are not allowed. It might take a few hours for changes to appear. @@ -2036 +2036 @@ It’s a best practice to manage human users in IAM Identity Center. But you can -## MFA on Root Account +## MFA on root account @@ -2041 +2041 @@ It’s a best practice to manage human users in IAM Identity Center. But you can -Checks the root account and warns if multi-factor authentication (MFA) is not enabled. +Checks the root user credentials of an account and warns if multi-factor authentication (MFA) is not enabled. @@ -2049 +2049 @@ For your AWS Organizations management account, AWS requires multi-factor authent -For your AWS Organizations member accounts, AWS recommends the use of MFA. In addition to applying MFA, if you use AWS Organizations to manage multiple accounts, you can apply an SCP to restrict access to member account root user. For more information, please see [Best practices for member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html) in AWS Organizations User Guide. +For your AWS Organizations member accounts, we recommend that you centrally manage root credentials using AWS Identity and Access Management. Member account root user credentials can be deleted centrally, removing the need to manage MFA on root user credentials. For more information, see [Best practices for member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html) in the _AWS Organizations User Guide_. @@ -2056 +2056 @@ For your AWS Organizations member accounts, AWS recommends the use of MFA. In ad -**Alert Criteria** +**Alert criteria** @@ -2059 +2059 @@ For your AWS Organizations member accounts, AWS recommends the use of MFA. In ad -Red: MFA is not enabled on the root account. + * Red: MFA is not enabled on the root account. @@ -2061 +2061 @@ Red: MFA is not enabled on the root account. -**Recommended Action** + * Green: No root user credentials (root password) exist or MFA is enabled for the account. @@ -2064 +2063,0 @@ Red: MFA is not enabled on the root account. -Log in to your root account and activate an MFA device. See [Checking MFA Status](https://docs.aws.amazon.com/IAM/latest/UserGuide/MFADeviceStatus.html) and [Setting Up an MFA Device](https://docs.aws.amazon.com/IAM/latest/UserGuide/MFADeviceSetup.html). @@ -2066 +2064,0 @@ Log in to your root account and activate an MFA device. See [Checking MFA Status -You can activate MFA on your account at any time by visiting the Security Credentials page. To do this, choose the account menu drop-down in theAWS Management Console. AWS supports multiple industry standard forms of MFA, such as FIDO2 and virtual authenticators. This gives the flexibility to choose a MFA device that meets your needs. It's a best practice to you register more than one MFA device for resiliency in the event that one of your MFA devices is lost or stops working. @@ -2068 +2066,16 @@ You can activate MFA on your account at any time by visiting the Security Creden -**Additional Resources** +**Recommended action** + + +**If this is a member account in AWS Organizations:** Log in to your management account, enable the root access management feature in IAM, and remove your root user credentials from this member account. See [Centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html). + +**If this is a standalone or management account in AWS Organizations:** Log in to your root account and activate an MFA device. For more information, see [Check MFA status](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_checking-status.html) and [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) + +**Additional resources** + + + * [Centrally manage root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management) + + * [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) + + * [Multi-factor authentication for AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-mfa-for-root.html) + @@ -2071 +2083,0 @@ You can activate MFA on your account at any time by visiting the Security Creden -Please refer to [General steps for activating MFA devices](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable-overview.html) and [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in theIAM User Guide for additional information. @@ -2088 +2100,5 @@ Checks if the root user access key is present. It's strongly recommended that yo -Red: The root user access key is present + * Red: The root user access key is present + + * Green: The root user access key isn’t present + + @@ -2090 +2105,0 @@ Red: The root user access key is present -Green: The root user access key isn’t present @@ -2100 +2115 @@ Delete the access key(s) for the root user. See [Deleting access keys for the ro -[Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html) + * [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html) @@ -2102 +2117 @@ Delete the access key(s) for the root user. See [Deleting access keys for the ro -[Resetting a lost or forgotten root user password](https://docs.aws.amazon.com/IAM/latest/UserGuide/reset-root-password.html) + * [Resetting a lost or forgotten root user password](https://docs.aws.amazon.com/IAM/latest/UserGuide/reset-root-password.html) @@ -2104 +2119,4 @@ Delete the access key(s) for the root user. See [Deleting access keys for the ro -**Report columns** + + + +Report columns