AWS managedservices documentation change
Summary
Removed RDP session timeout requirement and consolidated IAM user policies for ServiceNow/CloudEndure integrations
Security assessment
Changes involve removing specific technical controls (RDP timeout) and reorganizing existing policies without introducing new security content. No evidence of addressing vulnerabilities or incidents.
Diff
diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md index 1de544b92..6e7570b9a 100644 --- a//managedservices/latest/userguide/ams-sec-stand-controls.md +++ b//managedservices/latest/userguide/ams-sec-stand-controls.md @@ -117,2 +117 @@ ID | Technical standard -1.2 | RDP session timeout for Microsoft Windows Server is set to 15 minutes and can be extended based on use case. -1.3 | Default Stack Access Time is 12 hours. +1.2 | Default Stack Access Time is 12 hours. @@ -127,3 +126,2 @@ ID | Technical standard -3.3 | On Microsoft Windows Servers, only Microsoft group Managed Service Account (gMSA) must be created. -3.4 | IAM users with programmatic access, named `customer_servicenow_user` and `customer_servicenow_logging_user` required for ServiceNow integration in SALZ or MALZ application account and *core accounts* can be created without any time-limited policy. -3.5 | IAM users with programmatic access, using `customer_cloud_endure_policy` and `customer_cloud_endure_deny_policy` (with read-only access) required for CloudEndure integration in SALZ and MALZ accounts can be created but need a time-limited policy for the period of the planned migration. The time-limit can be for a maximum period of 180 days without any RA. The SCP is also authorized for change for MALZ accounts to allow these policies to function for the required period. You define appropriate migration windows for your needs and adjust as required. +3.3 | IAM users with programmatic access, named `customer_servicenow_user` and `customer_servicenow_logging_user` required for ServiceNow integration in SALZ or MALZ application account and *core accounts* can be created without any time-limited policy. +3.4 | IAM users with programmatic access, using `customer_cloud_endure_policy` and `customer_cloud_endure_deny_policy` (with read-only access) required for CloudEndure integration in SALZ and MALZ accounts can be created but need a time-limited policy for the period of the planned migration. The time-limit can be for a maximum period of 180 days without any RA. The SCP is also authorized for change for MALZ accounts to allow these policies to function for the required period. You define appropriate migration windows for your needs and adjust as required.