AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-07-04 · Documentation low

File: solutions/latest/scalable-analytics-using-apache-druid-on-aws/security-best-practices.md

Summary

Updated terminology from 'solution' to 'guidance' throughout document, modified URL reference from 'implementations' to 'guidance', and made minor editorial changes to security recommendations

Security assessment

Changes are primarily terminology updates (solution → guidance) and editorial improvements without introducing new security content or addressing specific vulnerabilities. Security recommendations about TLS, AMI updates, and EKS configurations remain substantively unchanged.

Diff

diff --git a/solutions/latest/scalable-analytics-using-apache-druid-on-aws/security-best-practices.md b/solutions/latest/scalable-analytics-using-apache-druid-on-aws/security-best-practices.md
index ea1a697be..46a893b8d 100644
--- a//solutions/latest/scalable-analytics-using-apache-druid-on-aws/security-best-practices.md
+++ b//solutions/latest/scalable-analytics-using-apache-druid-on-aws/security-best-practices.md
@@ -3 +3 @@
-[Documentation](/index.html)[Scalable Analytics Using Apache Druid on AWS](https://aws.amazon.com/solutions/implementations/scalable-analytics-using-apache-druid-on-aws)[Implementation Guide](solution-overview.html)
+[Documentation](/index.html)[Guidance for Scalable Analytics Using Apache Druid on AWS](https://aws.amazon.com/solutions/guidance/scalable-analytics-using-apache-druid-on-aws)[Implementation Guide](solution-overview.html)
@@ -5 +5 @@
-User authentication and authorizationDomain and TLS certificateThird-party extensionsDeploy the solution into existing VPCAMI securityPublic and private mode for EKS cluster endpointEKS master IAM role
+User authentication and authorizationDomain and TLS certificateThird-party extensionsDeploy the guidance into existing VPCAMI securityPublic and private mode for EKS cluster endpointEKS master IAM role
@@ -13 +13 @@ This section provides several security features to consider, as you develop and
-The following best practices are general guidelines and do not represent a complete security solution. These best practices might not be appropriate or sufficient for your specific environment, so treat them as helpful considerations, not prescriptive guidance.
+The following best practices are general guidelines and do not represent a complete security guidance. These best practices might not be appropriate or sufficient for your specific environment, so treat them as helpful considerations, not prescriptive guidance.
@@ -17 +17 @@ The following best practices are general guidelines and do not represent a compl
-The solution is configured to utilize basic authentication by default, offering adaptability for additional support such as OIDC and LDAP authentication through configuration settings. However, we advise caution when customizing user authentication and authorization settings.
+The guidance is configured to utilize basic authentication by default, offering adaptability for additional support such as OIDC and LDAP authentication through configuration settings. However, we advise caution when customizing user authentication and authorization settings.
@@ -30 +30 @@ The solution is configured to utilize basic authentication by default, offering
-The solution integrates with [Amazon Route 53](https://aws.amazon.com/route53/) and [AWS Certificate Manager](https://aws.amazon.com/acm/), streamlining the provisioning of a domain and TLS certificate during deployment when a Route53 hosted zone configuration is specified. Alternatively, it provides the flexibility to deploy without Route 53 configuration, allowing for an external domain setup. In this scenario, a default HTTP listener is established using the application load balancer, and traffic will be exposed over HTTP without encryption in transit.
+The guidance integrates with [Amazon Route 53](https://aws.amazon.com/route53/) and [AWS Certificate Manager](https://aws.amazon.com/acm/), streamlining the provisioning of a domain and TLS certificate during deployment when a Route53 hosted zone configuration is specified. Alternatively, it provides the flexibility to deploy without Route 53 configuration, allowing for an external domain setup. In this scenario, a default HTTP listener is established using the application load balancer, and traffic will be exposed over HTTP without encryption in transit.
@@ -34 +34 @@ This scenario poses significant security risks, such as the potential for eavesd
-Upon completing the external domain setup, it is recommended to configure the TLS certificate ARN along with the domain, and trigger a redeployment of the solution to implement these changes. This verifies that the application load balancer exposes HTTPS, thereby fortifying communication security through TLS encryption.
+Upon completing the external domain setup, it is recommended to configure the TLS certificate ARN along with the domain, and trigger a redeployment of the guidance to implement these changes. This verifies that the application load balancer exposes HTTPS, thereby fortifying communication security through TLS encryption.
@@ -38 +38 @@ Upon completing the external domain setup, it is recommended to configure the TL
-The solution’s default configuration includes a minimum set of essential extensions to enable core functionalities. Users have the flexibility to tailor the list of extensions that can be loaded into the cluster. It is important for users to assume responsibility for the security of the selected extensions.
+The guidance’s default configuration includes a minimum set of essential extensions to enable core functionalities. Users have the flexibility to tailor the list of extensions that can be loaded into the cluster. It is important for users to assume responsibility for the security of the selected extensions.
@@ -42 +42 @@ To uphold a robust security posture, we strongly advise consistently monitoring
-## Deploy the solution into existing VPC
+## Deploy the guidance into existing VPC
@@ -44 +44 @@ To uphold a robust security posture, we strongly advise consistently monitoring
-The solution offers the flexibility to deploy into an existing VPC. When opting for this configuration, it is advisable to ensure that the existing VPC is equipped with three distinct types of subnets: public, private, and isolated, spanning across at least two availability zones.
+The guidance offers the flexibility to deploy into an existing VPC. When opting for this configuration, it is advisable to ensure that the existing VPC is equipped with three distinct types of subnets: public, private, and isolated, spanning across at least two availability zones.
@@ -50 +50 @@ Whether a subnet is public or private refers to whether traffic within the subne
-The solution automatically selects the latest AMI for Amazon Linux 2 in the deployment process. Opting for the most recent AMI ensures that the system benefits from the latest security patches, thereby maintaining an up-to-date and secure environment. This proactive approach aligns with best practices for security and helps safeguard the integrity of the deployed instances. Continuous use of the latest AMI version contributes to a more resilient and well-protected infrastructure.
+The guidance automatically selects the latest AMI for Amazon Linux 2 in the deployment process. Opting for the most recent AMI ensures that the system benefits from the latest security patches, thereby maintaining an up-to-date and secure environment. This proactive approach aligns with best practices for security and helps safeguard the integrity of the deployed instances. Continuous use of the latest AMI version contributes to a more resilient and well-protected infrastructure.
@@ -52 +52 @@ The solution automatically selects the latest AMI for Amazon Linux 2 in the depl
-The solution also supports the flexibility to bring your own AMI. It is important to ensure that your base AMI adheres to security best practices.
+The guidance also supports the flexibility to bring your own AMI. It is important to ensure that your base AMI adheres to security best practices.
@@ -65 +65 @@ The solution also supports the flexibility to bring your own AMI. It is importan
-Amazon EKS offers public-only, public-and-private, and private-only cluster endpoint modes. The default mode is configured to be private-only in the solution, however we recommend configuring cluster endpoint in public and private mode. This option allows Kubernetes API calls within your cluster’s VPC (such as node-to-control-plane communication) to use the private VPC endpoint and traffic to remain within your cluster’s VPC.
+Amazon EKS offers public-only, public-and-private, and private-only cluster endpoint modes. The default mode is configured to be private-only in the guidance, however we recommend configuring cluster endpoint in public and private mode. This option allows Kubernetes API calls within your cluster’s VPC (such as node-to-control-plane communication) to use the private VPC endpoint and traffic to remain within your cluster’s VPC.
@@ -71 +71 @@ You can access your cluster API server from the internet. However, we strongly r
-For EKS deployment, the solution requires the user to supply an ARN for the EKS master role. This role, serving as the IAM principal responsible for creating the cluster, is automatically endowed with `system:masters` permissions within the cluster’s Role-Based Access Control (RBAC) configuration in the Amazon EKS control panel. For more guidance on how to secure the access for this role, refer to the [EKS best practices](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#create-the-cluster-with-a-dedicated-iam-role) topic.
+For EKS deployment, the guidance requires the user to supply an ARN for the EKS master role. This role, serving as the IAM principal responsible for creating the cluster, is automatically endowed with `system:masters` permissions within the cluster’s Role-Based Access Control (RBAC) configuration in the Amazon EKS control panel. For more guidance on how to secure the access for this role, refer to the [EKS best practices](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#create-the-cluster-with-a-dedicated-iam-role) topic.