AWS solutions high security documentation change
Summary
Added multiple new security controls including IMDSv2 enforcement for Auto Scaling, HTTPS enforcement for ALB, ECS root filesystem access restriction, ElastiCache backup/version upgrades/failover, DynamoDB scaling/tagging/deletion protection
Security assessment
Added documentation for security controls addressing vulnerabilities like IMDSv1 exploitation (CVE-2021-4043), insecure HTTP traffic, container privilege escalation risks, and data loss prevention. IMDSv2 requirement specifically mitigates SSRF vulnerabilities.
Diff
diff --git a/solutions/latest/automated-security-response-on-aws/playbooks-1.md b/solutions/latest/automated-security-response-on-aws/playbooks-1.md index eb0ed4718..71e1dc13a 100644 --- a//solutions/latest/automated-security-response-on-aws/playbooks-1.md +++ b//solutions/latest/automated-security-response-on-aws/playbooks-1.md @@ -21 +21,2 @@ Description | AWS FSBP | CIS v1.2.0 | PCI v3.2.1 | CIS v1.4.0 | NIST | CIS v3.0. -**ASR-CreateMultiRegionTrail** CloudTrail should be activated and configured with at least one multi-Region trail | CloudTrail.1 | 2.1 | CloudTrail.2 | 3.1 | CloudTrail.1 | 3.1 | CloudTrail.1 +**ASR-ConfigureAutoScalingLaunchConfigToRequireIMDSv2** Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | | | | | Autoscaling.3 | | Autoscaling.3 +**ASR-CreateCloudTrailMultiRegionTrail** CloudTrail should be activated and configured with at least one multi-Region trail | CloudTrail.1 | 2.1 | CloudTrail.2 | 3.1 | CloudTrail.1 | 3.1 | CloudTrail.1 @@ -110,0 +112,8 @@ INSERT TITLE HERE Security groups should not allow unrestricted access to ports +**ASR-EnforceHTTPSForALB** Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | ELB.1 | | ELB.1 | | ELB.1 | | ELB.1 +**ASR-LimitECSRootFilesystemAccess** ECS containers should be limited to read-only access to root filesystems | ECS.5 | | | | ECS.5 | | ECS.5 +**ASR-EnableElastiCacheBackups** ElastiCache (Redis OSS) clusters should have automatic backups enabled | ElastiCache.1 | | | | ElastiCache.1 | | ElastiCache.1 +**ASR-EnableElastiCacheVersionUpgrades** ElastiCache clusters should have automatic minor version upgrades enabled | ElastiCache.2 | | | | ElastiCache.2 | | ElastiCache.2 +**ASR-EnableElastiCacheReplicationGroupFailover** ElastiCache replication groups should have automatic failover enabled | ElastiCache.3 | | | | ElastiCache.3 | | ElastiCache.3 +**ASR-ConfigureDynamoDBAutoScaling** DynamoDB tables should automatically scale capacity with demand | DynamoDB.1 | | | | DynamoDB.1 | | DynamoDB.1 +**ASR-TagDynamoDBTableResource** DynamoDB tables should be tagged | | | | | | | DynamoDB.5 +**ASR-EnableDynamoDBDeletionProtection** DynamoDB tables should have deletion protection enabled | | | | | DynamoDB.6 | | DynamoDB.6