AWS Security ChangesHomeSearch

AWS solutions high security documentation change

Service: solutions · 2025-07-18 · Security-related high

File: solutions/latest/automated-security-response-on-aws/playbooks-1.md

Summary

Added multiple new security controls including IMDSv2 enforcement for Auto Scaling, HTTPS enforcement for ALB, ECS root filesystem access restriction, ElastiCache backup/version upgrades/failover, DynamoDB scaling/tagging/deletion protection

Security assessment

Added documentation for security controls addressing vulnerabilities like IMDSv1 exploitation (CVE-2021-4043), insecure HTTP traffic, container privilege escalation risks, and data loss prevention. IMDSv2 requirement specifically mitigates SSRF vulnerabilities.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/playbooks-1.md b/solutions/latest/automated-security-response-on-aws/playbooks-1.md
index eb0ed4718..71e1dc13a 100644
--- a//solutions/latest/automated-security-response-on-aws/playbooks-1.md
+++ b//solutions/latest/automated-security-response-on-aws/playbooks-1.md
@@ -21 +21,2 @@ Description | AWS FSBP | CIS v1.2.0 | PCI v3.2.1 | CIS v1.4.0 | NIST | CIS v3.0.
-**ASR-CreateMultiRegionTrail** CloudTrail should be activated and configured with at least one multi-Region trail |  CloudTrail.1 |  2.1 |  CloudTrail.2 |  3.1 |  CloudTrail.1 |  3.1 |  CloudTrail.1  
+**ASR-ConfigureAutoScalingLaunchConfigToRequireIMDSv2** Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) |  |  |  |  |  Autoscaling.3 |  |  Autoscaling.3  
+**ASR-CreateCloudTrailMultiRegionTrail** CloudTrail should be activated and configured with at least one multi-Region trail |  CloudTrail.1 |  2.1 |  CloudTrail.2 |  3.1 |  CloudTrail.1 |  3.1 |  CloudTrail.1  
@@ -110,0 +112,8 @@ INSERT TITLE HERE Security groups should not allow unrestricted access to ports
+**ASR-EnforceHTTPSForALB** Application Load Balancer should be configured to redirect all HTTP requests to HTTPS |  ELB.1 |  |  ELB.1 |  |  ELB.1 |  |  ELB.1  
+**ASR-LimitECSRootFilesystemAccess** ECS containers should be limited to read-only access to root filesystems |  ECS.5 |  |  |  |  ECS.5 |  |  ECS.5  
+**ASR-EnableElastiCacheBackups** ElastiCache (Redis OSS) clusters should have automatic backups enabled |  ElastiCache.1 |  |  |  |  ElastiCache.1 |  |  ElastiCache.1  
+**ASR-EnableElastiCacheVersionUpgrades** ElastiCache clusters should have automatic minor version upgrades enabled |  ElastiCache.2 |  |  |  |  ElastiCache.2 |  |  ElastiCache.2  
+**ASR-EnableElastiCacheReplicationGroupFailover** ElastiCache replication groups should have automatic failover enabled |  ElastiCache.3 |  |  |  |  ElastiCache.3 |  |  ElastiCache.3  
+**ASR-ConfigureDynamoDBAutoScaling** DynamoDB tables should automatically scale capacity with demand |  DynamoDB.1 |  |  |  |  DynamoDB.1 |  |  DynamoDB.1  
+**ASR-TagDynamoDBTableResource** DynamoDB tables should be tagged |  |  |  |  |  |  |  DynamoDB.5  
+**ASR-EnableDynamoDBDeletionProtection** DynamoDB tables should have deletion protection enabled |  |  |  |  |  DynamoDB.6 |  |  DynamoDB.6