AWS Security ChangesHomeSearch

AWS managedservices medium security documentation change

Service: managedservices · 2025-08-10 · Security-related medium

File: managedservices/latest/accelerate-guide/tr-supported-checks.md

Summary

Added new Trusted Remediator checks (e.g., EC2 instance termination, S3 logging) and expanded parameters for security-focused automation.

Security assessment

The changes document security automation for terminating inactive EC2 instances (preventing resource misuse) and enforcing S3 bucket access logging (improving auditability). These directly address security best practices and misconfiguration risks. Specific evidence includes parameters like 'CreateAMIBeforeTermination' and 'TargetBucketTagKey' for securing resources.

Diff

diff --git a/managedservices/latest/accelerate-guide/tr-supported-checks.md b/managedservices/latest/accelerate-guide/tr-supported-checks.md
index 4aef567f5..9e6120989 100644
--- a//managedservices/latest/accelerate-guide/tr-supported-checks.md
+++ b//managedservices/latest/accelerate-guide/tr-supported-checks.md
@@ -17,0 +18,6 @@ Check ID and name | SSM document name and expected outcome | Supported preconfig
+[c18d2gz150](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#ec2-instance-stopped-for-thirty-days) \- Amazon EC2 instances stopped | **AWSManagedServices-TerminateEC2InstanceStoppedForPeriodOfTime** \- Amazon EC2 instances stopped for number of days are terminated. | 
+
+  * **CreateAMIBeforeTermination** : To create the instance AMI as a backup before terminating the Amazon EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. 
+  * **AllowedDays** : The number of days the instance in stopped state before it's getting terminated. The default is 30.
+
+No constraints  
@@ -87 +93,2 @@ The instance is rebooted as a part of the remediation and rollback is possible i
-Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateInstance** Amazon EC2 instances stopped for 30 days are terminated. | **CreateAMIBeforeTermination:**. To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
+Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateInstance** (default SSM document for both auto and manual execution mode) Amazon EC2 instances stopped for 30 days are terminated. | **CreateAMIBeforeTermination:**. To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
+Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateEC2InstanceStoppedForPeriodOfTime** \- Amazon EC2 instances stopped for number of days defined in Security Hub (default value is 30) are terminated. | **CreateAMIBeforeTermination:** To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
@@ -139 +146 @@ Hs4Ma3G173 - S3 Block Public Access setting should be enabled at the bucket-leve
-Hs4Ma3G230 - S3 bucket server access logging should be enabled Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-EnableBucketAccessLogging** Amazon S3 server access logging is enabled. | 
+Hs4Ma3G230 - S3 bucket server access logging should be enabled  Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-EnableBucketAccessLogging** (default SSM document for both auto and manual execution mode) Amazon S3 server access logging is enabled. | 
@@ -142 +149 @@ Hs4Ma3G230 - S3 bucket server access logging should be enabled Corresponding AWS
-  * **TargetObjectKeyFormat:** Amazon S3 key format for log objects, to use the simple format for S3 keys for log objects, choose`SimplePrefix`. To use Partitioned S3 key for log objects and use EventTime for the partitioned prefix, choose `PartitionedPrefixEventTime`. To use Partitioned S3 key for log objects and use DeliveryTime for the partitioned prefix, choose `PartitionedPrefixDeliveryTime`. Valid values are `SimplePrefix`, `PartitionedPrefixEventTime` and `PartitionedPrefixDeliveryTime` (case-sensitive).
+  * **TargetObjectKeyFormat:** Amazon S3 key format for log objects (values are case-sensitive). To use the simple format for S3 keys for log objects, choose`SimplePrefix`. To use Partitioned S3 key for log objects and use EventTime for the partitioned prefix, choose `PartitionedPrefixEventTime`. To use Partitioned S3 key for log objects and use DeliveryTime for the partitioned prefix, choose `PartitionedPrefixDeliveryTime`. Valid values are `SimplePrefix`, `PartitionedPrefixEventTime` and `PartitionedPrefixDeliveryTime`.
@@ -144,0 +152,7 @@ To enable auto remediation, the following preconfigured parameter must be provid
+Hs4Ma3G230 – S3 bucket server access logging should be enabled Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-TrustedRemediatorEnableBucketAccessLoggingV2** \- Amazon S3 bucket logging is enabled. | 
+
+  * **TargetBucketTagKey** : The tag name (case-sensitive) to identify the target bucket. Use this and **TargetBucketTagValue** to tag the bucket to be used as the destination bucket for access logging.
+  * **TargetBucketTagValue** : The tag value (case-sensitive) to identify the target bucket, use this and **TargetBucketTagKey** to tag the bucket to be used as the destination bucket for access logging.
+  * **TargetObjectKeyFormat** : Amazon S3 key format for log objects (values are case-sensitive): To use the simple format for S3 keys for log objects, choose **SimplePrefix**. To use Partitioned S3 key for log objects and use EventTime for the partitioned prefix, choose **PartitionedPrefixEventTime**. To use Partitioned S3 key for log objects and use DeliveryTime for the partitioned prefix, choose **PartitionedPrefixDeliveryTime**. The default is PartitionedPrefixEventTime.
+
+To enable auto remediation, the following parameters must be provided: **TargetBucketTagKey** and **TargetBucketTagValue**. The destination bucket must be in the same AWS Region and AWS account as the source bucket, with correct permissions for log delivery. For more information, see [Enabling Amazon S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html).