AWS managedservices medium security documentation change
Summary
Added new EC2 instance termination check [c18d2gz150] with AMI backup option and days parameter. Updated S3 logging check Hs4Ma3G230 with new remediation document and clarified parameters. Modified Hs4Ma3G120 check to reference Security Hub default values.
Security assessment
Changes enforce security best practices by automating termination of inactive EC2 instances (preventing resource sprawl) and improving S3 access logging configurations. Specific security evidence includes references to AWS Security Hub controls (EC2.4/S3.9) and remediation of findings related to public access and logging.
Diff
diff --git a/managedservices/latest/userguide/tr-supported-checks.md b/managedservices/latest/userguide/tr-supported-checks.md index c77873994..8075f66cd 100644 --- a//managedservices/latest/userguide/tr-supported-checks.md +++ b//managedservices/latest/userguide/tr-supported-checks.md @@ -17,0 +18,6 @@ Check ID and name | SSM document name and expected outcome | Supported preconfig +[c18d2gz150](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#ec2-instance-stopped-for-thirty-days) \- Amazon EC2 instances stopped | **AWSManagedServices-TerminateEC2InstanceStoppedForPeriodOfTime** \- Amazon EC2 instances stopped for number of days are terminated. | + + * **CreateAMIBeforeTermination** : To create the instance AMI as a backup before terminating the Amazon EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. + * **AllowedDays** : The number of days the instance in stopped state before it's getting terminated. The default is 30. + +No constraints @@ -87 +93,2 @@ The instance is rebooted as a part of the remediation and rollback is possible i -Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateInstance** Amazon EC2 instances stopped for 30 days are terminated. | **CreateAMIBeforeTermination:**. To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints +Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateInstance** (default SSM document for both auto and manual execution mode) Amazon EC2 instances stopped for 30 days are terminated. | **CreateAMIBeforeTermination:**. To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints +Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateEC2InstanceStoppedForPeriodOfTime** \- Amazon EC2 instances stopped for number of days defined in Security Hub (default value is 30) are terminated. | **CreateAMIBeforeTermination:** To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints @@ -139 +146 @@ Hs4Ma3G173 - S3 Block Public Access setting should be enabled at the bucket-leve -Hs4Ma3G230 - S3 bucket server access logging should be enabled Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-EnableBucketAccessLogging** Amazon S3 server access logging is enabled. | +Hs4Ma3G230 - S3 bucket server access logging should be enabled Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-EnableBucketAccessLogging** (default SSM document for both auto and manual execution mode) Amazon S3 server access logging is enabled. | @@ -142 +149 @@ Hs4Ma3G230 - S3 bucket server access logging should be enabled Corresponding AWS - * **TargetObjectKeyFormat:** Amazon S3 key format for log objects, to use the simple format for S3 keys for log objects, choose`SimplePrefix`. To use Partitioned S3 key for log objects and use EventTime for the partitioned prefix, choose `PartitionedPrefixEventTime`. To use Partitioned S3 key for log objects and use DeliveryTime for the partitioned prefix, choose `PartitionedPrefixDeliveryTime`. Valid values are `SimplePrefix`, `PartitionedPrefixEventTime` and `PartitionedPrefixDeliveryTime` (case-sensitive). + * **TargetObjectKeyFormat:** Amazon S3 key format for log objects (values are case-sensitive). To use the simple format for S3 keys for log objects, choose`SimplePrefix`. To use Partitioned S3 key for log objects and use EventTime for the partitioned prefix, choose `PartitionedPrefixEventTime`. To use Partitioned S3 key for log objects and use DeliveryTime for the partitioned prefix, choose `PartitionedPrefixDeliveryTime`. Valid values are `SimplePrefix`, `PartitionedPrefixEventTime` and `PartitionedPrefixDeliveryTime`. @@ -144,0 +152,7 @@ To enable auto remediation, the following preconfigured parameter must be provid +Hs4Ma3G230 – S3 bucket server access logging should be enabled Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-TrustedRemediatorEnableBucketAccessLoggingV2** \- Amazon S3 bucket logging is enabled. | + + * **TargetBucketTagKey** : The tag name (case-sensitive) to identify the target bucket. Use this and **TargetBucketTagValue** to tag the bucket to be used as the destination bucket for access logging. + * **TargetBucketTagValue** : The tag value (case-sensitive) to identify the target bucket, use this and **TargetBucketTagKey** to tag the bucket to be used as the destination bucket for access logging. + * **TargetObjectKeyFormat** : Amazon S3 key format for log objects (values are case-sensitive): To use the simple format for S3 keys for log objects, choose **SimplePrefix**. To use Partitioned S3 key for log objects and use EventTime for the partitioned prefix, choose **PartitionedPrefixEventTime**. To use Partitioned S3 key for log objects and use DeliveryTime for the partitioned prefix, choose **PartitionedPrefixDeliveryTime**. The default is PartitionedPrefixEventTime. + +To enable auto remediation, the following parameters must be provided: **TargetBucketTagKey** and **TargetBucketTagValue**. The destination bucket must be in the same AWS Region and AWS account as the source bucket, with correct permissions for log delivery. For more information, see [Enabling Amazon S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html).