AWS awssupport medium security documentation change
Summary
Removed AWS CloudTrail Logging check documentation (marked as deprecated), changed Trusted Advisor S3 bucket permissions check status from Yellow to Red for access issues, and removed related section/references.
Security assessment
The status color change from Yellow to Red for S3 bucket permission checks elevates the severity of misconfigured permissions, directly impacting security prioritization. The removal of CloudTrail Logging documentation (deprecated) reduces visibility into API activity monitoring, but no explicit vulnerability is mentioned. The severity change reflects a security-focused adjustment to risk assessment.
Diff
diff --git a/awssupport/latest/user/security-checks.md b/awssupport/latest/user/security-checks.md index 7dcd66fae..f1c28916c 100644 --- a//awssupport/latest/user/security-checks.md +++ b//awssupport/latest/user/security-checks.md @@ -5 +5 @@ -Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail LoggingAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access +Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access @@ -55,2 +54,0 @@ You can view all controls in the AWS Foundational Security Best Practices securi - * [AWS CloudTrail Logging](./security-checks.html#aws-cloudtrail-logging) - @@ -989 +987 @@ This check examines explicit bucket permissions, as well as bucket policies that - * Yellow: Trusted Advisor does not have permission to check the policy or ACL, or the policy or ACL could not be evaluated for other reasons. + * Red: Trusted Advisor does not have permission to check the policy or ACL, or the policy or ACL could not be evaluated for other reasons. @@ -1218,67 +1215,0 @@ For more information, see [Set access policies on backup vaults](https://docs.aw -## AWS CloudTrail Logging - -**Description** - - -###### Important - -This check is deprecated in the commercial [AWS Regions](https://docs.aws.amazon.com/https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#region). - -Checks your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period, or which users have taken actions on a particular resource during a specified time period. - -Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket. If a trail applies to all Regions (the default when creating a new trail), the trail appears multiple times in the Trusted Advisor report. - -**Check ID** - - -`vjafUGJ9H0` - -**Alert Criteria** - - - * Yellow: CloudTrail reports log delivery errors for a trail. - - * Red: A trail has not been created for a Region, or logging is turned off for a trail. - - - - -**Recommended Action** - - -To create a trail and start logging from the console, go to the [AWS CloudTrail console](https://console.aws.amazon.com/cloudtrail/home). - -To start logging, see [Stopping and Starting Logging for a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_using_cli.html#stopstartclil). - -If you receive log delivery errors, check to make sure that the bucket exists and that the necessary policy is attached to the bucket. See [Amazon S3 Bucket Policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_bucket_policy.html). - -**Additional Resources** - - - * [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/) - - * [Supported Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_supported_regions.html) - - * [Supported Services](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_supported_services.html) - - - - -**Report columns** - - - * Status - - * Region - - * Trail Name - - * Logging Status - - * Bucket Name - - * Last Delivery Date - - - -