AWS whitepapers documentation change
Summary
Changed 'Amazon S3 Glacier Vault Lock' to 'Amazon Glacier Vault Lock' in data protection controls section
Security assessment
Updates service name reference but retains the same security context (mandatory access control via vault locking). No new security features or vulnerability mitigations introduced.
Diff
diff --git a/whitepapers/latest/aws-caf-security-perspective/data-protection.md b/whitepapers/latest/aws-caf-security-perspective/data-protection.md index 61f73830c..2f470ee12 100644 --- a//whitepapers/latest/aws-caf-security-perspective/data-protection.md +++ b//whitepapers/latest/aws-caf-security-perspective/data-protection.md @@ -72 +72 @@ Embracing least privilege is critical to the protection of data, both from accid -Different controls including access (using least privilege), backups (see [Reliability Pillar - AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html)), isolation, and versioning can all help protect your data at rest. Access to your data should be audited using detective mechanisms covered earlier in this whitepaper including AWS CloudTrail and service level logs, such as [S3 Access Logs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html). You should inventory what data is publicly accessible, and plan for how you can reduce the amount of data available over time. [Amazon S3 Glacier Vault Lock](https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html) and [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) are capabilities providing mandatory access control. This means that once a vault policy is locked with the compliance option, not even the root user can change it until the lock expires. Access should also directly link to the organizations data classification strategy. This embraces the principal of least privilege, as well as proper scoping of business functions. +Different controls including access (using least privilege), backups (see [Reliability Pillar - AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html)), isolation, and versioning can all help protect your data at rest. Access to your data should be audited using detective mechanisms covered earlier in this whitepaper including AWS CloudTrail and service level logs, such as [S3 Access Logs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html). You should inventory what data is publicly accessible, and plan for how you can reduce the amount of data available over time. [Amazon Glacier Vault Lock](https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html) and [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) are capabilities providing mandatory access control. This means that once a vault policy is locked with the compliance option, not even the root user can change it until the lock expires. Access should also directly link to the organizations data classification strategy. This embraces the principal of least privilege, as well as proper scoping of business functions.