AWS prescriptive-guidance documentation change
Summary
Clarified centralized egress implementation by changing 'inspection point' to 'entry point' and adding inspection setup note
Security assessment
Improves explanation of existing security practice (traffic inspection) but doesn't introduce new security features or address specific vulnerabilities
Diff
diff --git a/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md b/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md index 4d5391927..5d88fce3f 100644 --- a//prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md +++ b//prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md @@ -9 +9 @@ Best practices for securing egress traffic - _Centralized egress_ is the principle of using a single, common inspection point for all network traffic destined to the internet. At this inspection point, you can allow traffic only to specified domains or only through specified ports or protocols. Centralizing egress also can help you reduce costs by eliminating the need to deploy NAT gateways in each of your VPCs in order to reach the internet. This is beneficial from a security perspective because it limits exposure to externally accessible malicious resources, such as malware command and control (C&C) infrastructure. For more information and architecture options for centralized egress, see [Centralized egress to internet](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html) (AWS Whitepaper). + _Centralized egress_ is the principle of using a single, common entry point for all network traffic that is destined to the internet. You can set up inspection at this entry point, and you can allow traffic only to specified domains or only through specified ports or protocols. Centralizing egress also can help you reduce costs by eliminating the need to deploy NAT gateways in each of your VPCs in order to reach the internet. This is beneficial from a security perspective because it limits exposure to externally accessible malicious resources, such as malware command and control (C&C) infrastructure. For more information and architecture options for centralized egress, see [Centralized egress to internet](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html) (AWS Whitepaper).