AWS prescriptive-guidance documentation change
Summary
Updated terminology from 'AWS Direct Connect' to 'Direct Connect' in two places for consistency, and modified a link title accordingly
Security assessment
Changes are purely terminological updates without altering security meaning. The MACsec encryption recommendation remains unchanged, and no vulnerabilities are addressed.
Diff
diff --git a/prescriptive-guidance/latest/hybrid-cloud-best-practices/security.md b/prescriptive-guidance/latest/hybrid-cloud-best-practices/security.md index 208009add..0b4006d57 100644 --- a//prescriptive-guidance/latest/hybrid-cloud-best-practices/security.md +++ b//prescriptive-guidance/latest/hybrid-cloud-best-practices/security.md @@ -44 +44 @@ Amazon S3 on Outposts doesn't support server-side encryption with KMS keys (SSE- -For AWS Outposts, the service link is a necessary connection between your Outposts server and your chosen AWS Region (or home Region) and allows for the management of the Outpost and the exchange of traffic to and from the AWS Region. The service link uses an AWS managed VPN to communicate with the home Region. Each host inside AWS Outposts creates a set of VPN tunnels to split control plane traffic and VPC traffic. Depending on the service link connectivity (internet or AWS Direct Connect) for AWS Outposts, those tunnels require firewall ports to be opened for the service link to create the overlay on top of it. For detailed technical information about the security of AWS Outposts and the service link, see [Connectivity through service link](https://docs.aws.amazon.com/outposts/latest/userguide/service-links.html) and [Infrastructure security in AWS Outposts](https://docs.aws.amazon.com/outposts/latest/server-userguide/infrastructure-security.html) in the AWS Outposts documentation. +For AWS Outposts, the service link is a necessary connection between your Outposts server and your chosen AWS Region (or home Region) and allows for the management of the Outpost and the exchange of traffic to and from the AWS Region. The service link uses an AWS managed VPN to communicate with the home Region. Each host inside AWS Outposts creates a set of VPN tunnels to split control plane traffic and VPC traffic. Depending on the service link connectivity (internet or Direct Connect) for AWS Outposts, those tunnels require firewall ports to be opened for the service link to create the overlay on top of it. For detailed technical information about the security of AWS Outposts and the service link, see [Connectivity through service link](https://docs.aws.amazon.com/outposts/latest/userguide/service-links.html) and [Infrastructure security in AWS Outposts](https://docs.aws.amazon.com/outposts/latest/server-userguide/infrastructure-security.html) in the AWS Outposts documentation. @@ -57 +57 @@ TCP | 1025-65535 | AWS Outposts service link /26 | 443 | AWS Outposts Region's p -Local Zones are also connected to the parent Region through the redundant and very high-bandwidth global private backbone of Amazon. This connection gives applications that are running in Local Zones fast, secure, and seamless access to other AWS services. As long as Local Zones are part of the AWS global infrastructure, all data flowing over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. If you have specific requirements to encrypt the data in transit between your on-premises locations and AWS Direct Connect PoPs to access a Local Zone, you can enable MAC Security (MACsec) between your on-premises router or switch and the AWS Direct Connect endpoint. For more information, see the AWS blog post [Adding MACsec security to AWS Direct Connect connections](https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/). +Local Zones are also connected to the parent Region through the redundant and very high-bandwidth global private backbone of Amazon. This connection gives applications that are running in Local Zones fast, secure, and seamless access to other AWS services. As long as Local Zones are part of the AWS global infrastructure, all data flowing over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. If you have specific requirements to encrypt the data in transit between your on-premises locations and Direct Connect PoPs to access a Local Zone, you can enable MAC Security (MACsec) between your on-premises router or switch and the Direct Connect endpoint. For more information, see the AWS blog post [Adding MACsec security to Direct Connect connections](https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/).