AWS wellarchitected documentation change
Summary
Updated references to AWS Security Hub by specifying the CSPM (Cloud Security Posture Management) feature in three locations for accuracy
Security assessment
The changes clarify the use of Security Hub's CSPM capabilities for security posture management but don't address vulnerabilities or incidents. This enhances documentation of existing security features without indicating a security fix.
Diff
diff --git a/wellarchitected/latest/management-and-governance-guide/implementation-priorities.md b/wellarchitected/latest/management-and-governance-guide/implementation-priorities.md index e3624a580..c23100920 100644 --- a//wellarchitected/latest/management-and-governance-guide/implementation-priorities.md +++ b//wellarchitected/latest/management-and-governance-guide/implementation-priorities.md @@ -23 +23 @@ Separating OUs by regulatory and SDLC environments is a commonly used pattern. W -AWS Control Tower uses AWS Organizations service control policies (SCPs) to provide preventive guardrails. SCPs define the guardrails or limits that IAM roles and users can have in the accounts located within the OU. Review the _[strongly recommended](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html)_ and _[elective](https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html)_ detective guardrails AWS Control Tower provides, and choose which guardrails to apply. Use the AWS Security Foundations best practices in AWS Security Hub to identify controls that apply to your enterprise, and add any specific open standard controls required for your workloads. Create additional preventive controls as required, and group them by OUs to align them to your multi-account strategy. +AWS Control Tower uses AWS Organizations service control policies (SCPs) to provide preventive guardrails. SCPs define the guardrails or limits that IAM roles and users can have in the accounts located within the OU. Review the _[strongly recommended](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html)_ and _[elective](https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html)_ detective guardrails AWS Control Tower provides, and choose which guardrails to apply. Use the AWS Security Foundations best practices in AWS Security Hub CSPM to identify controls that apply to your enterprise, and add any specific open standard controls required for your workloads. Create additional preventive controls as required, and group them by OUs to align them to your multi-account strategy. @@ -35 +35 @@ Annotate and prioritize your detective guardrail findings so that they can be re -Centrally view the resource configuration and compliance data recorded in your observability findings. AWS Security Hub is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to aggregate and evaluate resource configuration. Other AWS services, such as AWS Control Tower and AWS Firewall Manager, also provide an aggregated view of controls in their console view. Regularly review aggregated views of guardrails to alert you on any deviation of expected controls in your environments. +Centrally view the resource configuration and compliance data recorded in your observability findings. AWS Security Hub CSPM is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to aggregate and evaluate resource configuration. Other AWS services, such as AWS Control Tower and AWS Firewall Manager, also provide an aggregated view of controls in their console view. Regularly review aggregated views of guardrails to alert you on any deviation of expected controls in your environments. @@ -47 +47 @@ Make sure that your monitoring and observability capabilities are updated as new -You might need to register new accounts with your security tools (SIEM, GuardDuty, Security Hub, etc.), or deploy security capabilities to specific accounts (XDR, CSPM, etc.). +You might need to register new accounts with your security tools (SIEM, GuardDuty, Security Hub CSPM, etc.), or deploy security capabilities to specific accounts (XDR, CSPM, etc.).