AWS wellarchitected documentation change
Summary
Updated references from 'AWS Security Hub' to 'AWS Security Hub CSPM' in two places to clarify the specific service capability being referenced
Security assessment
The change only updates product naming conventions without altering security guidance. IMDSv2 security controls remain unchanged, and there is no evidence of addressing a specific vulnerability.
Diff
diff --git a/wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.md b/wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.md index aa820d65f..4291e4864 100644 --- a//wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.md +++ b//wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.md @@ -32 +32 @@ Automation also plays a role in deploying workloads that are trustworthy, descri -Beyond these preventative controls, you can use automation in your detective controls for your compute resources as well. As one example, [AWS Security Hub](https://aws.amazon.com/security-hub/) offers the [NIST 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) standard that includes checks such as [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8). IMDSv2 uses the techniques of session authentication, blocking requests that contain an X-Forwarded-For HTTP header, and a network TTL of 1 to stop traffic originating from external sources to retrieve information about the EC2 instance. This check in Security Hub can detect when EC2 instances use IMDSv1 and initiate automated remediation. Learn more about automated detection and remediations in [SEC04-BP04 Initiate remediation for non-compliant resources](https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_detect_investigate_events_noncompliant_resources.html). +Beyond these preventative controls, you can use automation in your detective controls for your compute resources as well. As one example, [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/) offers the [NIST 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) standard that includes checks such as [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8). IMDSv2 uses the techniques of session authentication, blocking requests that contain an X-Forwarded-For HTTP header, and a network TTL of 1 to stop traffic originating from external sources to retrieve information about the EC2 instance. This check in Security Hub CSPM can detect when EC2 instances use IMDSv1 and initiate automated remediation. Learn more about automated detection and remediations in [SEC04-BP04 Initiate remediation for non-compliant resources](https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_detect_investigate_events_noncompliant_resources.html). @@ -42 +42 @@ Beyond these preventative controls, you can use automation in your detective con - 2. Automated security and compliance posture management using [AWS Security Hub](https://aws.amazon.com/security-hub/) + 2. Automated security and compliance posture management using [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/)