AWS prescriptive-guidance documentation change
Summary
Updated breadcrumb navigation, changed apostrophes from curly to straight, removed section about Amazon CodeGuru Security, updated IAM Access Analyzer name formatting, expanded Amazon S3 Block Public Access coverage to include access points and AWS organizations, and updated section headings.
Security assessment
The removal of the CodeGuru Security section reduces security documentation but shows no evidence of addressing a specific vulnerability. The S3 Block Public Access update adds documentation about expanded security features (access points and AWS organizations), enhancing security guidance. Other changes are typographical or structural with no security implications.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/ai-ml.md b/prescriptive-guidance/latest/security-reference-architecture/ai-ml.md index 9ceb9fa70..e95dd8768 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/ai-ml.md +++ b//prescriptive-guidance/latest/security-reference-architecture/ai-ml.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html) @@ -14 +14 @@ Artificial intelligence and machine learning (AI/ML) is transforming businesses. -AI is an advanced technology that allows machines and systems to gain intelligence and prediction capability. AI systems learn from past experience through data that it consumes or is trained on. ML is one of the most important aspects of AI. ML is the ability of computers to learn from data without being explicitly programmed. In traditional programming, the programmer writes rules that define how the program should work on a computer or machine. In ML, the model learns the rules from data. ML models can discover hidden patterns in the data or make accurate predictions on new data that weren’t used during training. Multiple AWS services use AI/ML to learn from huge datasets and make security inferences. +AI is an advanced technology that allows machines and systems to gain intelligence and prediction capability. AI systems learn from past experience through data that it consumes or is trained on. ML is one of the most important aspects of AI. ML is the ability of computers to learn from data without being explicitly programmed. In traditional programming, the programmer writes rules that define how the program should work on a computer or machine. In ML, the model learns the rules from data. ML models can discover hidden patterns in the data or make accurate predictions on new data that weren't used during training. Multiple AWS services use AI/ML to learn from huge datasets and make security inferences. @@ -16 +16 @@ AI is an advanced technology that allows machines and systems to gain intelligen - * [Amazon Macie](https://aws.amazon.com/macie/) is a data security service that uses ML and pattern matching to discover and help protect your sensitive data. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and financial information such as credit card numbers. It also gives you constant visibility into your data that’s stored in Amazon Simple Storage Service (Amazon S3). Macie uses natural language processing (NLP) and ML models that are trained on different types of datasets to understand your existing data and to assign business values to prioritize business-critical data. Macie then generates [sensitive data findings](https://docs.aws.amazon.com/macie/latest/user/findings-types.html#findings-sensitive-data-types). + * [Amazon Macie](https://aws.amazon.com/macie/) is a data security service that uses ML and pattern matching to discover and help protect your sensitive data. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and financial information such as credit card numbers. It also gives you constant visibility into your data that's stored in Amazon Simple Storage Service (Amazon S3). Macie uses natural language processing (NLP) and ML models that are trained on different types of datasets to understand your existing data and to assign business values to prioritize business-critical data. Macie then generates [sensitive data findings](https://docs.aws.amazon.com/macie/latest/user/findings-types.html#findings-sensitive-data-types). @@ -27,4 +26,0 @@ AWS develops automated reasoning tools that use mathematical logic to answer cri - * [Amazon CodeGuru Security](https://aws.amazon.com/codeguru/) is a static application security testing (SAST) tool that combines ML and automated reasoning to identify vulnerabilities in your code and to provide recommendations on how to fix these vulnerabilities and track their status until closure. CodeGuru Security detects the top 10 issues identified by [Open Worldwide Application Security Project (OWASP)](https://owasp.org/www-project-top-ten/), the top 25 issues identified by [Common Weakness Enumeration (CWE)](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html), log injection, secrets, and insecure use of AWS APIs and SDKs. CodeGuru Security also borrows from AWS security best practices and was trained on millions of lines of code at Amazon. - -CodeGuru Security can identify code vulnerabilities with a very high true-positive rate because of its deep semantic analysis. This helps developers and security teams have confidence in the guidance, which results in an increase in quality. This service is trained by using rule mining and supervised ML models that use a combination of logistic regression and neural networks. For example, during training for sensitive data leaks, CodeGuru Security performs a full code analysis for code paths that use the resource or access sensitive data, creates a feature set that represents those, and then uses the code paths as inputs for logistic regression models and convolutional neural networks (CNNs). The CodeGuru Security bug-tracking feature automatically detects when a bug is closed. The bug-tracking algorithm makes sure that you have up-to-date information on your organization's security posture without additional effort. To begin reviewing code, you can associate your existing code repositories on GitHub, GitHub Enterprise, Bitbucket, or AWS CodeCommit on the CodeGuru console. The CodeGuru Security API-based design provides integration capabilities that you can use at any stage of the development workflow. - @@ -33 +29 @@ CodeGuru Security can identify code vulnerabilities with a very high true-positi - * [AWS Identity and Access Management (IAM) Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) helps you streamline permissions management. You can use this feature to set fine-grained permissions, verify intended permissions, and refine permissions by removing unused access. IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. It also provides over 100 policy checks to help you author and validate your policies. IAM Access Analyzer uses provable security to analyze access paths and provide comprehensive findings for public and cross-account access to your resources. This tool is built on [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/), which translates IAM policies into equivalent logical statements and runs a suite of general-purpose and specialized logical solvers (satisfiability modulo theories) against the problem. IAM Access Analyzer applies Zelkova repeatedly to a policy with increasingly specific queries to characterize classes of behaviors the policy allows, based on the content of the policy. The analyzer doesn’t examine access logs to determine whether an external entity accessed a resource within your zone of trust. It generates a finding when a resource-based policy allows access to a resource, even if the resource wasn’t accessed by the external entity. To learn more about satisfiability modulo theories, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf) in _Handbook of Satisfiability_.* + * [AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) helps you streamline permissions management. You can use this feature to set fine-grained permissions, verify intended permissions, and refine permissions by removing unused access. IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. It also provides over 100 policy checks to help you author and validate your policies. IAM Access Analyzer uses provable security to analyze access paths and provide comprehensive findings for public and cross-account access to your resources. This tool is built on [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/), which translates IAM policies into equivalent logical statements and runs a suite of general-purpose and specialized logical solvers (satisfiability modulo theories) against the problem. IAM Access Analyzer applies Zelkova repeatedly to a policy with increasingly specific queries to characterize classes of behaviors the policy allows, based on the content of the policy. The analyzer doesn't examine access logs to determine whether an external entity accessed a resource within your zone of trust. It generates a finding when a resource-based policy allows access to a resource, even if the resource wasn't accessed by the external entity. To learn more about satisfiability modulo theories, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf) in _Handbook of Satisfiability._ * @@ -35 +31 @@ CodeGuru Security can identify code vulnerabilities with a very high true-positi - * [Amazon S3 Block Public Access](https://aws.amazon.com/s3/features/block-public-access/) is a feature of Amazon S3 that allows you to block possible misconfigurations that could lead to public access of your buckets and objects. You can enable Amazon S3 Block Public Access at bucket level or account level (which affects both existing and new buckets in the account). Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. The determination of whether a given policy or ACL is considered public is made by using the Zelkova automated reasoning system. Amazon S3 uses Zelkova to check each bucket policy and warns you if an unauthorized user is able to read or write to your bucket. If a bucket is flagged as public, some public requests are allowed to access the bucket. If a bucket is flagged as not public, **all** public requests are denied. Zelkova is able to make such determinations because it has a precise mathematical representation of IAM policies. It creates a formula for each policy and proves a theorem about that formula. + * [Amazon S3 Block Public Access](https://aws.amazon.com/s3/features/block-public-access/) is a feature of Amazon S3 that allows you to block possible misconfigurations that could lead to public access of your buckets and objects. You can enable Amazon S3 Block Public Access for access points, buckets, accounts, and the AWS organization (which affects both existing and new buckets in the account). Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. The determination of whether a given policy or ACL is considered public is made by using the Zelkova automated reasoning system. Amazon S3 uses Zelkova to check each bucket policy and warns you if an unauthorized user is able to read or write to your bucket. If a bucket is flagged as public, some public requests are allowed to access the bucket. If a bucket is flagged as not public, **all** public requests are denied. Zelkova is able to make such determinations because it has a precise mathematical representation of IAM policies. It creates a formula for each policy and proves a theorem about that formula. @@ -39 +35 @@ CodeGuru Security can identify code vulnerabilities with a very high true-positi - * [Amazon VPC Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html) is a feature of Amazon VPC that lets you debug, understand, and visualize connectivity in your AWS network. Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). When the destination is reachable, Reachability Analyzer produces hop-by-hop details of the virtual network path between the source and the destination. When the destination isn’t reachable, Reachability Analyzer identifies the blocking component. Reachability Analyzer uses automated reasoning to identify feasible paths by building a model of the network configuration between a source and destination. It then checks for reachability based on the configuration. It doesn’t send packets or analyze the data plane. + * [Amazon VPC Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html) is a feature of Amazon VPC that lets you debug, understand, and visualize connectivity in your AWS network. Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). When the destination is reachable, Reachability Analyzer produces hop-by-hop details of the virtual network path between the source and the destination. When the destination isn't reachable, Reachability Analyzer identifies the blocking component. Reachability Analyzer uses automated reasoning to identify feasible paths by building a model of the network configuration between a source and destination. It then checks for reachability based on the configuration. It doesn't send packets or analyze the data plane. @@ -52 +48 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Capability 5. Monitoring and incident response +Workloads OU – Application account @@ -54 +50 @@ Capability 5. Monitoring and incident response -Building your security architecture - A phased approach +Building your security architecture – a phased approach