AWS prescriptive-guidance documentation change
Summary
Updated documentation with formatting fixes, service name corrections (AWS Organizations), clarified security solution names (Security Hub CSPM), and markdown formatting improvements
Security assessment
Changes primarily improve documentation clarity and formatting. The explicit mention of Security Hub CSPM (Cloud Security Posture Management) and IAM Access Analyzer configurations enhances documentation about existing security features, but there's no evidence of addressing specific vulnerabilities or security incidents.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/code-repo.md b/prescriptive-guidance/latest/security-reference-architecture/code-repo.md index 2c01c9d2f..edb84cca6 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/code-repo.md +++ b//prescriptive-guidance/latest/security-reference-architecture/code-repo.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html) @@ -12 +12 @@ To help you get started building and implementing the guidance in the AWS SRA, a -The AWS SRA code repository provides code samples with both AWS CloudFormation and Terraform deployment options. The solution patterns support two environments: one requires AWS Control Tower and the other uses AWS Organizations without AWS Control Tower. The solutions in this repository that require AWS Control Tower have been deployed and tested within an AWS Control Tower environment by using AWS CloudFormation and [Customizations for AWS Control Tower (CfCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). Solutions that don’t require AWS Control Tower have been tested within an AWS Organizations environment by using AWS CloudFormation. The CfCT solution helps customers quickly set up a secure, multi-account AWS environment based on AWS best practices. It helps save time by automating the setup of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of accounts and resources. AWS Control Tower also provides a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. The solutions in the AWS SRA repository provide additional security configurations to implement the patterns described in this document. +The AWS SRA code repository provides code samples with both AWS CloudFormation and Terraform deployment options. The solution patterns support two environments: one requires AWS Control Tower and the other uses AWS Organizations without AWS Control Tower. The solutions in this repository that require AWS Control Tower have been deployed and tested within an AWS Control Tower environment by using AWS CloudFormation and [Customizations for AWS Control Tower (CfCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). Solutions that don't require AWS Control Tower have been tested within an AWS Organizations environment by using AWS CloudFormation. The CfCT solution helps customers quickly set up a secure, multi-account AWS environment based on AWS best practices. It helps save time by automating the setup of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of accounts and resources. AWS Control Tower also provides a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. The solutions in the AWS SRA repository provide additional security configurations to implement the patterns described in this document. @@ -14 +14 @@ The AWS SRA code repository provides code samples with both AWS CloudFormation a -Here is a summary of the solutions in the [AWS SRA repository](https://github.com/aws-samples/aws-security-reference-architecture-examples). Each solution includes a README.md file with details. +Here is a summary of the solutions in the [AWS SRA repository](https://github.com/aws-samples/aws-security-reference-architecture-examples). Each solution includes a `README.md` file with details. @@ -20 +20 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * The [Security Hub Organization](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/securityhub/securityhub_org)**** solution configures AWS Security Hub CSPM by delegating administration to the Security Tooling account. It configures Security Hub CSPM within the Security Tooling account for all existing and future AWS organization accounts. The solution also provides parameters for synchronizing the enabled security standards across all accounts and Regions as well as configuring a Region aggregator within the Security Tooling account. Centralizing Security Hub CSPM within the Security Tooling account provides a cross-account view of security standards compliance and findings from both AWS services and third-party AWS Partner integrations. + * The [Security Hub CSPM Organization](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/securityhub/securityhub_org)**** solution configures Security Hub CSPM by delegating administration to the Security Tooling account. It configures Security Hub CSPM within the Security Tooling account for all existing and future AWS organization accounts. The solution also provides parameters for synchronizing the enabled security standards across all accounts and Regions as well as configuring a Region aggregator within the Security Tooling account. Centralizing Security Hub CSPM within the Security Tooling account provides a cross-account view of security standards compliance and findings from both AWS services and third-party AWS Partner integrations. @@ -24 +24 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * The [Firewall Manager](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/firewall_manager/firewall_manager_org)**** solution**** configures AWS Firewall Manager security policies by delegating administration to the Security Tooling account and configuring Firewall Manager with a security group policy and multiple AWS WAF policies. The security group policy requires a maximum allowed security group within a VPC (existing or created by the solution), which is deployed by the solution. + * The [Firewall Manager](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/firewall_manager/firewall_manager_org) solution**** configures AWS Firewall Manager security policies by delegating administration to the Security Tooling account and configuring Firewall Manager with a security group policy and multiple AWS WAF policies. The security group policy requires a maximum allowed security group within a VPC (existing or created by the solution), which is deployed by the solution. @@ -28 +28 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * AWS Config + * AWS Config: @@ -32 +32 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * The [Conformance Pack Organization Rules](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/config/config_conformance_pack_org) solution deploys AWS Config rules by delegating administration to the Security Tooling account. It then creates an organization conformance pack within the delegated administrator account for all existing and future accounts in the AWS organization. The solution is configured to deploy the [Operational Best Practices for Encryption and Key Management](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-Encryption-and-Keys.html) conformance pack sample template. + * The [Conformance Pack Organization Rules](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/config/config_conformance_pack_org) solution deploys AWS Config Rules by delegating administration to the Security Tooling account. It then creates an organization conformance pack within the delegated administrator account for all existing and future accounts in the AWS organization. The solution is configured to deploy the [Operational Best Practices for Encryption and Key Management](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-Encryption-and-Keys.html) conformance pack sample template. @@ -36 +36 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * IAM + * IAM: @@ -38 +38 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * The [Access Analyzer](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/iam/iam_access_analyzer) solution enables AWS IAM Access Analyzer by delegating administration to the Security Tooling account. It then configures an organization-level Access Analyzer within the Security Tooling account for all existing and future accounts in the AWS organization. The solution also deploys Access Analyzer to all member accounts and Regions to support analyzing account-level permissions. + * The [Access Analyzer](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/iam/iam_access_analyzer) solution enables IAM Access Analyzer by delegating administration to the Security Tooling account. It then configures an organization-level IAM Access Analyzer within the Security Tooling account for all existing and future accounts in the AWS organization. The solution also deploys IAM Access Analyzer to all member accounts and Regions to support analyzing account-level permissions. @@ -46 +46 @@ Here is a summary of the solutions in the [AWS SRA repository](https://github.co - * The [Detective Organization](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/detective/detective_org) solution automates enabling Amazon Detective by delegating administration to an account (such as the Audit or Security Tooling account) and configuring Detective for all existing and future AWS Organization accounts. + * The [Detective Organization](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/detective/detective_org) solution automates enabling Amazon Detective by delegating administration to an account (such as the Audit or Security Tooling account) and configuring Detective for all existing and future AWS Organizations accounts. @@ -65 +65 @@ IAM resources -AWS Privacy Reference Architecture (AWS PRA) +Contributors