AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-12-25 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/foundations.md

Summary

Updated documentation to refine terminology, improve structure, and enhance clarity. Changes include using 'AWS SRA' acronym consistently, updating links to AWS CAF and Well-Architected resources, restructuring content about security foundations, and minor editorial improvements.

Security assessment

The changes are editorial and structural, focusing on terminology consistency (e.g., 'AWS SRA' instead of full name) and updated resource links. No vulnerabilities, weaknesses, or security incidents are addressed. The content describes existing security frameworks (AWS CAF, Well-Architected) but doesn't introduce new security features or mitigation guidance.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/foundations.md b/prescriptive-guidance/latest/security-reference-architecture/foundations.md
index 5d27ff098..1fc63389b 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/foundations.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/foundations.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html)
@@ -12 +12 @@ Influence the future of the AWS Security Reference Architecture (AWS SRA) by tak
-The AWS Security Reference Architecture aligns to three AWS security foundations: the AWS Cloud Adoption Framework (AWS CAF), AWS Well-Architected Framework, and the AWS Shared Responsibility Model.
+The AWS SRA aligns to three AWS security foundations: the AWS Cloud Adoption Framework (AWS CAF), AWS Well-Architected, and the AWS Shared Responsibility Model.
@@ -14 +14 @@ The AWS Security Reference Architecture aligns to three AWS security foundations
-AWS Professional Services created [AWS CAF](https://aws.amazon.com/cloud-adoption-framework/) to help companies design and follow an accelerated path to successful cloud adoption. The guidance and best practices provided by the framework help you build a comprehensive approach to cloud computing across your enterprise and throughout your IT lifecycle. The AWS CAF organizes guidance into six areas of focus, called _perspectives_. Each perspective covers distinct responsibilities owned or managed by functionally related stakeholders. In general, the business, people, and governance perspectives focus on business capabilities; whereas the platform, security, and operations perspectives focus on technical capabilities.
+AWS Professional Services created the [AWS CAF](https://aws.amazon.com/professional-services/CAF/) to help companies design and follow an accelerated path to successful cloud adoption. The guidance and best practices provided by the framework help you build a comprehensive approach to cloud computing across your enterprise and throughout your IT lifecycle. The AWS CAF organizes guidance into six areas of focus, called _perspectives_. Each perspective covers distinct responsibilities owned or managed by functionally related stakeholders. In general, the business, people, and governance perspectives focus on business capabilities; whereas the platform, security, and operations perspectives focus on technical capabilities.
@@ -16 +16 @@ AWS Professional Services created [AWS CAF](https://aws.amazon.com/cloud-adoptio
-  * The [security perspective of the AWS CAF](https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/security-perspective.html) helps you structure the selection and implementation of controls across your business. Following the current AWS recommendations in the security pillar can help you meet your business and regulatory requirements. 
+The [security perspective of the AWS CAF](https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/security-perspective.html) helps you structure the selection and implementation of controls across your business. Following the current AWS recommendations in the security pillar can help you meet your business and regulatory requirements.
@@ -17,0 +18 @@ AWS Professional Services created [AWS CAF](https://aws.amazon.com/cloud-adoptio
+[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected) helps cloud architects build a secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. The framework is based on six pillars—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability—and provides a consistent approach for AWS customers and Partners to evaluate architectures and implement designs that can scale over time. We believe that having well-architected workloads greatly increases the likelihood of business success.
@@ -18,0 +20 @@ AWS Professional Services created [AWS CAF](https://aws.amazon.com/cloud-adoptio
+The [Well-Architected Framework security pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) describes how to take advantage of cloud technologies to help protect data, systems, and assets in a way that can improve your security posture. This will help you meet your business and regulatory requirements by following current AWS recommendations. There are additional Well-Architected Framework focus areas that provide more context for specific domains such as governance, serverless, AI/ML, and gaming. These are known as AWS Well-Architected lenses.
@@ -20,9 +22 @@ AWS Professional Services created [AWS CAF](https://aws.amazon.com/cloud-adoptio
-
-[AWS Well-Architected Framework](http://aws.amazon.com/architecture/well-architected) helps cloud architects build a secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. The framework is based on six pillars—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability—and provides a consistent approach for AWS customers and Partners to evaluate architectures and implement designs that can scale over time. We believe that having well-architected workloads greatly increases the likelihood of business success.
-
-  * The [Well-Architected Framework security pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) describes how to take advantage of cloud technologies to help protect data, systems, and assets in a way that can improve your security posture. This will help you meet your business and regulatory requirements by following current AWS recommendations. There are additional Well-Architected Framework focus areas that provide more context for specific domains such as governance, serverless, AI/ML, and gaming. These are known as [AWS Well-Architected lenses](https://aws.amazon.com/architecture/well-architected/#AWS_Well-Architected_Lenses). 
-
-
-
-
-Security and compliance are a [shared responsibility between AWS and the customer](https://aws.amazon.com/compliance/shared-responsibility-model/). This shared model can help relieve your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. For example, you assume responsibility and management of the guest operating system (including updates and security patches), application software, server-side data encryption, network traffic route tables, and the configuration of the AWS provided security group firewall. For abstracted services such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and you access the endpoints to store and retrieve data. You are responsible for managing your data (including encryption options), classifying your assets, and using AWS Identity and Access Management (IAM) tools to apply the appropriate permissions. This shared model is often described by saying that AWS is responsible for the security _of_ the cloud (that is, for protecting the infrastructure that runs all the services offered in the AWS Cloud), and you are responsible for the security _in_ the cloud (as determined by the AWS Cloud services that you select). 
+Security and compliance are a [shared responsibility between AWS and the customer](https://aws.amazon.com/compliance/shared-responsibility-model/). This shared model can help relieve your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. For example, you assume responsibility and management of the guest operating system (including updates and security patches), application software, server-side data encryption, network traffic route tables, and the configuration of the AWS-provided security group firewall. For abstracted services such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and you access the endpoints to store and retrieve data. You are responsible for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions. This shared model is often described by saying that AWS is responsible for the security _of_ the cloud (that is, for protecting the infrastructure that runs all the services offered in the AWS Cloud), and you are responsible for the security _in_ the cloud (as determined by the AWS Cloud services that you select).
@@ -34 +28 @@ Within the guidance provided by these foundational documents, two sets of concep
-The security perspective of AWS CAF outlines nine capabilities that help you achieve the confidentiality, integrity, and availability of your data and cloud workloads.
+The security perspective of the AWS CAF outlines nine capabilities that help you achieve the confidentiality, integrity, and availability of your data and cloud workloads.
@@ -61 +55 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Implement a strong identity foundation_ – Implement the principle of least privilege, and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize identity management, and aim to eliminate reliance on long-term static credentials.
+  * _Implement a strong identity foundation_ ‒ Implement the principle of least privilege, and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize identity management, and aim to eliminate reliance on long-term static credentials.
@@ -63 +57 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Enable traceability_ – Monitor, generate alerts, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.
+  * _Enable traceability_ ‒ Monitor, generate alerts, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.
@@ -65 +59 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Apply security at all layers_ – Apply a defense-in-depth approach with multiple security controls. Apply multiple types of controls (for example, preventive and detective controls) to all layers, including edge of network, virtual private cloud (VPC), load balancing, instance and compute services, operating system, application configuration, and code.
+  * _Apply security at all layers_ ‒ Apply a defense-in-depth approach with multiple security controls. Apply multiple types of controls (for example, preventive and detective controls) to all layers, including edge of network, virtual private cloud (VPC), load balancing, instance and compute services, operating system, application configuration, and code.
@@ -67 +61 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Automate security best practices_ – Automated, software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, and implement controls that are defined and managed as code in version-controlled templates.
+  * _Automate security best practices_ ‒ Automated, software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, and implement controls that are defined and managed as code in version-controlled templates.
@@ -69 +63 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Protect data in transit and at rest_ – Classify your data into sensitivity levels and use mechanisms such as encryption, tokenization, and access control where appropriate.
+  * _Protect data in transit and at rest_ ‒ Classify your data into sensitivity levels and use mechanisms such as encryption, tokenization, and access control where appropriate.
@@ -71 +65 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Keep people away from data_ – Use mechanisms and tools to reduce or eliminate the need to directly access or manually process data. This reduces the risk of mishandling or modification and human error when handling sensitive data.
+  * _Keep people away from data_ ‒ Use mechanisms and tools to reduce or eliminate the need to directly access or manually process data. This reduces the risk of mishandling or modification and human error when handling sensitive data.
@@ -73 +67 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-  * _Prepare for security events_ – Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
+  * _Prepare for security events_ ‒ Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
@@ -80 +74 @@ The [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/framewo
-AWS CAF, AWS Well-Architected Framework, and AWS SRA are complementary frameworks that work together to support your cloud migration and modernization efforts.
+The AWS CAF, AWS Well-Architected Framework, and AWS SRA are complementary frameworks that work together to support your cloud migration and modernization efforts.
@@ -82 +76 @@ AWS CAF, AWS Well-Architected Framework, and AWS SRA are complementary framework
-  * [AWS CAF](https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/welcome.html) leverages AWS experience and best practices to help you align the values of cloud adoption to your desired business outcomes. Use AWS CAF to identify and prioritize transformation opportunities, evaluate and improve cloud readiness, and iteratively evolve your transformation roadmap.
+  * The [AWS CAF](https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/welcome.html) leverages AWS experience and best practices to help you align the values of cloud adoption to your desired business outcomes. Use the AWS CAF to identify and prioritize transformation opportunities, evaluate and improve cloud readiness, and iteratively evolve your transformation roadmap.
@@ -86 +80 @@ AWS CAF, AWS Well-Architected Framework, and AWS SRA are complementary framework
-  * The AWS SRA helps you understand how to deploy and govern security services in a way that aligns with the recommendations of AWS CAF and the AWS Well-Architected Framework.
+  * The AWS SRA helps you understand how to deploy and govern security services in a way that aligns with the recommendations of the AWS CAF and the AWS Well-Architected Framework. 
@@ -91 +85 @@ AWS CAF, AWS Well-Architected Framework, and AWS SRA are complementary framework
-For example, the AWS CAF security perspective suggests that you evaluate how to centrally manage your workforce identities and their authentication in AWS. Based on this information, you might decide to use a new or existing corporate identity provider (IdP) solution such as Okta, Active Directory, or Ping Identity for this purpose. You follow the guidance in the AWS Well-Architected Framework and decide to integrate your IdP with the AWS IAM Identity Center to give your employees a single sign-on experience that can synchronize their group memberships and permissions. You review the AWS SRA recommendation to enable IAM Identity Center in the management account of your AWS organization and administer it through a security tooling account used by your security operations team. This example illustrates how AWS CAF helps you make initial decisions about your desired security posture, the AWS Well-Architected Framework provides the guidance on how to evaluate the AWS services that are available for meeting that objective, and the AWS SRA then provides recommendations on how to deploy and govern the security services you select.
+For example, the AWS CAF security perspective suggests that you evaluate how to centrally manage your workforce identities and their authentication in AWS. Based on this information, you might decide to use a new or existing corporate identity provider (IdP) solution such as Okta, Active Directory, or Ping Identity for this purpose. You follow the guidance in the AWS Well-Architected Framework and decide to integrate your IdP with the AWS IAM Identity Center to give your employees a single sign-on experience that can synchronize their group memberships and permissions. You review the AWS SRA recommendation to enable IAM Identity Center in the management account of your AWS organization and administer it through a security tooling account used by your security operations team. This example illustrates how the AWS CAF helps you make initial decisions about your desired security posture, the AWS Well-Architected Framework provides the guidance on how to evaluate the AWS services that are available for meeting that objective, and the AWS SRA then provides recommendations on how to deploy and govern the security services you select.