AWS prescriptive-guidance documentation change
Summary
Updated documentation for multiple AWS security services, added a new section for AWS Security Hub, and included new features such as IAM Access Analyzer internal access and Amazon Inspector Code Security.
Security assessment
The changes enhance documentation of security features and best practices but do not address a specific vulnerability. Updates include new capabilities like IAM Access Analyzer's internal access monitoring (paid feature) and Amazon Inspector's code security scanning, which improve security posture but are not fixes for existing vulnerabilities. CloudTrail S3 bucket policy enhancements (aws:SourceArn condition) and encryption details strengthen security guidance without evidence of patching a flaw.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/security-tooling.md b/prescriptive-guidance/latest/security-reference-architecture/security-tooling.md index 9b3d33c4a..ce8099eb9 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/security-tooling.md +++ b//prescriptive-guidance/latest/security-reference-architecture/security-tooling.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html) @@ -5 +5 @@ -Delegated administrator for security servicesCentralized root accessAWS CloudTrailAWS Security Hub CSPMAmazon GuardDutyAWS ConfigAmazon Security LakeAmazon MacieAWS IAM Access AnalyzerAWS Firewall ManagerAmazon EventBridgeAmazon DetectiveAWS Audit ManagerAWS ArtifactAWS KMSAWS Private CAAmazon InspectorAWS Security Incident ResponseDeploying common security services within all AWS accounts +Delegated administrator for security servicesCentralized root accessAWS CloudTrailAWS Security Hub CSPMAWS Security HubAmazon GuardDutyAWS ConfigAmazon Security LakeAmazon MacieIAM Access AnalyzerAWS Firewall ManagerAmazon EventBridgeAmazon DetectiveAWS Audit ManagerAWS ArtifactAWS KMSAWS Private CAAmazon InspectorAWS Security Incident ResponseDeploying common security services within all AWS accounts @@ -7 +7 @@ Delegated administrator for security servicesCentralized root accessAWS CloudTra -# Security OU - Security Tooling account +# Security OU – Security Tooling account @@ -14 +14 @@ The following diagram illustrates the AWS security services that are configured - + @@ -38 +38 @@ The Security Tooling account is dedicated to operating security services, monito -The Security Tooling account serves as the administrator account for security services that are managed in an administrator/member structure throughout the AWS accounts. As mentioned earlier, this is handled through the AWS Organizations delegated administrator functionality. Services in the AWS SRA that [currently support delegated administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) include IAM centralized management of root access, AWS Config, AWS Firewall Manager, Amazon GuardDuty, AWS IAM Access Analyzer, Amazon Macie, AWS Security Hub CSPM, Amazon Detective, AWS Audit Manager, Amazon Inspector, AWS CloudTrail, and AWS Systems Manager. Your security team manages the security features of these services and monitors any security-specific events or findings. +The Security Tooling account serves as the administrator account for security services that are managed in an administrator/member structure throughout the AWS accounts. As mentioned earlier, this is handled through the AWS Organizations delegated administrator functionality. Services in the AWS SRA that [currently support delegated administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) include IAM centralized management of root access, AWS Config, AWS Firewall Manager, Amazon GuardDuty, IAM Access Analyzer, Amazon Macie, AWS Security Hub, AWS Security Hub CSPM, Amazon Detective, AWS Audit Manager, Amazon Inspector, AWS CloudTrail, and AWS Systems Manager. Your security team manages the security features of these services and monitors any security-specific events or findings. @@ -40 +40 @@ The Security Tooling account serves as the administrator account for security se -IAM Identity Center supports delegated administration to a member account. AWS SRA uses the Shared Services account as the delegated administrator account for IAM Identity Center, as explained later in the [IAM Identity Center](./shared-services.html#shared-sso) section of the Shared Services account. +AWS IAM Identity Center supports delegated administration to a member account. AWS SRA uses the Shared Services account as the delegated administrator account for IAM Identity Center, as explained later in the [IAM Identity Center](./shared-services.html#shared-sso) section of the Shared Services account. @@ -44 +44 @@ IAM Identity Center supports delegated administration to a member account. AWS S -The Security Tooling account is the delegated administrator account for IAM centralized management of root access capability. This capability has to be enabled at the organization level by enabling credential management and privileged root action in member accounts. Delegated administrators have to be provided `sts:AssumeRoot` permissions explicitly to be able to take privileged root actions on behalf of member accounts. This permission is available only after privileged root action in a member account is enabled in the Org Management or delegated administrator account. With this permission, users can perform privileged root user tasks on member accounts, centrally from the Security Tooling account. After you launch a privileged session, you can delete a misconfigured S3 bucket policy, delete a misconfigured SQS queue policy, delete the root user credentials for a member account, and reenable root user credentials for a member account. You can perform these actions from the console, by using the AWS CLI, or through APIs.. +The Security Tooling account**** is the delegated administrator account for IAM centralized management of root access capability.**** This capability has to be enabled at the organization level by enabling credential management and privileged root action in member accounts. Delegated administrators have to be provided `sts:AssumeRoot` permissions explicitly to be able to take privileged root actions on behalf of member accounts. This permission is available only after privileged root action in a member account is enabled in the Org Management or delegated administrator account. With this permission, users can perform privileged root user tasks on member accounts, centrally from the Security Tooling account. After you launch a privileged session, you can delete a misconfigured S3 bucket policy, delete a misconfigured SQS queue policy, delete the root user credentials for a member account, and reenable root user credentials for a member account. You can perform these actions from the console, by using the AWS Command Line Interface (AWS CLI) or through APIs. @@ -48 +48 @@ The Security Tooling account is the delegated administrator account for IAM cent -[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) is a service that supports the governance, compliance, and auditing of activity in your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail is integrated with AWS Organizations, and that integration can be used to create a single trail that logs all events for all accounts in the AWS organization. This is referred to as an _organization trail_. You can create and manage an organization trail only from within the management account for the organization or from a delegated administrator account. When you create an organization trail, a trail with the name that you specify is created in every AWS account that belongs to your AWS organization. The trail logs activity for all accounts, including the management account, in the AWS organization and stores the logs in a single S3 bucket. Because of the sensitivity of this S3 bucket, you should secure it by following the best practices outlined in the [Amazon S3 as central log store](./log-archive.html#log-s3) section later in this guide. All accounts in the AWS organization can see the organization trail in their list of trails. However, member AWS accounts have view-only access to this trail. By default, when you create an organization trail in the CloudTrail console, the trail is a multi-Region trail. For additional security best practices, see the [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html). +[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) is a service that supports the governance, compliance, and auditing of activity in your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail is integrated with AWS Organizations, and that integration can be used to create a single trail that logs all events for all accounts in the AWS organization. This is referred to as an _organization trail_. You can create and manage an organization trail only from within the management account for the organization or from a delegated administrator account. When you create an organization trail, a trail with the name that you specify is created in every AWS account that belongs to your AWS organization. The trail logs activity for all accounts, including the management account, in the AWS organization and stores the logs in a single S3 bucket. Because of the sensitivity of this S3 bucket, you should secure it by following the best practices outlined in the [Amazon S3 as central log store](./log-archive.html#log-s3) section later in this guide. All accounts in the AWS organization can see the organization trail in their list of trails. However, member AWS accounts have view-only access to this trail. By default, when you create an organization trail in the CloudTrail console, the trail is a multi-Region trail. For additional security best practices, see the [CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html). @@ -50 +50 @@ The Security Tooling account is the delegated administrator account for IAM cent -In the AWS SRA, the Security Tooling account is the delegated administrator account for managing CloudTrail. The corresponding S3 bucket to store the organization trail logs is created in the Log Archive account. This is to separate the management and usage of CloudTrail log privileges. For information about how to create or update an S3 bucket to store log files for an organization trail, see the [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy). +In the AWS SRA, the Security Tooling account is the delegated administrator account for managing CloudTrail. The corresponding S3 bucket to store the organization trail logs is created in the Log Archive account. This is to separate the management and usage of CloudTrail log privileges. For information about how to create or update an S3 bucket to store log files for an organization trail, see the [CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy). As a security best practice, add the `aws:SourceArn` condition key of the organization trail to the resource policy of the S3 bucket (and any other resources such as KMS keys or SNS topics). This ensures that the S3 bucket accepts only data that is associated with the specific trail. The trail is configured with log file validation for log file integrity validation. The log and digest files are encrypted by using SSE-KMS. The organization trail is also integrated with a log group in CloudWatch Logs to send events for long-term retention. @@ -56 +56,3 @@ You can create and manage organization trails from both management and delegated -###### Design consideration +###### Design considerations + + * CloudTrail does not log data events by default, because these are often high-volume activities. However, you should capture data events for specific critical AWS resources such as S3 buckets, Lambda functions, log events from outside AWS that are sent to the CloudTrail lake, and SNS topics. To do this, configure your organization trail to include data events from specific resources by specifying the ARNs of each individual resources. @@ -58 +60 @@ You can create and manage organization trails from both management and delegated - * If a member account requires access to CloudTrail log files for its own account, you can [selectively share](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html) the organization’s CloudTrail log files from the central S3 bucket. However, if member accounts require local CloudWatch log groups for their account’s CloudTrail logs or want to configure log management and data events (read-only, write-only, management events, data events) differently from the organization trail, they can create a local trail with the appropriate controls. Local account-specific trails incur [additional cost](https://aws.amazon.com/cloudtrail/pricing/). + * If a member account requires access to CloudTrail log files for its own account, you can [selectively share](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html) the organization's CloudTrail log files from the central S3 bucket. However, if member accounts require local Amazon CloudWatch log groups for their account's CloudTrail logs or want to configure log management and data events (read-only, write-only, management events, data events) differently from the organization trail, they can create a local trail with the appropriate controls. Local account-specific trails incur [additional cost](https://aws.amazon.com/cloudtrail/pricing/). @@ -65 +67 @@ You can create and manage organization trails from both management and delegated -[AWS Security Hub Cloud Security Posture Management (CSPM)](https://aws.amazon.com/security-hub/cspm/), previously known as AWS Security Hub, provides you with a comprehensive view of your security posture in AWS and helps you check your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS integrated services, supported third-party products, and other custom security products that you might use. It helps you continuously monitor and analyze your security trends and identify the highest priority security issues. In addition to the ingested sources, Security Hub CSPM generates its own findings, which are represented by security controls that map to one or more security standards. These standards include AWS Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) AWS Foundations Benchmark v1.20 and v1.4.0, National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5, Payment Card Industry Data Security Standard (PCI DSS), and [service-managed standards](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html). For a list of current security standards and details on specific security controls, see the [Security Hub CSPM standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the Security Hub CSPM documentation. +[AWS Security Hub Cloud Security Posture Management](https://aws.amazon.com/security-hub/cspm/) (AWS Security Hub CSPM), previously known as AWS Security Hub, provides you with a comprehensive view of your security posture in AWS and helps you check your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS integrated services, supported third-party products, and other custom security products that you might use. It helps you continuously monitor and analyze your security trends and identify the highest priority security issues. In addition to the ingested sources, Security Hub CSPM generates its own findings, which are represented by security controls that map to one or more security standards. These standards include AWS Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) AWS Foundations Benchmark v1.20 and v1.4.0, National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5, Payment Card Industry Data Security Standard (PCI DSS), and [service-managed standards](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html). For a list of current security standards and details on specific security controls, see the [Standards reference for Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the Security Hub CSPM documentation. @@ -67 +69 @@ You can create and manage organization trails from both management and delegated -Security Hub CSPM integrates with AWS Organizations to simplify security posture management across all your existing and future accounts in your AWS organization. You can use the Security Hub CSPM [central configuration feature](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) from the delegated administrator account (in this case, Security Tooling) to specify how the Security Hub CSPM service, security standards, and security controls are configured in your organization accounts and organizational units (OUs) across Regions. You can configure these settings in a few steps from one primary Region, which is referred to as the home Region. If you don't use central configuration, you must configure Security Hub CSPM separately in each account and Region. The delegated administrator can designate accounts and OUs as self-managed, where the member can configure settings separately in each Region, or as centrally managed, where the delegated administrator can configure the member account or OU across Regions. You can designate all accounts and OUs in your organization as centrally managed, all self-managed, or a combination of both. This simplifies the enforcement of a consistent configuration while providing the flexibility to modify it for each OU and account. +Security Hub CSPM integrates with AWS Organizations to simplify security posture management across all your existing and future accounts in your AWS organization. You can use the Security Hub CSPM [central configuration feature](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) from the delegated administrator account (in this case, Security Tooling) to specify how the Security Hub CSPM service, security standards, and security controls are configured in your organization accounts and organizational units (OUs) across Regions. You can configure these settings in a few steps from one primary Region, which is referred to as the _home Region_. If you don't use central configuration, you must configure Security Hub CSPM separately in each account and Region. The delegated administrator can designate accounts and OUs as _self-managed_ , where the member can configure settings separately in each Region, or as _centrally managed_ , where the delegated administrator can configure the member account or OU across Regions. You can designate all accounts and OUs in your organization as centrally managed, all self-managed, or a combination of both. This simplifies the enforcement of a consistent configuration while providing the flexibility to modify it for each OU and account. @@ -71 +73 @@ The Security Hub CSPM delegated administrator account can also view findings, vi -Security Hub CSPM supports integrations with several AWS services. Amazon GuardDuty, AWS Config, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager, Amazon Inspector, and AWS Systems Manager Patch Manager can feed findings to Security Hub CSPM. Security Hub CSPM processes findings by using a standard format called the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html). Security Hub CSPM correlates the findings across integrated products to prioritize the most important ones. You can enrich the metadata of Security Hub CSPM findings to help better contextualize, prioritize, and take action on the security findings. This enrichment adds resource tags, a new AWS application tag, and account name information to every finding that's ingested into Security Hub CSPM. This helps you fine-tune findings for automation rules, search or filter findings and insights, and assess security posture status by application. In addition, you can use [automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html#automation-rules-how-it-works) to automatically update findings. As Security Hub CSPM ingests findings, it can apply a variety of rule actions, such as suppressing findings, changing their severity, and adding notes to findings. These rule actions take effect when findings match your specified criteria, such as the resource or account IDs the finding is associated with, or its title. You can use automation rules to update select finding fields in the ASFF. Rules apply to both new and updated findings. +Security Hub CSPM supports integrations with several AWS services. Amazon GuardDuty, AWS Config, Amazon Macie, IAM Access Analyzer, AWS Firewall Manager, Amazon Inspector, Amazon Route 53 Resolver DNS Firewall, and AWS Systems Manager Patch Manager can feed findings to Security Hub CSPM. Security Hub CSPM processes findings by using a standard format called the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html). Security Hub CSPM correlates the findings across integrated products to prioritize the most important ones. You can enrich the metadata of Security Hub CSPM findings to help better contextualize, prioritize, and take action on the security findings. This enrichment adds resource tags, a new AWS application tag, and account name information to every finding that's ingested into Security Hub CSPM. This helps you fine-tune findings for automation rules, search or filter findings and insights, and assess security posture status by application. In addition, you can use [automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html#automation-rules-how-it-works) to automatically update findings. As Security Hub CSPM ingests findings, it can apply a variety of rule actions, such as suppressing findings, changing their severity, and adding notes to findings. These rule actions take effect when findings match your specified criteria, such as the resource or account IDs the finding is associated with, or its title. You can use automation rules to update select finding fields in the ASFF. Rules apply to both new and updated findings. @@ -73 +75 @@ Security Hub CSPM supports integrations with several AWS services. Amazon GuardD -During the investigation of a security event, you can navigate from Security Hub CSPM to Amazon Detective to investigate an Amazon GuardDuty finding. Security Hub CSPM recommends aligning the delegated administrator accounts for services such as Detective (where they exist) for smoother integration. For example, if you do not align administrator accounts between Detective and Security Hub CSPM, navigating from findings into Detective will not work. For a comprehensive list, see [Overview of AWS service integrations with Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#internal-integrations-summary) in the Security Hub CSPM documentation. +During the investigation of a security event, you can navigate from Security Hub CSPM to Amazon Detective to investigate a GuardDuty finding. Security Hub CSPM recommends aligning the delegated administrator accounts for services such as Detective (where they exist) for smoother integration. For example, if you do not align administrator accounts between Detective and Security Hub CSPM, navigating from findings into Detective will not work. For a comprehensive list, see [Overview of AWS service integrations with Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#internal-integrations-summary) in the Security Hub CSPM documentation. @@ -77 +79 @@ You can use Security Hub CSPM with the [Network Access Analyzer](https://aws.ama -In addition to its monitoring features, Security Hub CSPM supports integration with Amazon EventBridge to automate the remediation of specific findings. You can define custom actions to take when a finding is received. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system. For additional discussions and examples, see the AWS blog posts [Automated Response and Remediation with AWS Security Hub CSPM](https://aws.amazon.com/blogs/security/automated-response-and-remediation-with-aws-security-hub/) and [How to deploy the AWS Solution for Security Hub Automated Response and Remediation](https://aws.amazon.com/blogs/security/how-to-deploy-the-aws-solution-for-security-hub-automated-response-and-remediation/). +In addition to its monitoring features, Security Hub CSPM supports integration with Amazon EventBridge to automate the remediation of specific findings. You can define custom actions to take when a finding is received. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system. For additional discussions and examples, see the AWS blog posts [Automated response and remediation with AWS Security Hub CSPM](https://aws.amazon.com/blogs/security/automated-response-and-remediation-with-aws-security-hub/) and [How to deploy the AWS solution for Security Hub CSPM automated response and remediation](https://aws.amazon.com/blogs/security/how-to-deploy-the-aws-solution-for-security-hub-automated-response-and-remediation/). @@ -79 +81 @@ In addition to its monitoring features, Security Hub CSPM supports integration w -Security Hub CSPM uses service-linked AWS Config rules to perform most of its security checks for controls. To support these controls, [AWS Config must be enabled on all accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-setup-prereqs.html)—including the administrator (or delegated administrator) account and member accounts—in each AWS Region where Security Hub CSPM is enabled. +Security Hub CSPM uses service-linked AWS Config Rules to perform most of its security checks for controls. To support these controls, [AWS Config must be enabled on all accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html)—including the administrator (or delegated administrator) account and member accounts—in each AWS Region where Security Hub CSPM is enabled. @@ -101,0 +104,39 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference +## AWS Security Hub + +[AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub-v2.html) is a unified cloud security solution that prioritizes your critical security threats and helps you respond at scale. Security Hub detects security issues in near real time by automatically correlating and enriching security signals from multiple sources, such as posture management (AWS Security Hub CSPM), vulnerability management (Amazon Inspector), sensitive data (Amazon Macie), and threat detection (Amazon GuardDuty). This enables security teams to prioritize active risks in their cloud environments through automated analyses and contextual insights. Security Hub provides a visual representation of the potential attack path that attackers can exploit to gain access to resources associated with an exposure finding. This transforms complex security signals into actionable insights, so you can make informed decisions about your security quickly. + +Security Hub has been strategically redesigned to simplify the enablement of associated security service building blocks to arrive at a security outcome. By correlating security findings in a threat matrix across different security signals in near real time, you can prioritize the most critical risks first. The findings are correlated to detect exposure associated with AWS resources. Exposures represent broader weaknesses in security controls, misconfigurations, or other areas that could be exploited by active threats. For example, an exposure might be an EC2 instance that is reachable from the internet and has software vulnerabilities that have high likelihood of exploitation. + +Security Hub and Security Hub CSPM are complementary services. [Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security posture and helps you evaluate your cloud environment against security industry standards and best practices. Security Hub provides a unified experience that helps you prioritize and respond to critical security issues. Security Hub CSPM findings are routed to Security Hub automatically, where they're correlated with findings from other security services, such as Amazon Inspector, to generate exposures. This helps you identify the most critical risks in your environment. + +Security Hub also provides a summary of resources in your AWS environment by type and associated findings. Resources are prioritized by exposures and attack sequences. When you choose a resource type, you can review all the resources associated with that resource type. + +For the optimal experience, we [recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-recommendations.html) enabling Security Hub and Security Hub CSPM as well as enabling these other security services: [Amazon GuardDuty](https://aws.amazon.com/guardduty/), [Amazon Inspector](https://aws.amazon.com/inspector/), and [Amazon Macie](https://aws.amazon.com/macie/). You can gain visibility into whether these services and features are uniformly enabled across all your organization's member accounts by using Security Hub Coverage findings. + +In the AWS SRA, the Security Tooling account acts as the delegated administrator for Security Hub, Security Hub CSPM, and other AWS security services. Within the Security Tooling account you can view all resources associated with member accounts. You can also view all the resources in your home AWS Region from linked AWS Regions. + +###### Implementation note + +[Enabling Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html#securityhub-v2-enable-management-account) requires three steps, including procedures that take into account whether you have previously enabled Security Hub CSPM. Security Hub is natively integrated with AWS Organizations, which simplifies the configuration and implementation process, and centralizes and aggregates all findings into a single location. In accordance with the AWS SRA best practice, use the [Security Tooling account](./dedicated-accounts.html) as the delegated administrator account to manage and configure Security Hub. Use Security Hub configuration settings to enable all Regions, OUs, and accounts automatically, including future Regions and accounts. You should also set up cross-Region aggregation to aggregate findings, resources, and trends from multiple AWS Regions into a single home Region. During configuration, you can also enable any native integrations such as Jira Cloud or ServiceNow. + +###### Design considerations + + * Security Hub findings are formatted in the Open Cybersecurity Schema Framework (OCSF). Security Hub generates findings in OCSF and receives findings in OCSF from Security Hub CSPM and other AWS services. These OCSF findings can be sent over Amazon EventBridge for automations or stored in a central log aggregation account to perform security log analysis and retention. + + * The AWS Org Management account cannot designate itself as the delegated administrator in Security Hub. This aligns with the AWS SRA best practice of designating the Security Tooling account as the delegated administrator. Also note: + + * The designated administrator account for Security Hub CSPM automatically becomes the designated administrator for Security Hub. + + * Removing delegated administration through Security Hub also removes delegated administration for Security Hub CSPM. Likewise, removing delegated administration through Security Hub CSPM also removes it for Security Hub. + + * Security Hub includes features that automatically modify and take action on findings based on your specifications, Security Hub supports the following types of automations: + + * Automation rules, which automatically update findings, suppress findings, and send findings to ticketing tools in near real time based on defined criteria. + + * Automated response and remediation, which create custom EventBridge rules that define automatic actions to take against specific findings and insights. + + * Security Hub can configure Amazon Inspector across all member accounts and Regions through policies, and can configure GuardDuty and Security Hub CSPM through deployment. Policies generate AWS Organizations policies for accounts and Regions. Deployments are one-time actions that enable a security capability across selected accounts and Regions. Deployments do not apply to newly enabled accounts. As an alternative, you can auto-enable features for new member accounts in GuardDuty and Security Hub CSPM. + + + + @@ -104 +145 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -[Amazon GuardDuty](https://aws.amazon.com/guardduty/) is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. You must always capture and store appropriate logs for monitoring and audit purposes, but Amazon GuardDuty pulls independent streams of data directly from AWS CloudTrail, Amazon VPC flow logs, and AWS DNS logs. You don't have to manage Amazon S3 bucket policies or modify the way you collect and store your logs. GuardDuty permissions are managed as service-linked roles that you can revoke at any time by disabling GuardDuty. This makes it easy to enable the service without complex configuration, and it eliminates the risk that an IAM permission modification or S3 bucket policy change will affect the operation of the service. +[Amazon GuardDuty](https://aws.amazon.com/guardduty/) is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. You must always capture and store appropriate logs for monitoring and audit purposes, but GuardDuty pulls independent streams of data directly from AWS CloudTrail, Amazon VPC flow logs, and AWS DNS logs. You don't have to manage Amazon S3 bucket policies or modify the way you collect and store your logs. GuardDuty permissions are managed as service-linked roles that you can revoke at any time by disabling GuardDuty. This makes it easy to enable the service without complex configuration, and it eliminates the risk that an IAM permission modification or S3 bucket policy change will affect the operation of the service. @@ -114 +155 @@ In addition to providing [foundational data sources](https://docs.aws.amazon.com - * [GuardDuty EKS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) includes EKS Audit Log Monitoring and EKS Runtime Monitoring. With EKS Audit Log Monitoring, GuardDuty monitors [Kubernetes audit logs](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html#guardduty_k8s-audit-logs) from Amazon EKS clusters and analyzes them for potentially malicious and suspicious activity. EKS Runtime Monitoring uses the GuardDuty security agent (which is an Amazon EKS add-on) to provide runtime visibility into individual Amazon EKS workloads. The GuardDuty security agent helps identify specific containers within your Amazon EKS clusters that are potentially compromised. It can also detect attempts to escalate privileges from an individual container to the underlying Amazon EC2 host or to the broader AWS environment. + * [GuardDuty EKS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) includes EKS Audit Log Monitoring and EKS Runtime Monitoring. With EKS Audit Log Monitoring, GuardDuty monitors [Kubernetes audit logs](https://docs.aws.amazon.com/guardduty/latest/ug/features-kubernetes-protection.html#guardduty_k8s-audit-logs) from Amazon EKS clusters and analyzes them for potentially malicious and suspicious activity. EKS Runtime Monitoring uses the GuardDuty security agent (which is an Amazon EKS add-on) to provide runtime visibility into individual Amazon EKS workloads. The GuardDuty security agent helps identify specific containers within your Amazon EKS clusters that are potentially compromised. It can also detect attempts to escalate privileges from an individual container to the underlying Amazon EC2 host or to the broader AWS environment. @@ -119 +160 @@ In addition to providing [foundational data sources](https://docs.aws.amazon.com -GuardDuty also provides a feature known as Extended Threat Detection that automatically detects multi-stage attacks that span data sources, multiple types of AWS resources, and time within an AWS account. GuardDuty correlates these events, which are called _signals_ , to identify scenarios that present themselves as potential threats to your AWS environment, and then generates an attack sequence finding. This covers threat scenarios that involve compromise related to AWS credentials misuse, and data compromise attempts in your AWS accounts. GuardDuty considers all attack sequence finding types as **Critical**. This feature is enabled by default, and there is no additional cost associated with it. +GuardDuty also provides a feature known as [Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html) that automatically detects multi-stage attacks that span data sources, multiple types of AWS resources, and time within an AWS account. GuardDuty correlates these events, which are called _signals_ , to identify scenarios that present themselves as potential threats to your AWS environment, and then generates an attack sequence finding. This covers threat scenarios that involve compromise related to AWS credentials misuse, and data compromise attempts in your AWS accounts. GuardDuty considers all attack sequence finding types as **Critical**. This feature is enabled by default, and there is no additional cost associated with it. @@ -121 +162 @@ GuardDuty also provides a feature known as Extended Threat Detection that automa -In the AWS SRA, GuardDuty is enabled in all accounts through AWS Organizations, and all findings are viewable and actionable by appropriate security teams in the GuardDuty delegated administrator account (in this case, the Security Tooling account). +In the AWS SRA, GuardDuty is enabled in all accounts through AWS Organizations, and all findings are viewable and actionable by appropriate security teams in the GuardDuty delegated administrator account (in this case, the Security Tooling account). GuardDuty active findings are exported to a central S3 bucket in the Log Archive account, so you can retain the findings beyond 90 days. The findings are exported from the delegated administrator account and also include all the findings from associated member accounts in the same Region. The findings in the S3 bucket are encrypted with an AWS KMS customer managed key. The S3 bucket policy and KMS key policy are configured to allow only GuardDuty to use the resources. @@ -123 +164 @@ In the AWS SRA, GuardDuty is enabled in all accounts through AWS Organizations, -When AWS Security Hub CSPM is enabled, GuardDuty findings automatically flow to Security Hub CSPM. When Amazon Detective is enabled, GuardDuty findings are included in the Detective log ingest process. GuardDuty and Detective support cross-service user workflows, where GuardDuty provides links from the console that redirect you from a selected finding to a Detective page that contains a curated set of visualizations for investigating that finding. For example, you can also integrate GuardDuty with Amazon EventBridge to automate best practices for GuardDuty, such as [automating responses to new GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html). +When AWS Security Hub CSPM is enabled, GuardDuty findings automatically flow to Security Hub CSPM and Security Hub. When Amazon Detective is enabled, GuardDuty findings are included in the Detective log ingest process. GuardDuty and Detective support cross-service user workflows, where GuardDuty provides links from the console that redirect you from a selected finding to a Detective page that contains a curated set of visualizations for investigating that finding. For example, you can also integrate GuardDuty with Amazon EventBridge to automate best practices for GuardDuty, such as [automating responses to new GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html). @@ -127 +168 @@ When AWS Security Hub CSPM is enabled, GuardDuty findings automatically flow to -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Amazon GuardDuty](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/guardduty/guardduty_org). It includes encrypted S3 bucket configuration, delegated administration, and GuardDuty enablement for all existing and future accounts in the AWS organization. +The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [GuardDuty](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/guardduty/guardduty_org). It includes encrypted S3 bucket configuration, delegated administration, and GuardDuty enablement for all existing and future accounts in the AWS organization. @@ -133 +174 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -You can evaluate the configuration settings of your AWS resources by using [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html). AWS Config provides a library of customizable, predefined rules called [managed rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), or you can write your own [custom rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html). You can run AWS Config rules in proactive mode (before resources have been deployed) or detective mode (after resources have been deployed). Resources can be evaluated when there are configuration changes, on a periodic schedule, or both. +You can evaluate the configuration settings of your AWS resources by using [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html). AWS Config provides a library of customizable, predefined rules called [managed rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), or you can write your own [custom rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html). You can run AWS Config Rules in proactive mode (before resources have been deployed) or detective mode (after resources have been deployed). Resources can be evaluated when there are configuration changes, on a periodic schedule, or both. @@ -139 +180 @@ AWS Config integrates with AWS Security Hub CSPM to send the results of AWS Conf -AWS Config rules can be used in conjunction with AWS Systems Manager to effectively remediate noncompliant resources. You use AWS Systems Manager Explorer to gather the compliance status of AWS Config rules in your AWS accounts across AWS Regions and then use [Systems Manager Automation documents (runbooks)](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html) to resolve your noncompliant AWS Config rules. For implementation details, see the blog post [Remediate noncompliant AWS Config rules with AWS Systems Manager Automation runbooks](https://aws.amazon.com/blogs/mt/remediate-noncompliant-aws-config-rules-with-aws-systems-manager-automation-runbooks/). +AWS Config Rules can be used in conjunction with AWS Systems Manager to effectively remediate noncompliant resources. You use Systems Manager Explorer to gather the compliance status of AWS Config rules in your AWS accounts across AWS Regions and then use [Systems Manager Automation documents (runbooks)](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html) to resolve your noncompliant AWS Config rules. For implementation details, see the blog post [Remediate noncompliant AWS Config rules with AWS Systems Manager Automation runbooks](https://aws.amazon.com/blogs/mt/remediate-noncompliant-aws-config-rules-with-aws-systems-manager-automation-runbooks/). @@ -143 +184,3 @@ The AWS Config aggregator collects configuration and compliance data across mult -If you use AWS Control Tower to manage your AWS organization, it will deploy [a set of AWS Config rules as detective guardrails](https://docs.aws.amazon.com/controltower/latest/controlreference/detective-controls.html) (categorized as mandatory, strongly recommended, or elective). These guardrails help you govern your resources and monitor compliance across accounts in your AWS organization. These AWS Config rules will automatically use an `aws-control-tower` tag that has a value of `managed-by-control-tower`. +If you use AWS Control Tower to manage your AWS organization, it will deploy [a set of AWS Config rules as detective guardrails](https://docs.aws.amazon.com/controltower/latest/userguide/how-controls-work.html) (categorized as mandatory, strongly recommended, or elective). These guardrails help you govern your resources and monitor compliance across accounts in your AWS organization. These AWS Config rules will automatically use an `aws-control-tower` tag that has a value of `managed-by-control-tower`. + +AWS Config must be enabled for each member account in the AWS organization and AWS Region that contains the resources that you want to protect. You can centrally manage (for example, create, update, and delete) AWS Config rules across all accounts within your AWS organization. From the AWS Config delegated administrator account, you can deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created. The AWS Config delegated administrator account can also aggregate resource configuration and compliance data from all member accounts to provide a single view. Use the APIs from the delegated administrator account to enforce governance by ensuring that the underlying AWS Config rules cannot be modified by the member accounts in your AWS organization. AWS Config is natively integrated to send findings to AWS Security Hub CSPM, if Security Hub CSPM is enabled and at least one AWS Config managed or custom rule exists. @@ -145 +188 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy [a -AWS Config must be enabled for each member account in the AWS organization and AWS Region that contains the resources that you want to protect. You can centrally manage (for example, create, update, and delete) AWS Config rules across all accounts within your AWS organization. From the AWS Config delegated administrator account, you can deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created. The AWS Config delegated administrator account can also aggregate resource configuration and compliance data from all member accounts to provide a single view. Use the APIs from the delegated administrator account to enforce governance by ensuring that the underlying AWS Config rules cannot be modified by the member accounts in your AWS organization. +In the AWS SRA, the AWS Config delegated administrator account is the Security Tooling account. The AWS Config [delivery channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html) is configured to deliver resource configuration snapshots in a centralized S3 bucket in the Log Archive account. Because the Log Archive account is the central log repository store, it is used to store resource configuration. @@ -158 +201 @@ AWS Config must be enabled for each member account in the AWS organization and A -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a [sample implementation](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_conformance_pack_org) that deploys AWS Config conformance packs to all AWS accounts and Regions within an AWS organization. The [AWS Config Aggregator](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_aggregator_org) module helps you configure an AWS Config aggregator by delegating administration to a member account (Security Tooling) within the Org Management account and then configuring AWS Config Aggregator within the delegated administrator account for all existing and future accounts in the AWS organization. You can use the [AWS Config Control Tower Management Account](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_management_account) module to enable AWS Config within the Org Management account—it isn't enabled by AWS Control Tower. +The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a [sample implementation](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_conformance_pack_org) that deploys AWS Config conformance packs to all AWS accounts and Regions within an AWS organization. The [AWS Config Aggregator](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_aggregator_org) module helps you configure an AWS Config aggregator by delegating administration to a member account (Security Tooling) within the Org Management account and then configuring AWS Config Aggregator within the delegated administrator account for all existing and future accounts in the AWS organization. You can use the [AWS Config Control Tower Management Account](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_management_account) module to enable AWS Config within the Org Management account―it isn't enabled by AWS Control Tower. @@ -162 +205 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -[Amazon Security Lake](https://aws.amazon.com/security-lake/) is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, software as a service (SaaS) providers, on premises, and [third-party sources](https://docs.aws.amazon.com/security-lake/latest/userguide/integrations-third-party.html). Security Lake helps you build a normalized data source that simplifies the usage of analytics tools over security data, so you can get a more complete understanding of your security posture across the entire organization. The data lake is backed by Amazon Simple Storage Service (Amazon S3) buckets, and you retain ownership over your data. Security Lake automatically collects logs for AWS services, including AWS CloudTrail, Amazon VPC, Amazon Route 53, Amazon S3, AWS Lambda, and Amazon EKS audit logs. +[Amazon Security Lake](https://aws.amazon.com/security-lake/) is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, software as a service (SaaS) providers, on premises, and [third-party sources](https://docs.aws.amazon.com/security-lake/latest/userguide/integrations-third-party.html). Security Lake helps you build a normalized data source that simplifies the usage of analytics tools over security data, so you can get a more complete understanding of your security posture across the entire organization. The data lake is backed by Amazon Simple Storage Service (Amazon S3) buckets, and you retain ownership over your data. Security Lake automatically collects logs for AWS services, including AWS CloudTrail, Amazon VPC, Amazon Route 53, Amazon S3, AWS Lambda, Amazon EKS audit logs, AWS Security Hub CSPM findings, and AWS WAF logs. @@ -164 +207 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -AWS SRA recommends that you use the Log Archive account as the delegated administrator account for Security Lake. For more information about setting up the delegated administrator account, see [Amazon Security Lake](./log-archive.html#log-security-lake) in the _Security OU – Log Archive account_ section. Security teams that want to access Security Lake data or need the ability to write non-native logs to the Security Lake buckets by using custom extract, transform, and load (ETL) functions should operate within the Security Tooling account. +AWS SRA recommends that you use the Log Archive account as the delegated administrator account for Security Lake. For more information about setting up the delegated administrator account, see [Amazon Security Lake](./log-archive.html#log-security-lake) in the _Security OU ‒ Log Archive account_ section. Security teams that want to access Security Lake data or need the ability to write non-native logs to the Security Lake buckets by using custom extract, transform, and load (ETL) functions should operate within the Security Tooling account. @@ -166 +209 @@ AWS SRA recommends that you use the Log Archive account as the delegated adminis -Security Lake can collect logs from different cloud providers, logs from third-party solutions, or other custom logs. We recommend that you use the Security Tooling account to perform the ETL functions to convert the logs to Open Cybersecurity Schema Framework (OCSF) format and output a file in Apache Parquet format. Security Lake creates the cross-account role with the proper permissions for the Security Tooling account and the custom source backed by AWS Lambda functions or AWS Glue crawlers, to write data to the S3 buckets for Security Lake. +Security Lake can collect logs from different cloud providers, logs from third-party solutions, or other custom logs. We recommend that you use the Security Tooling account to perform the ETL functions to convert the logs to Open Cybersecurity Schema Framework (OCSF) format and output a file in Apache Parquet format. Security Lake creates the cross-account role with the proper permissions for the Security Tooling account and the custom source backed by Lambda functions or AWS Glue crawlers, to write data to the S3 buckets for Security Lake. @@ -172 +215 @@ The Security Lake administrator should configure security teams that use the Sec - * **Query access** – Subscribers can query source data from AWS Lake Formation tables in your S3 bucket by using services such as Amazon Athena. Cross-account access is automatically set up for query access by using AWS Lake Formation. When you configure the Security Tooling account as a Security Lake query access subscriber, the account is given read-only access to the logs in the Security Lake account. When you use this subscriber type, the Athena and AWS Glue tables are shared from the Security Lake Log Archive account with the Security Tooling account through AWS Resource Access Manager (AWS RAM). To enable this capability, you have to update the cross-account data sharing settings to version 3. + * **Query access** – Subscribers can query source data from AWS Lake Formation tables in your S3 bucket by using services such as Amazon Athena. Cross-account access is automatically set up for query access by using Lake Formation. When you configure the Security Tooling account as a Security Lake query access subscriber, the account is given read-only access to the logs in the Security Lake account. When you use this subscriber type, the Athena and AWS Glue tables are shared from the Security Lake Log Archive account with the Security Tooling account through AWS Resource Access Manager (AWS RAM). To enable this capability, you have to update the cross-account data sharing settings to version 3. @@ -181 +224 @@ For best practices for ingesting custom sources, see [Collecting data from custo -You can use [Amazon QuickSight](https://github.com/aws-samples/amazon-security-lake-quicksight), [Amazon OpenSearch](https://aws.amazon.com/blogs/big-data/ingest-transform-and-deliver-events-published-by-amazon-security-lake-to-amazon-opensearch-service/), and [Amazon SageMaker](https://github.com/aws-samples/amazon-security-lake-machine-learning) to set up analytics against the security data that you store in Security Lake. +You can use [Amazon Quick Sight](https://github.com/aws-samples/amazon-security-lake-quicksight), [Amazon OpenSearch Service](https://aws.amazon.com/blogs/big-data/ingest-transform-and-deliver-events-published-by-amazon-security-lake-to-amazon-opensearch-service), and [Amazon SageMaker](https://github.com/aws-samples/amazon-security-lake-machine-learning) to set up analytics against the security data that you store in Security Lake. @@ -185 +228 @@ You can use [Amazon QuickSight](https://github.com/aws-samples/amazon-security-l -If an application team needs query access to Security Lake data to meet a business requirement, the Security Lake administrator should configure that Application account as a subscriber. +If an application team needs query access to Security Lake data to meet a business requirement, the Security Lake administrator should configure that Application account**** as a subscriber**.** @@ -191 +234 @@ If an application team needs query access to Security Lake data to meet a busine -Macie is enabled in all accounts through AWS Organizations. Principals who have the appropriate permissions in the delegated administrator account (in this case, the Security Tooling account) can enable or suspend Macie in any account, create sensitive data discovery jobs for buckets that are owned by member accounts, and view all policy findings for all member accounts. Sensitive data findings can be viewed only by the account that created the sensitive findings job. For more information, see [Managing multiple accounts in Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/macie-accounts.html) in the Macie documentation. +Macie is enabled in all accounts through AWS Organizations. Principals who have the appropriate permissions in the delegated administrator account (in this case, the Security Tooling account) can enable or suspend Macie in any account, create sensitive data discovery jobs for buckets that are owned by member accounts, and view all policy findings for all member accounts. Sensitive data findings can be viewed only by the account that created the sensitive findings job. For more information, see [Managing multiple Macie accounts as an organization](https://docs.aws.amazon.com/macie/latest/user/macie-accounts.html) in the Macie documentation. @@ -199 +242 @@ Macie findings flow to AWS Security Hub CSPM for review and analysis. Macie also - * Macie is optimized for scanning objects in Amazon S3. As a result, any Macie-supported object type that can be placed in Amazon S3 (permanently or temporarily) can be scanned for sensitive data. This means that data from other sources—for example, [periodic snapshot exports of Amazon Relational Database Service (Amazon RDS) or Amazon Aurora databases](https://aws.amazon.com/about-aws/whats-new/2020/01/announcing-amazon-relational-database-service-snapshot-export-to-s3/), [exported Amazon DynamoDB tables](https://aws.amazon.com/blogs/big-data/how-to-export-an-amazon-dynamodb-table-to-amazon-s3-using-aws-step-functions-and-aws-glue/), or extracted text files from native or third-party applications—can be moved to Amazon S3 and evaluated by Macie. + * Macie is optimized for scanning objects in Amazon S3. As a result, any Macie-supported object type that can be placed in Amazon S3 (permanently or temporarily) can be scanned for sensitive data. This means that data from other sources—for example, [periodic snapshot exports of Amazon Relational Database Service (Amazon RDS) or Amazon Aurora databases, exported Amazon DynamoDB tables](https://aws.amazon.com/about-aws/whats-new/2020/01/announcing-amazon-relational-database-service-snapshot-export-to-s3/), or extracted text files from native or third-party applications—can be moved to Amazon S3 and evaluated by Macie. @@ -208 +251 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -## AWS IAM Access Analyzer +## IAM Access Analyzer @@ -210 +253 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -As you accelerate your AWS Cloud adoption journey and continue to innovate, it’s critical to maintain tight control over fine-grained access (permissions), contain access proliferation, and ensure that permissions are used effectively. Excessive and unused access presents security challenges and makes it harder for enterprises to enforce the principle of least privilege. This principle is an important security architecture pillar that involves continually right-sizing IAM permissions to balance security requirements with operational and application development requirements. This effort involves multiple stakeholder personas, including central security and Cloud Center of Excellence (CCoE) teams as well as decentralized development teams. +As you accelerate your AWS Cloud adoption journey and continue to innovate, it's critical to maintain tight control over fine-grained access (permissions), contain access proliferation, and ensure that permissions are used effectively. Excessive and unused access presents security challenges and makes it harder for enterprises to enforce the [principle of least privilege](https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_permissions_least_privileges.html). This principle is an important security architecture pillar that involves continually right-sizing IAM permissions to balance security requirements with operational and application development requirements. This effort involves multiple stakeholder personas, including central security and Cloud Center of Excellence (CCoE) teams as well as decentralized development teams. @@ -212 +255 @@ As you accelerate your AWS Cloud adoption journey and continue to innovate, it -[AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) provides tools to efficiently set fine-grained permissions, verify intended permissions, and refine permissions by removing unused access to help you meet your enterprise security standards. It gives you visibility into [external and unused access findings](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) through [dashboards](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html) and [AWS Security Hub CSPM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-securityhub-integration.html). Additionally, it supports [Amazon EventBridge](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-eventbridge.html) for event-based custom notification and remediation workflows. +[AWS Identity and Access Management Access Analyzer](https://aws.amazon.com/iam/access-analyzer) provides tools to efficiently set fine-grained permissions, verify intended permissions, and refine permissions by removing unused access to help you meet your enterprise security standards. It gives you visibility into [external and internal access to AWS resources and unused access findings](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) through [dashboards](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html) and [AWS Security Hub CSPM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-securityhub-integration.html). Additionally, it supports [Amazon EventBridge](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-eventbridge.html) for event-based custom notification and remediation workflows. @@ -214 +257,3 @@ As you accelerate your AWS Cloud adoption journey and continue to innovate, it -The IAM Access Analyzer external findings feature helps you identify the resources in your AWS organization and accounts, such as [Amazon S3 buckets or IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html), that are shared with an external entity. The AWS organization or account you choose is known as the _zone of trust_. The analyzer uses [automated reasoning](https://aws.amazon.com/what-is/automated-reasoning/) to analyze all [supported resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html) within the zone of trust, and generates findings for principals that can access the resources from outside the zone of trust. These findings help identify resources that are shared with an external entity and help you preview how your policy affects public and cross-account access to your resource before you deploy resource permissions. +The IAM Access Analyzer external access analyzer findings feature helps you identify the resources in your AWS organization and accounts, such as [Amazon S3 buckets or IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html), that are shared with an external entity. The AWS organization or account you choose is known as the _zone of trust_. The analyzer uses[ automated reasoning ](https://aws.amazon.com/what-is/automated-reasoning/)to analyze all [supported resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html) within the zone of trust, and generates findings for principals that can access the resources from outside the zone of trust. These findings help identify resources that are shared with an external entity and help you preview how your policy affects public and cross-account access to your resource before you deploy resource permissions. This is available at no additional cost. + +Similarly, the IAM Access Analyzer internal access analyzer finding feature helps you identify the resources in your AWS organization and accounts that are shared with principals internally within your organization or account. This analysis supports the principle of least privilege by ensuring that your specified resources can be accessed only by the intended principals within your organization. This is a paid feature and requires explicit configuration of resources to inspect. Use this feature judiciously to monitor specific sensitive resources that, by design, need to be locked down even internally. @@ -229 +274 @@ You can use the findings generated from IAM Access Analyzer to gain visibility i -As a builder, you can use IAM Access Analyzer to perform automated [IAM policy checks](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-checks-validating-policies.html) earlier in your development and deployment (CI/CD) process to adhere to your corporate security standards. You can integrate IAM Access Analyzer custom policy checks and policy reviews with AWS CloudFormation to automate policy reviews as a part of your development team’s CI/CD pipelines. This includes: +As a builder, you can use IAM Access Analyzer to perform automated [IAM policy checks](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-checks-validating-policies.html) earlier in your development and deployment (CI/CD) process to adhere to your corporate security standards. You can integrate IAM Access Analyzer custom policy checks and policy reviews with AWS CloudFormation to automate policy reviews as a part of your development team's CI/CD pipelines. This includes: @@ -231 +276 @@ As a builder, you can use IAM Access Analyzer to perform automated [IAM policy c - * **IAM policy validation** – IAM Access Analyzer validates your policies against [IAM policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) and [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). You can view findings for policy validation checks, including security warnings, errors, general warnings, and suggestions for your policy. Over 100 [policy validation checks](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html) are currently available and can be automated by using the AWS Command Line Interface (AWS CLI) and APIs. + * **IAM policy validation** – IAM Access Analyzer validates your policies against [IAM policy grammar and AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html). You can view findings for policy validation checks, including security warnings, errors, general warnings, and suggestions for your policy. Over 100 [policy validation checks](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html) are currently available and can be automated by using the AWS Command Line Interface (AWS CLI) and APIs. @@ -242 +287 @@ As a builder, you can use IAM Access Analyzer to perform automated [IAM policy c -Security teams and other IAM policy authors can use IAM Access Analyzer to author policies that comply with IAM policy grammar and security standards. Authoring right-sized policies manually can be error prone and time consuming. The IAM Access Analyzer [policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html) feature assists in authoring IAM policies that are based on a principal’s access activity. IAM Access Analyzer reviews AWS CloudTrail logs for [supported services](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation-action-last-accessed-support.html) and generates a policy template that contains the permissions that were used by the principal in the specified date range. You can then use this template to create a policy with fine-grained permissions that grants only the necessary permissions. +Security teams and other IAM policy authors can use IAM Access Analyzer to author policies that comply with IAM policy grammar and security standards. Authoring right-sized policies manually can be error prone and time consuming. The IAM Access Analyzer [policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html) feature assists in authoring IAM policies that are based on a principal's access activity. IAM Access Analyzer reviews AWS CloudTrail logs for [supported services](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation-action-last-accessed-support.html) and generates a policy template that contains the permissions that were used by the principal in the specified date range. You can then use this template to create a policy with fine-grained permissions that grants only the necessary permissions. @@ -253 +298 @@ Security teams and other IAM policy authors can use IAM Access Analyzer to autho -Access Analyzer is deployed in the Security Tooling account through the delegated administrator functionality in AWS Organizations. The delegated administrator has permissions to create and manage analyzers with the AWS organization as the zone of trust. +IAM Access Analyzer is deployed in the Security Tooling account through the delegated administrator functionality in AWS Organizations. The delegated administrator has permissions to create and manage analyzers with the AWS organization as the zone of trust. @@ -257,4 +302 @@ Access Analyzer is deployed in the Security Tooling account through the delegate - * To get account-scoped findings (where the account serves as the trusted boundary), you create an account-scoped analyzer in each member account. This can be done as part of the account pipeline. Account-scoped findings flow into Security Hub CSPM at the member account level. From there, they flow to the Security Hub CSPM delegated administrator account (Security Tooling). - - - +To get account-scoped findings (where the account serves as the trusted boundary), you create an account-scoped analyzer in each member account. This can be done as part of the account pipeline. Account-scoped findings flow into Security Hub CSPM at the member account level. From there, they flow to the Security Hub CSPM delegated administrator account (Security Tooling). @@ -273 +315 @@ Access Analyzer is deployed in the Security Tooling account through the delegate -[AWS Firewall Manager](https://aws.amazon.com/firewall-manager/) helps protect your network by simplifying your administration and maintenance tasks for AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Route 53 Resolver DNS Firewall across multiple accounts and resources. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, AWS Network Firewall firewalls, and DNS Firewall rule group associations only once. The service automatically applies the rules and protections across your accounts and resources, even as you add new resources. +[AWS Firewall Manager](https://aws.amazon.com/firewall-manager/) helps protect your network by simplifying your administration and maintenance tasks for AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall across multiple accounts and resources. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, Network Firewall firewalls, and DNS Firewall rule group associations only once. The service automatically applies the rules and protections across your accounts and resources, even as you add new resources. @@ -279,4 +321 @@ You must enable AWS Config for each AWS Region that contains the resources that -###### Design consideration - - * Account managers of individual member accounts in the AWS organization can configure additional controls (such as AWS WAF rules and Amazon VPC security groups) in the Firewall Manager managed services according to their particular needs. - +With Firewall Manager you can have one or multiple administrators who can manage the firewall resources of your organization. When you assign multiple administrators, you can apply restrictive administrative scope conditions to define the resources (accounts, OUs, Regions, policy types) that each administrator can manage. This gives you the flexibility to have different administrator roles within your organization, and helps you maintain the principal of least privileged access. The AWS SRA uses one administrator with full administrative scope delegated to the Security Tooling account. @@ -283,0 +323 @@ You must enable AWS Config for each AWS Region that contains the resources that +###### Design consideration @@ -284,0 +325 @@ You must enable AWS Config for each AWS Region that contains the resources that