AWS fedramp documentation change
Summary
Added security feature explanations for RDS command parameters, updated PostgreSQL engine version, and modified Security Hub standards ARNs to newer versions.
Security assessment
The changes document security controls (encryption, network isolation, credential management) but don't address a specific vulnerability. The engine version update likely includes security patches but lacks explicit vulnerability context. The ARN updates reflect newer compliance standards without security incident evidence.
Diff
diff --git a/fedramp/latest/userguide/privileged-account-guidance.md b/fedramp/latest/userguide/privileged-account-guidance.md index a06cfe734..68206f859 100644 --- a//fedramp/latest/userguide/privileged-account-guidance.md +++ b//fedramp/latest/userguide/privileged-account-guidance.md @@ -255,0 +256,23 @@ This subsection covers accounts responsible for managing database services, conf +This command creates a PostgreSQL database instance with multiple security layers to protect sensitive data and meet compliance requirements: + +**Security Features Explained:** + + * **Credential Management** (`--manage-master-user-password`, `--master-user-secret-kms-key-id`): Automatically stores the master password in AWS Secrets Manager with KMS encryption, eliminating the need to handle passwords directly and enabling automatic rotation + + * **Encryption at Rest** (`--storage-encrypted`, `--kms-key-id`): Encrypts all database storage using customer-managed KMS keys, providing control over encryption key policies and audit trails for data access + + * **Network Isolation** (`--vpc-security-group-ids`, `--db-subnet-group-name`): Deploys the database in private subnets with restrictive security groups, preventing direct internet access and limiting connections to authorized resources only + + * **Backup Protection** (`--backup-retention-period 30`, `--copy-tags-to-snapshot`): Maintains 30 days of automated backups with proper tagging for compliance tracking and disaster recovery + + * **Monitoring & Auditing** (`--enable-performance-insights`, `--enable-cloudwatch-logs-exports`): Enables comprehensive logging and performance monitoring with encrypted insights data for security analysis and troubleshooting + + * **Deletion Protection** (`--deletion-protection`): Prevents accidental database deletion, requiring explicit removal of this flag before the database can be deleted + + + + +**Why These Settings Matter for Security:** + +These configurations implement defense-in-depth by combining encryption, access controls, monitoring, and operational safeguards. Together, they help prevent unauthorized access, detect security incidents, maintain audit trails, and ensure data can be recovered in case of failure or attack. + @@ -261 +284 @@ This subsection covers accounts responsible for managing database services, conf - --engine-version 13.7 \ + --engine-version 13.18 \ @@ -547,2 +570,2 @@ This subsection covers AWS security services that can only be configured at the - "arn:aws:securityhub::ruleset/finding-format/aws-foundational-security-standard/v/1.0.0", - "arn:aws:securityhub:us-east-1:standard/cis-aws-foundations-benchmark/v/1.2.0" + "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", + "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/3.0.0"