AWS securityhub documentation change
Summary
Fixed an anchor link, removed a stray character, and deleted the entire 'The Amazon EC2 instance is reachable within the Amazon VPC' section which previously contained network security guidance about VPC segmentation, security groups, NACLs, and connectivity restrictions.
Security assessment
The changes include minor documentation fixes and removal of security best practices content about network segmentation. While the removed content was security-related, the deletion itself doesn't indicate addressing a specific security vulnerability or incident. The change actually removes security documentation rather than adding it.
Diff
diff --git a/securityhub/latest/userguide/exposure-ec2-instance.md b/securityhub/latest/userguide/exposure-ec2-instance.md index f8cbe983c..ffad510da 100644 --- a//securityhub/latest/userguide/exposure-ec2-instance.md +++ b//securityhub/latest/userguide/exposure-ec2-instance.md @@ -29 +29 @@ The remediation guidance provided in this topic might require additional consult - * [The IAM role associated with the Amazon EC2 instance has a service admin policy](./exposure-ec2-instance.html#service-administrative-policy) + * [The IAM role associated with the Amazon EC2 instance has a service admin policy](./exposure-ec2-instance.html#service-admin-policy) @@ -39,2 +38,0 @@ The remediation guidance provided in this topic might require additional consult - * [The Amazon EC2 instance is reachable within the Amazon VPC](./exposure-ec2-instance.html#vpc-reachable) - @@ -183 +181 @@ Consider the following options for alternative access methods: - * **Use NAT Gateway for outbound internet connectivity** – For instances in private subnets that require access to the internet (e.g., to download updates), consider using a NAT Gateway instead of assigning a public IP address. A NAT Gateway allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections from the internet. s + * **Use NAT Gateway for outbound internet connectivity** – For instances in private subnets that require access to the internet (e.g., to download updates), consider using a NAT Gateway instead of assigning a public IP address. A NAT Gateway allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections from the internet. @@ -192,29 +189,0 @@ Consider the following options for alternative access methods: -### The Amazon EC2 instance is reachable within the Amazon VPC - -Amazon Virtual Private Cloud (Amazon VPC) allows you to launch AWS resources in a defined virtual network. Amazon VPC network configurations that allow unrestricted access between instances can increase the scope of an attack if an instance is compromised. Following security best practices, AWS recommends implementing network segmentation and least-privilege access controls at the subnet and security group levels. - -###### Review Amazon VPC network connectivity patterns - -In the exposure finding, identify the security group ID in the ARN. Identify which instances need to communicate with each other and on which ports. You can use Amazon VPC Flow Logs to analyze existing traffic patterns in your Amazon VPC to help identify which ports are being used. - -###### Modify security group rules - -Modify your security group rules to restrict access to specific trusted IP addresses or ranges. For example, instead of allowing all traffic from the entire VPC CIDR range (e.g., 10.0.0.0/16), restrict access to specific security groups or IP ranges. When updating your security group rules, consider separating access requirements for different network segments by creating rules for each required source IP range or restricting access to specific ports. To modify security group rules, see [Configure security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-security-group-rules.html) in the Amazon EC2 User Guide. - -Consider organizing your Amazon VPC resources into subnets based on security requirements or function. For example, place web servers and database servers in separate subnets. For more information, see [Subnets for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the _Amazon Virtual Private Cloud User Guide_. - -###### Configure network ACLs for subnet level protection - -Network Access Control Lists (NACLs) provide an additional layer of security at the subnet level. Unlike security groups, NACLs are stateless and require both inbound and outbound rules to be explicitly defined. For more information, see [Control subnet traffic with network access control lists](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) in the _Amazon Virtual Private Cloud User Guide_. - -###### Additional considerations - -Consider the following when restricting access to your Amazon VPC - - * **Transit Gateway or Amazon VPC Peering with restrictive routing** – If your architecture uses multiple VPCs that need to communicate, consider using AWS Transit Gateway and Amazon VPC peering to provide connectivity between Amazon VPCs while allowing you to control which subnets can communicate with each other. For more information, see [Get started with using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html) and [VPC peering connections](https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html). - - * **Service endpoints and private links** – Amazon VPC endpoints can be used to keep traffic within the AWS network to communicate with AWS resources rather than over the internet. This reduces the need for direct connectivity between instances accessing the same services. For information on VPC endpoints, see [What are Amazon VPC endpoints?](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the _Amazon Virtual Private Cloud User Guide_. For connectivity to services hosted in other Amazon VPCs, consider using AWS PrivateLink. - - - -