AWS wellarchitected documentation change
Summary
Clarified shared responsibilities for patch management in AWS managed services, distinguishing between single-tenant and multi-tenant architectures.
Security assessment
Expands documentation about security responsibilities (patch management) without referencing a specific vulnerability. This strengthens security guidance but doesn't address an incident.
Diff
diff --git a/wellarchitected/latest/security-pillar/shared-responsibility.md b/wellarchitected/latest/security-pillar/shared-responsibility.md index 7d57e9202..178f42137 100644 --- a//wellarchitected/latest/security-pillar/shared-responsibility.md +++ b//wellarchitected/latest/security-pillar/shared-responsibility.md @@ -21 +21 @@ This customer/AWS shared responsibility model also extends to IT controls. Just -**Inherited Controls** – Controls that a customer fully inherits from AWS. +**Inherited controls:** Controls that a customer fully inherits from AWS. @@ -23 +23 @@ This customer/AWS shared responsibility model also extends to IT controls. Just - * Physical and Environmental controls + * Physical and environmental controls @@ -28 +28 @@ This customer/AWS shared responsibility model also extends to IT controls. Just -**Shared Controls** – Controls that apply to both the infrastructure layer and customer layers, but in separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include: +**Shared controls:** Controls that apply to both the infrastructure layer and customer layers, but in separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include: @@ -30 +30 @@ This customer/AWS shared responsibility model also extends to IT controls. Just - * Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating system and applications. + * **Patch management:** AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating system and applications. @@ -32 +32 @@ This customer/AWS shared responsibility model also extends to IT controls. Just - * Configuration Management – AWS maintains the configuration of its infrastructure devices, but customers are responsible for configuring their own guest operating systems, databases, and applications. + * For AWS managed services operating on single-tenant architectures (such as Amazon ElastiCache, Amazon RDS, and Amazon OpenSearch Service), patch management responsibility is shared as follows: @@ -34 +34 @@ This customer/AWS shared responsibility model also extends to IT controls. Just - * Awareness and Training – AWS trains AWS employees, but customers must train their own employees. + * **AWS responsibility:** Identify vulnerabilities, develop and validate patches, release patches within the service's patching SLA, and notify customers of available updates through the service's documented notification mechanism. @@ -35,0 +36 @@ This customer/AWS shared responsibility model also extends to IT controls. Just + * **Customer responsibility:** Review available updates and facilitate patching by selecting maintenance windows, applying service updates, or scheduling required restarts within the timeframes communicated by AWS. @@ -36,0 +38 @@ This customer/AWS shared responsibility model also extends to IT controls. Just + * For AWS managed services operating on multi-tenant architectures (such as Amazon ElastiCache Serverless, Amazon DynamoDB, and Amazon S3), patch management responsibility is shared as follows: @@ -37,0 +40 @@ This customer/AWS shared responsibility model also extends to IT controls. Just + * **AWS responsibility:** Apply patches without requiring customer action. @@ -39 +42,10 @@ This customer/AWS shared responsibility model also extends to IT controls. Just -**Customer Specific** – Controls that are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include: + * **Customer responsibility:** Consult patching and maintenance documentation for each AWS managed service they use to understand specific notification mechanisms, maintenance window options, and update application processes available to them. + + * **Configuration management:** AWS maintains the configuration of its infrastructure devices, but customers are responsible for configuring their own guest operating systems, databases, and applications. + + * **Awareness and training:** AWS trains AWS employees, but customers must train their own employees. + + + + +**Customer specific:** Controls that are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include: