AWS prescriptive-guidance documentation change
Summary
Updated navigation link and added documentation about VPC endpoints and AWS Systems Manager Session Manager as a bastion host alternative
Security assessment
Added security documentation about VPC endpoints keeping management traffic on AWS network (improving security) and Session Manager reducing attack surface/eliminating SSH keys. No specific vulnerability is being addressed.
Diff
diff --git a/prescriptive-guidance/latest/migration-sas-grid/target-architecture.md b/prescriptive-guidance/latest/migration-sas-grid/target-architecture.md index aa4a88792..36ff12c2b 100644 --- a//prescriptive-guidance/latest/migration-sas-grid/target-architecture.md +++ b//prescriptive-guidance/latest/migration-sas-grid/target-architecture.md @@ -5 +5 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Migrating SAS Grid to the AWS Cloud](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Migrating SAS Grid to the AWS Cloud](introduction.html) @@ -22,0 +23,2 @@ This architecture includes the following components: + * VPC endpoints – Gateway endpoints for Amazon S3 and DynamoDB eliminate NAT Gateway data transfer costs for these services. Interface endpoints for AWS Systems Manager, CloudWatch, and the Amazon EC2 API help keep management traffic on the AWS network, improving security and reducing costs. + @@ -24,0 +27,4 @@ This architecture includes the following components: +###### Note + +While bastion hosts are included for traditional access patterns, consider [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) to eliminate bastion hosts entirely. This reduces your attack surface, eliminates the need to manage SSH keys, and provides centralized audit logging of all access sessions. +