AWS prescriptive-guidance documentation change
Summary
Updated terminology from 'Security Hub CSPM' to 'Security Hub' in table, text descriptions, and SCP example; corrected image path
Security assessment
Changes involve terminology updates (removing 'CSPM' from Security Hub references) and an image path correction. No security vulnerability fixes or new security features are introduced. Security controls (Security Hub, GuardDuty, S3 Object Lock) remain functionally unchanged.
Diff
diff --git a/prescriptive-guidance/latest/cmmc-level-2-compliance-on-aws/design-a-multi-account-architecture-for-cmmc.md b/prescriptive-guidance/latest/cmmc-level-2-compliance-on-aws/design-a-multi-account-architecture-for-cmmc.md index bb63159e9..fdd4e2cf7 100644 --- a//prescriptive-guidance/latest/cmmc-level-2-compliance-on-aws/design-a-multi-account-architecture-for-cmmc.md +++ b//prescriptive-guidance/latest/cmmc-level-2-compliance-on-aws/design-a-multi-account-architecture-for-cmmc.md @@ -22 +22 @@ Shared Services Account | Centralized security services shared across the CUI bo -Security and Log Archive Account | Aggregates SPD: AWS Security Hub CSPM findings, CloudTrail logs, AWS Config evaluations, Amazon VPC Flow Logs. Protected by Amazon S3 Object Lock for immutability. Also serves as the evidence pipeline, transforming SPD into assessment-ready artifacts using Amazon Athena. | Security Protection Asset +Security and Log Archive Account| Aggregates SPD: AWS Security Hub findings, CloudTrail logs, AWS Config evaluations, Amazon VPC Flow Logs. Protected by Amazon S3 Object Lock for immutability. Also serves as the evidence pipeline, transforming SPD into assessment-ready artifacts using Amazon Athena.| Security Protection Asset @@ -28 +28 @@ This figure shows the multi-account architecture in relation to CMMC scope and s - + @@ -74 +74 @@ This account supports the services that multiple workloads use to deliver their -This account serves a dual purpose. First, it acts as the audit trail consolidation point for SPD collected from the accounts in the organization, including the CUI Workload accounts. This includes CloudTrail logs, AWS Config evaluations, Security Hub CSPM findings, Amazon VPC Flow Logs, and Amazon Inspector reports. The log data housed in this account is immutable and protected from being changed or deleted using Amazon S3 Object Lock in compliance mode. +This account serves a dual purpose. First, it acts as the audit trail consolidation point for SPD collected from the accounts in the organization, including the CUI Workload accounts. This includes CloudTrail logs, AWS Config evaluations, Security Hub findings, Amazon VPC Flow Logs, and Amazon Inspector reports. The log data housed in this account is immutable and protected from being changed or deleted using Amazon S3 Object Lock in compliance mode. @@ -78 +78 @@ Second, this account hosts the automated evidence pipeline that transforms SPD i -This account is also typically one that has been delegated access from services like Security Hub CSPM and GuardDuty for centralized management of your security posture tooling in your AWS organization. +This account is also typically one that has been delegated access from services like Security Hub and GuardDuty for centralized management of your security posture tooling in your AWS organization. @@ -92 +92 @@ SCPs on the Management Account enforce baseline guardrails across all other acco - * Deny disabling GuardDuty, Security Hub CSPM, or Amazon Inspector + * Deny disabling GuardDuty, Security Hub, or Amazon Inspector