AWS prescriptive-guidance documentation change
Summary
Restructured section headings, fixed a link, removed AWS Lambda reference from detective controls, and introduced a typo in a heading.
Security assessment
Changes are structural/formatting improvements without security context. Removal of 'AWS Lambda functions' doesn't indicate a security fix but rather documentation refinement.
Diff
diff --git a/prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md b/prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md index 878c17bd8..a36022554 100644 --- a//prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md +++ b//prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md @@ -6,0 +7,2 @@ +Control guidance levelsLimitations for preventive controlsAutomating controls + @@ -13 +15 @@ - * **Detective controls** continuously monitor resources to detect non-compliance in your accounts, and then provide alerts through the dashboard. For example, the control [Detect Whether Unrestricted Incoming TCP Traffic is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#rdp-disallow-internet) can detect whether a security group is set up with unrestricted incoming TCP traffic and alert the user to restrict their incoming protocols. Detective controls are implemented by using [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) and AWS Lambda functions. + * **Detective controls** continuously monitor resources to detect non-compliance in your accounts, and then provide alerts through the dashboard. For example, the control [Detect Whether Unrestricted Incoming TCP Traffic is Allowed ](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#rdp-disallow-internet)can detect whether a security group is set up with unrestricted incoming TCP traffic and alert the user to restrict their incoming protocols. Detective controls are implemented by using [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html). @@ -24 +26 @@ SCPs (preventive controls) don't have any effect in the management account. The -**Control guidance levels** +## Control guidance levels @@ -34 +36 @@ You can use custom SCPs and AWS Config Rules for additional detection and preven -**Limitations for preventive controls** +## Limitations for preventive controls @@ -38 +40 @@ You can have a maximum of five SCPs attached to an OU and a maximum of five OU l -**Automating controls** +## Automating controls @@ -53 +55 @@ You can automatically activate and deactivate controls by using any of the follo -For more information about automating controls, see [About controls in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. The following sections discuss [mandatory controls](./mandatory.html), [optional controls](./optional.html), and [custom controls](./custom.html) in more detail. +For more information about automating controls, see [About controls in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. The following sections discuss [mandatory controls](./mandatory.html), [optional controls,](./optional.html) and [custom controls](./custom.html) in more detail. @@ -61 +63 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Configuring account structure and OUs +Configuring acount structure and OUs @@ -63 +65 @@ Configuring account structure and OUs -Mandatory controls +Networking integration