AWS prescriptive-guidance documentation change
Summary
Updated internal links, added IAM documentation reference, clarified vault sharing includes users, added IAM Access Analyzer link, and renumbered section headings
Security assessment
Changes primarily improve documentation clarity and link accuracy. Adding IAM Access Analyzer reference enhances security guidance but does not address a specific vulnerability. The 'user' addition in vault sharing clarifies existing capabilities without introducing new security features.
Diff
diff --git a/prescriptive-guidance/latest/security-best-practices/access-control.md b/prescriptive-guidance/latest/security-best-practices/access-control.md index 188682220..34b72ae5d 100644 --- a//prescriptive-guidance/latest/security-best-practices/access-control.md +++ b//prescriptive-guidance/latest/security-best-practices/access-control.md @@ -5 +5 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Top 10 security best practices for securing backups in AWS](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Top 10 security best practices for securing backups in AWS](introduction.html) @@ -9 +9 @@ -When thinking about security in the cloud, your foundational strategy should begin with a strong identity foundation to ensure a user has the right permissions to access data. Appropriate authentication and authorization can mitigate the risk of security events. The shared responsibility model requires AWS customers to implement access control policies. To create and manage access policies at scale, you can use AWS Identity and Access Management (IAM). +When thinking about security in the cloud, your foundational strategy should begin with a strong identity foundation to ensure a user has the right permissions to access data. Appropriate authentication and authorization can mitigate the risk of security events. The shared responsibility model requires AWS customers to implement access control policies. To create and manage access policies at scale, you can use [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/). @@ -13 +13 @@ When configuring access rights and permissions, implement the principle of least -For example, by implementing access control policies, you can grant users access to create backup plans and on-demand backups while limiting their ability to delete recovery points. Using vault access policies, you can share a destination backup vault with a source AWS account or IAM role, as required by your business needs. You can also use access policies to share a backup vault with one or multiple accounts, or with your entire organization in AWS Organizations. For more information, see the [AWS Backup documentation](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html#share-vault-cab). +For example, by implementing access control policies, you can grant users access to create backup plans and on-demand backups while limiting their ability to delete recovery points. Using vault access policies, you can share a destination backup vault with a source AWS account, user, or IAM role, as required by your business needs. You can also use access policies to share a backup vault with one or multiple accounts, or with your entire organization in AWS Organizations. For more information, see the [AWS Backup documentation](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html#share-vault-cab). @@ -17 +17 @@ As you scale your workloads or migrate into AWS, you might need to centrally man -To mitigate security risks such as unintended access to your backup resources and data, use IAM Access Analyzer to identify any AWS Backup IAM role shared with the following: +To mitigate security risks such as unintended access to your backup resources and data, use [IAM Access Analyzer](https://aws.amazon.com/blogs/aws/identify-unintended-resource-access-with-aws-identity-and-access-management-iam-access-analyzer/) to identify any AWS Backup IAM role shared with the following: @@ -42 +42 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Automate backup +Step 3. Automate backup operations @@ -44 +44 @@ Automate backup -Encrypt backup data and vault +Step 5. Encrypt backup data and vault