AWS Security ChangesHomeSearch

AWS prescriptive-guidance medium security documentation change

Service: prescriptive-guidance · 2026-07-10 · Security-related medium

File: prescriptive-guidance/latest/security-controls-by-caf-capability/data-controls.md

Summary

Enhanced security control descriptions with action-oriented language (e.g., 'Block public access') and clarified service names.

Security assessment

Explicitly adds 'Block public access' directives for multiple services (EBS, RDS, S3, KMS) and emphasizes critical configurations like MFA for S3 deletions. These changes directly address security vulnerabilities from accidental public exposure.

Diff

diff --git a/prescriptive-guidance/latest/security-controls-by-caf-capability/data-controls.md b/prescriptive-guidance/latest/security-controls-by-caf-capability/data-controls.md
index 46312453c..355b9d053 100644
--- a//prescriptive-guidance/latest/security-controls-by-caf-capability/data-controls.md
+++ b//prescriptive-guidance/latest/security-controls-by-caf-capability/data-controls.md
@@ -7 +7 @@
-Classify data at the workload levelEstablish controls for each data classification levelEncrypt data at restEncrypt data in transitPublic access to Amazon EBS snapshotsPublic access to Amazon RDS snapshotsPublic access to Amazon RDS, Amazon Redshift, and AWS DMS resourcesPublic access to S3 bucketsRequire MFA to delete S3 bucket dataOpenSearch Service domains in VPCsAlerts for KMS key deletionPublic access to KMS keysListeners use secure protocols
+Identify and classify data at the workload levelEstablish controls for each data classification levelEncrypt data at restEncrypt data in transitBlock public access to Amazon EBS snapshotsBlock public access to Amazon RDS snapshotsBlock public access to Amazon RDS, Amazon Redshift, and AWS DMS resourcesBlock public access to Amazon S3 bucketsRequire MFA to delete data in critical Amazon S3 bucketsConfigure Amazon OpenSearch Service domains in a VPCConfigure alerts for AWS KMS key deletionBlock public access to AWS KMS keysConfigure load balancer listeners to use secure protocols
@@ -13 +13 @@ The AWS Well-Architected Framework groups the best practices for protecting data
-###### Controls in this section:
+Controls in this section: