AWS prescriptive-guidance documentation change
Summary
Restructured design considerations into bullet points, updated FIPS validation level to 140-3, added hybrid post-quantum TLS documentation for Secrets Manager, replaced Amazon Cognito Sync with AWS AppSync, updated image path, and removed survey link.
Security assessment
The changes primarily improve documentation structure and clarify security best practices. The update to FIPS 140-3 reflects current standards but doesn't address a specific vulnerability. The hybrid post-quantum TLS addition documents new security features for Secrets Manager to protect against future quantum computing threats (HNDL attacks), which enhances security posture but doesn't fix an existing vulnerability.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/application.md b/prescriptive-guidance/latest/security-reference-architecture/application.md index e6bb0effa..d96db2316 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/application.md +++ b//prescriptive-guidance/latest/security-reference-architecture/application.md @@ -11,3 +10,0 @@ Application VPCVPC endpointsAmazon EC2AWS Nitro EnclavesApplication Load Balance -Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua). ---- - @@ -16 +13 @@ The following diagram illustrates the AWS security services that are configured - + @@ -20 +17,5 @@ The Application account hosts the primary infrastructure and services to run and -###### Design consideration +**Design consideration:** + + * In your organization you are likely to have more than one business application. The Workloads OU is intended to house most of your business-specific workloads, including both production and non-production environments. These workloads can be a mix of commercial off-the-shelf (COTS) applications and your own internally developed custom applications and data services. There are few patterns for organizing different business applications along with their development environments. One pattern is to have multiple child OUs based on your development environment, such as production, staging, test, and development, and to use separate child AWS accounts under those OUs that pertain to different applications. Another common pattern is to have separate child OUs per application and then use separate child AWS accounts for individual development environments. The exact OU and account structure depends on your application design and the teams that manage those applications. Consider the security controls that you want to enforce, whether they are environment-specific or application-specific, because it is easier to implement those controls as SCPs on OUs. For further considerations on organizing workload-oriented OUs, see the [Application OUs](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/application-ous.html) section of the AWS whitepaper _Organizing your AWS environment using multiple accounts_. + + @@ -22 +22,0 @@ The Application account hosts the primary infrastructure and services to run and -In your organization you are likely to have more than one business application. The Workloads OU is intended to house most of your business-specific workloads, including both production and non-production environments. These workloads can be a mix of commercial off-the-shelf (COTS) applications and your own internally developed custom applications and data services. There are few patterns for organizing different business applications along with their development environments. One pattern is to have multiple child OUs based on your development environment, such as production, staging, test, and development, and to use separate child AWS accounts under those OUs that pertain to different applications. Another common pattern is to have separate child OUs per application and then use separate child AWS accounts for individual development environments. The exact OU and account structure depends on your application design and the teams that manage those applications. Consider the security controls that you want to enforce, whether they are environment-specific or application-specific, because it is easier to implement those controls as SCPs on OUs. For further considerations on organizing workload-oriented OUs, see the [Application OUs](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/application-ous.html) section of the AWS whitepaper _Organizing your AWS environment using multiple accounts_. @@ -28 +28,5 @@ The virtual private cloud (VPC) in the Application account needs both inbound ac -###### Design consideration +**Design consideration:** + + * You can use [Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html) to copy network traffic from an elastic network interface of EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, or troubleshooting. For example, you might want to monitor the traffic that is leaving your VPC or the traffic whose source is outside your VPC. In this case, you will mirror all traffic except for the traffic passing within your VPC and send it to a single monitoring appliance. Amazon VPC flow logs do not capture mirrored traffic; they generally capture information from packet headers only. Traffic Mirroring provides deeper insight into the network traffic by allowing you to analyze actual traffic content, including payload. Enable Traffic Mirroring only for the elastic network interface of EC2 instances that might be operating as part of sensitive workloads or for which you expect to need detailed diagnostics in the event of an issue. + + @@ -30 +33,0 @@ The virtual private cloud (VPC) in the Application account needs both inbound ac -You can use [Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html) to copy network traffic from an elastic network interface of EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, or troubleshooting. For example, you might want to monitor the traffic that is leaving your VPC or the traffic whose source is outside your VPC. In this case, you will mirror all traffic except for the traffic passing within your VPC and send it to a single monitoring appliance. Amazon VPC flow logs do not capture mirrored traffic; they generally capture information from packet headers only. Traffic Mirroring provides deeper insight into the network traffic by allowing you to analyze actual traffic content, including payload. Enable Traffic Mirroring only for the elastic network interface of EC2 instances that might be operating as part of sensitive workloads or for which you expect to need detailed diagnostics in the event of an issue. @@ -44 +47,5 @@ Use separate VPCs (as subset of account boundaries) to isolate infrastructure by -###### Implementation example +**Implementation example:** + + * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [default Amazon EBS encryption in Amazon EC2](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption). It demonstrates how you can enable the account-level default Amazon EBS encryption within each AWS account and AWS Region in the AWS organization. + + @@ -46 +52,0 @@ Use separate VPCs (as subset of account boundaries) to isolate infrastructure by -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [default Amazon EBS encryption in Amazon EC2](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption). It demonstrates how you can enable the account-level default Amazon EBS encryption within each AWS account and AWS Region in the AWS organization. @@ -62 +68 @@ AWS Certificate Manager (ACM) natively integrates with Application Load Balancer -###### Design considerations +**Design considerations:** @@ -87 +93,5 @@ Amazon Inspector in member accounts is centrally managed by the delegated admini -###### Design consideration +**Design consideration:** + + * You can use [Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html), a capability of AWS Systems Manager, to trigger on-demand patching to remediate Amazon Inspector zero-day or other critical security vulnerabilities. Patch Manager helps you patch those vulnerabilities without having to wait for your normal patching schedule. The remediation is carried out by using the Systems Manager Automation runbook. For more information, see the two-part blog series [Automate vulnerability management and remediation in AWS using Amazon Inspector and AWS Systems Manager](https://aws.amazon.com/blogs/mt/automate-vulnerability-management-and-remediation-in-aws-using-amazon-inspector-and-aws-systems-manager-part-1/). + + @@ -89 +98,0 @@ Amazon Inspector in member accounts is centrally managed by the delegated admini -You can use [Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html), a capability of AWS Systems Manager, to trigger on-demand patching to remediate Amazon Inspector zero-day or other critical security vulnerabilities. Patch Manager helps you patch those vulnerabilities without having to wait for your normal patching schedule. The remediation is carried out by using the Systems Manager Automation runbook. For more information, see the two-part blog series [Automate vulnerability management and remediation in AWS using Amazon Inspector and AWS Systems Manager](https://aws.amazon.com/blogs/mt/automate-vulnerability-management-and-remediation-in-aws-using-amazon-inspector-and-aws-systems-manager-part-1/). @@ -101 +110 @@ The AWS SRA also uses [Automation](https://docs.aws.amazon.com/systems-manager/l -###### Design considerations +**Design considerations:** @@ -116 +125,5 @@ In the AWS SRA, [Amazon Aurora](https://aws.amazon.com/rds/aurora/) and [Amazon -###### Design consideration +**Design consideration:** + + * As in many database services, security for Aurora is managed at three levels. To control who can perform Amazon Relational Database Service (Amazon RDS) management actions on Aurora DB clusters and DB instances, you use IAM. To control which devices and EC2 instances can open connections to the cluster endpoint and port of the DB instance for Aurora DB clusters in a VPC, you use a VPC security group. To authenticate logins and permissions for an Aurora DB cluster, you can take the same approach as with a stand-alone DB instance of MySQL or PostgreSQL, or you can use IAM database authentication for Aurora MySQL-Compatible Edition. With this latter approach, you authenticate to your Aurora MySQL-Compatible DB cluster by using an IAM role and an authentication token. + + @@ -118 +130,0 @@ In the AWS SRA, [Amazon Aurora](https://aws.amazon.com/rds/aurora/) and [Amazon -As in many database services, security for Aurora is managed at three levels. To control who can perform Amazon Relational Database Service (Amazon RDS) management actions on Aurora DB clusters and DB instances, you use IAM. To control which devices and EC2 instances can open connections to the cluster endpoint and port of the DB instance for Aurora DB clusters in a VPC, you use a VPC security group. To authenticate logins and permissions for an Aurora DB cluster, you can take the same approach as with a stand-alone DB instance of MySQL or PostgreSQL, or you can use IAM database authentication for Aurora MySQL-Compatible Edition. With this latter approach, you authenticate to your Aurora MySQL-Compatible DB cluster by using an IAM role and an authentication token. @@ -128 +140 @@ The AWS SRA illustrates the recommended distribution model for key management, w -###### Design consideration +**Design consideration:** @@ -130 +142 @@ The AWS SRA illustrates the recommended distribution model for key management, w -In a distributed model, the AWS KMS key management responsibility resides with the application team. However, your central security team can be responsible for the governance and [monitoring](https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-cloudwatch.html) of important cryptographic events such as the following: + * In a distributed model, the AWS KMS key management responsibility resides with the application team. However, your central security team can be responsible for the governance and [monitoring](https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-cloudwatch.html) of important cryptographic events such as the following: @@ -145 +157,6 @@ In a distributed model, the AWS KMS key management responsibility resides with t -[AWS CloudHSM](https://aws.amazon.com/cloudhsm/) provides managed hardware security modules (HSMs) in the AWS Cloud. It enables you to generate and use your own encryption keys on AWS by using FIPS 140-2 level 3 validated HSMs that you control access to. You can use AWS CloudHSM to offload SSL/TLS processing for your web servers. This reduces the burden on the web server and provides extra security by storing the web server's private key in AWS CloudHSM. You could similarly deploy an HSM from AWS CloudHSM in the inbound VPC in the Network account to store your private keys and sign certificate requests if you need to act as an issuing certificate authority. +[AWS CloudHSM](https://aws.amazon.com/cloudhsm/) provides managed hardware security modules (HSMs) in the AWS Cloud. It enables you to generate and use your own encryption keys on AWS by using FIPS 140-3 level 3 validated HSMs that you control access to. You can use AWS CloudHSM to offload SSL/TLS processing for your web servers. This reduces the burden on the web server and provides extra security by storing the web server's private key in AWS CloudHSM. You could similarly deploy an HSM from AWS CloudHSM in the inbound VPC in the Network account to store your private keys and sign certificate requests if you need to act as an issuing certificate authority. + +**Design consideration:** + + * If you have a hard requirement for FIPS 140-3 level 3, you can also choose to configure AWS KMS to use the AWS CloudHSM cluster as a custom key store rather than using the native KMS key store. By doing this, you benefit from the integration between AWS KMS and AWS services that encrypt your data, while being responsible for the HSMs that protect your KMS keys. This combines single-tenant HSMs under your control with the ease of use and integration of AWS KMS. To manage your AWS CloudHSM infrastructure, you have to employ a public key infrastructure (PKI) and have a team that has experience managing HSMs. + @@ -147 +163,0 @@ In a distributed model, the AWS KMS key management responsibility resides with t -###### Design consideration @@ -149 +164,0 @@ In a distributed model, the AWS KMS key management responsibility resides with t -If you have a hard requirement for FIPS 140-2 level 3, you can also choose to configure AWS KMS to use the AWS CloudHSM cluster as a custom key store rather than using the native KMS key store. By doing this, you benefit from the integration between AWS KMS and AWS services that encrypt your data, while being responsible for the HSMs that protect your KMS keys. This combines single-tenant HSMs under your control with the ease of use and integration of AWS KMS. To manage your AWS CloudHSM infrastructure, you have to employ a public key infrastructure (PKI) and have a team that has experience managing HSMs. @@ -159 +174 @@ Secrets Manager uses [envelope encryption](https://docs.aws.amazon.com/kms/lates -As a best practice, you can monitor your secrets to log any changes to them. This helps you ensure that any unexpected usage or change can be investigated. Unwanted changes can be rolled back. Secrets Manager currently supports two AWS services that enable you to monitor your organization and activity: AWS CloudTrail and AWS Config. CloudTrail captures all API calls for Secrets Manager as events, including calls from the Secrets Manager console and from code calls to the Secrets Manager APIs. In addition, CloudTrail captures other related (non-API) events that might have a security or compliance impact on your AWS account or might help you troubleshoot operational problems. These include certain secrets rotation events and deletion of secret versions. AWS Config can provide detective controls by tracking and monitoring changes to secrets in Secrets Manager. These changes include a secret's description, rotation configuration, tags, and relationship to other AWS sources such as the KMS encryption key or the AWS Lambda functions used for secret rotation. You can also configure Amazon EventBridge, which receives configuration and compliance change notifications from AWS Config, to route particular secrets events for notification or remediation actions. +As a best practice, you can monitor your secrets to log any changes to them. This helps you ensure that any unexpected usage or change can be investigated. Unwanted changes can be rolled back. Secrets Manager currently supports two AWS services that enable you to monitor your organization and activity: AWS CloudTrail and AWS Config. CloudTrail captures all API calls for Secrets Manager as events, including calls from the Secrets Manager console and from code calls to the Secrets Manager APIs. In addition, CloudTrail captures other related (non-API) events that might have a security or compliance impact on your AWS account or might help you troubleshoot operational problems. These include certain secrets rotation events and deletion of secret versions. AWS Config can provide detective controls by tracking and monitoring changes to secrets in Secrets Manager. These changes include a secret's description, rotation configuration, tags, and relationship to other AWS sources such as the AWS KMS encryption key or the AWS Lambda functions used for secret rotation. You can also configure Amazon EventBridge, which receives configuration and compliance change notifications from AWS Config, to route particular secrets events for notification or remediation actions. @@ -163 +178,7 @@ In the AWS SRA, Secrets Manager is located in the Application account to support -###### Design consideration +**Design considerations:** + + * In general, configure and manage Secrets Manager in the account that is closest to where the secrets will be used. This approach takes advantage of the local knowledge of the use case and provides speed and flexibility to application development teams. For tightly controlled information where an additional layer of control might be appropriate, secrets can be centrally managed by Secrets Manager in the Security Tooling account. + + * Secrets Manager supports hybrid post-quantum TLS using Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) to protect secrets against harvest now, decrypt later (HNDL) attacks. You can use this TLS option when you connect to Secrets Manager API endpoints. This feature is automatically enabled in Secrets Manager Agent (version 2.0.0 or later), AWS Lambda extension (version 19 or later), and Secrets Manager CSI Driver (version 2.0.0 or later). However, because the performance characteristics and bandwidth requirements of hybrid cipher suites are different from those of classic key exchange mechanisms, we recommend that you test them on your API calls. + + @@ -165 +185,0 @@ In the AWS SRA, Secrets Manager is located in the Application account to support -In general, configure and manage Secrets Manager in the account that is closest to where the secrets will be used. This approach takes advantage of the local knowledge of the use case and provides speed and flexibility to application development teams. For tightly controlled information where an additional layer of control might be appropriate, secrets can be centrally managed by Secrets Manager in the Security Tooling account. @@ -171 +191 @@ In general, configure and manage Secrets Manager in the account that is closest -Amazon Cognito provides a built-in and customizable UI for user sign-up and sign-in. You can use Android, iOS, and JavaScript SDKs for Amazon Cognito to add user sign-up and sign-in pages to your apps. [Amazon Cognito Sync](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sync.html) is an AWS service and client library that enables cross-device syncing of application-related user data. +Amazon Cognito provides a built-in and customizable UI for user sign-up and sign-in. You can use Android, iOS, and JavaScript SDKs for Amazon Cognito to add user sign-up and sign-in pages to your apps. [AWS AppSync](https://docs.aws.amazon.com/appsync/latest/devguide/what-is-appsync.html) is an AWS service and client library that enables cross-device syncing of application-related user data. @@ -175 +195 @@ Amazon Cognito supports multi-factor authentication and encryption of data at re -###### Design considerations +**Design considerations:** @@ -219 +239 @@ Infrastructure OU – Shared Services account -AI/ML for security +Multi-Region Architecture