AWS prescriptive-guidance documentation change
Summary
Expanded security services coverage and added detailed configuration requirements for AWS Security Hub, Network Firewall, DNS Firewall, KMS, Private CA, IAM Identity Center, Systems Manager, and Secrets Manager. Updated existing sections with encryption requirements, service integrations, and delegated administrator changes.
Security assessment
Changes enhance security documentation by adding best practices for encryption (KMS secrets/GuardDuty findings), network protections (Firewall/DNS rules), access control (IAM Identity Center), and service hardening. No specific vulnerability is addressed; rather, these are proactive security controls. Security impact includes improved data protection and threat prevention through expanded guidance.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/checklist.md b/prescriptive-guidance/latest/security-reference-architecture/checklist.md index 416c16b6e..8310ce44c 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/checklist.md +++ b//prescriptive-guidance/latest/security-reference-architecture/checklist.md @@ -7 +7 @@ -AWS OrganizationsAWS CloudTrailAWS Security Hub CSPMAWS ConfigAmazon GuardDutyIAMIAM Access AnalyzerAmazon DetectiveAWS Firewall ManagerAmazon InspectorAmazon MacieAmazon Security LakeAWS WAFAWS Shield AdvancedAWS Security Incident ResponseAWS Audit Manager +AWS OrganizationsAWS CloudTrailAWS Security Hub CSPMAWS ConfigAmazon GuardDutyIAMIAM Access AnalyzerAmazon DetectiveAWS Firewall ManagerAmazon InspectorAmazon MacieAmazon Security LakeAWS WAFAWS Shield AdvancedAWS Security Incident ResponseAWS Audit ManagerAWS Security HubAWS Network FirewallAmazon Route 53 Resolver DNS FirewallAWS Key Management ServiceAWS Private Certificate AuthorityAWS IAM Identity CenterAWS Systems ManagerAWS Secrets Manager @@ -11,3 +10,0 @@ AWS OrganizationsAWS CloudTrailAWS Security Hub CSPMAWS ConfigAmazon GuardDutyIA -Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua). ---- - @@ -109,0 +107,2 @@ SRA Verify contains checks for several services, but might not contain a check f + * Security Hub CSPM findings are consumed by Security Hub for exposure correlation. + @@ -113,0 +113,2 @@ SRA Verify contains checks for several services, but might not contain a check f + * An Amazon CloudWatch telemetry enablement rule is created to ingest Security Hub CSPM findings into CloudWatch, for the entire organization. + @@ -161,0 +163,6 @@ SRA Verify contains checks for several services, but might not contain a check f + * GuardDuty findings automatically flow to Security Hub CSPM and Security Hub. + + * GuardDuty is integrated with Amazon Detective for finding investigation. + + * GuardDuty findings exported to Amazon S3 are encrypted with a customer managed KMS key. + @@ -164 +171 @@ SRA Verify contains checks for several services, but might not contain a check f - * GuardDuty findings are exported to a central S3 bucket in the Log Archive account for retention. + * GuardDuty findings are exported to a central S3 bucket in the Log Archive account for retention and encrypted with a customer managed KMS key. @@ -251,0 +259,4 @@ SRA Verify contains checks for several services, but might not contain a check f + * A Firewall Manager security policy is defined for AWS Network Firewall. + + * A Firewall Manager security policy is defined for Route 53 DNS Firewall. + @@ -297 +308 @@ SRA Verify contains checks for several services, but might not contain a check f - * The Security Lake delegated administrator is set to the Security Tooling account. + * The Security Lake delegated administrator is set to the Log Archive account. @@ -365 +376,3 @@ SRA Verify contains checks for several services, but might not contain a check f - * Shield Advanced is configured for all Network Load Balancers. + * Shield Advanced is configured for all Elastic IP addresses associated with Network Load Balancers. + + * Shield Advanced is configured for all Elastic IP addresses associated with EC2 instances. @@ -417,0 +431,156 @@ SRA Verify contains checks for several services, but might not contain a check f +## AWS Security Hub + + * AWS Security Hub is enabled for all member accounts and the management account. + + * The Security Tooling account is set as a delegated administrator for Security Hub. + + * Security Hub is configured to enable all Regions, OUs, and accounts automatically, including future Regions and accounts. + + * Cross-Region aggregation is set up to aggregate findings, resources, and trends from multiple Regions into a single home Region. + + * Security Hub CSPM, Amazon GuardDuty, Amazon Inspector, and Amazon Macie are enabled as building block services for Security Hub. + + * Security Hub coverage findings are used to validate that security services are uniformly enabled across all member accounts. + + * Findings are formatted in Open Cybersecurity Schema Framework (OCSF). + + * EventBridge integration is configured for automated response and remediation workflows. + + + + +## AWS Network Firewall + + * AWS Network Firewall is deployed in the inspection VPC within the Network account. + + * All traffic between VPCs passes through the inspection VPC for Network Firewall inspection. + + * The Network Firewall subnet is dedicated exclusively to firewall endpoints (no other workloads deployed in the firewall subnet). + + * Stateful inspection, intrusion prevention, and web filtering rules are configured. + + * Network Firewall activity is visible in real time through CloudWatch metrics. + + * Network Firewall logs are sent to Amazon S3, CloudWatch, or Amazon Data Firehose. + + * AWS Firewall Manager is used to centrally configure and deploy Network Firewall rules across the organization. + + * Firewall endpoints are deployed in every Availability Zone that contains protected subnets. + + + + +## Amazon Route 53 Resolver DNS Firewall + + * DNS Firewall is used to prevent DNS exfiltration of data from VPCs that require DNS-level protection. + + * DNS Firewall rule groups are configured to block or allow queries to specific domains. + + * DNS Firewall blocks resolution requests to unauthorized private hosted zones, VPC endpoint names, and public or private EC2 instance names. + + * DNS Firewall rule groups are managed centrally through AWS Firewall Manager or AWS Resource Access Manager (AWS RAM). + + + + +## AWS Key Management Service + + * Customer managed keys are used for encryption of all sensitive data at rest. + + * Separate KMS keys are created per service and per account where appropriate. + + * Key policies are defined to restrict usage to intended services and principals only. + + * Automatic annual key rotation is enabled for all customer managed symmetric keys. + + * Key administration is separated from key usage through distinct IAM permissions. + + * Key policies use condition keys (such as `kms:ViaService`) to restrict which services can use a key. + + * KMS key usage is audited through AWS CloudTrail. + + * AWS managed keys are acceptable only for non-sensitive or public-classified data. + + + + +## AWS Private Certificate Authority + + * A private CA hierarchy (root CA and subordinate CAs) is created in the Security Tooling account. + + * The root CA is protected with stringent security controls in the Security Tooling account. + + * Subordinate CAs are shared with Application accounts through AWS RAM for issuing end-entity certificates. + + * Private certificates are used for internal application communications (TLS between services and load balancers). + + * Certificate lifecycle management (issuance, renewal, revocation) is automated through AWS Certificate Manager (ACM) integration. + + * CA hierarchy design follows the principle of limited revocable trust with separate CAs per domain of responsibility. + + + + +## AWS IAM Identity Center + + * IAM Identity Center is enabled in the Org Management account. + + * Delegated administration for IAM Identity Center is configured to the Shared Services account. + + * IAM Identity Center is integrated with a corporate identity provider (IdP) via SAML 2.0 or SCIM. + + * Permission sets are centrally managed and provisioned to member accounts. + + * Multi-factor authentication (MFA) is enforced for all IAM Identity Center users. + + * Access to the delegated administrator account for IAM Identity Center is tightly controlled. + + * IAM Identity Center is used instead of IAM users for all human access to AWS accounts. + + * IAM Identity Center multi-Region replication is enabled for workforce identity management across multiple AWS Regions. + + + + +## AWS Systems Manager + + * Systems Manager is deployed across all member accounts using delegated administrator functionality. + + * All EC2 instances are registered as managed instances through SSM Agent. + + * Session Manager is used for interactive access to instances instead of SSH or RDP (no inbound ports required). + + * Patch Manager is used to automate patching for operating systems and applications. + + * Systems Manager Automation runbooks are used for standardized remediation actions. + + * Systems Manager Explorer is configured with cross-account data synchronization through AWS Organizations. + + * VPC endpoints are provisioned for Systems Manager to enable private network connectivity. + + * Compliance data from Systems Manager is integrated with AWS Config and Security Hub CSPM. + + + + +## AWS Secrets Manager + + * All application credentials, database passwords, and API keys are stored in Secrets Manager (not hardcoded in code or environment variables). + + * Automatic rotation is configured for all secrets that support it. + + * Fine-grained IAM policies and resource-based policies control access to each secret. + + * Secrets are encrypted with customer managed KMS keys for sensitive workloads. + + * Secret access is monitored through AWS CloudTrail. + + * AWS Config rules are configured to detect changes to secrets. + + * Secrets Manager is integrated with Amazon Relational Database Service (Amazon RDS) for automatic database credential management. + + * Secrets are managed locally in the account closest to where they are used. + + + +