AWS prescriptive-guidance documentation change
Summary
Updated document history with multiple changes including new security service guidance, architectural updates, CloudTrail Lake deprecation, and documentation restructuring
Security assessment
Adds documentation for security features like Security Hub CSPM, post-quantum key exchange in Secrets Manager, and Security Incident Response AI. Removes deprecated CloudTrail Lake references but provides alternative logging solutions. While these updates improve security guidance, there's no explicit evidence of addressing specific vulnerabilities or incidents.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/doc-history.md b/prescriptive-guidance/latest/security-reference-architecture/doc-history.md index 7406b2b0d..d2c7506d7 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/doc-history.md +++ b//prescriptive-guidance/latest/security-reference-architecture/doc-history.md @@ -9 +9 @@ -The following table describes significant changes to this guide. If you want to be notified about future updates, you can subscribe to an [RSS feed](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-reference-architecture.rss). +The following table describes significant changes to this guide. @@ -12,0 +13,12 @@ Change| Description| Date +Major updates| + + * Added guidance around building architectures for multi-Region environments. + * Various AWS service updates: CloudWatch support for ingesting Security Hub CSPM findings, availability of IAM policy autopilot MCP server, AWS Managed Microsoft AD support for STIG-aligned configurations, AWS Secrets Manager support for hybrid post-quantum key exchange, and AWS Security Incident Response AI-powered investigative agent + * Updated AWS Audit Manager to note that service is not available to new customers + * Added CloudWatch Unified Data Store as the recommended primary option for centralized log collection and analytics across the organization. Amazon Security Lake is recommended as the secondary option. + * Removed all references to AWS CloudTrail Lake following service deprecation. + * Added new services to the checklist: AWS Security Hub, AWS Network Firewall, Route 53 Resolver DNS Firewall, AWS KMS, AWS Private CA, AWS IAM Identity Center, AWS Systems Manager, and AWS Secrets Manager. + * In the checklist, added new checks for existing services: AWS Security Hub CSPM, Amazon GuardDuty, and AWS Firewall Manager + * Updated the appendix with new AWS services + +| June 30, 2026 @@ -15 +27 @@ Content restructure and updates| - * Added guidance for [Security Hub](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-security-hub) and [AWS Nitro Enclaves](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/application.html#app-nitro-enclaves). + * Added guidance for [AWS Security Hub](./security-tooling.html#tool-security-hub) and [AWS Nitro Enclaves](./application.html#app-nitro-enclaves). @@ -22,4 +34,4 @@ Major updates| - * Added information about new [IAM centralized root user access management, [resource control policies (RCPs)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/org-management.html#mgmt-rcps), and [declarative policies](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/org-management.html#mgmt-declarative-policies)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/org-management.html#mgmt-central-root-access). - * Updated Security Hub CSPM references to new Security Hub CSPM. - * Included new service features for [Amazon GuardDuty](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-guardduty) and [Security Hub CSPM](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-security-hub). - * Added [AWS Security Incident Response service guidance](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-incident-response). + * Added information about new IAM centralized root user access management, resource control policies (RCPs), and declarative policies. + * Updated references to new Security Hub CSPM. + * Included new service features for Amazon GuardDuty and Security Hub CSPM. + * Added AWS Security Incident Response service guidance. @@ -32,4 +44,4 @@ Additions and clarifications| - * In the [Security Tooling account](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-kms) section, updated the AWS KMS guidance. - * In the _Customer identity management_ section, expanded the information about authorizing API Gateway. - * Updated the _Generative AI_ section to add a design consideration for OU and account design. - * In the [AWS SRA code repository](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/code-repo.html) section, added information about the new [Patch Management solution](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org). + * In the Security Tooling account section, updated the AWS KMS guidance. + * In the Customer identity management section, expanded the information about authorizing API Gateway. + * Updated the Generative AI section to add a design consideration for OU and account design. Removed explicit callout to prompt injection attack as the security controls referenced is more at infrastructure layer and not at application layer. + * In the [Code repository](./code-repo.html) section, added information about the new [Patch Manager solution](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org). @@ -40,3 +52,3 @@ Major updates| - * Added two sections for deep dive architectural guidance: _Generative AI using Amazon Bedrock_ and _Identity management_. - * Updated the [AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-iam-analyzer), [Amazon Detective](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-detective), [Amazon Inspector](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-inspector), [AWS Artifact](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-artifact), [AWS Config](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-config), [Amazon Security Lake](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-security-lake), [AWS Security Hub CSPM](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html#tool-security-hub), and [Amazon CloudFront](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html#network-cf) sections with new service features. - * Updated the [AWS SRA code repository](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/code-repo.html) section to include the new Terraform deployment option and the addition of AWS Shield Advanced and AMI Bakery solutions. + * Added two sections for deep dive architectural guidance: Generative AI using Amazon Bedrock and Identity management. + * Updated the IAM Access Analyzer, Amazon Inspector, AWS WAF, AWS Config, Amazon Security Lake, and AWS Security Hub CSPM sections with new service features. + * Updated the [AWS SRA code repository](./code-repo.html) section to include the new Terraform deployment option and the addition of AWS Shield Advanced and AMI Bakery solutions. @@ -47 +59 @@ Major updates| - * Updated the [Network account](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html) and [Application account](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/application.html) sections to add architectural guidance for Amazon Verified Permissions, AWS Verified Access, and Amazon VPC Lattice. + * Updated the [Network account](./network.html) and [Application account](./application.html) sections to add architectural guidance for Amazon Verified Permissions, AWS Verified Access, and Amazon VPC Lattice. @@ -49,2 +61,2 @@ Major updates| - * Added [new guidance](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/ai-ml.html) around how AWS services use AI/ML to provide better security outcomes. - * Added [guidance](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/phases.html) on how plan your security architecture in a phased manner. + * Added new guidance around how AWS services use AI/ML to provide better security outcomes. + * Added [guidance](./phases.html) on how plan your security architecture in a phased manner. @@ -53 +65 @@ Major updates| -Security Lake addition| Updated the [Security Tooling account](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html) and [Log Archive account](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/log-archive.html) sections to add design guidance related to Amazon Security Lake.| September 22, 2023 +Security Lake addition| Updated the [Security Tooling account](./security-tooling.html#tool-security-lake) and [Log Archive account](./log-archive.html#log-security-lake) sectionsto add design guidance related to Amazon Security Lake.| September 22, 2023 @@ -56 +68 @@ Minor updates| - * Updated existing guidance to reflect new AWS services features and best practices. + * Updated existing guidance to reflect new AWS service features and best practices. @@ -59,5 +71,5 @@ Minor updates| -| May 10, 2023 -Survey| Added a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua) to gain a better understanding of how you use the AWS SRA in your organization.| December 14, 2022 -Source files for reference architecture diagrams| In the [AWS Security Reference Architecture section](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html), added a [download file](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/samples/aws-security-reference-architecture-diagrams.zip) that provides the architecture diagrams for this guide in editable PowerPoint format.| November 17, 2022 -Updates to Security foundations section| In the [Security foundations section](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/foundations.html), updated the information about Well-Architected Framework pillars and security design principles.| September 27, 2022 -Major additions and updates| +| May 11, 2023 +Survey| Added a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_ctNSJq5QX1JMPiu) to gain a better understanding of how you use the AWS SRA in your organization.| December 14, 2022 +Source files for reference architecture diagrams| Added a downloadable file that provides the architecture diagrams for this guide in editable PowerPoint format.| November 17, 2022 +Updates to [Security foundations](./foundations.html) section| Updated the information about Well-Architected pillars and security design principles.| September 27, 2022 +Added new guidance, updated and clarified existing guidance | @@ -65 +77 @@ Major additions and updates| - * Added information about [how to use the AWS SRA and key implementation guidelines](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/value.html). + * Added information about [how to use the AWS SRA and key implementation guidelines](./value.html). @@ -70 +82 @@ Major additions and updates| -—| Initial publication| June 23, 2021 +Initial publication| —| June 23, 2021