Merge pull request #163 from aliaksei-ivanou/security-patterns-docs-update

Security patterns docs update
shapirov103 authored Mar 14, 2024
2 parents 4ce8350 + 8eb2193 commit e4a411f
Showing 6 changed files with 31 additions and 34 deletions.
2 changes: 1 addition & 1 deletion docs/patterns/gmaestro.md
@@ -1,7 +1,7 @@
# gMaestro on EKS pattern

gMaestro is a Kubernetes cost optimization solution that helps companies reduce spending on un-utilized resources.
For additional information, visit [gMaestro documentation](https://gmaestro.gitbook.io/gmaestro-docs/).
For additional information, visit [gMaestro documentation](https://docs.gomaestro.org/).


This pattern deploys the following resources:
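Review bot: the context line just above the changed link still reads "un-utilized resources", which should be "underutilized resources"; since this file is already being touched, fix it in the same PR. The link target moves from the gitbook host to https://docs.gomaestro.org/, so check whether any other file in the repository still points at the old gitbook URL, otherwise the two will diverge.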
16 changes: 7 additions & 9 deletions docs/patterns/security/eks-config-rules.md
Expand Up @@ -2,9 +2,7 @@

## Objective

The objective of this pattern is to demonstrate how to enable AWS Config Managed Rules for EKS Security Best Practices to your AWS account, verify that it is enabled, and get findings from Security Hub.

The pattern will enable Security Hub in the `CDK_DEFAULT_ACCOUNT` and `CDK_DEFAULT_REGION`, but only if it is not already enabled. If Security Hub is already enabled in the target AWS account and region the stack will fail and be rolled back.
The objective of this pattern is to demonstrate how to enable AWS Config configuration recorder and AWS Config managed rules for EKS security best practices in your AWS account `CDK_DEFAULT_ACCOUNT` and region `CDK_DEFAULT_REGION` and verify the status of the rules.

## Prerequisites

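Review bot: the deleted second paragraph carried an operational caveat (the stack fails and is rolled back if Security Hub is already enabled in the target account and region), and nothing in this PR carries that caveat over to securityhub.md, where Security Hub enablement is now documented; if the securityhub-setup stack still has that failure mode, the warning should move there rather than disappear. The new objective sentence is also a run-on: put a comma before "and verify the status of the rules", or split it into two sentences.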
Expand All @@ -27,17 +25,17 @@ cdk bootstrap
make list
```

### Deploy AWS Config
### Deploy AWS Config Configuration Recorder

Use the AWS Config setup blueprints pattern enable AWS Config in your account and region by running the following command.
Use the AWS Config setup blueprints pattern to enable AWS Config in your account and region by running the following command:

```bash
make pattern eks-config-rules deploy eks-config-setup
```

### Deploy Config Rules for EKS Security Best Practices

Now enable the AWS Config managed rules for EKS security best practices by running the following command.
Now enable the AWS Config managed rules for EKS security best practices by running the following command:

```bash
make pattern eks-config-rules deploy eks-config-rules-setup
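Review bot: the heading is renamed to "Deploy AWS Config Configuration Recorder", but the sentence under it still says the command enables "AWS Config in your account and region"; align the two, for example "to enable the AWS Config configuration recorder in your account and region", so the reader knows which resource the eks-config-setup stack creates.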
Expand All @@ -47,7 +45,7 @@ make pattern eks-config-rules deploy eks-config-rules-setup

### Verify the status of the AWS Config managed rules for EKS security best practices

Using the following AWS CLI command, get a list Config rules with their evaluation status.
Using the following AWS CLI command, get a list of the AWS Config rules with their evaluation status.

```bash
aws configservice describe-config-rule-evaluation-status
Expand Down Expand Up @@ -100,9 +98,9 @@ The output will look something like the following.
}
```

You can search for the EKS specific rules. Make a note of the unique `ConfigRuleName` of each of the Config rules for EKS security best practices.
You can search for the EKS specific rules. Make a note of the unique `ConfigRuleName` of each of the AWS Config rules for EKS security best practices.

Using the unique names of the EKS Config rules from **your account and region** shown after running the previous AWS CLI command, you can verify each EKS Config rule configuration and state using the following AWS CLI command (Remember to replace the rule names below with your rule names).
Using the unique names of the EKS Config rules from **your account and region** shown after running the previous AWS CLI command, you can verify each EKS Config rule configuration and state using the following AWS CLI command (remember to replace the rule names below with your rule names).

```bash
aws configservice describe-config-rules --config-rule-names "eks-config-rules-setup-EksEndpointNoPublicAccess<your rule id>" "eks-config-rules-setup-EksOldestSupportedVersion<your rule id>" "eks-config-rules-setup-EksSecretsEncrypted<your rule id>" "eks-config-rules-set
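Review bot: "EKS specific rules" in the new line should be hyphenated as "EKS-specific rules". The fenced command asks the reader to paste each generated rule name by hand; because the stack prefix `eks-config-rules-setup-` is stable while the suffix ids are not, a JMESPath filter such as `--query "ConfigRules[?starts_with(ConfigRuleName, 'eks-config-rules-setup')]"` on `describe-config-rules` would select the pattern's rules without the copy step, and would make the example copy-pasteable as written.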
4 changes: 2 additions & 2 deletions docs/patterns/security/encryption-at-rest.md
Expand Up @@ -4,9 +4,9 @@

The objective of this pattern is to demonstrate how to enable encryption at rest for EKS cluster using EBS/EFS storage.

To achieve this objective, the pattern utilizes [EBS CSI Driver Amazon EKS Add-on](https://aws-quickstart.github.io/cdk-eks-blueprints/addons/ebs-csi-driver/) to enable encryption-at-rest for EBS volumes. The pattern also leverages [EFS CSI Driver Amazon EKS Add-on](https://aws-quickstart.github.io/cdk-eks-blueprints/addons/efs-csi-driver/) to enable encryption-at-rest for EFS volumes.
To achieve this objective, the pattern utilizes [EBS CSI Driver Amazon EKS Add-on](https://aws-quickstart.github.io/cdk-eks-blueprints/addons/ebs-csi-driver/) to enable encryption-at-rest for EBS volumes and [EFS CSI Driver Amazon EKS Add-on](https://aws-quickstart.github.io/cdk-eks-blueprints/addons/efs-csi-driver/) to enable encryption-at-rest for EFS volumes.

The pattern also leverages KMS resource provider to create KMS keys for EBS/EFS encryption-at-rest and EFS File System resource provider to create an encrypted EFS file system.
The pattern also leverages [KMS resource provider](https://aws-quickstart.github.io/cdk-eks-blueprints/resource-providers/kms-key-providers/) to create KMS keys for EBS/EFS encryption-at-rest and [EFS File System resource provider](https://aws-quickstart.github.io/cdk-eks-blueprints/resource-providers/efs-providers/) to create an encrypted EFS file system.

## GitOps confguration

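Review bot: the context heading `## GitOps confguration` has a typo ("configuration"); since the file is already being edited, fix it in this PR. The objective line above also needs an article: "encryption at rest for an EKS cluster". The resource-provider sentence is now long enough that splitting it after the KMS link would read better.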
2 changes: 1 addition & 1 deletion docs/patterns/security/guardduty.md
Expand Up @@ -2,7 +2,7 @@

## Objective

The objective of this pattern is to demonstrate how to enable Amazon GuardDuty Detector across your AWS accounts, use GuardDuty optional features, and how to automate notifications via Amazon SNS based on security vulnerabilities triggered by Amazon GuardDuty.
The objective of this pattern is to demonstrate how to enable Amazon GuardDuty Detector across your AWS accounts, use GuardDuty optional features, and how to automate notifications via Amazon SNS based on security findings generated by GuardDuty.

Supported features:

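Review bot: "enable Amazon GuardDuty Detector" in the new line reads oddly; "enable the Amazon GuardDuty detector" (or simply "enable Amazon GuardDuty") matches the service's own terminology. The three objectives in the sentence are not parallel either ("how to enable ..., use ..., and how to automate ..."); drop the second "how to" so they read as one list.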
4 changes: 2 additions & 2 deletions docs/patterns/security/image-scanning.md
Expand Up @@ -6,8 +6,8 @@ The objective of this pattern is to demonstrate how to enable and configure Amaz

The following scanning types are offered:

- Enhanced scanningAmazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating systems and programing language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.
- Basic scanningAmazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. With basic scanning, you configure your repositories to scan on push or you can perform manual scans and Amazon ECR provides a list of scan findings.
- **Enhanced scanning**Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating systems and programing language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.
- **Basic scanning**Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. With basic scanning, you configure your repositories to scan on push or you can perform manual scans and Amazon ECR provides a list of scan findings.

The pattern consists of two components:

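Review bot: both new lines keep the pre-existing typos "programing" (programming) and "operating systems and programing language package vulnerabilities" (operating system and programming-language package vulnerabilities); fix them while the lines are being bolded. Also confirm that a separator (colon or dash) survives between the bolded term and "Amazon ECR" in the rendered markdown; as shown here "**Enhanced scanning**Amazon ECR" runs together.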
37 changes: 18 additions & 19 deletions docs/patterns/security/securityhub.md
Expand Up @@ -2,9 +2,9 @@

## Objective

The objective of this pattern is to demonstrate how to enable Security Hub in your AWS account, verify that it is enabled, and get findings from Security Hub.
The objective of this pattern is to demonstrate how to enable AWS Security Hub and default security standards in your AWS account, verify that it is enabled, and get findings from AWS Security Hub.

The pattern will enable Security Hub in the `CDK_DEFAULT_ACCOUNT` and `CDK_DEFAULT_REGION`.
The pattern will enable AWS Security Hub in the `CDK_DEFAULT_ACCOUNT` and `CDK_DEFAULT_REGION`.

## Prerequisites

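Review bot: with the objective now covering both "AWS Security Hub and default security standards", the phrase "verify that it is enabled" has an ambiguous antecedent; "verify that they are enabled" or "verify that Security Hub is enabled" would be clearer.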
Expand All @@ -13,7 +13,7 @@ The pattern will enable Security Hub in the `CDK_DEFAULT_ACCOUNT` and `CDK_DEFAU
3. `argo-admin-password` secret must be defined in Secrets Manager in the same region as the EKS cluster.
4. Complete the steps to [enable AWS Config and deploy the Security Best Practices for Amazon EKS AWS Config managed rules](eks-config-rules.md).

**Optional (but recommended):** If you have not done so already, follow the steps to deploy the [GuardDuty stack and blueprint](guardduty.md). Since GuardDuty automatically sends its findings to Security Hub, the sample EKS finding will appear in Security Hub about five minutes after it has been enabled in the same region.
**Optional (but recommended):** If you have not done so already, follow the steps to deploy the [Amazon GuardDuty stack and blueprint](guardduty.md). Since Amazon GuardDuty automatically sends its findings to AWS Security Hub, the sample EKS finding will appear in AWS Security Hub about five minutes after it has been enabled in the same region.

## Deploy

Expand All @@ -32,49 +32,48 @@ make list

### Deploy AWS Security Hub

To enable Security Hub in the account and region deploy the stack, run the following command.
To enable AWS Security Hub in the account and region deploy the stack, run the following command.

```bash
make pattern securityhub deploy securityhub-setup
```

Once deployed, AWS Security Hub will automatically enable the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html) security standard controls status checks.
Once deployed, AWS Security Hub will automatically enable all controls that are part of the default security standards. Currently, the default security standards that are automatically enabled are [AWS Foundational Security Best Practices](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html).

## Verify

### Verify that Security Hub is enabled
### Verify that AWS Security Hub is enabled

Now you can check that Security Hub is successfully enabled by using the AWS CLI to query the same account and region.
Now you can check that AWS Security Hub is successfully enabled by using the AWS CLI to query the same account and region.

Using the AWS CLI run following command in the same account and region where you deployed the stack.

```bash
aws securityhub describe-hub
```

If you successfully enabled Security Hub, you will see the following.
If you successfully enabled AWS Security Hub, you will see the following.

```json
{
"HubArn": "arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:hub/default",
"SubscribedAt": "2021-08-18T00:52:40.624Z",
"AutoEnableControls": true
"AutoEnableControls": true,
"ControlFindingGenerator": "SECURITY_CONTROL"
}
```

### View findings in Security Hub
### View findings in AWS Security Hub

The findings that you see in Security Hub will depend what you have configured in your account and region. In this example we deployed the [GuardDuty EKS pattern](guardduty.md), the [Security Best Practices for Amazon EKS Config managed rules pattern](eks-config-rules.md), and successfully enabled Security Hub using the instructions above, which automatically enables two of the available Security Hub Security standard controls status checks.
Use the following AWS CLI commands to view your findings in AWS Security Hub.

Use the following AWS CLI commands to view your findings in Security Hub.

To list any critical findings, and findings related to controls that have a failed status according to [Security Hub security standards](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html) which are enabled in the same account and region, run the following command.
To list critical findings and findings related to controls that have a failed status according to the enabled [AWS Security Hub security standards](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html) in the same account and region, run the following command:

```bash
aws securityhub get-findings --filter 'SeverityLabel={Value=CRITICAL,Comparison=EQUALS},ComplianceStatus={Value=FAILED,Comparison=EQUALS}'
```

The following is an example of an IAM finding that relates to a [failed IAM control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-6) that Security Hub found related to the enabled [Security standards](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html), and will likely be present in your list of findings if you or your organization are not using a hardware MFA device for your AWS root account.
Below is an example of an IAM finding that relates to a [failed IAM control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-6) that AWS Security Hub found related to the enabled [security standards](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html), and will likely be present in your list of findings if you or your organization are not using a hardware MFA device for your AWS root account:

```json
{
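Review bot: the description of the first get-findings command ("To list critical findings and findings related to controls that have a failed status") does not match what the filter does: Security Hub combines different filter attributes with AND, so `SeverityLabel=CRITICAL` together with `ComplianceStatus=FAILED` returns only findings that are both CRITICAL and FAILED, not the union of the two sets. Either reword to "critical findings whose compliance status is FAILED" or show two commands. The same command uses `--filter` while every later command uses `--filters`, which is the documented option name; make them consistent. Finally, "To enable AWS Security Hub in the account and region deploy the stack, run the following command." is still ungrammatical in the new line; "To enable AWS Security Hub in the account and region, deploy the stack by running the following command:" fixes it.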
Expand Down Expand Up @@ -175,13 +174,13 @@ The following is an example of an IAM finding that relates to a [failed IAM cont
}
```

Now search for a finding related to the Security Best Practices for Amazon EKS Config managed rules, run the following AWS CLI command.
To search for findings related to the Security Best Practices for Amazon EKS Config managed rules, run the following AWS CLI command:

```bash
aws securityhub get-findings --filters 'GeneratorId={Value="security-control/EKS.1", Comparison="EQUALS"}'
```

You might see a finding such as the following.
You might see a finding such as the following:

```json
{
Expand Down Expand Up @@ -280,7 +279,7 @@ You might see a finding such as the following.
}
```

To see any findings generated by GuardDuty in Security Hub, run the following command.
To see any findings generated by Amazon GuardDuty in AWS Security Hub, run the following command:

```bash
aws securityhub get-findings --filters 'ProductName={Value="GuardDuty",Comparison="EQUALS"}'
Expand Down Expand Up @@ -335,4 +334,4 @@ aws securityhub get-findings --filters 'ProductName={Value="GuardDuty",Compariso
}
```

If you deployed the [Amazon GuardDuty Protection EKS Blueprints pattern](https://github.com/aws-samples/cdk-eks-blueprints-patterns/blob/main/docs/patterns/security/guardduty.md) to the same account and region where you enabled Security Hub you should see a GuardDuty finding like the one above. The sample workload deployed with the [GuardDuty pattern](guardduty.md) which contains a privileged container is detected by GuardDuty and generates the `Kubernetes-PrivilegedContainer` finding. GuardDuty automatically sent this finding to Security Hub where it can be viewed and triaged.
If you deployed the [Amazon GuardDuty Protection EKS Blueprints pattern](https://github.com/aws-samples/cdk-eks-blueprints-patterns/blob/main/docs/patterns/security/guardduty.md) to the same account and region where you enabled AWS Security Hub, you should see Amazon GuardDuty findings like the one above. The sample workload deployed with the [Amazon GuardDuty pattern](guardduty.md) which contains a privileged container is detected by Amazon GuardDuty and generates the `Kubernetes-PrivilegedContainer` finding. Amazon GuardDuty automatically sent this finding to AWS Security Hub where it can be viewed and triaged.

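Review bot: in the new closing paragraph, "The sample workload deployed with the Amazon GuardDuty pattern which contains a privileged container is detected by Amazon GuardDuty" needs commas around the relative clause ("..., which contains a privileged container, ..."), and the tense shifts from present ("is detected", "generates") to past ("automatically sent"); use "sends" throughout.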