This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Policy enforcement
The Network Protection component provides the capability to defend the network against threats that require network movement.
Table 12 — Policy enforcement capability and the associated AWS services

Capability and CSF mapping | AWS service | AWS service description | Function | AWS GovCloud (US)
---|---|---|---|---
Policy Enforcement (ID.RA-1, PR.AC-3, PR.MA-1, PR.MA-2, RS.MI-3) | Amazon Inspector | Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon Inspector console or API. | | Yes
 | AWS Config Rules | AWS Config rules are a configurable and extensible set of Lambda functions (for which source code is available) that trigger when the AWS Config service records an environment configuration change. If a rule deems a configuration change undesirable, it can act to remediate it. | Provides notifications for changes to configuration; logs, detects, and reports changes to data on a system. | Yes
 | AWS Lambda | AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes. Lambda can be used to run custom policy enforcement code to keep systems in a compliant state. | Enforce machine posture across an enterprise. | Yes
 | AWS Systems Manager document | An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. SSM documents can be used to enforce policy decisions. | Enforce machine posture across an enterprise. | Yes
 | AWS Systems Manager Patch Manager | AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances. Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected. You can also schedule maintenance windows for your patches so that they are only applied during preset times. Systems Manager helps ensure that your software is up-to-date and meets your compliance policies. | Enforce machine posture across an enterprise. | Yes
 | AWS Systems Manager State Manager | AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, antivirus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console; Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status. | Provides notifications for changes to configuration; logs, detects, and reports changes to data on a system. | Yes
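The Config Rules and Lambda rows above describe a change-triggered custom rule that evaluates a resource and can remediate it. The following is an added example (not code from the whitepaper or from AWS) of such a rule: a Lambda handler that inspects an AWS::EC2::SecurityGroup configuration item, reports NON_COMPLIANT when an ingress rule exposes TCP/22 to 0.0.0.0/0 or ::/0, and, when an assumed rule parameter named `Remediate` is set to `true`, revokes only the offending ranges. The security group ID, timestamps and event payload are constructed sample data, and the handler assumes an execution role with `config:PutEvaluations` and `ec2:RevokeSecurityGroupIngress`.

```python
"""Custom AWS Config rule: detect (and optionally remediate) world-open SSH ingress.

Added example, not from the whitepaper. Assumptions: the rule is a change-triggered
custom rule scoped to AWS::EC2::SecurityGroup; the Lambda role may call
config:PutEvaluations and ec2:RevokeSecurityGroupIngress; a rule parameter named
"Remediate" (a name chosen here) turns remediation on.
"""
import json
from typing import Any, Optional

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22


def _rule_covers_ssh(perm: dict) -> bool:
    """True if an ipPermissions entry (Config's camelCase shape) covers TCP/22 or all traffic."""
    proto = perm.get("ipProtocol")
    if proto == "-1":  # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= SSH_PORT <= hi


def open_ssh_rules(sg_configuration: dict) -> list:
    """Return the ingress rules of a security group configuration that expose SSH to the world."""
    offenders = []
    for perm in sg_configuration.get("ipPermissions", []):
        if not _rule_covers_ssh(perm):
            continue
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if any(c in OPEN_CIDRS for c in cidrs):
            offenders.append(perm)
    return offenders


def revoke_permissions(offenders: list) -> list:
    """Translate offending rules into the PascalCase IpPermissions shape the EC2 API takes,
    keeping only the world-open ranges so legitimate sources in the same rule survive."""
    out = []
    for perm in offenders:
        entry: dict = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = perm["fromPort"], perm["toPort"]
        v4 = [{"CidrIp": r["cidrIp"]} for r in perm.get("ipRanges", []) if r.get("cidrIp") in OPEN_CIDRS]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") in OPEN_CIDRS]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        out.append(entry)
    return out


def evaluate(event: dict) -> dict:
    """Parse the Config invoking event and build the evaluation that put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    deleted = item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if item["resourceType"] != "AWS::EC2::SecurityGroup" or deleted:
        compliance, note = "NOT_APPLICABLE", "Not an active security group"
    else:
        offenders = open_ssh_rules(item.get("configuration") or {})
        if offenders:
            compliance, note = "NON_COMPLIANT", f"{len(offenders)} ingress rule(s) expose TCP/22 to the world"
        else:
            compliance, note = "COMPLIANT", "No world-open SSH ingress"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context: Any) -> dict:
    """Lambda entry point: evaluate, optionally remediate, and report back to Config."""
    import boto3  # imported here so the evaluation logic above runs without the SDK installed

    evaluation = evaluate(event)
    params = json.loads(event.get("ruleParameters") or "{}")
    if evaluation["ComplianceType"] == "NON_COMPLIANT" and params.get("Remediate") == "true":
        item = json.loads(event["invokingEvent"])["configurationItem"]
        boto3.client("ec2").revoke_security_group_ingress(
            GroupId=item["resourceId"],
            IpPermissions=revoke_permissions(open_ssh_rules(item["configuration"])),
        )
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(item: dict, params: Optional[dict] = None) -> dict:
    """Wrap a configuration item in the envelope Config sends to a change-triggered rule."""
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "example-token"}


# Constructed sample configuration item: SSH open to 10.0.0.0/8 and the world, HTTPS open to the world.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(evaluate(make_event(SAMPLE_ITEM)), indent=2))
```

Only the world-open ranges are revoked, so the 10.0.0.0/8 source in the same rule is left intact; a rule that matches `-1` (all traffic) is treated as covering SSH, and a deleted resource is reported as NOT_APPLICABLE so the rule does not keep a stale NON_COMPLIANT result on a group that no longer exists.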