Theme 1: Use managed services - AWS Prescriptive Guidance

Essential Eight strategies covered

Patch applications, restrict administrative privileges, patch operating systems

Managed services help you reduce your compliance obligations by allowing AWS to manage some security tasks, such as patching and vulnerability management.

As discussed in the AWS shared responsibility model section, you share responsibility with AWS for cloud security and compliance. This can reduce your operational burden because AWS operates, manages, and controls components, from the host operating system and virtualisation layer to the physical security of the facilities in which the service operates.

Your responsibilities might include managing maintenance windows for managed services, such as Amazon Relational Database Service (Amazon RDS) or Amazon Redshift, and scanning for vulnerabilities in AWS Lambda code or container images. As with all themes in this guide, you also retain responsibility for monitoring and compliance reporting. You can use Amazon Inspector to report vulnerabilities across all of your AWS accounts. You can use rules in AWS Config to make sure that services, such as Amazon RDS and Amazon Redshift, have minor updates and maintenance windows enabled.

For example, if you run an Amazon EC2 instance, your responsibilities include the following:

  • Application control

  • Patching applications

  • Restricting administrative privileges to the Amazon EC2 control plane and the operating system (OS)

  • Patching the OS

  • Enforcing multi-factor authentication (MFA) to access the AWS control plane and the OS

  • Backing up the data and configuration

If instead you run a Lambda function, your responsibilities are reduced to the following:

  • Application control

  • Confirming that libraries are up to date

  • Restricting administrative privileges to the Lambda control plane

  • Enforcing MFA to access the AWS control plane

  • Backing up the Lambda function code and configuration

Related best practices in the AWS Well-Architected Framework

Implementing this theme

Enable patching

Scan for vulnerabilities

Monitoring this theme

Implement governance checks

Monitor Amazon Inspector

Implement the following AWS Config rules

  • RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED

  • ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED

  • REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK

  • EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

  • EKS_CLUSTER_SUPPORTED_VERSION
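As an added example (not code from this guide or from AWS), the following Python reproduces the checks behind two of the rules above, RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED and an approximation of REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK, evaluated offline against constructed describe_db_instances and describe_clusters responses; the function names, parameter names and sample identifiers are assumptions.

```python
from typing import Iterable, Optional

def evaluate_rds_instances(db_instances: Iterable[dict]) -> dict:
    """Mirror RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED: an instance is compliant only
    when AutoMinorVersionUpgrade is true, so AWS applies minor engine patches in the
    instance's maintenance window. Input: the DBInstances list of describe_db_instances."""
    return {
        inst["DBInstanceIdentifier"]:
            "COMPLIANT" if inst.get("AutoMinorVersionUpgrade") is True else "NON_COMPLIANT"
        for inst in db_instances
    }

def evaluate_redshift_clusters(clusters: Iterable[dict],
                               expected_window: Optional[str] = None,
                               min_snapshot_days: Optional[int] = None) -> dict:
    """Approximate REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK: AllowVersionUpgrade must be
    true; if an expected maintenance window or a minimum automated-snapshot retention is
    given, the cluster must satisfy those too. Input: the Clusters list of describe_clusters."""
    results = {}
    for c in clusters:
        ok = c.get("AllowVersionUpgrade") is True
        if expected_window is not None:
            ok = ok and c.get("PreferredMaintenanceWindow", "").lower() == expected_window.lower()
        if min_snapshot_days is not None:
            ok = ok and c.get("AutomatedSnapshotRetentionPeriod", 0) >= min_snapshot_days
        results[c["ClusterIdentifier"]] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return results

def noncompliant(evaluations: dict) -> list:
    """Sorted identifiers that failed: the list to carry into a compliance report."""
    return sorted(rid for rid, status in evaluations.items() if status == "NON_COMPLIANT")

# Constructed sample responses (hypothetical resources, not a real account). Live data
# comes from boto3.client("rds").describe_db_instances()["DBInstances"] and
# boto3.client("redshift").describe_clusters()["Clusters"].
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders", "AutoMinorVersionUpgrade": True,
     "PreferredMaintenanceWindow": "sun:03:00-sun:03:30"},
    {"DBInstanceIdentifier": "legacy-reports", "AutoMinorVersionUpgrade": False,
     "PreferredMaintenanceWindow": "sat:22:00-sat:22:30"},
]
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics", "AllowVersionUpgrade": True,
     "PreferredMaintenanceWindow": "sun:05:00-sun:05:30", "AutomatedSnapshotRetentionPeriod": 7},
    {"ClusterIdentifier": "adhoc", "AllowVersionUpgrade": False,
     "PreferredMaintenanceWindow": "sun:05:00-sun:05:30", "AutomatedSnapshotRetentionPeriod": 1},
]

if __name__ == "__main__":
    print("RDS non-compliant:", noncompliant(evaluate_rds_instances(SAMPLE_DB_INSTANCES)))
    print("Redshift non-compliant:", noncompliant(evaluate_redshift_clusters(
        SAMPLE_CLUSTERS, expected_window="sun:05:00-sun:05:30", min_snapshot_days=7)))
```

A resource missing the attribute altogether (for example an incomplete API response) is reported as NON_COMPLIANT rather than silently passed, matching the conservative behaviour you want from a governance check.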