This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Integrity monitoring
The forensics and analytics component uses the logs generated by event detection and the enterprise to discover the source and effects of the data integrity event and learn about how to prevent similar events in the future.
Table 7 — Integrity monitoring capability and the associated AWS services

| Capability and CSF mapping | AWS service | AWS service description | Function | AWS GovCloud (US) |
|---|---|---|---|---|
| Integrity Monitoring PR.DS-6, PR.IP-3, PR.PT-1 | Amazon ECR | Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Each image is tagged at upload. | Provides tag immutability and vulnerability scanning of container images. | Yes |
| | Amazon Macie | Amazon Macie is a fully managed data security and data privacy service that uses ML and pattern matching to discover and protect your sensitive data in AWS. | This control discovers and protects sensitive data using ML and pattern matching. | No |
| | AWS Config Rules | AWS Config rules are a configurable and extensible set of Lambda functions (for which source code is available) that trigger when an environment configuration change is registered by the AWS Config service. If AWS Config rules deem a configuration change to be undesirable, customers can act to remediate it. | Provides notifications for changes to configuration; provides logs, detection, and reporting in the event of changes to data on a system. | Yes |
| | AWS Lambda function versioning | Lambda creates a new version of your function each time that you publish the function. The new version is a copy of the unpublished version of the function. | Versioning ensures that related services call the appropriate code version. | Yes |
| | AWS Systems Manager State Manager | AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, antivirus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console. Systems Manager automatically applies your configurations across your instances, at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status. | Provides notifications for changes to configuration; provides logs, detection, and reporting in the event of changes to data on a system. | Yes |
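The AWS Config Rules row describes rules as Lambda functions that fire when AWS Config records a configuration change. The following is an added example, not code from the whitepaper or from AWS, showing what such a custom rule handler looks like when it watches the Amazon ECR setting from the first row of the table: it reports an ECR repository as non-compliant unless tag immutability and scan-on-push are both enabled. The Config resource type `AWS::ECR::Repository` and the configuration keys `ImageTagMutability` and `ImageScanningConfiguration.ScanOnPush` are assumptions about the shape of ECR configuration items; the `lambda_handler` signature, `invokingEvent`, `resultToken` and `put_evaluations` follow the real custom-rule contract. The sample event is constructed for the demonstration, and a fake client is used so the block runs offline.

```python
"""
Added example (not from the whitepaper or AWS): a custom AWS Config rule
handler that evaluates each Amazon ECR repository change and records whether
the repository enforces tag immutability and scan-on-push.

Assumptions: resource type "AWS::ECR::Repository" and configuration keys
"ImageTagMutability" / "ImageScanningConfiguration" as they appear in Config
configuration items. Verify these against items recorded in your own account.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_repository(configuration):
    """Return (compliance_type, annotation) for one ECR repository configuration dict."""
    problems = []
    # Tag immutability: a pushed tag can never be repointed at a different image.
    if configuration.get("ImageTagMutability") != "IMMUTABLE":
        problems.append("image tags are mutable")
    # Scan-on-push: every new image is checked for known vulnerabilities.
    scanning = configuration.get("ImageScanningConfiguration") or {}
    if not scanning.get("ScanOnPush"):
        problems.append("scan-on-push is disabled")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "tag immutability and scan-on-push enforced"


def evaluate_configuration_item(item):
    """Map a Config configuration item to one PutEvaluations record."""
    if item.get("resourceType") != "AWS::ECR::Repository":
        compliance, note = NOT_APPLICABLE, "rule applies to ECR repositories only"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = NOT_APPLICABLE, "repository deleted"
    else:
        compliance, note = evaluate_repository(item.get("configuration") or {})
    return {
        "ComplianceResourceType": item.get("resourceType", "Unknown"),
        "ComplianceResourceId": item.get("resourceId", "unknown"),
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def lambda_handler(event, context, config_client=None):
    """Entry point invoked by AWS Config for a configuration-change trigger.

    `config_client` is injectable so the logic can be exercised without AWS
    credentials; in Lambda it defaults to a real boto3 Config client.
    """
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    evaluation = evaluate_configuration_item(item)
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: a repository whose tags are mutable and which
# does not scan on push, so the rule should report NON_COMPLIANT.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::ECR::Repository",
            "resourceId": "example-app",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "RepositoryName": "example-app",
                "ImageTagMutability": "MUTABLE",
                "ImageScanningConfiguration": {"ScanOnPush": False},
            },
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}


class RecordingConfigClient:
    """Stand-in for boto3's Config client that records PutEvaluations calls."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, client), indent=2))
```

Deploy the handler as the Lambda behind a custom Config rule scoped to `AWS::ECR::Repository` with a configuration-change trigger; the evaluation record it writes is what drives the change notifications and compliance reporting the table attributes to AWS Config rules. Keeping `evaluate_repository` free of AWS calls lets you unit-test the policy decision itself, which is where a real rule's defects usually live.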