Commit 8a6ca98

Merge pull request #217702 from ElazarK/recommendations-update
aws updated
2 parents 6cd1fdb + 3b5c2c6 commit 8a6ca98


6 files changed

+61
-56
lines changed

articles/defender-for-cloud/recommendations-reference-aws.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Reference table for all Microsoft Defender for Cloud recommendations for AWS resources
33
description: This article lists Microsoft Defender for Cloud's security recommendations that help you harden and protect your AWS resources.
44
ms.topic: reference
5-
ms.date: 05/25/2022
5+
ms.date: 11/09/2022
66
ms.custom: generated
77
---
88
# Security recommendations for AWS resources - a reference guide
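Review bot: the only change in this hunk is the `ms.date` bump from 05/25/2022 to 11/09/2022, which is appropriate since the page embeds the includes updated later in this PR; however, the front matter also carries `ms.custom: generated`, so if this reference page is produced by a generator, confirm the generator's source was updated as well, otherwise the next regeneration will revert the date.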

includes/mdfc/mdfc-recs-aws-compute.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
---
2-
author: memildin
2+
author: Elazark
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 03/13/2022
6-
ms.author: memildin
5+
ms.date: 11/09/2022
6+
ms.author: elkrieger
77
ms.custom: generated
88
---
99

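Review bot: the `author`/`ms.author` handover (memildin to Elazark/elkrieger) and the date bump are consistent with the other include in this PR, but the file keeps `ms.custom: generated`; hand edits to this include (the link conversions in the next hunk) may be overwritten on the next generation run unless the generator template was changed in the same pass.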
@@ -16,13 +16,13 @@ There are **18** AWS recommendations in this category.
1616
|[Amazon EFS volumes should be in backup plans](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e864e460-158b-4a4a-beb9-16ebc25c1240) |This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. <br> Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss. |Medium |
1717
|[Application Load Balancer deletion protection should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/5c508bf1-26f9-4696-bb61-8341d395e3de) |This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. <br>Enable deletion protection to protect your Application Load Balancer from deletion. |Medium |
1818
|[Auto Scaling groups associated with a load balancer should use health checks](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/837d6a45-503f-4c95-bf42-323763960b62) |Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. <br> PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices. |Low |
19-
|[AWS accounts should have Azure Arc auto provisioning enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/882a80f0-943f-473e-b6d7-40c7a625540e) |For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about <a href='/azure/azure-arc/servers/overview'>Azure Arc</a>, and <a href='/azure/security-center/defender-for-servers-introduction'>Microsoft Defender for Servers</a>. |High |
19+
|[AWS accounts should have Azure Arc auto provisioning enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/882a80f0-943f-473e-b6d7-40c7a625540e) |For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about [Azure Arc](/azure/azure-arc/servers/overview), and [Microsoft Defender for Servers](/azure/security-center/defender-for-servers-introduction). |High |
2020
|[CloudFront distributions should have origin failover configured](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/4779e962-2ea3-4126-aa76-379ea271887c) |This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.<br>CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes. |Medium |
2121
|[CodeBuild GitHub or Bitbucket source repository URLs should use OAuth](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9694d4ef-f21a-40b7-b535-618ac5c5d21e) |This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.<br>Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.<br> Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access. |High |
2222
|[CodeBuild project environment variables should not contain credentials](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/a88b4b72-b461-4b5e-b024-91da1cbe500f) |This control checks whether the project contains the environment variables <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code>.<br>Authentication credentials <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code> should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access. |High |
2323
|[DynamoDB Accelerator (DAX) clusters should be encrypted at rest](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/58e67d3d-8b17-4c1c-9bc4-550b10f0328a) |This control checks whether a DAX cluster is encrypted at rest. <br> Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. <br> For example, API permissions are required to decrypt the data before it can be read. |Medium |
2424
|[DynamoDB tables should automatically scale capacity with demand](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/47476790-2527-4bdb-b839-3b48ed18dccf) |This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. <br> Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications. |Medium |
25-
|[EC2 instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/231dee23-84db-44d2-bd9d-c32fbcfb42a3) |Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about <a href='/azure/azure-arc/servers/overview'>Azure Arc</a>, and about <a href='/azure/security-center/defender-for-servers-introduction'>Microsoft Defender for Servers</a> on hybrid-cloud environment. |High |
25+
|[EC2 instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/231dee23-84db-44d2-bd9d-c32fbcfb42a3) |Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about [Azure Arc](/azure/azure-arc/servers/overview), and about [Microsoft Defender for Servers](/azure/security-center/defender-for-servers-introduction) on hybrid-cloud environment. |High |
2626
|[EC2 instances should be managed by AWS Systems Manager](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/4be5393d-cc33-4ef7-acae-80295bc3ae35) |Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. <br> Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. |Medium |
2727
|[Instances managed by Systems Manager should have an association compliance status of COMPLIANT](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65) |This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.<br/>A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.<br/>After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, "Configuration" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as "Critical" or "Medium". To learn more about State Manager association compliance, see About <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-about.html#sysman-compliance-about-association">About State Manager association compliance</a> in the AWS Systems Manager User Guide.<br/>You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-state-assoc.html">Create an association</a>, see Create an association in the AWS Systems Manager User Guide. 
For additional information on working with patching in Systems Manager, see <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html"> AWS Systems Manager Patch Manager</a> in the AWS Systems Manager User Guide. |Low |
2828
|[Lambda functions should have a dead-letter queue configured](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dcf10b98-798f-4734-9afd-800916bf1e65) |This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.<br>As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing. <br> A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.<br>A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.<br>From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result. <br> For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network. |Medium |
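Review bot: the conversion from `<a href='…'>` anchors to `[text](url)` markdown links on lines 19 and 25 is incomplete within this table: the unchanged row on line 27 ("Instances managed by Systems Manager should have an association compliance status of COMPLIANT") still carries four `<a href="…">` anchors, and as rendered here its cell text is split across two source lines (the sentence beginning "For additional information on working with patching in Systems Manager" starts a new line, with a trailing space before the break), which would break the markdown table row; suggest converting those anchors in the same style and joining the row onto one line in this pass. A smaller wording point on line 25: "Microsoft Defender for Servers on hybrid-cloud environment" would read better as "in hybrid-cloud environments".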
Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,17 @@
11
---
2-
author: memildin
2+
author: Elazark
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 03/13/2022
6-
ms.author: memildin
5+
ms.date: 11/09/2022
6+
ms.author: elkrieger
77
ms.custom: generated
88
---
99

1010
There are **3** AWS recommendations in this category.
1111

1212
|Recommendation |Description |Severity |
1313
|---|---|---|
14-
|[EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7d3a977e-46f1-419a-9046-4bd44db80aac) |Microsoft Defender for Containers provides protections for your EKS clusters. <br> To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud. <br> Learn more about <a href="/azure/security-center/defender-for-kubernetes-introduction">Microsoft Defender for Cloud's security features for containerized environments</a>. |High |
15-
|[EKS clusters should have Microsoft Defender's extension for Azure Arc installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/38307993-84fb-4636-8ce7-3a64466bb5cc) |Microsoft Defender's <a href="/azure/azure-arc/kubernetes/extensions">cluster extension</a> provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats. <br> The extension works with <a href="/azure/azure-arc/kubernetes/overview">Azure Arc-enabled Kubernetes</a>. <br>Learn more about <a href="/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks">Microsoft Defender for Cloud's security features for containerized environments</a>. |High |
14+
|[EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7d3a977e-46f1-419a-9046-4bd44db80aac) |Microsoft Defender for Containers provides protections for your EKS clusters. <br> To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud. <br> Learn more about [Microsoft Defender for Cloud's security features for containerized environments](/azure/security-center/defender-for-kubernetes-introduction). |High |
15+
|[EKS clusters should have Microsoft Defender's extension for Azure Arc installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/38307993-84fb-4636-8ce7-3a64466bb5cc) |Microsoft Defender's [cluster extension](/azure/azure-arc/kubernetes/extensions) provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats. <br> The extension works with [Azure Arc-enabled Kubernetes](/azure/azure-arc/kubernetes/overview). <br>Learn more about [Microsoft Defender for Cloud's security features for containerized environments](/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks). |High |
1616
|[Microsoft Defender for Containers should be enabled on AWS connectors](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/11d0f4af-6924-4a2e-8b66-781a4553c828) |Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.<br>Use this information to harden the security of Kubernetes clusters and remediate security issues.<br><br>Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster. |High |
1717
|||
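Review bot: the link conversion on lines 14 and 15 matches the style used in the compute include, and the remaining HTML in these rows is only the `<br>` line breaks that every row in the table uses, so that is consistent; line 17, however, is an empty `|||` row at the end of the table, which renders as a blank row and should be dropped, and the `<br><br>` before "Important:" on line 16 could be replaced with a single `<br>` to match the other rows.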
