Merge branch 'wi-213240-risk-prioritization-containers-march25-2024' of https://github.com/dcurwin/azure-docs-pr-dc into wi-213240-risk-prioritization-containers-march25-2024
articles/defender-for-cloud/recommendations-reference-aws.md
2 additions & 2 deletions
@@ -497,7 +497,7 @@ Enabling managed platform updates ensures that the latest available platform fix
### [Elastic Load Balancer shouldn't have ACM certificate expired or expiring in 90 days.](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/a5e0d700-3de1-469a-96d2-6536d9a92604)
-
**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM. you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.
+
**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM, you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.
**Severity**: High
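Review bot: The comma fix in "With ACM, you can" is right, but the rest of the sentence still reads awkwardly on both the old and the new line: "Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days" should be "Elastic Load Balancers (ELBs) that use ACM certificates that have expired or will expire within 90 days", and the heading above it has the same construction ("shouldn't have ACM certificate expired or expiring in 90 days"). Since the line is being touched anyway, it would be worth fixing the whole sentence in this change rather than leaving it for a second pass.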
@@ -981,7 +981,7 @@ IAM database authentication allows authentication to database instances with an
### [IAM customer managed policies should not allow decryption actions on all KMS keys](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d088fb9f-11dc-451e-8f79-393916e42bb2)
-
**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts.This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies.
+
**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts.This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the "kms:Decrypt" or "kms:ReEncryptFrom" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that aren't appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, don't allow "kms:Decrypt" permission on all KMS keys. Instead, allow "kms:Decrypt" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.
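Review bot: The removed and added lines look identical here, so this is presumably a whitespace-only change; if the paragraph is being edited anyway, its two visible defects should be fixed in the same change: "accounts.This control fails" is missing the space after the period, and "whether the default version of IAM customer managed policies allow principals" pairs the singular subject "version" with a plural verb and should read "allows". The unchanged context lines below it are fine and state the least-privilege point correctly (scope "kms:Decrypt" and "kms:ReEncryptFrom" to the specific keys a task needs rather than to all keys).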
articles/defender-for-cloud/review-exemptions.md
1 addition & 1 deletion
@@ -30,7 +30,7 @@ Once a resource has been exempted it will no longer be taken into account for se
1. Select **Apply**.
-
:::image type="content" source="media/review-exemptions/exempted-resources.png" alt-text="Screenshot of the reccommendations page that shows where the recommendation status, exempted and apply button are located." lightbox="media/review-exemptions/exempted-resources.png":::
+
:::image type="content" source="media/review-exemptions/exempted-resources.png" alt-text="Screenshot of the recommendations page that shows where the recommendation status, exempted and apply button are located." lightbox="media/review-exemptions/exempted-resources.png":::
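Review bot: The spelling fix in the alt text ("recommendations") is correct. Consider also naming the UI elements the way the step above does, for example "Screenshot of the recommendations page showing the recommendation status, the Exempted option, and the Apply button", since screen readers read this string verbatim and "exempted and apply button" is ambiguous as written.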
articles/defender-for-cloud/review-security-recommendations.md
2 additions & 2 deletions
@@ -86,7 +86,7 @@ You can perform many actions to interact with recommendations. If an option isn'
1. Select a node to view additional details.
-
:::image type="content" source="media/review-security-recommendations/select-node.png" alt-text="Screenshot of a node lpocated in the graph tab that is selected and showing the additional details." lightbox="media/review-security-recommendations/select-node.png":::
+
:::image type="content" source="media/review-security-recommendations/select-node.png" alt-text="Screenshot of a node located in the graph tab that is selected and showing the additional details." lightbox="media/review-security-recommendations/select-node.png":::
1. Select **Insights**.
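Review bot: "lpocated" to "located" is the right fix. The alt text would read more naturally as "Screenshot of a selected node in the graph tab with its additional details shown", which also matches the step it illustrates ("Select a node to view additional details"); that is a style suggestion, not a blocker.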
@@ -110,7 +110,7 @@ Defender for Cloud's recommendation page allows you to group recommendations by
1. Select **Group by title**.
-
:::image type="content" source="media/review-security-recommendations/group-by-title.png" alt-text="Screenshot of teh recommendations page that shows where the group by title toggle is located on the screen." lightbox="media/review-security-recommendations/group-by-title.png":::
+
:::image type="content" source="media/review-security-recommendations/group-by-title.png" alt-text="Screenshot of the recommendations page that shows where the group by title toggle is located on the screen." lightbox="media/review-security-recommendations/group-by-title.png":::
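Review bot: The typo fix is correct. One consistency point: the step above says Select **Group by title**, so the alt text should use the same capitalization ("where the Group by title toggle is located") so the control is named as it appears in the UI.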
articles/defender-for-cloud/risk-prioritization.md
4 additions & 4 deletions
@@ -24,7 +24,7 @@ Microsoft Defender for Cloud's resources and workloads are assessed against buil
> [!NOTE]
> Recommendations are included with the [Foundational CSPM plan](concept-cloud-security-posture-management.md#plan-availability) which is included with Defender for Cloud. However, risk prioritization and governance is supported only with the [Defender CSPM plan](concept-cloud-security-posture-management.md#plan-availability).
>
-
> If you environment is not protected by the Defender CSPM plan the columns with the risk prioritization features will appear blurred out.
+
> If your environment is not protected by the Defender CSPM plan the columns with the risk prioritization features will appear blurred out.
Different resources can have the same recommendation with different risk levels. For example, a recommendation to enable MFA on a user account can have a different risk level for different users. The risk level is determined by the risk factors of each resource, such as its configuration, network connections, and security posture. The risk level is calculated based on the potential impact of the security issue being breached, the categories of risk, and the attack path that the security issue is part of.
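Review bot: "your environment" is the right fix, but the corrected sentence still needs a comma after the introductory clause and reads better in present tense: "If your environment is not protected by the Defender CSPM plan, the columns with the risk prioritization features appear blurred out." In the unchanged note line just above it, "risk prioritization and governance is supported" has a compound subject and should be "are supported"; since this note block is being edited, both could go in the same change.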
@@ -40,15 +40,15 @@ On this page you can review the:
-**Risk factors** - Environmental factors of the resource affected by the recommendation, which influence the exploitability and the business impact of the underlying security issue. Examples for risk factors include internet exposure, sensitive data, lateral movement potential.
-
-**Attack paths** - The number of attack paths that the recommendation is part of based on the security engine's search for all potential attack paths based on the resources that exist in the environment and relationship that exists between them. Each environment will present it's own unique attack paths.
+
-**Attack paths** - The number of attack paths that the recommendation is part of based on the security engine's search for all potential attack paths based on the resources that exist in the environment and relationship that exists between them. Each environment will present its own unique attack paths.
-**Owner** - The person the recommendation is assigned to.
-**Status** - The current status of the recommendation. For example, unassigned, on time, overdue.
-**Insights** - Information related to the recommendation such as, if it's in preview, if it can be denied, if there is a fix option available and more.
-
:::image type="content" source="media/risk-prioritization/recommendations-dashboard.png" alt-text="Screenshot of teh recommendations dashboard which shows recommendations prioritized by their risk." lightbox="media/risk-prioritization/recommendations-dashboard.png":::
+
:::image type="content" source="media/risk-prioritization/recommendations-dashboard.png" alt-text="Screenshot of the recommendations dashboard which shows recommendations prioritized by their risk." lightbox="media/risk-prioritization/recommendations-dashboard.png":::
When you select a recommendation, you can view the details of the recommendation, including the description, attack paths, scope, freshness, last change date, owner, due date, severity, tactics & techniques, and more.
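Review bot: Both fixes ("its own", "the recommendations dashboard") are correct, but the **Attack paths** sentence being edited is a run-on that uses "based on" twice and a singular "relationship" where the plural is meant; suggest "The number of attack paths that the recommendation is part of, based on the security engine's search for all potential attack paths across the resources in the environment and the relationships between them. Each environment has its own unique attack paths." Two nearby unchanged lines have small issues worth folding into the same change: "Examples for risk factors include" should be "Examples of risk factors include", and "such as, if it's in preview" should be "such as whether it's in preview".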
@@ -103,4 +103,4 @@ The risk level is determined by a context-aware risk-prioritization engine that