Theme 1: Use managed services
Essential Eight strategies covered: Patch applications, restrict administrative privileges, patch operating systems
Managed services help you reduce your compliance obligations by allowing AWS to manage some security tasks, such as patching and vulnerability management.
As discussed in the AWS shared responsibility model section, you share responsibility with AWS for cloud security and compliance. This can reduce your operational burden because AWS operates, manages, and controls components, from the host operating system and virtualisation layer to the physical security of the facilities in which the service operates.
Your responsibilities might include managing maintenance windows for managed services, such as Amazon Relational Database Service (Amazon RDS) or Amazon Redshift, and scanning for vulnerabilities in AWS Lambda code or container images. As with all themes in this guide, you also retain responsibility for monitoring and compliance reporting. You can use Amazon Inspector to report vulnerabilities across all of your AWS accounts. You can use rules in AWS Config to make sure that services, such as Amazon RDS and Amazon Redshift, have minor updates and maintenance windows enabled.
For example, if you run an Amazon EC2 instance, your responsibilities include the following:
Application control
Patching applications
Restricting administrative privileges to the Amazon EC2 control plane and the operating system (OS)
Patching the OS
Enforcing multi-factor authentication (MFA) to access the AWS control plane and the OS
Backing up the data and configuration
Whereas if you run a Lambda function, then your responsibilities are reduced and include the following:
Application control
Confirming that libraries are up-to-date
Restricting administrative privileges to the Lambda control plane
Enforcing MFA to access the AWS control plane
Backing up the Lambda function code and configuration
Related best practices in the AWS Well-Architected Framework
Implementing this theme
Enable patching
Scan for vulnerabilities
Monitoring this theme
Implement governance checks
Enable the Operational Best Practices for ACSC Essential 8 conformance pack in AWS Config
Monitor Amazon Inspector
Implement the following AWS Config rules
RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLEDELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLEDREDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECKEC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECKEKS_CLUSTER_SUPPORTED_VERSION