本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 应用程序控制
****
- **在工作站和服务器上实施应用程序控制,以将可执行文件、软件库、脚本、安装程序、编译的 HTML、HTML 应用程序、控制面板小程序和驱动程序的执行限制在组织批准的集合内。**
- **实施指导:** [主题 2:通过安全管线管理不可变基础设施](theme-2.md):实施 AMI 和容器构建管线
- **AWS 资源:** [使用 EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html) 并内置:[See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/essential-eight-maturity/application-control.html)
[亚马逊 CloudWatch 代理](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html)
[ AMIs 与整个组织共享](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html)
[确保应用团队参考的是最新的 AMIs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html)
[使用您的 AMI 管线进行补丁管理](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-patch-management.html)
- **AWS Well-Architected 指南:** [SEC06-从经过强化的映像BP02 配置计算](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_hardened_images.html)
- **已实施 Microsoft 的“推荐的阻止规则”。**
- **实施指导:** 请参阅[实现应用程序控制](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-application-control)(ACSC 网站)
- **AWS 资源:** 不适用
- **AWS Well-Architected 指南:** 不适用
- **已实施 Microsoft 的“推荐的驱动程序阻止规则”。**
- **应用程序控制规则集每年或更频繁地进行一次验证。**
- **实施指导:** [主题 8:实施手动流程机制](theme-8.md):实施更新安全策略的机制
- **AWS 资源:** 不可用
- **AWS Well-Architected 指南:** [SEC01-定期BP08 评估和实施新的安全服务和功能](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_implement_services_features.html)
- **工作站和服务器上允许和阻止的执行会集中记录,防止未经授权的修改和删除,监控泄露迹象,并在检测到网络安全事件时采取行动。**
- **实施指导:** [主题 7:集中记录和监控](theme-7.md):启用日志记录 / **AWS 资源:** [使用 CloudWatch 代理将系统级日志发布到 Logs CloudWatch ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html)
[为 GuardDuty 发现设置警报](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#setup-sns)
[在中创建组织跟踪 CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
[使用版本控制和 S3 对象锁定来保护存储在 Amazon S3 中的数据](https://aws.amazon.com/getting-started/hands-on/protect-data-on-amazon-s3/) / **AWS Well-Architected 指南:** [SEC04-BP01 配置服务和应用程序日志](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)
[SEC04-在标准化位置BP02 捕获日志、发现结果和指标](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)
- **实施指导:** [主题 7:集中记录和监控](theme-7.md):实施日志记录安全最佳实践 / **AWS 资源:** [实施 CloudTrail 安全最佳实践](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html)
[用于 SCPs 防止用户禁用安全服务](https://aws.amazon.com/blogs/industries/best-practices-for-aws-organizations-service-control-policies-in-a-multi-account-environment/)(AWS 博客文章)
[使用加密日志中的 CloudWatch 日志数据 AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) / **AWS Well-Architected 指南:** [SEC04-BP01 配置服务和应用程序日志](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)
[SEC04-在标准化位置BP02 捕获日志、发现结果和指标](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)
- **实施指导:** [主题 7:集中记录和监控](theme-7.md):集中日志 / **AWS 资源:** [接收来自多个账户的 CloudTrail 日志](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
[向日志归档账户发送日志](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/security-ou-and-accounts.html#log-archive-account)
[将 CloudWatch 日志集中到账户中以进行审计和分析](https://aws.amazon.com/blogs/architecture/stream-amazon-cloudwatch-logs-to-a-centralized-account-for-audit-and-analysis/)(AWS 博客文章)
[集中管理 Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/managing-multiple-accounts.html)
在 AWS Config([博客文章)AWS 中创建组织范围的聚合器](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
[集中管理 Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html)
[集中管理 GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html)
[考虑使用 Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) / **AWS Well-Architected 指南:** [SEC04-在标准化位置BP02 捕获日志、发现结果和指标](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)
- **实施指导:** [主题 8:实施手动流程机制](theme-8.md):实施审查和解决合规差距的机制 / **AWS 资源:** 考虑实施自动化(例如 [AWS Config 规则](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html)),以减轻手动流程的负担 / **AWS Well-Architected 指南:** [OPS02-BP02 流程和程序已确定所有者](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/ops_ops_model_def_proc_owners.html)
[OPS02-BP03 运营活动已确定了对其绩效负责的所有者](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/ops_ops_model_def_activity_owners.html)
[OPS02-存在管理责任和所有权的BP04 机制](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/ops_ops_model_def_responsibilities_ownership.html)