本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 應用程式控制
****
- **應用程式控制會在工作站和伺服器上實作,將可執行檔、軟體程式庫、指令碼、安裝程式、編譯的 HTML、HTML 應用程式、控制面板小程式和驅動程式的執行限制為組織核准的集合。**
- **實作指引:** [主題 2:透過安全管道管理不可變的基礎設施](theme-2.md):實作 AMI 和容器建置管道
- **AWS 資源:** [使用 EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html) 並建置:[See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/essential-eight-maturity/application-control.html)
[Amazon CloudWatch 代理程式](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html)
[與整個組織共用 AMIs ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html)
[確定應用程式團隊正在參考最新的 AMIs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html)
[使用您的 AMI 管道進行修補程式管理](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-patch-management.html)
- **AWS Well-Architected 指引:** [SEC06-BP02 從強化影像佈建運算](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_hardened_images.html)
- **Microsoft已實作 的「建議區塊規則」。**
- **實作指引:** 請參閱[實作應用程式控制](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-application-control) (ACSC 網站)
- **AWS 資源:** 不適用
- **AWS Well-Architected 指引:** 不適用
- **Microsoft已實作 的「建議驅動程式區塊規則」。**
- **每年或更頻繁地驗證應用程式控制規則集。**
- **實作指引:** [佈景主題 8:實作手動程序的機制](theme-8.md):實作機制以更新安全政策
- **AWS 資源:** 不適用
- **AWS Well-Architected 指引:** [SEC01-BP08 定期評估和實作新的安全服務和功能](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_implement_services_features.html)
- **工作站和伺服器上允許的和封鎖的執行會集中記錄和保護,避免未經授權的修改和刪除、監控入侵跡象,以及在偵測到網路安全事件時採取動作。**
- **實作指引:** [佈景主題 7:集中記錄和監控](theme-7.md):啟用記錄 / **AWS 資源:** [使用 CloudWatch 代理程式將系統層級日誌發佈至 CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html)
[設定 GuardDuty 調查結果的提醒](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#setup-sns)
[在 CloudTrail 中建立組織追蹤](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
[使用版本控制和 Amazon S3 S3 中的資料](https://aws.amazon.com/getting-started/hands-on/protect-data-on-amazon-s3/) / **AWS Well-Architected 指引:** [SEC04-BP01 設定服務和應用程式日誌記錄](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)
[SEC04-BP02 在標準化位置中擷取日誌、調查結果和指標](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)
- **實作指引:** [佈景主題 7:集中記錄和監控](theme-7.md):實作記錄安全最佳實務 / **AWS 資源:** [實作 CloudTrail 安全最佳實務](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html)
[使用 SCPs 防止使用者停用安全服務](https://aws.amazon.com/blogs/industries/best-practices-for-aws-organizations-service-control-policies-in-a-multi-account-environment/) (AWS 部落格文章)
[使用 在 CloudWatch Logs 中加密日誌資料 AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) / **AWS Well-Architected 指引:** [SEC04-BP01 設定服務和應用程式日誌記錄](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)
[SEC04-BP02 在標準化位置中擷取日誌、調查結果和指標](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)
- **實作指引:** [佈景主題 7:集中記錄和監控](theme-7.md):集中日誌 / **AWS 資源:** [從多個帳戶接收 CloudTrail 日誌](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
[將日誌傳送至日誌封存帳戶](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/security-ou-and-accounts.html#log-archive-account)
[在 帳戶中集中 CloudWatch Logs 以進行稽核和分析 ](https://aws.amazon.com/blogs/architecture/stream-amazon-cloudwatch-logs-to-a-centralized-account-for-audit-and-analysis/)(AWS 部落格文章)
[集中管理 Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/managing-multiple-accounts.html)
在 [中建立整個組織的彙整工具 AWS Config](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) (AWS 部落格文章)
[集中管理 Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html)
[集中管理 GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html)
[考慮使用 Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) / **AWS Well-Architected 指引:** [SEC04-BP02 在標準化位置中擷取日誌、調查結果和指標](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)
- **實作指引:** [佈景主題 8:實作手動程序的機制](theme-8.md):實作機制來檢閱和解決合規差距 / **AWS 資源:** 考慮實作自動化,例如[AWS Config 規則](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html),以減少手動程序的負擔 / **AWS Well-Architected 指引:** [OPS02-BP02 流程和程序已識別擁有者](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/ops_ops_model_def_proc_owners.html)
[OPS02-BP03 已為營運活動識別負責其效能的擁有者](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/ops_ops_model_def_activity_owners.html)
[OPS02-BP04 存在管理責任和擁有權的機制](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/ops_ops_model_def_responsibilities_ownership.html)