readme updates
jdyke committed Apr 5, 2021
1 parent 475c5ca commit 6c9529b
Showing 1 changed file with 18 additions and 12 deletions.
30 changes: 18 additions & 12 deletions security_controls_scp/README.md
@@ -9,8 +9,8 @@ The following SCPs should only be applied after the account has been configured
### Account

- [deny_region_interaction.tf](./modules/account/deny_region_interaction.tf) - Denies the ability to enable or disable a region.
- By default, when new regions are enabled by AWS, you now have to enable that region before IAM will propagate.
- This policy can be used to lock down the ability to launch resources in unapproved regions or deny a malicious actor from disabling a region in your account.
- By default, when new regions are enabled by AWS, you now have to enable that region before IAM will propagate.
- This policy can be used to lock down the ability to launch resources in unapproved regions or deny a malicious actor from disabling a region in your account.
- *Important*: When a region is disabled, and there are IAM resources in that region, they will be removed. Please view the documentation [here](https://aws.amazon.com/blogs/security/setting-permissions-to-enable-accounts-for-upcoming-aws-regions/) for more information.

### AI Services
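Review bot: the nesting is incomplete in this hunk. The "By default, when new regions are enabled by AWS..." and "This policy can be used to lock down..." sub-bullets are re-indented under deny_region_interaction.tf, but the `*Important*` bullet about IAM resources being removed when a region is disabled stays at the top level, where it renders as a separate list entry rather than as a caveat on that SCP. Indent it by the same four spaces so the three notes read as one group under the module link.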
@@ -20,10 +20,16 @@ The following SCPs should only be applied after the account has been configured
- Please review the documentation [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html) on how to selectively opt in to data sharing.
- Prior to applying, ensure that the AI services opt-out policy type is enabled for the organization.

### Amazon Comprehend

- [require_kms_cmks.tf](./modules/comprehend/require_kms_cmks.tf) - Requires all applicable Amazon Comprehend calls to pass in a Amazon Key Management Service (KMS) customer managed key (CMK). Per the [documentation](https://docs.aws.amazon.com/comprehend/latest/dg/kms-in-comprehend.html), _Amazon Comprehend can encrypt custom models using either its own KMS Key or a provided customer managed key (CMK)._ You can find a comparison of the two keys [here](https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html), and CMKs provide greater control over your encyption keys.
- [require_private_vpcs.tf](./modules/comprehend/require_private_vpcs.tf) - Amazon Comprehend supports running the job containers in a customer managed VPC. A VPC can be configured to not be exposed to internet, allows users to monitor networking traffic using flow logs, and can route traffic over private networks with VPC endpoints.
- When Amazon Comprehend jobs are launched in a VPC, Amazon Comprehend creates Elastic Network Interfaces (ENIs) and attached them to the job containers. The ENIs provide network connectivity within the VPC.

### AWS Config

- [deny_interruption_actions.tf](./modules/awsconfig/deny_interruption_actions.tf) - Denies the ability to delete AWS Config rules and stop recording.
- AWS Config is a service to monitor your resources for point-in-time configuration updates and compliance monitoring.
- [deny_interruption_actions.tf](./modules/awsconfig/deny_interruption_actions.tf) - Denies the ability to delete AWS Config rules and stop recording.
- AWS Config is a service to monitor your resources for point-in-time configuration updates and compliance monitoring.
- Malicious actors may try to stop AWS Config recording and perform destructive behavior so it is important to deny AWS Config deletions.

### AWS Organizations
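Review bot: the new Amazon Comprehend section carries three wording errors that should be fixed before merge: "pass in a Amazon Key Management Service (KMS)" should read "an AWS Key Management Service (KMS)", "encyption keys" should be "encryption keys", and "creates Elastic Network Interfaces (ENIs) and attached them to the job containers" should be "attaches them". "Not be exposed to internet" also wants "the internet". In the AWS Config entry the same indentation inconsistency as the Account section appears: the "AWS Config is a service to monitor..." bullet is nested under deny_interruption_actions.tf, but the "Malicious actors may try to stop AWS Config recording..." bullet is left at the top level; indent it to match.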
@@ -37,15 +43,15 @@ The following SCPs should only be applied after the account has been configured

### CloudTrail

- [deny_cloudtrail_actions.tf](./modules/cloudtrail/deny_cloudtrail_actions.tf) - Denies the ability to delete or manipulate CloudTrail trails.
- CloudTrail monitors all API calls against (supported) resources.
- [deny_cloudtrail_actions.tf](./modules/cloudtrail/deny_cloudtrail_actions.tf) - Denies the ability to delete or manipulate CloudTrail trails.
- CloudTrail monitors all API calls against (supported) resources.
- Please note that not all AWS services and resources are supported by CloudTrail.
- Because CloudTrail is a record of all API calls made, it is commonly targeted to cover malicious actors' tracks.

### EC2

- [require_mfa_actions.tf](./modules/ec2/require_mfa_actions.tf) - Requires MFA when deleting or stopping EC2 instances.
- A best practice is to protect your resources from accidental deletions and requiring MFA is one step in that direction.
- A best practice is to protect your resources from accidental deletions and requiring MFA is one step in that direction.
- [restrict_ami_owner.tf](./modules/ec2/restrict_ami_owner.tf) - Locks down the AMIs that can be launched to only the AMI creation account.
- A common practice is to configure an AWS account for centralized AMI creations that you then share to the receiving accounts. Similar to a hub-and-spoke model.
- [require_ami_tag.tf](./modules/ec2/require_ami_tag.tf) - Requires a resource tag key/value pair to launch EC2s.
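Review bot: the re-indentation is applied to only the first note in each entry here. Under deny_cloudtrail_actions.tf the "CloudTrail monitors all API calls..." bullet is nested while "Please note that not all AWS services and resources are supported by CloudTrail." and "Because CloudTrail is a record of all API calls made..." remain at the top level, and under restrict_ami_owner.tf the hub-and-spoke note is likewise unindented; indent those three lines by four spaces. Separately, "Requires MFA when deleting or stopping EC2 instances" in the require_mfa_actions.tf entry would be clearer as "terminating or stopping": EC2 has no delete action for instances, the API is TerminateInstances, and readers checking the policy against the action names will look for that term.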
@@ -59,14 +65,14 @@ The following SCPs should only be applied after the account has been configured

### GuardDuty

- [deny_guardduty_disassociate.tf](./modules/guardduty/deny_guardduty_disassociate.tf) - Denies the ability to remove the assigned account from the GuardDuty master.
- Once GuardDuty is in place for an account, it should not be removed while in use.
- [deny_guardduty_disassociate.tf](./modules/guardduty/deny_guardduty_disassociate.tf) - Denies the ability to remove the assigned account from the GuardDuty master.
- Once GuardDuty is in place for an account, it should not be removed while in use.

### IAM

- [deny_actions_no_mfa.tf](./modules/iam/deny_actions_no_mfa.tf) - Requires MFA to be set before any action can be performed.
- [deny_actions_no_mfa.tf](./modules/iam/deny_actions_no_mfa.tf) - Requires MFA to be set before any action can be performed.
- The user will only be able to set a MFA device and then must log out / in to have normal access.
- This is a blanket guardrail that should be used cautiously. Keep in mind that unless the user authenticated with MFA via the CLI, access keys will not be valid.
- This is a blanket guardrail that should be used cautiously. Keep in mind that unless the user authenticated with MFA via the CLI, access keys will not be valid.

### Lambda

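Review bot: "The user will only be able to set a MFA device" should read "an MFA device". The closing sentence of the deny_actions_no_mfa.tf entry, "unless the user authenticated with MFA via the CLI, access keys will not be valid", is also misleading as written: long-term access keys stay valid credentials, it is the API calls made with them that this SCP denies, until the caller switches to temporary credentials obtained with an MFA code (for example from sts:GetSessionToken). Suggest "calls made with plain access keys will be denied unless the session was obtained with MFA", which states the guardrail's actual effect and tells operators what to change in their CLI setup rather than implying the keys themselves stop working.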
@@ -101,4 +107,4 @@ The following SCPs should only be applied after the account has been configured
### VPC

- [deny_flow_logs_delete.tf](./modules/vpc/deny_flow_logs_delete.tf) - Denies the ability to delete VPC Flow Logs.
- VPC Flow Logs are your network monitoring logs and provide visibility into anomalous traffic during a security event.
- VPC Flow Logs are your network monitoring logs and provide visibility into anomalous traffic during a security event.
