Adding data perimeter service-specific guidance

tatyatsk · tatyatsk · commit cfd19e7f633d · 2025-06-12T15:56:14.000-04:00
diff --git a/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json b/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json
@@ -163,4 +163,4 @@
          }
       }
    ]
-}
+}
diff --git a/service_specific_guidance/accessanalyzer-specific-guidance.md b/service_specific_guidance/accessanalyzer-specific-guidance.md
@@ -2,7 +2,9 @@
 # Service-specific guidance: AWS Identity and Access Management Access Analyzer
 
 
-This document outlines service-specific guidance for implementing a data perimeter for AWS Identity and Access Management Access Analyzer. IAM Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. 
+This document outlines service-specific guidance for implementing a data perimeter for AWS Identity and Access Management Access Analyzer. 
+
+IAM Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. 
 
 
 The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
diff --git a/service_specific_guidance/acm-pca-specific-guidance.md b/service_specific_guidance/acm-pca-specific-guidance.md
@@ -2,7 +2,9 @@
 # Service-specific guidance: AWS Private Certificate Authority
 
 
-This document outlines service-specific guidance for implementing a data perimeter for AWS Private Certificate Authority (AWS Private CA). AWS Private CA is a managed service that allows you to create and manage private certificate authorities (CAs) within your organization. It enables you to issue and manage private certificates for your internal applications, services, and devices, providing secure communication and authentication within your AWS environment and on-premises infrastructure.
+This document outlines service-specific guidance for implementing a data perimeter for AWS Private Certificate Authority (AWS Private CA). 
+
+AWS Private CA is a managed service that allows you to create and manage private certificate authorities (CAs) within your organization. It enables you to issue and manage private certificates for your internal applications, services, and devices, providing secure communication and authentication within your AWS environment and on-premises infrastructure.
 
 
 The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
diff --git a/service_specific_guidance/acm-specific-guidance.md b/service_specific_guidance/acm-specific-guidance.md
@@ -2,7 +2,9 @@
 # Service-specific guidance: AWS Certificate Manager
 
 
-This document outlines service-specific guidance for implementing a data perimeter for AWS Certificate Manager (ACM). ACM is a service that simplifies the process of provisioning, managing, and deploying public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM handles the complexity of creating, storing, and renewing SSL/TLS certificates, helping you secure your applications and websites while reducing the time-consuming manual process of managing certificates.
+This document outlines service-specific guidance for implementing a data perimeter for AWS Certificate Manager (ACM). 
+
+ACM is a service that simplifies the process of provisioning, managing, and deploying public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM handles the complexity of creating, storing, and renewing SSL/TLS certificates, helping you secure your applications and websites while reducing the time-consuming manual process of managing certificates.
 
 
 The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
diff --git a/service_specific_guidance/amp-specific-guidance.md b/service_specific_guidance/amp-specific-guidance.md
@@ -2,7 +2,9 @@
 # Service-specific guidance: Amazon Managed Service for Prometheus
 
 
-This document outlines service-specific guidance for implementing a data perimeter for Amazon Managed Service for Prometheus. Amazon Managed Service for Prometheus is a fully managed monitoring service that makes it easy to monitor containerized applications and infrastructure at scale. It provides a highly available, secure, and managed environment for Prometheus, an open-source monitoring and alerting tool, allowing users to collect, store, and analyze metrics from their applications and infrastructure without the need to manage the underlying infrastructure.
+This document outlines service-specific guidance for implementing a data perimeter for Amazon Managed Service for Prometheus. 
+
+Amazon Managed Service for Prometheus is a fully managed monitoring service that makes it easy to monitor containerized applications and infrastructure at scale. It provides a highly available, secure, and managed environment for Prometheus, an open-source monitoring and alerting tool, allowing users to collect, store, and analyze metrics from their applications and infrastructure without the need to manage the underlying infrastructure.
 
 
 The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
diff --git a/service_specific_guidance/apigateway-specific-guidance.md b/service_specific_guidance/apigateway-specific-guidance.md
@@ -2,7 +2,9 @@
 # Service-specific guidance: Amazon API Gateway Management
 
 
-This document outlines service-specific guidance for implementing a data perimeter for Amazon API Gateway. Amazon API Gateway is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon EC2, code running on AWS Lambda, or any web application. API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
+This document outlines service-specific guidance for implementing a data perimeter for Amazon API Gateway. 
+
+Amazon API Gateway is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon EC2, code running on AWS Lambda, or any web application. API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
 
 
 The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
diff --git a/service_specific_guidance/apprunner-specific-guidance.md b/service_specific_guidance/apprunner-specific-guidance.md
@@ -2,7 +2,9 @@
 # Service-specific guidance: AWS App Runner
 
 
-This document outlines service-specific guidance for implementing a data perimeter for AWS App Runner. AWS App Runner is a fully managed service that makes it easy to deploy containerized web applications and APIs at scale. It automatically builds and deploys your code, handles load balancing, scaling, and provides a secure HTTPS endpoint, allowing developers to focus on their application code rather than infrastructure management.
+This document outlines service-specific guidance for implementing a data perimeter for AWS App Runner. 
+
+AWS App Runner is a fully managed service that makes it easy to deploy containerized web applications and APIs at scale. It automatically builds and deploys your code, handles load balancing, scaling, and provides a secure HTTPS endpoint, allowing developers to focus on their application code rather than infrastructure management.
 
 
 The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
diff --git a/service_specific_guidance/appsync-specific-guidance.md b/service_specific_guidance/appsync-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS AppSync. 
+
 AWS AppSync is a fully managed service that enables developers to create scalable GraphQL APIs. It simplifies the process of building applications by allowing you to easily connect to various data sources, including AWS DynamoDB, Lambda, and HTTP APIs. AppSync handles real-time data synchronization and offline programming models, making it ideal for building responsive and collaborative applications across web and mobile platforms.
 
 
diff --git a/service_specific_guidance/artifact-specific-guidance.md b/service_specific_guidance/artifact-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS Artifact. 
+
 AWS Artifact is a self-service portal that provides on-demand access to AWS' compliance reports and agreements. It allows customers to download AWS security and compliance documents, such as ISO certifications, PCI reports, and SOC reports, to support their regulatory and compliance requirements. AWS Artifact helps organizations demonstrate AWS infrastructure compliance to auditors and regulators.
 
 
diff --git a/service_specific_guidance/codeartifact-specific-guidance.md b/service_specific_guidance/codeartifact-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS CodeArtifact. 
+
 AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store, publish, and share software packages used in their software development process. It integrates with commonly used build tools and package managers, allowing developers to easily retrieve dependencies while maintaining control over package access and versioning.
 
 
diff --git a/service_specific_guidance/codebuild-specific-guidance.md b/service_specific_guidance/codebuild-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS CodeBuild. 
+
 AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready for deployment. It eliminates the need to provision, manage, and scale your own build servers, allowing developers to focus on writing code rather than managing infrastructure. CodeBuild supports various programming languages and build tools, integrates seamlessly with other AWS services, and can be used as part of a continuous delivery pipeline.
 
 
diff --git a/service_specific_guidance/codepipeline-specific-guidance.md b/service_specific_guidance/codepipeline-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS CodePipeline. 
+
 AWS CodePipeline is a fully managed continuous delivery service that helps you automate your software release processes. It enables you to model, visualize, and automate the steps required to release your software, allowing you to rapidly and reliably deliver features and updates. CodePipeline integrates with various AWS services and third-party tools, making it easy to build, test, and deploy your code every time there's a change.
 
 
diff --git a/service_specific_guidance/config-specific-guidance.md b/service_specific_guidance/config-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS Config. 
+
 AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a detailed view of the configuration of AWS resources in your account, including how they are related to one another and how they have changed over time. This helps you simplify compliance auditing, security analysis, change management, and operational troubleshooting.
 
 
diff --git a/service_specific_guidance/dynamodb-specific-guidance.md b/service_specific_guidance/dynamodb-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon DynamoDB. 
+
 Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. It allows you to store and retrieve any amount of data, and serve any level of request traffic. DynamoDB offers built-in security, backup and restore, and in-memory caching for internet-scale applications.
 
 
diff --git a/service_specific_guidance/emr-serverless-specific-guidance.md b/service_specific_guidance/emr-serverless-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon EMR Serverless. 
+
 Amazon EMR Serverless is a managed service that allows you to run big data analytics applications without the need to configure, manage, or scale clusters and servers. It provides a serverless runtime environment for Apache Spark and Apache Hive, enabling you to process data quickly and cost-effectively while automatically scaling resources based on workload demands.
 
 
diff --git a/service_specific_guidance/glacier-specific-guidance.md b/service_specific_guidance/glacier-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon S3 Glacier. 
+
 Amazon S3 Glacier is a secure, durable, and low-cost cloud storage service for data archiving and long-term backup. It is designed for infrequently accessed data with flexible retrieval options ranging from minutes to hours. S3 Glacier integrates with Amazon S3 to provide a complete data storage solution for cost-effective data lifecycle management.
 
 
diff --git a/service_specific_guidance/grafana-specific-guidance.md b/service_specific_guidance/grafana-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon Managed Grafana. 
+
 Amazon Managed Grafana is a fully managed service that makes it easy to deploy, operate, and scale Grafana, an open-source analytics and monitoring platform. It allows users to create, explore, and share observability dashboards to visualize and analyze metrics, logs, and traces from various data sources across their applications and infrastructure.
 
 
diff --git a/service_specific_guidance/kms-specific-guidance.md b/service_specific_guidance/kms-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS Key Management Service (KMS). 
+
 AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. KMS integrates with other AWS services to help you protect the data you store in these services and control access to it. It provides a centralized system for managing keys across a wide range of AWS services and in your applications.
 
 
diff --git a/service_specific_guidance/lambda-specific-guidance.md b/service_specific_guidance/lambda-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS Lambda. 
+
 AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. It automatically scales your applications in response to incoming requests, and you only pay for the compute time you consume. Lambda supports multiple programming languages and integrates seamlessly with other AWS services, making it ideal for building microservices, automating tasks, and creating event-driven applications.
 
 
diff --git a/service_specific_guidance/logs-specific-guidance.md b/service_specific_guidance/logs-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon CloudWatch Logs. 
+
 Amazon CloudWatch Logs is a fully managed service that enables you to centralize, monitor, and store log files from various AWS resources and applications. It allows you to easily search, analyze, and set alarms on your log data, helping you troubleshoot issues, identify patterns, and gain insights into your system's performance and behavior.
 
 
diff --git a/service_specific_guidance/s3-specific-guidance.md b/service_specific_guidance/s3-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon Simple Storage Service. 
+
 Amazon Simple Storage Service (Amazon S3) is a scalable object storage service that offers industry-leading durability, availability, and performance. It allows you to store and retrieve any amount of data from anywhere on the web, making it ideal for a wide range of use cases such as data lakes, websites, mobile applications, backup and restore, archive, and big data analytics.
 
 
diff --git a/service_specific_guidance/secretsmanager-specific-guidance.md b/service_specific_guidance/secretsmanager-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for AWS Secrets Manager. 
+
 AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Secrets Manager allows you to replace hardcoded credentials in your code with an API call to Secrets Manager to retrieve the secret programmatically.
 
 
diff --git a/service_specific_guidance/sns-specific-guidance.md b/service_specific_guidance/sns-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon Simple Notification Service (SNS). 
+
 Amazon SNS is a fully managed messaging service that enables you to send messages, notifications, and alerts to a wide range of endpoints. It provides a flexible, scalable, and cost-effective way to distribute messages to multiple subscribers through a publish/subscribe model. SNS supports various communication protocols, including email, SMS, mobile push notifications, and HTTP/HTTPS endpoints, making it easy to integrate with diverse applications and services.
 
 
diff --git a/service_specific_guidance/sqs-specific-guidance.md b/service_specific_guidance/sqs-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon Simple Queue Service (SQS). 
+
 Amazon SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS offers two types of message queues: standard queues for maximum throughput and at-least-once delivery, and FIFO queues for exactly-once processing and strict message ordering. It allows you to send, store, and receive messages between software components without losing messages or requiring other services to be available.
 
 
diff --git a/service_specific_guidance/textract-specific-guidance.md b/service_specific_guidance/textract-specific-guidance.md
@@ -3,6 +3,7 @@
 
 
 This document outlines service-specific guidance for implementing a data perimeter for Amazon Textract. 
+
 Amazon Textract is a machine learning service that automatically extracts text, handwriting, and data from scanned documents. It goes beyond simple optical character recognition (OCR) to identify, understand, and extract data from forms and tables. Textract enables you to quickly automate document processing workflows, making it easier to process applications, claims, and other structured documents.
 
 

Original file line number	Diff line number	Diff line change
`@@ -163,4 +163,4 @@`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`	`]`
`166`		`-}`
	`166`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`
`4`	`4`
`5`	`5`	`This document outlines service-specific guidance for implementing a data perimeter for AWS AppSync.`
	`6`	`+`
`6`	`7`	`AWS AppSync is a fully managed service that enables developers to create scalable GraphQL APIs. It simplifies the process of building applications by allowing you to easily connect to various data sources, including AWS DynamoDB, Lambda, and HTTP APIs. AppSync handles real-time data synchronization and offline programming models, making it ideal for building responsive and collaborative applications across web and mobile platforms.`
`7`	`8`
`8`	`9`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`
`4`	`4`
`5`	`5`	`This document outlines service-specific guidance for implementing a data perimeter for AWS Artifact.`
	`6`	`+`
`6`	`7`	`AWS Artifact is a self-service portal that provides on-demand access to AWS' compliance reports and agreements. It allows customers to download AWS security and compliance documents, such as ISO certifications, PCI reports, and SOC reports, to support their regulatory and compliance requirements. AWS Artifact helps organizations demonstrate AWS infrastructure compliance to auditors and regulators.`
`7`	`8`
`8`	`9`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`
`4`	`4`
`5`	`5`	`This document outlines service-specific guidance for implementing a data perimeter for AWS CodeArtifact.`
	`6`	`+`
`6`	`7`	`AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store, publish, and share software packages used in their software development process. It integrates with commonly used build tools and package managers, allowing developers to easily retrieve dependencies while maintaining control over package access and versioning.`
`7`	`8`
`8`	`9`