

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# AWS Shield network security director (preview)
<a name="nsd-chapter"></a>

**Note**  
AWS Shield network security director is in public preview release and is subject to change. 

AWS Shield network security director helps secure your AWS environment by discovering the compute, networking, and network security resources in your account. Network security director evaluates each resource's security configuration by analyzing your network topology and security settings against AWS best practices and threat intelligence. To help you strengthen your security, network security director rates its findings from low to critical severity and provides specific remediation steps, which you can explore using natural language queries through Amazon Q Developer.

## AWS Shield network security director pricing
<a name="aws-nsd-pricing"></a>

AWS currently does not charge for use of network security director. However, you are responsible for fees incurred for the underlying services you use, such as AWS WAF. When network security director becomes generally available, pricing will differ from the preview release. 

# AWS Shield network security director use cases
<a name="nsd-use-cases"></a>


Network security director and Amazon Q Developer help you identify security issues in your network security configuration and provide mitigation options:
+ **Overly permissive access to your EC2 instances** – Identify security groups and network ACLs (NACLs) associated with your VPCs and Amazon Elastic Compute Cloud instances that allow unrestricted access (for example, from 0.0.0.0/0 or ::/0) to high-risk ports, such as port 22 (SSH) and port 3389 (RDP). Follow step-by-step instructions for implementing the right security group or NACL rules to restrict access to these high-risk ports.
+ **Compute and networking resources that are open to the internet** – Identify resources that are reachable from the internet via connectivity with an internet gateway.
+ **Internet-facing resources that aren't fully protected by AWS WAF** – Identify resources that are reachable from the internet and understand the status of their AWS WAF protections. Follow step-by-step instructions for configuring and deploying AWS WAF, including recommendations for using rules such as rate-limiting rules and AWS Managed Rules rule groups.
+ **Resources that are exposed to known threats** – Identify resources that are exposed to known threats, such as distributed denial of service (DDoS) attacks, SQL injection attacks, and cross-site scripting (XSS) attacks. Follow step-by-step instructions for implementing custom rules or AWS Managed Rules rule groups for AWS WAF to defend against these threats.
+ **Network security services that are enabled but aren't attached to any compute or networking resources** – Identify AWS WAF web ACLs and VPC security groups and NACLs that are currently not protecting any of your compute or networking resources. Follow instructions for removing them or for adding recommended rules to improve protections in case you decide to associate them with compute or networking resources in the future.
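The first use case above (overly permissive access to EC2 instances) is straightforward to check yourself on configuration you have already exported. The following Python example is added here; it is not code from the AWS page or from network security director. It evaluates security groups and NACLs in the shape returned by the EC2 `DescribeSecurityGroups` and `DescribeNetworkAcls` APIs for unrestricted access to ports 22 and 3389, and rolls the results up into the composite severity described under Key concepts (a resource takes the severity of its most severe finding, or none). The sample data, the probe source addresses, the severity assigned to each finding, and the function names are this example's own assumptions; network security director's actual ratings may differ.

```python
"""Added example, not code from the AWS page: a checker for the first use case
above. It flags security groups and NACLs that allow unrestricted access to
high-risk ports (22, 3389) and rolls findings up into the composite severity
described under Key concepts (most severe finding, or NONE). Input dicts follow
the shape of the EC2 DescribeSecurityGroups / DescribeNetworkAcls responses;
the sample data, probe addresses and severity mapping are assumptions."""
import ipaddress
from collections import namedtuple

SEVERITY_ORDER = ["NONE", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = ("0.0.0.0/0", "::/0")
# Representative internet sources (documentation ranges) for NACL evaluation.
PROBE_SOURCES = ("203.0.113.5", "2001:db8::5")
Finding = namedtuple("Finding", "resource_id severity description")


def _covers(from_port, to_port, port):
    # EC2 encodes "all ports" as -1/-1, or omits the fields for protocol -1.
    if from_port in (None, -1) or to_port in (None, -1):
        return True
    return from_port <= port <= to_port


def check_security_group(sg):
    """Ingress rules that admit a high-risk TCP port from 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if rule.get("IpProtocol") not in ("tcp", "-1"):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(c in WORLD for c in cidrs):
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if _covers(lo, hi, 0) and _covers(lo, hi, 65535):
            # Assumed mapping: every port open to the world is CRITICAL.
            findings.append(Finding(sg["GroupId"], "CRITICAL", "all ports open to the internet"))
            continue
        for port, name in HIGH_RISK_PORTS.items():
            if _covers(lo, hi, port):   # assumed mapping: one high-risk port is HIGH
                findings.append(Finding(sg["GroupId"], "HIGH", f"{name} (tcp/{port}) open to the internet"))
    return findings


def nacl_allows_ingress(nacl, port):
    """True if TCP to `port` from a probe source is allowed. Ingress entries are
    evaluated in rule-number order, first match decides, no match means deny."""
    entries = sorted((e for e in nacl.get("Entries", []) if not e.get("Egress")),
                     key=lambda e: e["RuleNumber"])
    for src in PROBE_SOURCES:
        src_ip = ipaddress.ip_address(src)
        for e in entries:
            cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
            if e.get("Protocol") not in ("6", "-1") or cidr is None:   # 6 = TCP
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != src_ip.version or src_ip not in net:
                continue
            pr = e.get("PortRange", {})
            if not _covers(pr.get("From"), pr.get("To"), port):
                continue
            if e["RuleAction"] == "allow":
                return True
            break   # explicit deny for this source; try the other address family
    return False


def check_network_acl(nacl):
    findings = []
    for port, name in HIGH_RISK_PORTS.items():
        if nacl_allows_ingress(nacl, port):   # assumed mapping: NACL exposure is MEDIUM
            findings.append(Finding(nacl["NetworkAclId"], "MEDIUM", f"{name} (tcp/{port}) allowed from the internet"))
    return findings


def composite_severity(findings):
    """The page's rule: a resource's severity is its most severe finding, or NONE."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="NONE")


# Constructed sample data (not from a real account).
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]}
SAMPLE_NACL = {"NetworkAclId": "acl-0123456789abcdef0", "Entries": [   # deny SSH from one range, then allow all
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]}
```

The NACL evaluation is the part worth studying: NACL entries are an ordered list where the first match wins, so a deny for one range followed by an allow for 0.0.0.0/0 still exposes the port to everyone else, which is what the sample NACL shows. The security group sample produces one HIGH finding (SSH from anywhere) and the 3389 rule scoped to 10.0.0.0/8 produces none.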

# Key concepts in network security director
<a name="nsd-concepts"></a>


**Resources**  
The compute, networking, and security resources that handle your application traffic:  
+ *Compute* – Amazon Elastic Compute Cloud instances
+ *Networking* – Application Load Balancers, Amazon API Gateways, Amazon CloudFront distributions, VPC subnets, and VPC elastic network interfaces (ENIs)
+ *Security* – AWS WAF web ACLs, VPC security groups, and VPC network access control lists (NACLs)

**Findings**  
Alerts about missing or misconfigured network security services, with severity levels of NONE, INFORMATIONAL, LOW, MEDIUM, HIGH, or CRITICAL. Network security director generates findings by evaluating configuration settings and threat intelligence for each resource.

**Severity**  
A measure of a resource's vulnerability to potential security events, based on AWS best practices and threat intelligence. Severity assessment considers both potential vulnerabilities and existing protections. A resource's severity level matches its most severe finding, or shows as none if there are no findings.

**Network topology**  
A visual representation of your network that shows resource connections, internet exposure, and tag-based relationships. Use the topology view to investigate resources and their findings.

## Understanding network security director findings
<a name="nsd-findings-concepts"></a>


Network security director generates specific findings for each type of resource it analyzes. These findings help you identify security issues and take appropriate action. The following table lists all possible findings by resource type.


**network security director findings by resource type**  

| Resource type | Finding description | 
| --- | --- | 
| Application Load Balancer |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 
| Amazon API Gateway |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 
| Amazon CloudFront |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 
| Amazon Elastic Compute Cloud (EC2) instance |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 
| VPC security group |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 
| VPC network access control list (NACL) |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 
| AWS WAF web ACL |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/nsd-concepts.html)  | 

# Setting up your account to use AWS Shield network security director
<a name="nsd-setting-up"></a>


AWS Shield network security director requires AWS Organizations to manage security across multiple accounts in your organization. This topic describes the preliminary steps to prepare your AWS environment, including setting up Organizations, designating a delegated administrator, and configuring the necessary IAM permissions. You aren't charged for these preliminary setup steps. You are charged only for AWS services that you use.

## Prerequisites
<a name="nsd-prerequisites"></a>

Before you can use AWS Shield network security director, you must have the following in place:
+ **AWS Organizations** - AWS Shield network security director works exclusively with AWS Organizations to provide security analysis across multiple accounts. You cannot use AWS Shield network security director with a single standalone account.
+ **Management account access** - You need access to the AWS Organizations management account to designate a delegated administrator for AWS Shield network security director.
+ **Delegated administrator account** - You need to identify or create an account that will serve as the delegated administrator for AWS Shield network security director. This cannot be the Organizations management account.

**Important**  
AWS Shield network security director cannot be used with standalone AWS accounts. You must have AWS Organizations configured with at least one member account in addition to the management account.

## Understanding AWS Organizations integration
<a name="nsd-organizations-integration"></a>

AWS Organizations is a global account management service that lets AWS administrators consolidate and manage multiple AWS accounts. AWS Shield network security director integrates with Organizations to provide centralized security analysis and management across your entire organization.

When you integrate AWS Shield network security director with AWS Organizations:
+ The Organizations management account designates a delegated administrator for AWS Shield network security director
+ The delegated administrator can enable AWS Shield network security director across multiple accounts and regions
+ Security analysis and findings are centrally managed through the delegated administrator account
+ Service-linked roles are automatically created in member accounts to enable analysis

This approach is similar to other AWS security services like AWS Security Hub and provides consistent governance across your security tools.

## Choosing a delegated administrator
<a name="nsd-delegated-administrator"></a>

A delegated administrator is an AWS account in your organization that has been granted permissions to manage AWS Shield network security director on behalf of the organization. The delegated administrator can enable the service, create policies, and manage security findings across all member accounts.

**Delegated administrator requirements:**
+ Must be a member account in your AWS Organizations structure
+ Cannot be the Organizations management account
+ Should have appropriate IAM permissions configured (see next section)

**Note**  
As a best practice, we recommend using the same delegated administrator account across AWS security services (such as Security Hub, GuardDuty, and AWS Shield network security director) for consistent governance and simplified management.

## IAM requirements for the delegated administrator
<a name="nsd-iam-requirements"></a>

The delegated administrator account requires specific IAM permissions to manage AWS Shield network security director effectively. You must attach the following policy to the IAM user or role that will be managing AWS Shield network security director in the delegated administrator account.

**Required IAM policy for AWS Shield network security director delegated administrator:**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "network-security-director:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam:::role/aws-service-role/AWSServiceRoleForNetworkSecurityDirector"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAccountsForParent",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListDelegatedAdministrators",
                "organizations:DescribeOrganization",
                "organizations:CreatePolicy",
                "organizations:UpdatePolicy",
                "organizations:DeletePolicy",
                "organizations:AttachPolicy",
                "organizations:DetachPolicy",
                "organizations:EnablePolicyType",
                "organizations:DisablePolicyType",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListTagsForResource",
                "organizations:ListHandshakesForAccount",
                "organizations:DescribePolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

**Policy explanation:**
+ **network-security-director:\*** - Grants full access to all AWS Shield network security director operations, including enabling the service, creating policies, and managing findings.
+ **IAM permissions** - Allows the delegated administrator to look up and create the service-linked role **AWSServiceRoleForNetworkSecurityDirector**, which AWS Shield network security director uses to perform analysis across member accounts.
+ **Organizations permissions** - Allows the delegated administrator to enumerate the organization (roots, organizational units, accounts, and delegated administrators) and to create, update, attach, detach, and inspect the AWS Organizations policies that network security director uses to target accounts and regions.

Because the first statement grants every network security director action on every resource, attach this policy to an IAM role that administrators assume for this purpose rather than to a long-lived IAM user, and only in the delegated administrator account.

**To create and attach the IAM policy**

1. Sign in to the AWS Management Console using the delegated administrator account.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**, then choose **Create policy**.

1. Choose the **JSON** tab and paste the policy document shown above.

1. Choose **Next: Tags**, then **Next: Review**.

1. For **Name**, enter **NetworkSecurityDirectorDelegatedAdminPolicy**.

1. Choose **Create policy**.

1. Attach this policy to the IAM user or role that will be managing AWS Shield network security director in the delegated administrator account.

## Setup checklist
<a name="nsd-setup-checklist"></a>

Before proceeding to enable AWS Shield network security director, ensure you have completed the following setup tasks:
+ ✓ AWS Organizations is configured with a management account and at least one member account
+ ✓ You have identified a delegated administrator account (cannot be the management account)
+ ✓ The required IAM policy has been created and attached in the delegated administrator account
+ ✓ You have access to both the Organizations management account and the delegated administrator account

Once you have completed these setup tasks, you can proceed to [Enabling AWS Shield network security director](nsd-enablement.md) to enable AWS Shield network security director for your organization.

# Enabling AWS Shield network security director
<a name="nsd-enablement"></a>


AWS Shield network security director is enabled for AWS accounts through AWS Organizations. This section of the documentation describes all the steps required to enable AWS Shield network security director for an AWS Organization.

This section includes two steps, both of which are necessary to complete network security director setup:

1. The AWS Organization management account enables AWS Shield network security director, designates a delegated administrator for the organization, and creates the corresponding delegated administrator policy.

1. The delegated administrator for the organization creates a policy that enables AWS Shield network security director for user-selected regions and target member accounts in the organization.

## Enabling AWS Shield network security director and delegating a service administrator
<a name="nsd-enablement-step-one"></a>

When assigning the delegated administrator account for AWS Shield network security director, AWS Shield network security director will recommend an existing delegated administrator if one is already configured for another AWS security service, such as **AWS Security Hub**. If no delegated administrator exists, you will be prompted to select a member account from your organization. The organization's management account cannot be designated as the delegated administrator.

**To designate an administrator for AWS Shield network security director**

1. Sign in to the AWS Management Console with your AWS Organizations management account credentials and open the AWS Shield network security director console at [https://console.aws.amazon.com/wafv2/network-security-director/](https://console.aws.amazon.com/wafv2/network-security-director/).

1. From the network security director home page, choose **Get started**.

1. For **Delegated administrator account**, choose an administrator account based on the provided options. As a best practice, we recommend using the same delegated administrator across security services for consistent governance.

1. For **Delegated administrator policy**, choose one of the following options to add the policy statement:

   1. (Option 1) Choose **Update this for me**. Select the box under the policy statement to confirm AWS Shield network security director will automatically create a delegation policy granting all required permissions to the delegated administrator.

   1. (Option 2) Choose **I want to attach this manually**, then choose **Copy and attach**. In the AWS Organizations console, under **Delegated administrator for AWS Organizations**, choose **Delegate**, paste the resource policy into the delegation policy editor, and then choose **Create Policy**. Return to the browser tab with the AWS Shield network security director console.

1. Choose **Complete get started**.

At the end of this step the following actions will be complete:
+ [Trusted Access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) enablement for AWS Shield network security director. This will allow network security director to create service-linked roles within member accounts that are in scope of the policy.
+ Creation of the service-linked role **AWSServiceRoleForNetworkSecurityDirector** for the organization’s management account.
+ Registration of the delegated administrator for AWS Shield network security director.
+ Update of the resource policy, allowing the delegated administrator for AWS Shield network security director to make necessary calls to AWS Organizations APIs.

Now that the setup is complete, you will be redirected to the **Settings** page, where you can update or remove the delegated administrator, manage delegation policy, and disable network security director as a service. To access this settings page in the future with the organization's management account, navigate to the network security director console and choose **Manage settings**.

## Enabling AWS Shield network security director for member accounts with delegated administrator
<a name="nsd-enablement-step-two"></a>

This step must be completed by the delegated administrator. Once the AWS Organization's management account designates a delegated administrator, that administrator must create a policy that grants permission to enable regions within the organization. All configured policies are available in the **Region and Account Policies** section of the AWS Shield network security director console. The procedure below outlines how to create this policy.

**To create and attach a policy that enables regions for targeted accounts**

1. Sign in to your AWS account with your delegated administrator credentials and open the AWS Shield network security director console at [https://console.aws.amazon.com/wafv2/network-security-director/](https://console.aws.amazon.com/wafv2/network-security-director/).

1. From the AWS Shield network security director home page, choose **Enable**.

1. For **Details**, enter a name and an optional description for the policy.

1. For **Account selection**, select one of the following options. Choose **All organizational units and accounts** if you want to apply the policy to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the policy to specific organizational units and accounts. Use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied.

1. For **Regions**, select the regions you want to enable or disable for this policy. See [Performance Considerations](troubleshooting.md#performance-considerations) before completing your selections.

1. Review your changes, and then choose **Enable network security director**.

At the end of this step the following actions will be complete:
+ Creation of the service-linked role **AWSServiceRoleForNetworkSecurityDirector** for the current delegated administrator account.
+ Creation of the policy that enables AWS Shield network security director to run scans in the enabled regions and on the attached targets.

You are then redirected to the **Summary dashboard** page, where you can view organization-wide insights as well as resource-level details for each account. To manage the policies in the future with the delegated administrator account, navigate to the network security director console and choose **Manage settings**.

# Exploring resources and findings
<a name="nsd-findings"></a>

The AWS Shield network security director dashboard provides a summary of the most severe findings, a comparison of findings by included regions, a table of accounts that have been analyzed, a panel that appears when an account is selected, and a network topology that populates once a resource within that panel is selected.

**Note**  
You must sign in with delegated administrator credentials to view resources and findings on the network security director dashboard.

## To identify which accounts have findings
<a name="nsd-dashboard-accounts-and-regions-widgets"></a>

1. Sign in with your delegated administrator account and open the AWS Shield network security director console at [https://console.aws.amazon.com/wafv2/network-security-director/](https://console.aws.amazon.com/wafv2/network-security-director/).

1. In the navigation pane, under network security director, choose **Dashboard**.

1. The Summary dashboard displays with the following widgets.

### Regions Widget
<a name="nsd-regions-widget"></a>

The Regions widget highlights the **most critical findings** for the current region, which summarize all findings on your resources and their combined severity. Next to it, a chart compares finding severities across all enabled regions, including the current one, so you can quickly see which regions have critical issues and whether you need to switch regions to review findings there.

### Accounts Widget
<a name="nsd-accounts-widget"></a>

Accounts analyzed in the current region appear in the table, sorted by default so that accounts whose resources have the highest composite finding severities appear first. Select an account to open a panel that lists its resources by composite finding severity.

### To identify which resources have findings
<a name="nsd-identify-resources-findings"></a>

1. From the network security director Dashboard, navigate to the **Accounts** widget.

1. Select an account from the table, which shows the number of findings at each composite severity level.

1. This will open the resources in the **Account and topology explorer** panel widget.

To identify your affected resources and find specific remediation recommendations, see the following sections.

When a network analysis completes, network security director provides detailed recommendations to remediate vulnerabilities identified in resource findings. You can filter for any vulnerable resource based on **Resource ID**, **Severity level**, **Resource type**, or associated **Findings**. By default, the **Resources** table displays resources in order of highest to lowest severity.

### Account and topology explorer panel widget
<a name="nsd-explorer-widget"></a>

When you select an account, the Account and topology explorer panel widget opens to display the resources and findings within that account. Filter the table to find specific resources or findings, or remove the filters to see a summary of resource types and finding types.

AWS Shield network security director assigns a severity level to each finding from the most recent network analysis. A resource's composite severity is **None**, **Informational**, **Low**, **Medium**, **High**, or **Critical**, and it equals the severity of the most severe finding identified on that resource. For example, if your latest network analysis determines that an Amazon EC2 instance has one Medium severity finding and two Low severity findings, that instance is assigned a Medium composite finding severity.

The **Findings overview** widget inside the **Account and topology explorer panel widget**, which can be accessed by removing any resource or finding type filters, provides two ways to understand the findings that network security director found in your resources:
+ From **Highest severity resources**, you can quickly understand which severity level is the most severe across all your networking resources. You can also see a list of how many of your resources are affected and the number of resources assigned each severity level by network security director.
+ From **Severity distribution**, you can view the number of resources with a specific severity level for each resource type and compare it with those of other resource types.

### To explore your network topology
<a name="nsd-explore-network-topology"></a>

1. In the navigation pane, under network security director, choose **Dashboard**.

1. From the network security director Dashboard, navigate to the **Accounts** widget.

1. Select an account from the table, which shows the number of findings at each composite severity level.

1. This will open the resources in the **Account and topology explorer** panel widget.

AWS Shield network security director maps the connections of your resources during its analyses. These connections are visualized in a network topology that is shown in a widget on the dashboard below the **Accounts** widget. When you select an account, and then select a resource in the **Account and topology explorer** panel widget, the network topology visualization appears in the context of the selected resource.

### Network topology widget
<a name="nsd-topology-widget"></a>

The network topology is empty until you select a specific resource in the Account and topology explorer panel widget, which appears after you select an account in the **Accounts** table widget. Navigate the topology by dragging the canvas or by using the zoom controls in the lower right corner of the container; there are also controls for resetting the zoom and position of the canvas and for exporting its contents. You can refresh the topology after an updated analysis produces new findings, and expand it to fill the entire screen. Select a resource in the topology to view its details in the **Account and topology explorer** panel widget. Select an edge between two resources to learn more about the nature of their relationship.

**Note**  
The network topology is built by traversing from the selected resource to its connected network resources. Only the first 100 connected resources are displayed in the topology visualization, sorted by severity. This sorting is applied only to the initial set of 100 fetched results, not the complete dataset.
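The cap described in the note above has a practical consequence: a severe resource fetched after the first 100 never appears in the view, however the view is sorted. The following Python example is added here (it is not code from the AWS page or from the service) to model that fetch-then-sort behaviour and to list what the capped view drops. The breadth-first traversal order, the constructed graph, and the function names are assumptions; the page states only that the cap is applied before the sort.

```python
"""Added example, not code from the AWS page: a model of the topology widget's
fetch-then-sort behaviour described in the note above, with a check that lists
which connected resources the 100-resource cap drops. The breadth-first fetch
order and the constructed graph are assumptions; the page does not say which
order the service traverses in, only that the cap applies before the sort."""
from collections import deque

SEVERITY_RANK = {"NONE": 0, "INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}


def connected_resources(edges, start):
    """Yield resource ids reachable from `start` in breadth-first fetch order."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):   # sorted only to keep the example deterministic
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                yield nxt


def topology_view(edges, severity, start, limit=100):
    """What the widget shows: the selected resource, then the first `limit`
    fetched connected resources sorted most-severe first. Resources fetched
    after the cap never enter the sort, however severe they are."""
    fetched = []
    for rid in connected_resources(edges, start):
        if len(fetched) == limit:
            break
        fetched.append(rid)
    ranked = sorted(fetched, key=lambda r: (-SEVERITY_RANK[severity.get(r, "NONE")], r))
    return [start] + ranked


def missing_from_view(edges, severity, start, limit=100, at_least="HIGH"):
    """Connected resources rated `at_least` or worse that the capped view omits."""
    shown = set(topology_view(edges, severity, start, limit))
    floor = SEVERITY_RANK[at_least]
    return sorted(r for r in connected_resources(edges, start)
                  if r not in shown and SEVERITY_RANK[severity.get(r, "NONE")] >= floor)


def build_sample():
    """Constructed graph: one ALB in two subnets fronting 120 EC2 instances,
    where the instance fetched last carries the only CRITICAL finding."""
    edges = [("alb-1", "subnet-a"), ("alb-1", "subnet-b")]
    severity = {"alb-1": "MEDIUM", "subnet-a": "NONE", "subnet-b": "NONE"}
    for i in range(120):
        inst = f"i-{i:03d}"
        edges.append(("subnet-a" if i < 60 else "subnet-b", inst))
        severity[inst] = "LOW"
    severity["i-119"] = "CRITICAL"
    return edges, severity
```

With the sample graph, the capped view of `alb-1` contains 100 LOW and NONE resources and omits the one CRITICAL instance, while the same call with `limit=200` puts that instance at the top. For a busy resource, treat the topology as a navigation aid and use the **Severity level** filter in the resources table to find high-severity resources.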

### To find recommendations for improving your security
<a name="nsd-find-recommendations"></a>

1. From the network security director Dashboard, navigate to the **Accounts** widget.

1. Select an account from the table, which shows the number of findings at each composite severity level.

1. This will open the resources in the **Account and topology explorer** panel widget.

1. Select a resource in the widget to display its details, with an option to navigate directly to the full **Resource Details page** for deeper investigation.

A resource can have multiple findings identified by network security director. Each finding represents a security issue found during your most recent network analysis.
+ Expand the **Remediation recommendations** for the finding to learn more about it.
+ Follow the steps suggested by network security director or choose the documentation link included to learn more.

After reviewing and implementing the remediation recommendations for your affected resources, you may want to get additional insights about your overall security configuration. Continue to [Analyze network security with Amazon Q Developer](nsd-security-insights.md) to learn how to use Amazon Q Developer for further analysis.

# Analyze network security with Amazon Q Developer
<a name="nsd-security-insights"></a>

Amazon Q Developer is a generative artificial intelligence (generative AI)-powered assistant that works with network security director to help answer your questions and provide recommendations about network security and remediation options.

You can interact with Amazon Q Developer by choosing the Q button or **Explore with Amazon Q Developer** anywhere it appears in the network security director console. This section guides you through the steps to ask questions of Q from the network security director **Dashboard**.

**To engage with Amazon Q Developer**
**Note**  
You must have a completed network analysis before you can chat with Amazon Q Developer.

1. Sign in to the AWS Management Console and open the AWS Shield network security director console at [https://console.aws.amazon.com/wafv2/network-security-director/](https://console.aws.amazon.com/wafv2/network-security-director/).

1. From the network security director home page, choose **Dashboard**.

1. In the **Ask Amazon Q Developer** widget, choose a question to use as a prompt in the Amazon Q Developer chat interface.

1. In the Amazon Q Developer chat interface, submit your request.

## Example questions
<a name="nsd-q-examples"></a>

Following are example questions about network security that you can ask Amazon Q Developer:
+ Identify my top network security findings
+ Identify my top network security findings in the account 123456789010
+ Identify my top network security findings in us-west-2
+ Summarize the network security of my environment
+ Are my systems at risk of DDoS attacks?
+ How can I improve my network security?
+ Do I have any resources without WAF protection?
+ Which resources are not protected from common web vulnerabilities?
+ What are the common network security issues on my EC2 instances?
+ Do I have any WAF web ACLs that aren't protecting anything?

## Data protection considerations
<a name="nsd-security-insights-protection"></a>

For information about how Amazon Q Developer stores your conversations, see [Data protection in Amazon Q Developer](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/data-protection.html) in the *Amazon Q Developer User Guide*.

For information about how Amazon Q Developer uses cross region processing, see [Cross region processing in Amazon Q Developer](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/cross-region-processing.html) in the *Amazon Q Developer User Guide*.

## AWS Shield network security director quotas
<a name="nsd-limits"></a>

AWS accounts have default quotas, formerly referred to as limits, for each AWS service. The following table describes the quotas for network security director. For information about quotas that can be changed, see [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).


| Resource | Default Quota | 
| --- | --- | 
| Maximum resources processed per scan | 300,000 | 
| Maximum number of edges per resource | 200 | 
| Maximum number of accounts enabled per region per organization | 15,000 | 
| Maximum Q prompts per organization per month | 200 | 

When network security director reaches the maximum number of resources that it can process in a network analysis or the maximum number of edges per resource, the network analysis fails. You are not charged for the failed network analysis.

# Troubleshooting AWS Shield network security director
<a name="troubleshooting"></a>

## Unsupported Cross-Account Shared Resources
<a name="unsupported-shared-resources"></a>

AWS Shield network security director does not support certain cross-account shared resources. When attempting to scan these resources, you'll receive error messages indicating the resources cannot be analyzed.


**Unsupported Shared Resources and Error Messages**  

| Resource Type | Error Message | 
| --- | --- | 
| Network Firewall FirewallPolicy | network-firewall:DescribeFirewallPolicy not supported on shared resources | 
| Network Firewall Stateful rule group | network-firewall:DescribeRuleGroup not supported on shared resources | 
| Network Firewall Stateless rule group | network-firewall:DescribeRuleGroup not supported on shared resources | 
| EC2 PrefixList | ec2:GetManagedPrefixListEntries not supported on shared resources | 

## Availability of Resources, Findings, and Suppression
<a name="finding-availability"></a>

If an account leaves an organization or network security director is disabled for an account, the following occurs:
+ **Findings and Resources:** Findings from the account will be removed once the service is disabled for the account. This process typically takes a few minutes but could be longer.
+ **Suppressions:** Suppressions are deleted within 90 days of disabling the service for an account. If the service is re-enabled for an account within this 90-day period, existing suppressions might still be available, but availability is not guaranteed. Suppressions must be removed before disabling the service for an account to avoid this uncertainty.

## Performance Considerations
<a name="performance-considerations"></a>

AWS Shield network security director is designed to provide daily data refreshes for your organization's network analysis. However, performance can vary based on your organization's size and region.

Organizations with a large number of accounts may experience longer refresh cycles, with data refreshes occurring after multiple days for individual accounts. Additionally, performance can vary significantly by Region, with opt-in regions in particular experiencing slow performance and extended refresh times.

For improved performance and more frequent data refreshes, we recommend enabling network security director for accounts that are specifically relevant to each region. This recommendation is especially critical for opt-in regions.

## Additional Resources
<a name="additional-resources"></a>

If you encounter issues not addressed in this troubleshooting guide, please contact AWS Support for additional assistance.

# Security in your use of the AWS Shield network security director
<a name="nsd-security"></a>

**Note**  
AWS Shield network security director is in public preview release and is subject to change. 

This section describes the key security considerations for using this network security director preview.

**Data sources**  
When you run an analysis, network security director retrieves information about your [AWS resources](https://aws.amazon.com/resourceexplorer/) using public AWS API endpoints. The information retrieved includes resource attributes that are available to your account through the public AWS APIs.

AWS Shield network security director also uses internal AWS data sources and threat intelligence to identify findings and recommend remediations.

**Data encryption**  
Review the following encryption considerations when using network security director.
+ **Encryption at rest** – All data is protected at rest.
+ **Encryption in transit** – All data is protected in transit using Transport Layer Security (TLS) encryption. All communication is authenticated using AWS Signature Version 4 (SigV4). For information about SigV4, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon S3 User Guide*.
+ **Key management** – Customer-managed keys are not currently supported.

**Topics**
+ [Identity and Access Management for AWS Shield network security director](nsd-iam.md)
+ [Identity-based policy examples for AWS Shield network security director](security-nsd-with-iam-id-based-policies.md)
+ [Using service-linked roles for AWS Shield network security director](security_iam_nsd-with-iam-roles-service-linked.md)

# Identity and Access Management for AWS Shield network security director
<a name="nsd-iam"></a>

**Note**  
AWS Shield network security director is in public preview release and is subject to change. 

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Shield network security director resources. IAM is an AWS service that you can use with no additional charge.

Review the guidance in this section to understand how to use supported policies and roles for AWS Shield network security director.

## How AWS Shield network security director works with IAM
<a name="security_iam_nsd-with-iam"></a>

This section explains how to use the features of IAM with AWS Shield network security director.

Before you use IAM to manage access to network security director, learn what IAM features are available to use with network security director.

**IAM features you can use with AWS Shield network security director**  

| IAM feature | AWS Shield network security director support | 
| --- | --- | 
| [Identity-based policies](#iam_nsd-with-iam-id-based-policies) | Yes | 
| [Service-linked roles](security_iam_nsd-with-iam-roles-service-linked.md) | Yes | 

To get a high-level view of how network security director and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

### Identity-based policies for network security director
<a name="iam_nsd-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

To view examples of AWS Shield network security director identity-based policies, see [Identity-based policy examples for AWS Shield network security director](security-nsd-with-iam-id-based-policies.md).

### Service-linked roles for network security director
<a name="iam_nsd-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

For details about creating or managing network security director service-linked roles, see [Using service-linked roles for AWS Shield network security director](security_iam_nsd-with-iam-roles-service-linked.md).

# Identity-based policy examples for AWS Shield network security director
<a name="security-nsd-with-iam-id-based-policies"></a>

**Note**  
When you start using AWS Shield network security director, we automatically create a service-linked role that satisfies all the minimum permissions requirements. Creating and managing your own identity-based policies is optional. 

To provide appropriate access to network security director, you can create identity-based policies that grant the necessary permissions for administrative and read-only access.

For more information about creating and managing IAM policies, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.

These permissions allow AWS Shield network security director to perform comprehensive security analysis and provide accurate network security recommendations. The example policies provided in this guide are designed for common use cases. You can use these policies as a starting point and modify them as needed to meet your specific requirements.

**Example policies in this guide**
+ [Administrative access identity-based policy](#nsd-security-admin-id-based-policy)
+ [Read-only access identity-based policy](#nsd-security-readonly-id-based-policy)

## Policy best practices
<a name="security_iam_nsd-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete network security director resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Updates to identity-based policies
<a name="security-nsd-with-iam-id-based-policies-updates"></a>

As updates and features are added to network security director, you may need to update your identity-based policies to include additional permissions. Monitor this guide for information about new permissions that may be required.

Unlike AWS managed policies, customer managed policies are not automatically updated. You are responsible for maintaining and updating these policies as needed.

For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Administrative access identity-based policy
<a name="nsd-security-admin-id-based-policy"></a>

Create an identity-based policy with the following example to provide full administrative access to network security director operations and the ability to create the required service-linked role.

**Policy name**: NetworkSecurityDirectorAdminPolicy

**Policy description**: Allows full administrative access to AWS Shield network security director operations and also provides access to create or delete the service-linked role for network security director.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "network-security-director:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/network-security-director.amazonaws.com/AWSServiceRoleForNetworkSecurityDirector"
    }
  ]
}
```

------

## Read-only access identity-based policy
<a name="nsd-security-readonly-id-based-policy"></a>

Create an identity-based policy with the following policy example to provide read-only access to network security director operations.

**Policy name**: NetworkSecurityDirectorReadOnlyPolicy

**Policy description**: Allows read-only access to AWS Shield network security director.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "network-security-director:Get*",
        "network-security-director:List*"
      ],
      "Resource": "*"
    }
  ]
}
```

------
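As an added example that is not part of this guide, the following Python script checks the two example policies above against the network security director API operations that CloudTrail logs (listed later in this guide). It uses a deliberately reduced, single-policy model of IAM evaluation (Allow statements with `*`/`?` wildcards only; no Deny, Condition, NotAction, or permissions boundaries), and the account ID in the role ARNs is a constructed placeholder. It confirms that the read-only policy excludes `UpdateFinding` and that the administrative policy can create only the network security director service-linked role.

```python
"""Compare the administrative and read-only example policies from this guide.

Added example, not AWS code. Reduced model of IAM evaluation: Allow statements
only, '*' and '?' wildcards in Action and Resource, case-insensitive action
names, case-sensitive resource ARNs. Deny, Condition, NotAction/NotResource
and permissions boundaries are out of scope.
"""
import fnmatch
import json

# The two identity-based policies exactly as shown above.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["network-security-director:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
     "Resource": "arn:aws:iam::*:role/aws-service-role/network-security-director.amazonaws.com/AWSServiceRoleForNetworkSecurityDirector"}
  ]
}
""")

READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["network-security-director:Get*", "network-security-director:List*"],
     "Resource": "*"}
  ]
}
""")

# API operations listed in the CloudTrail section of this guide.
NSD_OPERATIONS = [
    "ListResources", "GetResource", "ListFindings", "GetFinding",
    "UpdateFinding", "ListRemediations", "ListInsights", "ListAccountSummaries",
]

# Role ARNs with a constructed account ID: the SLR the admin policy is scoped
# to, and a second service-linked role the same statement must NOT cover.
NSD_SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
               "network-security-director.amazonaws.com/AWSServiceRoleForNetworkSecurityDirector")
OTHER_SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
                 "some-other-service.amazonaws.com/AWSServiceRoleForSomeOtherService")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_sensitive):
    """IAM-style match: '*' spans any characters (including ':' and '/'), '?' one."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if at least one Allow statement matches both the action and the resource."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        action_ok = any(_wildcard_match(p, action, False)
                        for p in _as_list(statement["Action"]))
        resource_ok = any(_wildcard_match(p, resource, True)
                          for p in _as_list(statement["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def operations_allowed(policy):
    """Network security director operations a policy permits on any resource."""
    return sorted(op for op in NSD_OPERATIONS
                  if is_allowed(policy, f"network-security-director:{op}", "arn:placeholder"))


def can_create_nsd_slr(policy):
    """True if the policy lets the caller create the network security director SLR."""
    return is_allowed(policy, "iam:CreateServiceLinkedRole", NSD_SLR_ARN)


if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_POLICY), ("read-only", READ_ONLY_POLICY)):
        print(f"{name}: {operations_allowed(policy)}; "
              f"can create NSD SLR: {can_create_nsd_slr(policy)}")
```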

# Using service-linked roles for AWS Shield network security director
<a name="security_iam_nsd-with-iam-roles-service-linked"></a>

This section explains how to use service-linked roles to give AWS Shield network security director access to resources in your AWS account.

AWS Shield network security director uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Shield network security director. Service-linked roles are predefined by AWS Shield network security director and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up AWS Shield network security director easier because you don’t have to manually add the necessary permissions. AWS Shield network security director defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Shield network security director can assume its roles. The defined permissions include the trust policy and the permissions policy. That permissions policy can't be attached to any other IAM entity.

See the full service-linked role in the IAM console: [NetworkSecurityDirectorServiceLinkedRolePolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/NetworkSecurityDirectorServiceLinkedRolePolicy).

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Shield network security director
<a name="slr-permissions"></a>

The `AWSServiceRoleForNetworkSecurityDirector` service-linked role, whose permissions policy is `NetworkSecurityDirectorServiceLinkedRolePolicy`, trusts the following service to assume the role:
+ `network-director.amazonaws.com`

The `NetworkSecurityDirectorServiceLinkedRolePolicy` policy grants AWS Shield network security director permissions to access and analyze various AWS resources and services on your behalf. This includes:
+ Retrieving network configuration and security settings from Amazon EC2 resources
+ Accessing CloudWatch metrics to analyze network traffic patterns
+ Gathering information about load balancers and target groups
+ Collecting AWS WAF configurations and rules
+ Accessing AWS Direct Connect gateway information
+ And more, as detailed in the permissions list below

The following listing is for permissions that don't support downscoping to specific resources. The rest are downscoped for the indicated service resources.

```
 {
  "Sid": "ResourceLevelPermissionNotSupported",
  "Effect": "Allow",
  "Action": [
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeCustomerGateways",
    "ec2:DescribeInstances",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeManagedPrefixLists",
    "ec2:DescribeNatGateways",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribePrefixLists",
    "ec2:DescribeRegions",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGatewayPeeringAttachments",
    "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServiceConfigurations",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeVpcs",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpnGateways",
    "ec2:GetTransitGatewayRouteTablePropagations",
    "ec2:GetManagedPrefixListEntries",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroupAttributes",
    "elasticloadbalancing:DescribeRules",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "wafv2:ListWebACLs",
    "cloudfront:ListDistributions",
    "cloudfront:ListTagsForResource",
    "directconnect:DescribeDirectConnectGateways",
    "directconnect:DescribeVirtualInterfaces"
  ],
  "Resource": "*"
}
```

**`NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role permissions**  
The following list covers all permissions enabled by the `NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role.

Amazon CloudFront

```
 {
  "Sid": "cloudfront",
  "Effect": "Allow",
  "Action": [
    "cloudfront:GetDistribution"
  ],
  "Resource": "arn:aws:cloudfront::*:distribution/*"
 }
```

AWS WAF

```
 {
  "Sid": "wafv2",
  "Effect": "Allow",
  "Action": [
    "wafv2:ListResourcesForWebACL",
    "wafv2:ListRuleGroups",
    "wafv2:ListAvailableManagedRuleGroups",
    "wafv2:GetRuleGroup",
    "wafv2:DescribeManagedRuleGroup",
    "wafv2:GetWebACL"
  ],
  "Resource": [
    "arn:aws:wafv2:*:*:global/rulegroup/*",
    "arn:aws:wafv2:*:*:regional/rulegroup/*",
    "arn:aws:wafv2:*:*:global/managedruleset/*",
    "arn:aws:wafv2:*:*:regional/managedruleset/*",
    "arn:aws:wafv2:*:*:global/webacl/*/*",
    "arn:aws:wafv2:*:*:regional/webacl/*/*",
    "arn:aws:apprunner:*:*:service/*",
    "arn:aws:cognito-idp:*:*:userpool/*",
    "arn:aws:ec2:*:*:verified-access-instance/*"
  ]
 }
```

AWS WAF Classic

```
 {
  "Sid": "classicWaf",
  "Effect": "Allow",
  "Action": [
    "waf:ListWebACLs",
    "waf:GetWebACL"
  ],
  "Resource": [
    "arn:aws:waf::*:webacl/*",
    "arn:aws:waf-regional:*:*:webacl/*"
  ]
}
```

AWS Direct Connect

```
 {
  "Sid": "directconnect",
  "Effect": "Allow",
  "Action": [
    "directconnect:DescribeConnections",
    "directconnect:DescribeDirectConnectGatewayAssociations",
    "directconnect:DescribeDirectConnectGatewayAttachments",
    "directconnect:DescribeVirtualGateways"
  ],
  "Resource": [
    "arn:aws:directconnect::*:dx-gateway/*",
    "arn:aws:directconnect:*:*:dxcon/*",
    "arn:aws:directconnect:*:*:dxlag/*",
    "arn:aws:directconnect:*:*:dxvif/*"
  ]
 }
```

AWS Transit Gateway routes

```
 {
  "Sid": "ec2Get",
  "Effect": "Allow",
  "Action": [
    "ec2:SearchTransitGatewayRoutes"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:transit-gateway-route-table/*"
  ]
 }
```

AWS Network Firewall

```
 {
  "Sid": "networkFirewall",
  "Effect": "Allow",
  "Action": [
    "network-firewall:ListFirewalls",
    "network-firewall:ListFirewallPolicies",
    "network-firewall:ListRuleGroups",
    "network-firewall:DescribeFirewall",
    "network-firewall:DescribeFirewallPolicy",
    "network-firewall:DescribeRuleGroup"
  ],
  "Resource": [
    "arn:aws:network-firewall:*:*:*/*"
  ]
}
```

Amazon API Gateway

```
 {
   "Sid": "apiGatewayGetAPI",
   "Effect": "Allow",
   "Action": [
     "apigateway:GET"
   ],
  "Resource": [
    "arn:aws:apigateway:*::/restapis",
    "arn:aws:apigateway:*::/restapis/*",
    "arn:aws:apigateway:*::/apis",
    "arn:aws:apigateway:*::/apis/*",
    "arn:aws:apigateway:*::/tags/*",
    "arn:aws:apigateway:*::/vpclinks",
    "arn:aws:apigateway:*::/vpclinks/*"
  ]
 }
```

## Creating a service-linked role for AWS Shield network security director
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you run your first network analysis, AWS Shield network security director creates the service-linked role for you. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable AWS Shield network security director logging, AWS Shield network security director creates the service-linked role for you again. 

## Editing a service-linked role for AWS Shield network security director
<a name="edit-slr"></a>

AWS Shield network security director doesn't allow you to edit the `AWSServiceRoleForNetworkSecurityDirector` service-linked role or its `NetworkSecurityDirectorServiceLinkedRolePolicy` permissions policy. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Shield network security director
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

This protects your AWS Shield network security director resources because you can't inadvertently remove permission to access the resources.

**Note**  
If the AWS Shield network security director service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the IAM API to delete the `AWSServiceRoleForNetworkSecurityDirector` service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for AWS Shield network security director service-linked roles
<a name="slr-regions"></a>

**Note**  
AWS Shield network security director is in public preview release and is subject to change. 

AWS Shield network security director supports using service-linked roles in the following Regions and can only retrieve data about your resources in these Regions.


| Region name | Region code | 
| --- | --- | 
| US East (N. Virginia) | us-east-1 | 
| Europe (Stockholm) | eu-north-1 | 
| Asia Pacific (Thailand) | ap-southeast-7 | 
| Africa (Cape Town) | ap-south-1 | 
| US East (Ohio) | us-east-2 | 
| Asia Pacific (Malaysia) | ap-southeast-5 | 
| Asia Pacific (Tokyo) | ap-northeast-1 | 
| US West (Oregon) | us-west-2 | 
| Europe (Spain) | eu-south-2 | 
| Europe (Ireland) | eu-west-1 | 
| Europe (Frankfurt) | eu-central-1 | 
| Asia Pacific (Hong Kong) | ap-east-1 | 
| Asia Pacific (Singapore) | ap-southeast-1 | 
| Asia Pacific (Sydney) | ap-southeast-2 | 

# Logging AWS Shield network security director API calls with AWS CloudTrail
<a name="logging-cloudtrail"></a>

AWS Shield network security director integrates with AWS CloudTrail to record all API calls as events. This integration captures calls made from the network security director console, programmatic calls to network security director APIs, and calls made from other AWS services.

With CloudTrail, you can view recent events in the Event history or create a trail to deliver ongoing logs to an Amazon Simple Storage Service bucket. These logs provide details about each request, including the identity of the caller, the time, the request parameters, and the response.

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

## network security director information in CloudTrail
<a name="cloudtrail-info"></a>

CloudTrail is automatically enabled on your AWS account. When activity occurs in network security director, it's recorded as an event in CloudTrail. For an ongoing record of events, create a trail that delivers log files to an Amazon S3 bucket.

For more information about creating and managing trails, see:
+ [Creating a Trail for Your AWS Account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS Service Integrations with CloudTrail Logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Receiving CloudTrail Log Files from Multiple Regions and Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

## network security director API operations logged by CloudTrail
<a name="api-operations-logged"></a>

All network security director API operations are logged by CloudTrail and documented in the API Reference. The following operations are included:
+ *ListResources*: Lists resources available in the service
+ *GetResource*: Retrieves detailed information about a specific resource
+ *ListFindings*: Lists security findings
+ *GetFinding*: Retrieves detailed information about a specific finding
+ *UpdateFinding*: Updates the status or other attributes of a finding
+ *ListRemediations*: Lists remediation recommendations for a finding
+ *ListInsights*: Lists insights based on findings and resources
+ *ListAccountSummaries*: Lists account summaries for an organization

## Understanding network security director log file entries
<a name="understanding-entries"></a>

CloudTrail log entries contain information about who made the request, when it was made, and what parameters were used. Here's an example of a ListAccountSummaries action:

```
{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
    "arn": "arn:aws:iam::111122223333:user/janedoe",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/janedoe",
        "accountId": "111122223333",
        "userName": "janedoe"
      },
      "attributes": {
        "creationDate": "2025-11-11T02:57:20Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2025-11-11T02:59:53Z",
  "eventSource": "network-security-director.amazonaws.com",
  "eventName": "ListAccountSummaries",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "aws-cli/1.18.147 Python/2.7.18 Linux/5.10.244-220.970.amzn2int.x86_64 botocore/1.18.6",
  "requestParameters": {
    "status": "ACTIVE",
    "sortBy": "SEVERITY",
    "maxResults": 2
  },
  "responseElements": null,
  "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
```

## Monitoring CloudTrail logs with Amazon CloudWatch
<a name="monitoring-cloudtrail"></a>

You can use Amazon CloudWatch to monitor and alert on specific API activity in CloudTrail logs. This helps you detect unauthorized access attempts, configuration changes, or unusual activity patterns.

To set up CloudWatch monitoring:

1. Configure your CloudTrail trail to send logs to CloudWatch Logs

1. Create metric filters to extract specific information from log events

1. Create alarms based on these metrics

For detailed instructions, see [Monitoring CloudTrail Log Files with Amazon CloudWatch Logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html).
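As an added example that is not part of this guide, the following Python script applies two detection rules to CloudTrail records in the shape of the `ListAccountSummaries` entry above: a write call to network security director (`UpdateFinding` is the one non-read-only operation in the list above) and any network security director call from a session that was not MFA-authenticated. The CloudWatch Logs metric filter patterns are my own equivalents for step 2 of the procedure, and the sample log file is constructed from the documentation placeholders.

```python
"""Detection rules for network security director activity in CloudTrail.

Added example, not AWS code. The records below are constructed (trimmed to the
fields the rules use) from the ListAccountSummaries entry shown in this guide;
account IDs, IP addresses and event IDs are the documentation placeholders.
"""
import json

NSD_EVENT_SOURCE = "network-security-director.amazonaws.com"

# The only non-read-only operation in this guide's list of logged operations.
NSD_WRITE_OPERATIONS = {"UpdateFinding"}

# Equivalent CloudWatch Logs metric filter patterns (assumed, written for this
# example) to use once the trail delivers logs to CloudWatch Logs.
METRIC_FILTER_PATTERNS = {
    "nsd-write-call": (
        '{ ($.eventSource = "network-security-director.amazonaws.com") '
        '&& ($.eventName = "UpdateFinding") }'
    ),
    "nsd-call-without-mfa": (
        '{ ($.eventSource = "network-security-director.amazonaws.com") '
        '&& ($.userIdentity.sessionContext.attributes.mfaAuthenticated = "false") }'
    ),
}

# Constructed log file in the delivered CloudTrail format: {"Records": [...]}.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # the guide's example: read-only call from a session without MFA
        "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "eventSource": NSD_EVENT_SOURCE, "eventName": "ListAccountSummaries",
        "readOnly": True, "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:user/janedoe",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
    {   # constructed: a finding status change from an MFA-authenticated session
        "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
        "eventSource": NSD_EVENT_SOURCE, "eventName": "UpdateFinding",
        "readOnly": False, "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.1",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:user/janedoe",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # constructed: unrelated service, must be ignored by both rules
        "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "readOnly": True, "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.1",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:user/janedoe",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
]})


def _mfa_authenticated(record):
    """CloudTrail stores the flag as the string "true"/"false" under sessionContext.
    A missing flag is treated as not MFA-authenticated (conservative)."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def evaluate_record(record):
    """Return the rule names a single record trips (empty for non-NSD events)."""
    if record.get("eventSource") != NSD_EVENT_SOURCE:
        return []
    hits = []
    # readOnly is the authoritative flag; the name set covers records lacking it.
    if record.get("readOnly") is False or record.get("eventName") in NSD_WRITE_OPERATIONS:
        hits.append("nsd-write-call")
    if not _mfa_authenticated(record):
        hits.append("nsd-call-without-mfa")
    return hits


def scan_log_file(log_file_text):
    """Parse a delivered CloudTrail log file; map each flagged eventID to its hits."""
    findings = {}
    for record in json.loads(log_file_text)["Records"]:
        hits = evaluate_record(record)
        if hits:
            findings[record["eventID"]] = {
                "rules": hits,
                "eventName": record.get("eventName"),
                "principal": record.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": record.get("sourceIPAddress"),
            }
    return findings


if __name__ == "__main__":
    for event_id, detail in scan_log_file(SAMPLE_LOG_FILE).items():
        print(event_id, detail)
```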

## Best practices for CloudTrail with network security director
<a name="best-practices"></a>

To maximize security and auditability with CloudTrail:
+ *Enable CloudTrail in all regions* for comprehensive coverage
+ *Enable log file integrity validation* to detect unauthorized modifications
+ *Use IAM to control access to CloudTrail logs* following least privilege principles
+ *Set up alerts for critical events* using CloudWatch alarms
+ *Regularly review CloudTrail logs* to identify unusual activity