
Prepare for consolidated controls view and consolidated control findings in AWS Security Hub

Currently, AWS Security Hub identifies controls and generates control findings in the context of security standards. Security Hub is aiming to release two new features in the first quarter of 2023 that will decouple controls from standards and streamline how you view and receive control findings.

    <p>The new features to be released are <em>consolidated controls view </em>and <em>consolidated control findings</em>. Consolidated controls view will provide you with a comprehensive view within the Security Hub console of your controls across security standards. This feature shall also introduce a single unique identifier for each control across security standards.</p> 
   <p>Consolidated control findings shall streamline your <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html" target="_blank" rel="noopener">control findings</a>. When this feature is turned on, Security Hub will produce a single finding for a security check even when a check is shared across multiple standards. This will reduce finding noise and help you focus on misconfigured resources in your AWS environment.</p> 
   <p>In this blog post, I’ll summarize the upcoming features, the benefit they bring to your organization, and how you can take advantage of them upon release.</p> 
   <h2>Feature 1: Consolidated controls view</h2> 
   <p>Currently, controls are identified, viewed, and managed in the context of individual security standards. In the Security Hub console, you first have to navigate to a specific standard to see a list of controls for that standard. Within the AWS Foundational Security Best Practices (FSBP) standard, Security Hub identifies controls by the impacted AWS service and a unique number (for example, IAM.1). For other standards, Security Hub includes the standard as part of the control identifier (for example, CIS 1.1 or PCI.AutoScaling.1).</p> 
   <p>After the release of consolidated controls view, you shall be able to see a consolidated list of your controls from a new <strong>Controls</strong> page in the Security Hub console. Security Hub will also assign controls a consistent security control ID across standards. Following the current naming convention of the AWS FSBP standard, control IDs shall include the relevant service and a unique number.</p> 
   <p>For example, the control <strong>AWS Config should be enabled</strong> is currently identified as Config.1 in the AWS FSBP standard, CIS 2.5 in the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0, CIS 3.5 in the CIS AWS Foundations Benchmark v1.4.0, and PCI.Config.1 in the Payment Card Industry Data Security Standard (PCI DSS). After this release, this control shall have a single identifier called <strong>Config.1</strong> across standards. The single <strong>Controls</strong> page and consistent identifier will help you rapidly discover misconfigurations with minimal context-switching.</p> 
   <p>You’ll be able to enable a control for one or more enabled standards that include the control. You’ll also be able to disable a control for one or more enabled standards. As before, you can enable the standards that apply to your business case.</p> 
   <h3>Changes to control finding values and fields after the release of consolidated controls view</h3> 
   <p>After the release of consolidated controls view, note the following changes to control finding fields and values in the AWS Security Finding Format (ASFF).</p> 
   <table border="1" width="0"> 
    <tbody> 
     <tr> 
      <td><strong>ASFF field</strong></td> 
      <td><strong>What changes after consolidated controls view release</strong></td> 
      <td><strong>Example value before consolidated controls view release</strong></td> 
      <td><strong>Example value after consolidated controls view release</strong></td> 
     </tr> 
     <tr> 
      <td><span>Compliance.SecurityControlId</span></td> 
      <td>A single control ID will apply across standards. <span>ProductFields.ControlId</span> will still provide the standards-based control ID.</td> 
      <td>Not applicable (new field)</td> 
      <td>EC2.2</td> 
     </tr> 
     <tr> 
      <td><span>Compliance.AssociatedStandards</span></td> 
      <td>Will show the standards that a control is enabled for.</td> 
      <td>Not applicable (new field)</td> 
      <td>[“StandardsId”: “aws-foundational-security-best-practices/v/1.0.0”]</td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.RecommendationUrl</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td>https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation</td> 
      <td>https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation</td> 
     </tr> 
     <tr> 
      <td><span>Remediation.Recommendation.Text</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td>“For directions on how to fix this pressing issue, please consult the AWS Security Hub PCI DSS documentation.”</td> 
      <td>“For instructions on how to fix this pressing issue, see the AWS Security Hub documentation for EC2.2.”</td> 
     </tr> 
     <tr> 
      <td><span>Remediation.Recommendation.Url</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td>https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation</td> 
      <td>https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation</td> 
     </tr> 
    </tbody> 
   </table> 
   <h2>Feature 2: Consolidated control findings</h2> 
   <p>Currently, multiple standards contain separate controls for the same security check. Security Hub generates a separate finding per standard for each related control that is evaluated by the same security check.</p> 
   <p>After release of the consolidated control findings feature, you’ll be able to unify control findings across standards and reduce finding noise. This, in turn, will help you investigate and remediate failed findings more quickly. When you turn on consolidated control findings, Security Hub shall generate a single finding or finding update for each security check of a control, even if the check is shared across multiple standards.</p> 
   <p>For example, after you turn on the feature, you shall receive a single finding for a security check of Config.1 even if you’ve enabled this control for the AWS FSBP standard, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, and PCI DSS. If you don’t turn on consolidated control findings, you shall receive four separate findings for a security check of Config.1 if you’ve enabled this control for the AWS FSBP standard, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, and PCI DSS.</p> 
   <h3>Changes to control finding values and fields after turning on consolidated control findings</h3> 
   <p>If you turn on consolidated control findings, note the following changes to control finding values and fields in the ASFF. These changes are in addition to the changes previously described for consolidated controls view.</p> 
   <table border="1" width="0"> 
    <tbody> 
     <tr> 
      <td><strong>ASFF field</strong></td> 
      <td><strong>What changes after consolidated controls view release</strong></td> 
      <td><strong>Example value before consolidated controls view release</strong></td> 
      <td><strong>Example value after consolidated controls view release</strong></td> 
     </tr> 
     <tr> 
      <td><span>GeneratorId</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td><span>aws-foundational-security-best-practices/v/1.0.0/Config.1</span></td> 
      <td><span>security-control/Config.1</span></td> 
     </tr> 
     <tr> 
      <td><span>Title</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td><span>PCI.Config.1 AWS Config should be enabled</span></td> 
      <td><span>AWS Config should be enabled</span></td> 
     </tr> 
     <tr> 
      <td><span>Id</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td><span>arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.IAM.5/finding/ab6d6a26-a156-48f0-9403-115983e5a956</span> </td> 
      <td><span>arn:aws:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956</span></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.ControlId</span></td> 
      <td>This field will be removed in favor of a single, standard-agnostic control ID.</td> 
      <td><span>PCI.EC2.2</span></td> 
      <td><strong>Removed.</strong> <span>See Compliance.SecurityControlId instead.</span></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.RuleId</span></td> 
      <td>This field will be removed in favor of a single, standard-agnostic control ID.</td> 
      <td>1.3</td> 
      <td><strong>Removed. </strong>See <span>Compliance.SecurityControlId</span> instead.</td> 
     </tr> 
     <tr> 
      <td><span>Description</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td><span>This PCI DSS control checks whether AWS Config is enabled in the current account and region.</span></td> 
      <td><span>This AWS control checks whether AWS Config is enabled in the current account and region.</span></td> 
     </tr> 
     <tr> 
      <td><span>Severity</span></td> 
      <td>Security Hub will no longer use the Product field to describe the severity of a finding.</td> 
      <td><span>“Severity”: {<br>“Product”: 90,<br>“Label”: “CRITICAL”,<br>“Normalized”: 90,<br>“Original”: “CRITICAL”<br>},</span></td> 
      <td><span>“Severity”: {<br>“Label”: “CRITICAL”,<br>“Normalized”: 90,<br>“Original”: “CRITICAL”<br>},</span></td> 
     </tr> 
     <tr> 
      <td><span>Types</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td><span>[“Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS”]</span></td> 
      <td><span>[“Software and Configuration Checks/Industry and Regulatory Standards”]</span></td> 
     </tr> 
     <tr> 
      <td><span>Compliance.RelatedRequirements</span></td> 
      <td>This field will show related requirements across associated standards.</td> 
      <td><span>[ “PCI DSS 10.5.2”,<br>“PCI DSS 11.5”]</span></td> 
      <td><span>[ “PCI DSS v3.2.1/10.5.2”,<br>“PCI DSS v3.2.1/11.5”,<br>“CIS AWS Foundations Benchmark v1.2.0/2.5”]</span></td> 
     </tr> 
     <tr> 
      <td><span>CreatedAt</span></td> 
      <td>Format will remain the same, but value will reset when you turn on consolidated control findings.</td> 
      <td><span>2022-05-05T08:18:13.138Z</span></td> 
      <td><span>2022-09-25T08:18:13.138Z</span></td> 
     </tr> 
     <tr> 
      <td><span>FirstObservedAt</span></td> 
      <td>Format will remain the same, but value will reset when you turn on consolidated control findings.</td> 
      <td><span>2022-05-07T08:18:13.138Z</span></td> 
      <td><span>2022-09-28T08:18:13.138Z</span></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.RecommendationUrl</span></td> 
      <td>This field will be replaced by <span>Remediation.Recommendation.Url.</span></td> 
      <td><span>https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation</span></td> 
      <td><strong>Removed</strong>. See <span>Remediation.Recommendation.Url instead.</span></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.StandardsArn</span></td> 
      <td>This field will be replaced by <span>Compliance.AssociatedStandards.</span></td> 
      <td><span>arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0</span></td> 
      <td><strong>Removed</strong>. See <span>Compliance.AssociatedStandards</span> instead.</td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.StandardsControlArn</span></td> 
      <td>This field will be removed because Security Hub will generate one finding for a security check across standards.</td> 
      <td><span>arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/Config.1</span></td> 
      <td><strong>Removed.</strong></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.StandardsGuideArn</span></td> 
      <td>This field will be replaced by Compliance.AssociatedStandards.</td> 
      <td><span>arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0</span></td> 
      <td><strong>Removed</strong>. See <span>Compliance.AssociatedStandards instead.</span></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.StandardsGuideSubscriptionArn</span></td> 
      <td>This field will be removed because Security Hub will generate one finding for a security check across standards.</td> 
      <td><span>arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0</span></td> 
      <td><strong>Removed.</strong></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.StandardsSubscriptionArn</span></td> 
      <td>This field will be removed because Security Hub will generate one finding for a security check across standards.</td> 
      <td><span>arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0</span></td> 
      <td><strong>Removed.</strong></td> 
     </tr> 
     <tr> 
      <td><span>ProductFields.aws/securityhub/FindingId</span></td> 
      <td>This field will no longer reference a standard.</td> 
      <td><span>arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67</span></td> 
      <td><span>arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67</span></td> 
     </tr> 
    </tbody> 
   </table> 
   <h3>New values for customer-provided finding fields after turning on consolidated control findings</h3> 
   <p>When you turn on consolidated control findings, Security Hub will archive the existing findings and generate new findings. To view archived findings, you can visit the <strong>Findings</strong> page of the Security Hub console with the <strong>Record state</strong> filter set to ARCHIVED, or use the <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html" target="_blank" rel="noopener">GetFindings</a> API action. Updates you’ve made to the original finding fields in the Security Hub console or by using the <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html" target="_blank" rel="noopener">BatchUpdateFindings</a> API action will not be preserved in the new findings (if needed, you can recover this data by referring to the archived findings).</p> 
   <p>Note the following changes to customer-provided control finding fields when you turn on consolidated control findings.</p> 
   <table border="1" width="0"> 
    <tbody> 
     <tr> 
      <td><strong>Customer-provided ASFF field</strong></td> 
      <td><strong>Description of change after turning on consolidated control findings</strong></td> 
     </tr> 
     <tr> 
      <td><span>Confidence</span></td> 
      <td>Will reset to empty state.</td> 
     </tr> 
     <tr> 
      <td><span>Criticality</span></td> 
      <td>Will reset to empty state.</td> 
     </tr> 
     <tr> 
      <td><span>Note</span></td> 
      <td>Will reset to empty state.</td> 
     </tr> 
     <tr> 
      <td><span>RelatedFindings</span></td> 
      <td>Will reset to empty state.</td> 
     </tr> 
     <tr> 
      <td><span>Severity</span></td> 
      <td>The default severity of the finding (matches the severity of the control).</td> 
     </tr> 
     <tr> 
      <td><span>Types</span></td> 
      <td>Will reset to standard-agnostic value.</td> 
     </tr> 
     <tr> 
      <td><span>UserDefinedFields</span></td> 
      <td>Will reset to empty state.</td> 
     </tr> 
     <tr> 
      <td><span>VerificationState</span></td> 
      <td>Will reset to empty state.</td> 
     </tr> 
     <tr> 
      <td><span>Workflow</span></td> 
      <td>New failed findings will have a default value of <span>NEW</span>. New passed findings will have a default value of <span>RESOLVED</span>.</td> 
     </tr> 
    </tbody> 
   </table> 
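   <p>The following sketch shows one way to recover customer-provided values from the archived findings. It is an added example, not code from AWS or from the original post: it builds <span>BatchUpdateFindings</span> arguments for each new consolidated finding from the archived per-standard findings for the same resource and control. It assumes the archived findings already carry <span>Compliance.SecurityControlId</span>; the helper names and sample findings are constructed.</p>

```python
# Added example (not AWS code): build BatchUpdateFindings arguments that copy
# customer-provided fields from archived per-standard findings to the new
# consolidated finding for the same resource and control.

CARRY_OVER = ("Confidence", "Criticality", "UserDefinedFields", "VerificationState")
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"


def check_key(finding):
    # Assumption: archived findings already carry Compliance.SecurityControlId.
    return (finding["Resources"][0]["Id"],
            finding["Compliance"]["SecurityControlId"])


def carry_over_updates(archived, consolidated):
    """Return one BatchUpdateFindings kwargs dict per consolidated finding
    that has customer data to restore."""
    merged, statuses = {}, {}
    # Oldest first, so the most recently updated archived finding wins.
    for old in sorted(archived, key=lambda f: f["UpdatedAt"]):
        if old.get("RecordState") != "ARCHIVED":
            continue
        key = check_key(old)
        fields = merged.setdefault(key, {})
        fields.update({n: old[n] for n in CARRY_OVER if n in old})
        if "Note" in old:
            # BatchUpdateFindings takes Text and UpdatedBy only.
            fields["Note"] = {"Text": old["Note"]["Text"],
                              "UpdatedBy": old["Note"]["UpdatedBy"]}
        statuses.setdefault(key, set()).add(
            (old.get("Workflow") or {}).get("Status"))
    updates = []
    for new in consolidated:
        key = check_key(new)
        kwargs = dict(merged.get(key, {}))
        # Re-suppress only if every archived finding for the check was
        # suppressed; a partial suppression must not hide the new finding.
        if statuses.get(key) == {"SUPPRESSED"}:
            kwargs["Workflow"] = {"Status": "SUPPRESSED"}
        if kwargs:
            kwargs["FindingIdentifiers"] = [
                {"Id": new["Id"], "ProductArn": new["ProductArn"]}]
            updates.append(kwargs)
    return updates


def _sample(finding_id, control, state, updated_at, **extra):
    # Constructed finding, reduced to the fields this example reads.
    return {"Id": finding_id, "ProductArn": PRODUCT_ARN, "RecordState": state,
            "UpdatedAt": updated_at,
            "Resources": [{"Id": "AWS::::Account:123456789012"}],
            "Compliance": {"SecurityControlId": control}, **extra}


# Constructed sample data: two archived findings for Config.1 (one
# suppressed, one not) and one suppressed archived finding for EC2.2.
ARCHIVED = [
    _sample("sample-fsbp-config1", "Config.1", "ARCHIVED",
            "2022-05-07T08:18:13.138Z", Workflow={"Status": "SUPPRESSED"},
            Note={"Text": "Accepted until Q3", "UpdatedBy": "analyst-a",
                  "UpdatedAt": "2022-05-07T08:18:13.138Z"}),
    _sample("sample-pci-config1", "Config.1", "ARCHIVED",
            "2022-05-05T08:18:13.138Z", Workflow={"Status": "NEW"},
            Criticality=80),
    _sample("sample-pci-ec22", "EC2.2", "ARCHIVED",
            "2022-05-05T08:18:13.138Z", Workflow={"Status": "SUPPRESSED"}),
]
CONSOLIDATED = [
    _sample("sample-new-config1", "Config.1", "ACTIVE", "2022-09-28T08:18:13.138Z"),
    _sample("sample-new-ec22", "EC2.2", "ACTIVE", "2022-09-28T08:18:13.138Z"),
]

if __name__ == "__main__":
    for update in carry_over_updates(ARCHIVED, CONSOLIDATED):
        print(update)
```

   <p>Each returned dictionary can be passed as keyword arguments to one <span>BatchUpdateFindings</span> call, for example through an SDK client.</p>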
   <h3>How to turn consolidated control findings on and off</h3> 
   <p>Follow these instructions to turn consolidated control findings on and off.</p> 
   <h4>New accounts</h4> 
   <p>If you enable Security Hub for an AWS account for the first time on or after the time when consolidated control findings is released, by default consolidated control findings will be <em>turned on</em> for your account. You can turn it off at any time. However, we recommend keeping it turned on to minimize finding noise.</p> 
   <p>If you use the Security Hub integration with <a href="https://aws.amazon.com/organizations/" target="_blank" rel="noopener">AWS Organizations</a>, consolidated control findings will be turned on for new member accounts if the administrator account has turned on the feature. If the administrator account has turned it off, it will be turned off for new subordinate AWS accounts (member accounts) as well.</p> 
   <h4>Existing accounts</h4> 
   <p>If your Security Hub account already existed before consolidated control findings is released, your account will have consolidated control findings <em>turned</em> <em>off</em> by default. You can turn it on at any time. We recommend turning it on to minimize finding noise. If you use AWS Organizations, consolidated control findings will be turned on or off for existing member accounts based on the settings of the administrator account.</p> 
   <p><strong>To turn consolidated control findings on and off (Security Hub console)</strong></p> 
   <ol> 
    <li>In the navigation pane, choose <strong>Settings</strong>.</li> 
    <li>Choose the <strong>General </strong>tab.</li> 
    <li>For <strong>Controls</strong>, turn on <strong>Consolidated control findings</strong>. Turn it off to receive multiple findings for each standard.</li> 
    <li>Choose <strong>Save</strong>.</li> 
   </ol> 
   <p><strong>To turn consolidated control findings on and off (Security Hub API)</strong></p> 
   <ul> 
    <li>Run the <span>UpdateSecurityHubConfiguration</span> API action. Use the new <span>ControlFindingGenerator</span> attribute to change whether an account uses consolidated control findings: 
     <ul> 
      <li>To turn on consolidated control findings, set <span>ControlFindingGenerator</span> equal to <span>SECURITY_CONTROL</span>.</li> 
      <li>To turn it off, set <span>ControlFindingGenerator</span> equal to <span>STANDARD_CONTROL</span>.</li> 
     </ul> </li> 
   </ul> 
   <p><strong>To turn consolidated control findings on and off (AWS CLI)</strong></p> 
   <ul> 
    <li>In the AWS CLI, run the <span>update-security-hub-configuration</span> command. Use the new <span>control-finding-generator</span> attribute to change whether an account uses consolidated control findings: 
     <ul> 
      <li>To turn on consolidated control findings, set <span>control-finding-generator</span> equal to <span>SECURITY_CONTROL</span>.</li> 
      <li>To turn it off, set <span>control-finding-generator</span> equal to <span>STANDARD_CONTROL</span>.</li> 
     </ul> </li> 
   </ul> 
   <h3>API permissions for consolidated control findings</h3> 
   <p>You’ll need <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> permissions for the following new API operations in order for consolidated control findings to work as expected:</p> 
   <ul> 
    <li><span>BatchGetSecurityControls </span>– Returns account and Region-specific data about a batch of controls.</li> 
    <li><span>ListSecurityControlDefinitions</span> – Returns information about controls that apply to a specified standard.</li> 
    <li><span>ListStandardsControlAssociations</span> – Identifies whether a control is currently associated with or dissociated from each enabled standard.</li> 
    <li><span>BatchGetStandardsControlAssociations</span> – For a batch of controls, identifies whether each control is currently associated with or dissociated from a specified standard.</li> 
    <li><span>BatchUpdateStandardsControlAssociations</span> – Used to associate a control with enabled standards that include the control, or to dissociate a control from enabled standards. This is a batch substitute for the UpdateStandardsControl API action if an administrator doesn’t want to allow member accounts to associate or dissociate controls.</li> 
    <li><span>BatchGetControlEvaluations</span> (private API) – Retrieves the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls.</li> 
   </ul> 
   <h2>How to prepare for control finding field and value changes</h2> 
   <p>If your workflows don’t rely on the specific format of any control finding fields, no action is required to prepare for the feature releases. We recommend that you immediately turn on consolidated control findings.</p> 
   <p>Consider waiting to turn on consolidated control findings if you currently rely on the <a href="https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/" target="_blank" rel="noopener">Automated Security Response on AWS</a> solution for predefined response and remediation actions. That solution does not yet support consolidated control findings. If you turn consolidated control findings on now, actions you deployed using the Automated Security Response solution will no longer work.</p> 
   <p>If you rely on the specific format of any control finding fields (for example, for custom automation), carefully review the upcoming finding field and value changes to ensure that your workflows will continue to function as intended. Note that the changes noted in the first table in this post might impact you if you rely on the specified control finding fields and values.</p> 
   <p>The changes noted in the second table and third table in this post will only impact you if you turn on consolidated control findings. For example, if you rely on <span>ProductFields.ControlId, GeneratorId,</span> or <span>Title</span>, you’ll be impacted if you turn on consolidated control findings. As another example, if you’ve created an <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener">Amazon CloudWatch</a> Events rule that initiates an action for a specific control ID (such as invoking an <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener">AWS Lambda</a> function if the control ID equals CIS 2.7), you’ll need to update the rule to use CloudTrail.2, the new <span>Compliance.SecurityControlId</span> field for that control.</p> 
   <p>If you’ve created custom insights by using the control finding fields or values that will change (see previous tables), we recommend updating those insights to use the new fields or values.</p> 
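   <p>For custom automation that has to keep working through the transition, one option is to resolve a single control ID from either finding format before acting on it. The following is an added example, not code from AWS or from the original post: it prefers <span>Compliance.SecurityControlId</span> and falls back to a lookup of legacy IDs that contains only the pairs named in this post. The function names and sample findings are constructed.</p>

```python
# Added example (not AWS code): resolve one control ID for a Security Hub
# control finding in either the per-standard or the consolidated format.

# Only the legacy/consolidated pairs named in this post; a complete table
# would be built from the control ID appendix in the user guide.
LEGACY_TO_CONSOLIDATED = {
    ("aws-foundational-security-best-practices/v/1.0.0", "Config.1"): "Config.1",
    ("cis-aws-foundations-benchmark/v/1.2.0", "2.5"): "Config.1",
    ("cis-aws-foundations-benchmark/v/1.4.0", "3.5"): "Config.1",
    ("pci-dss/v/3.2.1", "PCI.Config.1"): "Config.1",
    ("pci-dss/v/3.2.1", "PCI.EC2.2"): "EC2.2",
}


def standard_of(product_fields):
    """Return '<name>/v/<version>' from StandardsArn or StandardsGuideArn."""
    arn = (product_fields.get("StandardsArn")
           or product_fields.get("StandardsGuideArn") or "")
    # arn:aws:securityhub:::standards/<std> or arn:aws:securityhub:::ruleset/<std>
    tail = arn.partition(":::")[2]
    return tail.partition("/")[2]


def consolidated_control_id(finding):
    """Prefer Compliance.SecurityControlId; otherwise map the legacy ID.

    Raises KeyError for an unmapped legacy ID so automation fails loudly
    instead of silently skipping a finding.
    """
    compliance = finding.get("Compliance") or {}
    if compliance.get("SecurityControlId"):
        return compliance["SecurityControlId"]
    fields = finding.get("ProductFields") or {}
    key = (standard_of(fields), fields.get("ControlId") or fields.get("RuleId"))
    if key not in LEGACY_TO_CONSOLIDATED:
        raise KeyError(f"no consolidated control ID known for {key}")
    return LEGACY_TO_CONSOLIDATED[key]


def group_by_check(findings):
    """Group finding Ids by (resource Id, consolidated control ID)."""
    groups = {}
    for finding in findings:
        control = consolidated_control_id(finding)
        for resource in finding.get("Resources", []):
            groups.setdefault((resource["Id"], control), []).append(finding["Id"])
    return groups


def _legacy(finding_id, arn_field, standard_arn, id_field, legacy_id):
    # Constructed per-standard finding, reduced to the fields used above.
    return {"Id": finding_id,
            "Resources": [{"Id": "AWS::::Account:123456789012"}],
            "ProductFields": {arn_field: standard_arn, id_field: legacy_id}}


ARN = "arn:aws:securityhub:::"
# Constructed samples: the same AWS Config check reported under four standards.
LEGACY_FINDINGS = [
    _legacy("sample-fsbp", "StandardsArn",
            ARN + "standards/aws-foundational-security-best-practices/v/1.0.0",
            "ControlId", "Config.1"),
    _legacy("sample-cis-120", "StandardsGuideArn",
            ARN + "ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "RuleId", "2.5"),
    _legacy("sample-cis-140", "StandardsArn",
            ARN + "standards/cis-aws-foundations-benchmark/v/1.4.0",
            "ControlId", "3.5"),
    _legacy("sample-pci", "StandardsArn",
            ARN + "standards/pci-dss/v/3.2.1", "ControlId", "PCI.Config.1"),
]
# Constructed consolidated finding: no ProductFields.ControlId any more.
CONSOLIDATED_FINDING = {
    "Id": "sample-consolidated",
    "GeneratorId": "security-control/Config.1",
    "Resources": [{"Id": "AWS::::Account:123456789012"}],
    "Compliance": {"SecurityControlId": "Config.1"},
}

if __name__ == "__main__":
    everything = LEGACY_FINDINGS + [CONSOLIDATED_FINDING]
    for key, ids in group_by_check(everything).items():
        print(key, ids)
```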
   <h2>Conclusion</h2> 
   <p>This post covered the control finding fields and values that will change in Security Hub after release of the consolidated controls view and consolidated control findings features. We recommend that you carefully review the changes and update your workflows to start using the new fields and values as soon as the features become available.</p> 
   <p>For more information about the upcoming changes, see the Security Hub user guide, which includes <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/prepare-upcoming-features.html#more-info-consolidated-controls-view-consolidated-control-findings" target="_blank" rel="noopener">value changes for GeneratorId</a> , <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/prepare-upcoming-features.html#appendix-control-ids-titles-changes" target="_blank" rel="noopener">control title</a> changes, and <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/prepare-upcoming-features.html#appendix-sample-findings" target="_blank" rel="noopener">sample control findings</a> before and after the upcoming feature releases.</p> 