Amazon Shield Network Security Director policies - Amazon Organizations

Amazon Shield Network Security Director policies

Amazon Shield Network Security Director helps secure your Amazon environment by discovering your compute, networking, and network security resources. Network Security Director evaluates each resource's security configuration by analyzing network topology and security configurations against Amazon best practices and threat intelligence.

Amazon Shield Network Security Director policies allow you to centrally enable and manage Network Security Director across accounts in your Amazon organization. With a Network Security Director policy, you specify which organizational entities (root, OUs, or accounts) have Network Security Director enabled. When accounts join your organization, they automatically inherit the applicable policies based on their location in the organizational hierarchy. This ensures that your resources are analyzed for network security configuration gaps as your organization grows. The policies respect existing organizational structures and provide flexibility in determining which accounts are analyzed.

Amazon Shield Network Security Director is currently available in preview.

How it works

When you attach an Amazon Shield Network Security Director policy to an organizational entity, the policy automatically enables Network Security Director for all member accounts within that scope. Also, if you have finalized Amazon Shield Network Security Director setup by registering a delegated administrator, that account will have centralized visibility over the network security posture of accounts in the organization that have Amazon Shield Network Security Director enabled.

Amazon Shield Network Security Director policies can be applied to the entire organization, to specific organizational units (OUs), or to individual accounts. Accounts that join the organization—or move into an OU with an attached policy—automatically inherit the policy and have Amazon Shield Network Security Director enabled and linked to the Network Security Director delegated administrator. Network Security Director policies allow you to enable a network analysis, view the network topology and network security findings for your resources, and receive remediation recommendations for resolving configuration gaps. Specific configuration settings and suppression of individual findings can be managed via the Network Security Director delegated administrator account for the organization.

When you attach an Amazon Shield Network Security Director policy to your organization or organizational unit, Amazon Organizations automatically evaluates the policy and applies it based on the scope you define. The policy enforcement logic follows specific conflict resolution rules:

  • When a region appears in both the enable and disable lists, the disable configuration takes precedence: Amazon Shield Network Security Director is disabled in that region even though it is also listed for enablement.

  • When ALL_SUPPORTED is specified for enablement, Amazon Shield Network Security Director is enabled in all current and future regions unless explicitly disabled. This allows you to maintain comprehensive coverage as Amazon expands into new regions.
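The two precedence rules above, worked through as an added illustration (this is not Amazon's policy schema or code): the enable and disable lists, the `ALL_SUPPORTED` sentinel and the set of supported regions are modelled as plain Python collections, and the region codes in the sample are constructed inputs.

```python
# Added example: the enable/disable precedence logic described above.
# Assumption: a policy is modelled as two lists of region codes, with the
# string "ALL_SUPPORTED" allowed in the enable list. This is an
# illustration of the rules only, not the Amazon Organizations policy JSON.
from typing import Dict, Iterable, List

ALL_SUPPORTED = "ALL_SUPPORTED"


def effective_regions(enable: Iterable[str], disable: Iterable[str],
                      supported: Iterable[str]) -> Dict[str, bool]:
    """Return {region: enabled?} for every region in `supported`.

    Rule 1: a region in the disable list is disabled, even if also enabled.
    Rule 2: ALL_SUPPORTED in the enable list enables every supported region,
            including regions added after the policy was written, unless
            that region is explicitly disabled.
    """
    enabled_set = set(enable)
    disabled_set = set(disable)
    enable_everything = ALL_SUPPORTED in enabled_set
    result: Dict[str, bool] = {}
    for region in supported:
        if region in disabled_set:          # disable always wins
            result[region] = False
        elif enable_everything or region in enabled_set:
            result[region] = True
        else:                                # not mentioned: stays off
            result[region] = False
    return result


def conflicting_regions(enable: Iterable[str], disable: Iterable[str]) -> List[str]:
    """Regions listed in both places; worth surfacing during policy review so a
    'disabled' outcome in a region you meant to cover is deliberate."""
    return sorted(set(enable) & set(disable))


if __name__ == "__main__":
    # Constructed sample policy and a constructed region list that includes a
    # region "added later" to show how ALL_SUPPORTED covers it automatically.
    supported = ["us-east-1", "eu-west-1", "ap-south-1", "new-region-1"]
    print(effective_regions(["us-east-1", "eu-west-1"], ["eu-west-1"], supported))
    print(effective_regions([ALL_SUPPORTED], ["ap-south-1"], supported))
    print(conflicting_regions(["us-east-1", "eu-west-1"], ["eu-west-1"]))
```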