SI-16—Memory Protection

MODERATE

HIGH

>Control Description

Implement the following controls to protect the system memory from unauthorized code execution: ⚙organization-defined controls.

>Cross-Framework Mappings

NIST CSF 2.0

via NIST CSF 2.0 Concept Crosswalk

PR.DS-10

Compare

SCF

SEA-10

Compare

>Programmatic Queries

Beta

Related Services

EC2 Nitro

Lambda

ECS

CLI Commands

Check Nitro Enclave support

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{Id:InstanceId,EnclaveOptions:EnclaveOptions.Enabled}'

List instances with EBS encryption

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{Id:InstanceId,Encrypted:BlockDeviceMappings[*].Ebs.Encrypted}'

Check Lambda memory config

aws lambda list-functions --query 'Functions[*].{Name:FunctionName,Memory:MemorySize,Architecture:Architectures}'

Verify EC2 instance types (for memory isolation)

aws ec2 describe-instance-types --instance-types INSTANCE_TYPE --query 'InstanceTypes[*].{Type:InstanceType,Hypervisor:Hypervisor,Nitro:NitroEnclavesSupport}'

Open AWS Console Documentation

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

SonarQube

>Supplemental Guidance

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.