AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-02-26 · Documentation low

File: securityhub/latest/userguide/controls-config-resources.md

Summary

Updated documentation to clarify AWS Config requirements for Security Hub controls, added resource recording details, improved grammar, and streamlined explanations about policy considerations and regional availability.

Security assessment

The changes improve documentation about security controls' configuration requirements (AWS Config setup) but do not address any specific security vulnerability. The updates enhance existing security documentation by clarifying prerequisites for accurate security findings.

Diff

diff --git a/securityhub/latest/userguide/controls-config-resources.md
index 4465403ab..68d715e6d 100644
--- a/securityhub/latest/userguide/controls-config-resources.md
+++ b/securityhub/latest/userguide/controls-config-resources.md
@@ -9 +9 @@ Required resources for all Security Hub controlsRequired resources for FSBP stan
-Some AWS Security Hub controls use service-linked AWS Config rules that detect configuration changes in your AWS resources. In order for Security Hub to generate accurate control findings, you must enable AWS Config and turn on resource recording in AWS Config. For context about how Security Hub uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub](./securityhub-setup-prereqs.html).
+Some AWS Security Hub controls use service-linked AWS Config rules that detect configuration changes in your AWS resources. For Security Hub to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For information about how Security Hub uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub](./securityhub-setup-prereqs.html). For detailed information about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_.
@@ -11 +11 @@ Some AWS Security Hub controls use service-linked AWS Config rules that detect c
-To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls with a _change triggered_ schedule type. Some controls with a _periodic_ schedule type also require resource recording. 
+To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls with a _change triggered_ schedule type. Some controls with a _periodic_ schedule type also require resource recording. This page lists the required resources for these Security Hub controls.
@@ -13,3 +13 @@ To receive accurate control findings, you must turn on AWS Config resource recor
-This page lists the required resources for each Security Hub control.
-
-Security Hub controls can rely on managed AWS Config rules or custom Security Hub rules. Make sure there is no AWS Identity and Access Management (IAM) policy or policy managed in Organizations which prevents AWS Config from having permission to record your resources. Security Hub control checks directly evaluate the configuration of a resource and don’t take Organizations policies into account. For more information about AWS Config recording, see [List of AWS Config Managed Rules – Considerations](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) in the _AWS Config Developer Guide_.
+Security Hub controls can rely on managed AWS Config rules or custom Security Hub rules. Make sure there aren't any AWS Identity and Access Management (IAM) policies or AWS Organizations managed policies that prevent AWS Config from having permission to record your resources. Security Hub controls evaluate resource configurations directly and don’t take AWS Organizations policies into account.
@@ -19 +17 @@ Security Hub controls can rely on managed AWS Config rules or custom Security Hu
-In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of Regional limits on Security Hub controls, see [Regional limits on Security Hub controls](./regions-controls.html).
+In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of these limits, see [Regional limits on Security Hub controls](./regions-controls.html).
@@ -23 +21 @@ In AWS Regions where a control isn't available, the corresponding resource isn't
-For Security Hub to generate findings for enabled Security Hub change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. This table also indicates which controls evaluate a particular resource. A single control may evaluate more than one resource.
+For Security Hub to generate findings for enabled Security Hub change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. This table also indicates which controls evaluate a particular resource. A single control may evaluate more than one resource.
@@ -210 +208 @@ Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` |  WorkSpaces.1 WorkSpaces.2
-For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices v1.0.0 (FSBP) change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see [AWS Foundational Security Best Practices v1.0.0 (FSBP) standard](./fsbp-standard.html).
+For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices v1.0.0 (FSBP) change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see [AWS Foundational Security Best Practices v1.0.0 (FSBP) standard](./fsbp-standard.html).
@@ -264 +262 @@ For more information about this standard, see [CIS AWS Foundations Benchmark](./
-For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.
+For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
@@ -275 +273 @@ Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::Bucket`
-For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.
+For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
@@ -286 +284 @@ Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::Bucket`
-For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.
+For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
@@ -295 +293 @@ AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy` `AWS::IAM::User`
-For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of _change triggered_. For more information about this standard, see [NIST SP 800-53 Rev. 5 in Security Hub](./nist-standard.html).
+For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of _change triggered_. For more information about this standard, see [NIST SP 800-53 Rev. 5 in Security Hub](./nist-standard.html).
@@ -342 +340 @@ AWS WAF |  `AWS::WAF::Rule` `AWS::WAF::RuleGroup` `AWS::WAF::WebACL` `AWS::WAFRe
-For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see [PCI DSS in Security Hub](./pci-standard.html).
+For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use an AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see [PCI DSS in Security Hub](./pci-standard.html).
@@ -359 +357 @@ Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance` `AWS::SSM
-All controls in the AWS Resource Tagging Standard are change triggered and use a AWS Config rule. For Security Hub to accurately report findings for these controls, you must record the following resources in AWS Config. For more information about this standard, see [AWS Resource Tagging Standard](./standards-tagging.html).
+All controls in the AWS Resource Tagging Standard are change triggered and use an AWS Config rule. For Security Hub to accurately report findings for these controls, you must record the following resources in AWS Config. For more information about this standard, see [AWS Resource Tagging Standard](./standards-tagging.html).
@@ -420 +418 @@ AWS Transfer Family  | `AWS::Transfer::Workflow`
-For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use a AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html).
+For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use an AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html).