AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-02-26 · Documentation low

File: securityhub/latest/userguide/controls-overall-status.md

Summary

Updated documentation for Security Hub control status values and workflow behavior. Changes include rephrasing compliance status definitions, reorganizing content about status transitions, and clarifying regional availability timelines.

Security assessment

The changes primarily improve clarity and accuracy of existing security control documentation but do not address specific vulnerabilities or introduce new security features. Updates focus on status definitions and workflow behavior explanations without evidence of patching security issues.

Diff

diff --git a/securityhub/latest/userguide/controls-overall-status.md
index e05502f01..75d7d7a2b 100644
--- a/securityhub/latest/userguide/controls-overall-status.md
+++ b/securityhub/latest/userguide/controls-overall-status.md
@@ -15 +15 @@ The compliance status for each finding is assigned one of the following values:
-  * `PASSED` – Indicates that the control passed the security check for this finding. Automatically sets the Security Hub `Workflow.Status` to `RESOLVED`.
+  * `PASSED` – Indicates that the control passed the security check for the finding. This automatically sets the Security Hub `Workflow.Status` to `RESOLVED`.
@@ -17 +17 @@ The compliance status for each finding is assigned one of the following values:
-If `Compliance.Status` for a finding changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`, and `Workflow.Status` was either `NOTIFIED` or `RESOLVED`, then Security Hub automatically sets `Workflow.Status` to `NEW`.
+  * `FAILED` – Indicates that the control didn't pass the security check for the finding.
@@ -19 +19 @@ If `Compliance.Status` for a finding changes from `PASSED` to `FAILED`, `WARNING
-If you don't have resources corresponding to a control, Security Hub produces a `PASSED` finding at the account level. If you have a resource corresponding to a control but then delete the resource, Security Hub creates a `NOT_AVAILABLE` finding and archives it immediately. After 18 hours, you receive a `PASSED` finding since you no longer have resources corresponding to the control.
+  * `WARNING` – Indicates that Security Hub can't determine whether the resource is in a `PASSED` or `FAILED` state. For example, [AWS Config resource recording](./securityhub-setup-prereqs.html#config-resource-recording) isn't turned on for the corresponding resource type.
@@ -21 +21 @@ If you don't have resources corresponding to a control, Security Hub produces a
-  * `FAILED` – Indicates that the control didn't pass the security check for this finding.
+  * `NOT_AVAILABLE` – Indicates that the check can't be completed because a server failed, the resource was deleted, or the result of the AWS Config evaluation was `NOT_APPLICABLE`. If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub automatically archives the finding.
@@ -23 +22,0 @@ If you don't have resources corresponding to a control, Security Hub produces a
-  * `WARNING` – Indicates that the check was completed, but Security Hub can't determine whether the resource is in a `PASSED` or `FAILED` state.
@@ -25,3 +23,0 @@ If you don't have resources corresponding to a control, Security Hub produces a
-  * `NOT_AVAILABLE` – Indicates that the check can't be completed because a server failed, the resource was deleted, or the result of the AWS Config evaluation was `NOT_APPLICABLE`.
-
-If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub automatically archives the finding.
@@ -29,0 +26 @@ If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub automatic
+If the compliance status for a finding changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`, and `Workflow.Status` was either `NOTIFIED` or `RESOLVED`, Security Hub automatically changes `Workflow.Status` to `NEW`.
@@ -30,0 +28 @@ If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub automatic
+If you don't have resources corresponding to a control, Security Hub produces a `PASSED` finding at the account level. If you have a resource corresponding to a control but then delete the resource, Security Hub creates a `NOT_AVAILABLE` finding and archives it immediately. After 18 hours, you receive a `PASSED` finding because you no longer have resources corresponding to the control.
@@ -44 +42 @@ Control status is assigned one of the following values:
-  * **No data** – Indicates that there are no findings for the control. For example, a newly enabled control has this status until Security Hub starts to generate findings for it. A control also has this status if all of the findings are `SUPPRESSED` or if it's unavailable in the current Region.
+  * **No data** – Indicates that there are no findings for the control. For example, a newly enabled control has this status until Security Hub starts to generate findings for it. A control also has this status if all of its findings are `SUPPRESSED` or it's unavailable in the current AWS Region.
@@ -51 +49 @@ Control status is assigned one of the following values:
-For an administrator account, the control status reflects the control status in the administrator account and the member accounts. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the administrator account or any of the member accounts. If you have set an aggregation Region, the control status in the aggregation Region reflects the control status in the aggregation Region and the linked Regions. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the aggregation Region or any of the linked Regions.
+For an administrator account, control status reflects the control status for the administrator account and the member accounts. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the administrator account or any of the member accounts. If you have set an aggregation Region, the control status in the aggregation Region reflects the control status in the aggregation Region and the linked Regions. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the aggregation Region or any of the linked Regions.
@@ -53 +51 @@ For an administrator account, the control status reflects the control status in
-Security Hub typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or **Security standards** page of the Security Hub console. You must have [AWS Config resource recording](./controls-config-resources.html) configured for the control status to appear. After control statuses are generated for the first time, Security Hub updates control statuses every 24 hours based on the findings from the previous 24 hours. A timestamp on the control details page indicates when control status was last updated.
+Security Hub typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or the **Security standards** page on the Security Hub console. You must have [AWS Config resource recording](./controls-config-resources.html) configured for the control status to appear. After control statuses are generated for the first time, Security Hub updates control statuses every 24 hours based on the findings from the previous 24 hours. A timestamp on the control details page indicates when control status was last updated.
@@ -57 +55 @@ Security Hub typically generates the initial control status within 30 minutes af
-It can take up to 24 hours after enabling a control for first-time control statuses to be generated in the China Regions and AWS GovCloud (US) Region.
+After enabling a control for first time, it can take up to 24 hours for control statuses to be generated in the China Regions and the AWS GovCloud (US) Region.