AWS securityhub documentation change
Summary
Updated wording from 'select' to 'choose' in multiple places and added several new security controls including Connect.2, ECR.5, ELB.17, Glue.4, GuardDuty.11-13, NetworkFirewall.10, RDS.40, SQS.3, and Transfer.3
Security assessment
The changes add new security controls and improve wording, but there is no evidence these changes are in response to a specific security vulnerability or incident. The new controls document security best practices but are not tied to a specific security issue.
Diff
diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md index ca25c54bd..d563b4228 100644 --- a/securityhub/latest/userguide/securityhub-controls-reference.md +++ b/securityhub/latest/userguide/securityhub-controls-reference.md @@ -15 +15 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Applicable standards** – Indicates which standards a control applies to. Select a control to see specific requirements from third-party compliance frameworks. + * **Applicable standards** – Indicates which standards a control applies to. Choose a control to review specific requirements from third-party compliance frameworks. @@ -23 +23 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Select a control to see the parameter details. For more information, see [Understanding control parameters in Security Hub](./custom-control-parameters.html). + * **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Choose a control to review the parameter details. For more information, see [Understanding control parameters in Security Hub](./custom-control-parameters.html). @@ -28 +28 @@ Control IDs may skip numbers. These are placeholders for future controls. -Select a control to view further details. Controls are listed in alphabetical order of the service name. +Choose a control to review additional details. Controls are listed in alphabetical order by security control ID. @@ -123,0 +124 @@ Security control ID | Security control title | Applicable standards | Severity | +[Connect.2](./connect-controls.html#connect-2) | Amazon Connect instances should have CloudWatch logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered @@ -208,0 +210 @@ Security control ID | Security control title | Applicable standards | Severity | +[ECR.5](./ecr-controls.html#ecr-5) | ECR repositories should be encrypted with customer managed AWS KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered @@ -259,0 +262 @@ Security control ID | Security control title | Applicable standards | Severity | +[ELB.17](./elb-controls.html#elb-17) | Application and Network Load Balancers with listeners should use recommended security policies | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -281,0 +285 @@ Security control ID | Security control title | Applicable standards | Severity | +[Glue.4](./glue-controls.html#glue-4) | AWS Glue Spark jobs should run on supported versions of AWS Glue | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -292,0 +297,3 @@ Security control ID | Security control title | Applicable standards | Severity | +[GuardDuty.11](./guardduty-controls.html#guardduty-11) | GuardDuty Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | No | Periodic +[GuardDuty.12](./guardduty-controls.html#guardduty-12) | GuardDuty ECS Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Periodic +[GuardDuty.13](./guardduty-controls.html#guardduty-13) | GuardDuty EC2 Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Periodic @@ -389,0 +397 @@ Security control ID | Security control title | Applicable standards | Severity | +[NetworkFirewall.10](./networkfirewall-controls.html#networkfirewall-10) | Network Firewall firewalls should have subnet change protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -441,0 +450 @@ Security control ID | Security control title | Applicable standards | Severity | +[RDS.40](./rds-controls.html#rds-40) | RDS for SQL Server DB instances should publish logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered @@ -496,0 +506 @@ Security control ID | Security control title | Applicable standards | Severity | +[SQS.3](./sqs-controls.html#sqs-3) | SQS queue access policies should not allow public access | AWS Foundational Security Best Practices v1.0.0 | HIGH | No | Change triggered @@ -504,0 +515 @@ Security control ID | Security control title | Applicable standards | Severity | +[Transfer.3](./transfer-controls.html#transfer-3) | Transfer Family connectors should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered