AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-02-27 · Documentation low

File: securityhub/latest/userguide/securityhub-controls-reference.md

Summary

Updated wording from 'select' to 'choose' in multiple places and added several new security controls including Connect.2, ECR.5, ELB.17, Glue.4, GuardDuty.11-13, NetworkFirewall.10, RDS.40, SQS.3, and Transfer.3

Security assessment

The changes add new security controls and improve wording, but there is no evidence these changes are in response to a specific security vulnerability or incident. The new controls document security best practices but are not tied to a specific security issue.

Diff

diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md
index ca25c54bd..d563b4228 100644
--- a/securityhub/latest/userguide/securityhub-controls-reference.md
+++ b/securityhub/latest/userguide/securityhub-controls-reference.md
@@ -15 +15 @@ Control IDs may skip numbers. These are placeholders for future controls.
-  * **Applicable standards** – Indicates which standards a control applies to. Select a control to see specific requirements from third-party compliance frameworks.
+  * **Applicable standards** – Indicates which standards a control applies to. Choose a control to review specific requirements from third-party compliance frameworks.
@@ -23 +23 @@ Control IDs may skip numbers. These are placeholders for future controls.
-  * **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Select a control to see the parameter details. For more information, see [Understanding control parameters in Security Hub](./custom-control-parameters.html).
+  * **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Choose a control to review the parameter details. For more information, see [Understanding control parameters in Security Hub](./custom-control-parameters.html).
@@ -28 +28 @@ Control IDs may skip numbers. These are placeholders for future controls.
-Select a control to view further details. Controls are listed in alphabetical order of the service name.
+Choose a control to review additional details. Controls are listed in alphabetical order by security control ID.
@@ -123,0 +124 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Connect.2](./connect-controls.html#connect-2) | Amazon Connect instances should have CloudWatch logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Change triggered  
@@ -208,0 +210 @@ Security control ID | Security control title | Applicable standards | Severity |
+[ECR.5](./ecr-controls.html#ecr-5) | ECR repositories should be encrypted with customer managed AWS KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM |  Yes | Change triggered  
@@ -259,0 +262 @@ Security control ID | Security control title | Applicable standards | Severity |
+[ELB.17](./elb-controls.html#elb-17) | Application and Network Load Balancers with listeners should use recommended security policies  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
@@ -281,0 +285 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Glue.4](./glue-controls.html#glue-4) | AWS Glue Spark jobs should run on supported versions of AWS Glue | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM |  No | Change triggered  
@@ -292,0 +297,3 @@ Security control ID | Security control title | Applicable standards | Severity |
+[GuardDuty.11](./guardduty-controls.html#guardduty-11) | GuardDuty Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH |  No | Periodic  
+[GuardDuty.12](./guardduty-controls.html#guardduty-12) | GuardDuty ECS Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
+[GuardDuty.13](./guardduty-controls.html#guardduty-13) | GuardDuty EC2 Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
@@ -389,0 +397 @@ Security control ID | Security control title | Applicable standards | Severity |
+[NetworkFirewall.10](./networkfirewall-controls.html#networkfirewall-10) | Network Firewall firewalls should have subnet change protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM |  No | Change triggered  
@@ -441,0 +450 @@ Security control ID | Security control title | Applicable standards | Severity |
+[RDS.40](./rds-controls.html#rds-40) | RDS for SQL Server DB instances should publish logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM |  Yes | Change triggered  
@@ -496,0 +506 @@ Security control ID | Security control title | Applicable standards | Severity |
+[SQS.3](./sqs-controls.html#sqs-3) | SQS queue access policies should not allow public access | AWS Foundational Security Best Practices v1.0.0 | HIGH |  No | Change triggered  
@@ -504,0 +515 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Transfer.3](./transfer-controls.html#transfer-3) | Transfer Family connectors should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM |  No | Change triggered