AWS securityhub documentation change
Summary
Updated Security Hub controls change log with new entries, formatting adjustments, and clarifications on retired controls including RDS.18 removal from certain standards
Security assessment
Changes include documentation updates about control retirements and formatting improvements. While related to security controls, there's no evidence of addressing specific vulnerabilities. Updates reflect service changes (e.g., EC2-Classic retirement) rather than security issues.
Diff
diff --git a/securityhub/latest/userguide/controls-change-log.md index e7e49b96e..f591f373f 100644 --- a/securityhub/latest/userguide/controls-change-log.md +++ b/securityhub/latest/userguide/controls-change-log.md @@ -9,3 +9 @@ The following change log tracks material changes to existing AWS Security Hub se -This log tracks changes occurring since April 2023. - -Select a control to view more details about it. Title changes are noted on each control's detailed description for 90 days. +This log tracks changes occurring since April 2023. Choose a control to review additional details about it. Title changes are noted in a control's detailed description for 90 days. @@ -15,2 +13,3 @@ Date of change | Control ID and title | Description of change -January 10, 2025 | **[Glue.2] AWS Glue jobs should have logging enabled** | Security Hub retired this control and removed it from all standards. -December 20, 2024 | EC2.61 through EC2.169 | Security Hub rolled back the release of EC2.61 through EC2.169. +March 7, 2025 | [[RDS.18] RDS instances should be deployed in a VPC](./rds-controls.html#rds-18) | Security Hub removed this control from the AWS Foundational Security Best Practices v1.0.0 standard and automated checks for NIST SP 800-53 Rev. 5 requirements. Since Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC. The control continues to be part of the [AWS Control Tower service-managed standard](./service-managed-standard-aws-control-tower.html). +January 10, 2025 | [Glue.2] AWS Glue jobs should have logging enabled | Security Hub retired this control and removed it from all standards. +December 20, 2024 | EC2.61 through EC2.169 | Security Hub rolled back the release of the EC2.61 through EC2.169 controls. @@ -38,6 +37,6 @@ April 19, 2024 | [[CloudTrail.1] CloudTrail should be enabled and configured wit -April 10, 2024 | **[Athena.1] Athena workgroups should be encrypted at rest** | Security Hub retired this control and removed it from all standards. Athena workgroups send logs to Amazon Simple Storage Service (Amazon S3) buckets. Amazon S3 now provides default encryption with S3 managed keys (SS3-S3) on new and existing S3 buckets. -April 10, 2024 | **[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1** | Security Hub retired this control and removed it from all standards. Metadata response hop limits for Amazon Elastic Compute Cloud (Amazon EC2) instances are workload dependent. -April 10, 2024 | **[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)** | Security Hub retired this control and removed it from all standards. Integrating AWS CloudFormation stacks with Amazon SNS topics is no longer a security best practice. Though integrating important CloudFormation stacks with SNS topics can be useful, it is not required for all stacks. -April 10, 2024 | **[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled** | Security Hub retired this control and removed it from all standards. Enabling privileged mode in a CodeBuild project does not impose an additional risk to the customer environment. -April 10, 2024 | **[IAM.20] Avoid the use of the root user** | Security Hub retired this control and removed it from all standards. The purpose of this control is covered by another control, [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](./cloudwatch-controls.html#cloudwatch-1). -April 10, 2024 | **[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic** | Security Hub retired this control and removed it from all standards. Logging delivery status for SNS topics is no longer a security best practice. Though logging delivery status for important SNS topics can be useful, it is not required for all topics. +April 10, 2024 | [Athena.1] Athena workgroups should be encrypted at rest | Security Hub retired this control and removed it from all standards. Athena workgroups send logs to Amazon Simple Storage Service (Amazon S3) buckets. Amazon S3 now provides default encryption with S3 managed keys (SS3-S3) on new and existing S3 buckets. +April 10, 2024 | [AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1 | Security Hub retired this control and removed it from all standards. Metadata response hop limits for Amazon Elastic Compute Cloud (Amazon EC2) instances are workload dependent. +April 10, 2024 | [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS) | Security Hub retired this control and removed it from all standards. Integrating AWS CloudFormation stacks with Amazon SNS topics is no longer a security best practice. Though integrating important CloudFormation stacks with SNS topics can be useful, it is not required for all stacks. +April 10, 2024 | [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled | Security Hub retired this control and removed it from all standards. Enabling privileged mode in a CodeBuild project does not impose an additional risk to the customer environment. +April 10, 2024 | [IAM.20] Avoid the use of the root user | Security Hub retired this control and removed it from all standards. The purpose of this control is covered by another control, [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](./cloudwatch-controls.html#cloudwatch-1). +April 10, 2024 | [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic | Security Hub retired this control and removed it from all standards. Logging delivery status for SNS topics is no longer a security best practice. Though logging delivery status for important SNS topics can be useful, it is not required for all topics. @@ -93 +92 @@ September 27, 2023 | [[EKS.2] EKS clusters should run on a supported Kubernetes -September 20, 2023 | **CloudFront.2 – CloudFront distributions should have origin access identity enabled** | Security Hub retired this control and removed it from all standards. Instead, see [[CloudFront.13] CloudFront distributions should use origin access control](./cloudfront-controls.html#cloudfront-13). Origin access control is the current security best practice. This control will be removed from documentation in 90 days. +September 20, 2023 | [CloudFront.2] CloudFront distributions should have origin access identity enabled | Security Hub retired this control and removed it from all standards. Instead, see [[CloudFront.13] CloudFront distributions should use origin access control](./cloudfront-controls.html#cloudfront-13). Origin access control is the current security best practice. This control will be removed from documentation in 90 days. @@ -95,2 +94,2 @@ September 20, 2023 | [[EC2.22] Unused Amazon EC2 security groups should be remo -September 20, 2023 | **EC2.29 – EC2 instances should be launched in a VPC** | Security Hub retired this control and removed it from all standards. Amazon EC2 has migrated EC2-Classic instances to a VPC. This control will be removed from documentation in 90 days. -September 20, 2023 | **S3.4 – S3 buckets should have server-side encryption enabled** | Security Hub retired this control and removed it from all standards. Amazon S3 now provides default encryption with S3 managed keys (SS3-S3) on new and existing S3 buckets. The encryption settings are unchanged for existing buckets that are encrypted with SS3-S3 or SS3-KMS server-side encryption. This control will be removed from documentation in 90 days. +September 20, 2023 | [EC2.29] EC2 instances should be launched in a VPC | Security Hub retired this control and removed it from all standards. Amazon EC2 has migrated EC2-Classic instances to a VPC. This control will be removed from documentation in 90 days. +September 20, 2023 | [S3.4] S3 buckets should have server-side encryption enabled | Security Hub retired this control and removed it from all standards. Amazon S3 now provides default encryption with S3 managed keys (SS3-S3) on new and existing S3 buckets. The encryption settings are unchanged for existing buckets that are encrypted with SS3-S3 or SS3-KMS server-side encryption. This control will be removed from documentation in 90 days. @@ -109 +108 @@ September 14, 2023 | [[WAF.11] AWS WAF web ACL logging should be enabled](./waf -July 20, 2023 | **S3.4 – S3 buckets should have server-side encryption enabled** | S3.4 checks whether an Amazon S3 bucket either has server-side encryption enabled or that the S3 bucket policy explicitly denies `PutObject` requests without server-side encryption. Security Hub updated this control to include dual-layer server side encryption with KMS keys (DSSE-KMS). The control produces a passed finding when an S3 bucket is encrypted with SSE-S3, SSE-KMS, or DSSE-KMS. +July 20, 2023 | [S3.4] S3 buckets should have server-side encryption enabled | S3.4 checks whether an Amazon S3 bucket either has server-side encryption enabled or that the S3 bucket policy explicitly denies `PutObject` requests without server-side encryption. Security Hub updated this control to include dual-layer server side encryption with KMS keys (DSSE-KMS). The control produces a passed finding when an S3 bucket is encrypted with SSE-S3, SSE-KMS, or DSSE-KMS.