AWS securityhub documentation change
Summary
Updated regional control support documentation with new regions (Asia Pacific Thailand, Canada West Calgary, Mexico Central), reorganized content, and added multiple service-specific controls to regional unsupported lists
Security assessment
The changes document regional availability of security controls but do not address specific vulnerabilities. Adds security documentation by expanding details about which security controls are unavailable in specific regions, including tagging, logging, and encryption-related controls.
Diff
diff --git a/securityhub/latest/userguide/regions-controls.md index 216a3931e..05022221e 100644 --- a/securityhub/latest/userguide/regions-controls.md +++ b/securityhub/latest/userguide/regions-controls.md @@ -5 +5 @@ -US East (N. Virginia)US East (Ohio)US West (N. California)US West (Oregon)Africa (Cape Town)Asia Pacific (Hong Kong)Asia Pacific (Jakarta)Asia Pacific (Hyderabad)Asia Pacific (Malaysia)Asia Pacific (Melbourne)Asia Pacific (Mumbai)Asia Pacific (Osaka)Asia Pacific (Seoul)Asia Pacific (Singapore)Asia Pacific (Sydney)Asia Pacific (Tokyo)Canada (Central)China (Beijing)China (Ningxia)Europe (Frankfurt)Europe (Ireland)Europe (London)Europe (Milan)Europe (Paris)Europe (Spain)Europe (Stockholm)Europe (Zurich)Israel (Tel Aviv)Middle East (Bahrain)Middle East (UAE)South America (São Paulo)AWS GovCloud (US-East)AWS GovCloud (US-West) +US East (N. Virginia)US East (Ohio)US West (N. California)US West (Oregon)Africa (Cape Town)Asia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Jakarta)Asia Pacific (Malaysia)Asia Pacific (Melbourne)Asia Pacific (Mumbai)Asia Pacific (Osaka)Asia Pacific (Seoul)Asia Pacific (Singapore)Asia Pacific (Sydney)Asia Pacific (Thailand)Asia Pacific (Tokyo)Canada (Central)Canada West (Calgary)China (Beijing)China (Ningxia)Europe (Frankfurt)Europe (Ireland)Europe (London)Europe (Milan)Europe (Paris)Europe (Spain)Europe (Stockholm)Europe (Zurich)Israel (Tel Aviv)Mexico (Central)Middle East (Bahrain)Middle East (UAE)South America (São Paulo)AWS GovCloud (US-East)AWS GovCloud (US-West) @@ -7 +7 @@ US East (N. Virginia)US East (Ohio)US West (N. California)US West (Oregon)Africa -# Regional limits on Security Hub controls +# Regional limits on controls @@ -9 +9 @@ US East (N. Virginia)US East (Ohio)US West (N. California)US West (Oregon)Africa -Most AWS Security Hub controls are available in only select AWS Regions. This page shows which controls are unavailable in each Region. A control doesn't appear on the list of controls in the Security Hub console if it's not available in the Region that you are signed in to. The exception is if you're signed in to an aggregation Region. In that case, you can see controls that are available in the aggregation Region or in one or more linked Regions. +AWS Security Hub controls may not be available in all AWS Regions. This page specifies which controls aren't available in specific Regions. A control doesn't appear in the list of controls on the Security Hub console if it isn't available in the Region that you're signed in to. @@ -19 +18,0 @@ Most AWS Security Hub controls are available in only select AWS Regions. This pa - * [Asia Pacific (Jakarta)](./regions-controls.html#securityhub-control-support-apsoutheast3) @@ -20,0 +20 @@ Most AWS Security Hub controls are available in only select AWS Regions. This pa + * [Asia Pacific (Jakarta)](./regions-controls.html#securityhub-control-support-apsoutheast3) @@ -27,0 +28 @@ Most AWS Security Hub controls are available in only select AWS Regions. This pa + * [Asia Pacific (Thailand)](./regions-controls.html#securityhub-control-support-apsoutheast7) @@ -29,0 +31 @@ Most AWS Security Hub controls are available in only select AWS Regions. This pa + * [Canada West (Calgary)](./regions-controls.html#securityhub-control-support-cawest1) @@ -40,0 +43 @@ Most AWS Security Hub controls are available in only select AWS Regions. This pa + * [Mexico (Central)](./regions-controls.html#securityhub-control-support-mxcentral1) @@ -51 +54 @@ Most AWS Security Hub controls are available in only select AWS Regions. This pa -The following controls are not supported in US East (N. Virginia). +The following controls are not supported in the US East (N. Virginia) Region. @@ -70 +73 @@ The following controls are not supported in US East (N. Virginia). -The following controls are not supported in US East (Ohio). +The following controls are not supported in the US East (Ohio) Region. @@ -99,0 +103,4 @@ The following controls are not supported in US East (Ohio). + * [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](./connect-controls.html#connect-1) + + * [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](./connect-controls.html#connect-2) + @@ -107,0 +115,20 @@ The following controls are not supported in US East (Ohio). + * [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](./iottwinmaker-controls.html#iottwinmaker-1) + + * [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](./iottwinmaker-controls.html#iottwinmaker-2) + + * [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](./iottwinmaker-controls.html#iottwinmaker-3) + + * [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](./iottwinmaker-controls.html#iottwinmaker-4) + + * [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](./iotwireless-controls.html#iotwireless-1) + + * [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](./iotwireless-controls.html#iotwireless-2) + + * [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](./iotwireless-controls.html#iotwireless-3) + + * [[IVS.1] IVS playback key pairs should be tagged](./ivs-controls.html#ivs-1) + + * [[IVS.2] IVS recording configurations should be tagged](./ivs-controls.html#ivs-2) + + * [[IVS.3] IVS channels should be tagged](./ivs-controls.html#ivs-3) + @@ -133 +160,5 @@ The following controls are not supported in US East (Ohio). -The following controls are not supported in US West (N. California). +The following controls are not supported in the US West (N. California) Region. + + * [[AppRunner.1] App Runner services should be tagged](./apprunner-controls.html#apprunner-1) + + * [[AppRunner.2] App Runner VPC connectors should be tagged](./apprunner-controls.html#apprunner-2) @@ -164,0 +196,8 @@ The following controls are not supported in US West (N. California). + * [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](./codeguruprofiler-controls.html#codeguruprofiler-1) + + * [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](./codegurureviewer-controls.html#codegurureviewer-1) + + * [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](./connect-controls.html#connect-1) + + * [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](./connect-controls.html#connect-2) + @@ -176,0 +216,8 @@ The following controls are not supported in US West (N. California). + * [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](./frauddetector-controls.html#frauddetector-1) + + * [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](./frauddetector-controls.html#frauddetector-2) + + * [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](./frauddetector-controls.html#frauddetector-3) + + * [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](./frauddetector-controls.html#frauddetector-4) + @@ -182,0 +230,36 @@ The following controls are not supported in US West (N. California). + * [[IoTEvents.1] AWS IoT Events inputs should be tagged](./iotevents-controls.html#iotevents-1) + + * [[IoTEvents.2] AWS IoT Events detector models should be tagged](./iotevents-controls.html#iotevents-2) + + * [[IoTEvents.3] AWS IoT Events alarm models should be tagged](./iotevents-controls.html#iotevents-3) + + * [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](./iotsitewise-controls.html#iotsitewise-1) + + * [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](./iotsitewise-controls.html#iotsitewise-2) + + * [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](./iotsitewise-controls.html#iotsitewise-3) + + * [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](./iotsitewise-controls.html#iotsitewise-4) + + * [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](./iotsitewise-controls.html#iotsitewise-5) + + * [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](./iottwinmaker-controls.html#iottwinmaker-1) + + * [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](./iottwinmaker-controls.html#iottwinmaker-2) + + * [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](./iottwinmaker-controls.html#iottwinmaker-3) + + * [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](./iottwinmaker-controls.html#iottwinmaker-4) + + * [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](./iotwireless-controls.html#iotwireless-1) + + * [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](./iotwireless-controls.html#iotwireless-2) + + * [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](./iotwireless-controls.html#iotwireless-3) + + * [[IVS.1] IVS playback key pairs should be tagged](./ivs-controls.html#ivs-1) + + * [[IVS.2] IVS recording configurations should be tagged](./ivs-controls.html#ivs-2) + + * [[IVS.3] IVS channels should be tagged](./ivs-controls.html#ivs-3) + @@ -208 +291 @@ The following controls are not supported in US West (N. California). -The following controls are not supported in US West (Oregon). +The following controls are not supported in the US West (Oregon) Region. @@ -259 +342,5 @@ The following controls are not supported in US West (Oregon). -The following controls are not supported in Africa (Cape Town). +The following controls are not supported in the Africa (Cape Town) Region. + + * [[AppRunner.1] App Runner services should be tagged](./apprunner-controls.html#apprunner-1) + + * [[AppRunner.2] App Runner VPC connectors should be tagged](./apprunner-controls.html#apprunner-2) @@ -291 +378,3 @@ The following controls are not supported in Africa (Cape Town). - * [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](./codebuild-controls.html#codebuild-1) + * [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](./codeguruprofiler-controls.html#codeguruprofiler-1) + + * [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](./codegurureviewer-controls.html#codegurureviewer-1) @@ -313,2 +401,0 @@ The following controls are not supported in Africa (Cape Town). - * [[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest](./ec2-controls.html#ec2-3) - @@ -319,4 +405,0 @@ The following controls are not supported in Africa (Cape Town). - * [[EC2.12] Unused Amazon EC2 EIPs should be removed](./ec2-controls.html#ec2-12) - - * [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](./ec2-controls.html#ec2-13) - @@ -333,6 +415,0 @@ The following controls are not supported in Africa (Cape Town). - * [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](./efs-controls.html#efs-1) - - * [[EFS.2] Amazon EFS volumes should be in backup plans](./efs-controls.html#efs-2) - - * [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](./elb-controls.html#elb-1) - @@ -341 +418 @@ The following controls are not supported in Africa (Cape Town). - * [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](./elb-controls.html#elb-4) + * [[ES.3] Elasticsearch domains should encrypt data sent between nodes](./es-controls.html#es-3) @@ -343 +420 @@ The following controls are not supported in Africa (Cape Town). - * [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](./elb-controls.html#elb-8) + * [[EventBridge.4] EventBridge global endpoints should have event replication enabled](./eventbridge-controls.html#eventbridge-4) @@ -345 +422 @@ The following controls are not supported in Africa (Cape Town). - * [[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL](./elb-controls.html#elb-16) + * [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](./frauddetector-controls.html#frauddetector-1) @@ -347 +424 @@ The following controls are not supported in Africa (Cape Town). - * [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](./emr-controls.html#emr-1) + * [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](./frauddetector-controls.html#frauddetector-2) @@ -349 +426 @@ The following controls are not supported in Africa (Cape Town). - * [[ES.3] Elasticsearch domains should encrypt data sent between nodes](./es-controls.html#es-3) + * [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](./frauddetector-controls.html#frauddetector-3) @@ -351 +428 @@ The following controls are not supported in Africa (Cape Town). - * [[EventBridge.4] EventBridge global endpoints should have event replication enabled](./eventbridge-controls.html#eventbridge-4) + * [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](./frauddetector-controls.html#frauddetector-4) @@ -373 +450 @@ The following controls are not supported in Africa (Cape Town). - * [[MSK.3] MSK Connect connectors should be encrypted in transit](./msk-controls.html#msk-3) + * [[IoTEvents.1] AWS IoT Events inputs should be tagged](./iotevents-controls.html#iotevents-1) @@ -375 +452 @@ The following controls are not supported in Africa (Cape Town). - * [[RDS.1] RDS snapshot should be private](./rds-controls.html#rds-1) + * [[IoTEvents.2] AWS IoT Events detector models should be tagged](./iotevents-controls.html#iotevents-2) @@ -377 +454 @@ The following controls are not supported in Africa (Cape Town). - * [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](./rds-controls.html#rds-9) + * [[IoTEvents.3] AWS IoT Events alarm models should be tagged](./iotevents-controls.html#iotevents-3) @@ -379 +456,35 @@ The following controls are not supported in Africa (Cape Town). - * [[RDS.10] IAM authentication should be configured for RDS instances](./rds-controls.html#rds-10) + * [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](./iotsitewise-controls.html#iotsitewise-1) + + * [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](./iotsitewise-controls.html#iotsitewise-2) + + * [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](./iotsitewise-controls.html#iotsitewise-3) + + * [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](./iotsitewise-controls.html#iotsitewise-4) + + * [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](./iotsitewise-controls.html#iotsitewise-5) + + * [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](./iottwinmaker-controls.html#iottwinmaker-1) + + * [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](./iottwinmaker-controls.html#iottwinmaker-2) + + * [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](./iottwinmaker-controls.html#iottwinmaker-3) + + * [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](./iottwinmaker-controls.html#iottwinmaker-4) + + * [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](./iotwireless-controls.html#iotwireless-1) + + * [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](./iotwireless-controls.html#iotwireless-2) + + * [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](./iotwireless-controls.html#iotwireless-3) +