AWS securityhub documentation change
Summary
Updated documentation about Security Hub controls to disable, including grammatical corrections, region specification clarifications, removal of deprecated controls (EventBridge.4, IAM.28, WAF.10, WAF.11), and rephrasing for clarity regarding CloudTrail logging and CloudWatch alarm controls.
Security assessment
Changes primarily involve documentation clarity improvements and removal of specific control references without explicit security context. No evidence of addressing vulnerabilities or security incidents.
Diff
diff --git a/securityhub/latest/userguide/controls-to-disable.md b/securityhub/latest/userguide/controls-to-disable.md index 10d7710ed..f6ebfaa18 100644 --- a/securityhub/latest/userguide/controls-to-disable.md +++ b/securityhub/latest/userguide/controls-to-disable.md @@ -5 +5 @@ -Controls that use global resourcesCloudTrail logging controlsCloudWatch alarms controls +Controls that use global resourcesCloudTrail logging controlsCloudWatch alarm controls @@ -9 +9 @@ Controls that use global resourcesCloudTrail logging controlsCloudWatch alarms c -We recommend disabling some AWS Security Hub controls to reduce finding noise and limit costs. +We recommend disabling some AWS Security Hub controls to reduce finding noise and usage costs. @@ -15 +15 @@ Some AWS services support global resources, which means that you can access the -If a control involves global resources but is available in only one Region, disabling it in that Region prevents you from getting any findings for the underlying resource. In this case, we recommend keeping the control enabled. When using cross-Region aggregation, the region in which the control is available should be the aggregation Region or one of the linked Regions. The following controls involve global resources but are only available in a single Region: +If a control involves global resources but is available in only one Region, disabling it in that Region prevents you from getting any findings for the underlying resource. In this case, we recommend keeping the control enabled. When using cross-Region aggregation, the Region in which the control is available should be the aggregation Region or one of the linked Regions. The following controls involve global resources but are available in only a single Region: @@ -17 +17 @@ If a control involves global resources but is available in only one Region, disa - * **All CloudFront controls** – Available only in US East (N. Virginia) + * **All CloudFront controls** – Available only in the US East (N. Virginia) Region @@ -19 +19 @@ If a control involves global resources but is available in only one Region, disa - * **GlobalAccelerator.1** – Available only in US West (Oregon) + * **GlobalAccelerator.1** – Available only in the US West (Oregon) Region @@ -21 +21 @@ If a control involves global resources but is available in only one Region, disa - * **Route53.2** – Available only in US East (N. Virginia) + * **Route53.2** – Available only in the US East (N. Virginia) Region @@ -23 +23 @@ If a control involves global resources but is available in only one Region, disa - * **WAF.1, WAF.6, WAF.7, and WAF.8** – Available only in US East (N. Virginia) + * **WAF.1, WAF.6, WAF.7, WAF.8** – Available only in the US East (N. Virginia) Region @@ -36 +36 @@ For more information about central configuration, see [Understanding central con -For controls with a _periodic_ schedule type, disabling them in Security Hub is required to prevent billing. Setting the AWS Config parameter `includeGlobalResourceTypes` to `false` doesn't affect periodic Security Hub controls. +For controls that have a _periodic_ schedule type, disabling them in Security Hub is required to prevent billing. Setting the AWS Config parameter `includeGlobalResourceTypes` to `false` doesn't affect periodic Security Hub controls. @@ -38 +38 @@ For controls with a _periodic_ schedule type, disabling them in Security Hub is -The following is a list of Security Hub controls that use global resources: +The following Security Hub controls use global resources: @@ -66,2 +65,0 @@ The following is a list of Security Hub controls that use global resources: - * [[EventBridge.4] EventBridge global endpoints should have event replication enabled](./eventbridge-controls.html#eventbridge-4) - @@ -120,2 +117,0 @@ The following is a list of Security Hub controls that use global resources: - * [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](./iam-controls.html#iam-28) - @@ -136,4 +131,0 @@ The following is a list of Security Hub controls that use global resources: - * [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](./waf-controls.html#waf-10) - - * [[WAF.11] AWS WAF web ACL logging should be enabled](./waf-controls.html#waf-11) - @@ -145 +137 @@ The following is a list of Security Hub controls that use global resources: -This control deals with using AWS Key Management Service (AWS KMS) to encrypt AWS CloudTrail trail logs. If you log these trails in a centralized logging account, you only need to enable this control in the account and Region where centralized logging takes place. +This control deals with using AWS Key Management Service (AWS KMS) to encrypt AWS CloudTrail trail logs. If you log these trails in a centralized logging account, you need to enable this control only in the account and Region where centralized logging takes place. @@ -156 +148 @@ If you use [central configuration](./central-configuration-intro.html), the enab -## CloudWatch alarms controls +## CloudWatch alarm controls @@ -158 +150 @@ If you use [central configuration](./central-configuration-intro.html), the enab -If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable these controls, which focus on CloudWatch alarms. +If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable the following controls, which focus on CloudWatch alarms: