AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-04-16 · Documentation medium

File: securityhub/latest/userguide/fsbp-standard.md

Summary

Added new security controls EC2.173 (EBS encryption), RDS.41 (encryption in transit), RDS.42 (CloudWatch logging), RDS.46 (public subnet prevention), and SageMaker.8 (supported platforms). Minor formatting fixes.

Security assessment

The changes add new security best practice controls related to encryption, logging, network security, and platform compliance. While these are security improvements, there's no evidence they address specific existing vulnerabilities.

Diff

diff --git a/securityhub/latest/userguide/fsbp-standard.md b/securityhub/latest/userguide/fsbp-standard.md
index 14fd290d0..52bb8e72d 100644
--- a//securityhub/latest/userguide/fsbp-standard.md
+++ b//securityhub/latest/userguide/fsbp-standard.md
@@ -9 +9 @@ Controls that apply to the FSBP standard
-The AWS Foundational Security Best Practices standard is a set of controls that detect when your AWS accounts and resources deviate from security best practices. 
+The AWS Foundational Security Best Practices (FSBP) standard is a set of controls that detect when your AWS accounts and resources deviate from security best practices. 
@@ -200,0 +201,2 @@ The controls include security best practices for resources from multiple AWS ser
+[[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
@@ -207 +209 @@ The controls include security best practices for resources from multiple AWS ser
-[[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.](./ecs-controls.html#ecs-1)
+[[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](./ecs-controls.html#ecs-1)
@@ -524,0 +527,6 @@ The controls include security best practices for resources from multiple AWS ser
+[[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](./rds-controls.html#rds-41)
+
+[[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](./rds-controls.html#rds-42)
+
+[[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](./rds-controls.html#rds-46)
+
@@ -578,0 +587,2 @@ The controls include security best practices for resources from multiple AWS ser
+[[SageMaker.8] SageMaker notebook instances should run on supported platforms](./sagemaker-controls.html#sagemaker-8)
+