AWS Security ChangesHomeSearch

AWS securityhub critical security documentation change

Service: securityhub · 2025-04-16 · Security-related critical

File: securityhub/latest/userguide/securityhub-controls-reference.md

Summary

Added multiple new security controls across services (Amplify, Batch, EC2, ECS, RDS, etc.) including encryption, tagging, and network configuration requirements

Security assessment

Introduces new security controls addressing encryption (EC2.173), public subnet exposure (RDS.46), and network hardening (ECS.17) which directly relate to security best practices and vulnerability prevention

Diff

diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md
index b4e4fd928..613bc2df5 100644
--- a//securityhub/latest/userguide/securityhub-controls-reference.md
+++ b//securityhub/latest/userguide/securityhub-controls-reference.md
@@ -36,0 +37,2 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Amplify.1](./amplify-controls.html#amplify-1) | Amplify apps should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Amplify.2](./amplify-controls.html#amplify-2) | Amplify branches should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
@@ -71,3 +73,4 @@ Security control ID | Security control title | Applicable standards | Severity |
-[Batch.1](./batch-controls.html#batch-1) | AWS Batch job queues should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
-[Batch.2](./batch-controls.html#batch-2) | AWS Batch scheduling policies should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
-[Batch.3](./batch-controls.html#batch-3) | AWS Batch compute environments should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Batch.1](./batch-controls.html#batch-1) | Batch job queues should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Batch.2](./batch-controls.html#batch-2) | Batch scheduling policies should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Batch.3](./batch-controls.html#batch-3) | Batch compute environments should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Batch.4](./batch-controls.html#batch-4) | Compute resources properties in managed Batch compute environments should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
@@ -125,0 +129 @@ Security control ID | Security control title | Applicable standards | Severity |
+[DataSync.2](./datasync-controls.html#datasync-2) | DataSync tasks should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
@@ -204,0 +209,7 @@ Security control ID | Security control title | Applicable standards | Severity |
+[EC2.173](./ec2-controls.html#ec2-173) | EC2 Spot Fleet requests should enable encryption for attached EBS volumes | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Change triggered  
+[EC2.174](./ec2-controls.html#ec2-174) | EC2 DHCP option sets should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[EC2.175](./ec2-controls.html#ec2-175) | EC2 launch templates should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[EC2.176](./ec2-controls.html#ec2-176) | EC2 prefix lists should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[EC2.177](./ec2-controls.html#ec2-177) | EC2 traffic mirror sessions should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[EC2.178](./ec2-controls.html#ec2-178) | EC2 traffic mirror filters should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[EC2.179](./ec2-controls.html#ec2-179) | EC2 traffic mirror targets should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
@@ -222,0 +234 @@ Security control ID | Security control title | Applicable standards | Severity |
+[ECS.17](./ecs-controls.html#ecs-17) | ECS task definitions should not use host network mode | NIST SP 800-53 Rev. 5 | MEDIUM |  No | Change triggered  
@@ -454,0 +467,3 @@ Security control ID | Security control title | Applicable standards | Severity |
+[RDS.41](./rds-controls.html#rds-41) | RDS for SQL Server DB instances should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
+[RDS.42](./rds-controls.html#rds-42) | RDS for MariaDB DB instances should publish logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM |  Yes | Periodic  
+[RDS.46](./rds-controls.html#rds-46) | RDS DB instances should not be deployed in public subnets with routes to internet gateways | AWS Foundational Security Best Practices v1.0.0 | CRITICAL |  No | Periodic  
@@ -469,0 +485 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Redshift.17](./redshift-controls.html#redshift-17) | Redshift cluster parameter groups should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
@@ -497,0 +514,3 @@ Security control ID | Security control title | Applicable standards | Severity |
+[SageMaker.6](./sagemaker-controls.html#sagemaker-6) | SageMaker app image configurations should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[SageMaker.7](./sagemaker-controls.html#sagemaker-7) | SageMaker images should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[SageMaker.8](./sagemaker-controls.html#sagemaker-8) | SageMaker notebook instances should run on supported platforms | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
@@ -515,0 +535 @@ Security control ID | Security control title | Applicable standards | Severity |
+[SSM.5](./ssm-controls.html#ssm-5) | SSM documents should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
@@ -520,0 +541,4 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Transfer.4](./transfer-controls.html#transfer-4) | Transfer Family agreements should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Transfer.5](./transfer-controls.html#transfer-5) | Transfer Family certificates should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Transfer.6](./transfer-controls.html#transfer-6) | Transfer Family connectors should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered  
+[Transfer.7](./transfer-controls.html#transfer-7) | Transfer Family profiles should be tagged | AWS Resource Tagging Standard | LOW |  Yes | Change triggered