AWS securityhub documentation change
Summary
Updated AWS Resource Tagging Standard documentation with grammatical improvements, moved regional availability note, clarified parameter usage, and added multiple new resource-specific tagging controls across services (Amplify, Batch, DataSync, EC2, Redshift, SageMaker, SSM, Transfer)
Security assessment
Changes primarily expand documentation about security controls for resource tagging (a security best practice) but do not address a specific disclosed vulnerability. The additions of new service-specific controls (e.g., EC2.174-179, Transfer.4-7) enhance security guidance without referencing a concrete security incident.
Diff
diff --git a/securityhub/latest/userguide/standards-tagging.md b/securityhub/latest/userguide/standards-tagging.md index 8b126ebdb..0a26885ba 100644 --- a//securityhub/latest/userguide/standards-tagging.md +++ b//securityhub/latest/userguide/standards-tagging.md @@ -11,4 +10,0 @@ This section provides information about the AWS Resource Tagging Standard. -###### Note - -The AWS Resource Tagging Standard isn't available in the Canada West (Calgary), China, and AWS GovCloud (US) Regions. - @@ -17 +13 @@ The AWS Resource Tagging Standard isn't available in the Canada West (Calgary), -Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include an Amazon CloudFront distribution, an Amazon Elastic Compute Cloud (Amazon EC2) instance, or a secret in AWS Secrets Manager. Tags can help you manage, identify, organize, search for, and filter resources. +Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include Amazon CloudFront distributions, Amazon Elastic Compute Cloud (Amazon EC2) instances, and secrets in AWS Secrets Manager. Tags can help you manage, identify, organize, search for, and filter AWS resources. @@ -32 +28 @@ For information about adding tags to AWS resources, see the [Tagging AWS Resourc -The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you determine whether any of your AWS resources are missing tag keys. You can customize the `requiredTagKeys` parameter to specify tag keys that you want the controls to check for. If specific tags aren't provided, the controls only check for the existence of at least one tag key. +The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you determine whether any of your AWS resources are missing tag keys. For each control that applies to this standard, you can optionally use the supported parameter to specify tag keys that you want the control to check for. If you don't specify any tag keys, the control checks only for the existence of at least one tag key and fails if the resource doesn't have any tag keys. @@ -34 +30 @@ The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you dete -When you enable the AWS Resource Tagging Standard, you'll begin receiving findings in the AWS Security Finding Format (ASFF). +After you enable the AWS Resource Tagging Standard, you begin receiving findings in the AWS Security Finding Format (ASFF). @@ -36 +32 @@ When you enable the AWS Resource Tagging Standard, you'll begin receiving findin -###### Note +###### Notes @@ -38 +34 @@ When you enable the AWS Resource Tagging Standard, you'll begin receiving findin -When you enable the AWS Resource Tagging Standard, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html). +If you enable the AWS Resource Tagging Standard, it can take up to 18 hours for Security Hub to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html). @@ -40 +36 @@ When you enable the AWS Resource Tagging Standard, Security Hub may take up to 1 -This standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub:`region`::standards/aws-resource-tagging-standard/v/1.0.0`. +The AWS Resource Tagging Standard isn't available in the Canada West (Calgary), China, and AWS GovCloud (US) Regions. @@ -42 +38 @@ This standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub -You can also use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub API to find the ARN of an enabled standard. +This standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub:`region`::standards/aws-resource-tagging-standard/v/1.0.0`. You can also use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub API to find the ARN of an enabled standard. @@ -49,0 +46,4 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[Amplify.1] Amplify apps should be tagged](./amplify-controls.html#amplify-1) + + * [[Amplify.2] Amplify branches should be tagged](./amplify-controls.html#amplify-2) + @@ -85,0 +86,2 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](./batch-controls.html#batch-4) + @@ -99,0 +102,2 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[DataSync.2] DataSync tasks should be tagged](./datasync-controls.html#datasync-2) + @@ -149,0 +154,12 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[EC2.174] EC2 DHCP option sets should be tagged](./ec2-controls.html#ec2-174) + + * [[EC2.175] EC2 launch templates should be tagged](./ec2-controls.html#ec2-175) + + * [[EC2.176] EC2 prefix lists should be tagged](./ec2-controls.html#ec2-176) + + * [[EC2.177] EC2 traffic mirror sessions should be tagged](./ec2-controls.html#ec2-177) + + * [[EC2.178] EC2 traffic mirror filters should be tagged](./ec2-controls.html#ec2-178) + + * [[EC2.179] EC2 traffic mirror targets should be tagged](./ec2-controls.html#ec2-179) + @@ -275,0 +292,2 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[Redshift.17] Redshift cluster parameter groups should be tagged](./redshift-controls.html#redshift-17) + @@ -277,0 +296,4 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[SageMaker.6] SageMaker app image configurations should be tagged](./sagemaker-controls.html#sagemaker-6) + + * [[SageMaker.7] SageMaker images should be tagged](./sagemaker-controls.html#sagemaker-7) + @@ -287,0 +310,2 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[SSM.5] SSM documents should be tagged](./ssm-controls.html#ssm-5) + @@ -291,0 +316,8 @@ The AWS Resource Tagging Standard includes the following controls. Choose a cont + * [[Transfer.4] Transfer Family agreements should be tagged](./transfer-controls.html#transfer-4) + + * [[Transfer.5] Transfer Family certificates should be tagged](./transfer-controls.html#transfer-5) + + * [[Transfer.6] Transfer Family connectors should be tagged](./transfer-controls.html#transfer-6) + + * [[Transfer.7] Transfer Family profiles should be tagged](./transfer-controls.html#transfer-7) +