AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-04-16 · Documentation low

File: securityhub/latest/userguide/transfer-controls.md

Summary

Added four new Security Hub controls ([Transfer.4] to [Transfer.7]) requiring tagging for Transfer Family agreements, certificates, connectors, and profiles. Updated parameter constraints and improved documentation clarity.

Security assessment

The changes add new security controls related to resource tagging which help with inventory management and access control, but there's no evidence they address specific vulnerabilities or security incidents. Tagging controls are preventive measures rather than fixes for existing issues.

Diff

diff --git a/securityhub/latest/userguide/transfer-controls.md b/securityhub/latest/userguide/transfer-controls.md
index 2b78dd7db..e3b4c7c64 100644
--- a//securityhub/latest/userguide/transfer-controls.md
+++ b//securityhub/latest/userguide/transfer-controls.md
@@ -5 +5 @@
-[Transfer.1] AWS Transfer Family workflows should be tagged[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection[Transfer.3] Transfer Family connectors should have logging enabled
+[Transfer.1] AWS Transfer Family workflows should be tagged[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection[Transfer.3] Transfer Family connectors should have logging enabled[Transfer.4] Transfer Family agreements should be tagged[Transfer.5] Transfer Family certificates should be tagged[Transfer.6] Transfer Family connectors should be tagged[Transfer.7] Transfer Family profiles should be tagged
@@ -7 +7 @@
-# Security Hub controls for Transfer Family
+# Security Hub controls for AWS Transfer Family
@@ -9,3 +9 @@
-These AWS Security Hub controls evaluate the AWS Transfer Family service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the AWS Transfer Family service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -29 +27 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) |  `No default value`  
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  `No default value`  
@@ -45 +43 @@ Don’t add personally identifiable information (PII) or other confidential or s
-  2. On the navigation pane, choose **Workflows**. Then, select the workflow that you want to tag.
+  2. In the navigation pane, choose **Workflows**. Then, select the workflow that you want to tag.
@@ -47 +45 @@ Don’t add personally identifiable information (PII) or other confidential or s
-  3. Choose **Manage tags** , and add the tags.
+  3. Choose **Manage tags** , and then add the tags.
@@ -99,0 +98,120 @@ For information about enabling CloudWatch logging for a Transfer Family connecto
+## [Transfer.4] Transfer Family agreements should be tagged
+
+**Category:** Identify > Inventory > Tagging
+
+**Severity:** Low
+
+**Resource type:** `AWS::Transfer::Agreement`
+
+**AWS Config rule:** [transfer-agreement-tagged](https://docs.aws.amazon.com/config/latest/developerguide/transfer-agreement-tagged.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value  
+  
+This control checks whether an AWS Transfer Family agreement has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the agreement doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the agreement doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.
+
+A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
+
+###### Note
+
+Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data.
+
+### Remediation
+
+For information about adding tags to an AWS Transfer Family agreement, see [Resource tagging methods](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the _Tagging AWS Resources and Tag Editor User Guide_.
+
+## [Transfer.5] Transfer Family certificates should be tagged
+
+**Category:** Identify > Inventory > Tagging
+
+**Severity:** Low
+
+**Resource type:** `AWS::Transfer::Certificate`
+
+**AWS Config rule:** [transfer-certificate-tagged](https://docs.aws.amazon.com/config/latest/developerguide/transfer-certificate-tagged.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value  
+  
+This control checks whether an AWS Transfer Family certificate has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the certificate doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the certificate doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.
+
+A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
+
+###### Note
+
+Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data.
+
+### Remediation
+
+For information about adding tags to an AWS Transfer Family certificate, see [Resource tagging methods](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the _Tagging AWS Resources and Tag Editor User Guide_.
+
+## [Transfer.6] Transfer Family connectors should be tagged
+
+**Category:** Identify > Inventory > Tagging
+
+**Severity:** Low
+
+**Resource type:** `AWS::Transfer::Connector`
+
+**AWS Config rule:** [transfer-connector-tagged](https://docs.aws.amazon.com/config/latest/developerguide/transfer-connector-tagged.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value  
+  
+This control checks whether an AWS Transfer Family connector has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the connector doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the connector doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.
+
+A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
+
+###### Note
+
+Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data.
+
+### Remediation
+
+For information about adding tags to an AWS Transfer Family connector, see [Resource tagging methods](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the _Tagging AWS Resources and Tag Editor User Guide_.
+
+## [Transfer.7] Transfer Family profiles should be tagged
+
+**Category:** Identify > Inventory > Tagging
+
+**Severity:** Low
+
+**Resource type:** `AWS::Transfer::Profile`
+
+**AWS Config rule:** [transfer-profile-tagged](https://docs.aws.amazon.com/config/latest/developerguide/transfer-profile-tagged.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value  
+  
+This control checks whether an AWS Transfer Family profile has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the profile doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the profile doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. The control evaluates local profiles and partner profiles.
+
+A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
+
+###### Note
+
+Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data.
+
+### Remediation
+
+For information about adding tags to an AWS Transfer Family profile, see [Resource tagging methods](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the _Tagging AWS Resources and Tag Editor User Guide_.
+