AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-10 · Documentation high

File: securityhub/latest/userguide/regions-controls.md

Summary

Added multiple security controls across various AWS regions including encryption requirements (e.g., EC2.173, DocumentDB.6), tagging requirements (e.g., EC2.176, Amplify.1), and access restrictions (e.g., RedshiftServerless.3). Removed some outdated controls and reorganized existing entries.

Security assessment

The changes add documentation for security best practices like encrypting EBS volumes, enforcing SSL/TLS, restricting public access, and resource tagging. These controls help improve data protection and access management but do not indicate fixes for specific existing vulnerabilities.

Diff

diff --git a/securityhub/latest/userguide/regions-controls.md b/securityhub/latest/userguide/regions-controls.md
index 012670fa9..72c535067 100644
--- a//securityhub/latest/userguide/regions-controls.md
+++ b//securityhub/latest/userguide/regions-controls.md
@@ -144,0 +145,2 @@ The following controls are not supported in the US East (Ohio) Region.
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
@@ -249,0 +252,4 @@ The following controls are not supported in the US West (N. California) Region.
+  * [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](./documentdb-controls.html#documentdb-6)
+
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
@@ -356,0 +363,4 @@ The following controls are not supported in the US West (Oregon) Region.
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
+  * [[EC2.176] EC2 prefix lists should be tagged](./ec2-controls.html#ec2-176)
+
@@ -379,0 +390,4 @@ The following controls are not supported in the Africa (Cape Town) Region.
+  * [[Amplify.1] Amplify apps should be tagged](./amplify-controls.html#amplify-1)
+
+  * [[Amplify.2] Amplify branches should be tagged](./amplify-controls.html#amplify-2)
+
@@ -420,2 +433,0 @@ The following controls are not supported in the Africa (Cape Town) Region.
-  * [[DMS.1] Database Migration Service replication instances should not be public](./dms-controls.html#dms-1)
-
@@ -433,0 +446,2 @@ The following controls are not supported in the Africa (Cape Town) Region.
+  * [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](./documentdb-controls.html#documentdb-6)
+
@@ -449,0 +464,8 @@ The following controls are not supported in the Africa (Cape Town) Region.
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
+  * [[EC2.176] EC2 prefix lists should be tagged](./ec2-controls.html#ec2-176)
+
+  * [[EC2.177] EC2 traffic mirror sessions should be tagged](./ec2-controls.html#ec2-177)
+
+  * [[EC2.179] EC2 traffic mirror targets should be tagged](./ec2-controls.html#ec2-179)
+
@@ -533,0 +556,12 @@ The following controls are not supported in the Africa (Cape Town) Region.
+  * [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](./redshiftserverless-controls.html#redshiftserverless-2)
+
+  * [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](./redshiftserverless-controls.html#redshiftserverless-3)
+
+  * [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](./redshiftserverless-controls.html#redshiftserverless-4)
+
+  * [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](./redshiftserverless-controls.html#redshiftserverless-5)
+
+  * [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](./redshiftserverless-controls.html#redshiftserverless-6)
+
+  * [[RedshiftServerless.7] Redshift Serverless namespaces should not use the default database name](./redshiftserverless-controls.html#redshiftserverless-7)
+
@@ -550,2 +583,0 @@ The following controls are not supported in the Africa (Cape Town) Region.
-  * [[WAF.11] AWS WAF web ACL logging should be enabled](./waf-controls.html#waf-11)
-
@@ -614,0 +647,4 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region.
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
+  * [[EC2.176] EC2 prefix lists should be tagged](./ec2-controls.html#ec2-176)
+
@@ -676,0 +713,2 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region.
+  * [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](./redshiftserverless-controls.html#redshiftserverless-2)
+
@@ -711,0 +750,4 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[Amplify.1] Amplify apps should be tagged](./amplify-controls.html#amplify-1)
+
+  * [[Amplify.2] Amplify branches should be tagged](./amplify-controls.html#amplify-2)
+
@@ -762,4 +803,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](./codebuild-controls.html#codebuild-1)
-
-  * [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](./codebuild-controls.html#codebuild-2)
-
@@ -778,2 +815,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[DMS.1] Database Migration Service replication instances should not be public](./dms-controls.html#dms-1)
-
@@ -831,0 +868,10 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
+  * [[EC2.175] EC2 launch templates should be tagged](./ec2-controls.html#ec2-175)
+
+  * [[EC2.176] EC2 prefix lists should be tagged](./ec2-controls.html#ec2-176)
+
+  * [[EC2.177] EC2 traffic mirror sessions should be tagged](./ec2-controls.html#ec2-177)
+
+  * [[EC2.179] EC2 traffic mirror targets should be tagged](./ec2-controls.html#ec2-179)
+
@@ -837,0 +884,4 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](./elb-controls.html#elb-14)
+
+  * [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](./elb-controls.html#elb-17)
+
@@ -850,6 +899,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[ELB.5] Application and Classic Load Balancers logging should be enabled](./elb-controls.html#elb-5)
-
-  * [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](./elb-controls.html#elb-14)
-
-  * [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](./elb-controls.html#elb-17)
-
@@ -1020,2 +1063,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](./rds-controls.html#rds-2)
-
@@ -1034,4 +1075,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[Redshift.1] Amazon Redshift clusters should prohibit public access](./redshift-controls.html#redshift-1)
-
-  * [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](./redshift-controls.html#redshift-6)
-
@@ -1041,0 +1080,12 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](./redshiftserverless-controls.html#redshiftserverless-2)
+
+  * [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](./redshiftserverless-controls.html#redshiftserverless-3)
+
+  * [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](./redshiftserverless-controls.html#redshiftserverless-4)
+
+  * [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](./redshiftserverless-controls.html#redshiftserverless-5)
+
+  * [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](./redshiftserverless-controls.html#redshiftserverless-6)
+
+  * [[RedshiftServerless.7] Redshift Serverless namespaces should not use the default database name](./redshiftserverless-controls.html#redshiftserverless-7)
+
@@ -1048,2 +1097,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](./s3-controls.html#s3-17)
-
@@ -1059,0 +1108,4 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[SageMaker.6] SageMaker app image configurations should be tagged](./sagemaker-controls.html#sagemaker-6)
+
+  * [[SageMaker.7] SageMaker images should be tagged](./sagemaker-controls.html#sagemaker-7)
+
@@ -1070,2 +1121,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](./ssm-controls.html#ssm-2)
-
@@ -1073,0 +1124,4 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[Transfer.3] Transfer Family connectors should have logging enabled](./transfer-controls.html#transfer-3)
+
+  * [[Transfer.4] Transfer Family agreements should be tagged](./transfer-controls.html#transfer-4)
+
@@ -1104,0 +1159,4 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[Amplify.1] Amplify apps should be tagged](./amplify-controls.html#amplify-1)
+
+  * [[Amplify.2] Amplify branches should be tagged](./amplify-controls.html#amplify-2)
+
@@ -1165,2 +1222,0 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[DMS.1] Database Migration Service replication instances should not be public](./dms-controls.html#dms-1)
-
@@ -1198,0 +1255,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](./documentdb-controls.html#documentdb-6)
+
@@ -1218,0 +1277,8 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+
+  * [[EC2.176] EC2 prefix lists should be tagged](./ec2-controls.html#ec2-176)
+
+  * [[EC2.177] EC2 traffic mirror sessions should be tagged](./ec2-controls.html#ec2-177)
+
+  * [[EC2.179] EC2 traffic mirror targets should be tagged](./ec2-controls.html#ec2-179)
+
@@ -1224,0 +1291,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](./elb-controls.html#elb-17)
+
@@ -1235,2 +1302,0 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](./elb-controls.html#elb-17)
-
@@ -1341,2 +1406,0 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[Redshift.1] Amazon Redshift clusters should prohibit public access](./redshift-controls.html#redshift-1)
-
@@ -1344,0 +1409,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](./redshiftserverless-controls.html#redshiftserverless-2)
+
@@ -1386,4 +1451,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Account.1] Security contact information should be provided for an AWS account](./account-controls.html#account-1)
-
-  * [[Account.2] AWS accounts should be part of an AWS Organizations organization](./account-controls.html#account-2)
-
@@ -1394,5 +1456 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](./apigateway-controls.html#apigateway-1)
-
-  * [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](./apigateway-controls.html#apigateway-2)
-
-  * [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](./apigateway-controls.html#apigateway-3)
+  * [[Account.1] Security contact information should be provided for an AWS account](./account-controls.html#account-1)
@@ -1400 +1458 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](./apigateway-controls.html#apigateway-4)
+  * [[Account.2] AWS accounts should be part of an AWS Organizations organization](./account-controls.html#account-2)
@@ -1405,0 +1464,4 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [[Amplify.1] Amplify apps should be tagged](./amplify-controls.html#amplify-1)
+
+  * [[Amplify.2] Amplify branches should be tagged](./amplify-controls.html#amplify-2)
+
@@ -1436,2 +1497,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](./autoscaling-controls.html#autoscaling-1)
-
@@ -1442,2 +1501,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](./autoscaling-controls.html#autoscaling-5)
-
@@ -1463,0 +1522,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](./batch-controls.html#batch-4)
+
@@ -1493,0 +1554,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](./cloudtrail-controls.html#cloudtrail-10)
+
@@ -1522 +1584 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Detective.1] Detective behavior graphs should be tagged](./detective-controls.html#detective-1)