AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-10 · Documentation medium

File: securityhub/latest/userguide/securityhub-controls-reference.md

Summary

Added multiple new security controls and updated existing controls related to encryption, access restrictions, and logging across AWS services

Security assessment

The changes document security best practices and compliance requirements (e.g., encryption with KMS keys, SSL requirements, public access prohibitions) but do not indicate fixes for active vulnerabilities. These are preventive security controls rather than responses to existing security incidents.

Diff

diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md
index 613bc2df5..debdfdf94 100644
--- a//securityhub/latest/userguide/securityhub-controls-reference.md
+++ b//securityhub/latest/userguide/securityhub-controls-reference.md
@@ -97,0 +98 @@ Security control ID | Security control title | Applicable standards | Severity |
+[CloudTrail.10](./cloudtrail-controls.html#cloudtrail-10) | CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM |  Yes | Periodic  
@@ -147,0 +149 @@ Security control ID | Security control title | Applicable standards | Severity |
+[DocumentDB.6](./documentdb-controls.html#documentdb-6) | Amazon DocumentDB clusters should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
@@ -469 +471 @@ Security control ID | Security control title | Applicable standards | Severity |
-[RDS.46](./rds-controls.html#rds-46) | RDS DB instances should not be deployed in public subnets with routes to internet gateways | AWS Foundational Security Best Practices v1.0.0 | CRITICAL |  No | Periodic  
+[RDS.44](./rds-controls.html#rds-44) | RDS for MariaDB DB instances should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
@@ -486,0 +489,6 @@ Security control ID | Security control title | Applicable standards | Severity |
+[RedshiftServerless.2](./redshiftserverless-controls.html#redshiftserverless-2) | Connections to Redshift Serverless workgroups should be required to use SSL | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
+[RedshiftServerless.3](./redshiftserverless-controls.html#redshiftserverless-3) | Redshift Serverless workgroups should prohibit public access | AWS Foundational Security Best Practices v1.0.0 | HIGH |  No | Periodic  
+[RedshiftServerless.4](./redshiftserverless-controls.html#redshiftserverless-4) | Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM |  Yes | Periodic  
+[RedshiftServerless.5](./redshiftserverless-controls.html#redshiftserverless-5) | Redshift Serverless namespaces should not use the default admin username | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  Yes | Periodic  
+[RedshiftServerless.6](./redshiftserverless-controls.html#redshiftserverless-6) | Redshift Serverless namespaces should export logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0 | MEDIUM |  No | Periodic  
+[RedshiftServerless.7](./redshiftserverless-controls.html#redshiftserverless-7) | Redshift Serverless namespaces should not use the default database name | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM |  No | Periodic