AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/cis-aws-foundations-benchmark.md

Summary

Updated documentation formatting and version references for CIS AWS Foundations Benchmark standards. Added explicit references to Security Hub integration, standardized version labeling (e.g., 'version 3.0.0' instead of 'v3.0.0'), improved control descriptions, and clarified upgrade recommendations.

Security assessment

Changes focus on documentation clarity and consistency rather than addressing specific vulnerabilities. Updates include improved version tracking (e.g., 'AWS Support' vs 'Support') and better alignment with current Security Hub integration patterns. While related to security controls, there's no evidence of addressing new vulnerabilities or security incidents.

Diff

diff --git a/securityhub/latest/userguide/cis-aws-foundations-benchmark.md b/securityhub/latest/userguide/cis-aws-foundations-benchmark.md
index fe1ddb4e8..e07520f00 100644
--- a//securityhub/latest/userguide/cis-aws-foundations-benchmark.md
+++ b//securityhub/latest/userguide/cis-aws-foundations-benchmark.md
@@ -5 +5 @@
-CIS AWS Foundations Benchmark v3.0.0CIS AWS Foundations Benchmark v1.4.0CIS AWS Foundations Benchmark v1.2.0Version comparison for CIS AWS Foundations Benchmark
+CIS AWS Foundations Benchmark version 3.0.0CIS AWS Foundations Benchmark version 1.4.0CIS AWS Foundations Benchmark version 1.2.0Version comparison for CIS AWS Foundations Benchmark
@@ -7 +7 @@ CIS AWS Foundations Benchmark v3.0.0CIS AWS Foundations Benchmark v1.4.0CIS AWS
-# CIS AWS Foundations Benchmark
+# CIS AWS Foundations Benchmark in Security Hub
@@ -11 +11 @@ The Center for Internet Security (CIS) AWS Foundations Benchmark serves as a set
-AWS Security Hub supports CIS AWS Foundations Benchmark v3.0.0, 1.4.0, and v1.2.0.
+AWS Security Hub supports CIS AWS Foundations Benchmark versions 3.0.0, 1.4.0, and 1.2.0. This page lists the security controls that each version supports. It also provides a comparison of the versions.
@@ -13 +13 @@ AWS Security Hub supports CIS AWS Foundations Benchmark v3.0.0, 1.4.0, and v1.2.
-This page lists the security controls that each version supports and provides a comparison of the versions.
+## CIS AWS Foundations Benchmark version 3.0.0
@@ -15,5 +15 @@ This page lists the security controls that each version supports and provides a
-## CIS AWS Foundations Benchmark v3.0.0
-
-Security Hub supports version 3.0.0 of the CIS AWS Foundations Benchmark.
-
-Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+Security Hub supports version 3.0.0 (v3.0.0) of the CIS AWS Foundations Benchmark. Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
@@ -28 +24 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-### Controls that apply to CIS AWS Foundations Benchmark v3.0.0
+### Controls that apply to CIS AWS Foundations Benchmark version 3.0.0
@@ -74 +70 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-[[IAM.18] Ensure a support role has been created to manage incidents with Support](./iam-controls.html#iam-18)
+[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](./iam-controls.html#iam-18)
@@ -104 +100 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-## CIS AWS Foundations Benchmark v1.4.0
+## CIS AWS Foundations Benchmark version 1.4.0
@@ -106 +102 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.
+Security Hub supports version 1.4.0 (v1.4.0) of the CIS AWS Foundations Benchmark.
@@ -108 +104 @@ Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.
-### Controls that apply to CIS AWS Foundations Benchmark v1.4.0
+### Controls that apply to CIS AWS Foundations Benchmark version 1.4.0
@@ -126 +122 @@ Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.
-[[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes](./cloudwatch-controls.html#cloudwatch-5)
+[[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](./cloudwatch-controls.html#cloudwatch-5)
@@ -172 +168 @@ Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.
-[[IAM.18] Ensure a support role has been created to manage incidents with Support](./iam-controls.html#iam-18)
+[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](./iam-controls.html#iam-18)
@@ -188,3 +184 @@ Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.
-## Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0
-
-Security Hub supports version 1.2.0 of the CIS AWS Foundations Benchmark.
+## CIS AWS Foundations Benchmark version 1.2.0
@@ -192 +186 @@ Security Hub supports version 1.2.0 of the CIS AWS Foundations Benchmark.
-Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+Security Hub supports version 1.2.0 (v1.2.0) of the CIS AWS Foundations Benchmark. Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
@@ -201 +195 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-### Controls that apply to CIS AWS Foundations Benchmark v1.2.0
+### Controls that apply to CIS AWS Foundations Benchmark version 1.2.0
@@ -223 +217 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-[[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes](./cloudwatch-controls.html#cloudwatch-5)
+[[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](./cloudwatch-controls.html#cloudwatch-5)
@@ -283 +277 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-[[IAM.18] Ensure a support role has been created to manage incidents with Support](./iam-controls.html#iam-18)
+[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](./iam-controls.html#iam-18)
@@ -289,3 +283 @@ Security Hub has satisfied the requirements of CIS Security Software Certificati
-This section summarizes the differences among the Center for Internet Security (CIS) AWS Foundations Benchmark v3.0.0, v1.4.0, and v1.2.0.
-
-Security Hub supports each of these versions of the CIS AWS Foundations Benchmark, but we recommend using v3.0.0 to stay current on security best practices. You can have multiple versions of the standard enabled at the same time. For instructions on enabling standards, see [Enabling a security standard in Security Hub](./enable-standards.html). If you want to upgrade to v3.0.0, enable it first before disabling an older version. This prevents gaps in your security checks. If you use the Security Hub integration with AWS Organizations and want to batch enable v3.0.0 in multiple accounts, we recommend using [central configuration](./central-configuration-intro.html).
+This section summarizes the differences between specific versions of the Center for Internet Security (CIS) AWS Foundations Benchmark—v3.0.0, v1.4.0, and v1.2.0. AWS Security Hub supports each of these versions of the CIS AWS Foundations Benchmark. However, we recommend using v3.0.0 to stay current with security best practices. You can have multiple versions of the standard enabled at the same time. For information about enabling standards, see [Enabling a security standard in Security Hub](./enable-standards.html). If you want to upgrade to v3.0.0, enable it before you disable an older version. This prevents gaps in your security checks. If you use the Security Hub integration with AWS Organizations and want to batch enable v3.0.0 in multiple accounts, we recommend using [central configuration](./central-configuration-intro.html).
@@ -310 +302 @@ Control ID and title | CIS v3.0.0 requirement | CIS v1.4.0 requirement | CIS v1.
-[[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes](./cloudwatch-controls.html#cloudwatch-5) |  Not supported – manual check |  4.5 |  3.5  
+[[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](./cloudwatch-controls.html#cloudwatch-5) |  Not supported – manual check |  4.5 |  3.5  
@@ -346 +338 @@ Control ID and title | CIS v3.0.0 requirement | CIS v1.4.0 requirement | CIS v1.
-[[IAM.18] Ensure a support role has been created to manage incidents with Support](./iam-controls.html#iam-18) |  1.17 |  1.17 |  1.2  
+[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](./iam-controls.html#iam-18) |  1.17 |  1.17 |  1.2  
@@ -362,4 +354 @@ Control ID and title | CIS v3.0.0 requirement | CIS v1.4.0 requirement | CIS v1.
-### ARNs for CIS AWS Foundations Benchmark
-
-When you enable one or more versions of CIS AWS Foundations Benchmark, you'll begin receiving findings in the AWS Security Finding Format (ASFF). In ASFF, each version uses the following Amazon Resource Name (ARN):
-
+### ARNs for CIS AWS Foundations Benchmarks
@@ -366,0 +356 @@ When you enable one or more versions of CIS AWS Foundations Benchmark, you'll be
+When you enable one or more versions of the CIS AWS Foundations Benchmark, you begin receiving findings in the AWS Security Finding Format (ASFF). In ASFF, each version uses the following Amazon Resource Name (ARN):
@@ -383 +373 @@ When you enable one or more versions of CIS AWS Foundations Benchmark, you'll be
-You can use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub API to find out the ARN of an enabled standard.
+You can use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub API to find the ARN of an enabled standard.
@@ -389 +379 @@ The preceding values are for `StandardsArn`. However, `StandardsSubscriptionArn`
-When you enable a version of CIS AWS Foundations Benchmark, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information about the schedule for generating control findings, see [Schedule for running security checks](./securityhub-standards-schedule.html).
+When you enable a version of the CIS AWS Foundations Benchmark, it can take up to 18 hours for Security Hub to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information about the schedule for generating control findings, see [Schedule for running security checks](./securityhub-standards-schedule.html).
@@ -391 +381 @@ When you enable a version of CIS AWS Foundations Benchmark, Security Hub may tak
-Finding fields differ if you turn on consolidated control findings. For more information about these differences, see [Impact of consolidation on ASFF fields and values](./asff-changes-consolidation.html). For sample control findings, see [Sample control findings in Security Hub](./sample-control-findings.html).
+Finding fields differ if you turn on consolidated control findings. For information about these differences, see [Impact of consolidation on ASFF fields and values](./asff-changes-consolidation.html). For sample control findings, see [Samples of control findings in Security Hub](./sample-control-findings.html).
@@ -395 +385 @@ Finding fields differ if you turn on consolidated control findings. For more inf
-As noted in the preceding table, Security Hub doesn't support every CIS requirement in every version of the CIS AWS Foundations Benchmark. Many of the unsupported requirements can be evaluated only manually by reviewing the state of your AWS resources.
+As noted in the preceding table, Security Hub doesn't support every CIS requirement in every version of the CIS AWS Foundations Benchmark. Many of the unsupported requirements can be evaluated only by manually reviewing the state of your AWS resources.
@@ -403 +393 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-AWS Foundational Security Best Practices
+AWS Resource Tagging
@@ -405 +395 @@ AWS Foundational Security Best Practices
-NIST SP 800-53 Rev. 5
+NIST SP 800-53 Revision 5