AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/cloudwatch-controls.md

Summary

Updated compliance references to include NIST 800-171 and NIST 800-53 controls across multiple CloudWatch security controls, modified section titles for consistency, and adjusted control [CloudWatch.5] title from 'CloudTrail AWS Configuration changes' to 'CloudTrail configuration changes'.

Security assessment

The changes add references to NIST security frameworks (800-171 and 800-53) to existing controls, enhancing documentation about compliance requirements. This improves alignment with recognized security standards but does not indicate a direct fix for a specific security vulnerability. The control title change in [CloudWatch.5] appears to be a clarification rather than addressing a security flaw.

Diff

diff --git a/securityhub/latest/userguide/cloudwatch-controls.md b/securityhub/latest/userguide/cloudwatch-controls.md
index c4f1da207..6eff6518a 100644
--- a//securityhub/latest/userguide/cloudwatch-controls.md
+++ b//securityhub/latest/userguide/cloudwatch-controls.md
@@ -5 +5 @@
-[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes[CloudWatch.15] CloudWatch alarms should have specified actions configured[CloudWatch.16] CloudWatch log groups should be retained for a specified time period[CloudWatch.17] CloudWatch alarm actions should be activated
+[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes[CloudWatch.15] CloudWatch alarms should have specified actions configured[CloudWatch.16] CloudWatch log groups should be retained for a specified time period[CloudWatch.17] CloudWatch alarm actions should be activated
@@ -7 +7 @@
-# Security Hub controls for CloudWatch
+# Security Hub controls for Amazon CloudWatch
@@ -9 +9 @@
-These controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -13 +13 @@ These controls evaluate the Amazon CloudWatch service and resources. The control
-**Related requirements:** PCI DSS v3.2.1/7.2.1, CIS AWS Foundations Benchmark v1.2.0/1.1,CIS AWS Foundations Benchmark v1.2.0/3.3, CIS AWS Foundations Benchmark v1.4.0/1.7,CIS AWS Foundations Benchmark v1.4.0/4.3
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.1,CIS AWS Foundations Benchmark v1.2.0/3.3, CIS AWS Foundations Benchmark v1.4.0/1.7,CIS AWS Foundations Benchmark v1.4.0/4.3, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7, PCI DSS v3.2.1/7.2.1
@@ -91 +91 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.1
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -247 +247 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.4, CIS AWS Foundations Benchmark v1.4.0/4.4
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.4, CIS AWS Foundations Benchmark v1.4.0/4.4, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -325 +325 @@ than... |  `1`
-## [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes
+## [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes
@@ -327 +327 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.5, CIS AWS Foundations Benchmark v1.4.0/4.5
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.5, CIS AWS Foundations Benchmark v1.4.0/4.5, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -405 +405 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.6, CIS AWS Foundations Benchmark v1.4.0/4.6
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.6, CIS AWS Foundations Benchmark v1.4.0/4.6, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -483 +483 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.7, CIS AWS Foundations Benchmark v1.4.0/4.7
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.7, CIS AWS Foundations Benchmark v1.4.0/4.7, NIST.800-171.r2 3.13.10, NIST.800-171.r2 3.13.16, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -561 +561 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.8, CIS AWS Foundations Benchmark v1.4.0/4.8
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.8, CIS AWS Foundations Benchmark v1.4.0/4.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -639 +639 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.9, CIS AWS Foundations Benchmark v1.4.0/4.9
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.9, CIS AWS Foundations Benchmark v1.4.0/4.9, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -717 +717 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.10, CIS AWS Foundations Benchmark v1.4.0/4.10
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.10, CIS AWS Foundations Benchmark v1.4.0/4.10, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -795 +795 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.11, CIS AWS Foundations Benchmark v1.4.0/4.11
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.11, CIS AWS Foundations Benchmark v1.4.0/4.11, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -873 +873 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.12, CIS AWS Foundations Benchmark v1.4.0/4.12
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.12, CIS AWS Foundations Benchmark v1.4.0/4.12, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1
@@ -951 +951 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.13, CIS AWS Foundations Benchmark v1.4.0/4.13
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.13, CIS AWS Foundations Benchmark v1.4.0/4.13, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -1031 +1031 @@ than... |  `1`
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.14, CIS AWS Foundations Benchmark v1.4.0/4.14
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.14, CIS AWS Foundations Benchmark v1.4.0/4.14, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7
@@ -1109 +1109 @@ than... |  `1`
-**Category:** Detect > Detection services
+**Related requirements:** NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 IR-4(1), NIST.800-53.r5 IR-4(5), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-4(12), NIST.800-53.r5 SI-4(5), NIST.800-171.r2 3.3.4, NIST.800-171.r2 3.14.6
@@ -1111 +1111 @@ than... |  `1`
-**Related requirements:** NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 IR-4(1), NIST.800-53.r5 IR-4(5), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-4(12), NIST.800-53.r5 SI-4(5)
+**Category:** Detect > Detection services