AWS securityhub documentation change
Summary
Updated compliance references to include NIST 800-171 and NIST 800-53 controls across multiple CloudWatch security controls, modified section titles for consistency, and adjusted control [CloudWatch.5] title from 'CloudTrail AWS Configuration changes' to 'CloudTrail configuration changes'.
Security assessment
The changes add references to NIST security frameworks (800-171 and 800-53) to existing controls, enhancing documentation about compliance requirements. This improves alignment with recognized security standards but does not indicate a direct fix for a specific security vulnerability. The control title change in [CloudWatch.5] appears to be a clarification rather than addressing a security flaw.
Diff
diff --git a/securityhub/latest/userguide/cloudwatch-controls.md b/securityhub/latest/userguide/cloudwatch-controls.md index c4f1da207..6eff6518a 100644 --- a//securityhub/latest/userguide/cloudwatch-controls.md +++ b//securityhub/latest/userguide/cloudwatch-controls.md @@ -5 +5 @@ -[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes[CloudWatch.15] CloudWatch alarms should have specified actions configured[CloudWatch.16] CloudWatch log groups should be retained for a specified time period[CloudWatch.17] CloudWatch alarm actions should be activated +[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes[CloudWatch.15] CloudWatch alarms should have specified actions configured[CloudWatch.16] CloudWatch log groups should be retained for a specified time period[CloudWatch.17] CloudWatch alarm actions should be activated @@ -7 +7 @@ -# Security Hub controls for CloudWatch +# Security Hub controls for Amazon CloudWatch @@ -9 +9 @@ -These controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -13 +13 @@ These controls evaluate the Amazon CloudWatch service and resources. The control -**Related requirements:** PCI DSS v3.2.1/7.2.1, CIS AWS Foundations Benchmark v1.2.0/1.1,CIS AWS Foundations Benchmark v1.2.0/3.3, CIS AWS Foundations Benchmark v1.4.0/1.7,CIS AWS Foundations Benchmark v1.4.0/4.3 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.1,CIS AWS Foundations Benchmark v1.2.0/3.3, CIS AWS Foundations Benchmark v1.4.0/1.7,CIS AWS Foundations Benchmark v1.4.0/4.3, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7, PCI DSS v3.2.1/7.2.1 @@ -91 +91 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.1 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -247 +247 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.4, CIS AWS Foundations Benchmark v1.4.0/4.4 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.4, CIS AWS Foundations Benchmark v1.4.0/4.4, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -325 +325 @@ than... | `1` -## [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes +## [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes @@ -327 +327 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.5, CIS AWS Foundations Benchmark v1.4.0/4.5 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.5, CIS AWS Foundations Benchmark v1.4.0/4.5, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -405 +405 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.6, CIS AWS Foundations Benchmark v1.4.0/4.6 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.6, CIS AWS Foundations Benchmark v1.4.0/4.6, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -483 +483 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.7, CIS AWS Foundations Benchmark v1.4.0/4.7 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.7, CIS AWS Foundations Benchmark v1.4.0/4.7, NIST.800-171.r2 3.13.10, NIST.800-171.r2 3.13.16, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -561 +561 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.8, CIS AWS Foundations Benchmark v1.4.0/4.8 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.8, CIS AWS Foundations Benchmark v1.4.0/4.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -639 +639 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.9, CIS AWS Foundations Benchmark v1.4.0/4.9 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.9, CIS AWS Foundations Benchmark v1.4.0/4.9, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -717 +717 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.10, CIS AWS Foundations Benchmark v1.4.0/4.10 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.10, CIS AWS Foundations Benchmark v1.4.0/4.10, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -795 +795 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.11, CIS AWS Foundations Benchmark v1.4.0/4.11 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.11, CIS AWS Foundations Benchmark v1.4.0/4.11, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -873 +873 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.12, CIS AWS Foundations Benchmark v1.4.0/4.12 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.12, CIS AWS Foundations Benchmark v1.4.0/4.12, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1 @@ -951 +951 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.13, CIS AWS Foundations Benchmark v1.4.0/4.13 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.13, CIS AWS Foundations Benchmark v1.4.0/4.13, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -1031 +1031 @@ than... | `1` -**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.14, CIS AWS Foundations Benchmark v1.4.0/4.14 +**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/3.14, CIS AWS Foundations Benchmark v1.4.0/4.14, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7 @@ -1109 +1109 @@ than... | `1` -**Category:** Detect > Detection services +**Related requirements:** NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 IR-4(1), NIST.800-53.r5 IR-4(5), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-4(12), NIST.800-53.r5 SI-4(5), NIST.800-171.r2 3.3.4, NIST.800-171.r2 3.14.6 @@ -1111 +1111 @@ than... | `1` -**Related requirements:** NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 IR-4(1), NIST.800-53.r5 IR-4(5), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-4(12), NIST.800-53.r5 SI-4(5) +**Category:** Detect > Detection services