AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-05-31 · Security-related medium

File: securityhub/latest/userguide/controls-change-log.md

Summary

Added entry documenting removal of IAM.10 control from PCI DSS v4.0.1 standard and guidance to use IAM.7 control instead for password requirements

Security assessment

The change documents compliance with updated PCI DSS password requirements (minimum 8 characters vs 7), which directly relates to security configuration standards and authentication security controls. It provides guidance for maintaining compliance with security frameworks.

Diff

diff --git a/securityhub/latest/userguide/controls-change-log.md b/securityhub/latest/userguide/controls-change-log.md
index 218c0f015..6180c9dd4 100644
--- a//securityhub/latest/userguide/controls-change-log.md
+++ b//securityhub/latest/userguide/controls-change-log.md
@@ -12,0 +13 @@ Date of change | Control ID and title | Description of change
+May 30, 2025 | [[IAM.10] Password policies for IAM users should have strong configurations](./iam-controls.html#iam-10) | Security Hub removed this control from the [PCI DSS v4.0.1 standard](./pci-standard.html). This control checks whether account password policies for IAM users meet minimum requirements, including a minimum password length of 7 characters. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. The control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements. To evaluate account password policies against PCI DSS v4.0.1 requirements, you can use the [IAM.7 control](./iam-controls.html#iam-7). This control requires passwords to have a minimum of 8 characters. It also supports custom values for password length and other parameters. The IAM.7 control is part of the PCI DSS v4.0.1 standard in Security Hub.