AWS securityhub medium security documentation change
Summary
Added entry about removing IAM.10 control from PCI DSS v4.0.1 standard due to password length requirement changes, and added new NIST SP 800-171 standard
Security assessment
Documents removal of a control that no longer meets updated PCI DSS password requirements (security compliance impact) and adds documentation for new NIST-aligned security standard
Diff
diff --git a/securityhub/latest/userguide/doc-history.md b/securityhub/latest/userguide/doc-history.md index bb4407ba2..89d55effb 100644 --- a//securityhub/latest/userguide/doc-history.md +++ b//securityhub/latest/userguide/doc-history.md @@ -12,0 +13,2 @@ Change| Description| Date +Updates to security standards and controls| We removed the [IAM.10 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-10) from the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). This control checks whether account password policies for IAM users meet minimum requirements, including a minimum password length of 7 characters. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. The IAM.10 control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements.| May 30, 2025 +New security standard| Security Hub now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html) that aligns with the NIST SP 800-171 Revision 2 cybersecurity and compliance framework. This new standard includes more than 60 existing security controls. The controls perform automated checks that evaluate certain AWS services and resources for compliance with a subset of the requirements defined by the framework.| May 29, 2025