AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/iam-controls.md

Summary

Updated IAM controls documentation with compliance standard references (NIST 800-171 additions), corrected section titles, added PCI DSS v4.0.1 deprecation note, and improved clarity of security control descriptions.

Security assessment

Changes primarily add/update references to compliance standards (NIST 800-171, PCI DSS) and clarify security control requirements. While these enhance security documentation, there's no evidence of addressing specific vulnerabilities. The note about PCI DSS v4.0.1 changes helps users align with updated requirements but doesn't fix a security flaw.

Diff

diff --git a/securityhub/latest/userguide/iam-controls.md b/securityhub/latest/userguide/iam-controls.md
index 91e5eebde..d2ff59425 100644
--- a//securityhub/latest/userguide/iam-controls.md
+++ b//securityhub/latest/userguide/iam-controls.md
@@ -5 +5 @@
-[IAM.1] IAM policies should not allow full "*" administrative privileges[IAM.2] IAM users should not have IAM policies attached[IAM.3] IAM users' access keys should be rotated every 90 days or less[IAM.4] IAM root user access key should not exist[IAM.5] MFA should be enabled for all IAM users that have a console password[IAM.6] Hardware MFA should be enabled for the root user[IAM.7] Password policies for IAM users should have strong configurations[IAM.8] Unused IAM user credentials should be removed[IAM.9] MFA should be enabled for the root user[IAM.10] Password policies for IAM users should have strong AWS Configurations[IAM.11] Ensure IAM password policy requires at least one uppercase letter[IAM.12] Ensure IAM password policy requires at least one lowercase letter[IAM.13] Ensure IAM password policy requires at least one symbol[IAM.14] Ensure IAM password policy requires at least one number[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater[IAM.16] Ensure IAM password policy prevents password reuse[IAM.17] Ensure IAM password policy expires passwords within 90 days or less[IAM.18] Ensure a support role has been created to manage incidents with Support[IAM.19] MFA should be enabled for all IAM users[IAM.20] Avoid the use of the root user[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services[IAM.22] IAM user credentials unused for 45 days should be removed[IAM.23] IAM Access Analyzer analyzers should be tagged[IAM.24] IAM roles should be tagged[IAM.25] IAM users should be tagged[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached[IAM.28] IAM Access Analyzer external access analyzer should be enabled
+[IAM.1] IAM policies should not allow full "*" administrative privileges[IAM.2] IAM users should not have IAM policies attached[IAM.3] IAM users' access keys should be rotated every 90 days or less[IAM.4] IAM root user access key should not exist[IAM.5] MFA should be enabled for all IAM users that have a console password[IAM.6] Hardware MFA should be enabled for the root user[IAM.7] Password policies for IAM users should have strong configurations[IAM.8] Unused IAM user credentials should be removed[IAM.9] MFA should be enabled for the root user[IAM.10] Password policies for IAM users should have strong configurations[IAM.11] Ensure IAM password policy requires at least one uppercase letter[IAM.12] Ensure IAM password policy requires at least one lowercase letter[IAM.13] Ensure IAM password policy requires at least one symbol[IAM.14] Ensure IAM password policy requires at least one number[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater[IAM.16] Ensure IAM password policy prevents password reuse[IAM.17] Ensure IAM password policy expires passwords within 90 days or less[IAM.18] Ensure a support role has been created to manage incidents with AWS Support[IAM.19] MFA should be enabled for all IAM users[IAM.20] Avoid the use of the root user[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services[IAM.22] IAM user credentials unused for 45 days should be removed[IAM.23] IAM Access Analyzer analyzers should be tagged[IAM.24] IAM roles should be tagged[IAM.25] IAM users should be tagged[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached[IAM.28] IAM Access Analyzer external access analyzer should be enabled
@@ -7 +7 @@
-# Security Hub controls for IAM
+# Security Hub controls for AWS Identity and Access Management
@@ -13 +13 @@ These AWS Security Hub controls evaluate the AWS Identity and Access Management
-**Related requirements:** PCI DSS v3.2.1/7.2.1, CIS AWS Foundations Benchmark v1.2.0/1.22, CIS AWS Foundations Benchmark v1.4.0/1.16, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2), NIST.800-53.r5 AC-6(3)
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.22, CIS AWS Foundations Benchmark v1.4.0/1.16, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2), NIST.800-53.r5 AC-6(3), NIST.800-171.r2 3.1.4, PCI DSS v3.2.1/7.2.1
@@ -52 +52 @@ To modify your IAM policies so that they do not allow full "*" administrative pr
-**Related requirements:** PCI DSS v3.2.1/7.2.1, CIS AWS Foundations Benchmark v3.0.0/1.15, CIS AWS Foundations Benchmark v1.2.0/1.16, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3)
+**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.15, CIS AWS Foundations Benchmark v1.2.0/1.16, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3), NIST.800-171.r2 3.1.1, NIST.800-171.r2 3.1.2, NIST.800-171.r2 3.1.7, NIST.800-171.r2 3.3.9, NIST.800-171.r2 3.13.3, PCI DSS v3.2.1/7.2.1
@@ -222 +222 @@ We are offering a free MFA security key to eligible customers. To determine whet
-**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-5(1), PCI DSS v4.0.1/8.3.6, PCI DSS v4.0.1/8.3.7
+**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-5(1), NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.6, PCI DSS v4.0.1/8.3.7
@@ -260 +260 @@ To update your password policy, see [Setting an account password policy for IAM
-**Related requirements:** PCI DSS v3.2.1/8.1.4, PCI DSS v4.0.1/8.2.6, CIS AWS Foundations Benchmark v1.2.0/1.3, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.3, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-171.r2 3.1.2, PCI DSS v3.2.1/8.1.4, PCI DSS v4.0.1/8.2.6
@@ -332 +332 @@ For information about enabling MFA for the root user of an AWS account, see [Mul
-## [IAM.10] Password policies for IAM users should have strong AWS Configurations
+## [IAM.10] Password policies for IAM users should have strong configurations
@@ -334 +334 @@ For information about enabling MFA for the root user of an AWS account, see [Mul
-**Related requirements:** PCI DSS v3.2.1/8.1.4, PCI DSS v3.2.1/8.2.3, PCI DSS v3.2.1/8.2.4, PCI DSS v3.2.1/8.2.5, PCI DSS v4.0.1/8.3.6
+**Related requirements:** NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v3.2.1/8.1.4, PCI DSS v3.2.1/8.2.3, PCI DSS v3.2.1/8.2.4, PCI DSS v3.2.1/8.2.5
@@ -364,0 +365,6 @@ This control checks whether the account password policy for IAM users uses the f
+###### Note
+
+On May 30, 2025, Security Hub removed this control from the PCI DSS v4.0.1 standard. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. This control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements.
+
+To evaluate account password policies against PCI DSS v4.0.1 requirements, you can use the IAM.7 control. This control requires passwords to have a minimum of 8 characters. It also supports custom values for password length and other parameters. The IAM.7 control is part of the PCI DSS v4.0.1 standard in Security Hub.
+
@@ -371 +377 @@ To update your password policy to use the recommended configuration, see [Settin
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.5, PCI DSS v4.0.1/8.3.6
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.5, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.6
@@ -395 +401 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.6, PCI DSS v4.0.1/8.3.6
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.6, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.6
@@ -417 +423 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.7, PCI DSS v4.0.1/8.3.6
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.7, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.6
@@ -441 +447 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.8, PCI DSS v4.0.1/8.3.6
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.8, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.6
@@ -465 +471 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.8, CIS AWS Foundations Benchmark v1.4.0/1.8, CIS AWS Foundations Benchmark v1.2.0/1.9
+**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.8, CIS AWS Foundations Benchmark v1.4.0/1.8, CIS AWS Foundations Benchmark v1.2.0/1.9, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9
@@ -489 +495 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.9, CIS AWS Foundations Benchmark v1.4.0/1.9, CIS AWS Foundations Benchmark v1.2.0/1.10, PCI DSS v4.0.1/8.3.7
+**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.9, CIS AWS Foundations Benchmark v1.4.0/1.9, CIS AWS Foundations Benchmark v1.2.0/1.10, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.7
@@ -515 +521 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.11, PCI DSS v4.0.1/8.3.9
+**Related requirements:** CIS AWS Foundations Benchmark v1.2.0/1.11, NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, NIST.800-171.r2 3.5.9, PCI DSS v4.0.1/8.3.9
@@ -548 +554 @@ To change your password policy, see [Setting an account password policy for IAM
-## [IAM.18] Ensure a support role has been created to manage incidents with Support
+## [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
@@ -550 +556 @@ To change your password policy, see [Setting an account password policy for IAM
-**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.17, CIS AWS Foundations Benchmark v1.4.0/1.17, CIS AWS Foundations Benchmark v1.2.0/1.20, PCI DSS v4.0.1/12.10.3
+**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.17, CIS AWS Foundations Benchmark v1.4.0/1.17, CIS AWS Foundations Benchmark v1.2.0/1.20, NIST.800-171.r2 3.1.2, PCI DSS v4.0.1/12.10.3
@@ -628 +634 @@ Show moreShow less
-**Related requirements:** PCI DSS v3.2.1/8.3.1, PCI DSS v4.0.1/8.4.2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-2(1), NIST.800-53.r5 IA-2(2), NIST.800-53.r5 IA-2(6), NIST.800-53.r5 IA-2(8)
+**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-2(1), NIST.800-53.r5 IA-2(2), NIST.800-53.r5 IA-2(6), NIST.800-53.r5 IA-2(8), NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.5.3, NIST.800-171.r2 3.5.4, NIST.800-171.r2 3.7.5, PCI DSS v3.2.1/8.3.1, PCI DSS v4.0.1/8.4.2, 
@@ -820 +826 @@ Show moreShow less
-**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2), NIST.800-53.r5 AC-6(3)
+**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2), NIST.800-53.r5 AC-6(3), NIST.800-171.r2 3.1.1, NIST.800-171.r2 3.1.2, NIST.800-171.r2 3.1.5, NIST.800-171.r2 3.1.7, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.3.9, NIST.800-171.r2 3.13.3, NIST.800-171.r2 3.13.4
@@ -883 +889 @@ To remediate this issue, update your IAM policies so that they do not allow full
-**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.12, CIS AWS Foundations Benchmark v1.4.0/1.12
+**Related requirements:** CIS AWS Foundations Benchmark v3.0.0/1.12, CIS AWS Foundations Benchmark v1.4.0/1.12, NIST.800-171.r2 3.1.2