AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/sample-control-findings.md

Summary

Updated documentation structure and content for Security Hub control findings samples, including added NIST SP 800-171 Revision 2 examples, PCI DSS v4.0.1 references, and reorganized consolidated findings documentation.

Security assessment

The changes enhance documentation of security controls and compliance standards but do not address specific vulnerabilities. Updates include new compliance standard examples (NIST 800-171 Rev2, PCI DSS v4.0.1) and clearer explanations of consolidated findings functionality.

Diff

diff --git a/securityhub/latest/userguide/sample-control-findings.md b/securityhub/latest/userguide/sample-control-findings.md
index 6b85493de..62ca1f220 100644
--- a//securityhub/latest/userguide/sample-control-findings.md
+++ b//securityhub/latest/userguide/sample-control-findings.md
@@ -5 +5 @@
-Sample finding for FSBPSample finding for CIS AWS Foundations Benchmark v3.0.0Sample finding for CIS AWS Foundations Benchmark v1.4.0Sample finding for CIS AWS Foundations Benchmark v1.2.0Sample finding for NIST SP 800-53 Rev. 5Sample finding for PCI DSSSample finding for AWS Resource Tagging StandardSample finding for Service-Managed Standard: AWS Control TowerSample finding across standards (when consolidated control findings is turned on)
+Sample finding for the AWS Foundational Security Best Practices standardSample finding for CIS AWS Foundations Benchmark v3.0.0Sample finding for CIS AWS Foundations Benchmark v1.4.0Sample finding for CIS AWS Foundations Benchmark v1.2.0Sample finding for the NIST SP 800-53 Revision 5 standardSample finding for the NIST SP 800-171 Revision 2 standardSample finding for Payment Card Industry Data Security Standard v3.2.1Sample finding for the AWS Resource Tagging standardSample finding for the AWS Control Tower service-managed standardSample consolidated finding for multiple standards
@@ -7 +7 @@ Sample finding for FSBPSample finding for CIS AWS Foundations Benchmark v3.0.0Sa
-# Sample control findings in Security Hub
+# Samples of control findings in Security Hub
@@ -9 +9 @@ Sample finding for FSBPSample finding for CIS AWS Foundations Benchmark v3.0.0Sa
-The format of control findings varies depending on whether you've turned on consolidated control findings. When you turn on this feature, Security Hub generates a single finding for a control check even when the control applies to multiple enabled standards. For more information, see [Consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings).
+The following samples provide examples of AWS Security Hub control findings in the AWS Security Finding Format (ASFF). The contents of control findings vary depending on whether you enabled consolidated control findings.
@@ -11 +11 @@ The format of control findings varies depending on whether you've turned on cons
-The following section shows sample control findings in AWS Security Finding Format (ASFF) format. These include findings from each Security Hub standard when consolidated control findings is turned off in your account, and a sample control finding across standards when it's turned on.
+If you enable consolidated control findings, Security Hub generates a single finding for a control, even if the control applies to multiple enabled standards. If you don't enable this feature, Security Hub generates a separate control finding for each enabled standard that a control applies to. For example, if you enable two standards and a control applies to both of them, you receive two separate findings for the control, one for each standard. If you enable consolidated control findings, you receive only one finding for the control. For more information, see [Consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings).
@@ -13,3 +13 @@ The following section shows sample control findings in AWS Security Finding Form
-###### Note
-
-Findings will reference different fields and values in the China Regions and AWS GovCloud (US) Region. For more information, see [Impact of consolidation on ASFF fields and values](./asff-changes-consolidation.html).
+The samples on this page provide examples for both scenarios. The samples include: control findings for individual Security Hub standards when consolidated control findings is disabled, and a control finding for multiple Security Hub standards when consolidated control findings is enabled.
@@ -17 +15 @@ Findings will reference different fields and values in the China Regions and AWS
-**Consolidated control findings is turned off**
+###### Samples of control findings
@@ -19 +17 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for AWS Foundational Security Best Practices (FSBP) standard
+  * Sample finding for the AWS Foundational Security Best Practices standard
@@ -21 +19 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0
+  * Sample finding for CIS AWS Foundations Benchmark v3.0.0
@@ -23 +21 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0
+  * Sample finding for CIS AWS Foundations Benchmark v1.4.0
@@ -25 +23 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for Center for Internet Security (CIS) AWS Foundations Benchmark v3.0.0
+  * Sample finding for CIS AWS Foundations Benchmark v1.2.0
@@ -27 +25 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5
+  * Sample finding for the NIST SP 800-53 Revision 5 standard
@@ -29 +27 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for Payment Card Industry Data Security Standard (PCI DSS)
+  * Sample finding for the NIST SP 800-171 Revision 2 standard
@@ -31 +29 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for AWS Resource Tagging Standard
+  * Sample finding for Payment Card Industry Data Security Standard v3.2.1
@@ -33 +31 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding for Service-Managed Standard: AWS Control Tower
+  * Sample finding for the AWS Resource Tagging standard
@@ -34,0 +33 @@ Findings will reference different fields and values in the China Regions and AWS
+  * Sample finding for the AWS Control Tower service-managed standard
@@ -35,0 +35 @@ Findings will reference different fields and values in the China Regions and AWS
+  * Sample consolidated finding for multiple standards
@@ -38 +37,0 @@ Findings will reference different fields and values in the China Regions and AWS
-**Consolidated control findings is turned on**
@@ -40 +38,0 @@ Findings will reference different fields and values in the China Regions and AWS
-  * Sample finding across standards
@@ -41,0 +40 @@ Findings will reference different fields and values in the China Regions and AWS
+###### Note
@@ -42,0 +42 @@ Findings will reference different fields and values in the China Regions and AWS
+Control findings reference different fields and values in the China Regions and the AWS GovCloud (US) Regions. For more information, see [Impact of consolidation on ASFF fields and values](./asff-changes-consolidation.html).
@@ -43,0 +44 @@ Findings will reference different fields and values in the China Regions and AWS
+## Sample finding for the AWS Foundational Security Best Practices standard
@@ -45 +46 @@ Findings will reference different fields and values in the China Regions and AWS
-## Sample finding for FSBP
+The following sample provides an example of a finding for a control that applies to the AWS Foundational Security Best Practices (FSBP) standard. In this sample, consolidated control findings is disabled.
@@ -123,0 +125,2 @@ Findings will reference different fields and values in the China Regions and AWS
+The following sample provides an example of a finding for a control that applies to CIS AWS Foundations Benchmark v3.0.0. In this sample, consolidated control findings is disabled.
+    
@@ -207,0 +211,2 @@ Findings will reference different fields and values in the China Regions and AWS
+The following sample provides an example of a finding for a control that applies to CIS AWS Foundations Benchmark v1.4.0. In this sample, consolidated control findings is disabled.
+    
@@ -287,0 +293,2 @@ Findings will reference different fields and values in the China Regions and AWS
+The following sample provides an example of a finding for a control that applies to CIS AWS Foundations Benchmark v1.2.0. In this sample, consolidated control findings is disabled.
+    
@@ -362,0 +370 @@ Findings will reference different fields and values in the China Regions and AWS
+## Sample finding for the NIST SP 800-53 Revision 5 standard
@@ -364 +372 @@ Findings will reference different fields and values in the China Regions and AWS
-## Sample finding for NIST SP 800-53 Rev. 5
+The following sample provides an example of a finding for a control that applies to the NIST SP 800-53 Revision 5 standard. In this sample, consolidated control findings is disabled.
@@ -454 +462,91 @@ Findings will reference different fields and values in the China Regions and AWS
-## Sample finding for PCI DSS
+## Sample finding for the NIST SP 800-171 Revision 2 standard
+
+The following sample provides an example of a finding for a control that applies to the NIST SP 800-171 Revision 2 standard. In this sample, consolidated control findings is disabled.
+    
+    
+    {
+      "SchemaVersion": "2018-10-08",
+      "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
+      "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+      "ProductName": "Security Hub",
+      "CompanyName": "AWS",
+      "Region": "us-east-1",
+      "GeneratorId": "nist-800-171/v/2.0.0/CloudTrail.2",
+      "AwsAccountId": "123456789012",
+      "AwsAccountName": "TestAcct",
+      "Types": [
+        "Software and Configuration Checks/Industry and Regulatory Standards"
+      ],
+      "FirstObservedAt": "2025-05-29T05:23:58.690Z",
+      "LastObservedAt": "2025-05-30T05:50:11.898Z",
+      "CreatedAt": "2025-05-29T05:24:24.772Z",
+      "UpdatedAt": "2025-05-30T05:50:34.292Z",
+      "Severity": {
+        "Product": 40,
+        "Label": "MEDIUM",
+        "Normalized": 40,
+        "Original": "MEDIUM"
+      },
+      "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
+      "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
+      "Remediation": {
+        "Recommendation": {
+          "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
+          "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
+        }
+      },
+      "ProductFields": {
+        "StandardsArn": "arn:aws:securityhub:::standards/nist-800-171/v/2.0.0",
+        "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0",
+        "ControlId": "CloudTrail.2",
+        "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
+        "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-0ab1c2d4",
+        "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
+        "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/nist-800-171/v/2.0.0/CloudTrail.2",
+        "aws/securityhub/ProductName": "Security Hub",
+        "aws/securityhub/CompanyName": "AWS",
+        "Resources:0/Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail",
+        "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
+      },
+      "Resources": [
+        {
+          "Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail",
+          "Partition": "aws",
+          "Region": "us-east-1",
+          "Type": "AwsCloudTrailTrail"
+        }
+      ],
+      "Compliance": {
+        "Status": "FAILED",
+        "SecurityControlId": "CloudTrail.2",
+        "RelatedRequirements": [
+          "NIST.800-171.r2/3.3.8"
+        ],
+        "AssociatedStandards": [
+          {
+            "StandardsId": "standards/nist-800-171/v/2.0.0"
+          }
+        ]
+      },
+      "Workflow": {
+        "Status": "NEW"
+      },
+      "WorkflowState": "NEW",
+      "RecordState": "ACTIVE",
+      "FindingProviderFields": {
+        "Types": [
+          "Software and Configuration Checks/Industry and Regulatory Standards"
+        ],
+        "Severity": {
+          "Product": 40,
+          "Label": "MEDIUM",
+          "Normalized": 40,
+          "Original": "MEDIUM"
+        }
+      },
+      "ProcessedAt": "2025-05-30T05:50:40.297Z"
+    }
+
+## Sample finding for Payment Card Industry Data Security Standard v3.2.1
+
+The following sample provides an example of a finding for a control that applies to Payment Card Industry Data Security Standard (PCI DSS) v3.2.1. In this sample, consolidated control findings is disabled.
@@ -533,0 +632 @@ Findings will reference different fields and values in the China Regions and AWS
+## Sample finding for the AWS Resource Tagging standard
@@ -535 +634 @@ Findings will reference different fields and values in the China Regions and AWS
-## Sample finding for AWS Resource Tagging Standard
+The following sample provides an example of a finding for a control that applies to the AWS Resource Tagging standard. In this sample, consolidated control findings is disabled.
@@ -634,3 +733 @@ Findings will reference different fields and values in the China Regions and AWS
-## Sample finding for Service-Managed Standard: AWS Control Tower
-
-###### Note
+## Sample finding for the AWS Control Tower service-managed standard
@@ -638 +735 @@ Findings will reference different fields and values in the China Regions and AWS
-This standard is available to you only if you're an AWS Control Tower user who has created the standard in AWS Control Tower. For more information, see [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html).
+The following sample provides an example of a finding for a control that applies to the AWS Control Tower service-managed standard. In this sample, consolidated control findings is disabled.
@@ -715 +812,3 @@ This standard is available to you only if you're an AWS Control Tower user who h
-## Sample finding across standards (when consolidated control findings is turned on)
+## Sample consolidated finding for multiple standards
+
+The following sample provides an example of a finding for a control that applies to multiple enabled standards. In this sample, consolidated control findings is enabled.
@@ -720,2 +819,2 @@ This standard is available to you only if you're an AWS Control Tower user who h
-      "Id": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
-      "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub",
+      "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
+      "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
@@ -724 +823 @@ This standard is available to you only if you're an AWS Control Tower user who h
-      "Region": "us-east-2",
+      "Region": "us-east-1",
@@ -730,4 +829,4 @@ This standard is available to you only if you're an AWS Control Tower user who h
-      "FirstObservedAt": "2022-10-06T02:18:23.076Z",