AWS securityhub documentation change
Summary
Updated security standards documentation with expanded descriptions, added NIST SP 800-171 Rev 2 standard, reorganized content structure, and clarified consolidated control findings behavior
Security assessment
The changes enhance documentation of security standards (PCI DSS, NIST, CIS, etc.) and add a new NIST 800-171 standard reference. While these updates improve clarity about security features and compliance frameworks, there's no evidence of addressing a specific vulnerability or security incident. The changes primarily provide better guidance about existing security controls rather than patching vulnerabilities.
Diff
diff --git a/securityhub/latest/userguide/standards-reference.md b/securityhub/latest/userguide/standards-reference.md index 81359e0ab..4eeb46bff 100644 --- a//securityhub/latest/userguide/standards-reference.md +++ b//securityhub/latest/userguide/standards-reference.md @@ -7 +7 @@ -In AWS Security Hub, a _security standard_ is a set of requirements that's based on regulatory frameworks, industry best practices, or company policies. Security Hub maps these requirements to controls and runs security checks on the controls to assess whether the requirements of a standard are being met. A standard includes multiple controls. +In AWS Security Hub, a _security standard_ is a set of requirements that's based on regulatory frameworks, industry best practices, or company policies. Security Hub maps these requirements to controls, and runs security checks on the controls to assess whether the requirements of a standard are being met. Each standard includes multiple controls. @@ -9 +9 @@ In AWS Security Hub, a _security standard_ is a set of requirements that's based -An individual control can belong to one or more standards. If you turn on consolidated control findings, Security Hub generates a single finding for each security check, even when a control belongs to multiple enabled standards. For more information, see [Consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings). +Security Hub currently supports the following standards: @@ -11 +11 @@ An individual control can belong to one or more standards. If you turn on consol -Security Hub currently supports the security standards detailed in this section. We recommend enabling the standards that are relevant to your business needs, industry, or use case. Here's a quick summary of the supported standards. Choose a standard from the following list to review details about it, including the controls that apply to it. + * **AWS Foundational Security Best Practices** – Developed by AWS and industry professionals, this standard is a compilation of security best practices for organizations, regardless of sector or size. It provides a set of controls that detect when your AWS accounts and resources deviate from security best practices. It also provides prescriptive guidance about how to improve and maintain your security posture. @@ -13 +13 @@ Security Hub currently supports the security standards detailed in this section. - * [AWS Foundational Security Best Practices v1.0.0 (FSBP)](./fsbp-standard.html) – Developed by AWS and industry professionals, FSBP is a compilation of best practices for organizations regardless of sector or size. + * **AWS Resource Tagging** – Developed by Security Hub, this standard can help you determine whether your AWS resources have tags. A _tag_ is a key-value pair that acts as metadata for an AWS resource. Tags can help you identify, categorize, manage, and search for AWS resources. For example, you can use tags to categorize resources by purpose, owner, or environment. @@ -15 +15 @@ Security Hub currently supports the security standards detailed in this section. - * [Center for Internet Security (CIS) AWS Foundations Benchmark](./cis-aws-foundations-benchmark.html) – Provides configuration guidelines for AWS resources. + * **CIS AWS Foundations Benchmark** – Developed by the Center for Internet Security (CIS), this standard provides secure configuration guidelines for AWS. It specifies a set of security configuration guidelines and best practices for a subset of AWS services and resources, with an emphasis on foundational, testable, and architecture agnostic settings. The guidelines include clear, step-by-step implementation and assessment procedures. @@ -17 +17 @@ Security Hub currently supports the security standards detailed in this section. - * [National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5](./nist-standard.html) – Generally applies to federal agencies or organizations that work with federal agencies or federal information systems. + * **NIST SP 800-53 Revision 5** – This standard aligns with National Institute of Standards and Technology (NIST) requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. The associated framework generally applies to U.S. federal agencies or organizations that work with U.S. federal agencies or information systems. However, private organizations can also use the requirements as a guiding framework. @@ -19 +19 @@ Security Hub currently supports the security standards detailed in this section. - * [Payment Card Industry Data Security Standard (PCI DSS)](./pci-standard.html) – Applies to organizations that store, process, or transmit cardholder data. + * **NIST SP 800-171 Revision 2** – This standard aligns with NIST security recommendations and requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in systems and organizations that aren't part of the U.S. federal government. _CUI_ is information that doesn't meet government criteria for classification, but is considered sensitive and is created or possessed by the U.S. federal government or other entities on behalf of the U.S. federal government. @@ -21 +21 @@ Security Hub currently supports the security standards detailed in this section. - * [AWS Resource Tagging Standard](./standards-tagging.html) – Helps you keep track of tags that apply to your AWS resources. + * **PCI DSS** – This standard aligns with the Payment Card Industry Data Security Standard (PCI DSS) compliance framework defined by the PCI Security Standards Council (SSC). The framework provides a set of rules and guidelines for safely handling credit and debit card information. The framework generally applies to organizations that store, process, or transmit cardholder data. @@ -23 +23 @@ Security Hub currently supports the security standards detailed in this section. - * [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html) – Applies to users of Security Hub and AWS Control Tower who want to enable proactive and detective controls. + * **Service-managed standard, AWS Control Tower** – This standard helps you configure the proactive controls provided by AWS Control Tower alongside the detective controls provided by Security Hub. AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. By enabling both proactive and detective controls for your AWS environment, you can enhance your security posture at different development stages. @@ -28 +28,21 @@ Security Hub currently supports the security standards detailed in this section. -For information about enabling a standard, see [Enabling a security standard in Security Hub](./enable-standards.html). +Security Hub standards and controls don't guarantee compliance with any regulatory frameworks or audits. Instead, they provide a way to evaluate and monitor the state of your AWS accounts and resources. We recommend enabling each standard that's relevant to your business needs, industry, or use case. + +Individual controls can apply to more than one standard. If you enable multiple standards, we recommend that you also enable consolidated control findings. If you do this, Security Hub generates a single finding for each control, even if the control applies to more than one standard. If you don't turn on consolidated control findings, Security Hub generates a separate finding for each enabled standard that a control applies to. For example, if you enable two standards and a control applies to both of them, you receive two separate findings for the control, one for each standard. If you enable consolidated control findings, you receive only one finding for the control. For more information, see [Consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings). + +###### Detailed reference by standard + + * [AWS Foundational Security Best Practices](./fsbp-standard.html) + + * [AWS Resource Tagging](./standards-tagging.html) + + * [CIS AWS Foundations Benchmark](./cis-aws-foundations-benchmark.html) + + * [NIST SP 800-53 Revision 5](./standards-reference-nist-800-53.html) + + * [NIST SP 800-171 Revision 2](./standards-reference-nist-800-171.html) + + * [PCI DSS](./pci-standard.html) + + * [Service-managed standards](./service-managed-standards.html) + + @@ -30 +49,0 @@ For information about enabling a standard, see [Enabling a security standard in -Security Hub standards and controls don't guarantee compliance with any regulatory frameworks or audits. Rather, the controls provide a way to monitor the current state of your AWS accounts and resources.