AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/standards-tagging.md

Summary

Updated documentation for AWS Resource Tagging standard in Security Hub with revised structure, clarified purpose, added prerequisites about AWS Config resource recording, regional availability notes, and updated control references

Security assessment

The changes improve documentation about a security feature (resource tagging standard) but do not address any specific vulnerability. Added emphasis on AWS Config configuration requirements helps users properly implement security controls but doesn't fix a security flaw.

Diff

diff --git a/securityhub/latest/userguide/standards-tagging.md b/securityhub/latest/userguide/standards-tagging.md
index 0a26885ba..dc0cc6c15 100644
--- a//securityhub/latest/userguide/standards-tagging.md
+++ b//securityhub/latest/userguide/standards-tagging.md
@@ -5 +5 @@
-What is the AWS Resource Tagging Standard?Controls in the AWS Resource Tagging Standard
+Controls that apply to the standard
@@ -7 +7 @@ What is the AWS Resource Tagging Standard?Controls in the AWS Resource Tagging S
-# AWS Resource Tagging Standard
+# AWS Resource Tagging standard in Security Hub
@@ -9,5 +9 @@ What is the AWS Resource Tagging Standard?Controls in the AWS Resource Tagging S
-This section provides information about the AWS Resource Tagging Standard.
-
-## What is the AWS Resource Tagging Standard?
-
-Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include Amazon CloudFront distributions, Amazon Elastic Compute Cloud (Amazon EC2) instances, and secrets in AWS Secrets Manager. Tags can help you manage, identify, organize, search for, and filter AWS resources.
+The AWS Resource Tagging standard, developed by AWS Security Hub, helps you determine whether your AWS resources are missing tags. _Tags_ are key‐value pairs that act as metadata for organizing AWS resources. With most AWS resources, you have the option of adding tags to a resource when you create the resource or after you create the resource. Examples of resources include Amazon CloudFront distributions, Amazon Elastic Compute Cloud (Amazon EC2) instances, and secrets in AWS Secrets Manager. Tags can help you manage, identify, organize, search for, and filter AWS resources.
@@ -24,3 +20 @@ Each tag has two parts:
-You can use tags to categorize resources by purpose, owner, environment, or other criteria.
-
-For information about adding tags to AWS resources, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
+You can use tags to categorize resources by purpose, owner, environment, or other criteria. For information about adding tags to AWS resources, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
@@ -28 +22 @@ For information about adding tags to AWS resources, see the [Tagging AWS Resourc
-The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you determine whether any of your AWS resources are missing tag keys. For each control that applies to this standard, you can optionally use the supported parameter to specify tag keys that you want the control to check for. If you don't specify any tag keys, the control checks only for the existence of at least one tag key and fails if the resource doesn't have any tag keys.
+For each control that applies to the AWS Resource Tagging standard in Security Hub, you can optionally use the supported parameter to specify tag keys that you want the control to check for. If you don't specify any tag keys, the control checks only for the existence of at least one tag key, and fails if a resource doesn't have any tag keys.
@@ -30 +24 @@ The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you dete
-After you enable the AWS Resource Tagging Standard, you begin receiving findings in the AWS Security Finding Format (ASFF).
+Before you enable the AWS Resource Tagging standard, it's important to first enable and configure resource recording in AWS Config. When you configure resource recording, also be sure to enable it for all the types of AWS resources that are checked by controls that apply to the standard. Otherwise, Security Hub might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard. For more information, including a list of the types of resources to record, see [Required AWS Config resources for control findings](./controls-config-resources.html).
@@ -32 +26 @@ After you enable the AWS Resource Tagging Standard, you begin receiving findings
-###### Notes
+###### Note
@@ -34 +28 @@ After you enable the AWS Resource Tagging Standard, you begin receiving findings
-If you enable the AWS Resource Tagging Standard, it can take up to 18 hours for Security Hub to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html).
+The AWS Resource Tagging standard isn't available in the Canada West (Calgary), China, and AWS GovCloud (US) Regions.
@@ -36 +30 @@ If you enable the AWS Resource Tagging Standard, it can take up to 18 hours for
-The AWS Resource Tagging Standard isn't available in the Canada West (Calgary), China, and AWS GovCloud (US) Regions.
+After you enable the AWS Resource Tagging standard, you begin receiving findings for controls that apply to the standard. Note that it can take up to 18 hours for Security Hub to generate findings for controls that use the same AWS Config service-linked rule as controls that apply to other enabled standards. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html).
@@ -38 +32 @@ The AWS Resource Tagging Standard isn't available in the Canada West (Calgary),
-This standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub:`region`::standards/aws-resource-tagging-standard/v/1.0.0`. You can also use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub API to find the ARN of an enabled standard.
+The AWS Resource Tagging standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub:`region`::standards/aws-resource-tagging-standard/v/1.0.0`. You can also use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub API to find the ARN of an enabled standard.
@@ -40 +34 @@ This standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub
-## Controls in the AWS Resource Tagging Standard
+## Controls that apply to the standard
@@ -42 +36 @@ This standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub
-The AWS Resource Tagging Standard includes the following controls. Choose a control to review a detailed description of it.
+The following list specifies which AWS Security Hub controls apply to the AWS Resource Tagging standard (v1.0.0). To review the details of a control, choose the control.
@@ -333 +327 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-PCI DSS
+AWS Foundational Security Best Practices
@@ -335 +329 @@ PCI DSS
-Service-managed standards
+CIS AWS Foundations Benchmark