AWS securityhub documentation change
Summary
Updated documentation about consolidated control findings behavior, including clarifications about organizational account management and central configuration limitations. Changed wording from 'in your account' to 'for your account' and 'may' to 'might' in multiple places.
Security assessment
The changes primarily clarify existing functionality of consolidated control findings and account management relationships. No specific security vulnerabilities or incidents are mentioned. The update about central configuration limitations is operational guidance rather than security remediation.
Diff
diff --git a/securityhub/latest/userguide/controls-findings-create-update.md b/securityhub/latest/userguide/controls-findings-create-update.md index 3531db336..c871ff461 100644 --- a//securityhub/latest/userguide/controls-findings-create-update.md +++ b//securityhub/latest/userguide/controls-findings-create-update.md @@ -17 +17 @@ For example, the AWS Config rule `iam-password-policy` is used by multiple contr -If consolidated control findings is enabled in your account, Security Hub generates a single new finding or finding update for each security check of a control, even if a control applies to multiple enabled standards. To see a list of controls and the standards they apply to, see [Security Hub controls reference](./securityhub-controls-reference.html). We recommend enabling consolidated control findings to reduce finding noise. +If consolidated control findings is enabled for your account, Security Hub generates a single new finding or finding update for each security check of a control, even if a control applies to multiple enabled standards. For a list of controls and the standards that they apply to, see the [Security Hub controls reference](./securityhub-controls-reference.html). We recommend enabling consolidated control findings to reduce finding noise. @@ -19 +19 @@ If consolidated control findings is enabled in your account, Security Hub genera -If you enabled Security Hub for an AWS account before February 23, 2023, you can enable consolidated control findings by following the instructions later in this section. If you enable Security Hub on or after February 23, 2023, consolidated control findings is automatically enabled in your account. However, if you use the [Security Hub integration with AWS Organizations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) or invited member accounts through a [manual invitation process](https://docs.aws.amazon.com/securityhub/latest/userguide/account-management-manual.html), consolidated control findings is enabled in member accounts only if it's enabled in the administrator account. If the feature is disabled in the administrator account, it's disabled in member accounts. This behavior applies to new and existing member accounts. +If you enabled Security Hub for an AWS account before February 23, 2023, you can enable consolidated control findings by following the instructions later in this section. If you enable Security Hub on or after February 23, 2023, consolidated control findings is automatically enabled for your account. @@ -21 +21 @@ If you enabled Security Hub for an AWS account before February 23, 2023, you can -If you disable consolidated control findings in your account, Security Hub generates a separate finding per security check for each enabled standard that includes a control. For example, if four enabled standards share a control with the same underlying AWS Config rule, you receive four separate findings after a security check of the control. If you enable consolidated control findings, you receive only one finding. +However, if you use the [Security Hub integration with AWS Organizations](./securityhub-accounts-orgs.html) or invited member accounts through a [manual invitation process](./account-management-manual.html), consolidated control findings is enabled for member accounts only if it's enabled for the administrator account. If the feature is disabled for the administrator account, it's disabled for member accounts. This behavior applies to new and existing member accounts. If the administrator uses [central configuration](./central-configuration-intro.html) to manage Security Hub for multiple accounts, they cannot use central configuration policies to enable or disable consolidated control findings for the accounts. @@ -23 +23 @@ If you disable consolidated control findings in your account, Security Hub gener -When you enable consolidated control findings, Security Hub creates new standard-agnostic findings and archives the original standard-based findings. Some control finding fields and values will change and may impact existing workflows. For more information about these changes, see [Consolidated control findings – ASFF changes](./asff-changes-consolidation.html#securityhub-findings-format-consolidated-control-findings). +If you disable consolidated control findings for your account, Security Hub generates a separate finding per security check for each enabled standard that includes a control. For example, if four enabled standards share a control with the same underlying AWS Config rule, you receive four separate findings after a security check of the control. If you enable consolidated control findings, you receive only one finding. @@ -25 +25,3 @@ When you enable consolidated control findings, Security Hub creates new standard -Turning on consolidated control findings may also affect findings that integrated third-party products receive from Security Hub. [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) supports consolidated control findings. +When you enable consolidated control findings, Security Hub creates new standard-agnostic findings and archives the original standard-based findings. Some control finding fields and values will change, which might impact existing workflows. For information about these changes, see [Consolidated control findings – ASFF changes](./asff-changes-consolidation.html#securityhub-findings-format-consolidated-control-findings). + +Turning on consolidated control findings might also affect findings that integrated third-party products receive from Security Hub. [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) supports consolidated control findings. @@ -31 +33 @@ To enable or disable consolidated control findings, you must be signed in to an -After enabling consolidated control findings, it may take up to 24 hours for Security Hub for generate new, consolidated findings and archive the original, standard-based findings. Similarly, after disabling consolidated control findings, it may take up to 24 hours for Security Hub for generate new, standard-based findings and archive the consolidated findings. During these times, you may see a mix of standard-agnostic and standard-based findings in your account. +After enabling consolidated control findings, it can take up to 24 hours for Security Hub for generate new, consolidated findings and archive the original, standard-based findings. Similarly, after disabling consolidated control findings, it can take up to 24 hours for Security Hub to generate new, standard-based findings and archive the consolidated findings. During these times, you might see a mix of standard-agnostic and standard-based findings in your account.