AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-06-07 · Security-related medium

File: securityhub/latest/userguide/documentdb-controls.md

Summary

Modified TLS parameter order and control failure conditions for Amazon DocumentDB clusters.

Security assessment

The control now fails if TLS is set to 'disabled' **or** 'enabled', which appears contradictory. However, this likely corrects a misconfiguration in parameter validation (e.g., ensuring TLS is enforced by checking for `disabled`). This directly impacts secure communication settings.

Diff

diff --git a/securityhub/latest/userguide/documentdb-controls.md b/securityhub/latest/userguide/documentdb-controls.md
index 45784c6e5..03793f0c7 100644
--- a//securityhub/latest/userguide/documentdb-controls.md
+++ b//securityhub/latest/userguide/documentdb-controls.md
@@ -151 +151 @@ To enable deletion protection for an existing Amazon DocumentDB cluster, see [Mo
-**Parameters:** `excludeTlsParameters`: `enabled`, `disabled` (not customizable)
+**Parameters:** `excludeTlsParameters`: `disabled`, `enabled` (not customizable)
@@ -153 +153 @@ To enable deletion protection for an existing Amazon DocumentDB cluster, see [Mo
-This controls checks whether an Amazon DocumentDB cluster requires TLS for connections to the cluster. The control fails if the cluster parameter group associated with the cluster is not in sync, or the TLS cluster parameter in the group is set to `disabled`.
+This controls checks whether an Amazon DocumentDB cluster requires TLS for connections to the cluster. The control fails if the cluster parameter group associated with the cluster is not in sync, or the TLS cluster parameter is set to `disabled` or `enabled`.