AWS securityhub documentation change
Summary
Updated documentation to consistently reference 'Security Hub CSPM' instead of 'Security Hub' throughout, emphasizing Cloud Security Posture Management capabilities in central configuration
Security assessment
The changes clarify Security Hub's CSPM (Cloud Security Posture Management) capabilities for centralized security configuration management, but do not address any specific vulnerability or security incident. The updates enhance documentation about existing security features rather than patching weaknesses.
Diff
diff --git a/securityhub/latest/userguide/central-configuration-intro.md b/securityhub/latest/userguide/central-configuration-intro.md index 98c953ee4..b50a0e277 100644 --- a//securityhub/latest/userguide/central-configuration-intro.md +++ b//securityhub/latest/userguide/central-configuration-intro.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html) +[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html) @@ -7 +7 @@ Benefits of using central configurationWhen to use central configuration?Central -# Understanding central configuration in Security Hub +# Understanding central configuration in Security Hub CSPM @@ -9 +9 @@ Benefits of using central configurationWhen to use central configuration?Central -Central configuration is an AWS Security Hub feature that helps you set up and manage Security Hub across multiple AWS accounts and AWS Regions. To use central configuration, you must first integrate Security Hub and AWS Organizations. You can integrate the services by creating an organization and designating a delegated Security Hub administrator account for the organization. +Central configuration is an AWS Security Hub Cloud Security Posture Management (CSPM) feature that helps you set up and manage Security Hub CSPM across multiple AWS accounts and AWS Regions. To use central configuration, you must first integrate Security Hub CSPM and AWS Organizations. You can integrate the services by creating an organization and designating a delegated Security Hub CSPM administrator account for the organization. @@ -11 +11 @@ Central configuration is an AWS Security Hub feature that helps you set up and m -From the delegated Security Hub administrator account, you can enable Security Hub for your organization’s accounts and organizational units (OUs) across Regions. You can also enable, configure, and disable individual security standards and security controls for accounts and OUs across Regions. You can configure these settings in just a few steps from one primary Region, referred to as the _home Region_. +From the delegated Security Hub CSPM administrator account, you can enable Security Hub CSPM for your organization’s accounts and organizational units (OUs) across Regions. You can also enable, configure, and disable individual security standards and security controls for accounts and OUs across Regions. You can configure these settings in just a few steps from one primary Region, referred to as the _home Region_. @@ -15 +15 @@ When you use central configuration, the delegated administrator can choose which -To configure centrally managed accounts, the delegated administrator uses Security Hub configuration policies. Configuration policies let the delegated administrator specify whether Security Hub is enabled or disabled, and which standards and controls are enabled or disabled. They can also be used to customize parameters for certain controls. +To configure centrally managed accounts, the delegated administrator uses Security Hub CSPM configuration policies. Configuration policies let the delegated administrator specify whether Security Hub CSPM is enabled or disabled, and which standards and controls are enabled or disabled. They can also be used to customize parameters for certain controls. @@ -21 +21 @@ Configuration policies take effect in the home Region and all linked Regions. Th -If you don't use central configuration, you must largely configure Security Hub separately in each account and Region. This is called _local configuration_. Under local configuration, the delegated administrator can automatically enable Security Hub and a limited set of security standards in new organization accounts in the current Region. Local configuration doesn't apply to existing organization accounts or to Regions other than the current Region. Local configuration also doesn't support the use of configuration policies. +If you don't use central configuration, you must largely configure Security Hub CSPM separately in each account and Region. This is called _local configuration_. Under local configuration, the delegated administrator can automatically enable Security Hub CSPM and a limited set of security standards in new organization accounts in the current Region. Local configuration doesn't apply to existing organization accounts or to Regions other than the current Region. Local configuration also doesn't support the use of configuration policies. @@ -29 +29 @@ Benefits of central configuration include the following: -**Simplify configuration of the Security Hub service and capabilities** +**Simplify configuration of the Security Hub CSPM service and capabilities** @@ -32 +32 @@ Benefits of central configuration include the following: -When you use central configuration, Security Hub guides you through the process of configuring security best practices for your organization. It also deploys the resulting configuration policies to specified accounts and OUs automatically. If you have existing Security Hub settings, such as automatically enabling new security controls, you can use those as a starting point for your configuration policies. In addition, the **Configuration** page on the Security Hub console displays a real-time summary of your configuration policies and which accounts and OUs use each policy. +When you use central configuration, Security Hub CSPM guides you through the process of configuring security best practices for your organization. It also deploys the resulting configuration policies to specified accounts and OUs automatically. If you have existing Security Hub CSPM settings, such as automatically enabling new security controls, you can use those as a starting point for your configuration policies. In addition, the **Configuration** page on the Security Hub CSPM console displays a real-time summary of your configuration policies and which accounts and OUs use each policy. @@ -37 +37 @@ When you use central configuration, Security Hub guides you through the process -You can use central configuration to configure Security Hub across multiple accounts and Regions. This helps ensure that each part of your organization maintains a consistent configuration and adequate security coverage. +You can use central configuration to configure Security Hub CSPM across multiple accounts and Regions. This helps ensure that each part of your organization maintains a consistent configuration and adequate security coverage. @@ -51 +51 @@ Configuration drift occurs when a user makes a change to a service or feature th -Central configuration is most beneficial for AWS environments that include multiple Security Hub accounts. It's designed to help you centrally manage Security Hub for multiple accounts. +Central configuration is most beneficial for AWS environments that include multiple Security Hub CSPM accounts. It's designed to help you centrally manage Security Hub CSPM for multiple accounts. @@ -53 +53 @@ Central configuration is most beneficial for AWS environments that include multi -You can use central configuration to configure the Security Hub service, security standards, and security controls. You can also use it to customize parameters of certain controls. For more information about security standards, see [Understanding security standards in Security Hub](./standards-view-manage.html). For more information about security controls, see [Understanding security controls in Security Hub](./controls-view-manage.html). +You can use central configuration to configure the Security Hub CSPM service, security standards, and security controls. You can also use it to customize parameters of certain controls. For more information about security standards, see [Understanding security standards in Security Hub CSPM](./standards-view-manage.html). For more information about security controls, see [Understanding security controls in Security Hub CSPM](./controls-view-manage.html). @@ -57 +57 @@ You can use central configuration to configure the Security Hub service, securit -Understanding the following key terms and concepts can help you use Security Hub central configuration. +Understanding the following key terms and concepts can help you use Security Hub CSPM central configuration. @@ -62 +62 @@ Understanding the following key terms and concepts can help you use Security Hub -A Security Hub feature that helps the delegated Security Hub administrator account for an organization configure the Security Hub service, security standards, and security controls across multiple accounts and Regions. To configure these settings, the delegated administrator creates and manages Security Hub configuration policies for centrally managed accounts in their organization. Self-managed accounts can configure their own settings separately in each Region. To use central configuration, you must integrate Security Hub and AWS Organizations. +A Security Hub CSPM feature that helps the delegated Security Hub CSPM administrator account for an organization configure the Security Hub CSPM service, security standards, and security controls across multiple accounts and Regions. To configure these settings, the delegated administrator creates and manages Security Hub CSPM configuration policies for centrally managed accounts in their organization. Self-managed accounts can configure their own settings separately in each Region. To use central configuration, you must integrate Security Hub CSPM and AWS Organizations. @@ -67 +67 @@ A Security Hub feature that helps the delegated Security Hub administrator accou -The AWS Region from which the delegated administrator centrally configures Security Hub, by creating and managing configuration policies. Configuration policies take effect in the home Region and all linked Regions. +The AWS Region from which the delegated administrator centrally configures Security Hub CSPM, by creating and managing configuration policies. Configuration policies take effect in the home Region and all linked Regions. @@ -69 +69 @@ The AWS Region from which the delegated administrator centrally configures Secur -The home Region also serves as the Security Hub aggregation Region, receiving findings, insights, and other data from linked Regions. +The home Region also serves as the Security Hub CSPM aggregation Region, receiving findings, insights, and other data from linked Regions. @@ -87 +87 @@ An AWS account, organizational unit (OU), or the organization root. -**Security Hub configuration policy** +**Security Hub CSPM configuration policy** @@ -90 +90 @@ An AWS account, organizational unit (OU), or the organization root. -A collection of Security Hub settings that the delegated administrator can configure for centrally managed targets. This includes: +A collection of Security Hub CSPM settings that the delegated administrator can configure for centrally managed targets. This includes: @@ -92 +92 @@ A collection of Security Hub settings that the delegated administrator can confi - * Whether to enable or disable Security Hub. + * Whether to enable or disable Security Hub CSPM. @@ -96 +96 @@ A collection of Security Hub settings that the delegated administrator can confi - * Which [security controls](./securityhub-controls-reference.html) to enable across the enabled standards. The delegated administrator can do this by providing a list of specific controls that should be enabled, and Security Hub disables all other controls (including new controls when they are released). Alternatively, the delegated administrator can provide a list of specific controls that should be disabled, and Security Hub enables all other controls (including new controls when they are released). + * Which [security controls](./securityhub-controls-reference.html) to enable across the enabled standards. The delegated administrator can do this by providing a list of specific controls that should be enabled, and Security Hub CSPM disables all other controls (including new controls when they are released). Alternatively, the delegated administrator can provide a list of specific controls that should be disabled, and Security Hub CSPM enables all other controls (including new controls when they are released). @@ -105 +105 @@ A configuration policy takes effect in the home Region and all linked Regions af -On the Security Hub console, the delegated administrator can choose the Security Hub recommended configuration policy or create custom configuration policies. With the Security Hub API and AWS CLI, the delegated administrator can only create custom configuration policies. The delegated administrator can create a maximum of 20 custom configuration policies. +On the Security Hub CSPM console, the delegated administrator can choose the Security Hub CSPM recommended configuration policy or create custom configuration policies. With the Security Hub CSPM API and AWS CLI, the delegated administrator can only create custom configuration policies. The delegated administrator can create a maximum of 20 custom configuration policies. @@ -107 +107 @@ On the Security Hub console, the delegated administrator can choose the Security -In the recommended configuration policy, Security Hub, the AWS Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls are enabled. Controls that accept parameters use the default values. The recommended configuration policy applies to the entire organization. +In the recommended configuration policy, Security Hub CSPM, the AWS Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls are enabled. Controls that accept parameters use the default values. The recommended configuration policy applies to the entire organization. @@ -114 +114 @@ To apply different settings to the organization, or apply different configuratio -The default configuration type for an organization, after integrating Security Hub and AWS Organizations. With local configuration, the delegated administrator can choose to automatically enable Security Hub and [default security standards](./securityhub-auto-enabled-standards.html) in _new_ organization accounts in the current Region. If the delegated administrator automatically enables default standards, all controls that are part of these standards are also automatically enabled with default parameters for new organization accounts. These settings don't apply to existing accounts, so configuration drift is possible after an account joins the organization. Disabling specific controls that are part of the default standards, and configuring additional standards and controls, must be done separately in each account and Region. +The default configuration type for an organization, after integrating Security Hub CSPM and AWS Organizations. With local configuration, the delegated administrator can choose to automatically enable Security Hub CSPM and [default security standards](./securityhub-auto-enabled-standards.html) in _new_ organization accounts in the current Region. If the delegated administrator automatically enables default standards, all controls that are part of these standards are also automatically enabled with default parameters for new organization accounts. These settings don't apply to existing accounts, so configuration drift is possible after an account joins the organization. Disabling specific controls that are part of the default standards, and configuring additional standards and controls, must be done separately in each account and Region. @@ -121 +121 @@ Local configuration doesn't support the use of configuration policies. To use co -If you don't integrate Security Hub with AWS Organizations or you have a standalone account, you must specify settings for each account separately in each Region. Manual account management doesn't support the use of configuration policies. +If you don't integrate Security Hub CSPM with AWS Organizations or you have a standalone account, you must specify settings for each account separately in each Region. Manual account management doesn't support the use of configuration policies. @@ -126 +126 @@ If you don't integrate Security Hub with AWS Organizations or you have a standal -Security Hub operations that only the Security Hub delegated Security Hub administrator can use in the home Region to manage configuration policies for centrally managed accounts. The operations include: +Security Hub CSPM operations that only the Security Hub CSPM delegated Security Hub CSPM administrator can use in the home Region to manage configuration policies for centrally managed accounts. The operations include: @@ -154 +154 @@ Security Hub operations that only the Security Hub delegated Security Hub admini -Security Hub operations that can be used to enable or disable Security Hub, standards, and controls on an account-by-account basis. These operations are used in each individual Region. +Security Hub CSPM operations that can be used to enable or disable Security Hub CSPM, standards, and controls on an account-by-account basis. These operations are used in each individual Region. @@ -173 +173 @@ Self-managed accounts can use account-specific operations to configure their own -To check account status, the owner of a centrally managed account _can_ use any `Get` or `Describe` operations of the Security Hub API. +To check account status, the owner of a centrally managed account _can_ use any `Get` or `Describe` operations of the Security Hub CSPM API. @@ -182 +182 @@ Self-managed accounts can also use `*Invitations` and `*Members` operations. How -In AWS Organizations and Security Hub, a container for a group of AWS accounts. An organizational unit (OU) also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a parent OU at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. An OU can have exactly one parent, and each organization account can be a member of exactly one OU. +In AWS Organizations and Security Hub CSPM, a container for a group of AWS accounts. An organizational unit (OU) also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a parent OU at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. An OU can have exactly one parent, and each organization account can be a member of exactly one OU. @@ -198 +198 @@ The delegated administrator account specifies whether a target is centrally mana -A target that manages its own Security Hub settings. A self-managed target uses account-specific operations to configure Security Hub for itself separately in each Region. This is in contrast to centrally managed targets, which are configurable only by the delegated administrator across Regions through configuration policies. +A target that manages its own Security Hub CSPM settings. A self-managed target uses account-specific operations to configure Security Hub CSPM for itself separately in each Region. This is in contrast to centrally managed targets, which are configurable only by the delegated administrator across Regions through configuration policies. @@ -235 +235 @@ Inheritance can't override an applied configuration. That is, if a configuration -In AWS Organizations and Security Hub, the top-level parent node in an organization. If the delegated administrator applies a configuration policy to root, the policy is associated with all accounts and OUs in the organization unless they use a different policy, through application or inheritance, or are designated as self-managed. If the administrator designates the root as self-managed, all accounts and OUs in the organization are self-managed unless they use a configuration policy through application or inheritance. If the root is self-managed and no configuration policies currently exist, all new accounts in the organization retain their current settings. +In AWS Organizations and Security Hub CSPM, the top-level parent node in an organization. If the delegated administrator applies a configuration policy to root, the policy is associated with all accounts and OUs in the organization unless they use a different policy, through application or inheritance, or are designated as self-managed. If the administrator designates the root as self-managed, all accounts and OUs in the organization are self-managed unless they use a configuration policy through application or inheritance. If the root is self-managed and no configuration policies currently exist, all new accounts in the organization retain their current settings.