AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-19 · Documentation low

File: securityhub/latest/userguide/configuration-policies-overview.md

Summary

Updated references from 'Security Hub' to 'Security Hub CSPM' throughout the document, emphasizing Cloud Security Posture Management (CSPM) integration. Adjusted terminology in policy descriptions, console references, and control behavior explanations.

Security assessment

The changes clarify the use of Security Hub's CSPM capabilities but do not address a specific security vulnerability or incident. The updates enhance documentation about existing security posture management features, reinforcing best practices without introducing new security controls or mitigating disclosed risks.

Diff

diff --git a/securityhub/latest/userguide/configuration-policies-overview.md b/securityhub/latest/userguide/configuration-policies-overview.md
index 0deb72577..caf738173 100644
--- a//securityhub/latest/userguide/configuration-policies-overview.md
+++ b//securityhub/latest/userguide/configuration-policies-overview.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html)
+[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html)
@@ -7 +7 @@ Policy considerationsTypes of configuration policiesPolicy association through a
-# How configuration policies work in Security Hub
+# How configuration policies work in Security Hub CSPM
@@ -9 +9 @@ Policy considerationsTypes of configuration policiesPolicy association through a
-The delegated AWS Security Hub administrator can create configuration policies to configure Security Hub, security standards, and security controls for an organization. After creating a configuration policy, the delegated administrator can associate it with specific accounts, organizational units (OUs), or the root. The policy then takes effect in the specified accounts, OUs, or the root.
+The delegated AWS Security Hub Cloud Security Posture Management (CSPM) administrator can create configuration policies to configure Security Hub CSPM, security standards, and security controls for an organization. After creating a configuration policy, the delegated administrator can associate it with specific accounts, organizational units (OUs), or the root. The policy then takes effect in the specified accounts, OUs, or the root.
@@ -11 +11 @@ The delegated AWS Security Hub administrator can create configuration policies t
-For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub](./central-configuration-intro.html).
+For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](./central-configuration-intro.html).
@@ -17 +17 @@ This section provides a detailed overview of configuration policies.
-Before you create a configuration policy in Security Hub, consider the following details.
+Before you create a configuration policy in Security Hub CSPM, consider the following details.
@@ -27 +27 @@ Before you create a configuration policy in Security Hub, consider the following
-  * **Configuration policies take effect in your home Region and all linked Regions** – A configuration policy affects all associated accounts in the home Region and all linked Regions. You can't create a configuration policy that takes effect in only some of these Regions and not others. The exception to this is [controls that use global resources](./controls-to-disable.html#controls-to-disable-global-resources). Security Hub automatically disables controls that involve global resources in all Regions except the home Region.
+  * **Configuration policies take effect in your home Region and all linked Regions** – A configuration policy affects all associated accounts in the home Region and all linked Regions. You can't create a configuration policy that takes effect in only some of these Regions and not others. The exception to this is [controls that use global resources](./controls-to-disable.html#controls-to-disable-global-resources). Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region.
@@ -31 +31 @@ Regions that AWS introduced on or after March 20, 2019 are known as opt-in Regio
-If your policy configures a control that isn't available in the home Region or one or more linked Regions, Security Hub skips the control configuration in unavailable Regions but applies the configuration in Regions where the control is available. You lack coverage for a control that isn't available in the home Region or any of the linked Regions.
+If your policy configures a control that isn't available in the home Region or one or more linked Regions, Security Hub CSPM skips the control configuration in unavailable Regions but applies the configuration in Regions where the control is available. You lack coverage for a control that isn't available in the home Region or any of the linked Regions.
@@ -42 +42 @@ Each configuration policy specifies the following settings:
-  * Enable or disable Security Hub.
+  * Enable or disable Security Hub CSPM.
@@ -46 +46 @@ Each configuration policy specifies the following settings:
-  * Indicate which [security controls](./securityhub-controls-reference.html) are enabled across enabled standards. You can do this by providing a list of specific controls that should be enabled, and Security Hub disables all other controls, including new controls when they are released. Alternatively, you can provide a list of specific controls that should be disabled, and Security Hub enables all other controls, including new controls when they are released.
+  * Indicate which [security controls](./securityhub-controls-reference.html) are enabled across enabled standards. You can do this by providing a list of specific controls that should be enabled, and Security Hub CSPM disables all other controls, including new controls when they are released. Alternatively, you can provide a list of specific controls that should be disabled, and Security Hub CSPM enables all other controls, including new controls when they are released.
@@ -53 +53 @@ Each configuration policy specifies the following settings:
-Central configuration policies don't include AWS Config recorder settings. You must separately enable AWS Config and turn on recording for required resources in order for Security Hub to generate control findings. For more information, see [Considerations before enabling and configuring AWS Config](./securityhub-setup-prereqs.html#securityhub-prereq-config).
+Central configuration policies don't include AWS Config recorder settings. You must separately enable AWS Config and turn on recording for required resources in order for Security Hub CSPM to generate control findings. For more information, see [Considerations before enabling and configuring AWS Config](./securityhub-setup-prereqs.html#securityhub-prereq-config).
@@ -55 +55 @@ Central configuration policies don't include AWS Config recorder settings. You m
-If you use central configuration, Security Hub automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable though a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your AWS Config recorder settings and turn off global resource recording in all Regions except the home Region.
+If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable though a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your AWS Config recorder settings and turn off global resource recording in all Regions except the home Region.
@@ -57 +57 @@ If you use central configuration, Security Hub automatically disables controls t
-If an enabled control that involves global resources isn't supported in the home Region, Security Hub tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.
+If an enabled control that involves global resources isn't supported in the home Region, Security Hub CSPM tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.
@@ -63 +63 @@ For a list of controls that involve global resources, see [Controls that use glo
-When creating a configuration policy for the _first time in the Security Hub console_ , you have the option to choose the Security Hub recommended policy.
+When creating a configuration policy for the _first time in the Security Hub CSPM console_ , you have the option to choose the Security Hub CSPM recommended policy.
@@ -65 +65 @@ When creating a configuration policy for the _first time in the Security Hub con
-The recommended policy enables Security Hub, the AWS Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls. Controls that accept parameters use the default values. The recommended policy applies to root (all accounts and OUs, both new and existing). After creating the recommended policy for your organization, you can modify it from the delegated administrator account. For example, you can enable additional standards or controls or disable specific FSBP controls. For instructions on modifying a configuration policy, see [Updating configuration policies](./update-policy.html).
+The recommended policy enables Security Hub CSPM, the AWS Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls. Controls that accept parameters use the default values. The recommended policy applies to root (all accounts and OUs, both new and existing). After creating the recommended policy for your organization, you can modify it from the delegated administrator account. For example, you can enable additional standards or controls or disable specific FSBP controls. For instructions on modifying a configuration policy, see [Updating configuration policies](./update-policy.html).
@@ -73 +73 @@ Instead of the recommended policy, the delegated administrator can create up to
-You can't associate a configuration policy that disables Security Hub with the delegated administrator account. Such a policy can be associated with other accounts but skips association with the delegated administrator. The delegated administrator account retains its current configuration.
+You can't associate a configuration policy that disables Security Hub CSPM with the delegated administrator account. Such a policy can be associated with other accounts but skips association with the delegated administrator. The delegated administrator account retains its current configuration.
@@ -75 +75 @@ You can't associate a configuration policy that disables Security Hub with the d
-After creating a custom configuration policy, you can switch to the recommended configuration policy by updating your configuration policy to reflect the recommended configuration. However, you don't see the choice to create the recommended configuration policy in the Security Hub console after your first policy is created.
+After creating a custom configuration policy, you can switch to the recommended configuration policy by updating your configuration policy to reflect the recommended configuration. However, you don't see the choice to create the recommended configuration policy in the Security Hub CSPM console after your first policy is created.
@@ -95 +95 @@ The following diagram illustrates how policy application and inheritance work in
-![Applying and inheriting Security Hub configuration policies](/images/securityhub/latest/userguide/images/sechub-diagram-central-configuration-association.png)
+![Applying and inheriting Security Hub CSPM configuration policies](/images/securityhub/latest/userguide/images/sechub-diagram-central-configuration-association.png)
@@ -128 +128 @@ To make sure you understand how configuration policies work, we recommend creati
-  1. Create a custom configuration policy, and verify that the specified settings for Security Hub enablement, standards, and controls are correct. For instructions, see [Creating and associating configuration policies](./create-associate-policy.html).
+  1. Create a custom configuration policy, and verify that the specified settings for Security Hub CSPM enablement, standards, and controls are correct. For instructions, see [Creating and associating configuration policies](./create-associate-policy.html).