AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-19 · Documentation low

File: securityhub/latest/userguide/controls-config-resources.md

Summary

Updated documentation to reflect Security Hub Cloud Security Posture Management (CSPM) terminology and references throughout the document. Changed 'Security Hub controls' to 'Security Hub CSPM controls' in multiple sections and updated links.

Security assessment

The changes introduce CSPM (Cloud Security Posture Management) terminology, which is a security-focused service. However, there is no evidence of addressing a specific vulnerability or security incident - this appears to be branding/documentation consistency updates for Security Hub's CSPM features. The updates clarify requirements for security posture management but don't disclose or fix vulnerabilities.

Diff

diff --git a/securityhub/latest/userguide/controls-config-resources.md b/securityhub/latest/userguide/controls-config-resources.md
index f87d4d08e..16dec72ce 100644
--- a//securityhub/latest/userguide/controls-config-resources.md
+++ b//securityhub/latest/userguide/controls-config-resources.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html)
+[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html)
@@ -5 +5 @@
-Required resources for all Security Hub controlsRequired resources for the AWS Foundational Security Best Practices standardRequired resources for the CIS AWS Foundations BenchmarkRequired resources for the NIST SP 800-53 Revision 5 standardRequired resources for the NIST SP 800-171 Revision 2 standardRequired resources for PCI DSS v3.2.1Required resources for the AWS Resource Tagging standardRequired resources for the AWS Control Tower service-managed standard
+Required resources for all Security Hub CSPM controlsRequired resources for the AWS Foundational Security Best Practices standardRequired resources for the CIS AWS Foundations BenchmarkRequired resources for the NIST SP 800-53 Revision 5 standardRequired resources for the NIST SP 800-171 Revision 2 standardRequired resources for PCI DSS v3.2.1Required resources for the AWS Resource Tagging standardRequired resources for the AWS Control Tower service-managed standard
@@ -7 +7 @@ Required resources for all Security Hub controlsRequired resources for the AWS F
-# Required AWS Config resources for Security Hub control findings
+# Required AWS Config resources for control findings
@@ -9 +9 @@ Required resources for all Security Hub controlsRequired resources for the AWS F
-Some AWS Security Hub controls use service-linked AWS Config rules that detect configuration changes in your AWS resources. For Security Hub to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For information about how Security Hub uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub](./securityhub-setup-prereqs.html). For detailed information about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_.
+In AWS Security Hub Cloud Security Posture Management (CSPM), some controls use service-linked AWS Config rules that detect configuration changes in your AWS resources. For Security Hub CSPM to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For information about how Security Hub CSPM uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](./securityhub-setup-prereqs.html). For detailed information about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_.
@@ -11 +11 @@ Some AWS Security Hub controls use service-linked AWS Config rules that detect c
-To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls with a _change triggered_ schedule type. Some controls with a _periodic_ schedule type also require resource recording. This page lists the required resources for these Security Hub controls.
+To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls with a _change triggered_ schedule type. Some controls with a _periodic_ schedule type also require resource recording. This page lists the required resources for these Security Hub CSPM controls.
@@ -13 +13 @@ To receive accurate control findings, you must turn on AWS Config resource recor
-Security Hub controls can rely on managed AWS Config rules or custom Security Hub rules. Make sure there aren't any AWS Identity and Access Management (IAM) policies or AWS Organizations managed policies that prevent AWS Config from having permission to record your resources. Security Hub controls evaluate resource configurations directly and don’t take AWS Organizations policies into account.
+Security Hub CSPM controls can rely on managed AWS Config rules or custom Security Hub CSPM rules. Make sure there aren't any AWS Identity and Access Management (IAM) policies or AWS Organizations managed policies that prevent AWS Config from having permission to record your resources. Security Hub CSPM controls evaluate resource configurations directly and don’t take AWS Organizations policies into account.
@@ -17 +17 @@ Security Hub controls can rely on managed AWS Config rules or custom Security Hu
-In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of these limits, see [Regional limits on Security Hub controls](./regions-controls.html).
+In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of these limits, see [Regional limits on Security Hub CSPM controls](./regions-controls.html).
@@ -21 +21 @@ In AWS Regions where a control isn't available, the corresponding resource isn't
-  * Required resources for all Security Hub controls
+  * Required resources for all Security Hub CSPM controls
@@ -40 +40 @@ In AWS Regions where a control isn't available, the corresponding resource isn't
-## Required resources for all Security Hub controls
+## Required resources for all Security Hub CSPM controls
@@ -42 +42 @@ In AWS Regions where a control isn't available, the corresponding resource isn't
-For Security Hub to generate findings for change triggered controls that are enabled and use an AWS Config rule, you must record the following types of resources in AWS Config. This table also indicates which controls evaluate a particular type of resource. A single control might evaluate more than one type of resource.
+For Security Hub CSPM to generate findings for change triggered controls that are enabled and use an AWS Config rule, you must record the following types of resources in AWS Config. This table also indicates which controls evaluate a particular type of resource. A single control might evaluate more than one type of resource.
@@ -242 +242 @@ Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` |  WorkSpaces.1 WorkSpaces.2
-For Security Hub to accurately report findings for change triggered controls that apply to the AWS Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub](./fsbp-standard.html).
+For Security Hub CSPM to accurately report findings for change triggered controls that apply to the AWS Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub CSPM](./fsbp-standard.html).
@@ -293 +293 @@ Amazon WorkSpaces |  `AWS::WorkSpaces::WorkSpace`
-To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub either runs through the exact audit steps prescribed for the checks or uses specific AWS Config managed rules. For information about this standard in Security Hub, see [CIS AWS Foundations Benchmark in Security Hub](./cis-aws-foundations-benchmark.html).
+To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub CSPM either runs through the exact audit steps prescribed for the checks or uses specific AWS Config managed rules. For information about this standard in Security Hub CSPM, see [CIS AWS Foundations Benchmark in Security Hub CSPM](./cis-aws-foundations-benchmark.html).
@@ -297 +297 @@ To run security checks for enabled controls that apply to the Center for Interne
-For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
+For Security Hub CSPM to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
@@ -308 +308 @@ Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::Bucket`
-For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
+For Security Hub CSPM to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
@@ -319 +319 @@ Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::Bucket`
-For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
+For Security Hub CSPM to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
@@ -328 +328 @@ AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy`, `AWS::IAM::User`
-For Security Hub to accurately report findings for change triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub](./standards-reference-nist-800-53.html).
+For Security Hub CSPM to accurately report findings for change triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub CSPM](./standards-reference-nist-800-53.html).
@@ -377 +377 @@ AWS WAF |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WA
-For Security Hub to accurately report findings for change triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub](./standards-reference-nist-800-171.html).
+For Security Hub CSPM to accurately report findings for change triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub CSPM](./standards-reference-nist-800-171.html).
@@ -397 +397 @@ AWS WAF | `AWS::WAFv2::RuleGroup`
-For Security Hub to accurately report findings for controls that apply to v3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [PCI DSS in Security Hub](./pci-standard.html).
+For Security Hub CSPM to accurately report findings for controls that apply to v3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [PCI DSS in Security Hub CSPM](./pci-standard.html).
@@ -414 +414 @@ Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SS
-All the controls that apply to the AWS Resource Tagging standard are change triggered and use an AWS Config rule. For Security Hub to accurately report findings for these controls, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Resource Tagging standard in Security Hub](./standards-tagging.html).
+All the controls that apply to the AWS Resource Tagging standard are change triggered and use an AWS Config rule. For Security Hub CSPM to accurately report findings for these controls, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Resource Tagging standard in Security Hub CSPM](./standards-tagging.html).
@@ -479 +479 @@ AWS Transfer Family |  `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`,
-For Security Hub to accurately report findings for change triggered controls that apply to the AWS Control Tower service-managed standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html).
+For Security Hub CSPM to accurately report findings for change triggered controls that apply to the AWS Control Tower service-managed standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html).