AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-19 · Documentation low

File: securityhub/latest/userguide/controls-overall-status.md

Summary

Updated documentation to reflect rebranding of Security Hub CSPM features, including console references and terminology changes from 'Security Hub' to 'Security Hub CSPM'. Added specificity about Cloud Security Posture Management (CSPM) context for control status evaluation.

Security assessment

Changes focus on branding and clarifying CSPM-specific functionality rather than addressing vulnerabilities. The updates document existing security posture management features but don't indicate fixes for security issues.

Diff

diff --git a/securityhub/latest/userguide/controls-overall-status.md b/securityhub/latest/userguide/controls-overall-status.md
index 75d7d7a2b..284e74e3d 100644
--- a//securityhub/latest/userguide/controls-overall-status.md
+++ b//securityhub/latest/userguide/controls-overall-status.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html)
+[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html)
@@ -5 +5 @@
-Evaluating the compliance status of Security Hub findingsDeriving control status from compliance status
+Evaluating the compliance status of Security Hub CSPM findingsDeriving control status from compliance status
@@ -7 +7 @@ Evaluating the compliance status of Security Hub findingsDeriving control status
-# Evaluating compliance status and control status in Security Hub
+# Evaluating compliance status and control status
@@ -9 +9 @@ Evaluating the compliance status of Security Hub findingsDeriving control status
-The `Compliance.Status` field of the AWS Security Finding Format describes the result of a control finding. Security Hub uses the compliance status of control findings to determine an overall control status. The control status is displayed on the details page of a control on the Security Hub console.
+The `Compliance.Status` field of the AWS Security Finding Format describes the result of a control finding. AWS Security Hub Cloud Security Posture Management (CSPM) uses the compliance status of control findings to determine an overall control status. The control status is displayed on the details page of a control on the Security Hub CSPM console.
@@ -11 +11 @@ The `Compliance.Status` field of the AWS Security Finding Format describes the r
-## Evaluating the compliance status of Security Hub findings
+## Evaluating the compliance status of Security Hub CSPM findings
@@ -15 +15 @@ The compliance status for each finding is assigned one of the following values:
-  * `PASSED` – Indicates that the control passed the security check for the finding. This automatically sets the Security Hub `Workflow.Status` to `RESOLVED`.
+  * `PASSED` – Indicates that the control passed the security check for the finding. This automatically sets the Security Hub CSPM `Workflow.Status` to `RESOLVED`.
@@ -19 +19 @@ The compliance status for each finding is assigned one of the following values:
-  * `WARNING` – Indicates that Security Hub can't determine whether the resource is in a `PASSED` or `FAILED` state. For example, [AWS Config resource recording](./securityhub-setup-prereqs.html#config-resource-recording) isn't turned on for the corresponding resource type.
+  * `WARNING` – Indicates that Security Hub CSPM can't determine whether the resource is in a `PASSED` or `FAILED` state. For example, [AWS Config resource recording](./securityhub-setup-prereqs.html#config-resource-recording) isn't turned on for the corresponding resource type.
@@ -21 +21 @@ The compliance status for each finding is assigned one of the following values:
-  * `NOT_AVAILABLE` – Indicates that the check can't be completed because a server failed, the resource was deleted, or the result of the AWS Config evaluation was `NOT_APPLICABLE`. If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub automatically archives the finding.
+  * `NOT_AVAILABLE` – Indicates that the check can't be completed because a server failed, the resource was deleted, or the result of the AWS Config evaluation was `NOT_APPLICABLE`. If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub CSPM automatically archives the finding.
@@ -26 +26 @@ The compliance status for each finding is assigned one of the following values:
-If the compliance status for a finding changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`, and `Workflow.Status` was either `NOTIFIED` or `RESOLVED`, Security Hub automatically changes `Workflow.Status` to `NEW`.
+If the compliance status for a finding changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`, and `Workflow.Status` was either `NOTIFIED` or `RESOLVED`, Security Hub CSPM automatically changes `Workflow.Status` to `NEW`.
@@ -28 +28 @@ If the compliance status for a finding changes from `PASSED` to `FAILED`, `WARNI
-If you don't have resources corresponding to a control, Security Hub produces a `PASSED` finding at the account level. If you have a resource corresponding to a control but then delete the resource, Security Hub creates a `NOT_AVAILABLE` finding and archives it immediately. After 18 hours, you receive a `PASSED` finding because you no longer have resources corresponding to the control.
+If you don't have resources corresponding to a control, Security Hub CSPM produces a `PASSED` finding at the account level. If you have a resource corresponding to a control but then delete the resource, Security Hub CSPM creates a `NOT_AVAILABLE` finding and archives it immediately. After 18 hours, you receive a `PASSED` finding because you no longer have resources corresponding to the control.
@@ -32 +32 @@ If you don't have resources corresponding to a control, Security Hub produces a
-Security Hub derives an overall control status from the compliance status of the control findings. When determining control status, Security Hub ignores findings that have a `RecordState` of `ARCHIVED` and findings that have a `Workflow.Status` of `SUPPRESSED`.
+Security Hub CSPM derives an overall control status from the compliance status of the control findings. When determining control status, Security Hub CSPM ignores findings that have a `RecordState` of `ARCHIVED` and findings that have a `Workflow.Status` of `SUPPRESSED`.
@@ -42 +42 @@ Control status is assigned one of the following values:
-  * **No data** – Indicates that there are no findings for the control. For example, a newly enabled control has this status until Security Hub starts to generate findings for it. A control also has this status if all of its findings are `SUPPRESSED` or it's unavailable in the current AWS Region.
+  * **No data** – Indicates that there are no findings for the control. For example, a newly enabled control has this status until Security Hub CSPM starts to generate findings for it. A control also has this status if all of its findings are `SUPPRESSED` or it's unavailable in the current AWS Region.
@@ -51 +51 @@ For an administrator account, control status reflects the control status for the
-Security Hub typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or the **Security standards** page on the Security Hub console. You must have [AWS Config resource recording](./controls-config-resources.html) configured for the control status to appear. After control statuses are generated for the first time, Security Hub updates control statuses every 24 hours based on the findings from the previous 24 hours. A timestamp on the control details page indicates when control status was last updated.
+Security Hub CSPM typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or the **Security standards** page on the Security Hub CSPM console. You must have [AWS Config resource recording](./controls-config-resources.html) configured for the control status to appear. After control statuses are generated for the first time, Security Hub CSPM updates control statuses every 24 hours based on the findings from the previous 24 hours. A timestamp on the control details page indicates when control status was last updated.