AWS securityhub documentation change
Summary
Updated references from 'Security Hub' to 'Security Hub CSPM' throughout the document to clarify Cloud Security Posture Management functionality
Security assessment
The changes emphasize CSPM (Cloud Security Posture Management) terminology but do not address specific vulnerabilities or security incidents. The updates clarify operational aspects of security checks without introducing new security features or patching weaknesses.
Diff
diff --git a/securityhub/latest/userguide/securityhub-standards-schedule.md b/securityhub/latest/userguide/securityhub-standards-schedule.md index 7733abac6..bff885a0a 100644 --- a//securityhub/latest/userguide/securityhub-standards-schedule.md +++ b//securityhub/latest/userguide/securityhub-standards-schedule.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html) +[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html) @@ -9 +9 @@ Periodic security checksChange-triggered security checks -After you enable a security standard, AWS Security Hub begins to run all checks within two hours. Most checks begin to run within 25 minutes. Security Hub runs checks by evaluating the rule underlying a control. Until a control completes its first run of checks, its status is **No data**. +After you enable a security standard, AWS Security Hub Cloud Security Posture Management (CSPM) begins to run all checks within two hours. Most checks begin to run within 25 minutes. Security Hub CSPM runs checks by evaluating the rule underlying a control. Until a control completes its first run of checks, its status is **No data**. @@ -11 +11 @@ After you enable a security standard, AWS Security Hub begins to run all checks -When you enable a new standard, Security Hub may take up to 24 hours to generate findings for controls that use the same underlying AWS Config service-linked rule as enabled controls from other enabled standards. For example, if you enable [Lambda.1](./lambda-controls.html#lambda-1) in the AWS Foundational Security Best Practices (FSBP) standard, Security Hub will create the service-linked rule and typically generate findings in minutes. After this, if you enable Lambda.1 in the Payment Card Industry Data Security Standard (PCI DSS), Security Hub may take up to 24 hours to generate findings for this control because it uses the same service-linked rule as Lambda.1. +When you enable a new standard, Security Hub CSPM may take up to 24 hours to generate findings for controls that use the same underlying AWS Config service-linked rule as enabled controls from other enabled standards. For example, if you enable [Lambda.1](./lambda-controls.html#lambda-1) in the AWS Foundational Security Best Practices (FSBP) standard, Security Hub CSPM will create the service-linked rule and typically generate findings in minutes. After this, if you enable Lambda.1 in the Payment Card Industry Data Security Standard (PCI DSS), Security Hub CSPM may take up to 24 hours to generate findings for this control because it uses the same service-linked rule as Lambda.1. @@ -17 +17 @@ After the initial check, the schedule for each control can be either periodic or -Periodic security checks run automatically within 12 or 24 hours after the most recent run. Security Hub determines the periodicity, and you can't change it. Periodic controls reflect an evaluation at the moment the check runs. +Periodic security checks run automatically within 12 or 24 hours after the most recent run. Security Hub CSPM determines the periodicity, and you can't change it. Periodic controls reflect an evaluation at the moment the check runs. @@ -19 +19 @@ Periodic security checks run automatically within 12 or 24 hours after the most -If you update the workflow status of a periodic control finding, and then in the next check the compliance status of the finding stays the same, the workflow status remains in its modified state. For example, if you have a failed finding for **KMS.4 - AWS KMS key rotation should be enabled** , and then remediate the finding, Security Hub changes the workflow status from `NEW` to `RESOLVED`. If you disable KMS key rotation before the next periodic check, the workflow status of the finding remains `RESOLVED`. +If you update the workflow status of a periodic control finding, and then in the next check the compliance status of the finding stays the same, the workflow status remains in its modified state. For example, if you have a failed finding for **KMS.4 - AWS KMS key rotation should be enabled** , and then remediate the finding, Security Hub CSPM changes the workflow status from `NEW` to `RESOLVED`. If you disable KMS key rotation before the next periodic check, the workflow status of the finding remains `RESOLVED`. @@ -21 +21 @@ If you update the workflow status of a periodic control finding, and then in the -Checks that use Security Hub custom Lambda functions are periodic. +Checks that use Security Hub CSPM custom Lambda functions are periodic. @@ -25 +25 @@ Checks that use Security Hub custom Lambda functions are periodic. -Change-triggered security checks run when the associated resource changes state. AWS Config lets you choose between _continuous recording_ of changes in resource state and _daily recording_. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24 hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub findings until a 24-hour period is complete. Regardless of your chosen recording period, Security Hub checks every 18 hours to ensure no resource updates from AWS Config were missed. +Change-triggered security checks run when the associated resource changes state. AWS Config lets you choose between _continuous recording_ of changes in resource state and _daily recording_. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24 hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub CSPM findings until a 24-hour period is complete. Regardless of your chosen recording period, Security Hub CSPM checks every 18 hours to ensure no resource updates from AWS Config were missed. @@ -27 +27 @@ Change-triggered security checks run when the associated resource changes state. -In general, Security Hub uses change-triggered rules whenever possible. For a resource to use a change-triggered rule, it must support AWS Config configuration items. +In general, Security Hub CSPM uses change-triggered rules whenever possible. For a resource to use a change-triggered rule, it must support AWS Config configuration items.