AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-22 · Documentation low

File: securityhub/latest/userguide/asff-changes-consolidation.md

Summary

Updated documentation about consolidated controls and findings in Security Hub CSPM, including terminology changes from 'turning on' to 'enabling', added details about ASFF field changes, and workflow impact warnings

Security assessment

The changes clarify security feature behavior (consolidated findings) and ASFF field impacts, but do not address specific vulnerabilities. Updates focus on documentation improvements and user guidance rather than patching security issues.

Diff

diff --git a/securityhub/latest/userguide/asff-changes-consolidation.md b/securityhub/latest/userguide/asff-changes-consolidation.md
index 30b14b54d..637cf2efb 100644
--- a//securityhub/latest/userguide/asff-changes-consolidation.md
+++ b//securityhub/latest/userguide/asff-changes-consolidation.md
@@ -5 +5 @@
-Consolidated controls view – ASFF changesConsolidated control findings – ASFF changesGenerator IDs before and after turning on consolidated control findingsHow consolidation impacts control IDs and titlesUpdating workflows for consolidation
+Consolidated controls view – ASFF changesConsolidated control findings – ASFF changesGenerator IDs before and after enabling consolidated control findingsHow consolidation impacts control IDs and titlesUpdating workflows for consolidation
@@ -9 +9 @@ Consolidated controls view – ASFF changesConsolidated control findings – ASF
-AWS Security Hub Cloud Security Posture Management (CSPM) offers two types of consolidation:
+AWS Security Hub Cloud Security Posture Management (CSPM) offers two types of consolidation for controls:
@@ -11 +11 @@ AWS Security Hub Cloud Security Posture Management (CSPM) offers two types of co
-  * **Consolidated controls view (always on; can't be turned off)** – Each control has a single identifier across standards. The **Controls** page of the Security Hub CSPM console displays all your controls across standards.
+  * **Consolidated controls view** – With this type of consolidation, each control has a single identifier across all standards. In addition, on the Security Hub CSPM console, the **Controls** page displays all controls across all standards. 
@@ -13 +13 @@ AWS Security Hub Cloud Security Posture Management (CSPM) offers two types of co
-  * **Consolidated control findings (can be turned on or off)** – When consolidated control findings is turned on, Security Hub CSPM produces a single finding for a security check even when a check is shared across multiple standards. This is intended to reduce finding noise. Consolidated control findings is turned _on_ for you by default if you enabled Security Hub CSPM on or after February 23, 2023. Otherwise, it's turned off by default. However, consolidated control findings is turned on in Security Hub CSPM member accounts only if it's turned on in the administrator account. If the feature is turned off in the administrator account, it's turned off in member accounts. For instructions on turning on this feature, see [Consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings).
+  * **Consolidated control findings** – With this type of consolidation, Security Hub CSPM produces a single finding for a control, even if the control applies to multiple enabled standards. This can reduce finding noise. 
@@ -18 +18 @@ AWS Security Hub Cloud Security Posture Management (CSPM) offers two types of co
-Both features bring changes to control finding fields and values in the [AWS Security Finding Format (ASFF)](./securityhub-findings-format.html). This section summarizes those changes.
+You can't enable or disable consolidated controls view. Consolidated control findings is enabled by default if you enable Security Hub CSPM on or after February 23, 2023. Otherwise, it's disabled by default. However, for organizations, consolidated control findings is enabled for Security Hub CSPM member accounts only if it's enabled for the administrator account. To learn more about consolidated control findings, see [Generating and updating control findings](./controls-findings-create-update.html).
@@ -20 +20,13 @@ Both features bring changes to control finding fields and values in the [AWS Sec
-## Consolidated controls view – ASFF changes
+Both types of consolidation affect fields and values for control findings in the [AWS Security Finding Format (ASFF)](./securityhub-findings-format.html).
+
+###### Topics
+
+  * Consolidated controls view – ASFF changes
+
+  * Consolidated control findings – ASFF changes
+
+  * Generator IDs before and after enabling consolidated control findings
+
+  * How consolidation impacts control IDs and titles
+
+  * Updating workflows for consolidation
@@ -22 +33,0 @@ Both features bring changes to control finding fields and values in the [AWS Sec
-The consolidated controls view feature introduced the following changes to control finding fields and values in the ASFF.
@@ -24 +34,0 @@ The consolidated controls view feature introduced the following changes to contr
-If your workflows don’t rely on the values of these control finding fields, no action is required.
@@ -26 +35,0 @@ If your workflows don’t rely on the values of these control finding fields, no
-If you have workflows that rely on the specific values of these control finding fields, update your workflows to use the current values.
@@ -28 +37,5 @@ If you have workflows that rely on the specific values of these control finding
-ASFF field  |  Sample value before consolidated controls view  |  Sample value after consolidated controls view, plus description of change   
+## Consolidated controls view – ASFF changes
+
+The consolidated controls view feature introduced the following changes to fields and values for control findings in the ASFF. If your workflows don’t rely on values for these ASFF fields, no action is required. If you have workflows that rely on specific values for these fields, update your workflows to use the current values.
+
+ASFF field  | Sample value before consolidated controls view  | Sample value after consolidated controls view, and a description of the change   
@@ -40,3 +53 @@ Remediation.Recommendation.Url |  https://docs.aws.amazon.com/console/securityhu
-If you turn on consolidated control findings, you may be impacted by the following changes to control finding fields and values in the ASFF. These changes are in addition to the changes previously described for consolidated controls view. 
-
-If your workflows don’t rely on the values of these control finding fields, no action is required.
+If you enable consolidated control findings, you might be affected by the following changes to fields and values for control findings in the ASFF. These changes are in addition to the changes introduced by the consolidated controls view feature. If your workflows don’t rely on values for these ASFF fields, no action is required. If you have workflows that rely on specific values for these fields, update your workflows to use the current values.
@@ -44 +55 @@ If your workflows don’t rely on the values of these control finding fields, no
-If you have workflows that rely on the specific values of these control finding fields, update your workflows to use the current values.
+###### Tip
@@ -46 +57 @@ If you have workflows that rely on the specific values of these control finding
-###### Note
+If you use the [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution, note that it supports consolidated control findings. This means that you can maintain your current workflows if you enable consolidated control findings. 
@@ -48,3 +59 @@ If you have workflows that rely on the specific values of these control finding
-[Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) supports consolidated control findings. If you use this version of the solution, you can maintain your workflows when turning on consolidated control findings. 
-
-ASFF field  |  Example value before turning on consolidated control findings  |  Example value after turning on consolidated control findings, and description of change   
+ASFF field  | Example value before enabling consolidated control findings  | Example value after enabling consolidated control findings, and a description of the change   
@@ -61,2 +70,2 @@ Compliance.RelatedRequirements  |  ["PCI DSS 10.5.2", "PCI DSS 11.5", "CIS AWS F
-CreatedAt  |  2022-05-05T08:18:13.138Z  |  2022-09-25T08:18:13.138Z Format remains the same, but value resets when you turn on consolidated control findings.  
-FirstObservedAt  |  2022-05-07T08:18:13.138Z  |  2022-09-28T08:18:13.138Z Format remains the same, but value resets when you turn on consolidated control findings.  
+CreatedAt  |  2022-05-05T08:18:13.138Z  |  2022-09-25T08:18:13.138Z Format remains the same, but value resets when you enable consolidated control findings.  
+FirstObservedAt  |  2022-05-07T08:18:13.138Z | 2022-09-28T08:18:13.138Z Format remains the same, but value resets when you enable consolidated control findings.  
@@ -73 +82,3 @@ ProductFields.aws/securityhub/FindingId  |  arn:aws:securityhub:us-east-1::produ
-If you turn on [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings), Security Hub CSPM generates one finding across standards and archives the original findings (separate findings for each standard). To view archived findings, you can visit the **Findings** page of the Security Hub CSPM console with the **Record state** filter set to **ARCHIVED** , or use the [`GetFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) API action. Updates you’ve made to the original findings in the Security Hub CSPM console or using the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html) API won't be preserved in the new findings (if needed, you can recover this data by referring to the archived findings).
+If you enable consolidated control findings, Security Hub CSPM generates one finding across standards and archives the original findings (separate findings for each standard).
+
+Updates that you made to the original findings by using the Security Hub CSPM console or the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html) operation won't be preserved in the new findings. If necessary, you can recover this data by referring to the archived findings. To review archived findings, you can use the **Findings** page on the Security Hub CSPM console and set the **Record state** filter to **ARCHIVED**. Alternatively, you can use the [GetFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API.
@@ -75 +86 @@ If you turn on [consolidated control findings](./controls-findings-create-update
-Customer-provided ASFF field  |  Description of change after turning on consolidated control findings   
+Customer-provided ASFF field  | Description of change after enabling consolidated control findings   
@@ -87 +98 @@ Workflow  |  New failed findings have a default value of `NEW`. New passed findi
-## Generator IDs before and after turning on consolidated control findings
+## Generator IDs before and after enabling consolidated control findings
@@ -89 +100 @@ Workflow  |  New failed findings have a default value of `NEW`. New passed findi
-Here's a list of generator ID changes for controls when you turn on consolidated control findings. These apply to controls that Security Hub CSPM supported as of February 15, 2023.
+The following table lists changes to generator ID values for controls when you enable consolidated control findings. These changes apply to controls that Security Hub CSPM supported as of February 15, 2023.
@@ -91 +102 @@ Here's a list of generator ID changes for controls when you turn on consolidated
-GeneratorID before turning on consolidated control findings | GeneratorID after turning on consolidated control findings  
+GeneratorID before enabling consolidated control findings | GeneratorID after enabling consolidated control findings  
@@ -568,3 +579 @@ Consolidated controls view and consolidated control findings standardize control
-The Security Hub CSPM console displays standard-agnostic security control IDs and security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub CSPM findings contain standard-specific control titles (for PCI and CIS v1.2.0) if consolidated control findings is turned off in your account. In addition, Security Hub CSPM findings contain the standard-specific control ID and the security control ID. For more information about how consolidation impacts control findings, see [Samples of control findings](./sample-control-findings.html).
-
-For controls that are part of [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html), the prefix `CT.` is removed from the control ID and title in findings when consolidated control findings is turned on.
+The Security Hub CSPM console displays standard-agnostic security control IDs and security control titles, regardless of whether consolidated control findings is enabled or disabled for your account. However, Security Hub CSPM findings contain standard-specific control titles, for PCI DSS and CIS v1.2.0, if consolidated control findings is disabled for your account. In addition, Security Hub CSPM findings contain the standard-specific control ID and security control ID. For examples of how consolidation impacts control findings, see [Samples of control findings](./sample-control-findings.html).
@@ -572 +581 @@ For controls that are part of [Service-Managed Standard: AWS Control Tower](./se
-To disable a security control in Security Hub CSPM, you must disable all standard controls that correspond to the security control. The following table shows the mapping of security control IDs and titles to standard-specific control IDs and titles. IDs and titles for controls that belong to the AWS Foundational Security Best Practices (FSBP) standard are already standard-agnostic. For a mapping of controls to the requirements of Center for Internet Security (CIS) v3.0.0, see [Mapping of controls to CIS requirements in each version](./cis-aws-foundations-benchmark.html#cis-version-comparison).
+For controls that are part of the [AWS Control Tower service-managed standard](./service-managed-standard-aws-control-tower.html), the prefix `CT.` is removed from the control ID and title in findings when consolidated control findings is enabled.
@@ -574 +583 @@ To disable a security control in Security Hub CSPM, you must disable all standar
-To run your own scripts on this table, [download it as a .csv file](samples/Consolidation_ID_Title_Changes.csv.zip).
+To disable a security control in Security Hub CSPM, you must disable all standard controls that correspond to the security control. The following table shows the mapping of security control IDs and titles to standard-specific control IDs and titles. IDs and titles for controls that belong to the AWS Foundational Security Best Practices (FSBP) standard are already standard-agnostic. For a mapping of controls to the requirements of Center for Internet Security (CIS) v3.0.0, see [Mapping of controls to CIS requirements in each version](./cis-aws-foundations-benchmark.html#cis-version-comparison). To run your own scripts on this table, you can [download it as a .csv file](samples/Consolidation_ID_Title_Changes.csv.zip).
@@ -704 +713 @@ PCI DSS v3.2.1 |  PCI.SSM.3 EC2 instances should be managed by AWS Systems Manag
-If your workflows don’t rely on the specific format of any control finding fields, no action is required.
+If your workflows don’t rely on the specific format of any fields in control findings, no action is required.
@@ -706 +715 @@ If your workflows don’t rely on the specific format of any control finding fie
-If your workflows rely on the specific format of any control finding fields noted in the tables, you should update your workflows. For example, If you created a Amazon CloudWatch Events rule that triggered an action for a specific control ID (such as invoking an AWS Lambda function if the control ID equals CIS 2.7), update the rule to use CloudTrail.2, the `Compliance.SecurityControlId` field for that control.
+If your workflows rely on the specific format of one or more fields in control findings, as noted in the preceding tables, you should update your workflows. For example, If you created an Amazon EventBridge rule that triggered an action for a specific control ID, such as invoking an AWS Lambda function if the control ID equals CIS 2.7, update the rule to use CloudTrail.2, which is the value for the `Compliance.SecurityControlId` field for that control.
@@ -708 +717 @@ If your workflows rely on the specific format of any control finding fields note
-If you created [custom insights](./securityhub-custom-insights.html) using any of the control finding fields or values that changed, update those insights to use the current fields or values.
+If you created [custom insights](./securityhub-custom-insights.html) that use any of the fields or values that changed, update those insights to use the new fields or values.