AWS securityhub documentation change
Summary
Updated documentation for ASFF required attributes: removed CSPM-specific references, clarified CreatedAt definition, removed data retention note, adjusted API usage guidance for Severity/Types/UpdatedAt fields, and consolidated control findings text.
Security assessment
Changes primarily involve documentation clarifications and terminology updates (e.g., expanding 'security issue' to 'security issue or event'). The removal of 90-day retention policy notes impacts operational guidance but doesn't directly address vulnerabilities. API usage clarifications (e.g., BatchUpdateFindings restrictions) improve accuracy but don't indicate new security issues.
Diff
diff --git a/securityhub/latest/userguide/asff-required-attributes.md b/securityhub/latest/userguide/asff-required-attributes.md index 256a0b421..d9e89b8a5 100644 --- a//securityhub/latest/userguide/asff-required-attributes.md +++ b//securityhub/latest/userguide/asff-required-attributes.md @@ -9 +9 @@ AwsAccountIdCreatedAtDescriptionGeneratorIdIdProductArnResourcesSchemaVersionSev -The following top-level attributes in the AWS Security Finding Format (ASFF) are required for all findings in Security Hub CSPM. For more information about these required attributes, see [AwsSecurityFinding](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the _AWS Security Hub Cloud Security Posture Management (CSPM) API Reference_. +The following top-level attributes in the AWS Security Finding Format (ASFF) are required for all findings in Security Hub CSPM. For more information about these attributes, see [AwsSecurityFinding](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the _AWS Security Hub API Reference_. @@ -22 +22 @@ The AWS account ID that the finding applies to. -Indicates when the potential security issue captured by a finding was created. +Indicates when the potential security issue or event captured by a finding was created. @@ -29,4 +28,0 @@ Indicates when the potential security issue captured by a finding was created. -###### Note - -Security Hub CSPM deletes findings 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for more than 90 days, you can configure a rule in Amazon EventBridge that routes findings to an S3 bucket. - @@ -95 +91 @@ The format of this field is `arn:`partition`:securityhub:`region`:`account-id`:p -The `Resources` array of objects provides a set of resource data types that describe the AWS resources that the finding refers to. For details about the fields that a `Resources` object might contain, including which fields are required, see [Resource](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Resource.html) in the _AWS Security Hub Cloud Security Posture Management (CSPM) API Reference_. For examples of `Resources` objects for specific AWS services, see [Resources ASFF object](./asff-resources.html). +The `Resources` array of objects provides a set of resource data types that describe the AWS resources that the finding refers to. For details about the fields that a `Resources` object might contain, including which fields are required, see [Resource](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Resource.html) in the _AWS Security Hub API Reference_. For examples of `Resources` objects for specific AWS services, see [Resources ASFF object](./asff-resources.html). @@ -251 +247 @@ Defines the importance of a finding. For details about this object, see [`Severi -The value of the top-level `Severity` object for a finding should only be updated by the [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API. +The value of the top-level `Severity` object for a finding should be updated only by using the [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API. @@ -253 +249 @@ The value of the top-level `Severity` object for a finding should only be update -To provide severity information, finding providers should update the `Severity` object under `FindingProviderFields` when making a [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) API request. If a `BatchImportFindings` request for a new finding only provides `Label` or only provides `Normalized`, then Security Hub CSPM automatically populates the value of the other field. The `Product` and `Original` fields may also be populated. +To provide severity information, finding providers should update the `Severity` object under `FindingProviderFields` when making a [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) API request. If a `BatchImportFindings` request for a new finding only provides `Label` or only provides `Normalized`, Security Hub CSPM automatically populates the value of the other field. The `Product` and `Original` fields may also be populated. @@ -285,3 +281 @@ A finding's title. This field can contain nonspecific boilerplate text or detail -For control findings, this field provides the title of the control. - -This field doesn't reference a standard if you turn on [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings). +For control findings, this field provides the title of the control. This field doesn't reference a standard if you turn on [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings). @@ -298 +292 @@ One or more finding types in the format of ``namespace`/`category`/`classifier`` -`Types` should only be updated using [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). +`Types` should be updated only by using the [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API. @@ -475 +469 @@ When you update the finding record, you must update this timestamp to the curren -Note that `UpdatedAt` cannot be updated by using the [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation. You can only update it by using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html). +Note that `UpdatedAt` cannot be updated by using the [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation. You can update it only by using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation. @@ -482,4 +475,0 @@ Note that `UpdatedAt` cannot be updated by using the [`BatchUpdateFindings`](htt -###### Note - -Security Hub CSPM deletes findings 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in Amazon EventBridge that routes findings to your S3 bucket. -