AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-22 · Documentation low

File: securityhub/latest/userguide/asff-top-level-attributes.md

Summary

Updated documentation for ASFF attributes with improved clarity and terminology. Changes include: title reference correction, grammatical improvements, expanded descriptions of FirstObservedAt/LastObservedAt timestamps, clarification of ProcessedAt behavior, and RecordState operation requirements.

Security assessment

The changes improve documentation clarity but do not address specific security vulnerabilities. Updates to timestamp descriptions and RecordState API usage clarify security feature behavior without indicating a security fix. Enhanced documentation helps users properly interpret security findings but doesn't introduce new security controls.

Diff

diff --git a/securityhub/latest/userguide/asff-top-level-attributes.md b/securityhub/latest/userguide/asff-top-level-attributes.md
index 76c36f84c..5540c807c 100644
--- a//securityhub/latest/userguide/asff-top-level-attributes.md
+++ b//securityhub/latest/userguide/asff-top-level-attributes.md
@@ -9 +9 @@ ActionAwsAccountNameCompanyNameComplianceConfidenceCriticalityDetectionFindingPr
-The following top-level attributes in the AWS Security Finding Format (ASFF) are optional for findings in Security Hub CSPM. For more information about these attributes, see [AwsSecurityFinding](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the _AWS Security Hub Cloud Security Posture Management (CSPM) API Reference_.
+The following top-level attributes in the AWS Security Finding Format (ASFF) are optional for findings in Security Hub CSPM. For more information about these attributes, see [AwsSecurityFinding](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the _AWS Security Hub API Reference_.
@@ -13 +13 @@ The following top-level attributes in the AWS Security Finding Format (ASFF) are
-The [`Action`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Action.html) object provides details about an action that affects or that was taken on a resource.
+The [`Action`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Action.html) object provides details about an action that affects or was taken on a resource.
@@ -333 +333 @@ Customers can update the top-level fields by using the `BatchUpdateFindings` ope
-Indicates when the potential security issue captured by a finding was first observed.
+Indicates when the potential security issue or event captured by a finding was first observed.
@@ -335 +335 @@ Indicates when the potential security issue captured by a finding was first obse
-This timestamp reflects the time of when the event or vulnerability was first observed. Consequently, it can differ from the `CreatedAt` timestamp, which reflects the time this finding record was created. 
+This timestamp specifies when the event or vulnerability was first observed. Consequently, it can differ from the `CreatedAt` timestamp, which reflects when this finding record was created.
@@ -346 +346 @@ This timestamp should be immutable between updates of the finding record but can
-Indicates when the potential security issue that was captured by a finding was most recently observed by the security findings product.
+Indicates when the potential security issue or event captured by a finding was most recently observed by the security findings product.
@@ -348 +348 @@ Indicates when the potential security issue that was captured by a finding was m
-This timestamp reflects the time when the event or vulnerability was last or most recently observed. Consequently, it can differ from the `UpdatedAt` timestamp, which reflects when this finding record was last or most recently updated. 
+This timestamp specifies when the event or vulnerability was last or most recently observed. Consequently, it can differ from the `UpdatedAt` timestamp, which reflects when this finding record was last or most recently updated. 
@@ -350 +350 @@ This timestamp reflects the time when the event or vulnerability was last or mos
-You can provide this timestamp, but it isn't required upon first observation. If you provide this field upon first observation, the timestamp should be the same as the `FirstObservedAt` timestamp. You should update this field to reflect the last or most recently observed timestamp each time a finding is observed.
+You can provide this timestamp, but it isn't required upon first observation. If you populate this field upon first observation, the timestamp should be the same as the `FirstObservedAt` timestamp. You should update this field to reflect the last or most recently observed timestamp each time a finding is observed.
@@ -499 +499 @@ Example:
-Indicates when Security Hub CSPM received a finding and begins to process it.
+Indicates when Security Hub CSPM received a finding and began to process it.
@@ -501 +501 @@ Indicates when Security Hub CSPM received a finding and begins to process it.
-This differs from `CreatedAt` and `UpdatedAt`, which are required time stamps that relate to the finding provider's interaction with the security issue and finding. The `ProcessedAt` time stamp indicates when Security Hub CSPM starts to process a finding. A finding appears in a user's account after processing is completed.
+This differs from `CreatedAt` and `UpdatedAt`, which are required timestamps that relate to the finding provider's interaction with the security issue and finding. The `ProcessedAt` timestamp indicates when Security Hub CSPM starts to process a finding. A finding appears in a user's account after processing is complete.
@@ -555 +555 @@ By default, when initially generated by a service, findings are considered `ACTI
-The `ARCHIVED` state indicates that a finding should be hidden from view. Archived findings are not immediately deleted. You can search, review, and report on them. Security Hub CSPM automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.
+The `ARCHIVED` state indicates that a finding should be hidden from view. Archived findings are not deleted immediately. You can search, review, and report on them. Security Hub CSPM automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.
@@ -557 +557 @@ The `ARCHIVED` state indicates that a finding should be hidden from view. Archiv
-`RecordState` is intended for finding providers, and can only be updated by [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html). You cannot update it using [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html).
+`RecordState` is intended for finding providers, and can be updated only by using the [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation. You cannot update it by using the [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation.
@@ -561 +561 @@ To track the status of your investigation into a finding, use Workflow instead o
-If the record state changes from `ARCHIVED` to `ACTIVE`, and the workflow status of the finding is either `NOTIFIED` or `RESOLVED`, then Security Hub CSPM automatically sets the workflow status to `NEW`.
+If the record state changes from `ARCHIVED` to `ACTIVE`, and the workflow status of the finding is `NOTIFIED` or `RESOLVED`, Security Hub CSPM automatically changes the workflow status to `NEW`.