AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-22 · Documentation low

File: securityhub/latest/userguide/controls-filter-sort.md

Summary

Updated documentation for Security Hub CSPM controls filtering and sorting, including clarifications about aggregation Regions, filter/sort behavior, control status explanations, and API usage guidance.

Security assessment

The changes improve clarity about security control management features but do not address a specific vulnerability. The recommendation to use SecurityControlId/ARN instead of mutable Title/Description fields in automation helps maintain consistent security workflows, but this is a best practice rather than a vulnerability fix.

Diff

diff --git a/securityhub/latest/userguide/controls-filter-sort.md b/securityhub/latest/userguide/controls-filter-sort.md
index 865c1a9b7..fa4ac4536 100644
--- a//securityhub/latest/userguide/controls-filter-sort.md
+++ b//securityhub/latest/userguide/controls-filter-sort.md
@@ -7 +7 @@
-On the **Controls** page of the AWS Security Hub Cloud Security Posture Management (CSPM) console, you can see a list of all supported controls. You can also filter and sort the list to focus on a specific subset of controls.
+On the AWS Security Hub Cloud Security Posture Management (CSPM) console, you can use the **Controls** page to review a table of the controls that are available in the current AWS Region. The exception is an aggregation Region. If you [configured an aggregation Region](./finding-aggregation.html) and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.
@@ -9 +9 @@ On the **Controls** page of the AWS Security Hub Cloud Security Posture Manageme
-The **Filter by** options next to the list of controls let you quickly focus on these specific subsets:
+To focus on a specific subset of controls, you can sort and filter the table of controls. The **Filter by** options next to the table can help you quickly focus on these specific subsets:
@@ -11 +11 @@ The **Filter by** options next to the list of controls let you quickly focus on
-  * All enabled controls (controls that are enabled in at least one enabled standard)
+  * All enabled controls, which are controls that are enabled in at least one enabled standard.
@@ -13 +13 @@ The **Filter by** options next to the list of controls let you quickly focus on
-  * All disabled controls (controls that are disabled in all standards).
+  * All disabled controls, which are controls that are disabled in all standards.
@@ -15 +15 @@ The **Filter by** options next to the list of controls let you quickly focus on
-  * For enabled controls, those with a specific control status (**Failed** , **Passed** , **Unknown** , or **No data**). **No data** controls are those with no findings. For more information about control status, see [Evaluating compliance status and control status](./controls-overall-status.html).
+  * All enabled controls that have a specific control status, such as **Failed**. The **No data** option displays only those controls that don't currently have findings. For information about control status, see [Evaluating compliance status and control status](./controls-overall-status.html).
@@ -20 +20 @@ The **Filter by** options next to the list of controls let you quickly focus on
-In addition to the **Filter by** options, you can filter the controls lists by entering filters in the **Filter controls** search box. For example, you can filter by control ID or severity.
+In addition to the **Filter by** options, you can filter the table by entering filter criteria in the **Filter controls** box above the table. For example, you can filter by control ID or severity.
@@ -22 +22 @@ In addition to the **Filter by** options, you can filter the controls lists by e
-###### Tip
+By default, controls with a **Failed** status are listed first, in descending order by severity. You can change the sort order by choosing a different column heading.
@@ -24 +24 @@ In addition to the **Filter by** options, you can filter the controls lists by e
-If you have automated workflows based on control findings, we recommend using the `SecurityControlId` or `SecurityControlArn` [ASFF fields](./securityhub-findings-format.html) as filters, rather than `Title` or `Description`. The latter fields can change occasionally, whereas the control ID and ARN are static identifiers.
+###### Tip
@@ -26 +26 @@ If you have automated workflows based on control findings, we recommend using th
-If you're signed in to a Security Hub CSPM administrator account, **Enabled** controls include those that are enabled in at least one member account. If you have set an aggregation Region, **Enabled** controls include those that are enabled in at least one linked Region.
+If you have automated workflows based on control findings, we recommend using the `SecurityControlId` or `SecurityControlArn` [ASFF fields](./securityhub-findings-format.html) as filters, rather than the `Title` or `Description` fields. The latter fields can change occasionally, whereas control ID and ARN are static identifiers.
@@ -28 +28 @@ If you're signed in to a Security Hub CSPM administrator account, **Enabled** co
-By default, the controls with **Failed** status are listed first, sorted by decreasing severity. You can change the default sorting by choosing a different option in the column headers.
+If you're signed in to a Security Hub CSPM administrator account, **Enabled** controls include controls that are enabled in at least one member account. If you configured an aggregation Region, **Enabled** controls include controls that are enabled in at least one linked Region.
@@ -30 +30 @@ By default, the controls with **Failed** status are listed first, sorted by decr
-Choosing the option next to the control brings up a side panel which displays the standards in which the control is currently enabled. You can also see the standards in which the control is currently disabled. From this panel, you can disable a control by disabling it in all standards. For instructions on enabling and disabling controls across standards, see [Enabling controls in Security Hub CSPM](./securityhub-standards-enable-disable-controls.html). For administrator accounts, the information presented in the side panel reflects all member accounts.
+If you select the option next to an enabled a control, a panel appears and displays the standards in which the control is currently enabled. You can also see the standards in which the control is currently disabled. From this panel, you can disable a control in all standards. For more information, see [Disabling controls in Security Hub CSPM](./disable-controls-overview.html). For administrator accounts, the information in the panel reflects settings for all of your member accounts.
@@ -32 +32 @@ Choosing the option next to the control brings up a side panel which displays th
-On the Security Hub CSPM API, use the [ListSecurityControlDefinitions](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) operation to get back a list of control IDs. After you have the relevant control IDs, use the [BatchGetSecurityControls](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html) operation to get data about that subset of controls in the current AWS account and AWS Region.
+To retrieve a list of controls programmatically, you can use the [ListSecurityControlDefinitions](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) operation of the Security Hub CSPM API. To retrieve the details of individual controls, use the [BatchGetSecurityControls](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html) operation.