AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-06-22 · Security-related medium

File: securityhub/latest/userguide/controls-findings-create-update.md

Summary

Updated documentation to clarify consolidated control findings behavior, added details about archiving criteria, expanded automation/suppression guidance, restructured compliance details, and introduced new status reason codes like S3_BUCKET_CROSS_ACCOUNT_CROSS_REGION and SNS_TOPIC_CROSS_ACCOUNT

Security assessment

The change adds documentation for the SNS_TOPIC_CROSS_ACCOUNT status reason code, which explicitly warns about cross-account SNS topic permissions misconfigurations that could lead to security monitoring gaps. This addresses a specific security configuration weakness. Additionally, expanded guidance on archiving criteria and suppression mechanisms improves security posture documentation.

Diff

diff --git a/securityhub/latest/userguide/controls-findings-create-update.md b/securityhub/latest/userguide/controls-findings-create-update.md
index 4f997c430..83be44b81 100644
--- a//securityhub/latest/userguide/controls-findings-create-update.md
+++ b//securityhub/latest/userguide/controls-findings-create-update.md
@@ -5 +5 @@
-Consolidated control findingsGenerating new findings versus updating existing findingsControl finding automation and suppressionCompliance details for control findingsProductFields details for control findingsSeverity level of control findings
+Consolidated control findingsGenerating, updating, and archiving control findingsAutomation and suppression of control findingsCompliance details for control findingsProductFields details for control findingsSeverity levels for control findings
@@ -9 +9,20 @@ Consolidated control findingsGenerating new findings versus updating existing fi
-AWS Security Hub Cloud Security Posture Management (CSPM) generates findings by running checks against security controls. These findings use the AWS Security Finding Format (ASFF). Note that if the finding size exceeds the maximum of 240 KB, then the `Resource.Details` object is removed. For controls that are backed by AWS Config resources, you can view the resource details on the AWS Config console.
+AWS Security Hub Cloud Security Posture Management (CSPM) generates control findings when it runs checks against security controls. Control findings use the [AWS Security Finding Format (ASFF)](./securityhub-findings-format.html).
+
+Security Hub CSPM normally charges for each security check for a control. However, if multiple controls use the same AWS Config rule, Security Hub CSPM charges only once for each check against the rule. For example, the AWS Config `iam-password-policy` rule is used by multiple controls in the CIS AWS Foundations Benchmark standard and the AWS Foundational Security Best Practices standard. Each time Security Hub CSPM runs a check against that rule, it generates a separate control finding for each related control, but charges only once for the check.
+
+If the size of a control finding exceeds the maximum of 240 KB, Security Hub CSPM removes the `Resource.Details` object from the finding. For controls that are backed by AWS Config resources, you can review resource details by using the AWS Config console.
+
+###### Topics
+
+  * Consolidated control findings
+
+  * Generating, updating, and archiving control findings
+
+  * Automation and suppression of control findings
+
+  * Compliance details for control findings
+
+  * ProductFields details for control findings
+
+  * Severity levels for control findings
+
@@ -11 +29,0 @@ AWS Security Hub Cloud Security Posture Management (CSPM) generates findings by
-Security Hub CSPM normally charges for each security check for a control. However, if multiple controls use the same AWS Config rule, then Security Hub CSPM only charges once for each check against the AWS Config rule. If you enable consolidated control findings, Security Hub CSPM generates a single finding for a security check even when the control is included in multiple enabled standards.
@@ -13 +30,0 @@ Security Hub CSPM normally charges for each security check for a control. Howeve
-For example, the AWS Config rule `iam-password-policy` is used by multiple controls in the Center for Internet Security (CIS) AWS Foundations Benchmark standard and the Foundational Security Best Practices standard. Each time Security Hub CSPM runs a check against that AWS Config rule, it generates a separate finding for each related control, but only charges once for the check.
@@ -19 +36 @@ If consolidated control findings is enabled for your account, Security Hub CSPM
-If you enabled Security Hub CSPM for an AWS account before February 23, 2023, you can enable consolidated control findings by following the instructions later in this section. If you enable Security Hub CSPM on or after February 23, 2023, consolidated control findings is automatically enabled for your account.
+If you enabled Security Hub CSPM for an AWS account before February 23, 2023, you can enable consolidated control findings by following the instructions later in this section. If you enable Security Hub CSPM on or after February 23, 2023, consolidated control findings is enabled automatically for your account.
@@ -21 +38 @@ If you enabled Security Hub CSPM for an AWS account before February 23, 2023, yo
-However, if you use the [Security Hub CSPM integration with AWS Organizations](./securityhub-accounts-orgs.html) or invited member accounts through a [manual invitation process](./account-management-manual.html), consolidated control findings is enabled for member accounts only if it's enabled for the administrator account. If the feature is disabled for the administrator account, it's disabled for member accounts. This behavior applies to new and existing member accounts. If the administrator uses [central configuration](./central-configuration-intro.html) to manage Security Hub CSPM for multiple accounts, they cannot use central configuration policies to enable or disable consolidated control findings for the accounts.
+If you use the [Security Hub CSPM integration with AWS Organizations](./securityhub-accounts-orgs.html) or invited member accounts through a [manual invitation process](./account-management-manual.html), consolidated control findings is enabled for member accounts only if it's enabled for the administrator account. If the feature is disabled for the administrator account, it's disabled for member accounts. This behavior applies to new and existing member accounts. In addition, if the administrator uses [central configuration](./central-configuration-intro.html) to manage Security Hub CSPM for multiple accounts, they cannot use central configuration policies to enable or disable consolidated control findings for the accounts.
@@ -23 +40 @@ However, if you use the [Security Hub CSPM integration with AWS Organizations](.
-If you disable consolidated control findings for your account, Security Hub CSPM generates a separate finding per security check for each enabled standard that includes a control. For example, if four enabled standards share a control with the same underlying AWS Config rule, you receive four separate findings after a security check of the control. If you enable consolidated control findings, you receive only one finding.
+If you disable consolidated control findings for your account, Security Hub CSPM generates a separate control finding for each security check and each enabled standard that includes a control. For example, if you enable four standards that share a control, you receive four separate findings after a security check for the control. If you enable consolidated control findings, you receive only one finding.
@@ -25,3 +42 @@ If you disable consolidated control findings for your account, Security Hub CSPM
-When you enable consolidated control findings, Security Hub CSPM creates new standard-agnostic findings and archives the original standard-based findings. Some control finding fields and values will change, which might impact existing workflows. For information about these changes, see [Consolidated control findings – ASFF changes](./asff-changes-consolidation.html#securityhub-findings-format-consolidated-control-findings).
-
-Turning on consolidated control findings might also affect findings that integrated third-party products receive from Security Hub CSPM. [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) supports consolidated control findings. 
+When you enable consolidated control findings, Security Hub CSPM creates new standard-agnostic findings and archives the original standard-based findings. Some control finding fields and values will change, which might impact your existing workflows. For information about these changes, see [Consolidated control findings – ASFF changes](./asff-changes-consolidation.html#securityhub-findings-format-consolidated-control-findings). Enabling consolidated control findings might also affect findings that integrated third-party products receive from Security Hub CSPM. If you use the [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution, note that it supports consolidated control findings. 
@@ -33 +48 @@ To enable or disable consolidated control findings, you must be signed in to an
-After enabling consolidated control findings, it can take up to 24 hours for Security Hub CSPM for generate new, consolidated findings and archive the original, standard-based findings. Similarly, after disabling consolidated control findings, it can take up to 24 hours for Security Hub CSPM to generate new, standard-based findings and archive the consolidated findings. During these times, you might see a mix of standard-agnostic and standard-based findings in your account.
+After you enable consolidated control findings, it can take up to 24 hours for Security Hub CSPM for generate new, consolidated findings and archive the original, standard-based findings. Similarly, after disabling consolidated control findings, it can take up to 24 hours for Security Hub CSPM to generate new, standard-based findings and archive the consolidated findings. During these times, you might see a mix of standard-agnostic and standard-based findings in your account.
@@ -38 +53 @@ Security Hub CSPM console
-###### To enable or disable consolidated control findings (console)
+###### To enable or disable consolidated control findings
@@ -42 +57 @@ Security Hub CSPM console
-  2. In the navigation pane, choose **Settings**.
+  2. In the navigation pane, under **Settings** , choose **General**.
@@ -44 +59 @@ Security Hub CSPM console
-  3. Choose the **General** tab.
+  3. In the **Controls** section, choose **Edit**.
@@ -46 +61 @@ Security Hub CSPM console
-  4. For **Controls** , turn on or off **Consolidated control findings**.
+  4. Use the **Consolidated control findings** switch to enable or disable consolidated control findings.
@@ -53 +68 @@ Security Hub CSPM console
-Security Hub CSPM API, AWS CLI
+Security Hub CSPM API
@@ -56 +71 @@ Security Hub CSPM API, AWS CLI
-###### To enable or disable consolidated control findings (API, AWS CLI)
+To enable or disable consolidated control findings programmatically, use the [UpdateSecurityHubConfiguration](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html) operation of the Security Hub CSPM API. Or, if you're using the AWS CLI, run the [update-security-hub-configuration](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-security-hub-configuration.html) command. 
@@ -58 +73 @@ Security Hub CSPM API, AWS CLI
-  1. Use the [`UpdateSecurityHubConfiguration`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html) operation. If you're using the AWS CLI, run the [`update-security-hub-configuration`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-security-hub-configuration.html) command.
+For the `control-finding-generator` parameter, specify `SECURITY_CONTROL` to enable consolidated control findings. To disable consolidated control findings, specify `STANDARD_CONTROL`.
@@ -60 +75 @@ Security Hub CSPM API, AWS CLI
-  2. Set `control-finding-generator` equal to `SECURITY_CONTROL` to enable consolidated control findings. Set `control-finding-generator` equal to `STANDARD_CONTROL` to disable consolidated control findings 
+For example, the following AWS CLI command enables consolidated control findings.
@@ -62 +76,0 @@ Security Hub CSPM API, AWS CLI
-For example, the following AWS CLI command enables consolidated control findings. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.
@@ -66 +80,2 @@ For example, the following AWS CLI command enables consolidated control findings
-The following AWS CLI command disables consolidated control findings. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.
+The following AWS CLI command disables consolidated control findings.
+    
@@ -69,0 +85 @@ The following AWS CLI command disables consolidated control findings. This examp
+## Generating, updating, and archiving control findings
@@ -70,0 +87 @@ The following AWS CLI command disables consolidated control findings. This examp
+Security Hub CSPM runs security checks on a [schedule](./securityhub-standards-schedule.html). A subsequent check against a given control can generate a new result. For example, the status of a control could change from `FAILED` to `PASSED`. In this case, Security Hub CSPM generates a new finding that contains the most recent result. If a subsequent check against a given control generates a result that is identical to the current result, Security Hub CSPM updates the existing finding. No new finding is generated.
@@ -71,0 +89 @@ The following AWS CLI command disables consolidated control findings. This examp
+In addition to generating and updating control findings, Security Hub CSPM automatically archives control findings that meet certain criteria. Security Hub CSPM archives a finding if the control is disabled, the specified resource is deleted, or the specified resource no longer exists. A resource might not exist anymore because the associated service is no longer used. More specifically, Security Hub CSPM automatically archives a control finding if the finding meets one of the following criterion:
@@ -73 +91 @@ The following AWS CLI command disables consolidated control findings. This examp
-## Generating new findings versus updating existing findings
+  * The finding hasn't been updated for 3‐5 days. Note that archival based on this time frame is on a best-effort basis and is not guaranteed.
@@ -75 +93 @@ The following AWS CLI command disables consolidated control findings. This examp
-Security Hub CSPM runs security checks on a [schedule](./securityhub-standards-schedule.html). A subsequent check against a given control can generate a new result. For example, the status of a control could change from `FAILED` to `PASSED`. In this case, Security Hub CSPM generates a new finding that contains the most recent result.
+  * The associated AWS Config evaluation returned `NOT_APPLICABLE` for the compliance status of the specified resource.
@@ -77 +94,0 @@ Security Hub CSPM runs security checks on a [schedule](./securityhub-standards-s
-If a subsequent check against a given rule generates a result that is identical to the current result, Security Hub CSPM updates the existing finding. No new finding is generated.
@@ -79 +95,0 @@ If a subsequent check against a given rule generates a result that is identical
-Security Hub CSPM automatically archives findings from controls if the associated resource is deleted, the resource does not exist, or the control is disabled. A resource might no longer exist because the associated service isn't currently used. The findings are archived automatically based on one of the following criteria:
@@ -81 +96,0 @@ Security Hub CSPM automatically archives findings from controls if the associate
-  * The finding isn't updated for 3-5 days (note that this is best effort and not guaranteed).
@@ -83 +98 @@ Security Hub CSPM automatically archives findings from controls if the associate
-  * The associated AWS Config evaluation returned `NOT_APPLICABLE`.
+To determine whether a finding is archived, you can refer to the record state (`RecordState`) field of the finding. If a finding is archived, the value for this field is `ARCHIVED`.
@@ -84,0 +100 @@ Security Hub CSPM automatically archives findings from controls if the associate
+Security Hub CSPM stores archived control findings for 30 days. After 30 days, the findings expire and Security Hub CSPM permanently deletes them. To determine whether an archived control finding has expired, Security Hub CSPM bases its calculation on the value for the `UpdatedAt` field of the finding.
@@ -85,0 +102 @@ Security Hub CSPM automatically archives findings from controls if the associate
+To store archived control findings for more than 30 days, you can export the findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](./securityhub-cloudwatch-events.html).
@@ -86,0 +104 @@ Security Hub CSPM automatically archives findings from controls if the associate
+## Automation and suppression of control findings
@@ -88 +106 @@ Security Hub CSPM automatically archives findings from controls if the associate
-## Control finding automation and suppression
+You can use Security Hub CSPM automation rules to update or suppress specific control findings. If you suppress a finding, you can continue to access it in your account. However, suppression indicates your belief that no action is needed to address the finding.
@@ -90 +108 @@ Security Hub CSPM automatically archives findings from controls if the associate
-You can use Security Hub CSPM automation rules to update or suppress specific control findings. When you suppress a finding, it's still accessible in your account, but it indicates your belief that no action is needed to address the finding. By suppressing irrelevant findings, you can reduce finding noise. For example, you might suppress control findings that are generated in test accounts. Or, you might suppress findings related to specific resources. For more information about automatically updating or suppressing findings, see [Understanding automation rules in Security Hub CSPM](./automation-rules.html). 
+By suppressing findings, you can reduce finding noise. For example, you might suppress control findings that are generated in test accounts. Or, you might suppress findings related to specific resources. To learn more about updating or suppressing findings automatically, see [Understanding automation rules in Security Hub CSPM](./automation-rules.html). 
@@ -92 +110 @@ You can use Security Hub CSPM automation rules to update or suppress specific co
-Automation rules are appropriate when you want to update or suppress specific control findings. However, if a control isn't relevant to your organization or use case, we recommend [disabling the control](./disable-controls-overview.html). When you disable a control, Security Hub CSPM doesn't run security checks on it, and you aren't charged.
+Automation rules are appropriate when you want to update or suppress specific control findings. However, if a control isn't relevant to your organization or use case, we recommend [disabling the control](./disable-controls-overview.html). When you disable a control, Security Hub CSPM doesn't run security checks on it, and you aren't charged for it.
@@ -96,13 +114 @@ Automation rules are appropriate when you want to update or suppress specific co
-For findings generated by security checks of controls, the [Compliance](./asff-top-level-attributes.html#asff-compliance) field in the AWS Security Finding Format (ASFF) contains details related to control findings. The `Compliance` field includes the following information.
-
-`AssociatedStandards`
-    
-
-The enabled standards that a control is enabled in.
-
-`RelatedRequirements`
-    
-
-The list of related requirements for the control in all enabled standards. The requirements are from the third-party security framework for the control, such as the Payment Card Industry Data Security Standard (PCI DSS).
-
-`SecurityControlId`
+In findings generated by security checks for controls, the [Compliance](./asff-top-level-attributes.html#asff-compliance) object and fields in the AWS Security Finding Format (ASFF) provide compliance details for individual resources that a control checked. This includes the following information:
@@ -109,0 +116 @@ The list of related requirements for the control in all enabled standards. The r
+  * `AssociatedStandards` – The enabled standards that the control is enabled in.
@@ -111 +118 @@ The list of related requirements for the control in all enabled standards. The r
-The identifier for a control across security standards that Security Hub CSPM supports.
+  * `RelatedRequirements` – The related requirements for the control in all enabled standards. These requirements derive from third-party security frameworks for the control, such as the Payment Card Industry Data Security Standard (PCI DSS) or the NIST SP 800-171 Revision 2 standard.
@@ -113 +120 @@ The identifier for a control across security standards that Security Hub CSPM su
-`Status`
+  * `SecurityControlId` – The identifier for the control across the standards that Security Hub CSPM supports.
@@ -114,0 +122 @@ The identifier for a control across security standards that Security Hub CSPM su
+  * `Status` – The result of the most recent check that Security Hub CSPM ran for the control. The results of the previous checks are kept in an archived state. 
@@ -116 +124 @@ The identifier for a control across security standards that Security Hub CSPM su
-The result of the most recent check that Security Hub CSPM ran for a given control. The results of the previous checks are kept in an archived state for 90 days.
+  * `StatusReasons` – An array that lists reasons for the value specified by the `Status` field. For each reason, this includes a reason code and a description.
@@ -118 +125,0 @@ The result of the most recent check that Security Hub CSPM ran for a given contr
-`StatusReasons`
@@ -121 +127,0 @@ The result of the most recent check that Security Hub CSPM ran for a given contr
-Contains a list of reasons for the value of `Compliance.Status`. For each reason, `StatusReasons` includes the reason code and a description.
@@ -123 +129 @@ Contains a list of reasons for the value of `Compliance.Status`. For each reason
-The following table lists the available status reason codes and descriptions. The remediation steps depend on which control generated a finding with the reason code. Choose a control from the [Control reference for Security Hub CSPM](./securityhub-controls-reference.html) to see remediation steps for that control.
+The following table lists reason codes and descriptions that a finding might include in the `StatusReasons` array. The remediation steps vary based on which control generated a finding with a specified reason code. To review the remediation guidance for a control, refer to the [Control reference for Security Hub CSPM](./securityhub-controls-reference.html).
@@ -125 +131 @@ The following table lists the available status reason codes and descriptions. Th
-Reason code |  Compliance.Status |  Description  
+Reason code | Compliance status | Description  
@@ -158,2 +164,2 @@ Reason code |  Compliance.Status |  Description
-`LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE` |  FAILED |  Security Hub CSPM is unable to perform a check against a custom Lambda runtime.  
-`S3_BUCKET_CROSS_ACCOUNT_CROSS_REGION` |  `WARNING` |  The finding is in a `WARNING` state, because the S3 bucket that is associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.  
+`LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE` |  `FAILED` |  Security Hub CSPM is unable to perform a check against a custom Lambda runtime.  
+`S3_BUCKET_CROSS_ACCOUNT_CROSS_REGION` |  `WARNING` |  The finding is in a `WARNING` state because the S3 bucket that is associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.  
@@ -161 +167 @@ Reason code |  Compliance.Status |  Description
-`SNS_TOPIC_CROSS_ACCOUNT` |  WARNING |  The finding is in a `WARNING` state. The SNS topic associated with this rule is owned by a different account. The current account cannot obtain the subscription information. The account that owns the SNS topic must grant to the current account the `sns:ListSubscriptionsByTopic` permission for the SNS topic.  
+`SNS_TOPIC_CROSS_ACCOUNT` |  `WARNING` |  The finding is in a `WARNING` state. The SNS topic associated with this rule is owned by a different account. The current account cannot obtain the subscription information. The account that owns the SNS topic must grant to the current account the `sns:ListSubscriptionsByTopic` permission for the SNS topic.  
@@ -257 +263 @@ The identifier of the finding. This field doesn't reference a standard if you en
-## Severity level of control findings
+## Severity levels for control findings