AWS securityhub documentation change
Summary
Updated documentation for Security Hub CSPM concepts including clarifications on archived findings, control archiving criteria, regional support details, and general terminology improvements. Added references to related documentation pages.
Security assessment
Changes primarily improve clarity and consistency without addressing specific vulnerabilities. The archiving criteria update removes specific technical details but refers to external documentation. No evidence of patching vulnerabilities or disclosing security incidents.
Diff
diff --git a/securityhub/latest/userguide/securityhub-concepts.md b/securityhub/latest/userguide/securityhub-concepts.md index 07016786f..1e206fdd0 100644 --- a//securityhub/latest/userguide/securityhub-concepts.md +++ b//securityhub/latest/userguide/securityhub-concepts.md @@ -47 +47 @@ In the aggregation Region, the **Security standards** , **Insights** , and **Fin -See [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). +For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). @@ -52 +52 @@ See [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggr -A finding that has a `RecordState` set to `ARCHIVED`. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. The record state is separate from the workflow status, which tracks the status of an investigation into a finding. +A finding whose record state (`RecordState`) is `ARCHIVED`. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. Record state is different from workflow status, which tracks the status of the investigation into a finding. @@ -54 +54 @@ A finding that has a `RecordState` set to `ARCHIVED`. Archiving a finding indica -Finding providers can use the [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to archive findings that they created. Security Hub CSPM automatically archives findings for controls if the control is disabled or the associated resource is deleted, based on one of the following criteria. +Finding providers can use the [BatchImportFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to archive findings that they created. Security Hub CSPM automatically archives control findings that meet certain criteria. For more information, see [Generating, updating, and archiving control findings](./controls-findings-create-update.html#securityhub-standards-results-updating). @@ -56,10 +56 @@ Finding providers can use the [`BatchImportFindings`](https://docs.aws.amazon.co - * The finding is not updated in three to five days (note that this is best effort and not guaranteed). - - * The associated AWS Config evaluation returns `NOT_APPLICABLE`. - - - - -By default, archived findings are excluded from findings lists in the Security Hub CSPM console. You can update the filter to include archived findings. - -The [`GetFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API returns both active and archived findings. You can include a filter for the record state. +On the Security Hub CSPM console, default filter settings exclude archived findings from finding lists and tables. You can update the settings to include archived findings. If you retrieve findings by using the [GetFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API, the operation retrieves both archived and active findings. To exclude archived findings, you can filter the results. For example: @@ -85 +76 @@ A safeguard or countermeasure prescribed for an information system or an organiz -The term _security control_ refers to controls that have a single control ID and title across standards. The term _standard control_ refers to controls that have standard-specific control IDs and titles. Currently, Security Hub CSPM only supports standard controls in the AWS GovCloud (US) Region and China Regions. Security controls are supported in all other Regions. +The term _security control_ refers to controls that have a single control ID and title across standards. The term _standard control_ refers to controls that have standard-specific control IDs and titles. Currently, Security Hub CSPM supports standard controls only in the China Regions and AWS GovCloud (US) Regions. Security controls are supported in all other Regions. @@ -95 +86 @@ A Security Hub CSPM mechanism for sending selected findings to EventBridge. A cu -In Organizations, the delegated administrator account for a service is able to manage the use of a service for the organization. +In AWS Organizations, the delegated administrator account for a service is able to manage the use of a service for the organization. @@ -104,5 +95 @@ The organization management account must then choose the delegated administrator -The observable record of a security check or security-related detection. Security Hub CSPM generates a finding after completing a security check of a control. These are called control findings. Findings may also come from third party product integrations. - -For more information about findings in Security Hub CSPM, see [Creating and updating findings in Security Hub CSPM](./securityhub-findings.html). - -###### Note +The observable record of a security check or security-related detection. Security Hub CSPM generates findings after completing security checks for controls. These are called _control findings_. Findings can also come from integrations with other AWS services and third-party products. @@ -110 +97 @@ For more information about findings in Security Hub CSPM, see [Creating and upda -Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in EventBridge that routes findings to your Amazon S3 bucket. +For more information, see [Creating and updating findings in Security Hub CSPM](./securityhub-findings.html). @@ -117 +104 @@ The aggregation of findings, insights, control compliance statuses, and security -See [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). +For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). @@ -138 +125 @@ In a linked Region, the **Findings** and **Insights** pages contain findings onl -See [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). +For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). @@ -188 +175 @@ A published statement on a topic specifying the characteristics, usually measura -The severity assigned to a Security Hub CSPM control identifies the importance of the control. The severity of a control can be **Critical** , **High** , **Medium** , **Low** , or **Informational**. The severity assigned to control findings is equal to the severity of the control itself. To learn about how Security Hub CSPM assigns severity to a control, see [Severity level of control findings](./controls-findings-create-update.html#control-findings-severity). +The severity assigned to a Security Hub CSPM control identifies the importance of the control. The severity of a control can be **Critical** , **High** , **Medium** , **Low** , or **Informational**. The severity assigned to control findings is equal to the severity of the control itself. To learn about how Security Hub CSPM assigns severity to a control, see [Severity levels for control findings](./controls-findings-create-update.html#control-findings-severity). @@ -193 +180 @@ The severity assigned to a Security Hub CSPM control identifies the importance o -The status of an investigation into a finding. Tracked using the `Workflow.Status` attribute. +The status of an investigation into a finding. This is tracked using the `Workflow.Status` attribute. @@ -199 +186 @@ By default, most finding lists only include findings with a workflow status of ` -For the [`GetFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation, you can include a filter for the workflow status. +For the [GetFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation, you can include a filter for the workflow status. @@ -209 +196 @@ For the [`GetFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference -The Security Hub CSPM console provides an option to set the workflow status for findings. Customers (or SIEM, ticketing, incident management, or SOAR tools working on behalf of a customer to update findings from finding providers) can also use [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) to update the workflow status. +The Security Hub CSPM console provides an option to set the workflow status for findings. Customers (or SIEM, ticketing, incident management, or SOAR tools working on behalf of a customer to update findings from finding providers) can also use [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) to update the workflow status.