AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-22 · Documentation low

File: securityhub/latest/userguide/securityhub-data-retention.md

Summary

Clarified retention periods for Security Hub CSPM findings (30 days for archived, 90 days for active), added guidance about central configuration dependencies, and streamlined account closure/suspension impacts.

Security assessment

The changes refine data retention policies and operational procedures for Security Hub CSPM, but there is no evidence of addressing a specific security vulnerability. The updates improve clarity about how long security findings are retained and how to export them for long-term storage, which relates to security best practices but does not indicate a patched vulnerability.

Diff

diff --git a/securityhub/latest/userguide/securityhub-data-retention.md b/securityhub/latest/userguide/securityhub-data-retention.md
index d48d98f99..9aa9e199b 100644
--- a//securityhub/latest/userguide/securityhub-data-retention.md
+++ b//securityhub/latest/userguide/securityhub-data-retention.md
@@ -13 +13 @@ These account actions have the following effects on AWS Security Hub Cloud Secur
-If you use [central configuration](./central-configuration-intro.html), the delegated administrator (DA) can create Security Hub CSPM configuration policies that disable AWS Security Hub Cloud Security Posture Management (CSPM) in specific accounts and organizational units (OUs). In this case, Security Hub CSPM is disabled in the specified accounts and OUs in your home Region and any linked Regions.
+If you use [central configuration](./central-configuration-intro.html), the delegated administrator (DA) can create Security Hub CSPM configuration policies that disable AWS Security Hub Cloud Security Posture Management (CSPM) in specific accounts and organizational units (OUs). In this case, Security Hub CSPM is disabled in the specified accounts and OUs in your home Region and any linked Regions. If you don't use central configuration, you must disable Security Hub CSPM separately in each account and Region where you enabled it. You can't use central configuration if Security Hub CSPM is disabled in the DA account.
@@ -15,3 +15 @@ If you use [central configuration](./central-configuration-intro.html), the dele
-If don't use central configuration, you must disable Security Hub CSPM separately in each account and Region where you enabled it.
-
-No new findings are generated for the administrator account if Security Hub CSPM is disabled in the administrator account. You also can't use central configuration if Security Hub CSPM is disabled in the DA account. Existing findings are deleted after 90 days.
+No findings are generated for the administrator account if Security Hub CSPM is disabled in the administrator account. Existing archived findings are deleted after 30 days. Existing active findings are deleted after 90 days.
@@ -23 +21 @@ Enabled security standards and controls are disabled.
-Other Security Hub CSPM data and settings, including custom actions, insights, and subscriptions to third-party products are retained.
+Other Security Hub CSPM data and settings, including custom actions, insights, and subscriptions to third-party products are retained for 90 days.
@@ -45 +43 @@ In the **Accounts** list for the Security Hub CSPM administrator account, a remo
-When an account is suspended in AWS, the account loses permission to view their findings in Security Hub CSPM. No new findings are generated for that account. The administrator account for a suspended account can view the existing account findings.
+When an AWS account is suspended, the account loses permission to view their findings in Security Hub CSPM. No findings are generated for that account. The administrator account for a suspended account can view existing findings for the account.
@@ -57,7 +55 @@ When an AWS account is closed, Security Hub CSPM responds to the closure as foll
-Security Hub CSPM retains each existing finding in the account for 90 days after the most recent value of the `UpdatedAt` ASFF field. The finding is retained for 90 days after this date even if Security Hub CSPM is disabled. At the end of this 90 day period, Security Hub CSPM permanently deletes the finding from the account.
-
-  * To retain findings for more than 90 days, you can use a custom action with an Amazon EventBridge rule to store the findings in an Amazon S3 bucket. Then, when you reopen the closed account, Security Hub CSPM restores the findings for the account.
-
-  * If the account is a Security Hub CSPM administrator account, it is removed as an administrator and all the member accounts are removed. If the account is a member account, it is disassociated and removed as a member from the Security Hub CSPM administrator account.
-
-  * For more information, see [Closing an account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the _AWS Billing and Cost Management User Guide_.
+If the account is a Security Hub CSPM administrator account, it is removed as an administrator account and all the member accounts are removed. If the account is a member account, it is disassociated and removed as a member from the Security Hub CSPM administrator account.
@@ -64,0 +57 @@ Security Hub CSPM retains each existing finding in the account for 90 days after
+Security Hub CSPM retains existing archived findings in the account for 30 days. For a control finding, the calculation of 30 days is based on the value for the `UpdatedAt` field of the finding. For another type of finding, the calculation is based on the value for the `UpdatedAt` or `ProcessedAt` field of the finding, whichever date is latest. At the end of this 30-day period, Security Hub CSPM permanently deletes the finding from the account.
@@ -65,0 +59 @@ Security Hub CSPM retains each existing finding in the account for 90 days after
+Security Hub CSPM retains existing active findings in the account for 90 days. For a control finding, the calculation of 90 days is based on the value for the `UpdatedAt` field of the finding. For another type of finding, the calculation is based on the value for the `UpdatedAt` or `ProcessedAt` field of the finding, whichever date is latest. At the end of this 90-day period, Security Hub CSPM permanently deletes the finding from the account.
@@ -66,0 +61 @@ Security Hub CSPM retains each existing finding in the account for 90 days after
+For longer-term retention of existing findings, you can export the findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](./securityhub-cloudwatch-events.html).
@@ -70,5 +65 @@ Security Hub CSPM retains each existing finding in the account for 90 days after
-For customers in the AWS GovCloud (US) Regions: 
-
-  * Before closing your account, back up and then delete your policy data and other account resources. You will no longer have access to them after you close the account. 
-
-
+For customers in AWS GovCloud (US) Regions, back up and then delete your policy data and other account resources before you close your account. You won't have access to the resources and data after you close your account.
@@ -75,0 +67 @@ For customers in the AWS GovCloud (US) Regions:
+For more information, see [Close an AWS account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the _AWS Account Management Reference Guide_.