AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-22 · Documentation low

File: securityhub/latest/userguide/securityhub-disable.md

Summary

Updated documentation for disabling Security Hub CSPM, including changes to data retention periods (30 days for archived findings vs 90 days for active findings), API references, console steps, and clarifications on re-enabling behavior.

Security assessment

The changes primarily clarify operational procedures and data retention timelines but do not address a specific security vulnerability or weakness. The reduction from 90 to 30 days for archived findings deletion is a policy change, not a security fix. No evidence of a disclosed security incident or vulnerability mitigation is present.

Diff

diff --git a/securityhub/latest/userguide/securityhub-disable.md b/securityhub/latest/userguide/securityhub-disable.md
index b3cc24a3d..c881b2312 100644
--- a//securityhub/latest/userguide/securityhub-disable.md
+++ b//securityhub/latest/userguide/securityhub-disable.md
@@ -7 +7 @@
-You can disable AWS Security Hub Cloud Security Posture Management (CSPM) by using the Security Hub CSPM console or the Security Hub CSPM API. If you disable Security Hub CSPM, you can enable it again later.
+You can disable AWS Security Hub Cloud Security Posture Management (CSPM) by using the Security Hub CSPM console or the Security Hub API. If you disable Security Hub CSPM, you can enable it again later.
@@ -9 +9 @@ You can disable AWS Security Hub Cloud Security Posture Management (CSPM) by usi
-If your organization uses central configuration, the delegated AWS Security Hub Cloud Security Posture Management (CSPM) administrator can create configuration policies that disable Security Hub CSPM for specific accounts and organizational units (OUs), and keep Security Hub CSPM enabled for others. Configuration policies affect the home Region and all linked Regions. For more information, see [Understanding central configuration in Security Hub CSPM](./central-configuration-intro.html).
+If your organization uses central configuration, the delegated Security Hub CSPM administrator can create configuration policies that disable Security Hub CSPM for specific accounts and organizational units (OUs), and keep Security Hub CSPM enabled for others. Configuration policies affect the home Region and all linked Regions. For more information, see [Understanding central configuration in Security Hub CSPM](./central-configuration-intro.html).
@@ -13 +13 @@ If you disable Security Hub CSPM for an account, the following occurs:
-  * Any enabled standards and controls are disabled for the account.
+  * All standards and controls are disabled for the account.
@@ -17 +17 @@ If you disable Security Hub CSPM for an account, the following occurs:
-  * After 90 days, Security Hub CSPM permanently deletes all existing findings for the account. The findings cannot be recovered by using Security Hub CSPM.
+  * After 30 days, Security Hub CSPM permanently deletes all existing archived findings for the account. The findings cannot be recovered by using Security Hub CSPM.
@@ -19 +19 @@ If you disable Security Hub CSPM for an account, the following occurs:
-  * After 90 days, Security Hub CSPM permanently deletes existing insights and Security Hub CSPM configuration settings for the account. The data and settings cannot be recovered.
+  * After 90 days, Security Hub CSPM permanently deletes all existing active findings for the account. The findings cannot be recovered by using Security Hub CSPM.
@@ -20,0 +21 @@ If you disable Security Hub CSPM for an account, the following occurs:
+  * After 90 days, Security Hub CSPM permanently deletes all existing insights and Security Hub CSPM configuration settings for the account. The data and settings cannot be recovered.
@@ -24 +24,0 @@ If you disable Security Hub CSPM for an account, the following occurs:
-To retain existing findings for more than 90 days, you can use a custom action with an Amazon EventBridge rule to export the findings to an S3 bucket before you disable Security Hub CSPM. For more information, see [Using EventBridge for automated response and remediation](./securityhub-cloudwatch-events.html).
@@ -26 +26 @@ To retain existing findings for more than 90 days, you can use a custom action w
-If you re-enable Security Hub CSPM within 90 days of disabling it for an account, you regain access to existing findings, insights, and Security Hub CSPM configuration settings for the account. However, existing findings might be inaccurate because they will reflect the state of your AWS environment when you disabled Security Hub CSPM. In addition, as you re-enable individual standards and controls, Security Hub CSPM might initially generate duplicate findings for specific AWS resources, depending on the standards and controls that you enable. For these reasons, we recommend that you do one of the following:
+To retain existing findings, you can export the findings to an S3 bucket before you disable Security Hub CSPM. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](./securityhub-cloudwatch-events.html).
@@ -28 +28 @@ If you re-enable Security Hub CSPM within 90 days of disabling it for an account
-  * Change the workflow status of all existing findings to `RESOLVED` before you disable Security Hub CSPM. For more information, see [](./findings-workflow-status.html).
+If you re-enable Security Hub CSPM within 90 days of disabling it for an account, you regain access to existing active findings, as well as insights and Security Hub CSPM configuration settings for the account. If you re-enable Security Hub CSPM within 30 days, you also regain access to existing archived findings for the account. However, existing findings might be inaccurate because they will reflect the state of your AWS environment when you disabled Security Hub CSPM. In addition, as you re-enable individual standards and controls, Security Hub CSPM might initially generate duplicate findings for specific AWS resources, depending on the standards and controls that you enable. For these reasons, we recommend that you do one of the following:
@@ -30 +30,3 @@ If you re-enable Security Hub CSPM within 90 days of disabling it for an account
-  * Disable all standards at least six days before you disable Security Hub CSPM. Security Hub CSPM then archives all existing findings on a best-effort basis, typically within three to five days. For more information, see [Disabling a standard](./disable-standards.html).
+  * Change the workflow status of all existing findings to `RESOLVED` before you disable Security Hub CSPM. For more information, see [Setting the workflow status of findings in Security Hub CSPM](./findings-workflow-status.html).
+
+  * Disable all standards at least six days before you disable Security Hub CSPM. Security Hub CSPM then archives all existing findings on a best-effort basis, typically within three to five days. For more information, see [Disabling a security standard](./disable-standards.html).
@@ -37 +39 @@ You can't disable Security Hub CSPM in the following cases:
-  * Your account is the delegated Security Hub CSPM administrator account for an organization. If you use central configuration, you can't associate a configuration policy that disables Security Hub CSPM for the delegated administrator account. The association can succeed for other accounts, but Security Hub CSPM doesn't apply such a policy to the delegated administrator account.
+  * Your account is the delegated Security Hub CSPM administrator account for an organization. If you use central configuration, you can't associate a configuration policy that disables Security Hub CSPM for the delegated administrator account. The association can succeed for other accounts, but Security Hub CSPM doesn't apply the policy to the delegated administrator account.
@@ -44 +46 @@ You can't disable Security Hub CSPM in the following cases:
-Before the owner of a member account can disable Security Hub CSPM, the account must be disassociated from its administrator account. For an organization account, only the administrator account can disassociate member accounts. For more information, see [Disassociating Security Hub CSPM member accounts from your organization](./accounts-orgs-disassociate.html). For manually invited accounts, either the administrator account or the member account can disassociate the member account. For more information, see [Disassociating member accounts in Security Hub CSPM](./securityhub-disassociate-members.html) or [Disassociating from a Security Hub CSPM administrator account](./securityhub-disassociate-from-admin.html). Disassociation isn't required if you use central configuration because the Security Hub CSPM administrator can create a policy that disables Security Hub CSPM for specific member accounts.
+Before the owner of a member account can disable Security Hub CSPM, the account must disassociate from its administrator account. For an organization account, only the administrator account can disassociate a member account. For more information, see [Disassociating Security Hub CSPM member accounts from your organization](./accounts-orgs-disassociate.html). For a manually invited account, either the administrator account or the member account can disassociate the account. For more information, see [Disassociating member accounts in Security Hub CSPM](./securityhub-disassociate-members.html) or [Disassociating from a Security Hub CSPM administrator account](./securityhub-disassociate-from-admin.html). Disassociation isn't required if you use central configuration because the Security Hub CSPM administrator can create a policy that disables Security Hub CSPM for specific member accounts.
@@ -46 +48 @@ Before the owner of a member account can disable Security Hub CSPM, the account
-When you disable Security Hub CSPM for an account, it is disabled only in the current Region. However, if you use central configuration to disable Security Hub CSPM for specific accounts, it is disabled in the home Region and all linked Regions.
+When you disable Security Hub CSPM for an account, it's disabled only in the current AWS Region. However, if you use central configuration to disable Security Hub CSPM for specific accounts, it's disabled in the home Region and all linked Regions.
@@ -52,0 +55,2 @@ Security Hub CSPM console
+Follow these steps to disable Security Hub CSPM by using the console.
+
@@ -59 +63 @@ Security Hub CSPM console
-  3. In the **Disable AWS Security Hub Cloud Security Posture Management (CSPM)** section, choose **Disable AWS Security Hub Cloud Security Posture Management (CSPM)**.
+  3. In the **Disable Security Hub CSPM** section, choose **Disable Security Hub CSPM**.
@@ -61 +65 @@ Security Hub CSPM console
-  4. When prompted for confirmation, choose **Disable AWS Security Hub Cloud Security Posture Management (CSPM)**.
+  4. When prompted for confirmation, choose **Disable Security Hub CSPM**.
@@ -66 +70 @@ Security Hub CSPM console
-Security Hub CSPM API
+Security Hub API
@@ -69 +73 @@ Security Hub CSPM API
-To disable Security Hub CSPM programmatically, use the [DisableSecurityHub](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html) operation of the Security Hub CSPM API. Or, if you're using the AWS CLI, run the [disable-security-hub](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disable-security-hub.html) command. For example, the following command disables Security Hub CSPM in the current AWS Region:
+To disable Security Hub CSPM programmatically, use the [DisableSecurityHub](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html) operation of the AWS Security Hub API. Or, if you're using the AWS CLI, run the [disable-security-hub](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disable-security-hub.html) command. For example, the following command disables Security Hub CSPM in the current AWS Region: