AWS securityhub documentation change
Summary
Updated documentation to clarify finding sources, added details about automatic deletion of stale findings (90 days for active, 30 days for archived), and expanded retention policy explanations. Added guidance for exporting findings to S3 for long-term retention.
Security assessment
The changes introduce explicit retention policies and data lifecycle management for security findings, which are security best practices. However, there's no evidence this addresses a specific disclosed vulnerability. The additions explain security-related functionality (data retention/archival) but do not indicate a patched issue.
Diff
diff --git a/securityhub/latest/userguide/securityhub-findings.md b/securityhub/latest/userguide/securityhub-findings.md index 86a66778c..f77583171 100644 --- a//securityhub/latest/userguide/securityhub-findings.md +++ b//securityhub/latest/userguide/securityhub-findings.md @@ -7 +7 @@ -In AWS Security Hub Cloud Security Posture Management (CSPM), a _finding_ is an observable record of a security check or security-related detection. +In AWS Security Hub Cloud Security Posture Management (CSPM), a _finding_ is an observable record of a security check or security-related detection. A finding can originate from one of the following sources: @@ -9 +9 @@ In AWS Security Hub Cloud Security Posture Management (CSPM), a _finding_ is an -A finding can originate from one of the following sources in Security Hub CSPM: + * A security check for a control in Security Hub CSPM. @@ -11 +11 @@ A finding can originate from one of the following sources in Security Hub CSPM: - * Security check of an enabled control in Security Hub CSPM + * An integration with another AWS service. @@ -13 +13 @@ A finding can originate from one of the following sources in Security Hub CSPM: - * An enabled integration with another AWS service + * An integration with a third-party product. @@ -15 +15 @@ A finding can originate from one of the following sources in Security Hub CSPM: - * An enabled integration with a third-party product + * A custom integration. @@ -17 +16,0 @@ A finding can originate from one of the following sources in Security Hub CSPM: - * A custom integration @@ -20,0 +20 @@ A finding can originate from one of the following sources in Security Hub CSPM: +Security Hub CSPM normalizes findings from all sources into a standard syntax and format called the _AWS Security Finding Format (ASFF)_. For detailed information about this format, including descriptions of individual ASFF fields, see [AWS Security Finding Format (ASFF)](./securityhub-findings-format.html). If you enable cross-Region aggregation, Security Hub CSPM also aggregates new and updated findings automatically from all linked Regions to an aggregation Region that you specify. For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html). @@ -22 +22 @@ A finding can originate from one of the following sources in Security Hub CSPM: -After a finding is created, the finding provider or a Security Hub CSPM user can update it as follows: +After a finding is created, it can be updated as follows: @@ -24 +24 @@ After a finding is created, the finding provider or a Security Hub CSPM user can - * The finding provider can use the [BatchImportFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to update the general information about a finding. Finding providers can only update findings that they created. + * A finding provider can use the [BatchImportFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to update general information about the finding. Finding providers can only update findings that they created. @@ -26 +26 @@ After a finding is created, the finding provider or a Security Hub CSPM user can - * The customer can use the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation of the Security Hub CSPM API to update the status of the investigation into a finding. `BatchUpdateFindings` can also be used by a ticketing, incident management, orchestration, remediation, or SIEM tool on behalf of the customer. + * A customer can use the Security Hub CSPM console or the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation of the Security Hub CSPM API to update the status of the investigation into the finding. The `BatchUpdateFindings` operation can also be used by a SIEM, ticketing, incident management, SOAR, or other type of tool on behalf of a customer. @@ -28 +27,0 @@ After a finding is created, the finding provider or a Security Hub CSPM user can -Customers can also update findings on the Security Hub CSPM console. @@ -31,0 +31,32 @@ Customers can also update findings on the Security Hub CSPM console. +To reduce finding noise and streamline tracking and analysis of individual findings, Security Hub CSPM automatically deletes findings that haven't been updated recently. The timing with which Security Hub CSPM does this depends on whether a finding is active or archived: + + * An _active finding_ is a finding whose record state (`RecordState`) is `ACTIVE`. Security Hub CSPM stores active findings for 90 days. If an active finding hasn't been updated for 90 days, it expires and Security Hub CSPM permanently deletes it. + + * An _archived finding_ is a finding whose record state (`RecordState`) is `ARCHIVED`. Security Hub CSPM stores archived findings for 30 days. If an archived finding hasn't been updated for 30 days, it expires and Security Hub CSPM permanently deletes it. + + + + +For control findings, which are findings that Security Hub CSPM generates from security checks for controls, Security Hub CSPM determines whether a finding has expired based on the value for the `UpdatedAt` field of the finding. If this value was more than 90 days ago for an active finding, Security Hub CSPM permanently deletes the finding. If this value was more than 30 days ago for an archived finding, Security Hub CSPM permanently deletes the finding. + +For all other types of findings, Security Hub CSPM determines whether a finding has expired based on the values for the `ProcessedAt` and `UpdatedAt` fields of the finding. Security Hub CSPM compares the values for these fields and determines which is more recent. If the more recent value was more than 90 days ago for an active finding, Security Hub CSPM permanently deletes the finding. If the more recent value was more than 30 days ago for an archived finding, Security Hub CSPM permanently deletes the finding. Finding providers can change the value for the `UpdatedAt` field of one or more findings by using the [BatchImportFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API. + +For longer-term retention of findings, you can export findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](./securityhub-cloudwatch-events.html). + +###### Topics + + * [BatchImportFindings for finding providers](./finding-update-batchimportfindings.html) + + * [BatchUpdateFindings for customers](./finding-update-batchupdatefindings.html) + + * [Reviewing finding details and history in Security Hub CSPM](./securityhub-findings-viewing.html) + + * [Filtering findings in Security Hub CSPM](./securityhub-findings-manage.html) + + * [Grouping findings in Security Hub CSPM](./finding-list-grouping.html) + + * [Setting the workflow status of findings in Security Hub CSPM](./findings-workflow-status.html) + + * [Sending findings to a custom Security Hub CSPM action](./findings-custom-action.html) + + * [AWS Security Finding Format (ASFF)](./securityhub-findings-format.html) @@ -33 +63,0 @@ Customers can also update findings on the Security Hub CSPM console. -Security Hub CSPM normalizes findings from all sources into a standard syntax and format called the AWS Security Finding Format (ASFF). For more information about ASFF, see [AWS Security Finding Format (ASFF)](./securityhub-findings-format.html). @@ -35 +64,0 @@ Security Hub CSPM normalizes findings from all sources into a standard syntax an -Security Hub CSPM automatically deletes findings that weren't updated in the past 90 days. Specifically, Security Hub CSPM retains an existing finding in an account for 90 days after the most recent value of the `UpdatedAt` ASFF field. The finding is retained for 90 days after this date even if Security Hub CSPM is disabled. At the end of this 90 day period, Security Hub CSPM permanently deletes the finding from the account. Finding providers can change the value of the `UpdatedAt` field by using the [BatchImportFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to update a finding. @@ -37 +65,0 @@ Security Hub CSPM automatically deletes findings that weren't updated in the pas -If you enable cross-Region aggregation, then Security Hub CSPM automatically aggregates new and updated findings from the linked Regions to the aggregation Region. For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](./finding-aggregation.html).