AWS securityhub documentation change
Summary
Clarified timing expectations for Security Hub CSPM findings generation and improved control reference linking (added KMS.4 hyperlink). Minor wording improvements for precision ('specifies' instead of 'includes').
Security assessment
Changes are documentation clarifications about operational timing and control reference formatting. No evidence of addressing vulnerabilities or security incidents. The updates improve clarity but don't introduce new security features or address specific security weaknesses.
Diff
diff --git a/securityhub/latest/userguide/securityhub-standards-schedule.md b/securityhub/latest/userguide/securityhub-standards-schedule.md index bff885a0a..c25aea5aa 100644 --- a//securityhub/latest/userguide/securityhub-standards-schedule.md +++ b//securityhub/latest/userguide/securityhub-standards-schedule.md @@ -11 +11 @@ After you enable a security standard, AWS Security Hub Cloud Security Posture Ma -When you enable a new standard, Security Hub CSPM may take up to 24 hours to generate findings for controls that use the same underlying AWS Config service-linked rule as enabled controls from other enabled standards. For example, if you enable [Lambda.1](./lambda-controls.html#lambda-1) in the AWS Foundational Security Best Practices (FSBP) standard, Security Hub CSPM will create the service-linked rule and typically generate findings in minutes. After this, if you enable Lambda.1 in the Payment Card Industry Data Security Standard (PCI DSS), Security Hub CSPM may take up to 24 hours to generate findings for this control because it uses the same service-linked rule as Lambda.1. +When you enable a new standard, it might take up to 24 hours for Security Hub CSPM to generate findings for controls that use the same underlying AWS Config service-linked rule as enabled controls from other enabled standards. For example, if you enable the [Lambda.1](./lambda-controls.html#lambda-1) control in the AWS Foundational Security Best Practices (FSBP) standard, Security Hub CSPM creates the service-linked rule and typically generates findings within minutes. After this, if you enable the Lambda.1 control in the Payment Card Industry Data Security Standard (PCI DSS), it might take up to 24 hours for Security Hub CSPM to generate findings for the control because it uses the same service-linked rule. @@ -13 +13 @@ When you enable a new standard, Security Hub CSPM may take up to 24 hours to gen -After the initial check, the schedule for each control can be either periodic or change triggered. For a control that is based on a managed AWS Config rule, the control description includes a link to the rule description in the _AWS Config Developer Guide_. That description includes whether the rule is change triggered or periodic. +After the initial check, the schedule for each control can be either periodic or change triggered. For a control that is based on a managed AWS Config rule, the control description includes a link to the rule description in the _AWS Config Developer Guide_. That description specifies whether the rule is change triggered or periodic. @@ -19 +19 @@ Periodic security checks run automatically within 12 or 24 hours after the most -If you update the workflow status of a periodic control finding, and then in the next check the compliance status of the finding stays the same, the workflow status remains in its modified state. For example, if you have a failed finding for **KMS.4 - AWS KMS key rotation should be enabled** , and then remediate the finding, Security Hub CSPM changes the workflow status from `NEW` to `RESOLVED`. If you disable KMS key rotation before the next periodic check, the workflow status of the finding remains `RESOLVED`. +If you update the workflow status of a periodic control finding, and then in the next check the compliance status of the finding stays the same, the workflow status remains in its modified state. For example, if you have a failed finding for the [KMS.4](./kms-controls.html#kms-4) control (_AWS KMS key rotation should be enabled_), and then remediate the finding, Security Hub CSPM changes the workflow status from `NEW` to `RESOLVED`. If you disable KMS key rotation before the next periodic check, the workflow status of the finding remains `RESOLVED`.