AWS securityhub documentation change
Summary
Added multiple new security controls (CloudFront.15, Cognito.2, EC2.180, ELB.18, MSK.4-6, RDS.45, Redshift.18, S3.25, SSM.6-7) related to encryption, access management, logging, and compliance standards. Updated existing control descriptions and standards references.
Security assessment
The changes document new security best practice controls such as disabling public access (MSK.4), enforcing TLS policies (CloudFront.15), and blocking unauthenticated identities (Cognito.2). These are preventive security measures rather than fixes for disclosed vulnerabilities. No evidence of addressing specific exploits or incidents.
Diff
diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md index a3036939f..b1e1584fa 100644 --- a//securityhub/latest/userguide/securityhub-controls-reference.md +++ b//securityhub/latest/userguide/securityhub-controls-reference.md @@ -7 +7,3 @@ -This control reference provides a list of available AWS Security Hub Cloud Security Posture Management (CSPM) controls with links to more information about each control. The overview table displays the controls in alphabetical order by control ID. Only controls in active use by Security Hub CSPM are included here. Retired controls are excluded from this list. The table provides the following information for each control: +This control reference provides a table of available AWS Security Hub Cloud Security Posture Management (CSPM) controls with links to more information about each control. In the table, controls are listed in alphabetical order by control ID. Only controls in active use by Security Hub CSPM are included here. Retired controls are excluded from the table. + +The table provides the following information for each control: @@ -15,2 +16,0 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Applicable standards** – Indicates which standards a control applies to. Choose a control to review specific requirements from third-party compliance frameworks. - @@ -19 +19 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Severity** – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub CSPM determines control severity, see [Severity levels for control findings](./controls-findings-create-update.html#control-findings-severity). + * **Applicable standards** – Indicates which standards a control applies to. Choose a control to review specific requirements from third-party compliance frameworks. @@ -21 +21 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Schedule type** – Indicates when the control is evaluated. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html). + * **Severity** – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub CSPM determines control severity, see [Severity levels for control findings](./controls-findings-create-update.html#control-findings-severity). @@ -24,0 +25,2 @@ Control IDs may skip numbers. These are placeholders for future controls. + * **Schedule type** – Indicates when the control is evaluated. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html). + @@ -89,0 +92 @@ Security control ID | Security control title | Applicable standards | Severity | +[CloudFront.15](./cloudfront-controls.html#cloudfront-15) | CloudFront distributions should use the recommended TLS security policy | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered @@ -124,0 +128 @@ Security control ID | Security control title | Applicable standards | Severity | +[Cognito.2](./cognito-controls.html#cognito-2) | Cognito identity pools should not allow unauthenticated identities | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -218 +222,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECR.1](./ecr-controls.html#ecr-1) | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Periodic +[EC2.180](./ec2-controls.html#ec2-180) | EC2 network interfaces should have source/destination checking enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered +[ECR.1](./ecr-controls.html#ecr-1) | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Periodic @@ -275 +280,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.17](./elb-controls.html#elb-17) | Application and Network Load Balancers with listeners should use recommended security policies | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.17](./elb-controls.html#elb-17) | Application and Network Load Balancers with listeners should use recommended security policies | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.18](./elb-controls.html#elb-18) | Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered @@ -386,0 +393 @@ Security control ID | Security control title | Applicable standards | Severity | +[Lambda.7](./lambda-controls.html#lambda-7) | Lambda functions should have AWS X-Ray active tracing enabled | NIST SP 800-53 Rev. 5 | LOW | No | Change triggered @@ -391 +398,4 @@ Security control ID | Security control title | Applicable standards | Severity | -[MSK.3](./msk-controls.html#msk-3) | MSK Connect connectors should be encrypted in transit | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | N | Change triggered +[MSK.3](./msk-controls.html#msk-3) | MSK Connect connectors should be encrypted in transit | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[MSK.4](./msk-controls.html#msk-4) | MSK clusters should have public access disabled | AWS Foundational Security Best Practices | CRITICAL | No | Change triggered +[MSK.5](./msk-controls.html#msk-5) | MSK connectors should have logging enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[MSK.6](./msk-controls.html#msk-6) | MSK clusters should disable unauthenticated access | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -471,0 +482 @@ Security control ID | Security control title | Applicable standards | Severity | +[RDS.45](./rds-controls.html#rds-45) | Aurora MySQL DB clusters should have audit logging enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic @@ -487,0 +499 @@ Security control ID | Security control title | Applicable standards | Severity | +[Redshift.18](./redshift-controls.html#redshift-18) | Redshift clusters should have Multi-AZ deployments enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -516,0 +529 @@ Security control ID | Security control title | Applicable standards | Severity | +[S3.25](./s3-controls.html#s3-25) | S3 directory buckets should have lifecycle configurations | AWS Foundational Security Best Practices | LOW | Yes | Change triggered @@ -540,2 +553,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[SSM.2](./ssm-controls.html#ssm-2) | EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered -[SSM.3](./ssm-controls.html#ssm-3) | EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | LOW | No | Change triggered +[SSM.2](./ssm-controls.html#ssm-2) | EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[SSM.3](./ssm-controls.html#ssm-3) | EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | LOW | No | Change triggered @@ -544 +557,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[StepFunctions.1](./stepfunctions-controls.html#stepfunctions-1) | Step Functions state machines should have logging turned on | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | Yes | Change triggered +[SSM.6](./ssm-controls.html#ssm-6) | SSM Automation should have CloudWatch logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Periodic +[SSM.7](./ssm-controls.html#ssm-7) | SSM documents should have the block public sharing setting enabled | AWS Foundational Security Best Practices v1.0.0 | CRITICAL | No | Periodic +[StepFunctions.1](./stepfunctions-controls.html#stepfunctions-1) | Step Functions state machines should have logging turned on | AWS Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 | MEDIUM | Yes | Change triggered