AWS securityhub documentation change
Summary
Added multiple security controls to the list of unsupported controls across various AWS regions, including TLS policies, logging requirements, access controls, and lifecycle configurations
Security assessment
The changes document security-related controls (e.g., TLS policies, authentication requirements, logging) that are unavailable in specific regions. While these controls relate to security best practices, the update itself is about regional service availability rather than addressing specific vulnerabilities or security incidents.
Diff
diff --git a/securityhub/latest/userguide/regions-controls.md b/securityhub/latest/userguide/regions-controls.md index 0605ef016..3c213b805 100644 --- a//securityhub/latest/userguide/regions-controls.md +++ b//securityhub/latest/userguide/regions-controls.md @@ -140,0 +141,2 @@ The following controls are not supported in the US East (Ohio) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -233,0 +236,2 @@ The following controls are not supported in the US West (N. California) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -311,0 +316,2 @@ The following controls are not supported in the US West (N. California) Region. + * [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](./redshift-controls.html#redshift-18) + @@ -317,0 +324,2 @@ The following controls are not supported in the US West (N. California) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -364,0 +373,2 @@ The following controls are not supported in the US West (Oregon) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -425,0 +436,2 @@ The following controls are not supported in the Africa (Cape Town) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -545,0 +558,2 @@ The following controls are not supported in the Africa (Cape Town) Region. + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + @@ -571,0 +586,2 @@ The following controls are not supported in the Africa (Cape Town) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -622,0 +639,2 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -702,0 +721,2 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region. + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + @@ -716,0 +737,2 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -793,0 +816,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -805,0 +830,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](./cognito-controls.html#cognito-2) + @@ -871,0 +898,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[EC2.180] EC2 network interfaces should have source/destination checking enabled](./ec2-controls.html#ec2-180) + @@ -881,0 +910,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](./elb-controls.html#elb-18) + @@ -1001,0 +1032,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](./lambda-controls.html#lambda-7) + @@ -1017,0 +1050,6 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[MSK.4] MSK clusters should have public access disabled](./msk-controls.html#msk-4) + + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + + * [[MSK.6] MSK clusters should disable unauthenticated access](./msk-controls.html#msk-6) + @@ -1071,0 +1110,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](./redshift-controls.html#redshift-18) + @@ -1093,0 +1134,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -1117,0 +1160,4 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region. + * [[SSM.6] SSM Automation should have CloudWatch logging enabled](./ssm-controls.html#ssm-6) + + * [[SSM.7] SSM documents should have the block public sharing setting enabled](./ssm-controls.html#ssm-7) + @@ -1194,0 +1241,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -1284,0 +1333,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region. + * [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](./elb-controls.html#elb-18) + @@ -1370,0 +1421,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region. + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + @@ -1410,0 +1463,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -1541,0 +1596,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -1567,0 +1624,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](./cognito-controls.html#cognito-2) + @@ -1679,0 +1738,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[EC2.180] EC2 network interfaces should have source/destination checking enabled](./ec2-controls.html#ec2-180) + @@ -1743,0 +1804,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](./elb-controls.html#elb-18) + @@ -1957,0 +2020,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](./lambda-controls.html#lambda-7) + @@ -1977,0 +2042,6 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[MSK.4] MSK clusters should have public access disabled](./msk-controls.html#msk-4) + + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + + * [[MSK.6] MSK clusters should disable unauthenticated access](./msk-controls.html#msk-6) + @@ -2071,0 +2142,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](./rds-controls.html#rds-45) + @@ -2099,0 +2172,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](./redshift-controls.html#redshift-18) + @@ -2137,0 +2212,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -2173,0 +2250,4 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region. + * [[SSM.6] SSM Automation should have CloudWatch logging enabled](./ssm-controls.html#ssm-6) + + * [[SSM.7] SSM documents should have the block public sharing setting enabled](./ssm-controls.html#ssm-7) + @@ -2276,0 +2357,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -2376,0 +2459,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region. + * [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](./elb-controls.html#elb-18) + @@ -2536,0 +2621,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region. + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + @@ -2610,0 +2697,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -2638,0 +2727,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region. + * [[SSM.7] SSM documents should have the block public sharing setting enabled](./ssm-controls.html#ssm-7) + @@ -2693,0 +2784,2 @@ The following controls are not supported in the Asia Pacific (Mumbai) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -2792,0 +2885,2 @@ The following controls are not supported in the Asia Pacific (Osaka) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -2948,0 +3043,2 @@ The following controls are not supported in the Asia Pacific (Osaka) Region. + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + @@ -2970,0 +3067,2 @@ The following controls are not supported in the Asia Pacific (Osaka) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -3031,0 +3130,2 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -3037,0 +3138,2 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](./cognito-controls.html#cognito-2) + @@ -3045,0 +3148,2 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[EC2.180] EC2 network interfaces should have source/destination checking enabled](./ec2-controls.html#ec2-180) + @@ -3047,0 +3152,2 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](./elb-controls.html#elb-18) + @@ -3071,0 +3178,8 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](./lambda-controls.html#lambda-7) + + * [[MSK.4] MSK clusters should have public access disabled](./msk-controls.html#msk-4) + + * [[MSK.5] MSK connectors should have logging enabled](./msk-controls.html#msk-5) + + * [[MSK.6] MSK clusters should disable unauthenticated access](./msk-controls.html#msk-6) + @@ -3073,0 +3188,2 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](./redshift-controls.html#redshift-18) + @@ -3079,0 +3196,6 @@ The following controls are not supported in the Asia Pacific (Seoul) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + + * [[SSM.6] SSM Automation should have CloudWatch logging enabled](./ssm-controls.html#ssm-6) + + * [[SSM.7] SSM documents should have the block public sharing setting enabled](./ssm-controls.html#ssm-7) + @@ -3122,0 +3245,2 @@ The following controls are not supported in the Asia Pacific (Singapore) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -3148,0 +3273,2 @@ The following controls are not supported in the Asia Pacific (Singapore) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -3191,0 +3318,2 @@ The following controls are not supported in the Asia Pacific (Sydney) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -3211,0 +3340,2 @@ The following controls are not supported in the Asia Pacific (Sydney) Region. + * [[S3.25] S3 directory buckets should have lifecycle configurations](./s3-controls.html#s3-25) + @@ -3332,0 +3463,2 @@ The following controls are not supported in the Asia Pacific (Thailand) Region. + * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15) + @@ -3360,0 +3493,2 @@ The following controls are not supported in the Asia Pacific (Thailand) Region. + * [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](./cognito-controls.html#cognito-2) + @@ -3506,0 +3641,2 @@ The following controls are not supported in the Asia Pacific (Thailand) Region. + * [[EC2.180] EC2 network interfaces should have source/destination checking enabled](./ec2-controls.html#ec2-180) + @@ -3580,0 +3717,2 @@ The following controls are not supported in the Asia Pacific (Thailand) Region. + * [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](./elb-controls.html#elb-18) +