AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-07-25 · Documentation low

File: securityhub/latest/userguide/ec2-controls.md

Summary

Updated EC2.173 control title and description to clarify it applies specifically to Spot Fleet requests with launch parameters, added notes about scope limitations and title change history

Security assessment

The change clarifies existing security documentation about EBS encryption requirements but does not address a new vulnerability. It adds specificity about control scope (launch parameters vs templates) which improves security posture awareness but doesn't directly fix a security issue. The core security recommendation (enabling EBS encryption) was already present.

Diff

diff --git a/securityhub/latest/userguide/ec2-controls.md b/securityhub/latest/userguide/ec2-controls.md
index d89793dc1..9a62ede1c 100644
--- a//securityhub/latest/userguide/ec2-controls.md
+++ b//securityhub/latest/userguide/ec2-controls.md
@@ -5 +5 @@
-[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC default security groups should not allow inbound or outbound traffic[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped EC2 instances should be removed after a specified time period[EC2.6] VPC flow logging should be enabled in all VPCs[EC2.7] EBS default encryption should be enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4 address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17] Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports[EC2.19] Security groups should not allow unrestricted access to ports with high risk[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22] Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces[EC2.28] EBS volumes should be covered by a backup plan[EC2.33] EC2 transit gateway attachments should be tagged[EC2.34] EC2 transit gateway route tables should be tagged[EC2.35] EC2 network interfaces should be tagged[EC2.36] EC2 customer gateways should be tagged[EC2.37] EC2 Elastic IP addresses should be tagged[EC2.38] EC2 instances should be tagged[EC2.39] EC2 internet gateways should be tagged[EC2.40] EC2 NAT gateways should be tagged[EC2.41] EC2 network ACLs should be tagged[EC2.42] EC2 route tables should be tagged[EC2.43] EC2 security groups should be tagged[EC2.44] EC2 subnets should be tagged[EC2.45] EC2 volumes should be tagged[EC2.46] Amazon VPCs should be tagged[EC2.47] Amazon VPC endpoint services should be tagged[EC2.48] Amazon VPC flow logs should be tagged[EC2.49] Amazon VPC peering connections should be tagged[EC2.50] EC2 VPN gateways should be tagged[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled[EC2.52] EC2 transit gateways should be tagged[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports[EC2.55] VPCs should be configured with an interface endpoint for ECR API[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)[EC2.171] EC2 VPN connections should have logging enabled[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes[EC2.174] EC2 DHCP option sets should be tagged[EC2.175] EC2 launch templates should be tagged[EC2.176] EC2 prefix lists should be tagged[EC2.177] EC2 traffic mirror sessions should be tagged[EC2.178] EC2 traffic mirror filters should be tagged[EC2.179] EC2 traffic mirror targets should be tagged[EC2.180] EC2 network interfaces should have source/destination checking enabled
+[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC default security groups should not allow inbound or outbound traffic[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped EC2 instances should be removed after a specified time period[EC2.6] VPC flow logging should be enabled in all VPCs[EC2.7] EBS default encryption should be enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4 address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17] Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports[EC2.19] Security groups should not allow unrestricted access to ports with high risk[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22] Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces[EC2.28] EBS volumes should be covered by a backup plan[EC2.33] EC2 transit gateway attachments should be tagged[EC2.34] EC2 transit gateway route tables should be tagged[EC2.35] EC2 network interfaces should be tagged[EC2.36] EC2 customer gateways should be tagged[EC2.37] EC2 Elastic IP addresses should be tagged[EC2.38] EC2 instances should be tagged[EC2.39] EC2 internet gateways should be tagged[EC2.40] EC2 NAT gateways should be tagged[EC2.41] EC2 network ACLs should be tagged[EC2.42] EC2 route tables should be tagged[EC2.43] EC2 security groups should be tagged[EC2.44] EC2 subnets should be tagged[EC2.45] EC2 volumes should be tagged[EC2.46] Amazon VPCs should be tagged[EC2.47] Amazon VPC endpoint services should be tagged[EC2.48] Amazon VPC flow logs should be tagged[EC2.49] Amazon VPC peering connections should be tagged[EC2.50] EC2 VPN gateways should be tagged[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled[EC2.52] EC2 transit gateways should be tagged[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports[EC2.55] VPCs should be configured with an interface endpoint for ECR API[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)[EC2.171] EC2 VPN connections should have logging enabled[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes[EC2.174] EC2 DHCP option sets should be tagged[EC2.175] EC2 launch templates should be tagged[EC2.176] EC2 prefix lists should be tagged[EC2.177] EC2 traffic mirror sessions should be tagged[EC2.178] EC2 traffic mirror filters should be tagged[EC2.179] EC2 traffic mirror targets should be tagged[EC2.180] EC2 network interfaces should have source/destination checking enabled
@@ -1586 +1586 @@ To enable bi-directional BPA at the account level, see [Enable BPA bidirectional
-## [EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes
+## [EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes
@@ -1600 +1600 @@ To enable bi-directional BPA at the account level, see [Enable BPA bidirectional
-This control checks whether an Amazon EC2 Spot Fleet request enables encryption for all Amazon Elastic Block Store (Amazon EBS) volumes attached to EC2 instances. The control fails if the Spot Fleet request doesn't enable encryption for one or more EBS volumes specified in the request.
+This control checks whether an Amazon EC2 Spot Fleet request that specifies launch parameters is configured to enable encryption for all Amazon Elastic Block Store (Amazon EBS) volumes attached to EC2 instances. The control fails if the Spot Fleet request specifies launch parameters and doesn't enable encryption for one or more EBS volumes specified in the request.
@@ -1603,0 +1604,6 @@ For an additional layer of security, you should enable encryption for Amazon EBS
+###### Notes
+
+This control doesn't generate findings for Amazon EC2 Spot Fleet requests that use launch templates. It also doesn't generate findings for Spot Fleet requests that don't explicitly specify a value for the `encrypted` parameter.
+
+On July 23, 2025, Security Hub changed the title of this control. Previously, the title of this control was: _EC2 Spot Fleet requests should enable encryption for attached EBS volumes_. The new title more accurately reflects that the control only checks Spot Fleet requests that specify launch parameters.
+