AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-07-25 · Documentation low

File: securityhub/latest/userguide/regions-controls.md

Summary

Added Asia Pacific (Taipei) region to supported regions list and updated EC2.173 control title to include 'with launch parameters' across multiple regions. Added new section for Asia Pacific (Taipei) listing all unsupported controls.

Security assessment

The changes primarily involve adding a new region (Asia Pacific Taipei) to the documentation and refining control descriptions (EC2.173) for specificity. There is no evidence these changes address active security vulnerabilities or weaknesses. The updates appear to reflect regional service expansion and improved control naming clarity rather than patching security issues.

Diff

diff --git a/securityhub/latest/userguide/regions-controls.md b/securityhub/latest/userguide/regions-controls.md
index 3c213b805..52b065863 100644
--- a//securityhub/latest/userguide/regions-controls.md
+++ b//securityhub/latest/userguide/regions-controls.md
@@ -5 +5 @@
-US East (N. Virginia)US East (Ohio)US West (N. California)US West (Oregon)Africa (Cape Town)Asia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Jakarta)Asia Pacific (Malaysia)Asia Pacific (Melbourne)Asia Pacific (Mumbai)Asia Pacific (Osaka)Asia Pacific (Seoul)Asia Pacific (Singapore)Asia Pacific (Sydney)Asia Pacific (Thailand)Asia Pacific (Tokyo)Canada (Central)Canada West (Calgary)China (Beijing)China (Ningxia)Europe (Frankfurt)Europe (Ireland)Europe (London)Europe (Milan)Europe (Paris)Europe (Spain)Europe (Stockholm)Europe (Zurich)Israel (Tel Aviv)Mexico (Central)Middle East (Bahrain)Middle East (UAE)South America (São Paulo)AWS GovCloud (US-East)AWS GovCloud (US-West)
+US East (N. Virginia)US East (Ohio)US West (N. California)US West (Oregon)Africa (Cape Town)Asia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Jakarta)Asia Pacific (Malaysia)Asia Pacific (Melbourne)Asia Pacific (Mumbai)Asia Pacific (Osaka)Asia Pacific (Seoul)Asia Pacific (Singapore)Asia Pacific (Sydney)Asia Pacific (Taipei)Asia Pacific (Thailand)Asia Pacific (Tokyo)Canada (Central)Canada West (Calgary)China (Beijing)China (Ningxia)Europe (Frankfurt)Europe (Ireland)Europe (London)Europe (Milan)Europe (Paris)Europe (Spain)Europe (Stockholm)Europe (Zurich)Israel (Tel Aviv)Mexico (Central)Middle East (Bahrain)Middle East (UAE)South America (São Paulo)AWS GovCloud (US-East)AWS GovCloud (US-West)
@@ -44,0 +45,2 @@ On the Security Hub CSPM console, a control doesn't appear in the list of contro
+  * Asia Pacific (Taipei)
+
@@ -149 +151 @@ The following controls are not supported in the US East (Ohio) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -260 +262 @@ The following controls are not supported in the US West (N. California) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -375 +377 @@ The following controls are not supported in the US West (Oregon) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -476 +478 @@ The following controls are not supported in the Africa (Cape Town) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -663 +665 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -890 +892 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -1319 +1321 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -1724 +1726 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -2445 +2447 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -2796 +2798 @@ The following controls are not supported in the Asia Pacific (Mumbai) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -2945 +2947 @@ The following controls are not supported in the Asia Pacific (Osaka) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -3146 +3148 @@ The following controls are not supported in the Asia Pacific (Seoul) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -3247 +3249 @@ The following controls are not supported in the Asia Pacific (Singapore) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -3320 +3322 @@ The following controls are not supported in the Asia Pacific (Sydney) Region.
-  * [[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
+  * [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](./ec2-controls.html#ec2-173)
@@ -3352,0 +3355,955 @@ The following controls are not supported in the Asia Pacific (Sydney) Region.
+## Asia Pacific (Taipei)
+
+The following controls are not supported in the Asia Pacific (Taipei) Region.
+
+  * [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](./acm-controls.html#acm-1)
+
+  * [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](./acm-controls.html#acm-2)
+
+  * [[ACM.3] ACM certificates should be tagged](./acm-controls.html#acm-3)
+
+  * [[Account.1] Security contact information should be provided for an AWS account](./account-controls.html#account-1)
+
+  * [[Account.2] AWS accounts should be part of an AWS Organizations organization](./account-controls.html#account-2)
+
+  * [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](./apigateway-controls.html#apigateway-1)
+
+  * [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](./apigateway-controls.html#apigateway-2)
+
+  * [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](./apigateway-controls.html#apigateway-3)
+
+  * [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](./apigateway-controls.html#apigateway-4)
+
+  * [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](./apigateway-controls.html#apigateway-5)
+
+  * [[APIGateway.8] API Gateway routes should specify an authorization type](./apigateway-controls.html#apigateway-8)
+
+  * [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](./apigateway-controls.html#apigateway-9)
+
+  * [[Amplify.1] Amplify apps should be tagged](./amplify-controls.html#amplify-1)
+
+  * [[Amplify.2] Amplify branches should be tagged](./amplify-controls.html#amplify-2)
+
+  * [[AppConfig.1] AWS AppConfig applications should be tagged](./appconfig-controls.html#appconfig-1)
+
+  * [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](./appconfig-controls.html#appconfig-2)
+
+  * [[AppConfig.3] AWS AppConfig environments should be tagged](./appconfig-controls.html#appconfig-3)
+
+  * [[AppConfig.4] AWS AppConfig extension associations should be tagged](./appconfig-controls.html#appconfig-4)
+
+  * [[AppFlow.1] Amazon AppFlow flows should be tagged](./appflow-controls.html#appflow-1)
+
+  * [[AppRunner.1] App Runner services should be tagged](./apprunner-controls.html#apprunner-1)
+
+  * [[AppRunner.2] App Runner VPC connectors should be tagged](./apprunner-controls.html#apprunner-2)
+
+  * [[AppSync.1] AWS AppSync API caches should be encrypted at rest](./appsync-controls.html#appsync-1)
+
+  * [[AppSync.2] AWS AppSync should have field-level logging enabled](./appsync-controls.html#appsync-2)
+
+  * [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](./appsync-controls.html#appsync-4)
+
+  * [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](./appsync-controls.html#appsync-5)
+
+  * [[AppSync.6] AWS AppSync API caches should be encrypted in transit](./appsync-controls.html#appsync-6)
+
+  * [[Athena.2] Athena data catalogs should be tagged](./athena-controls.html#athena-2)
+
+  * [[Athena.3] Athena workgroups should be tagged](./athena-controls.html#athena-3)
+
+  * [[Athena.4] Athena workgroups should have logging enabled](./athena-controls.html#athena-4)
+
+  * [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](./autoscaling-controls.html#autoscaling-1)
+
+  * [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](./autoscaling-controls.html#autoscaling-2)
+
+  * [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](./autoscaling-controls.html#autoscaling-3)
+
+  * [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](./autoscaling-controls.html#autoscaling-6)
+
+  * [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](./autoscaling-controls.html#autoscaling-9)
+
+  * [[AutoScaling.10] EC2 Auto Scaling groups should be tagged](./autoscaling-controls.html#autoscaling-10)
+
+  * [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](./autoscaling-controls.html#autoscaling-5)
+
+  * [[Backup.1] AWS Backup recovery points should be encrypted at rest](./backup-controls.html#backup-1)
+
+  * [[Backup.2] AWS Backup recovery points should be tagged](./backup-controls.html#backup-2)
+
+  * [[Backup.3] AWS Backup vaults should be tagged](./backup-controls.html#backup-3)
+
+  * [[Backup.4] AWS Backup report plans should be tagged](./backup-controls.html#backup-4)
+
+  * [[Backup.5] AWS Backup backup plans should be tagged](./backup-controls.html#backup-5)
+
+  * [[Batch.1] Batch job queues should be tagged](./batch-controls.html#batch-1)
+
+  * [[Batch.2] Batch scheduling policies should be tagged](./batch-controls.html#batch-2)
+
+  * [[Batch.3] Batch compute environments should be tagged](./batch-controls.html#batch-3)
+
+  * [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](./batch-controls.html#batch-4)
+
+  * [[CloudFormation.2] CloudFormation stacks should be tagged](./cloudformation-controls.html#cloudformation-2)
+
+  * [[CloudFront.1] CloudFront distributions should have a default root object configured](./cloudfront-controls.html#cloudfront-1)
+
+  * [[CloudFront.3] CloudFront distributions should require encryption in transit](./cloudfront-controls.html#cloudfront-3)
+
+  * [[CloudFront.4] CloudFront distributions should have origin failover configured](./cloudfront-controls.html#cloudfront-4)
+
+  * [[CloudFront.5] CloudFront distributions should have logging enabled](./cloudfront-controls.html#cloudfront-5)
+
+  * [[CloudFront.6] CloudFront distributions should have WAF enabled](./cloudfront-controls.html#cloudfront-6)
+
+  * [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](./cloudfront-controls.html#cloudfront-7)
+
+  * [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](./cloudfront-controls.html#cloudfront-8)
+
+  * [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](./cloudfront-controls.html#cloudfront-9)
+
+  * [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](./cloudfront-controls.html#cloudfront-10)
+
+  * [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](./cloudfront-controls.html#cloudfront-12)
+
+  * [[CloudFront.13] CloudFront distributions should use origin access control](./cloudfront-controls.html#cloudfront-13)
+
+  * [[CloudFront.14] CloudFront distributions should be tagged](./cloudfront-controls.html#cloudfront-14)
+
+  * [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](./cloudfront-controls.html#cloudfront-15)
+
+  * [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](./cloudtrail-controls.html#cloudtrail-6)
+
+  * [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](./cloudtrail-controls.html#cloudtrail-7)
+
+  * [[CloudTrail.9] CloudTrail trails should be tagged](./cloudtrail-controls.html#cloudtrail-9)
+
+  * [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](./cloudtrail-controls.html#cloudtrail-10)
+
+  * [[CloudWatch.17] CloudWatch alarm actions should be activated](./cloudwatch-controls.html#cloudwatch-17)
+
+  * [[CodeArtifact.1]CodeArtifact repositories should be tagged](./codeartifact-controls.html#codeartifact-1)
+
+  * [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](./codebuild-controls.html#codebuild-1)
+
+  * [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](./codebuild-controls.html#codebuild-2)
+
+  * [[CodeBuild.3] CodeBuild S3 logs should be encrypted](./codebuild-controls.html#codebuild-3)
+
+  * [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](./codebuild-controls.html#codebuild-4)
+
+  * [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](./codebuild-controls.html#codebuild-7)
+
+  * [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](./codeguruprofiler-controls.html#codeguruprofiler-1)
+
+  * [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](./codegurureviewer-controls.html#codegurureviewer-1)