AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-10-16 · Documentation low

File: securityhub/latest/userguide/coverage-findings.md

Summary

Updated documentation for security service coverage findings with expanded GuardDuty protections (malware, EKS, Lambda, S3, RDS), added Runtime Monitoring and Foundational Coverage details. Enhanced Amazon Inspector and Macie coverage descriptions with specific scanning types.

Security assessment

The changes provide expanded documentation about security monitoring features (GuardDuty malware/EKS/Lambda protections, Inspector scanning types) but do not address a specific vulnerability. This improves visibility into security posture management without evidence of patching existing flaws.

Diff

diff --git a/securityhub/latest/userguide/coverage-findings.md b/securityhub/latest/userguide/coverage-findings.md
index 4ec7c3d15..3f6e0ed83 100644
--- a//securityhub/latest/userguide/coverage-findings.md
+++ b//securityhub/latest/userguide/coverage-findings.md
@@ -5 +5 @@
-Coverage findings for Security Hub CSPMCoverage findings for GuardDutyCoverage findings for Amazon InspectorCoverage findings for Macie
+Coverage findings for AWS Security Hub CSPMCoverage findings for Amazon GuardDutyCoverage findings for Amazon InspectorCoverage findings for Amazon Macie
@@ -13 +13 @@ Security Hub is in preview release and is subject to change.
-Coverage findings for Security Hub provide visibility into which AWS security features are enabled and where there might be gaps in coverage in a standalone account or across an organization's AWS environment. Enabling additional security features will enhance the detection capabilities of Security Hub. Coverage Findings evaluate what GuardDuty, Amazon Inspector, Macie, and Security Hub CSPM features are enabled for an account. These findings appear as a widget on the Security Hub dashboard with the ability to drill down into more detailed views by specific security capability. For the delegated administrator, this widget shows coverage breakdown across all Security Hub enabled accounts. 
+Coverage findings for Security Hub provide visibility into which AWS security features are enabled and where there might be gaps in coverage in a standalone account or across an organization's member accounts. Enabling additional security features will enhance the detection capabilities of Security Hub. Coverage Findings evaluate what GuardDuty, Amazon Inspector, Macie, and Security Hub CSPM features are enabled for an account. These findings appear in the Security Coverage widget on the Security Hub dashboard with the ability to drill down into more detailed views by specific security capability. For the delegated administrator, this widget shows coverage breakdown across all Security Hub enabled member accounts. 
@@ -21 +20,0 @@ Coverage findings for Security Hub provide visibility into which AWS security fe
-  * Coverage only indicates if an AWS service is enabled, not whether specific features in an AWS service are enabled. 
@@ -25,2 +24 @@ Coverage findings for Security Hub provide visibility into which AWS security fe
-
-## Coverage findings for Security Hub CSPM
+## Coverage findings for AWS Security Hub CSPM
@@ -32 +30 @@ It can take up to 24 hours to detect standards enabled by default when enabling
-## Coverage findings for GuardDuty
+## Coverage findings for Amazon GuardDuty
@@ -36 +34,7 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
-  * Malware Protection for Amazon EC2 – Scans Amazon EC2 instances for potential malware 
+  * GuardDuty Malware Protection for Amazon EC2 – Scans Amazon EC2 instances for potential malware 
+
+  * GuardDuty Amazon EKS Protection – Monitors Kubernetes audit logs for threats in Amazon EKS clusters 
+
+  * GuardDuty Lambda Protection – Analyzes Lambda function invocations for potential threats 
+
+  * GuardDuty Amazon S3 Protection – Analyzes data events for potential threats to Amazon S3 buckets 
@@ -38 +42 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
-  * Amazon EKS Protection – Monitors Kubernetes audit logs for threats in Amazon EKS clusters 
+  * GuardDuty Amazon RDS Protection – Monitors for threats to Amazon RDS databases 
@@ -40 +44 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
-  * Lambda Protection – Analyzes Lambda function invocations for potential threats 
+  * GuardDuty Runtime Monitoring – Provides real-time monitoring of runtime behavior in Amazon EC2 instances 
@@ -42 +46 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
-  * Amazon S3 Protection – Analyzes data events for potential threats to Amazon S3 buckets 
+  * GuardDuty Foundational Coverage – Baseline GuardDuty features which are automatically turned on when GuardDuty is enabled 
@@ -44 +47,0 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
-  * Amazon RDS Protection – Monitors for threats to Amazon RDS databases 
@@ -46 +48,0 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
-  * Runtime Monitoring – Provides real-time monitoring of runtime behavior in Amazon EC2 instances 
@@ -48,0 +51 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
+###### Note
@@ -49,0 +53 @@ GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardD
+For GuardDuty Foundational Coverage, coverage findings that indicate the feature is turned off mean GuardDuty is not enabled in the account for the coverage finding. 
@@ -55 +59,7 @@ It can take up to 24 hours for updates to GuardDuty coverage to reflect across a
-Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled and which features are enabled in an account: 
+Amazon Inspector coverage findings assess whether Amazon Inspector is enabled and which features are enabled in an account: 
+
+  * Inspector EC2 Scanning – Scans Amazon EC2 instances for vulnerabilities 
+
+  * Inspector ECR Scanning – Scans Amazon ECR container images for vulnerabilities 
+
+  * Inspector Lambda Standard Scanning – Scans Lambda functions for vulnerabilities 
@@ -57 +67 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-  * Amazon EC2 Scanning – Scans Amazon EC2 instances for vulnerabilities 
+  * Inspector Lambda Code Scanning – Scans Lambda code functions for code vulnerabilities 
@@ -59 +68,0 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-  * Amazon ECR Scanning – Scans container images in Amazon ECR for vulnerabilities 
@@ -61 +69,0 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-  * Lambda Standard Scanning – Scans Lambda functions for vulnerabilities 
@@ -63 +70,0 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-  * Lambda Code Scanning – Scans Lambda code functions for code vulnerabilities 
@@ -65 +72 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-  * Amazon Inspector Code Security – Scans first-party application source code, third-party application dependencies, and Infrastructure as Code for vulnerabilities 
+## Coverage findings for Amazon Macie
@@ -66,0 +74 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
+Macie coverage findings assess whether Macie is enabled across AWS accounts: 
@@ -67,0 +76 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
+  * Macie Automated Sensitive Data Discovery Coverage – Continuously evaluates your Amazon S3 data estate for sensitive data. 
@@ -70 +78,0 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-## Coverage findings for Macie
@@ -72 +79,0 @@ Amazon Inspector Coverage Findings assess whether Amazon Inspector is enabled an
-Macie Coverage Findings are assessments that indicate whether Macie is enabled across AWS accounts. 
@@ -74 +81 @@ Macie Coverage Findings are assessments that indicate whether Macie is enabled a
-It can take up to 24 hours for updates to Macie automated sensitive data discovery to reflect across all member accounts in an organization. 
+It can take up to 24 hours for updates to Macie automated sensitive data discovery for coverage findings to reflect across all member accounts in an organization.