AWS securityhub documentation change
Summary
Updated severity levels for multiple security controls (CloudFront.7, CloudTrail.5, ELB.7, GuardDuty.7, MQ.3, Opensearch.10, RDS.7, RedshiftServerless.5, ServiceCatalog.1, SNS.4, SQS.3)
Security assessment
Changes adjust severity ratings of existing security controls to reflect updated risk assessments. While these updates help prioritize security measures, there is no evidence they address newly discovered vulnerabilities or incidents.
Diff
diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md index a39d58152..034bee483 100644 --- a//securityhub/latest/userguide/securityhub-controls-reference.md +++ b//securityhub/latest/userguide/securityhub-controls-reference.md @@ -85 +85 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudFront.7](./cloudfront-controls.html#cloudfront-7) | CloudFront distributions should use custom SSL/TLS certificates | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered +[CloudFront.7](./cloudfront-controls.html#cloudfront-7) | CloudFront distributions should use custom SSL/TLS certificates | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | LOW | No | Change triggered @@ -98 +98 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.5](./cloudtrail-controls.html#cloudtrail-5) | CloudTrail trails should be integrated with Amazon CloudWatch Logs | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | LOW | No | Periodic +[CloudTrail.5](./cloudtrail-controls.html#cloudtrail-5) | CloudTrail trails should be integrated with Amazon CloudWatch Logs | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic @@ -276 +276 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.7](./elb-controls.html#elb-7) | Classic Load Balancers should have connection draining enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.7](./elb-controls.html#elb-7) | Classic Load Balancers should have connection draining enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered @@ -321 +321 @@ Security control ID | Security control title | Applicable standards | Severity | -[GuardDuty.7](./guardduty-controls.html#guardduty-7) | GuardDuty EKS Runtime Monitoring should be enabled | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[GuardDuty.7](./guardduty-controls.html#guardduty-7) | GuardDuty EKS Runtime Monitoring should be enabled | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | No | Periodic @@ -407 +407 @@ Security control ID | Security control title | Applicable standards | Severity | -[MQ.3](./mq-controls.html#mq-3) | Amazon MQ brokers should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | LOW | No | Change triggered +[MQ.3](./mq-controls.html#mq-3) | Amazon MQ brokers should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -439 +439 @@ Security control ID | Security control title | Applicable standards | Severity | -[Opensearch.10](./opensearch-controls.html#opensearch-10) | OpenSearch domains should have the latest software update installed | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | LOW | No | Change triggered +[Opensearch.10](./opensearch-controls.html#opensearch-10) | OpenSearch domains should have the latest software update installed | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -449 +449 @@ Security control ID | Security control title | Applicable standards | Severity | -[RDS.7](./rds-controls.html#rds-7) | RDS clusters should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[RDS.7](./rds-controls.html#rds-7) | RDS clusters should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -511 +511 @@ Security control ID | Security control title | Applicable standards | Severity | -[RedshiftServerless.5](./redshiftserverless-controls.html#redshiftserverless-5) | Redshift Serverless namespaces should not use the default admin username | AWS Foundational Security Best Practices | MEDIUM | Yes | Periodic +[RedshiftServerless.5](./redshiftserverless-controls.html#redshiftserverless-5) | Redshift Serverless namespaces should not use the default admin username | AWS Foundational Security Best Practices | MEDIUM | No | Periodic @@ -549 +549 @@ Security control ID | Security control title | Applicable standards | Severity | -[ServiceCatalog.1](./servicecatalog-controls.html#servicecatalog-1) | Service Catalog portfolios should be shared within an AWS organization only | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic +[ServiceCatalog.1](./servicecatalog-controls.html#servicecatalog-1) | Service Catalog portfolios should be shared within an AWS organization only | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic @@ -554 +554 @@ Security control ID | Security control title | Applicable standards | Severity | -[SNS.4](./sns-controls.html#sns-4) | SNS topic access policies should not allow public access | AWS Foundational Security Best Practices | HIGH | No | Change triggered +[SNS.4](./sns-controls.html#sns-4) | SNS topic access policies should not allow public access | AWS Foundational Security Best Practices | CRITICAL | No | Change triggered @@ -557 +557 @@ Security control ID | Security control title | Applicable standards | Severity | -[SQS.3](./sqs-controls.html#sqs-3) | SQS queue access policies should not allow public access | AWS Foundational Security Best Practices | HIGH | No | Change triggered +[SQS.3](./sqs-controls.html#sqs-3) | SQS queue access policies should not allow public access | AWS Foundational Security Best Practices | CRITICAL | No | Change triggered