AWS securityhub documentation change
Summary
Updated document history entries to clarify product names (AWS Security Hub CSPM), expand service abbreviations to full names (e.g., 'EC2' to 'Amazon EC2'), correct standard names (e.g., 'NIST SP 800-53 Rev. 5'), and add specificity to control descriptions and regional availability details.
Security assessment
The changes are documentation updates that clarify existing security controls and standards but do not address any specific security vulnerability or incident. The updates enhance documentation of security features like new controls (e.g., Cognito.3, RDS.43) and standards (e.g., CIS AWS Foundations Benchmark v5.0.0), but there is no evidence of a security incident being remediated.
Diff
diff --git a/securityhub/latest/userguide/doc-history.md b/securityhub/latest/userguide/doc-history.md index bf95ee129..4cf998d47 100644 --- a//securityhub/latest/userguide/doc-history.md +++ b//securityhub/latest/userguide/doc-history.md @@ -5 +5 @@ -# Document history for the User Guide +# Document history for the AWS Security Hub User Guide @@ -7 +7 @@ -The following table describes the important changes to the documentation since the last release of and . For releases of new controls, the date specifies when the controls begin to be available in supported . It can take 1‐2 weeks for controls to be available in all supported Regions. For details about material changes to existing controls, see [Change log for Security Hub CSPM controls](./controls-change-log.html). +The following table describes the important changes to the documentation since the last release of AWS Security Hub and Security Hub CSPM. For releases of new Security Hub CSPM controls, the date specifies when the controls begin to be available in supported AWS Regions. It can take 1‐2 weeks for controls to be available in all supported Regions. For details about material changes to existing controls, see [Change log for Security Hub CSPM controls](./controls-change-log.html). @@ -9 +9 @@ The following table describes the important changes to the documentation since t -To receive notifications about updates to the _User Guide_ , you can subscribe to an RSS feed. +To receive notifications about updates to the _AWS Security Hub User Guide_ , you can subscribe to an RSS feed. @@ -13,17 +13,17 @@ Change| Description| Date -Updated managed policy| updated the [ managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubV2ServiceRolePolicy`. The update added metering capabilities for , , , and to support (Advanced) features. The update also added support for global recorders. These changes support the preview release.| November 17, 2025 -Updates to security controls| We changed the severity of 10 controls: CloudFront.7, CloudTrail.5, ELB.7, GuardDuty.7, MQ.3, Opensearch.10, RDS.7, ServiceCatalog.1, SNS.4, and SQS.3. For a breakdown of the changes, see the [Change log for controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html).| November 13, 2025 -New security controls| released six new controls for the [ (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are: [Cognito.3](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-3), [DMS.13](https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-13), [EC2.181](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-181), [RDS.43](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-43), [RDS.47](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-47), and [RDS.48](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-48).| October 28, 2025 -New security standard| now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html) that aligns with . This new standard includes 40 existing security controls. The controls perform automated checks that evaluate certain resources for compliance with a subset of the requirements defined by the framework.| October 16, 2025 -New third-party integration| Elastic is a new [third-party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) that can receive findings from .| October 3, 2025 -Updates to security standards and controls| We retired the Redshift.9 and RedshiftServerless.7 controls and removed them from all applicable standards. We retired these controls due to inherent limitations that prevented effective remediation of `FAILED` findings for the controls.Previously, these controls applied to the [ (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applied to the [ service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).| September 24, 2025 -Regional availability| is now available in the Region. For a complete list of where is currently available, see [ endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the __.| September 19, 2025 -New security controls| released two new controls for the [ (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html): [CloudFront.16](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-16) and [RDS.46](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-46).| September 3, 2025 -Regional availability| The [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) is now available in the and Regions.| August 29, 2025 -Updates to security standards and controls| Due to limitations, we are planning to retire the Redshift.9 and RedshiftServerless.7 controls and remove them from all applicable standards on September 15, 2025. Currently, these controls apply to the [ (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applies to the [ service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).| August 15, 2025 -New resource details object in the ASFF| The [ (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) now includes a `CodeRepository` resource object. This object provides details about an external code repository that you connected to resources and configured to scan for vulnerabilities.| August 1, 2025 -Regional availability| is now available in the . For a complete list of where is currently available, see [ endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the __.| July 23, 2025 -New third-party integration| Dynatrace is a new [third-party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) that can receive findings from .| July 18, 2025 -New security controls| released 13 new controls. Most of the controls support the [ (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) standard. Some of the controls support <https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html> requirements. - - * For the FSBP standard, IDs for the applicable controls are: [CloudFront.15](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-15), [Cognito.2](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-2), [EC2.180](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-180), [ELB.18](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-18), [MSK.4](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-4), [MSK.5](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-5), [MSK.6](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-6), [RDS.45](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-45), [Redshift.18](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-18), [S3.25](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-25), [SSM.6](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-6), and [SSM.7](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-7). - * For , IDs for the applicable controls are: [Lambda.7](https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-7) and [RDS.45](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-45). +Updated managed policy| Security Hub CSPM updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubV2ServiceRolePolicy`. The update added metering capabilities for Amazon Elastic Container Registry, AWS Lambda, Amazon CloudWatch, and AWS Identity and Access Management to support Security Hub (Advanced) features. The update also added support for global AWS Config recorders. These changes support the Security Hub preview release.| November 17, 2025 +Updates to security controls| We changed the severity of 10 Security Hub CSPM controls: CloudFront.7, CloudTrail.5, ELB.7, GuardDuty.7, MQ.3, Opensearch.10, RDS.7, ServiceCatalog.1, SNS.4, and SQS.3. For a breakdown of the changes, see the [Change log for Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html).| November 13, 2025 +New security controls| Security Hub CSPM released six new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are: [Cognito.3](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-3), [DMS.13](https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-13), [EC2.181](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-181), [RDS.43](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-43), [RDS.47](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-47), and [RDS.48](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-48).| October 28, 2025 +New security standard| Security Hub CSPM now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html) that aligns with CIS AWS Foundations Benchmark v5.0.0. This new standard includes 40 existing security controls. The controls perform automated checks that evaluate certain resources for compliance with a subset of the requirements defined by the framework.| October 16, 2025 +New third-party integration| Elastic is a new [third-party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) that can receive findings from Security Hub CSPM.| October 3, 2025 +Updates to security standards and controls| We retired the Redshift.9 and RedshiftServerless.7 controls and removed them from all applicable standards. We retired these controls due to inherent Amazon Redshift limitations that prevented effective remediation of `FAILED` findings for the controls.Previously, these controls applied to the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applied to the [AWS Control Tower service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).| September 24, 2025 +Regional availability| Security Hub CSPM is now available in the Asia Pacific (New Zealand) Region. For a complete list of AWS Regions where Security Hub CSPM is currently available, see [AWS Security Hub endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the _AWS General Reference_.| September 19, 2025 +New security controls| Security Hub CSPM released two new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html): [CloudFront.16](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-16) and [RDS.46](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-46).| September 3, 2025 +Regional availability| The [AWS Resource Tagging standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) is now available in the Asia Pacific (Thailand) and Mexico (Central) Regions.| August 29, 2025 +Updates to security standards and controls| Due to Amazon Redshift limitations, we are planning to retire the Redshift.9 and RedshiftServerless.7 controls and remove them from all applicable standards on September 15, 2025. Currently, these controls apply to the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applies to the [AWS Control Tower service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).| August 15, 2025 +New resource details object in the ASFF| The [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) now includes a `CodeRepository` resource object. This object provides details about an external code repository that you connected to AWS resources and configured Amazon Inspector to scan for vulnerabilities.| August 1, 2025 +Regional availability| Security Hub CSPM is now available in the Asia Pacific (Taipei) Region. For a complete list of AWS Regions where Security Hub CSPM is currently available, see [AWS Security Hub endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the _AWS General Reference_.| July 23, 2025 +New third-party integration| Dynatrace is a new [third-party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) that can receive findings from Security Hub CSPM.| July 18, 2025 +New security controls| Security Hub CSPM released 13 new controls. Most of the controls support the [AWS Foundational Security Best Practices (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) standard. Some of the controls support [NIST SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) requirements. + + * For the AWS FSBP standard, IDs for the applicable controls are: [CloudFront.15](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-15), [Cognito.2](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-2), [EC2.180](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-180), [ELB.18](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-18), [MSK.4](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-4), [MSK.5](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-5), [MSK.6](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-6), [RDS.45](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-45), [Redshift.18](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-18), [S3.25](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-25), [SSM.6](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-6), and [SSM.7](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-7). + * For NIST SP 800-53 Rev. 5, IDs for the applicable controls are: [Lambda.7](https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-7) and [RDS.45](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-45). @@ -32,12 +32,12 @@ New security controls| released 13 new controls. Most of the controls support t -Updates to generation of control findings| To help you track compliance changes, now [updates existing control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html), instead of generating new findings, when there are changes to the compliance status of individual resources. This means that you can use the data provided by individual findings to track compliance changes for particular resources against particular controls.| July 3, 2025 -Updates to security standards and controls| We removed the [IAM.13 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-13) from the [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). We also removed the [IAM.17 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-17) from the [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html). The standards don't explicitly require the checks that these controls provide. We also updated related requirement details for these standards for certain controls that check password policies: IAM.7, and IAM.10 through IAM.17.| June 30, 2025 -Updates to finding retention| now [stores archived findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html) for 30 days instead of 90 days, which can reduce finding noise. For longer-term retention, you can export findings to an S3 bucket by [using a custom action with an rule](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html). | June 20, 2025 -Updates to existing managed policies| added new permission to the [ managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubOrganizationsAccess`. The permission allows the organization management to enable and manage and within an organization. also added new permission to the managed policy named `AWSSecurityHubFullAccess`. The permission allows principals to create a service-linked role for .| June 18, 2025 -Public preview release and a new managed policy for | Public preview release of and the [_User Guide_](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-security-hub-adv.html). This release includes a new [ managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html), `AWSSecurityHubV2ServiceRolePolicy`. The policy allows to manage rules and resources in a customer's organization and on the customer's behalf. is in preview release and subject to change.| June 17, 2025 -Updates to security standards and controls| We removed the [IAM.10 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-10) from the [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). This control checks whether account password policies for meet minimum requirements, including a minimum password length of 7 characters. now requires passwords to have a minimum of 8 characters. The IAM.10 control continues to apply to the standard, which has different password requirements.| May 30, 2025 -New security standard| now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html) that aligns with the cybersecurity and compliance framework. This new standard includes more than 60 existing security controls. The controls perform automated checks that evaluate certain and resources for compliance with a subset of the requirements defined by the framework.| May 29, 2025 -Updates to security controls| rolled back the release of the following control in all : _[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways_. Previously, this control supported the (FSBP) standard.| May 8, 2025 -New security controls| released 9 new controls. Most of the controls support the [ (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) standard. Some of the controls support <https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html> requirements. - - * For the FSBP standard, IDs for the applicable controls are: [DocumentDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-6), [RDS.44](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-44), [RedshiftServerless.2](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-2), [RedshiftServerless.3](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-3), [RedshiftServerless.5](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-5), [RedshiftServerless.6](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-6), and RedshiftServerless.7 (later retired). - * For , IDs for the applicable controls are: [CloudTrail.10](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-10), [RedshiftServerless.4](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-4), and RedshiftServerless.7 (later retired). +Updates to generation of control findings| To help you track compliance changes, Security Hub CSPM now [updates existing control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html), instead of generating new findings, when there are changes to the compliance status of individual resources. This means that you can use the data provided by individual findings to track compliance changes for particular resources against particular controls.| July 3, 2025 +Updates to security standards and controls| We removed the [IAM.13 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-13) from the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). We also removed the [IAM.17 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-17) from the [NIST SP 800-171 Revision 2 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html). The standards don't explicitly require the checks that these controls provide. We also updated related requirement details for these standards for certain controls that check IAM password policies: IAM.7, and IAM.10 through IAM.17.| June 30, 2025 +Updates to finding retention| Security Hub CSPM now [stores archived findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html) for 30 days instead of 90 days, which can reduce finding noise. For longer-term retention, you can export findings to an S3 bucket by [using a custom action with an Amazon EventBridge rule](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html). | June 20, 2025 +Updates to existing managed policies| Security Hub CSPM added new permission to the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubOrganizationsAccess`. The permission allows the organization management to enable and manage Security Hub and Security Hub CSPM within an organization. Security Hub CSPM also added new permission to the AWS managed policy named `AWSSecurityHubFullAccess`. The permission allows principals to create a service-linked role for Security Hub.| June 18, 2025 +Public preview release and a new managed policy for Security Hub| Public preview release of AWS Security Hub and the [_AWS Security Hub User Guide_](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-security-hub-adv.html). This release includes a new [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html), `AWSSecurityHubV2ServiceRolePolicy`. The policy allows Security Hub to manage AWS Config rules and Security Hub resources in a customer's organization and on the customer's behalf. Security Hub is in preview release and subject to change.| June 17, 2025 +Updates to security standards and controls| We removed the [IAM.10 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-10) from the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). This control checks whether account password policies for IAM users meet minimum requirements, including a minimum password length of 7 characters. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. The IAM.10 control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements.| May 30, 2025 +New security standard| Security Hub CSPM now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html) that aligns with the NIST SP 800-171 Revision 2 cybersecurity and compliance framework. This new standard includes more than 60 existing security controls. The controls perform automated checks that evaluate certain AWS services and resources for compliance with a subset of the requirements defined by the framework.| May 29, 2025 +Updates to security controls| Security Hub CSPM rolled back the release of the following control in all AWS Regions: _[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways_. Previously, this control supported the AWS Foundational Security Best Practices (FSBP) standard.| May 8, 2025 +New security controls| Security Hub CSPM released 9 new controls. Most of the controls support the [AWS Foundational Security Best Practices (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) standard. Some of the controls support [NIST SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) requirements. + + * For the AWS FSBP standard, IDs for the applicable controls are: [DocumentDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-6), [RDS.44](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-44), [RedshiftServerless.2](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-2), [RedshiftServerless.3](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-3), [RedshiftServerless.5](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-5), [RedshiftServerless.6](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-6), and RedshiftServerless.7 (later retired). + * For NIST SP 800-53 Rev. 5, IDs for the applicable controls are: [CloudTrail.10](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-10), [RedshiftServerless.4](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-4), and RedshiftServerless.7 (later retired). @@ -46 +46 @@ New security controls| released 9 new controls. Most of the controls support th -New security controls| released 24 new controls. Most of the controls support the [ (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) or [ Resource Tagging](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) standard. Some of the controls support <https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html> requirements. +New security controls| Security Hub CSPM released 24 new controls. Most of the controls support the [AWS Foundational Security Best Practices (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) or [AWS Resource Tagging](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) standard. Some of the controls support [NIST SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) requirements. @@ -48,3 +48,3 @@ New security controls| released 24 new controls. Most of the controls support t - * For the FSBP standard, IDs for the applicable controls are: [EC2.173](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-173), [RDS.41](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-41), [RDS.42](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-42), and [SageMaker.8](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-8). - * For the Resource Tagging standard, IDs for the applicable controls are: [Amplify.1](https://docs.aws.amazon.com/securityhub/latest/userguide/amplify-controls.html#amplify-1), [Amplify.2](https://docs.aws.amazon.com/securityhub/latest/userguide/amplify-controls.html#amplify-2), [Batch.4](https://docs.aws.amazon.com/securityhub/latest/userguide/batch-controls.html#batch-4), [DataSync.2](https://docs.aws.amazon.com/securityhub/latest/userguide/datasync-controls.html#datasync-2), [EC2.174](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-174), [EC2.175](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-175), [EC2.176](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-176), [EC2.177](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-177), [EC2.178](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-178), [EC2.179](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-179), [Redshift.17](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-17), [SageMaker.6](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-6), [SageMaker.7](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-7), [SSM.5](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-5), [Transfer.4](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-4), [Transfer.5](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-5), [Transfer.6](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-6), and [Transfer.7](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-7). - * For , IDs for the applicable controls are: [ECS.17](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-17) and [RDS.42](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-42). + * For the AWS FSBP standard, IDs for the applicable controls are: [EC2.173](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-173), [RDS.41](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-41), [RDS.42](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-42), and [SageMaker.8](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-8). + * For the AWS Resource Tagging standard, IDs for the applicable controls are: [Amplify.1](https://docs.aws.amazon.com/securityhub/latest/userguide/amplify-controls.html#amplify-1), [Amplify.2](https://docs.aws.amazon.com/securityhub/latest/userguide/amplify-controls.html#amplify-2), [Batch.4](https://docs.aws.amazon.com/securityhub/latest/userguide/batch-controls.html#batch-4), [DataSync.2](https://docs.aws.amazon.com/securityhub/latest/userguide/datasync-controls.html#datasync-2), [EC2.174](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-174), [EC2.175](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-175), [EC2.176](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-176), [EC2.177](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-177), [EC2.178](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-178), [EC2.179](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-179), [Redshift.17](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-17), [SageMaker.6](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-6), [SageMaker.7](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-7), [SSM.5](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-5), [Transfer.4](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-4), [Transfer.5](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-5), [Transfer.6](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-6), and [Transfer.7](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-7). + * For NIST SP 800-53 Rev. 5, IDs for the applicable controls are: [ECS.17](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-17) and [RDS.42](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-42). @@ -53 +53 @@ New security controls| released 24 new controls. Most of the controls support t -New security controls| released four new controls for the [ standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The controls are: +New security controls| Security Hub CSPM released four new controls for the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The controls are: @@ -61,3 +61,3 @@ New security controls| released four new controls for the [ standard](https://d -Updates to security standards and controls| We removed the [RDS.18 security control](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-18) from the standard and automated checks for requirements. Since -Classic networking was retired, () instances can no longer be deployed outside a VPC. The control continues to be part of the [ service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).| March 7, 2025 -Updates to control findings| now generates `WARNING` findings for an enabled control if [resource recording](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-setup-prereqs.html#config-resource-recording) isn't turned on in for the type of resource that the control checks. This can help you identify and address potential configuration gaps in your security control checks.| February 25, 2025 -New security controls| released 11 new controls. The controls are: +Updates to security standards and controls| We removed the [RDS.18 security control](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-18) from the AWS Foundational Security Best Practices standard and automated checks for NIST SP 800-53 Rev. 5 requirements. Since Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC. The control continues to be part of the [AWS Control Tower service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).| March 7, 2025 +Updates to control findings| Security Hub CSPM now generates `WARNING` findings for an enabled control if [resource recording](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-setup-prereqs.html#config-resource-recording) isn't turned on in AWS Config for the type of resource that the control checks. This can help you identify and address potential configuration gaps in your security control checks.| February 25, 2025 +New security controls| Security Hub CSPM released 11 new controls. The controls are: @@ -78 +78 @@ New security controls| released 11 new controls. The controls are: -New security controls| released 37 new controls for the <https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html>. also released the following new controls: +New security controls| Security Hub CSPM released 37 new controls for the [AWS Resource Tagging Standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html). Security Hub CSPM also released the following new controls: @@ -85,2 +85,2 @@ New security controls| released 37 new controls for the <https://docs.aws.amazo -New security control| released [EC2.172 EC2 VPC Block Public Access settings should block internet gateway traffic](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-172).| January 15, 2025 -New security controls| The following new controls are available. +New security control| Security Hub CSPM released [EC2.172 EC2 VPC Block Public Access settings should block internet gateway traffic](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-172).| January 15, 2025 +New security controls| The following new Security Hub CSPM controls are available. @@ -94,5 +94,5 @@ New security controls| The following new controls are available. -supports | now supports v4.0.1 of the Payment Card Industry Data Security Standard (PCI DSS). For more information about the standard and the controls that apply to it, see [PCI DSS in ](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html).| December 11, 2024 -receives attack sequence findings| now receives attack sequence findings from Extended Threat Detection. Attack sequence finding details are available in the [Detection](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-detection) object of the (ASFF).| December 1, 2024 -supported in new | is now available in the Region. Some security controls have Regional limitations. For a list of controls that aren't available in this Region, see [Regional limits on controls](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html).| November 22, 2024 -Changes to Config.1| increased the severity of the Config.1 control from `MEDIUM` to `CRITICAL`, and added new status codes and status reasons for failed Config.1 findings. For more information about the changes, see the entry for November 20, 2024 in the [Change log for controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html).| November 20, 2024 -New security controls| The following new controls are available. These controls are part of and , and they evaluate whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for an or resource. +Security Hub CSPM supports PCI DSS v4.0.1| Security Hub CSPM now supports v4.0.1 of the Payment Card Industry Data Security Standard (PCI DSS). For more information about the standard and the controls that apply to it, see [PCI DSS in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html).| December 11, 2024 +Security Hub CSPM receives GuardDuty attack sequence findings| Security Hub CSPM now receives attack sequence findings from Amazon GuardDuty Extended Threat Detection. Attack sequence finding details are available in the [Detection](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-detection) object of the AWS Security Finding Format (ASFF).| December 1, 2024 +Security Hub CSPM supported in new AWS Region| Security Hub CSPM is now available in the Asia Pacific (Malaysia) Region. Some security controls have Regional limitations. For a list of controls that aren't available in this Region, see [Regional limits on Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html).| November 22, 2024 +Changes to Config.1| Security Hub CSPM increased the severity of the Config.1 control from `MEDIUM` to `CRITICAL`, and added new status codes and status reasons for failed Config.1 findings. For more information about the changes, see the entry for November 20, 2024 in the [Change log for Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html).| November 20, 2024 +New security controls| The following new Security Hub CSPM controls are available. These controls are part of AWS Foundational Security Best Practices and NIST SP 800-53 Rev. 5, and they evaluate whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for an AWS service or AWS resource. @@ -107 +107 @@ New security controls| The following new controls are available. These controls -New security controls| The following new controls are available. +New security controls| The following new Security Hub CSPM controls are available. @@ -118 +118 @@ New security controls| The following new controls are available. -New security controls| The following new controls are available. +New security controls| The following new Security Hub CSPM controls are available. @@ -129 +129 @@ New security controls| The following new controls are available. -New security controls| The following new controls are available. +New security controls| The following new Security Hub CSPM controls are available. @@ -141,4 +141,4 @@ New security controls| The following new controls are available. -New finding panel| The [new finding panel](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) on the console helps you quickly take action on findings, review resource details and finding history, and find other pertinent information about a finding.| August 16, 2024 -Update to Config.1 control| The [Config.1 control](https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1) checks whether is enabled, uses the service-linked role, and records resources for enabled controls. added a custom control parameter named `includeConfigServiceLinkedRoleCheck`. By setting this parameter to `false`, you can opt out of checking whether uses the service-linked role.| August 15, 2024 -Designate a home Region without linked Regions| You can now create a finding aggregator and establish a home Region without linking any to the home Region. This allows you to enable [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) without specifying linked Regions.| July 25, 2024 -Select controls available in more Regions| The following controls are now available in additional , including and . +New finding panel| The [new finding panel](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) on the Security Hub CSPM console helps you quickly take action on findings, review resource details and finding history, and find other pertinent information about a finding.| August 16, 2024 +Update to Config.1 control| The [Config.1 control](https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1) checks whether AWS Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub CSPM added a custom control parameter named `includeConfigServiceLinkedRoleCheck`. By setting this parameter to `false`, you can opt out of checking whether AWS Config uses the service-linked role.| August 15, 2024 +Designate a home Region without linked Regions| You can now create a finding aggregator and establish a home Region without linking any AWS Regions to the home Region. This allows you to enable [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) without specifying linked Regions.| July 25, 2024 +Select controls available in more Regions| The following controls are now available in additional AWS Regions, including US East (N. Virginia) and US East (Ohio). @@ -163 +163 @@ Select controls available in more Regions| The following controls are now availa -New security controls| The following new controls are available: +New security controls| The following new Security Hub CSPM controls are available: @@ -176 +176 @@ New security controls| The following new controls are available: -Release of CIS Foundations Benchmark v3.0.0| released [Center for Internet Security (CIS) Foundations Benchmark v3.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html). The release includes the following new controls, as well as mappings to several existing controls. +Release of CIS AWS Foundations Benchmark v3.0.0| Security Hub CSPM released [Center for Internet Security (CIS) AWS Foundations Benchmark v3.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html). The release includes the following new controls, as well as mappings to several existing controls. @@ -187 +187 @@ Release of CIS Foundations Benchmark v3.0.0| released [Center for Internet Secu -[New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html)| The following new controls are available: +[New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html)| The following new Security Hub CSPM controls are available: @@ -206,7 +206,7 @@ Release of CIS Foundations Benchmark v3.0.0| released [Center for Internet Secu -Document history for the User Guide| The <https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html> from is now generally available, along with new controls that apply to the standard.| April 30, 2024 -Update to existing managed policy| updated the [ managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AmazonSecurityHubFullAccess` to get pricing details for and products.| April 24, 2024 -In-context configuration of control parameters| If you use central configuration, you can now configure [control parameters in context](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-in-context.html), from the details page of a control on the console.| March 29, 2024 -Update to existing managed policy| updated the [ managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubReadOnlyAccess` by adding a `Sid` field.| February 22, 2024 -New security control| The control [[.2] automated sensitive data discovery should be enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html#macie-2) is now available. For Regional limits on this control, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html).| February 19, 2024 -available in | is now available in . All features are now available in this Region, with the exception of certain security controls. For more information, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html).| December 20, 2023 -New security controls| The following new controls are available: +AWS Resource Tagging Standard| The [AWS Resource Tagging Standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) from Security Hub CSPM is now generally available, along with new controls that apply to the standard.| April 30, 2024 +Update to existing managed policy| Security Hub CSPM updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AmazonSecurityHubFullAccess` to get pricing details for AWS services and products.| April 24, 2024 +In-context configuration of control parameters| If you use central configuration, you can now configure [control parameters in context](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-in-context.html), from the details page of a control on the Security Hub CSPM console.| March 29, 2024 +Update to existing managed policy| Security Hub CSPM updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubReadOnlyAccess` by adding a `Sid` field.| February 22, 2024 +New security control| The control [[Macie.2] Macie automated sensitive data discovery should be enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html#macie-2) is now available. For Regional limits on this control, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html).| February 19, 2024 +Security Hub CSPM available in Canada West (Calgary)| Security Hub CSPM is now available in Canada West (Calgary). All Security Hub CSPM features are now available in this Region, with the exception of certain security controls. For more information, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html).| December 20, 2023 +New security controls| The following new Security Hub CSPM controls are available: @@ -231,9 +231,9 @@ New security controls| The following new controls are available: -[Finding enrichment](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-view-details.html)| added the new finding fields `AwsAccountName`, `ApplicationArn`, and `ApplicationName` to the (ASFF).| November 27, 2023 -[Enhancements to Summary dashboard](https://docs.aws.amazon.com/securityhub/latest/userguide/dashboard.html)| You can now access more dashboard widgets on the **Summary** page of the console, save dashboard filter sets to quickly focus on specific security issues, and customize the dashboard layout.| November 27, 2023 -[Central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html)| Central configuration is now available. With central configuration, the delegated administrator can configure , standards, and controls across multiple organization accounts, organizational units (OUs), and Regions.| November 27, 2023 -[Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy)| added new permissions to the `AWSSecurityHubServiceRolePolicy` managed policy that allow to read and update customizable security control properties.| November 26, 2023 -[Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html)| You can now customize parameter values for select controls. This can make findings for a specific control more relevant to your business requirements and security expectations.| November 26, 2023 -[Updates to managed policies](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html)| updated the `AWSSecurityHubFullAccess` and `AWSSecurityHubOrganizationsAccess` managed policies that permit you to use, respectively, features and the integration with .| November 16, 2023 -[Existing security controls added to ](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html)| The following existing controls have been added to . - - * **.2** +[Finding enrichment](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-view-details.html)| Security Hub CSPM added the new finding fields `AwsAccountName`, `ApplicationArn`, and `ApplicationName` to the AWS Security Finding Format (ASFF).| November 27, 2023 +[Enhancements to Summary dashboard](https://docs.aws.amazon.com/securityhub/latest/userguide/dashboard.html)| You can now access more dashboard widgets on the **Summary** page of the Security Hub CSPM console, save dashboard filter sets to quickly focus on specific security issues, and customize the dashboard layout.| November 27, 2023 +[Central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html)| Central configuration is now available. With central configuration, the Security Hub CSPM delegated administrator can configure Security Hub CSPM, standards, and controls across multiple organization accounts, organizational units (OUs), and Regions.| November 27, 2023 +[Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy)| Security Hub CSPM added new permissions to the `AWSSecurityHubServiceRolePolicy` managed policy that allow Security Hub CSPM to read and update customizable security control properties.| November 26, 2023 +[Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html)| You can now customize parameter values for select Security Hub CSPM controls. This can make findings for a specific control more relevant to your business requirements and security expectations.| November 26, 2023 +[Updates to managed policies](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html)| Security Hub CSPM updated the `AWSSecurityHubFullAccess` and `AWSSecurityHubOrganizationsAccess` managed policies that permit you to use, respectively, Security Hub CSPM features and the integration with AWS Organizations.| November 16, 2023 +[Existing security controls added to Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html)| The following existing Security Hub CSPM controls have been added to Service-Managed Standard: AWS Control Tower. + + * **ACM.2** @@ -241 +241 @@ New security controls| The following new controls are available: - * **.6** + * **CloudTrail.6** @@ -244,2 +244,2 @@ New security controls| The following new controls are available: - * **.3** - * **.23** + * **DynamoDB.3** + * **EC2.23** @@ -247,5 +247,5 @@ New security controls| The following new controls are available: - * **.3** - * **.4** - * **.5** - * **.6** - * **.3** + * **ElastiCache.3** + * **ElastiCache.4** + * **ElastiCache.5** + * **ElastiCache.6** + * **EventBridge.3** @@ -253 +253 @@ New security controls| The following new controls are available: - * **.3** + * **Lambda.3** @@ -262,2 +262,2 @@ New security controls| The following new controls are available: -[Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy)| added a new tagging permission to the `AWSSecurityHubServiceRolePolicy` managed policy that allows to read resource tags related to findings.| November 7, 2023 -[New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html)| The following new controls are available: +[Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy)| Security Hub CSPM added a new tagging permission to the `AWSSecurityHubServiceRolePolicy` managed policy that allows Security Hub CSPM to read resource tags related to findings.| November 7, 2023 +[New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html)| The following new Security Hub CSPM controls are available: