AWS securityhub documentation change
Summary
Added details about customer-initiated findings archival and expanded exposure definitions with examples. Enhanced exposure finding explanation with AWS service integrations.
Security assessment
The changes clarify security concepts (exposures, archival) and integration with security services like Inspector/GuardDuty, but there's no evidence of addressing a specific vulnerability. Adds documentation about security feature usage.
Diff
diff --git a/securityhub/latest/userguide/securityhub-v2-concepts.md b/securityhub/latest/userguide/securityhub-v2-concepts.md index cc3db5868..d316d24e0 100644 --- a//securityhub/latest/userguide/securityhub-v2-concepts.md +++ b//securityhub/latest/userguide/securityhub-v2-concepts.md @@ -58 +58 @@ A finding with a status of `ARCHIVED`. These findings indicate the finding provi -Finding providers can archive findings they create. +Finding providers can archive findings they create. Customers can archive any findings that they believe are no longer relevant using the [BatchUpdateFindingsV2](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindingsV2.html) operation of the Security Hub API or by updating the status in the Security Hub console. @@ -94 +94,12 @@ The organization management account must then choose the delegated administrator -A potential security scenario in your account that may be due to vulnerabilities, exploitable resources, or misconfigurations. +Exposures are broader weaknesses in security controls, misconfigurations, or other areas that could be exploited by active threats. + +Examples of exposures include: + + * Mis-configured control plane for a resource. + + * Presence of a software vulnerability that has a high potential for exploitability. + + * Publicly accessible resource (network or API). + + + @@ -99 +110,3 @@ A potential security scenario in your account that may be due to vulnerabilities -A type of finding that describes an exposure present in your environment. An exposure finding includes traits and signals. A signal can include one or more types of exposure traits. Security Hub generates an exposure finding when signals from Security Hub CSPM control findings or other AWS services, such as Amazon Inspector, indicate the presence of an exposure. A resource can have at most one exposure finding. Security Hub generates an exposure finding when a resource is exposed. If a resource doesn't have any exposure traits or has insufficient traits, Security Hub doesn't generate an exposure finding for that resource. +A type of finding that describes an exposure present in your environment. An exposure finding includes traits and signals. A signal can include one or more types of exposure traits. AWS Security Hub generates an exposure finding when signals from AWS Security Hub CSPM, Amazon Inspector, Amazon GuardDuty, Amazon Macie, or other AWS services, indicate the presence of an exposure. A resource can be involved in one or more exposure findings. If a resource doesn't have any exposure traits or has insufficient traits, Security Hub doesn't generate an exposure finding for that resource. + +An example of an exposure finding is: An EC2 instance that is reachable from the internet and has software vulnerabilities which have a high liklihood of exploitation.