AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-11-22 · Documentation low

File: securityhub/latest/userguide/securityhub-v2-enable.md

Summary

Added clarification about service-linked recorder creation for global resources in home region and organizational setup note

Security assessment

The change clarifies how global resource monitoring works through automatic creation of additional service-linked recorders in home regions. While this improves configuration accuracy for security visibility, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/securityhub/latest/userguide/securityhub-v2-enable.md b/securityhub/latest/userguide/securityhub-v2-enable.md
index a385449a5..cc9c39457 100644
--- a//securityhub/latest/userguide/securityhub-v2-enable.md
+++ b//securityhub/latest/userguide/securityhub-v2-enable.md
@@ -20,0 +21,4 @@ This section includes three steps. In Step 1, the AWS organization management ac
+###### Note
+
+This step only needs to be completed in one region of the organization management account. 
+
@@ -75 +79 @@ This procedure assumes the AWS organization management account has not previousl
-After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked). 
+After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all). 
@@ -96 +100 @@ This step is for the delegated administrator to complete. After the AWS organiza
-After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked). 
+After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all). 
@@ -117 +121 @@ This procedure describes how to enable Security Hub in a standalone account. A s
-After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked). 
+After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).