AWS Security ChangesHomeSearch

AWS managedservices documentation change

Service: managedservices · 2025-12-10 · Documentation low

File: managedservices/latest/userguide/scp-library-compliance.md

Summary

Updated SCP-AMS-024 policy name and description from 'Security Hub' to 'Security Hub CSPM'

Security assessment

The change clarifies the scope of an existing security control policy (SCP) by specifying CSPM (Cloud Security Posture Management) in Security Hub references. This enhances documentation accuracy but doesn't indicate a response to a specific vulnerability. SCPs are preventive security controls by nature, but the change itself is a documentation refinement rather than addressing a newly discovered security issue.

Diff

diff --git a/managedservices/latest/userguide/scp-library-compliance.md b/managedservices/latest/userguide/scp-library-compliance.md
index 8f2404d61..88be3e619 100644
--- a//managedservices/latest/userguide/scp-library-compliance.md
+++ b//managedservices/latest/userguide/scp-library-compliance.md
@@ -5 +5 @@
-SCP-AMS-001: Restrict EBS creationSCP-AMS-002: Restrict EC2 launchSCP-ADV-001: Restrict RFC submissionsSCP-AMS-003: Restrict EC2 or RDS creationSCP-AMS-004: Restrict S3 uploadsSCP-AMS-005: Restrict API and console accessSCP-AMS-006: Prevent IAM entity from removing member account from the organizationSCP-AMS-007: Prevent sharing resources to accounts outside your organizationSCP-AMS-008: Prevent sharing with organizations or organizational units (OUs)SCP-AMS-009: Prevent users from accepting resource share invitationsSCP-AMS-010: Prevent account Region enable and disable actionsSCP-AMS-011: Prevent billing modification actionsSCP-AMS-012: Prevent deletion or modification to specific CloudTrailsSCP-AMS-013: Prevent disabling default EBS encryptionSCP-AMS-014: Prevent creating default VPC and subnetSCP-AMS-015: Prevent disabling and modifying GuardDutySCP-AMS-016: Prevent root user activitySCP-AMS-017: Prevent creating access keys for the root userSCP-AMS-018: Prevent disabling S3 account public access blockSCP-AMS-019: Prevent disabling AWS Config or modifying Config rulesSCP-AMS-020: Prevent all IAM actionsSCP-AMS-021: Prevent deleting CloudWatch Logs groups and streamsSCP-AMS-022: Prevent Glacier deletionSCP-AMS-023: Prevent deletion of IAM Access AnalyzerSCP-AMS-024: Prevent modifications to Security HubSCP-AMS-025: Prevent deletion under Directory ServiceSCP-AMS-026: Prevent use of denylisted serviceSCP-AMS-027: Prevent use of denylisted service in specific RegionsSCP-AMS-028: Prevent tags from being modified except by authorized principalsSCP-AMS-029: Prevent users from deleting Amazon VPC Flow LogsSCP-AMS-030: Prevent sharing VPC subnet with account other than network accountSCP-AMS-031: Prevent launching instances with prohibited instance typesSCP-AMS-032: Prevent launching instances without IMDSv2SCP-AMS-033: Prevent modifications to specific IAM roleSCP-AMS-034: Prevent AssumeRolePolicy modification on specific IAM rolesConfigRule: Required tagsConfigRule: Access key rotatedConfigRule: IAM root access keyConfigRule: SSM managed EC2ConfigRule: Unused IAM userConfigRule: S3 bucket loggingConfigRule: S3 bucket versioningConfigRule: S3 public accessConfigRule: Non-archived GuardDuty findingsConfigRule: CMK deletionConfigRule: CMK rotation
+SCP-AMS-001: Restrict EBS creationSCP-AMS-002: Restrict EC2 launchSCP-ADV-001: Restrict RFC submissionsSCP-AMS-003: Restrict EC2 or RDS creationSCP-AMS-004: Restrict S3 uploadsSCP-AMS-005: Restrict API and console accessSCP-AMS-006: Prevent IAM entity from removing member account from the organizationSCP-AMS-007: Prevent sharing resources to accounts outside your organizationSCP-AMS-008: Prevent sharing with organizations or organizational units (OUs)SCP-AMS-009: Prevent users from accepting resource share invitationsSCP-AMS-010: Prevent account Region enable and disable actionsSCP-AMS-011: Prevent billing modification actionsSCP-AMS-012: Prevent deletion or modification to specific CloudTrailsSCP-AMS-013: Prevent disabling default EBS encryptionSCP-AMS-014: Prevent creating default VPC and subnetSCP-AMS-015: Prevent disabling and modifying GuardDutySCP-AMS-016: Prevent root user activitySCP-AMS-017: Prevent creating access keys for the root userSCP-AMS-018: Prevent disabling S3 account public access blockSCP-AMS-019: Prevent disabling AWS Config or modifying Config rulesSCP-AMS-020: Prevent all IAM actionsSCP-AMS-021: Prevent deleting CloudWatch Logs groups and streamsSCP-AMS-022: Prevent Glacier deletionSCP-AMS-023: Prevent deletion of IAM Access AnalyzerSCP-AMS-024: Prevent modifications to Security Hub CSPMSCP-AMS-025: Prevent deletion under Directory ServiceSCP-AMS-026: Prevent use of denylisted serviceSCP-AMS-027: Prevent use of denylisted service in specific RegionsSCP-AMS-028: Prevent tags from being modified except by authorized principalsSCP-AMS-029: Prevent users from deleting Amazon VPC Flow LogsSCP-AMS-030: Prevent sharing VPC subnet with account other than network accountSCP-AMS-031: Prevent launching instances with prohibited instance typesSCP-AMS-032: Prevent launching instances without IMDSv2SCP-AMS-033: Prevent modifications to specific IAM roleSCP-AMS-034: Prevent AssumeRolePolicy modification on specific IAM rolesConfigRule: Required tagsConfigRule: Access key rotatedConfigRule: IAM root access keyConfigRule: SSM managed EC2ConfigRule: Unused IAM userConfigRule: S3 bucket loggingConfigRule: S3 bucket versioningConfigRule: S3 public accessConfigRule: Non-archived GuardDuty findingsConfigRule: CMK deletionConfigRule: CMK rotation
@@ -436 +436 @@ Prevent the deletion of IAM Access Analyzer.
-## SCP-AMS-024: Prevent modifications to Security Hub
+## SCP-AMS-024: Prevent modifications to Security Hub CSPM
@@ -438 +438 @@ Prevent the deletion of IAM Access Analyzer.
-Prevent the deletion of AWS Security Hub.
+Prevent the deletion of AWS Security Hub CSPM.