AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-12-10 · Documentation low

File: prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.md

Summary

Updated all references from 'Security Hub' to 'Security Hub CSPM' to clarify the use of Cloud Security Posture Management features

Security assessment

The changes are purely terminological updates replacing 'Security Hub' with 'Security Hub CSPM' for accuracy. There is no evidence of addressing a specific security vulnerability, incident, or weakness. The modifications maintain existing security guidance about auditing security groups without introducing new security content or features.

Diff

diff --git a/prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.md b/prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.md
index ca255c5da..67a984e1b 100644
--- a//prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.md
+++ b//prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.md
@@ -13 +13 @@ SummaryPrerequisites and limitationsArchitectureToolsBest practicesEpicsTroubles
-As a security best practice, it's crucial to minimize the exposure of AWS resources to only what is absolutely necessary. For example, web servers that serve the general public need to allow inbound access from the internet, but access to other workloads should be restricted to specific networks to reduce unnecessary exposure. [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in Amazon Virtual Private Cloud (Amazon VPC) are an effective control to help you limit resource access. However, evaluating security groups can be a cumbersome task, especially in multi-account architectures. [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) and [AWS Security Hub controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-view-manage.html) can help you identify security groups that permit access from the public internet (0.0.0.0/0) to specific network communication protocols, such as Secure Shell (SSH), HTTP, HTTPS, and Windows remote desktop protocol (RDP). However, these rules and controls are not applicable if services run on non-standard ports or if access is restricted to certain public IP addresses. For instance, this might occur when a web service is associated with TCP port 8443 instead of the standard TCP port 443. This might also occur when developers have access to the server from their home networks, such as for testing purposes.
+As a security best practice, it's crucial to minimize the exposure of AWS resources to only what is absolutely necessary. For example, web servers that serve the general public need to allow inbound access from the internet, but access to other workloads should be restricted to specific networks to reduce unnecessary exposure. [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in Amazon Virtual Private Cloud (Amazon VPC) are an effective control to help you limit resource access. However, evaluating security groups can be a cumbersome task, especially in multi-account architectures. [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) and [AWS Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-view-manage.html) can help you identify security groups that permit access from the public internet (0.0.0.0/0) to specific network communication protocols, such as Secure Shell (SSH), HTTP, HTTPS, and Windows remote desktop protocol (RDP). However, these rules and controls are not applicable if services run on non-standard ports or if access is restricted to certain public IP addresses. For instance, this might occur when a web service is associated with TCP port 8443 instead of the standard TCP port 443. This might also occur when developers have access to the server from their home networks, such as for testing purposes.
@@ -31 +31 @@ To address this, you can use the infrastructure as code (IaC) solution provided
-    * (Optional) Security Hub [set up](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-manual-setup-overview) in the target account
+    * (Optional) Security Hub CSPM [set up](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-manual-setup-overview) in the target account
@@ -37 +37 @@ To address this, you can use the infrastructure as code (IaC) solution provided
-    * Security Hub [set up](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-orgs-setup-overview) with AWS Organizations integration
+    * Security Hub CSPM [set up](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-orgs-setup-overview) with AWS Organizations integration
@@ -41 +41 @@ To address this, you can use the infrastructure as code (IaC) solution provided
-    * Designate an AWS account to be the delegated administrator for AWS Config and Security Hub
+    * Designate an AWS account to be the delegated administrator for AWS Config and Security Hub CSPM
@@ -48 +48 @@ To address this, you can use the infrastructure as code (IaC) solution provided
-  * If you're deploying to an individual account that doesn't have Security Hub enabled, you can use AWS Config to evaluate the findings.
+  * If you're deploying to an individual account that doesn't have Security Hub CSPM enabled, you can use AWS Config to evaluate the findings.
@@ -50 +50 @@ To address this, you can use the infrastructure as code (IaC) solution provided
-  * If you're deploying to an organization that doesn't have a delegated administrator for AWS Config and Security Hub, you must log into the individual member accounts to view the findings.
+  * If you're deploying to an organization that doesn't have a delegated administrator for AWS Config and Security Hub CSPM, you must log into the individual member accounts to view the findings.
@@ -63 +63 @@ To address this, you can use the infrastructure as code (IaC) solution provided
-The following architecture diagram shows the deployment of the AWS resources within a single AWS account. You provision the resources by using a CloudFormation template directly through the CloudFormation console. If Security Hub is enabled, you can view the results in either AWS Config or Security Hub. If Security Hub is not enabled, you can view the results only in AWS Config.
+The following architecture diagram shows the deployment of the AWS resources within a single AWS account. You provision the resources by using a CloudFormation template directly through the CloudFormation console. If Security Hub CSPM is enabled, you can view the results in either AWS Config or Security Hub CSPM. If Security Hub CSPM is not enabled, you can view the results only in AWS Config.
@@ -75 +75 @@ The diagram shows the following workflow:
-  4. Security Hub receives all of the AWS Config findings.
+  4. Security Hub CSPM receives all of the AWS Config findings.
@@ -77 +77 @@ The diagram shows the following workflow:
-  5. You can view the findings in Security Hub or in AWS Config, depending on the services that you have set up in the account.
+  5. You can view the findings in Security Hub CSPM or in AWS Config, depending on the services that you have set up in the account.
@@ -84 +84 @@ The diagram shows the following workflow:
-The following diagram shows deployment of the pattern across multiple accounts that are managed through AWS Organizations and AWS Control Tower. You deploy the CloudFormation template through CfCT. The assessment outcomes are centralized in Security Hub in the delegated administrator account. The AWS CodePipeline workflow section of the diagram shows the background steps that occur during CfCT deployment.
+The following diagram shows deployment of the pattern across multiple accounts that are managed through AWS Organizations and AWS Control Tower. You deploy the CloudFormation template through CfCT. The assessment outcomes are centralized in Security Hub CSPM in the delegated administrator account. The AWS CodePipeline workflow section of the diagram shows the background steps that occur during CfCT deployment.
@@ -100 +100 @@ The diagram shows the following workflow:
-  6. AWS Config forwards all of the findings to Security Hub.
+  6. AWS Config forwards all of the findings to Security Hub CSPM.
@@ -102 +102 @@ The diagram shows the following workflow:
-  7. The Security Hub findings are aggregated in the delegated administrator account.
+  7. The Security Hub CSPM findings are aggregated in the delegated administrator account.
@@ -104 +104 @@ The diagram shows the following workflow:
-  8. You can view the aggregated findings in Security Hub in the delegated administrator account.
+  8. You can view the aggregated findings in Security Hub CSPM in the delegated administrator account.
@@ -123 +123 @@ The diagram shows the following workflow:
-  * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.
+  * [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.
@@ -192 +192 @@ Task| Description| Skills required
-View the AWS Config rule findings.| In Security Hub, do the following to view a list of individual findings:
+View the AWS Config rule findings.| In Security Hub CSPM, do the following to view a list of individual findings:
@@ -194 +194 @@ View the AWS Config rule findings.| In Security Hub, do the following to view a
-  1. Open the [Security Hub console](https://console.aws.amazon.com/securityhub/).
+  1. Open the [Security Hub CSPM console](https://console.aws.amazon.com/securityhub/).
@@ -201 +201 @@ View the AWS Config rule findings.| In Security Hub, do the following to view a
-In Security Hub, do the following to view a list of total findings grouped by AWS account:
+In Security Hub CSPM, do the following to view a list of total findings grouped by AWS account:
@@ -203 +203 @@ In Security Hub, do the following to view a list of total findings grouped by AW
-  1. Open the [Security Hub console](https://console.aws.amazon.com/securityhub/).
+  1. Open the [Security Hub CSPM console](https://console.aws.amazon.com/securityhub/).