AWS securityhub documentation change
Summary
Updated documentation to replace 'Security Hub' with 'Security Hub CSPM' throughout the CloudTrail controls guide, including title, recommendations, and configuration rule references.
Security assessment
The changes are branding updates (adding 'CSPM' to Security Hub references) without modifying security recommendations or addressing vulnerabilities. CloudTrail security controls like log file validation and S3 bucket protections remain unchanged.
Diff
diff --git a/securityhub/latest/userguide/cloudtrail-controls.md b/securityhub/latest/userguide/cloudtrail-controls.md index 6c3d0980a..073401557 100644 --- a//securityhub/latest/userguide/cloudtrail-controls.md +++ b//securityhub/latest/userguide/cloudtrail-controls.md @@ -7 +7 @@ -# Security Hub controls for AWS CloudTrail +# Security Hub CSPM controls for AWS CloudTrail @@ -9 +9 @@ -These AWS Security Hub controls evaluate the AWS CloudTrail service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub CSPM controls evaluate the AWS CloudTrail service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -145 +145 @@ CloudTrail log file validation creates a digitally signed digest file that conta -Security Hub recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs. +Security Hub CSPM recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs. @@ -188 +188 @@ For a trail that is enabled in all Regions in an account, CloudTrail sends log f -Security Hub recommends that you send CloudTrail logs to CloudWatch Logs. Note that this recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs to set this up with your AWS services. This recommendation does not preclude the use of a different solution. +Security Hub CSPM recommends that you send CloudTrail logs to CloudWatch Logs. Note that this recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs to set this up with your AWS services. This recommendation does not preclude the use of a different solution. @@ -206 +206 @@ To integrate CloudTrail with CloudWatch Logs, see [Sending events to CloudWatch -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -214 +214 @@ CloudTrail logs a record of every API call made in your account. These log files -To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. +To run this check, Security Hub CSPM first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. @@ -216 +216 @@ To run this check, Security Hub first uses custom logic to look for the S3 bucke -If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is **No data**. +If you aggregate your logs into a single centralized S3 bucket, then Security Hub CSPM only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is **No data**. @@ -234 +234 @@ To block public access to your CloudTrail S3 bucket, see [Configuring block publ -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -246 +246 @@ By enabling S3 bucket logging on target S3 buckets, you can capture all events t -To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. +To run this check, Security Hub CSPM first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. @@ -248 +248 @@ To run this check, Security Hub first uses custom logic to look for the bucket w -If CloudTrail delivers log files from multiple AWS accounts into a single destination Amazon S3 bucket, Security Hub evaluates this control only against the destination bucket in the Region where it's located. This streamlines your findings. However, you should turn on CloudTrail in all accounts that deliver logs to the destination bucket. For all accounts except the one that holds the destination bucket, the control status is **No data**. +If CloudTrail delivers log files from multiple AWS accounts into a single destination Amazon S3 bucket, Security Hub CSPM evaluates this control only against the destination bucket in the Region where it's located. This streamlines your findings. However, you should turn on CloudTrail in all accounts that deliver logs to the destination bucket. For all accounts except the one that holds the destination bucket, the control status is **No data**. @@ -262 +262 @@ To enable server access logging for your CloudTrail S3 bucket, see [Enabling Ama -**AWS Config rule:** `tagged-cloudtrail-trail` (custom Security Hub rule) +**AWS Config rule:** `tagged-cloudtrail-trail` (custom Security Hub CSPM rule) @@ -268 +268 @@ To enable server access logging for your CloudTrail S3 bucket, see [Enabling Ama -Parameter | Description | Type | Allowed custom values | Security Hub default value +Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value @@ -300 +300 @@ To add tags to a CloudTrail trail, see [AddTags](https://docs.aws.amazon.com/aws -Parameter | Description | Type | Allowed custom values | Security Hub default value +Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value