AWS securityhub documentation change
Summary
Updated documentation to consistently reference 'Security Hub CSPM' instead of 'Security Hub' across multiple controls and configurations. Added CSPM branding to control descriptions, Config rule references, and audit process explanations.
Security assessment
The changes emphasize CSPM (Cloud Security Posture Management) capabilities but do not address a specific vulnerability or incident. This appears to be documentation standardization/clarification rather than a direct security fix. However, it enhances documentation about security features (CSPM controls).
Diff
diff --git a/securityhub/latest/userguide/cloudwatch-controls.md b/securityhub/latest/userguide/cloudwatch-controls.md index 5ff55836f..72aaf39f4 100644 --- a//securityhub/latest/userguide/cloudwatch-controls.md +++ b//securityhub/latest/userguide/cloudwatch-controls.md @@ -7 +7 @@ -# Security Hub controls for Amazon CloudWatch +# Security Hub CSPM controls for Amazon CloudWatch @@ -9 +9 @@ -These AWS Security Hub controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub CSPM controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -21 +21 @@ These AWS Security Hub controls evaluate the Amazon CloudWatch service and resou -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -31 +31 @@ As a best practice, use your root user credentials only when required to [ perfo -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 1.7 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 1.7 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -35 +35 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -48 +48 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -50 +50 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -52 +52 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -57 +57 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -99 +99 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -109 +109 @@ CIS recommends that you create a metric filter and alarm for unauthorized API ca -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the [CIS AWS Foundations Benchmark v1.2](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 3.1 in the [CIS AWS Foundations Benchmark v1.2](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -113 +113 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -126 +126 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -128 +128 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -130 +130 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -135 +135 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -177 +177 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -187 +187 @@ CIS recommends that you create a metric filter and alarm console logins that are -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the [CIS AWS Foundations Benchmark v1.2](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 3.2 in the [CIS AWS Foundations Benchmark v1.2](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -191 +191 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -204 +204 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -206 +206 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -208 +208 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -213 +213 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -255 +255 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -267 +267 @@ CIS recommends that you create a metric filter and alarm for changes made to IAM -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -280 +280 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -282 +282 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -284 +284 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -289 +289 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -335 +335 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -345 +345 @@ CIS recommends that you create a metric filter and alarm for changes to CloudTra -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 4.5 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.5 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -349 +349 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -362 +362 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -364 +364 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -366 +366 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -371 +371 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -413 +413 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -423 +423 @@ CIS recommends that you create a metric filter and alarm for failed console auth -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 4.6 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.6 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -427 +427 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -440 +440 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -442 +442 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -444 +444 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -449 +449 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -491 +491 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -501 +501 @@ CIS recommends that you create a metric filter and alarm for customer managed ke -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 4.7 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. The control also fails if `ExcludeManagementEventSources` contains `kms.amazonaws.com`. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.7 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. The control also fails if `ExcludeManagementEventSources` contains `kms.amazonaws.com`. @@ -505 +505 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -518 +518 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -520 +520 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -522 +522 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -527 +527 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -569 +569 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -579 +579 @@ CIS recommends that you create a metric filter and alarm for changes to S3 bucke -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 4.8 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.8 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -583 +583 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -596 +596 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -598 +598 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -600 +600 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -605 +605 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -647 +647 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -657 +657 @@ CIS recommends that you create a metric filter and alarm for changes to AWS Conf -To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 4.9 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. +To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.9 in the [CIS AWS Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. @@ -661 +661 @@ To run this check, Security Hub uses custom logic to perform the exact audit ste -When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. +When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. @@ -674 +674 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based. + * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based. @@ -676 +676 @@ The check results in a control status of `NO_DATA` in the following cases: - * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail. + * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail. @@ -678 +678 @@ The check results in a control status of `NO_DATA` in the following cases: -We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation. +We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation. @@ -683 +683 @@ We recommend organization trails to log events from many accounts in an organiza -For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub generates `WARNING` findings for the control. +For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control. @@ -725 +725 @@ than... | `1` -**AWS Config rule:** None (custom Security Hub rule) +**AWS Config rule:** None (custom Security Hub CSPM rule) @@ -735 +735 @@ CIS recommends that you create a metric filter and alarm for changes to security