AWS securityhub documentation change
Summary
Removed AWS Control Tower standard documentation and added new security controls for CloudFormation, Cognito, EC2, ECS, and SES services
Security assessment
The changes add new security controls (CloudFormation.3, Cognito.4-6, EC2.182, ECS.18, SES.3) which document enhanced security monitoring capabilities. The removal of AWS Control Tower references appears to be standard documentation cleanup without security implications. No evidence of addressing specific vulnerabilities exists.
Diff
diff --git a/securityhub/latest/userguide/controls-config-resources.md b/securityhub/latest/userguide/controls-config-resources.md index e64b8d803..d7ad7c4f2 100644 --- a//securityhub/latest/userguide/controls-config-resources.md +++ b//securityhub/latest/userguide/controls-config-resources.md @@ -5 +5 @@ -Required resources for all Security Hub CSPM controlsRequired resources for the AWS Foundational Security Best Practices standardRequired resources for the CIS AWS Foundations BenchmarkRequired resources for the NIST SP 800-53 Revision 5 standardRequired resources for the NIST SP 800-171 Revision 2 standardRequired resources for PCI DSS v3.2.1Required resources for the AWS Resource Tagging standardRequired resources for the AWS Control Tower service-managed standard +Required resources for all Security Hub CSPM controlsRequired resources for the AWS Foundational Security Best Practices standardRequired resources for the CIS AWS Foundations BenchmarkRequired resources for the NIST SP 800-53 Revision 5 standardRequired resources for the NIST SP 800-171 Revision 2 standardRequired resources for PCI DSS v3.2.1Required resources for the AWS Resource Tagging standard @@ -35,2 +34,0 @@ In AWS Regions where a control isn't available, the corresponding resource isn't - * Required resources for the AWS Control Tower service-managed standard - @@ -69 +67 @@ Amazon Athena | `AWS::Athena::DataCatalog` | Athena.2 -AWS CloudFormation | `AWS::CloudFormation::Stack` | CloudFormation.2 +AWS CloudFormation | `AWS::CloudFormation::Stack` | CloudFormation.2 CloudFormation.3 @@ -79 +77 @@ Amazon Cognito | `AWS::Cognito::IdentityPool` | Cognito.2 -`AWS::Cognito::UserPool` | Cognito.1 Cognito.3 +`AWS::Cognito::UserPool` | Cognito.1 Cognito.3 Cognito.4 Cognito.5 Cognito.6 @@ -104,0 +103 @@ Amazon Elastic Compute Cloud (EC2) | `AWS::EC2::ClientVpnEndpoint` | EC2.51 +`AWS::EC2::SnapshotBlockPublicAccess` | EC2.182 @@ -129 +128 @@ Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Cluster` | ECS.12 EC -`AWS::ECS::TaskDefinition` | ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 +`AWS::ECS::TaskDefinition` | ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 ECS.18 @@ -220 +219 @@ AWS Service Catalog | `AWS::ServiceCatalog::Portfolio` | ServiceCatalog.1 -Amazon Simple Email Service (Amazon SES) | `AWS::SES::ConfigurationSet` | SES.2 +Amazon Simple Email Service (Amazon SES) | `AWS::SES::ConfigurationSet` | SES.2 SES.3 @@ -261 +260 @@ Amazon EC2 Systems Manager (SSM) | `AWS::SSM::AssociationCompliance`, `AWS::SS -Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` +Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SnapshotBlockPublicAccess`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` @@ -491,34 +489,0 @@ AWS Transfer Family | `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, -## Required resources for the AWS Control Tower service-managed standard - -For Security Hub CSPM to accurately report findings for change triggered controls that apply to the AWS Control Tower service-managed standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [Service-Managed Standard: AWS Control Tower](./service-managed-standard-aws-control-tower.html). - -AWS service | Resource types ----|--- -Amazon API Gateway | `AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage` -AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` -AWS CodeBuild | `AWS::CodeBuild::Project` -Amazon DynamoDB | `AWS::DynamoDB::Table` -Amazon Elastic Compute Cloud (EC2) | `AWS::EC2::Instance` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::VPNConnection` `AWS::EC2::Volume` -Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration` -Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` -Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition` -Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint` -Amazon EKS | `AWS::EKS::Cluster` -ElasticBeanstalk | `AWS::ElasticBeanstalk::Environment` -Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::LoadBalancer` -ElasticSearch | `AWS::Elasticsearch::Domain` -AWS Identity and Access Management (IAM) | `AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User` -AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias` `AWS::KMS::Key` -Amazon Kinesis | `AWS::Kinesis::Stream` -AWS Lambda | `AWS::Lambda::Function` -AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup` -Amazon OpenSearch Service | `AWS::OpenSearch::Domain` -Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription` -Amazon Redshift | `AWS::Redshift::Cluster` -Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccountPublicAccessBlock` `AWS::S3::Bucket` -Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` -Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` -AWS Secrets Manager | `AWS::SecretsManager::Secret` -Amazon EC2 Systems Manager (SSM) | `AWS::SSM::AssociationCompliance` `AWS::SSM::ManagedInstanceInventory` `AWS::SSM::PatchCompliance` -AWS WAF | `AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL` `AWS::WAFv2::WebACL` -