AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-12-10 · Documentation low

File: securityhub/latest/userguide/es-controls.md

Summary

Updated product name references from 'Security Hub' to 'Security Hub CSPM' throughout the document. Added CSPM branding to titles, control descriptions, and config rule references.

Security assessment

Changes are purely rebranding updates without altering security recommendations. The security content about VPC deployment, audit logging, node fault tolerance, HTTPS requirements, and tagging remains unchanged.

Diff

diff --git a/securityhub/latest/userguide/es-controls.md b/securityhub/latest/userguide/es-controls.md
index e888121a7..6d7dfb8f5 100644
--- a//securityhub/latest/userguide/es-controls.md
+++ b//securityhub/latest/userguide/es-controls.md
@@ -7 +7 @@
-# Security Hub for Elasticsearch
+# Security Hub CSPM for Elasticsearch
@@ -9 +9 @@
-These AWS Security Hub controls evaluate the Elasticsearch service and resources.
+These AWS Security Hub CSPM controls evaluate the Elasticsearch service and resources.
@@ -59 +59 @@ This control checks whether Elasticsearch domains are in a VPC. It does not eval
-Elasticsearch domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Elasticsearch domains, including network ACL and security groups. Security Hub recommends that you migrate public Elasticsearch domains to VPCs to take advantage of these controls.
+Elasticsearch domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Elasticsearch domains, including network ACL and security groups. Security Hub CSPM recommends that you migrate public Elasticsearch domains to VPCs to take advantage of these controls.
@@ -132 +132 @@ For information on how to enable log publishing, see [Enabling log publishing (c
-**AWS Config rule:** `elasticsearch-audit-logging-enabled` (custom Security Hub rule)
+**AWS Config rule:** `elasticsearch-audit-logging-enabled` (custom Security Hub CSPM rule)
@@ -138 +138 @@ For information on how to enable log publishing, see [Enabling log publishing (c
-  * `cloudWatchLogsLogGroupArnList` (not customizable). Security Hub does not populate this parameter. Comma-separated list of CloudWatch Logs log groups that should be configured for audit logs.
+  * `cloudWatchLogsLogGroupArnList` (not customizable). Security Hub CSPM does not populate this parameter. Comma-separated list of CloudWatch Logs log groups that should be configured for audit logs.
@@ -163 +163 @@ For detailed instructions on enabling audit logs, see [Enabling audit logs](http
-**AWS Config rule:** `elasticsearch-data-node-fault-tolerance` (custom Security Hub rule)
+**AWS Config rule:** `elasticsearch-data-node-fault-tolerance` (custom Security Hub CSPM rule)
@@ -202 +202 @@ For three Availability Zone deployments, set to a multiple of three to ensure eq
-**AWS Configrule:** `elasticsearch-primary-node-fault-tolerance` (custom Security Hub rule)
+**AWS Configrule:** `elasticsearch-primary-node-fault-tolerance` (custom Security Hub CSPM rule)
@@ -241 +241 @@ An Elasticsearch domain requires at least three dedicated primary nodes for high
-**AWS Config rule:** `elasticsearch-https-required` (custom Security Hub rule)
+**AWS Config rule:** `elasticsearch-https-required` (custom Security Hub CSPM rule)
@@ -263 +263 @@ To enable TLS encryption, use the [UpdateDomainConfig](https://docs.aws.amazon.c
-**AWS Config rule:** `tagged-elasticsearch-domain` (custom Security Hub rule)
+**AWS Config rule:** `tagged-elasticsearch-domain` (custom Security Hub CSPM rule)
@@ -269 +269 @@ To enable TLS encryption, use the [UpdateDomainConfig](https://docs.aws.amazon.c
-Parameter | Description | Type | Allowed custom values | Security Hub default value  
+Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value