AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-12-10 · Documentation low

File: securityhub/latest/userguide/iam-controls.md

Summary

Updated all references from 'Security Hub' to 'Security Hub CSPM' throughout the document, including in control names, recommendations, and parameter references. Also updated the title and references to PCI DSS standards to reflect the product name change.

Security assessment

The changes are purely branding/naming updates replacing 'Security Hub' with 'Security Hub CSPM' without altering security recommendations, controls, or addressing vulnerabilities. No evidence of security fixes or new security content was introduced.

Diff

diff --git a/securityhub/latest/userguide/iam-controls.md b/securityhub/latest/userguide/iam-controls.md
index 596ecf1d7..3281a086f 100644
--- a//securityhub/latest/userguide/iam-controls.md
+++ b//securityhub/latest/userguide/iam-controls.md
@@ -7 +7 @@
-# Security Hub controls for AWS Identity and Access Management
+# Security Hub CSPM controls for AWS Identity and Access Management
@@ -9 +9 @@
-These AWS Security Hub controls evaluate the AWS Identity and Access Management (IAM) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub CSPM controls evaluate the AWS Identity and Access Management (IAM) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -44 +44 @@ You should remove IAM policies that have a statement with `"Effect": "Allow" `wi
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -72 +72 @@ By default, IAM users, groups, and roles have no access to AWS resources. IAM po
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, you can disable this control in all Regions except the Region where you record global resources.
@@ -109 +109 @@ To learn more about protecting your access keys and account, see [Best practices
-If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. 
+If you already have an access key, Security Hub CSPM recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. 
@@ -117 +117 @@ If your organization uses AWS IAM Identity Center (IAM Identity Center), your us
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -143 +143 @@ The root user is the most privileged user in an AWS account. AWS access keys pro
-Security Hub recommends that you remove all access keys that are associated with the root user. This limits that vectors that can be used to compromise your account. It also encourages the creation and use of role-based accounts that are least privileged. 
+Security Hub CSPM recommends that you remove all access keys that are associated with the root user. This limits that vectors that can be used to compromise your account. It also encourages the creation and use of role-based accounts that are least privileged. 
@@ -173 +173 @@ We recommend that you enable MFA for all accounts that have a console password.
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -201 +201 @@ Virtual MFA might not provide the same level of security as hardware MFA devices
-Security Hub evaluates this control based on the presence of root user credentials (login profile) in an AWS account. The control generates `PASSED` findings in the following cases:
+Security Hub CSPM evaluates this control based on the presence of root user credentials (login profile) in an AWS account. The control generates `PASSED` findings in the following cases:
@@ -232 +232 @@ For information about enabling hardware MFA for the root user, see [Multi-factor
-Parameter | Description | Type | Allowed custom values | Security Hub default value  
+Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value  
@@ -242 +242 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-This control checks whether the account password policy for IAM users uses strong configurations. The control fails if the password policy doesn't use strong configurations. Unless you provide custom parameter values, Security Hub uses the default values mentioned in the preceding table. The `PasswordReusePrevention` and `MaxPasswordAge` parameters have no default value, so if you exclude these parameters, Security Hub ignores number of password rotations and password age when evaluating this control.
+This control checks whether the account password policy for IAM users uses strong configurations. The control fails if the password policy doesn't use strong configurations. Unless you provide custom parameter values, Security Hub CSPM uses the default values mentioned in the preceding table. The `PasswordReusePrevention` and `MaxPasswordAge` parameters have no default value, so if you exclude these parameters, Security Hub CSPM ignores number of password rotations and password age when evaluating this control.
@@ -244 +244 @@ This control checks whether the account password policy for IAM users uses stron
-To access the AWS Management Console, IAM users need passwords. As a best practice, Security Hub highly recommends that instead of creating IAM users, you use federation. Federation allows users to use their existing corporate credentials to log into the AWS Management Console. Use AWS IAM Identity Center (IAM Identity Center) to create or federate the user, and then assume an IAM role into an account.
+To access the AWS Management Console, IAM users need passwords. As a best practice, Security Hub CSPM highly recommends that instead of creating IAM users, you use federation. Federation allows users to use their existing corporate credentials to log into the AWS Management Console. Use AWS IAM Identity Center (IAM Identity Center) to create or federate the user, and then assume an IAM role into an account.
@@ -248 +248 @@ To learn more about identity providers and federation, see [Identity providers a
-If you need to use IAM users, Security Hub recommends that you enforce the creation of strong user passwords. You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for passwords. When you create or change a password policy, most of the password policy settings are enforced the next time users change their passwords. Some of the settings are enforced immediately.
+If you need to use IAM users, Security Hub CSPM recommends that you enforce the creation of strong user passwords. You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for passwords. When you create or change a password policy, most of the password policy settings are enforced the next time users change their passwords. Some of the settings are enforced immediately.
@@ -279 +279 @@ IAM users can access AWS resources using different types of credentials, such as
-Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.
+Security Hub CSPM recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.
@@ -283 +283 @@ Security Hub recommends that you remove or deactivate all credentials that were
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -363 +363 @@ This control checks whether the account password policy for IAM users uses the f
-On May 30, 2025, Security Hub removed this control from the PCI DSS v4.0.1 standard. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. This control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements.
+On May 30, 2025, Security Hub CSPM removed this control from the PCI DSS v4.0.1 standard. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. This control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements.
@@ -365 +365 @@ On May 30, 2025, Security Hub removed this control from the PCI DSS v4.0.1 stand
-To evaluate account password policies against PCI DSS v4.0.1 requirements, you can use the IAM.7 control. This control requires passwords to have a minimum of 8 characters. It also supports custom values for password length and other parameters. The IAM.7 control is part of the PCI DSS v4.0.1 standard in Security Hub.
+To evaluate account password policies against PCI DSS v4.0.1 requirements, you can use the IAM.7 control. This control requires passwords to have a minimum of 8 characters. It also supports custom values for password length and other parameters. The IAM.7 control is part of the PCI DSS v4.0.1 standard in Security Hub CSPM.
@@ -579 +579 @@ Create an IAM role to allow authorized users to manage incidents with AWS Suppor
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -648 +648 @@ This control checks whether the IAM users have multi-factor authentication (MFA)
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -658 +658 @@ To add MFA for IAM users, see [Enabling MFA devices for users in AWS](https://do
-Security Hub retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](./controls-change-log.html).
+Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](./controls-change-log.html).
@@ -668 +668 @@ Security Hub retired this control in April 2024. For more information, see [Chan
-**AWS Config rule:** `use-of-root-account-test` (custom Security Hub rule)
+**AWS Config rule:** `use-of-root-account-test` (custom Security Hub CSPM rule)
@@ -710 +710 @@ This check results in a control status of `NO_DATA` if one or more of the follow
-  * A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based.
+  * A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
@@ -712 +712 @@ This check results in a control status of `NO_DATA` if one or more of the follow
-  * A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail.
+  * A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.
@@ -728 +728 @@ This check results in a control status of `WARNING` if one or more of the follow
-We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of NO_DATA for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation.
+We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of NO_DATA for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.
@@ -877 +877 @@ When you group related IAM actions in this way, you can also avoid exceeding the
-AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -909 +909 @@ The AWS Config rule for this control uses the [`GetCredentialReport`](https://do
-AWS Config should be enabled in all Regions in which you use Security Hub. However, you can enable recording of global resources in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
+AWS Config should be enabled in all Regions in which you use Security Hub CSPM. However, you can enable recording of global resources in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
@@ -927 +927 @@ After you identify the inactive accounts or unused credentials, deactivate them.
-**AWS Config rule:** `tagged-accessanalyzer-analyzer` (custom Security Hub rule)
+**AWS Config rule:** `tagged-accessanalyzer-analyzer` (custom Security Hub CSPM rule)
@@ -933 +933 @@ After you identify the inactive accounts or unused credentials, deactivate them.
-Parameter | Description | Type | Allowed custom values | Security Hub default value  
+Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value  
@@ -957 +957 @@ To add tags to an analyzer, see [TagResource](https://docs.aws.amazon.com/access
-**AWS Config rule:** `tagged-iam-role` (custom Security Hub rule)
+**AWS Config rule:** `tagged-iam-role` (custom Security Hub CSPM rule)
@@ -963 +963 @@ To add tags to an analyzer, see [TagResource](https://docs.aws.amazon.com/access
-Parameter | Description | Type | Allowed custom values | Security Hub default value  
+Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value  
@@ -987 +987 @@ To add tags to an IAM role, see [Tagging IAM resources](https://docs.aws.amazon.
-**AWS Config rule:** `tagged-iam-user` (custom Security Hub rule)
+**AWS Config rule:** `tagged-iam-user` (custom Security Hub CSPM rule)
@@ -993 +993 @@ To add tags to an IAM role, see [Tagging IAM resources](https://docs.aws.amazon.
-Parameter | Description | Type | Allowed custom values | Security Hub default value  
+Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value