AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-12-10 · Documentation low

File: systems-manager/latest/userguide/OpsCenter-applications-that-integrate.md

Summary

Updated all references from 'AWS Security Hub' to 'AWS Security Hub CSPM' throughout the documentation, including section headers, service names, configuration steps, and integration details.

Security assessment

The changes reflect a rebranding/renaming of Security Hub to Security Hub CSPM (Cloud Security Posture Management) but do not address any specific vulnerability or incident. The updates enhance documentation about existing security posture management features but don't introduce new security capabilities or remediate weaknesses.

Diff

diff --git a/systems-manager/latest/userguide/OpsCenter-applications-that-integrate.md b/systems-manager/latest/userguide/OpsCenter-applications-that-integrate.md
index abf66cc60..9feffb405 100644
--- a//systems-manager/latest/userguide/OpsCenter-applications-that-integrate.md
+++ b//systems-manager/latest/userguide/OpsCenter-applications-that-integrate.md
@@ -5 +5 @@
-Understanding OpsCenter integration with Amazon CloudWatchUnderstanding OpsCenter integration with Amazon CloudWatch Application InsightsUnderstanding OpsCenter integration with Amazon DevOps GuruUnderstanding OpsCenter integration with Amazon EventBridgeUnderstanding OpsCenter integration with AWS ConfigUnderstanding OpsCenter integration with AWS Security HubUnderstanding OpsCenter integration with Incident Manager
+Understanding OpsCenter integration with Amazon CloudWatchUnderstanding OpsCenter integration with Amazon CloudWatch Application InsightsUnderstanding OpsCenter integration with Amazon DevOps GuruUnderstanding OpsCenter integration with Amazon EventBridgeUnderstanding OpsCenter integration with AWS ConfigUnderstanding OpsCenter integration with AWS Security Hub CSPMUnderstanding OpsCenter integration with Incident Manager
@@ -32 +32 @@ You have to integrate the following services with OpsCenter to create OpsItems a
-  * AWS Security Hub
+  * AWS Security Hub CSPM
@@ -53 +53 @@ For more information about each AWS service and how it integrates with OpsCenter
-  * Understanding OpsCenter integration with AWS Security Hub
+  * Understanding OpsCenter integration with AWS Security Hub CSPM
@@ -139 +139 @@ Following are some rules that you can configure in EventBridge to create an OpsI
-  * Security Hub: security alert issued
+  * Security Hub CSPM: security alert issued
@@ -170 +170 @@ Using this OpsItem, you can track details of the noncompliant resource, record i
-## Understanding OpsCenter integration with AWS Security Hub
+## Understanding OpsCenter integration with AWS Security Hub CSPM
@@ -172 +172 @@ Using this OpsItem, you can track details of the noncompliant resource, record i
-AWS Security Hub collects security data, called _findings_ , from across AWS accounts and services. Using a set of rules to detect and generate findings, Security Hub helps you identify, prioritize, and remediate security issues for the resources you manage. After you configure integration, as described in this topic, Systems Manager creates OpsItems for Security Hub findings in OpsCenter. 
+AWS Security Hub CSPM collects security data, called _findings_ , from across AWS accounts and services. Using a set of rules to detect and generate findings, Security Hub CSPM helps you identify, prioritize, and remediate security issues for the resources you manage. After you configure integration, as described in this topic, Systems Manager creates OpsItems for Security Hub CSPM findings in OpsCenter. 
@@ -176 +176 @@ AWS Security Hub collects security data, called _findings_ , from across AWS acc
-OpsCenter has bidirectional integration with Security Hub. This means that if you update the **Status** or **Severity** field for an OpsItem related to a security finding, the system synchronizes the changes with Security Hub. Likewise, any changes to a finding are automatically updated in the corresponding OpsItems in OpsCenter.
+OpsCenter has bidirectional integration with Security Hub CSPM. This means that if you update the **Status** or **Severity** field for an OpsItem related to a security finding, the system synchronizes the changes with Security Hub CSPM. Likewise, any changes to a finding are automatically updated in the corresponding OpsItems in OpsCenter.
@@ -178 +178 @@ OpsCenter has bidirectional integration with Security Hub. This means that if yo
-When an OpsItem is created from a Security Hub finding, Security Hub metadata is automatically added to the operational data field of the OpsItem. If this metadata is deleted, the bidirectional updates no longer function.
+When an OpsItem is created from a Security Hub CSPM finding, Security Hub CSPM metadata is automatically added to the operational data field of the OpsItem. If this metadata is deleted, the bidirectional updates no longer function.
@@ -180 +180 @@ When an OpsItem is created from a Security Hub finding, Security Hub metadata is
-By default, Systems Manager creates OpsItems for critical and high severity findings. You can manually configure OpsCenter to create OpsItems for medium and low severity findings. OpsCenter doesn’t create OpsItems for informational findings as they don't require remediation. For more information about Security Hub severity levels, see [Severity](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_Severity.html) in the _AWS Security Hub API Reference_.
+By default, Systems Manager creates OpsItems for critical and high severity findings. You can manually configure OpsCenter to create OpsItems for medium and low severity findings. OpsCenter doesn’t create OpsItems for informational findings as they don't require remediation. For more information about Security Hub CSPM severity levels, see [Severity](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_Severity.html) in the _AWS Security Hub CSPM API Reference_.
@@ -184 +184 @@ By default, Systems Manager creates OpsItems for critical and high severity find
-Before you configure OpsCenter to create OpsItems based on Security Hub findings, verify that you completed the Security Hub set up tasks. For more information, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the _AWS Security Hub User Guide_.
+Before you configure OpsCenter to create OpsItems based on Security Hub CSPM findings, verify that you completed the Security Hub CSPM set up tasks. For more information, see [Setting up Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the _AWS Security Hub CSPM User Guide_.
@@ -186 +186 @@ Before you configure OpsCenter to create OpsItems based on Security Hub findings
-When you integrate Security Hub with OpsCenter, the system creates OpsItems by using the `AWSServiceRoleForSystemsManagerOpsDataSync` IAM service-linked role. For more information about this role, see [Using roles to create OpsData and OpsItems for Explorer](./using-service-linked-roles-service-action-3.html).
+When you integrate Security Hub CSPM with OpsCenter, the system creates OpsItems by using the `AWSServiceRoleForSystemsManagerOpsDataSync` IAM service-linked role. For more information about this role, see [Using roles to create OpsData and OpsItems for Explorer](./using-service-linked-roles-service-action-3.html).
@@ -190 +190 @@ When you integrate Security Hub with OpsCenter, the system creates OpsItems by u
-Note the following important information about pricing for OpsCenter integration with Security Hub:
+Note the following important information about pricing for OpsCenter integration with Security Hub CSPM:
@@ -192 +192 @@ Note the following important information about pricing for OpsCenter integration
-  * If you are logged into the Security Hub administrator account when you configure OpsCenter and Security Hub integration, the system creates OpsItems for findings in the administrator _and_ all member accounts. The OpsItems are all created _in the administrator account_. Depending on a variety of factors, this can lead to an unexpectedly large bill from AWS.
+  * If you are logged into the Security Hub CSPM administrator account when you configure OpsCenter and Security Hub CSPM integration, the system creates OpsItems for findings in the administrator _and_ all member accounts. The OpsItems are all created _in the administrator account_. Depending on a variety of factors, this can lead to an unexpectedly large bill from AWS.
@@ -194 +194 @@ Note the following important information about pricing for OpsCenter integration
-If you are logged into a member account when you configure integration, the system only creates OpsItems for findings in that individual account. For more information about the Security Hub administrator account, member accounts, and their relation to the EventBridge event feed for findings, see [Types of Security Hub integration with EventBridge](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html) in the _AWS Security Hub User Guide_.
+If you are logged into a member account when you configure integration, the system only creates OpsItems for findings in that individual account. For more information about the Security Hub CSPM administrator account, member accounts, and their relation to the EventBridge event feed for findings, see [Types of Security Hub CSPM integration with EventBridge](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html) in the _AWS Security Hub CSPM User Guide_.
@@ -196 +196 @@ If you are logged into a member account when you configure integration, the syst
-  * For each finding that creates an OpsItem, you are charged the regular price for creating the OpsItem. You are also charged if you edit the OpsItem or if the corresponding finding is updated in Security Hub (which triggers an OpsItem update).
+  * For each finding that creates an OpsItem, you are charged the regular price for creating the OpsItem. You are also charged if you edit the OpsItem or if the corresponding finding is updated in Security Hub CSPM (which triggers an OpsItem update).
@@ -198 +198 @@ If you are logged into a member account when you configure integration, the syst
-  * OpsItems that are created by an integration with AWS Security Hub are _not_ currently limited by the maximum quota of 500,000 OpsItems per account in a Region. It is therefore possible for Security Hub alerts to create more than 500,000 chargeable OpsItems in each Region in an account.
+  * OpsItems that are created by an integration with AWS Security Hub CSPM are _not_ currently limited by the maximum quota of 500,000 OpsItems per account in a Region. It is therefore possible for Security Hub CSPM alerts to create more than 500,000 chargeable OpsItems in each Region in an account.
@@ -200 +200 @@ If you are logged into a member account when you configure integration, the syst
-For high-production environments, we therefore recommend limiting the scope of Security Hub findings to high severity issues only.
+For high-production environments, we therefore recommend limiting the scope of Security Hub CSPM findings to high severity issues only.
@@ -205 +205 @@ For high-production environments, we therefore recommend limiting the scope of S
-###### To configure OpsCenter to create OpsItems for Security Hub findings
+###### To configure OpsCenter to create OpsItems for Security Hub CSPM findings
@@ -213 +213 @@ For high-production environments, we therefore recommend limiting the scope of S
-  4. In the **Security Hub findings** section, choose **Edit.**
+  4. In the **Security Hub CSPM findings** section, choose **Edit.**
@@ -224 +224 @@ For high-production environments, we therefore recommend limiting the scope of S
-Use the following procedure if you no longer want the system to create OpsItems for Security Hub findings.
+Use the following procedure if you no longer want the system to create OpsItems for Security Hub CSPM findings.
@@ -226 +226 @@ Use the following procedure if you no longer want the system to create OpsItems
-###### To stop receiving OpsItems for Security Hub findings
+###### To stop receiving OpsItems for Security Hub CSPM findings
@@ -234 +234 @@ Use the following procedure if you no longer want the system to create OpsItems
-  4. In the **Security Hub findings** section, choose **Edit.**
+  4. In the **Security Hub CSPM findings** section, choose **Edit.**
@@ -236 +236 @@ Use the following procedure if you no longer want the system to create OpsItems
-  5. Choose the slider to change **Enabled** to **Disabled**. If you aren't able to toggle the slider, Security Hub hasn't been enabled for your AWS account.
+  5. Choose the slider to change **Enabled** to **Disabled**. If you aren't able to toggle the slider, Security Hub CSPM hasn't been enabled for your AWS account.
@@ -238 +238 @@ Use the following procedure if you no longer want the system to create OpsItems
-  6. Choose **Save** to save your configuration. OpsCenter no longer creates OpsItems based on Security Hub findings.
+  6. Choose **Save** to save your configuration. OpsCenter no longer creates OpsItems based on Security Hub CSPM findings.
@@ -245 +245 @@ Use the following procedure if you no longer want the system to create OpsItems
-A Systems Manager delegated administrator or the AWS Organizations management account can enable Security Hub findings in OpsCenter for multiple accounts and AWS Regions by creating a resource data sync in Explorer. If the **Security Hub** source is enabled in Explorer and a resource data sync exists that targets the member account where you disabled Security Hub integration, then the settings selected by your administrator take precedence. OpsCenter continues to create OpsItems for Security Hub findings. To stop creating OpsItems for Security Hub findings in a member account targeted by a resource data sync, contact your administrator and ask them to remove your account from the resource data sync or turn off the **Security Hub** source in Explorer. For information about changing settings in Explorer, see [Editing Systems Manager Explorer data sources](./Explorer-using-editing-data-sources.html).
+A Systems Manager delegated administrator or the AWS Organizations management account can enable Security Hub CSPM findings in OpsCenter for multiple accounts and AWS Regions by creating a resource data sync in Explorer. If the **Security Hub CSPM** source is enabled in Explorer and a resource data sync exists that targets the member account where you disabled Security Hub CSPM integration, then the settings selected by your administrator take precedence. OpsCenter continues to create OpsItems for Security Hub CSPM findings. To stop creating OpsItems for Security Hub CSPM findings in a member account targeted by a resource data sync, contact your administrator and ask them to remove your account from the resource data sync or turn off the **Security Hub CSPM** source in Explorer. For information about changing settings in Explorer, see [Editing Systems Manager Explorer data sources](./Explorer-using-editing-data-sources.html).