AWS Security ChangesHomeSearch

AWS whitepapers documentation change

Service: whitepapers · 2025-12-10 · Documentation low

File: whitepapers/latest/aws-caf-security-perspective/infrastructure-protection.md

Summary

Updated reference from 'AWS Security Hub' to 'AWS Security Hub CSPM' in centrally managed security services list

Security assessment

Branding update without security implications. Architecture guidance for shared security services remains identical. No vulnerability fixes or security enhancements documented.

Diff

diff --git a/whitepapers/latest/aws-caf-security-perspective/infrastructure-protection.md b/whitepapers/latest/aws-caf-security-perspective/infrastructure-protection.md
index 220869479..6eab17d8f 100644
--- a//whitepapers/latest/aws-caf-security-perspective/infrastructure-protection.md
+++ b//whitepapers/latest/aws-caf-security-perspective/infrastructure-protection.md
@@ -21 +21 @@ Traditional data centers use boundary-based protection methods that define the t
-We recommend using [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in your [landing zone](https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html) environment that supports your [multi-account strategy](https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html). Deploy [security controls](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) uniformly across your environment, and define the foundational shared services that will be used. Include network services to centrally deploy and manage your virtual private clouds (VPC) and subnets, and share them with other accounts in the environment using [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html). The shared services design should also include an account or accounts designated to deploy centrally managed security services. These can be delegated admin consoles for AWS Config, Amazon GuardDuty, [Amazon Macie](https://aws.amazon.com/macie/), [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html), and AWS Security Hub. Include an [account](https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html) where logging services can be centralized and logs can be aggregated. Consider shared services accounts for any other services that will be used by the other member accounts in the organization. Set up the [organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) (OUs) in AWS Organizations to create an area for the shared services account to be deployed in. You can then apply preventative and detective guardrails and other governance elements. This will give you the ability to separate accounts, such as business application workload accounts and sandbox accounts. 
+We recommend using [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in your [landing zone](https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html) environment that supports your [multi-account strategy](https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html). Deploy [security controls](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) uniformly across your environment, and define the foundational shared services that will be used. Include network services to centrally deploy and manage your virtual private clouds (VPC) and subnets, and share them with other accounts in the environment using [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html). The shared services design should also include an account or accounts designated to deploy centrally managed security services. These can be delegated admin consoles for AWS Config, Amazon GuardDuty, [Amazon Macie](https://aws.amazon.com/macie/), [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html), and AWS Security Hub CSPM. Include an [account](https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html) where logging services can be centralized and logs can be aggregated. Consider shared services accounts for any other services that will be used by the other member accounts in the organization. Set up the [organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) (OUs) in AWS Organizations to create an area for the shared services account to be deployed in. You can then apply preventative and detective guardrails and other governance elements. This will give you the ability to separate accounts, such as business application workload accounts and sandbox accounts.