AWS Security ChangesHomeSearch

AWS whitepapers documentation change

Service: whitepapers · 2025-12-10 · Documentation low

File: whitepapers/latest/organizing-your-aws-environment/foundational-ous.md

Summary

Updated references from 'AWS Security Hub' to 'AWS Security Hub CSPM' across multiple sections including service descriptions, delegation recommendations, and solution integrations.

Security assessment

The changes involve rebranding/renaming of 'AWS Security Hub' to 'AWS Security Hub CSPM' without introducing new security concepts or addressing vulnerabilities. CSPM (Cloud Security Posture Management) is a refinement of existing capabilities, not a response to a security incident. No vulnerability fixes or security incident responses are evident in the diff.

Diff

diff --git a/whitepapers/latest/organizing-your-aws-environment/foundational-ous.md b/whitepapers/latest/organizing-your-aws-environment/foundational-ous.md
index 8cf7214a6..b818b5905 100644
--- a//whitepapers/latest/organizing-your-aws-environment/foundational-ous.md
+++ b//whitepapers/latest/organizing-your-aws-environment/foundational-ous.md
@@ -82 +82 @@ Additionally, the use of S3 bucket versioning provides visibility into the compl
-In the context of AWS services, this account is used to provide centralized delegated admin access to AWS security tooling and consoles, as well as provide view-only access for investigative purposes into all accounts in the organization. The security tooling account should be restricted to authorized security and compliance personnel and related security. This account is an aggregation point (or points for organizations that split the functionality across multiple accounts) for AWS security services, including [AWS Security Hub](https://aws.amazon.com/security-hub/), [Amazon GuardDuty,](https://aws.amazon.com/guardduty/) [Amazon Macie](https://aws.amazon.com/macie/), [AWS AppConfig](https://docs.aws.amazon.com/systems-manager/latest/userguide/appconfig.html), [AWS Firewall Manager](https://aws.amazon.com/firewall-manager/), [Amazon Detective](https://aws.amazon.com/detective/), [Amazon Inspector](https://aws.amazon.com/inspector/), and [IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/). 
+In the context of AWS services, this account is used to provide centralized delegated admin access to AWS security tooling and consoles, as well as provide view-only access for investigative purposes into all accounts in the organization. The security tooling account should be restricted to authorized security and compliance personnel and related security. This account is an aggregation point (or points for organizations that split the functionality across multiple accounts) for AWS security services, including [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/), [Amazon GuardDuty,](https://aws.amazon.com/guardduty/) [Amazon Macie](https://aws.amazon.com/macie/), [AWS AppConfig](https://docs.aws.amazon.com/systems-manager/latest/userguide/appconfig.html), [AWS Firewall Manager](https://aws.amazon.com/firewall-manager/), [Amazon Detective](https://aws.amazon.com/detective/), [Amazon Inspector](https://aws.amazon.com/inspector/), and [IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/). 
@@ -90 +90 @@ AWS service  | Implementation details | AWS Control Tower enabled
-[AWS Audit Manager](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-audit-manager.html) |  Continuously audit your AWS use across multiple-accounts in your organization to simplify how you assess risk and compliance. Recommended to be in same AWS account AWS Security Hub delegated admin exists.  Delegation needs to be done on home and operational AWS Regions.  |  No   
+[AWS Audit Manager](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-audit-manager.html) |  Continuously audit your AWS use across multiple-accounts in your organization to simplify how you assess risk and compliance. Recommended to be in same AWS account AWS Security Hub CSPM delegated admin exists.  Delegation needs to be done on home and operational AWS Regions.  |  No   
@@ -94 +94 @@ AWS service  | Implementation details | AWS Control Tower enabled
-[AWS Detective](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-detective.html) |  Required to be deployed to same account which is managing Amazon GuardDuty and AWS Security Hub.  Requires GuardDuty to be enabled on Security Tooling account prior to delegating AWS Detective. Delegation needs to be done on home and operational AWS Regions.  |  No   
+[AWS Detective](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-detective.html) |  Required to be deployed to same account which is managing Amazon GuardDuty and AWS Security Hub CSPM.  Requires GuardDuty to be enabled on Security Tooling account prior to delegating AWS Detective. Delegation needs to be done on home and operational AWS Regions.  |  No   
@@ -96 +96 @@ AWS service  | Implementation details | AWS Control Tower enabled
-[Amazon GuardDuty](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html) |  Amazon GuardDuty allows for one delegated admin per AWS Organization. It is recommended to delegated Amazon GuardDuty to the same account AWS Security Hub and Amazon Macie are delegated to. Delegation needs to be done on home and operational AWS Regions.  |  No   
+[Amazon GuardDuty](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html) |  Amazon GuardDuty allows for one delegated admin per AWS Organization. It is recommended to delegated Amazon GuardDuty to the same account AWS Security Hub CSPM and Amazon Macie are delegated to. Delegation needs to be done on home and operational AWS Regions.  |  No   
@@ -98,2 +98,2 @@ AWS service  | Implementation details | AWS Control Tower enabled
-[Amazon Macie](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-macie.html) |  Amazon Macie allows for one delegated admin per AWS Organization. It is recommended to delegated Amazon Macie to the same account AWS Security Hub and Amazon GuardDuty are delegated to. Delegation needs to be done on home and operational AWS Regions.  |  No   
-[AWS Security Hub](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html) |  AWS Security Hub allows for one delegated admin per AWS Organization. It is recommended to delegated AWS Security Hub to the same account Amazon GuardDuty and Amazon Macie are delegated to, for ease of pivoting between these services in the AWS Management Console. Delegation needs to be done on each operational Region.  |  Yes — When you activate a Security Hub detective control within AWS Control Tower, it automatically enables Security Hub on your behalf.   
+[Amazon Macie](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-macie.html) |  Amazon Macie allows for one delegated admin per AWS Organization. It is recommended to delegated Amazon Macie to the same account AWS Security Hub CSPM and Amazon GuardDuty are delegated to. Delegation needs to be done on home and operational AWS Regions.  |  No   
+[AWS Security Hub CSPM](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html) |  AWS Security Hub CSPM allows for one delegated admin per AWS Organization. It is recommended to delegated AWS Security Hub CSPM to the same account Amazon GuardDuty and Amazon Macie are delegated to, for ease of pivoting between these services in the AWS Management Console. Delegation needs to be done on each operational Region.  |  Yes — When you activate a Security Hub CSPM detective control within AWS Control Tower, it automatically enables Security Hub CSPM on your behalf.   
@@ -121 +121 @@ AWS Solution  |  Description
-[Automated Security Response on AWS](https://aws.amazon.com/solutions/implementations/automated-security-response-on-aws/) |  Add-on that works with AWS Security Hub and provides predefined response and remediation actions based on industry compliance standards and best practices for security threats. It helps Security Hub customers to resolve common security findings and to improve their security posture in AWS.   
+[Automated Security Response on AWS](https://aws.amazon.com/solutions/implementations/automated-security-response-on-aws/) |  Add-on that works with AWS Security Hub CSPM and provides predefined response and remediation actions based on industry compliance standards and best practices for security threats. It helps Security Hub CSPM customers to resolve common security findings and to improve their security posture in AWS.