AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-12-25 · Security-related medium

File: cli/latest/reference/configservice/associate-resource-types.md

Summary

Updated Security Hub reference to Security Hub CSPM in IAM role permissions note

Security assessment

The change specifically references Cloud Security Posture Management (CSPM), indicating enhanced security posture monitoring requirements. This directly relates to security best practices for IAM role configurations when using security services.

Diff

diff --git a/cli/latest/reference/configservice/associate-resource-types.md b/cli/latest/reference/configservice/associate-resource-types.md
index df824408d..5bdf0683c 100644
--- a//cli/latest/reference/configservice/associate-resource-types.md
+++ b//cli/latest/reference/configservice/associate-resource-types.md
@@ -15 +15 @@
-  * [AWS CLI 2.32.21 Command Reference](../../index.html) »
+  * [AWS CLI 2.32.23 Command Reference](../../index.html) »
@@ -555,0 +556,91 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/config
+>>   * `AWS::CloudFormation::StackSet`
+>>   * `AWS::MediaPackageV2::Channel`
+>>   * `AWS::S3::AccessGrantsLocation`
+>>   * `AWS::S3::AccessGrant`
+>>   * `AWS::S3::AccessGrantsInstance`
+>>   * `AWS::EMRServerless::Application`
+>>   * `AWS::Config::AggregationAuthorization`
+>>   * `AWS::Bedrock::ApplicationInferenceProfile`
+>>   * `AWS::ApiGatewayV2::Integration`
+>>   * `AWS::SageMaker::MlflowTrackingServer`
+>>   * `AWS::SageMaker::ModelBiasJobDefinition`
+>>   * `AWS::SecretsManager::RotationSchedule`
+>>   * `AWS::Deadline::QueueFleetAssociation`
+>>   * `AWS::ECR::RepositoryCreationTemplate`
+>>   * `AWS::CloudFormation::LambdaHook`
+>>   * `AWS::EC2::SubnetNetworkAclAssociation`
+>>   * `AWS::ApiGateway::UsagePlan`
+>>   * `AWS::AppConfig::Extension`
+>>   * `AWS::Deadline::Fleet`
+>>   * `AWS::EMR::Studio`
+>>   * `AWS::S3Tables::TableBucket`
+>>   * `AWS::CloudFront::RealtimeLogConfig`
+>>   * `AWS::BackupGateway::Hypervisor`
+>>   * `AWS::BCMDataExports::Export`
+>>   * `AWS::CloudFormation::GuardHook`
+>>   * `AWS::CloudFront::PublicKey`
+>>   * `AWS::CloudTrail::EventDataStore`
+>>   * `AWS::EntityResolution::IdMappingWorkflow`
+>>   * `AWS::EntityResolution::SchemaMapping`
+>>   * `AWS::IoT::DomainConfiguration`
+>>   * `AWS::PCAConnectorAD::DirectoryRegistration`
+>>   * `AWS::RDS::Integration`
+>>   * `AWS::Config::ConformancePack`
+>>   * `AWS::RolesAnywhere::Profile`
+>>   * `AWS::CodeArtifact::Domain`
+>>   * `AWS::Backup::RestoreTestingPlan`
+>>   * `AWS::Config::StoredQuery`
+>>   * `AWS::SageMaker::DataQualityJobDefinition`
+>>   * `AWS::SageMaker::ModelExplainabilityJobDefinition`
+>>   * `AWS::SageMaker::ModelQualityJobDefinition`
+>>   * `AWS::SageMaker::StudioLifecycleConfig`
+>>   * `AWS::SES::DedicatedIpPool`
+>>   * `AWS::SES::MailManagerTrafficPolicy`
+>>   * `AWS::SSM::ResourceDataSync`
+>>   * `AWS::BedrockAgentCore::Runtime`
+>>   * `AWS::BedrockAgentCore::BrowserCustom`
+>>   * `AWS::ElasticLoadBalancingV2::TargetGroup`
+>>   * `AWS::EMRContainers::VirtualCluster`
+>>   * `AWS::EntityResolution::MatchingWorkflow`
+>>   * `AWS::IoTCoreDeviceAdvisor::SuiteDefinition`
+>>   * `AWS::EC2::SecurityGroupVpcAssociation`
+>>   * `AWS::EC2::VerifiedAccessInstance`
+>>   * `AWS::KafkaConnect::CustomPlugin`
+>>   * `AWS::NetworkManager::TransitGatewayPeering`
+>>   * `AWS::OpenSearchServerless::SecurityConfig`
+>>   * `AWS::Redshift::Integration`
+>>   * `AWS::RolesAnywhere::TrustAnchor`
+>>   * `AWS::Route53Profiles::ProfileAssociation`
+>>   * `AWS::SSMIncidents::ResponsePlan`
+>>   * `AWS::Transfer::Server`
+>>   * `AWS::Glue::Database`
+>>   * `AWS::Organizations::OrganizationalUnit`
+>>   * `AWS::EC2::IPAMPoolCidr`
+>>   * `AWS::EC2::VPCGatewayAttachment`
+>>   * `AWS::Bedrock::Prompt`
+>>   * `AWS::Comprehend::Flywheel`
+>>   * `AWS::DataSync::Agent`
+>>   * `AWS::MediaTailor::LiveSource`
+>>   * `AWS::MSK::ServerlessCluster`
+>>   * `AWS::IoTSiteWise::Asset`
+>>   * `AWS::B2BI::Capability`
+>>   * `AWS::CloudFront::KeyValueStore`
+>>   * `AWS::Deadline::Monitor`
+>>   * `AWS::GuardDuty::MalwareProtectionPlan`
+>>   * `AWS::Location::APIKey`
+>>   * `AWS::MediaPackageV2::OriginEndpoint`
+>>   * `AWS::PCAConnectorAD::Connector`
+>>   * `AWS::S3Tables::TableBucketPolicy`
+>>   * `AWS::SecretsManager::ResourcePolicy`
+>>   * `AWS::SSMContacts::Contact`
+>>   * `AWS::IoT::ThingGroup`
+>>   * `AWS::ImageBuilder::LifecyclePolicy`
+>>   * `AWS::GameLift::Build`
+>>   * `AWS::ECR::ReplicationConfiguration`
+>>   * `AWS::EC2::SubnetCidrBlock`
+>>   * `AWS::Connect::SecurityProfile`
+>>   * `AWS::CleanRoomsML::TrainingDataset`
+>>   * `AWS::AppStream::AppBlockBuilder`
+>>   * `AWS::Route53::DNSSEC`
+>>   * `AWS::SageMaker::UserProfile`
+>>   * `AWS::ApiGateway::Method`
@@ -720 +811 @@ ConfigurationRecorder -> (structure)
->> If you use an Amazon Web Services service that uses Config, such as Security Hub or Control Tower, and an IAM role has already been created, make sure that the IAM role that you use when setting up Config keeps the same minimum permissions as the pre-existing IAM role. You must do this to ensure that the other Amazon Web Services service continues to run as expected.
+>> If you use an Amazon Web Services service that uses Config, such as Security Hub CSPM or Control Tower, and an IAM role has already been created, make sure that the IAM role that you use when setting up Config keeps the same minimum permissions as the pre-existing IAM role. You must do this to ensure that the other Amazon Web Services service continues to run as expected.
@@ -1264,0 +1356,91 @@ ConfigurationRecorder -> (structure)
+>>>>   * `AWS::CloudFormation::StackSet`
+>>>>   * `AWS::MediaPackageV2::Channel`
+>>>>   * `AWS::S3::AccessGrantsLocation`
+>>>>   * `AWS::S3::AccessGrant`
+>>>>   * `AWS::S3::AccessGrantsInstance`
+>>>>   * `AWS::EMRServerless::Application`
+>>>>   * `AWS::Config::AggregationAuthorization`
+>>>>   * `AWS::Bedrock::ApplicationInferenceProfile`
+>>>>   * `AWS::ApiGatewayV2::Integration`
+>>>>   * `AWS::SageMaker::MlflowTrackingServer`
+>>>>   * `AWS::SageMaker::ModelBiasJobDefinition`
+>>>>   * `AWS::SecretsManager::RotationSchedule`
+>>>>   * `AWS::Deadline::QueueFleetAssociation`
+>>>>   * `AWS::ECR::RepositoryCreationTemplate`
+>>>>   * `AWS::CloudFormation::LambdaHook`
+>>>>   * `AWS::EC2::SubnetNetworkAclAssociation`
+>>>>   * `AWS::ApiGateway::UsagePlan`
+>>>>   * `AWS::AppConfig::Extension`
+>>>>   * `AWS::Deadline::Fleet`
+>>>>   * `AWS::EMR::Studio`
+>>>>   * `AWS::S3Tables::TableBucket`
+>>>>   * `AWS::CloudFront::RealtimeLogConfig`
+>>>>   * `AWS::BackupGateway::Hypervisor`
+>>>>   * `AWS::BCMDataExports::Export`
+>>>>   * `AWS::CloudFormation::GuardHook`
+>>>>   * `AWS::CloudFront::PublicKey`
+>>>>   * `AWS::CloudTrail::EventDataStore`
+>>>>   * `AWS::EntityResolution::IdMappingWorkflow`
+>>>>   * `AWS::EntityResolution::SchemaMapping`
+>>>>   * `AWS::IoT::DomainConfiguration`
+>>>>   * `AWS::PCAConnectorAD::DirectoryRegistration`
+>>>>   * `AWS::RDS::Integration`
+>>>>   * `AWS::Config::ConformancePack`
+>>>>   * `AWS::RolesAnywhere::Profile`
+>>>>   * `AWS::CodeArtifact::Domain`
+>>>>   * `AWS::Backup::RestoreTestingPlan`
+>>>>   * `AWS::Config::StoredQuery`
+>>>>   * `AWS::SageMaker::DataQualityJobDefinition`
+>>>>   * `AWS::SageMaker::ModelExplainabilityJobDefinition`
+>>>>   * `AWS::SageMaker::ModelQualityJobDefinition`
+>>>>   * `AWS::SageMaker::StudioLifecycleConfig`
+>>>>   * `AWS::SES::DedicatedIpPool`
+>>>>   * `AWS::SES::MailManagerTrafficPolicy`
+>>>>   * `AWS::SSM::ResourceDataSync`
+>>>>   * `AWS::BedrockAgentCore::Runtime`
+>>>>   * `AWS::BedrockAgentCore::BrowserCustom`
+>>>>   * `AWS::ElasticLoadBalancingV2::TargetGroup`
+>>>>   * `AWS::EMRContainers::VirtualCluster`
+>>>>   * `AWS::EntityResolution::MatchingWorkflow`
+>>>>   * `AWS::IoTCoreDeviceAdvisor::SuiteDefinition`
+>>>>   * `AWS::EC2::SecurityGroupVpcAssociation`
+>>>>   * `AWS::EC2::VerifiedAccessInstance`
+>>>>   * `AWS::KafkaConnect::CustomPlugin`
+>>>>   * `AWS::NetworkManager::TransitGatewayPeering`
+>>>>   * `AWS::OpenSearchServerless::SecurityConfig`
+>>>>   * `AWS::Redshift::Integration`
+>>>>   * `AWS::RolesAnywhere::TrustAnchor`
+>>>>   * `AWS::Route53Profiles::ProfileAssociation`
+>>>>   * `AWS::SSMIncidents::ResponsePlan`
+>>>>   * `AWS::Transfer::Server`
+>>>>   * `AWS::Glue::Database`
+>>>>   * `AWS::Organizations::OrganizationalUnit`
+>>>>   * `AWS::EC2::IPAMPoolCidr`
+>>>>   * `AWS::EC2::VPCGatewayAttachment`
+>>>>   * `AWS::Bedrock::Prompt`
+>>>>   * `AWS::Comprehend::Flywheel`
+>>>>   * `AWS::DataSync::Agent`
+>>>>   * `AWS::MediaTailor::LiveSource`
+>>>>   * `AWS::MSK::ServerlessCluster`
+>>>>   * `AWS::IoTSiteWise::Asset`
+>>>>   * `AWS::B2BI::Capability`
+>>>>   * `AWS::CloudFront::KeyValueStore`
+>>>>   * `AWS::Deadline::Monitor`
+>>>>   * `AWS::GuardDuty::MalwareProtectionPlan`
+>>>>   * `AWS::Location::APIKey`
+>>>>   * `AWS::MediaPackageV2::OriginEndpoint`
+>>>>   * `AWS::PCAConnectorAD::Connector`
+>>>>   * `AWS::S3Tables::TableBucketPolicy`
+>>>>   * `AWS::SecretsManager::ResourcePolicy`
+>>>>   * `AWS::SSMContacts::Contact`
+>>>>   * `AWS::IoT::ThingGroup`
+>>>>   * `AWS::ImageBuilder::LifecyclePolicy`
+>>>>   * `AWS::GameLift::Build`
+>>>>   * `AWS::ECR::ReplicationConfiguration`
+>>>>   * `AWS::EC2::SubnetCidrBlock`
+>>>>   * `AWS::Connect::SecurityProfile`
+>>>>   * `AWS::CleanRoomsML::TrainingDataset`
+>>>>   * `AWS::AppStream::AppBlockBuilder`
+>>>>   * `AWS::Route53::DNSSEC`
+>>>>   * `AWS::SageMaker::UserProfile`
+>>>>   * `AWS::ApiGateway::Method`
@@ -1727,0 +1910,91 @@ ConfigurationRecorder -> (structure)
+>>>>>   * `AWS::CloudFormation::StackSet`
+>>>>>   * `AWS::MediaPackageV2::Channel`
+>>>>>   * `AWS::S3::AccessGrantsLocation`
+>>>>>   * `AWS::S3::AccessGrant`
+>>>>>   * `AWS::S3::AccessGrantsInstance`