AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-01-10 · Documentation low

File: securityhub/latest/userguide/fsbp-standard.md

Summary

Added new AWS Foundational Security Best Practices controls: CloudFormation.4 (service roles for stacks), CloudFront.17 (trusted key groups for signed URLs/cookies), and ECS.19/20/21 (termination protection and non-root/non-admin container users)

Security assessment

Documents new security best practices controls but lacks evidence of addressing specific vulnerabilities. Adds preventive measures for service roles, key group validation, and container privilege reduction.

Diff

diff --git a/securityhub/latest/userguide/fsbp-standard.md b/securityhub/latest/userguide/fsbp-standard.md
index d000438ef..4c9f4e988 100644
--- a//securityhub/latest/userguide/fsbp-standard.md
+++ b//securityhub/latest/userguide/fsbp-standard.md
@@ -62,0 +63,2 @@ The following list specifies which AWS Security Hub CSPM controls apply to the A
+[[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -88,0 +91,2 @@ The following list specifies which AWS Security Hub CSPM controls apply to the A
+[[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -256,0 +261,6 @@ The following list specifies which AWS Security Hub CSPM controls apply to the A
+[[ECS.19] ECS capacity providers should have managed termination protection enabled](./ecs-controls.html#ecs-19)
+
+[[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](./ecs-controls.html#ecs-20)
+
+[[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](./ecs-controls.html#ecs-21)
+