AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-01-16 · Documentation low

File: securityhub/latest/userguide/regions-controls.md

Summary

Updated regional support documentation for Security Hub controls by adding CloudFront.17, CloudFormation.4, ECS.19-21, and Redshift.9 controls to unsupported lists across multiple regions, while removing several outdated controls from regional unsupported lists.

Security assessment

The changes document regional availability of security controls but don't address specific vulnerabilities. The added CloudFront.17 control relates to secure URL/cookie validation, while ECS.20-21 enforce least privilege in containers - all security best practices. No evidence of incident response or vulnerability fixes.

Diff

diff --git a/securityhub/latest/userguide/regions-controls.md b/securityhub/latest/userguide/regions-controls.md
index 499ff61ec..16048f1ef 100644
--- a//securityhub/latest/userguide/regions-controls.md
+++ b//securityhub/latest/userguide/regions-controls.md
@@ -148,0 +149,2 @@ The following controls are not supported in the US East (Ohio) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -245,0 +248,2 @@ The following controls are not supported in the US West (N. California) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -388,0 +393,2 @@ The following controls are not supported in the US West (Oregon) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -453,0 +460,2 @@ The following controls are not supported in the Africa (Cape Town) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -654,0 +663,2 @@ The following controls are not supported in the Asia Pacific (Hong Kong) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -809,0 +820,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -837,0 +850,2 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -1060,2 +1073,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](./mq-controls.html#mq-3)
-
@@ -1144,2 +1155,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts](./s3-controls.html#s3-6)
-
@@ -1232,0 +1243,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -1260,0 +1273,2 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -1359,2 +1372,0 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](./elasticbeanstalk-controls.html#elasticbeanstalk-2)
-
@@ -1587,0 +1600,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -1615,0 +1630,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -1797,0 +1814,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [[ECS.19] ECS capacity providers should have managed termination protection enabled](./ecs-controls.html#ecs-19)
+
@@ -2058,2 +2075,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](./mq-controls.html#mq-3)
-
@@ -2183,0 +2200,2 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  * [](./.html#redshift-9)
+
@@ -2354,0 +2373,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
+  * [[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -2382,0 +2403,2 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -2441,2 +2462,0 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
-  * [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](./ec2-controls.html#ec2-18)
-
@@ -2687,2 +2706,0 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
-  * [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](./rds-controls.html#rds-15)
-
@@ -2803,0 +2822,2 @@ The following controls are not supported in the Asia Pacific (Mumbai) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -2919,2 +2938,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](./autoscaling-controls.html#autoscaling-1)
-
@@ -2929,2 +2946,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](./autoscaling-controls.html#autoscaling-5)
-
@@ -2950,0 +2967,2 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
+  * [[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -2978,0 +2997,2 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -3075,4 +3094,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](./ec2-controls.html#ec2-10)
-
-  * [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](./ec2-controls.html#ec2-19)
-
@@ -3153,4 +3168,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](./ecs-controls.html#ecs-1)
-
-  * [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](./ecs-controls.html#ecs-2)
-
@@ -3176,0 +3189,6 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
+  * [[ECS.19] ECS capacity providers should have managed termination protection enabled](./ecs-controls.html#ecs-19)
+
+  * [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](./ecs-controls.html#ecs-20)
+
+  * [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](./ecs-controls.html#ecs-21)
+
@@ -3207,6 +3224,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](./elb-controls.html#elb-3)
-
-  * [[ELB.7] Classic Load Balancers should have connection draining enabled](./elb-controls.html#elb-7)
-
-  * [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](./elb-controls.html#elb-8)
-
@@ -3255,4 +3266,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[ES.1] Elasticsearch domains should have encryption at-rest enabled](./es-controls.html#es-1)
-
-  * [[ES.2] Elasticsearch domains should not be publicly accessible](./es-controls.html#es-2)
-
@@ -3263,8 +3270,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[ES.5] Elasticsearch domains should have audit logging enabled](./es-controls.html#es-5)
-
-  * [[ES.6] Elasticsearch domains should have at least three data nodes](./es-controls.html#es-6)
-
-  * [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](./es-controls.html#es-7)
-
-  * [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](./es-controls.html#es-8)
-
@@ -3453,2 +3452,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[KMS.3] AWS KMS keys should not be deleted unintentionally](./kms-controls.html#kms-3)
-
@@ -3467,2 +3464,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](./mq-controls.html#mq-3)
-
@@ -3553,4 +3548,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](./rds-controls.html#rds-16)
-
-  * [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](./rds-controls.html#rds-17)
-
@@ -3559,10 +3550,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](./rds-controls.html#rds-19)
-
-  * [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](./rds-controls.html#rds-20)
-
-  * [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](./rds-controls.html#rds-21)
-
-  * [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](./rds-controls.html#rds-22)
-
-  * [[RDS.23] RDS instances should not use a database engine default port](./rds-controls.html#rds-23)
-
@@ -3622,0 +3605,2 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
+  * [](./.html#redshift-9)
+
@@ -3665,2 +3648,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](./s3-controls.html#s3-17)
-
@@ -3701,2 +3682,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](./secretsmanager-controls.html#secretsmanager-1)
-
@@ -3705,4 +3684,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[SecretsManager.3] Remove unused Secrets Manager secrets](./secretsmanager-controls.html#secretsmanager-3)
-
-  * [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](./secretsmanager-controls.html#secretsmanager-4)
-
@@ -3782,2 +3757,0 @@ The following controls are not supported in the Asia Pacific (Osaka) Region.
-  * [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](./acm-controls.html#acm-1)
-
@@ -3825,0 +3800,2 @@ The following controls are not supported in the Asia Pacific (Osaka) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -3890,6 +3865,0 @@ The following controls are not supported in the Asia Pacific (Osaka) Region.
-  * [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](./elb-controls.html#elb-3)
-
-  * [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](./elb-controls.html#elb-8)
-
-  * [[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL](./elb-controls.html#elb-16)
-
@@ -3902,4 +3871,0 @@ The following controls are not supported in the Asia Pacific (Osaka) Region.
-  * [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](./elasticbeanstalk-controls.html#elasticbeanstalk-2)
-
-  * [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](./emr-controls.html#emr-1)
-
@@ -4058,0 +4025,2 @@ The following controls are not supported in the Asia Pacific (Seoul) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -4175,0 +4144,2 @@ The following controls are not supported in the Asia Pacific (Singapore) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -4250,0 +4221,2 @@ The following controls are not supported in the Asia Pacific (Sydney) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -4381,0 +4354,2 @@ The following controls are not supported in the Asia Pacific (Taipei) Region.
+  * [[CloudFormation.4] CloudFormation stacks should have associated service roles](./cloudformation-controls.html#cloudformation-4)
+
@@ -4409,0 +4384,2 @@ The following controls are not supported in the Asia Pacific (Taipei) Region.
+  * [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](./cloudfront-controls.html#cloudfront-17)
+
@@ -4645,0 +4622,6 @@ The following controls are not supported in the Asia Pacific (Taipei) Region.
+  * [[ECS.19] ECS capacity providers should have managed termination protection enabled](./ecs-controls.html#ecs-19)
+
+  * [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](./ecs-controls.html#ecs-20)
+
+  * [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](./ecs-controls.html#ecs-21)
+
@@ -4938,2 +4919,0 @@ The following controls are not supported in the Asia Pacific (Taipei) Region.
-  * [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](./mq-controls.html#mq-3)
-
@@ -5103,0 +5084,2 @@ The following controls are not supported in the Asia Pacific (Taipei) Region.