AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-02-28 · Documentation medium

File: securityhub/latest/userguide/securityhub-controls-reference.md

Summary

Added new security controls for APIGateway, ELB, RDS, and SageMaker services focusing on encrypted protocols, backup retention, and network isolation

Security assessment

The changes document new security best practices controls (e.g., HTTPS usage, encrypted health checks, backup retention) but provide general guidance rather than addressing a specific disclosed vulnerability

Diff

diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md
index 073f5848a..62906af3f 100644
--- a//securityhub/latest/userguide/securityhub-controls-reference.md
+++ b//securityhub/latest/userguide/securityhub-controls-reference.md
@@ -47,0 +48 @@ Security control ID | Security control title | Applicable standards | Severity |
+[APIGateway.10](./apigateway-controls.html#apigateway-10) |  API Gateway V2 integrations should use HTTPS for private connections  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
@@ -296,0 +298,2 @@ Security control ID | Security control title | Applicable standards | Severity |
+[ELB.21](./elb-controls.html#elb-21) |  Application and Network Load Balancer target groups should use encrypted health check protocols  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[ELB.22](./elb-controls.html#elb-22) |  ELB target groups should use encrypted transport protocols  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
@@ -500,0 +504 @@ Security control ID | Security control title | Applicable standards | Severity |
+[RDS.50](./rds-controls.html#rds-50) |  RDS DB clusters should have enough backup retention period set  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  Yes  |  Change triggered   
@@ -553,0 +558,7 @@ Security control ID | Security control title | Applicable standards | Severity |
+[SageMaker.9](./sagemaker-controls.html#sagemaker-9) |  SageMaker data quality job definitions should have inter-container traffic encryption enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[SageMaker.10](./sagemaker-controls.html#sagemaker-10) |  SageMaker model explainability job definitions should have inter-container traffic encryption enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[SageMaker.11](./sagemaker-controls.html#sagemaker-11) |  SageMaker data quality job definitions should have network isolation enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[SageMaker.12](./sagemaker-controls.html#sagemaker-12) |  SageMaker model bias job definitions should have network isolation enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[SageMaker.13](./sagemaker-controls.html#sagemaker-13) |  SageMaker model quality job definitions should have inter-container traffic encryption enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[SageMaker.14](./sagemaker-controls.html#sagemaker-14) |  SageMaker monitoring schedules should have network isolation enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered   
+[SageMaker.15](./sagemaker-controls.html#sagemaker-15) |  SageMaker model bias job definitions should have inter-container traffic encryption enabled  |  AWS Foundational Security Best Practices v1.0.0  |  MEDIUM  |  No  |  Change triggered