AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-03-07 · Documentation low

File: securityhub/latest/userguide/cloudformation-controls.md

Summary

Added clarification about service-managed StackSets triggering FAILED findings due to missing service roles, explaining limitations in control implementation

Security assessment

Documents behavior of a security control (CloudFormation service role checks) but does not address a new vulnerability. The note explains existing limitations in control enforcement.

Diff

diff --git a/securityhub/latest/userguide/cloudformation-controls.md b/securityhub/latest/userguide/cloudformation-controls.md
index 47fc5262a..280ca5a7e 100644
--- a//securityhub/latest/userguide/cloudformation-controls.md
+++ b//securityhub/latest/userguide/cloudformation-controls.md
@@ -112,0 +113,2 @@ This control checks whether an AWS CloudFormation stack has a service role assoc
+Service-managed StackSets use execution roles through AWS Organizations trusted access integration. The control also generates a FAILED finding for an AWS CloudFormation stack created by service-managed StackSets because there is no service role associated with it. Due to how service-managed StackSets authenticate, the `roleARN` field cannot be populated for these stacks.
+