AWS securityhub documentation change
Summary
Added clarification about service-managed StackSets triggering FAILED findings due to missing service roles, explaining limitations in control implementation
Security assessment
Documents behavior of a security control (CloudFormation service role checks) but does not address a new vulnerability. The note explains existing limitations in control enforcement.
Diff
diff --git a/securityhub/latest/userguide/cloudformation-controls.md b/securityhub/latest/userguide/cloudformation-controls.md index 47fc5262a..280ca5a7e 100644 --- a//securityhub/latest/userguide/cloudformation-controls.md +++ b//securityhub/latest/userguide/cloudformation-controls.md @@ -112,0 +113,2 @@ This control checks whether an AWS CloudFormation stack has a service role assoc +Service-managed StackSets use execution roles through AWS Organizations trusted access integration. The control also generates a FAILED finding for an AWS CloudFormation stack created by service-managed StackSets because there is no service role associated with it. Due to how service-managed StackSets authenticate, the `roleARN` field cannot be populated for these stacks. +