AWS securityhub medium security documentation change
Summary
Added Important notes about retiring AppSync.1 and AppSync.6 controls due to AWS AppSync enforcing default encryption for API caches. Removed old Note sections about control retirement dates.
Security assessment
The changes explicitly document the retirement of security controls because AWS AppSync now enforces encryption at rest and in transit by default. This indicates a service-level security improvement that addresses potential vulnerabilities from unencrypted API caches.
Diff
diff --git a/securityhub/latest/userguide/appsync-controls.md b/securityhub/latest/userguide/appsync-controls.md index f650641a4..71ce57117 100644 --- a//securityhub/latest/userguide/appsync-controls.md +++ b//securityhub/latest/userguide/appsync-controls.md @@ -14,0 +15,4 @@ These controls may not be available in all AWS Regions. For more information, se +###### Important + +Security Hub CSPM retired this control on March 9, 2026. For more information, see [Change log for Security Hub CSPM controls](./controls-change-log.html). AWS AppSync now provides default encryption on all current and future API caches. + @@ -31,4 +34,0 @@ Data at rest refers to data that's stored in persistent, non-volatile storage fo -###### Note - -Due to AWS AppSync implementing a service-level change that makes encryption at rest mandatory for all API caches, this control will be retired and removed from all applicable standards on March 9, 2026. - @@ -127,0 +128,4 @@ To set an authorization option for your AWS AppSync GraphQL API, see [Authorizat +###### Important + +Security Hub CSPM retired this control on March 9, 2026. For more information, see [Change log for Security Hub CSPM controls](./controls-change-log.html). AWS AppSync now provides default encryption on all current and future API caches. + @@ -144,4 +147,0 @@ Data in transit refers to data that moves from one location to another, such as -###### Note - -Due to AWS AppSync implementing a service-level change that makes encryption in transit mandatory for all API caches, this control will be retired and removed from all applicable standards on March 9, 2026. -