AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-03-25 · Documentation low

File: securityhub/latest/userguide/controls-change-log.md

Summary

Added two new entries to the security controls change log for March 24, 2026: updates to RDS.50 control title and ECS.5 control title/description, with ECS.5 now excluding Windows Server task definitions from generating findings.

Security assessment

This change documents updates to existing security controls in AWS Security Hub. The ECS.5 change excludes Windows Server task definitions from read-only root filesystem checks, which appears to be a refinement of the control scope rather than addressing a security vulnerability. There's no evidence of a security incident being fixed - these are routine updates to security control definitions and scope.

Diff

diff --git a/securityhub/latest/userguide/controls-change-log.md b/securityhub/latest/userguide/controls-change-log.md
index 45593d635..cdd28754c 100644
--- a//securityhub/latest/userguide/controls-change-log.md
+++ b//securityhub/latest/userguide/controls-change-log.md
@@ -12,0 +13,2 @@ Date of change | Control ID and title | Description of change
+March 24, 2026 | [[RDS.50] RDS DB clusters should have enough backup retention period set](./rds-controls.html#rds-50) | Security Hub CSPM updated the control title to reflect that the control checks all RDS DB clusters.  
+March 24, 2026 | [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](./ecs-controls.html#ecs-5) | Security Hub CSPM updated the control title and description to reflect that the control checks ECS task definitions. Security Hub CSPM also updated the control to not generate findings for task definitions with `runtimePlatform` configured to specify a `WINDOWS_SERVER` OS family.