AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-03-25 · Documentation low

File: securityhub/latest/userguide/regions-controls.md

Summary

Updated the list of Security Hub controls not supported in various AWS regions. Added multiple SageMaker controls (9-15) related to inter-container traffic encryption and network isolation, removed numerous tagging controls across various services, updated ECS.5 control description, added new API Gateway, ELB, and RDS controls, and removed some existing controls like MSK.4-6 and Redshift controls in specific regions.

Security assessment

The changes update regional availability documentation for Security Hub controls. While many added controls (SageMaker.9-15, APIGateway.10, ELB.21-22, RDS.50) are security-focused (encryption, network isolation, backup retention), there's no evidence these changes address specific security vulnerabilities or incidents. The updates appear to reflect routine documentation of control availability across regions as AWS services evolve.

Diff

diff --git a/securityhub/latest/userguide/regions-controls.md b/securityhub/latest/userguide/regions-controls.md
index 97522de2a..e346587f7 100644
--- a//securityhub/latest/userguide/regions-controls.md
+++ b//securityhub/latest/userguide/regions-controls.md
@@ -608 +608,13 @@ The following controls are not supported in the Africa (Cape Town) Region.
-  * [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](./ssm-controls.html#ssm-3)
+  * [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-9)
+
+  * [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-10)
+
+  * [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-11)
+
+  * [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-12)
+
+  * [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-13)
+
+  * [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](./sagemaker-controls.html#sagemaker-14)
+
+  * [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-15)
@@ -816,2 +827,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[Backup.4] AWS Backup report plans should be tagged](./backup-controls.html#backup-4)
-
@@ -912,2 +921,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[EC2.48] Amazon VPC flow logs should be tagged](./ec2-controls.html#ec2-48)
-
@@ -1172 +1180 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[SES.1] SES contact lists should be tagged](./ses-controls.html#ses-1)
+  * [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-9)
@@ -1174 +1182,11 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[SES.2] SES configuration sets should be tagged](./ses-controls.html#ses-2)
+  * [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-10)
+
+  * [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-11)
+
+  * [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-12)
+
+  * [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-13)
+
+  * [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](./sagemaker-controls.html#sagemaker-14)
+
+  * [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-15)
@@ -1184,2 +1201,0 @@ The following controls are not supported in the Asia Pacific (Hyderabad) Region.
-  * [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](./ssm-controls.html#ssm-3)
-
@@ -1239,2 +1254,0 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[Backup.4] AWS Backup report plans should be tagged](./backup-controls.html#backup-4)
-
@@ -1490,0 +1505,14 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  * [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-9)
+
+  * [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-10)
+
+  * [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-11)
+
+  * [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-12)
+
+  * [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-13)
+
+  * [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](./sagemaker-controls.html#sagemaker-14)
+
+  * [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-15)
+
@@ -1499,2 +1526,0 @@ The following controls are not supported in the Asia Pacific (Jakarta) Region.
-  * [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](./ssm-controls.html#ssm-3)
-
@@ -1558,2 +1583,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](./appsync-controls.html#appsync-4)
-
@@ -1564,4 +1587,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Athena.2] Athena data catalogs should be tagged](./athena-controls.html#athena-2)
-
-  * [[Athena.3] Athena workgroups should be tagged](./athena-controls.html#athena-3)
-
@@ -1582,2 +1601,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Backup.3] AWS Backup vaults should be tagged](./backup-controls.html#backup-3)
-
@@ -1586,2 +1603,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Backup.5] AWS Backup backup plans should be tagged](./backup-controls.html#backup-5)
-
@@ -1596,2 +1611,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[CloudFormation.2] CloudFormation stacks should be tagged](./cloudformation-controls.html#cloudformation-2)
-
@@ -1738,2 +1751,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EC2.33] EC2 transit gateway attachments should be tagged](./ec2-controls.html#ec2-33)
-
@@ -1744,2 +1755,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EC2.48] Amazon VPC flow logs should be tagged](./ec2-controls.html#ec2-48)
-
@@ -1748,2 +1757,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EC2.52] EC2 transit gateways should be tagged](./ec2-controls.html#ec2-52)
-
@@ -1800 +1808 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[ECS.5] ECS containers should be limited to read-only access to root filesystems](./ecs-controls.html#ecs-5)
+  * [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](./ecs-controls.html#ecs-5)
@@ -1810,2 +1817,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[ECS.16] ECS task sets should not automatically assign public IP addresses](./ecs-controls.html#ecs-16)
-
@@ -1824,2 +1829,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EFS.5] EFS access points should be tagged](./efs-controls.html#efs-5)
-
@@ -1836,2 +1839,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EKS.6] EKS clusters should be tagged](./eks-controls.html#eks-6)
-
@@ -1886,2 +1887,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[EventBridge.2] EventBridge event buses should be tagged](./eventbridge-controls.html#eventbridge-2)
-
@@ -1920,4 +1919,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[GuardDuty.3] GuardDuty IPSets should be tagged](./guardduty-controls.html#guardduty-3)
-
-  * [[GuardDuty.4] GuardDuty detectors should be tagged](./guardduty-controls.html#guardduty-4)
-
@@ -1984,2 +1979,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[IAM.23] IAM Access Analyzer analyzers should be tagged](./iam-controls.html#iam-23)
-
@@ -2004,12 +1997,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[IoT.1] AWS IoT Device Defender security profiles should be tagged](./iot-controls.html#iot-1)
-
-  * [[IoT.2] AWS IoT Core mitigation actions should be tagged](./iot-controls.html#iot-2)
-
-  * [[IoT.3] AWS IoT Core dimensions should be tagged](./iot-controls.html#iot-3)
-
-  * [[IoT.4] AWS IoT Core authorizers should be tagged](./iot-controls.html#iot-4)
-
-  * [[IoT.5] AWS IoT Core role aliases should be tagged](./iot-controls.html#iot-5)
-
-  * [[IoT.6] AWS IoT Core policies should be tagged](./iot-controls.html#iot-6)
-
@@ -2056,2 +2037,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Kinesis.2] Kinesis streams should be tagged](./kinesis-controls.html#kinesis-2)
-
@@ -2196,2 +2175,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](./redshift-controls.html#redshift-3)
-
@@ -2264 +2242 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[SES.1] SES contact lists should be tagged](./ses-controls.html#ses-1)
+  * [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-9)
@@ -2266 +2244,11 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[SES.2] SES configuration sets should be tagged](./ses-controls.html#ses-2)
+  * [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-10)
+
+  * [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-11)
+
+  * [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-12)
+
+  * [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-13)
+
+  * [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](./sagemaker-controls.html#sagemaker-14)
+
+  * [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-15)
@@ -2280,2 +2267,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](./ssm-controls.html#ssm-3)
-
@@ -2292,4 +2277,0 @@ The following controls are not supported in the Asia Pacific (Malaysia) Region.
-  * [[StepFunctions.2] Step Functions activities should be tagged](./stepfunctions-controls.html#stepfunctions-2)
-
-  * [[Transfer.1] AWS Transfer Family workflows should be tagged](./transfer-controls.html#transfer-1)
-
@@ -2361,2 +2342,0 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
-  * [[Backup.4] AWS Backup report plans should be tagged](./backup-controls.html#backup-4)
-
@@ -2473,2 +2452,0 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
-  * [[EC2.48] Amazon VPC flow logs should be tagged](./ec2-controls.html#ec2-48)
-
@@ -2744,0 +2723,14 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
+  * [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-9)
+
+  * [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-10)
+
+  * [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-11)
+
+  * [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](./sagemaker-controls.html#sagemaker-12)
+
+  * [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-13)
+
+  * [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](./sagemaker-controls.html#sagemaker-14)
+
+  * [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](./sagemaker-controls.html#sagemaker-15)
+
@@ -2757,2 +2748,0 @@ The following controls are not supported in the Asia Pacific (Melbourne) Region.
-  * [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](./ssm-controls.html#ssm-3)
-
@@ -2902,0 +2893,2 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
+  * [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](./apigateway-controls.html#apigateway-10)
+
@@ -2949,2 +2940,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[Backup.3] AWS Backup vaults should be tagged](./backup-controls.html#backup-3)
-
@@ -2953,2 +2942,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[Backup.5] AWS Backup backup plans should be tagged](./backup-controls.html#backup-5)
-
@@ -3045,2 +3032,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[DMS.1] Database Migration Service replication instances should not be public](./dms-controls.html#dms-1)
-
@@ -3105,2 +3090,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[EC2.33] EC2 transit gateway attachments should be tagged](./ec2-controls.html#ec2-33)
-
@@ -3111,2 +3094,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio
-  * [[EC2.48] Amazon VPC flow logs should be tagged](./ec2-controls.html#ec2-48)
-
@@ -3115,2 +3096,0 @@ The following controls are not supported in the Asia Pacific (New Zealand) Regio