AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-04-25 · Documentation low

File: securityhub/latest/userguide/fsbp-standard.md

Summary

Added four new security controls to the AWS Foundational Security Best Practices standard: BedrockAgentCore.1, BedrockAgentCore.2, RDS.51, and SageMaker.19

Security assessment

This change expands the FSBP standard with new security controls for Bedrock AgentCore, RDS, and SageMaker services. These are proactive security best practices rather than responses to specific security incidents. The controls enhance security posture but aren't tied to disclosed vulnerabilities.

Diff

diff --git a/securityhub/latest/userguide/fsbp-standard.md b/securityhub/latest/userguide/fsbp-standard.md
index eda5fe960..63cdd454c 100644
--- a//securityhub/latest/userguide/fsbp-standard.md
+++ b//securityhub/latest/userguide/fsbp-standard.md
@@ -66,0 +67,4 @@ The following list specifies which AWS Security Hub CSPM controls apply to the A
+[[BedrockAgentCore.1] Bedrock AgentCore runtimes should be configured with VPC network mode](./bedrockagentcore-controls.html#bedrockagentcore-1)
+
+[[BedrockAgentCore.2] Bedrock AgentCore Gateways should require authorization for inbound requests](./bedrockagentcore-controls.html#bedrockagentcore-2)
+
@@ -604,0 +609,2 @@ The following list specifies which AWS Security Hub CSPM controls apply to the A
+[[RDS.51] RDS global clusters should run on a supported Aurora MySQL version](./rds-controls.html#rds-51)
+
@@ -688,0 +695,2 @@ The following list specifies which AWS Security Hub CSPM controls apply to the A
+[[SageMaker.19] SageMaker models should use private registry in VPC for multi-container inference pipelines](./sagemaker-controls.html#sagemaker-19)
+