AWS securityhub documentation change
Summary
Updated description of AWSSecurityHubServiceRolePolicy to include new permissions for managing Security Hub CSPM service-linked configuration recorders and creating AWS Config service-linked role. Added change history entry for April 29, 2026.
Security assessment
This change documents updates to a security-related IAM policy, adding specific permissions for CSPM functionality. While it involves security permissions, there is no evidence of a security vulnerability being addressed. It is a routine update to reflect policy changes for new features.
Diff
diff --git a/securityhub/latest/userguide/security-iam-awsmanpol.md b/securityhub/latest/userguide/security-iam-awsmanpol.md index 2b32a8770..a191cc31c 100644 --- a//securityhub/latest/userguide/security-iam-awsmanpol.md +++ b//securityhub/latest/userguide/security-iam-awsmanpol.md @@ -158 +158 @@ This policy includes the following permissions: - * `config` – Retrieve information about configuration recorders, resources, and AWS Config rules. Also allows the service-linked role to create and delete AWS Config rules, and to run evaluations against the rules. + * `config` – Retrieve information about configuration recorders, resources, and AWS Config rules. Also allows the service-linked role to manage the Security Hub CSPM service-linked configuration recorders, create and delete AWS Config rules, and run evaluations against the rules. @@ -160 +160 @@ This policy includes the following permissions: - * `iam` – Retrieve and generate credential reports for accounts. + * `iam` – Retrieve and generate credential reports for accounts, and create the service-linked role for AWS Config. @@ -211,0 +212 @@ Change | Description | Date +AWSSecurityHubServiceRolePolicy – Updated policy | Security Hub CSPM updated the policy to add permissions to manage Security Hub CSPM service-linked configuration recorders and create the AWS Config service-linked role. | April 29, 2026