AWS securityhub documentation change
Summary
Added documentation about unused access information appearing as contextual traits in exposure findings, including affected resource types and risk context.
Security assessment
The change enhances documentation for a security feature (unused permission detection) but doesn't indicate resolution of a specific vulnerability. It provides contextual risk assessment without evidence of patching a security flaw.
Diff
diff --git a/securityhub/latest/userguide/exposure-findings.md b/securityhub/latest/userguide/exposure-findings.md index f17ae6340..3b7422973 100644 --- a//securityhub/latest/userguide/exposure-findings.md +++ b//securityhub/latest/userguide/exposure-findings.md @@ -56,0 +57,17 @@ Each exposure finding includes: +Unused access information from IAM Access Analyzer can appear as contextual traits in exposure findings. When an IAM role attached to a resource has unused permissions, Security Hub includes this information as a contextual trait in the exposure detail view. For example, if an Amazon EC2 instance has a software vulnerability and its attached IAM role has 47 unused permissions across 5 services, the exposure finding shows the unused permissions as supplementary context. This helps you understand the potential blast radius — a vulnerable resource with an over-privileged IAM role presents a higher risk than one with least-privilege permissions, because a compromised resource could use those unused permissions to escalate access. + +The following resource types can display unused access contextual traits in their exposure findings: + + * Amazon Elastic Compute Cloud instances + + * AWS Lambda functions + + * Amazon Elastic Container Service services + + * Amazon Elastic Kubernetes Service clusters + + * IAM users (directly) + + + +