AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-05-22 · Documentation low

File: securityhub/latest/userguide/exposure-findings.md

Summary

Added documentation about unused access information appearing as contextual traits in exposure findings, including affected resource types and risk context.

Security assessment

The change enhances documentation for a security feature (unused permission detection) but doesn't indicate resolution of a specific vulnerability. It provides contextual risk assessment without evidence of patching a security flaw.

Diff

diff --git a/securityhub/latest/userguide/exposure-findings.md b/securityhub/latest/userguide/exposure-findings.md
index f17ae6340..3b7422973 100644
--- a//securityhub/latest/userguide/exposure-findings.md
+++ b//securityhub/latest/userguide/exposure-findings.md
@@ -56,0 +57,17 @@ Each exposure finding includes:
+Unused access information from IAM Access Analyzer can appear as contextual traits in exposure findings. When an IAM role attached to a resource has unused permissions, Security Hub includes this information as a contextual trait in the exposure detail view. For example, if an Amazon EC2 instance has a software vulnerability and its attached IAM role has 47 unused permissions across 5 services, the exposure finding shows the unused permissions as supplementary context. This helps you understand the potential blast radius — a vulnerable resource with an over-privileged IAM role presents a higher risk than one with least-privilege permissions, because a compromised resource could use those unused permissions to escalate access. 
+
+The following resource types can display unused access contextual traits in their exposure findings: 
+
+  * Amazon Elastic Compute Cloud instances
+
+  * AWS Lambda functions
+
+  * Amazon Elastic Container Service services
+
+  * Amazon Elastic Kubernetes Service clusters
+
+  * IAM users (directly)
+
+
+
+