AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-05-22 · Documentation medium

File: securityhub/latest/userguide/securityhub-v2-concepts.md

Summary

Added definitions for service-linked configuration recorders, service-linked analyzer, and unused access findings

Security assessment

The change documents new security capabilities including automated configuration recording and unused access detection, but doesn't indicate fixes for existing vulnerabilities. It enhances security documentation by explaining new preventive controls.

Diff

diff --git a/securityhub/latest/userguide/securityhub-v2-concepts.md b/securityhub/latest/userguide/securityhub-v2-concepts.md
index 0aa89b937..b7353c642 100644
--- a//securityhub/latest/userguide/securityhub-v2-concepts.md
+++ b//securityhub/latest/userguide/securityhub-v2-concepts.md
@@ -143,0 +144,17 @@ A finding that contributes to an exposure finding. A signal can be referred to a
+**Service-linked configuration recorder**
+    
+
+A type of AWS Config recorder that is used to record configuration data on service-specific resources. Security Hub uses these recorders in an event-driven approach to obtain resource configuration items for exposure analysis coverage, resource inventory reporting, and posture management control evaluations. This capability is provided to all Security Hub customers as part of the Essential plan pricing. After you enable Security Hub, the following service-linked configuration recorders are created in your account: 
+
+  * In each AWS account and AWS Region, a service-linked configuration recorder named `AWSConfigurationRecorderForSecurityHubAssets` is created. 
+
+  * For global resource types, an additional service-linked configuration recorder named `AWSConfigurationRecorderForSecurityHubAssetsGlobal` is created in the us-east-1 AWS Region. 
+
+
+
+
+**Service-linked analyzer**
+    
+
+An IAM Access Analyzer that Security Hub creates and manages on your behalf. When you enable Security Hub, it automatically creates a service-linked unused access analyzer to identify IAM roles, users, access keys, and permissions that have not been used within a 90-day lookback period. The analyzer runs in US East (N. Virginia) because IAM is a global service. Security Hub replicates unused access findings to all Regions where you have enabled Security Hub. You do not need to separately enable IAM Access Analyzer or take any additional action. This capability is provided to all Security Hub customers as part of the Essential plan pricing. You can view the service-linked analyzer in the IAM Access Analyzer console, but you cannot modify or delete it while Security Hub is enabled. Security Hub deletes the analyzer when you disable the service in all regions of an AWS account. For more information, see [Understanding unused access findings in Security Hub](./unused-access-findings.html). 
+
@@ -148,0 +166,5 @@ A security deviation that results in an exposure finding. Trait types include **
+**Unused access finding**
+    
+
+A finding that identifies an IAM role, user, access key, or set of permissions that has not been used within a 90-day lookback period. Security Hub generates unused access findings using a service-linked IAM Access Analyzer. There are four types of unused access findings: unused IAM roles, unused IAM user access keys, unused IAM user passwords, and unused permissions. 
+