AWS securityhub documentation change
Summary
Added details about automatic deletion of service-linked IAM Access Analyzer when disabling Security Hub
Security assessment
The change documents resource cleanup behavior for a security feature (unused access analyzer) but doesn't address any vulnerability. It improves transparency about security resource lifecycle management.
Diff
diff --git a/securityhub/latest/userguide/securityhub-v2-disable.md b/securityhub/latest/userguide/securityhub-v2-disable.md index b3b24faac..8ba5b9d11 100644 --- a//securityhub/latest/userguide/securityhub-v2-disable.md +++ b//securityhub/latest/userguide/securityhub-v2-disable.md @@ -14,0 +15,2 @@ If your account is not part of an organization, you can disable Security Hub in +When you disable Security Hub for your account in all Regions, Security Hub also deletes the service-linked IAM Access Analyzer that was created when you enabled the service. If automatic deletion fails, you can delete the analyzer by calling the IAM Access Analyzer `DeleteServiceLinkedAnalyzer` API operation. This operation succeeds only after Security Hub is fully disabled for your account. If you disable Security Hub in a single Region but remain enabled in other Regions, the unused access analyzer continues to run and findings continue to be replicated to your remaining enabled Regions. +