AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-05-22 · Documentation low

File: securityhub/latest/userguide/securityhub-v2-disable.md

Summary

Added details about automatic deletion of service-linked IAM Access Analyzer when disabling Security Hub

Security assessment

The change documents resource cleanup behavior for a security feature (unused access analyzer) but doesn't address any vulnerability. It improves transparency about security resource lifecycle management.

Diff

diff --git a/securityhub/latest/userguide/securityhub-v2-disable.md b/securityhub/latest/userguide/securityhub-v2-disable.md
index b3b24faac..8ba5b9d11 100644
--- a//securityhub/latest/userguide/securityhub-v2-disable.md
+++ b//securityhub/latest/userguide/securityhub-v2-disable.md
@@ -14,0 +15,2 @@ If your account is not part of an organization, you can disable Security Hub in
+When you disable Security Hub for your account in all Regions, Security Hub also deletes the service-linked IAM Access Analyzer that was created when you enabled the service. If automatic deletion fails, you can delete the analyzer by calling the IAM Access Analyzer `DeleteServiceLinkedAnalyzer` API operation. This operation succeeds only after Security Hub is fully disabled for your account. If you disable Security Hub in a single Region but remain enabled in other Regions, the unused access analyzer continues to run and findings continue to be replicated to your remaining enabled Regions. 
+