AWS securityhub documentation change
Summary
Restructured documentation about resources created when enabling Security Hub. Replaced detailed explanation of service-linked recorders with a bullet-point list that adds documentation about service-linked analyzers and provides concept links.
Security assessment
The change adds documentation about service-linked analyzers (a security feature for access analysis) and improves clarity of created resources. While it enhances security documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/securityhub/latest/userguide/securityhub-v2-enable.md b/securityhub/latest/userguide/securityhub-v2-enable.md index b44af6bfd..5dfd73f39 100644 --- a//securityhub/latest/userguide/securityhub-v2-enable.md +++ b//securityhub/latest/userguide/securityhub-v2-enable.md @@ -82,2 +81,0 @@ The delegated administrator account completes this step. After the AWS Organizat -After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all). - @@ -87,0 +86,11 @@ After enbling Security Hub in the delegated administrator account for an organiz +After you enable Security Hub the following resources are created in your account: + + * A service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy). + + * Service-linked configuration recorders. See [Service-linked recorder](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-concepts.html#concept-slcr) in the Security Hub concepts documentation for more details. + + * A Service-linked analyzer. See [Service-linked analyzer](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-concepts.html#concept-sla) in the Security Hub concepts documentation for more details. + + + + @@ -113 +122,10 @@ This procedure describes how to enable Security Hub in a standalone account. A s -After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all). +After you enable Security Hub the following resources are created in in each account where you enabled the service: + + * A service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy). + + * Service-linked configuration recorders. See [Service-linked recorder](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-concepts.html#concept-slcr) in the Security Hub concepts documentation for more details. + + * A Service-linked analyzer. See [Service-linked analyzer](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-concepts.html#concept-sla) in the Security Hub concepts documentation for more details. + + +