AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-05-22 · Documentation medium

File: securityhub/latest/userguide/sh-security-iam-awsmanpol.md

Summary

Updated AWSSecurityHubV2ServiceRolePolicy permissions to include IAM Access Analyzer, CloudWatch, ECR, and Lambda capabilities. Added changelog entry for policy update.

Security assessment

The change documents expanded permissions for security features like generating policy recommendations for unused access findings and managing service-linked analyzers. It enhances security documentation but shows no evidence of patching a vulnerability.

Diff

diff --git a/securityhub/latest/userguide/sh-security-iam-awsmanpol.md b/securityhub/latest/userguide/sh-security-iam-awsmanpol.md
index f76f8d8a4..8a80bcc21 100644
--- a//securityhub/latest/userguide/sh-security-iam-awsmanpol.md
+++ b//securityhub/latest/userguide/sh-security-iam-awsmanpol.md
@@ -136,4 +135,0 @@ To review the permissions for this policy, see [AWSSecurityHubOrganizationsAcces
-###### Note
-
-Security Hub is in preview release and subject to change. 
-
@@ -146 +142,9 @@ This policy includes the following permissions:
-  * `config` – Manage service-linked configuration recorders for Security Hub resources. 
+  * `access-analyzer` – Create and delete service-linked IAM Access Analyzers when customers enable or disable Security Hub, list analyzers to verify that analyzer state is consistent with enablement state, and generate and retrieve policy recommendations for unused access findings. 
+
+  * `cloudwatch` – Retrieve metrics data to support metering capabilities for Security Hub resources. 
+
+  * `config` – Manage service-linked configuration recorders for Security Hub resources, including support for global Config recorders. 
+
+  * `ecr` – Retrieve information about Amazon Elastic Container Registry images and repositories to support metering capabilities. 
+
+  * `iam` – Create the service-linked role for AWS Config, create the IAM Access Analyzer service-linked role in the customer account, retrieve account information to support metering capabilities, and retrieve existing IAM policies so that customers can view a comparison of their current policy and the recommended least-privilege replacement. 
@@ -148 +152 @@ This policy includes the following permissions:
-  * `iam` – Create the service-linked role for AWS Config. 
+  * `lambda` – Retrieve AWS Lambda function information to support metering capabilities. 
@@ -166,0 +171 @@ Change | Description | Date
+AWSSecurityHubV2ServiceRolePolicy – Updated policy  |  Security Hub updated the policy to add IAM Access Analyzer permissions. The update allows Security Hub to create and manage service-managed analyzers, list analyzers to verify that the analyzer configuration is consistent with the enablement state, generate and retrieve policy recommendations for unused access findings, and retrieve IAM policies for recommendation display. | May 10th, 2026