AWS securityhub medium security documentation change
Summary
Added new 'Unused access analysis' section explaining automated identification of unused IAM resources and least-privilege recommendations. Also added IAM Access Analyzer to the list of integrated services.
Security assessment
The change documents proactive security capabilities for identifying excessive permissions (violating least-privilege principle) and reducing attack surface. It directly addresses security risks from over-privileged accounts by enabling unused access detection and policy hardening recommendations.
Diff
diff --git a/securityhub/latest/userguide/what-is-securityhub-v2.md b/securityhub/latest/userguide/what-is-securityhub-v2.md index daa76b6c3..8bd041a64 100644 --- a//securityhub/latest/userguide/what-is-securityhub-v2.md +++ b//securityhub/latest/userguide/what-is-securityhub-v2.md @@ -30,0 +31,4 @@ Security Hub correlates findings from Security Hub CSPM control checks, Amazon I +###### Unused access analysis + +Security Hub automatically identifies IAM roles, users, access keys, and permissions that have not been used within a 90-day lookback period. When you enable Security Hub, the service creates a service-linked IAM Access Analyzer in your account. Unused access findings help you implement least-privilege access by highlighting over-provisioned IAM principals. For unused permissions findings, Security Hub can generate least-privilege policy recommendations that show you a scoped-down replacement policy. + @@ -63,0 +68,2 @@ Security Hub receives findings from the following AWS services. + * IAM Access Analyzer +