AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-06-07 · Documentation low

File: securityhub/latest/userguide/controls-change-log.md

Summary

Added retirement notices for EKS.3, IoTEvents.1-3 controls and confirmed retirement of ECS.1/RDS.18 controls. Updated formatting for ECS.1, MQ.3 and RDS.18 entries.

Security assessment

Changes document control retirements due to service deprecation (IoT Events) or default security improvements (EKS secrets encryption). No vulnerabilities are addressed. MQ.3 severity change note pre-exists.

Diff

diff --git a/securityhub/latest/userguide/controls-change-log.md b/securityhub/latest/userguide/controls-change-log.md
index 4f0b33e5d..a6f7af0a1 100644
--- a//securityhub/latest/userguide/controls-change-log.md
+++ b//securityhub/latest/userguide/controls-change-log.md
@@ -14,0 +15,6 @@ Date of change | Control ID and title | Description of change
+June 5, 2026 | [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](./eks-controls.html#eks-3) | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after August 10, 2026. Starting with Kubernetes version 1.28, Amazon EKS clusters have Kubernetes secrets protected with envelope encryption by default.   
+June 5, 2026 | [[IoTEvents.1] AWS IoT Events inputs should be tagged](./iotevents-controls.html#iotevents-1) | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after July 7, 2026. AWS announced end of support for AWS IoT Events service effective May 20, 2026.  
+June 5, 2026 | [[IoTEvents.2] AWS IoT Events detector models should be tagged](./iotevents-controls.html#iotevents-2) | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after July 7, 2026. AWS announced end of support for AWS IoT Events service effective May 20, 2026.  
+June 5, 2026 | [[IoTEvents.3] AWS IoT Events alarm models should be tagged](./iotevents-controls.html#iotevents-3) | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after July 7, 2026. AWS announced end of support for AWS IoT Events service effective May 20, 2026.  
+June 5, 2026 | [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions | Security Hub CSPM retired this control and removed it from all applicable standards. Previously, the control checked whether an active Amazon ECS task definition that used host networking mode also had `privileged` or `user` container definitions.  
+June 5, 2026 | [RDS.18] RDS instances should be deployed in a VPC | Security Hub CSPM retired this control and removed it from all applicable standards. Since Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC. Previously, the control checked whether an Amazon RDS instance was deployed on an EC2-VPC.  
@@ -30 +36 @@ February 5, 2026 | [[AppSync.6] AWS AppSync API caches should be encrypted in tr
-January 16, 2026 | [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](./ecs-controls.html#ecs-1) | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after February 16, 2026.  
+January 16, 2026 | [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after February 16, 2026.  
@@ -42 +48 @@ November 13, 2025 | [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be en
-November 13, 2025 | [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](./mq-controls.html#mq-3) | Security Hub CSPM changed the severity of this control from `LOW` to `MEDIUM`. Minor version upgrades include security patches that are necessary for maintaining Amazon MQ broker security.  
+November 13, 2025 | [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled | Security Hub CSPM changed the severity of this control from `LOW` to `MEDIUM`. Minor version upgrades include security patches that are necessary for maintaining Amazon MQ broker security.  
@@ -71 +77 @@ March 10, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](./l
-March 7, 2025 | [[RDS.18] RDS instances should be deployed in a VPC](./rds-controls.html#rds-18) | Security Hub CSPM removed this control from the AWS Foundational Security Best Practices standard and automated checks for NIST SP 800-53 Rev. 5 requirements. Since Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC. The control continues to be part of the [AWS Control Tower service-managed standard](./service-managed-standard-aws-control-tower.html).  
+March 7, 2025 | [RDS.18] RDS instances should be deployed in a VPC | Security Hub CSPM removed this control from the AWS Foundational Security Best Practices standard and automated checks for NIST SP 800-53 Rev. 5 requirements. Since Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC.