AWS securityhub documentation change
Summary
Updated IAM policy documentation to include new permissions for third-party cloud integrations, including Inspector connectors, STS federation tokens, and expanded Config/CloudWatch permissions.
Security assessment
The changes document expanded permissions for third-party integrations but lack evidence of addressing a specific vulnerability. However, they describe new security capabilities like Inspector scanning and identity federation, qualifying as security documentation enhancements.
Diff
diff --git a/securityhub/latest/userguide/sh-security-iam-awsmanpol.md b/securityhub/latest/userguide/sh-security-iam-awsmanpol.md index 8a80bcc21..db798c9a2 100644 --- a//securityhub/latest/userguide/sh-security-iam-awsmanpol.md +++ b//securityhub/latest/userguide/sh-security-iam-awsmanpol.md @@ -144 +144 @@ This policy includes the following permissions: - * `cloudwatch` – Retrieve metrics data to support metering capabilities for Security Hub resources. + * `cloudwatch` – Retrieve metrics data to support metering capabilities for Security Hub resources and Connector health metrics. @@ -146 +146 @@ This policy includes the following permissions: - * `config` – Manage service-linked configuration recorders for Security Hub resources, including support for global Config recorders. + * `config` – Manage service-linked configuration recorders and third-party service-linked configuration recorders for Security Hub resources, including support for global Config recorders. List configuration recorders and get connector information to support third-party cloud integrations. @@ -150 +150,3 @@ This policy includes the following permissions: - * `iam` – Create the service-linked role for AWS Config, create the IAM Access Analyzer service-linked role in the customer account, retrieve account information to support metering capabilities, and retrieve existing IAM policies so that customers can view a comparison of their current policy and the recommended least-privilege replacement. + * `iam` – Create the following service-linked roles: AWS Config, IAM Access Analyzer in the customer account, and Amazon Inspector for third-party scanning. Retrieve account information to support metering capabilities. Retrieve existing IAM policies so that customers can view a comparison of their current policy and the recommended least-privilege replacement. + + * `inspector2` – Create, update, delete, and list Amazon Inspector connectors and connector scan configurations to support third-party cloud integrations. @@ -156 +158,3 @@ This policy includes the following permissions: - * `securityhub` – Manage the Security Hub configuration. + * `securityhub` – Manage the Security Hub configuration. Create, update, and delete Security Hub connectors to support third-party cloud integrations. + + * `sts` – Obtain web identity tokens for outbound identity federation to support third-party cloud integrations. @@ -171 +175,2 @@ Change | Description | Date -AWSSecurityHubV2ServiceRolePolicy – Updated policy | Security Hub updated the policy to add IAM Access Analyzer permissions. The update allows Security Hub to create and manage service-managed analyzers, list analyzers to verify that the analyzer configuration is consistent with the enablement state, generate and retrieve policy recommendations for unused access findings, and retrieve IAM policies for recommendation display. | May 10th, 2026 +AWSSecurityHubV2ServiceRolePolicy – Updated policy | Security Hub updated the policy to support third-party integrations. The update adds the following permissions: manage third-party configuration recorders, create and manage Security Hub and Amazon Inspector connectors, retrieve Connector health metrics from CloudWatch, create the Amazon Inspector service-linked role for third-party scanning, and obtain web identity tokens for federation. | June 30, 2026 +AWSSecurityHubV2ServiceRolePolicy – Updated policy | Security Hub updated the policy to add IAM Access Analyzer permissions. The update allows Security Hub to create and manage service-managed analyzers, list analyzers to verify that the analyzer configuration is consistent with the enablement state, generate and retrieve policy recommendations for unused access findings, and retrieve IAM policies for recommendation display. | May 10, 2026