AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-07-01 · Documentation low

File: securityhub/latest/userguide/securityhub-controls-reference.md

Summary

Added new security controls for Amazon Bedrock and SageMaker services focusing on encryption, network isolation, and KMS key usage

Security assessment

The change introduces new security controls (Bedrock.1, BedrockAgentCore.7, SageMaker.20-25) that document security best practices for encryption and network configurations. While these are security enhancements, there's no evidence they address specific vulnerabilities or incidents.

Diff

diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md
index 7f4fb3619..c54e60dd5 100644
--- a//securityhub/latest/userguide/securityhub-controls-reference.md
+++ b//securityhub/latest/userguide/securityhub-controls-reference.md
@@ -80,0 +81 @@ Security control ID | Security control title | Applicable standards | Severity |
+[Bedrock.1](./bedrock-controls.html#bedrock-1) | Amazon Bedrock data sources should be encrypted with customer managed AWS KMS keys | AWS Foundational Security Best Practices | MEDIUM |  No | Change triggered  
@@ -86,0 +88 @@ Security control ID | Security control title | Applicable standards | Severity |
+[BedrockAgentCore.7](./bedrockagentcore-controls.html#bedrockagentcore-7) | Bedrock AgentCore custom code interpreters should use a private network configuration | AWS Foundational Security Best Practices | HIGH |  No | Change triggered  
@@ -576,0 +579,6 @@ Security control ID | Security control title | Applicable standards | Severity |
+[SageMaker.20](./sagemaker-controls.html#sagemaker-20) | SageMaker model explainability job definitions should have network isolation enabled | AWS Foundational Security Best Practices | HIGH |  No | Change triggered  
+[SageMaker.21](./sagemaker-controls.html#sagemaker-21) | SageMaker notebook instances should be encrypted with customer managed AWS KMS keys | AWS Foundational Security Best Practices | MEDIUM |  No | Change triggered  
+[SageMaker.22](./sagemaker-controls.html#sagemaker-22) | SageMaker monitoring schedules should have inter-container traffic encryption enabled | AWS Foundational Security Best Practices | MEDIUM |  No | Change triggered  
+[SageMaker.23](./sagemaker-controls.html#sagemaker-23) | SageMaker inference experiments should have instance storage volume encrypted with customer managed AWS KMS keys | AWS Foundational Security Best Practices | MEDIUM |  No | Change triggered  
+[SageMaker.24](./sagemaker-controls.html#sagemaker-24) | SageMaker inference experiments should have data storage encrypted with customer managed AWS KMS keys | AWS Foundational Security Best Practices | MEDIUM |  No | Change triggered  
+[SageMaker.25](./sagemaker-controls.html#sagemaker-25) | SageMaker model quality job definitions should have network isolation enabled | AWS Foundational Security Best Practices | HIGH |  No | Change triggered