AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-07-10 · Documentation low

File: securityhub/latest/userguide/exposure-findings-severity.md

Summary

Expanded documentation on how Security Hub calculates exposure finding severity using a risk matrix combining likelihood and impact. Added detailed table showing severity combinations, likelihood factors (including EPSS reference), and impact analysis methodology.

Security assessment

The changes enhance documentation about security feature implementation (severity calculation methodology) but don't address a specific vulnerability. The update improves transparency about existing security controls without indicating a prior security defect.

Diff

diff --git a/securityhub/latest/userguide/exposure-findings-severity.md b/securityhub/latest/userguide/exposure-findings-severity.md
index 5b147deba..7e7418704 100644
--- a//securityhub/latest/userguide/exposure-findings-severity.md
+++ b//securityhub/latest/userguide/exposure-findings-severity.md
@@ -6,0 +7,2 @@
+Risk matrixLikelihoodImpact
+
@@ -9 +11,14 @@
-AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`, `HIGH`, `MEDIUM`, or `LOW`. Exposure findings with a severity of `INFORMATIONAL` aren't published. Security Hub uses several factors to determine the default severity level of an exposure finding: 
+AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`, `HIGH`, `MEDIUM`, or `LOW`. Exposure findings with a severity of `INFORMATIONAL` aren't published. Security Hub determines the severity of an exposure finding by combining two dimensions, **likelihood** and **impact** , on a risk matrix. Likelihood reflects how easily the exposure can be exploited, and impact reflects the magnitude of harm if it is exploited. 
+
+In cases where impact cannot be determined for a resource, the severity is based purely on likelihood. 
+
+## Risk matrix
+
+The following table shows how likelihood and impact combine to produce the final severity of an exposure finding. Likelihood establishes a baseline severity, and impact adjusts it: high impact increases severity by one level (capped at Critical), medium impact leaves severity unchanged, and low impact decreases severity by one level (floored at Low). 
+
+Severity risk matrix Likelihood ↓ / Impact → | Low | Medium | High  
+---|---|---|---  
+**Very High** | HIGH | CRITICAL | CRITICAL  
+**High** | MEDIUM | HIGH | CRITICAL  
+**Moderate** | LOW | MEDIUM | HIGH  
+**Low** | LOW | LOW | MEDIUM  
@@ -11 +26,5 @@ AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`,
-  * **Awareness** – The extent at which the exposure is not theoretical, but has publicly available or automated exploits. This applies to exposure findings for EC2 instances and Lambda functions. 
+## Likelihood
+
+**Likelihood** measures how easily an exposure can be exploited, based on the contributing traits present on the resource, such as **Assumability** , **Misconfiguration** , **Reachability** , **Sensitive Data** , and **Vulnerability**. Security Hub uses several characteristics to assess likelihood, including the following: 
+
+  * **Awareness** – The extent at which the exposure is not theoretical, but has publicly available or automated exploits. 
@@ -17 +36,3 @@ AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`,
-  * **Likelihood of exploit** – The likelihood the exposure will be exploited in the next 30 days. This factor corresponds to the Exploit Protection Scoring System (EPSS) and applies to exposure findings for Amazon EC2 instances and Lambda functions. 
+  * **Likelihood of exploit** – The likelihood the exposure will be exploited in the next 30 days. This factor corresponds to the [Exploit Prediction Scoring System (EPSS)](https://www.first.org/epss/). 
+
+
@@ -19 +39,0 @@ AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`,
-  * **Impact** – The harm if the exploit is carried out. For example, an exposure could lead to loss of accountability, loss of availability, loss of confidentiality from data exposure, or loss of integrity from data corruption. 
@@ -20,0 +41 @@ AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`,
+## Impact
@@ -21,0 +43 @@ AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`,
+**Impact** measures the magnitude of harm to your environment if the exposure is exploited. For example, an exposure could lead to loss of accountability, loss of availability, loss of confidentiality from data exposure, or loss of integrity from data corruption. 
@@ -22,0 +45 @@ AWS Security Hub assigns each exposure finding a default severity of `CRITICAL`,
+To assess impact, Security Hub analyzes the effective permissions of the AWS Identity and Access Management principals associated with the resource to determine the actions and AWS services an attacker could invoke. It also identifies the existing resources an attacker could reach and compromise through privilege escalation. For more information, see [Impact and effective permissions](./exposure-findings-supported-traits.html#exposure-findings-impact-analysis).