Change log for Security Hub controls
The following change log tracks material changes to existing AWS Security Hub security controls, which may result in changes to the overall status of a control and the compliance status of its findings. For information about how Security Hub evaluates control status, see Evaluating compliance status and control status in Security Hub. Changes may take a few days after their entry in this log to affect all AWS Regions in which the control is available.
This log tracks changes occurring since April 2023.
Select a control to view more details about it. Title changes are noted on each control's detailed description for 90 days.
Date of change | Control ID and title | Description of change |
---|---|---|
October 11, 2024 | ElastiCache controls | Changed control titles for ElastiCache.3, ElastiCache.4, ElastiCache.5, and ElastiCache.7. Titles no longer mention Redis OSS because the controls also apply to ElastiCache for Valkey. |
September 27, 2024 | [ELB.4] Application Load Balancer should be configured to drop invalid http headers | Changed control title from Application Load Balancer should be configured to drop http headers to Application Load Balancer should be configured to drop invalid http headers. |
August 19, 2024 | Title changes to DMS.12 and ElastiCache controls | Changed control titles for DMS.12 and ElastiCache.1 through ElastiCache.7. We changed these titles to reflect a name change in the Amazon ElastiCache (Redis OSS) service. |
August 15, 2024 | [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | This control checks whether AWS Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub added a custom control parameter named includeConfigServiceLinkedRoleCheck. By setting this parameter to false, you can opt out of checking whether AWS Config uses the service-linked role. |
July 31, 2024 | [IoT.1] AWS IoT Device Defender security profiles should be tagged | Changed control title from AWS IoT Core security profiles should be tagged to AWS IoT Device Defender security profiles should be tagged. |
July 29, 2024 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub no longer supports nodejs16.x as a parameter. |
July 29, 2024 | [EKS.2] EKS clusters should run on a supported Kubernetes version | This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. The oldest supported version is 1.28. |
June 25, 2024 | [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | This control checks whether AWS Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub updated the control title to reflect what the control evaluates. |
June 14, 2024 | [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs | This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. Security Hub updated the control so that it doesn't generate findings for Aurora Serverless v1 DB clusters. |
June 11, 2024 | [EKS.2] EKS clusters should run on a supported Kubernetes version | This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. The oldest supported version is 1.27. |
June 10, 2024 | [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | This control checks whether AWS Config is enabled and AWS Config resource recording is turned on. Previously, the control produced a PASSED finding only if you configured recording for all resources. Security Hub updated the control to produce a PASSED finding when recording is turned on for resources that are required for enabled controls. The control has also been updated to check whether the AWS Config service-linked role is used, which provides permissions to record necessary resources. |
May 8, 2024 | [S3.20] S3 general purpose buckets should have MFA delete enabled | This control checks whether an Amazon S3 general purpose versioned bucket has multi-factor authentication (MFA) delete enabled. Previously, the control produced a FAILED finding for buckets that have a Lifecycle configuration. However, MFA delete with versioning can't be enabled on a bucket that has a Lifecycle configuration. Security Hub updated the control to produce no findings for buckets that have a Lifecycle configuration. The control description has been updated to reflect the current behavior. |
May 2, 2024 | [EKS.2] EKS clusters should run on a supported Kubernetes version | Security Hub updated the oldest supported version of Kubernetes that the Amazon EKS cluster can run on to produce a passed finding. The current oldest supported version is Kubernetes 1.26. |
April 30, 2024 | [CloudTrail.3] At least one CloudTrail trail should be enabled | Changed control title from CloudTrail should be enabled to At least one CloudTrail trail should be enabled. This control currently produces a PASSED finding if an AWS account has at least one CloudTrail trail enabled. The title and description have been changed to accurately reflect the current behavior. |
April 29, 2024 | [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks | Changed control title from Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks to Auto Scaling groups associated with a load balancer should use ELB health checks. This control currently evaluates Application, Gateway, Network, and Classic Load Balancers. The title and description have been changed to accurately reflect the current behavior. |
April 19, 2024 | [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | The control checks whether AWS CloudTrail is enabled and configured with at least one multi-Region trail that includes read and write management events. Previously, the control incorrectly generated PASSED findings when an account had CloudTrail enabled and configured with at least one multi-Region trail, even if no trail captured read and write management events. The control now generates a PASSED finding only when CloudTrail is enabled and configured with at least one multi-Region trail that captures read and write management events. |
April 10, 2024 | [Athena.1] Athena workgroups should be encrypted at rest | Security Hub retired this control and removed it from all standards. Athena workgroups send logs to Amazon Simple Storage Service (Amazon S3) buckets. Amazon S3 now provides default encryption with S3 managed keys (SSE-S3) on new and existing S3 buckets. |
April 10, 2024 | [AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1 | Security Hub retired this control and removed it from all standards. Metadata response hop limits for Amazon Elastic Compute Cloud (Amazon EC2) instances are workload dependent. |
April 10, 2024 | [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS) | Security Hub retired this control and removed it from all standards. Integrating AWS CloudFormation stacks with Amazon SNS topics is no longer a security best practice. Though integrating important CloudFormation stacks with SNS topics can be useful, it is not required for all stacks. |
April 10, 2024 | [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled | Security Hub retired this control and removed it from all standards. Enabling privileged mode in a CodeBuild project does not impose an additional risk to the customer environment. |
April 10, 2024 | [IAM.20] Avoid the use of the root user | Security Hub retired this control and removed it from all standards. The purpose of this control is covered by another control, [CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user. |
April 10, 2024 | [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic | Security Hub retired this control and removed it from all standards. Logging delivery status for SNS topics is no longer a security best practice. Though logging delivery status for important SNS topics can be useful, it is not required for all topics. |
April 10, 2024 | [S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations | Security Hub removed this control from AWS Foundational Security Best Practices v1.0.0 and Service-Managed Standard: AWS Control Tower. The purpose of this control is covered by two other controls: [S3.13] S3 general purpose buckets should have Lifecycle configurations and [S3.14] S3 general purpose buckets should have versioning enabled. This control is still part of NIST SP 800-53 Rev. 5. |
April 10, 2024 | [S3.11] S3 general purpose buckets should have event notifications enabled | Security Hub removed this control from AWS Foundational Security Best Practices v1.0.0 and Service-Managed Standard: AWS Control Tower. Though there are some cases where event notifications for S3 buckets are useful, this is not a universal security best practice. This control is still part of NIST SP 800-53 Rev. 5. |
April 10, 2024 | [SNS.1] SNS topics should be encrypted at-rest using AWS KMS | Security Hub removed this control from AWS Foundational Security Best Practices v1.0.0 and Service-Managed Standard: AWS Control Tower. By default, SNS encrypts topics at rest with disk encryption. For more information, see Data encryption. Using AWS KMS to encrypt topics is no longer recommended as a security best practice. This control is still part of NIST SP 800-53 Rev. 5. |
April 8, 2024 | [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled | Changed control title from Application Load Balancer deletion protection should be enabled to Application, Gateway, and Network Load Balancers should have deletion protection enabled. This control currently evaluates Application, Gateway, and Network Load Balancers. The title and description have been changed to accurately reflect the current behavior. |
March 22, 2024 | [Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy | Changed control title from Connections to OpenSearch domains should be encrypted using TLS 1.2 to Connections to OpenSearch domains should be encrypted using the latest TLS security policy. Previously, the control only checked whether connections to OpenSearch domains used TLS 1.2. The control now produces a PASSED finding if OpenSearch domains are encrypted using the latest TLS security policy. The control title and description have been updated to reflect the current behavior. |
March 22, 2024 | [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | Changed control title from Connections to Elasticsearch domains should be encrypted using TLS 1.2 to Connections to Elasticsearch domains should be encrypted using the latest TLS security policy. Previously, the control only checked whether connections to Elasticsearch domains used TLS 1.2. The control now produces a PASSED finding if Elasticsearch domains are encrypted using the latest TLS security policy. The control title and description have been updated to reflect the current behavior. |
March 12, 2024 | [S3.1] S3 general purpose buckets should have block public access settings enabled | Changed title from S3 Block Public Access setting should be enabled to S3 general purpose buckets should have block public access settings enabled. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.2] S3 general purpose buckets should block public read access | Changed title from S3 buckets should prohibit public read access to S3 general purpose buckets should block public read access. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.3] S3 general purpose buckets should block public write access | Changed title from S3 buckets should prohibit public write access to S3 general purpose buckets should block public write access. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.5] S3 general purpose buckets should require requests to use SSL | Changed title from S3 buckets should require requests to use Secure Socket Layer to S3 general purpose buckets should require requests to use SSL. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts | Changed title from S3 permissions granted to other AWS accounts in bucket policies should be restricted to S3 general purpose bucket policies should restrict access to other AWS accounts. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.7] S3 general purpose buckets should use cross-Region replication | Changed title from S3 buckets should have cross-Region replication enabled to S3 general purpose buckets should use cross-Region replication. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.8] S3 general purpose buckets should block public access | Changed title from S3 Block Public Access setting should be enabled at the bucket-level to S3 general purpose buckets should block public access. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.9] S3 general purpose buckets should have server access logging enabled | Changed title from S3 bucket server access logging should be enabled to Server access logging should be enabled for S3 general purpose buckets. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations | Changed title from S3 buckets with versioning enabled should have lifecycle policies configured to S3 general purpose buckets with versioning enabled should have Lifecycle configurations. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.11] S3 general purpose buckets should have event notifications enabled | Changed title from S3 buckets should have event notifications enabled to S3 general purpose buckets should have event notifications enabled. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets | Changed title from S3 access control lists (ACLs) should not be used to manage user access to buckets to ACLs should not be used to manage user access to S3 general purpose buckets. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.13] S3 general purpose buckets should have Lifecycle configurations | Changed title from S3 buckets should have lifecycle policies configured to S3 general purpose buckets should have Lifecycle configurations. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.14] S3 general purpose buckets should have versioning enabled | Changed title from S3 buckets should use versioning to S3 general purpose buckets should have versioning enabled. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.15] S3 general purpose buckets should have Object Lock enabled | Changed title from S3 buckets should be configured to use Object Lock to S3 general purpose buckets should have Object Lock enabled. Security Hub changed the title to account for a new S3 bucket type. |
March 12, 2024 | [S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys | Changed title from S3 buckets should be encrypted at rest with AWS KMS keys to S3 general purpose buckets should be encrypted at rest with AWS KMS keys. Security Hub changed the title to account for a new S3 bucket type. |
March 7, 2024 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports nodejs20.x and ruby3.3 as parameters. |
February 22, 2024 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports dotnet8 as a parameter. |
February 5, 2024 | [EKS.2] EKS clusters should run on a supported Kubernetes version | Security Hub updated the oldest supported version of Kubernetes that the Amazon EKS cluster can run on to produce a passed finding. The current oldest supported version is Kubernetes 1.25. |
January 10, 2024 | [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | Changed title from CodeBuild GitHub or Bitbucket source repository URLs should use OAuth to CodeBuild Bitbucket source repository URLs should not contain sensitive credentials. Security Hub removed mention of OAuth because other connection methods can also be secure. Security Hub removed mention of GitHub because it's no longer possible to have a personal access token or username and password in GitHub source repository URLs. |
January 8, 2024 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub no longer supports go1.x and java8 as parameters because these are retired runtimes. |
December 29, 2023 | [RDS.8] RDS DB instances should have deletion protection enabled | RDS.8 checks whether an Amazon RDS DB instance that uses one of the supported database engines has deletion protection enabled. Security Hub now supports custom-oracle-ee, oracle-ee-cdb, and oracle-se2-cdb as database engines. |
December 22, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports java21 and python3.12 as parameters. Security Hub no longer supports ruby2.7 as a parameter. |
December 15, 2023 | [CloudFront.1] CloudFront distributions should have a default root object configured | CloudFront.1 checks whether an Amazon CloudFront distribution has a default root object configured. Security Hub lowered the severity of this control from CRITICAL to HIGH because adding the default root object is a recommendation that depends on a user's application and specific requirements. |
December 5, 2023 | [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Changed control title from Security groups should not allow ingress from 0.0.0.0/0 to port 22 to Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22. |
December 5, 2023 | [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | Changed control title from Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 to Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389. |
December 5, 2023 | [RDS.9] RDS DB instances should publish logs to CloudWatch Logs | Changed control title from Database logging should be enabled to RDS DB instances should publish logs to CloudWatch Logs. Security Hub identified that this control only checks whether logs are published to Amazon CloudWatch Logs and doesn't check whether RDS logs are enabled. The control produces a PASSED finding if RDS DB instances are configured to publish logs to CloudWatch Logs. The control title has been updated to reflect the current behavior. |
December 5, 2023 | [EKS.8] EKS clusters should have audit logging enabled | This control checks whether Amazon EKS clusters have audit logging enabled. The AWS Config rule that Security Hub uses to evaluate this control changed from eks-cluster-logging-enabled to eks-cluster-log-enabled. |
November 17, 2023 | [EC2.19] Security groups should not allow unrestricted access to ports with high risk | EC2.19 checks whether unrestricted incoming traffic for a security group is accessible to the specified ports that are considered to be high risk. Security Hub updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'. |
November 16, 2023 | [CloudWatch.15] CloudWatch alarms should have specified actions configured | Changed control title from CloudWatch alarms should have an action configured for the ALARM state to CloudWatch alarms should have specified actions configured. |
November 16, 2023 | [CloudWatch.16] CloudWatch log groups should be retained for a specified time period | Changed control title from CloudWatch log groups should be retained for at least 1 year to CloudWatch log groups should be retained for a specified time period. |
November 16, 2023 | [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones | Changed control title from VPC Lambda functions should operate in more than one Availability Zone to VPC Lambda functions should operate in multiple Availability Zones. |
November 16, 2023 | [AppSync.2] AWS AppSync should have field-level logging enabled | Changed control title from AWS AppSync should have request-level and field-level logging turned on to AWS AppSync should have field-level logging enabled. |
November 16, 2023 | [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses | Changed control title from Amazon Elastic MapReduce cluster master nodes should not have public IP addresses to Amazon EMR cluster primary nodes should not have public IP addresses. |
November 16, 2023 | [Opensearch.2] OpenSearch domains should not be publicly accessible | Changed control title from OpenSearch domains should be in a VPC to OpenSearch domains should not be publicly accessible. |
November 16, 2023 | [ES.2] Elasticsearch domains should not be publicly accessible | Changed control title from Elasticsearch domains should be in a VPC to Elasticsearch domains should not be publicly accessible. |
October 31, 2023 | [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled | ES.4 checks whether Elasticsearch domains are configured to send error logs to Amazon CloudWatch Logs. The control previously produced a PASSED finding for an Elasticsearch domain that has any logs configured to send to CloudWatch Logs. Security Hub updated the control to produce a PASSED finding only for an Elasticsearch domain that is configured to send error logs to CloudWatch Logs. The control was also updated to exclude Elasticsearch versions that don't support error logs from evaluation. |
October 16, 2023 | [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | EC2.13 checks whether security groups allow unrestricted ingress access to port 22. Security Hub updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'. |
October 16, 2023 | [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | EC2.14 checks whether security groups allow unrestricted ingress access to port 3389. Security Hub updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'. |
October 16, 2023 | [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports | EC2.18 checks whether the security groups that are in use allow unrestricted incoming traffic. Security Hub updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'. |
October 16, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports python3.11 as a parameter. |
October 4, 2023 | [S3.7] S3 general purpose buckets should use cross-Region replication | Security Hub added the parameter ReplicationType with a value of CROSS-REGION to ensure that S3 buckets have cross-Region replication enabled rather than same-Region replication. |
September 27, 2023 | [EKS.2] EKS clusters should run on a supported Kubernetes version | Security Hub updated the oldest supported version of Kubernetes that the Amazon EKS cluster can run on to produce a passed finding. The current oldest supported version is Kubernetes 1.24. |
September 20, 2023 | CloudFront.2 – CloudFront distributions should have origin access identity enabled | Security Hub retired this control and removed it from all standards. Instead, see [CloudFront.13] CloudFront distributions should use origin access control. Origin access control is the current security best practice. This control will be removed from documentation in 90 days. |
September 20, 2023 | [EC2.22] Unused Amazon EC2 security groups should be removed | Security Hub removed this control from AWS Foundational Security Best Practices (FSBP) and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5. It is still part of Service-Managed Standard: AWS Control Tower. This control produces a passed finding if security groups are attached to EC2 instances or to an elastic network interface. However, for certain use cases, unattached security groups don't pose a security risk. You can use other EC2 controls—such as EC2.2, EC2.13, EC2.14, EC2.18, and EC2.19—to monitor your security groups. |
September 20, 2023 | EC2.29 – EC2 instances should be launched in a VPC | Security Hub retired this control and removed it from all standards. Amazon EC2 has migrated EC2-Classic instances to a VPC. This control will be removed from documentation in 90 days. |
September 20, 2023 | S3.4 – S3 buckets should have server-side encryption enabled | Security Hub retired this control and removed it from all standards. Amazon S3 now provides default encryption with S3 managed keys (SSE-S3) on new and existing S3 buckets. The encryption settings are unchanged for existing buckets that are encrypted with SSE-S3 or SSE-KMS server-side encryption. This control will be removed from documentation in 90 days. |
September 14, 2023 | [EC2.2] VPC default security groups should not allow inbound or outbound traffic | Changed control title from The VPC default security group should not allow inbound and outbound traffic to VPC default security groups should not allow inbound or outbound traffic. |
September 14, 2023 | [IAM.9] MFA should be enabled for the root user | Changed control title from Virtual MFA should be enabled for the root user to MFA should be enabled for the root user. |
September 14, 2023 | [RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events | Changed control title from An RDS event notifications subscription should be configured for critical cluster events to Existing RDS event notification subscriptions should be configured for critical cluster events. |
September 14, 2023 | [RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events | Changed control title from An RDS event notifications subscription should be configured for critical database instance events to Existing RDS event notification subscriptions should be configured for critical database instance events. |
September 14, 2023 | [WAF.2] AWS WAF Classic Regional rules should have at least one condition | Changed control title from A WAF Regional rule should have at least one condition to AWS WAF Classic Regional rules should have at least one condition. |
September 14, 2023 | [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule | Changed control title from A WAF Regional rule group should have at least one rule to AWS WAF Classic Regional rule groups should have at least one rule. |
September 14, 2023 | [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group | Changed control title from A WAF Regional web ACL should have at least one rule or rule group to AWS WAF Classic Regional web ACLs should have at least one rule or rule group. |
September 14, 2023 | [WAF.6] AWS WAF Classic global rules should have at least one condition | Changed control title from A WAF global rule should have at least one condition to AWS WAF Classic global rules should have at least one condition. |
September 14, 2023 | [WAF.7] AWS WAF Classic global rule groups should have at least one rule | Changed control title from A WAF global rule group should have at least one rule to AWS WAF Classic global rule groups should have at least one rule. |
September 14, 2023 | [WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group | Changed control title from A WAF global web ACL should have at least one rule or rule group to AWS WAF Classic global web ACLs should have at least one rule or rule group. |
September 14, 2023 | [WAF.10] AWS WAF web ACLs should have at least one rule or rule group | Changed control title from A WAFv2 web ACL should have at least one rule or rule group to AWS WAF web ACLs should have at least one rule or rule group. |
September 14, 2023 | [WAF.11] AWS WAF web ACL logging should be enabled | Changed control title from AWS WAFv2 web ACL logging should be activated to AWS WAF web ACL logging should be enabled. |
July 20, 2023 | S3.4 – S3 buckets should have server-side encryption enabled | S3.4 checks whether an Amazon S3 bucket either has server-side encryption enabled or that the S3 bucket policy explicitly denies PutObject requests without server-side encryption. Security Hub updated this control to include dual-layer server-side encryption with KMS keys (DSSE-KMS). The control produces a passed finding when an S3 bucket is encrypted with SSE-S3, SSE-KMS, or DSSE-KMS. |
July 17, 2023 | [S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys | S3.17 checks whether an Amazon S3 bucket is encrypted with an AWS KMS key. Security Hub updated this control to include dual-layer server side encryption with KMS keys (DSSE-KMS). The control produces a passed finding when an S3 bucket is encrypted with SSE-KMS or DSSE-KMS. |
June 9, 2023 | [EKS.2] EKS clusters should run on a supported Kubernetes version | EKS.2 checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The oldest supported version is now 1.23. |
June 9, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports ruby3.2 as a parameter. |
June 5, 2023 | [APIGateway.5] API Gateway REST API cache data should be encrypted at rest | APIGateway.5 checks whether all methods in Amazon API Gateway REST API stages are encrypted at rest. Security Hub updated the control to evaluate the encryption of a particular method only when caching is enabled for that method. |
May 18, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports java17 as a parameter. |
May 18, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub no longer supports nodejs12.x as a parameter. |
April 23, 2023 | [ECS.10] ECS Fargate services should run on the latest Fargate platform version | ECS.10 checks whether Amazon ECS Fargate services are running the latest Fargate platform version. Customers can deploy Amazon ECS through ECS directly, or by using CodeDeploy. Security Hub updated this control to produce Passed findings when you use CodeDeploy to deploy ECS Fargate services. |
April 20, 2023 | [S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts | S3.6 checks whether an Amazon Simple Storage Service (Amazon S3) bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket. Security Hub updated the control to account for conditionals in a bucket policy. |
April 18, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub now supports python3.10 as a parameter. |
April 18, 2023 | [Lambda.2] Lambda functions should use supported runtimes | Lambda.2 checks whether the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub no longer supports dotnetcore3.1 as a parameter. |
April 17, 2023 | [RDS.11] RDS instances should have automatic backups enabled | RDS.11 checks whether Amazon RDS instances have automated backups enabled, with a backup retention period that's greater than or equal to seven days. Security Hub updated this control to exclude read replicas from evaluation, as not all engines support automated backups on read replicas. Additionally, RDS doesn't provide the option to specify a backup retention period when creating read replicas. Read replicas are created with a backup retention period of 0 by default. |
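The October and November 2023 entries for EC2.13, EC2.14, EC2.18 and EC2.19 all describe the same change: a managed prefix list supplied as the source of a security group rule is now resolved, and the control fails if any entry is 0.0.0.0/0 or ::/0. The Python below is an added illustration of that evaluation logic and is not Security Hub's or AWS Config's own code; the rules, prefix-list entries and prefix list IDs are constructed, and the authorized and high-risk port sets passed in are sample parameters, not the controls' defaults.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Sources the entries describe as unrestricted, whether given directly as a rule's
# CIDR or found inside a managed prefix list the rule references.
UNRESTRICTED_SOURCES = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class IngressRule:
    """One inbound security group rule. Exactly one of cidr / prefix_list_id is set."""
    protocol: str               # "tcp", "udp", or "-1" (all traffic)
    from_port: int              # ignored when protocol is "-1"
    to_port: int
    cidr: Optional[str] = None
    prefix_list_id: Optional[str] = None


def source_is_unrestricted(rule: IngressRule, prefix_lists: Dict[str, List[str]]) -> bool:
    """True when the source is 0.0.0.0/0 or ::/0, as a literal CIDR or as any entry of
    the referenced managed prefix list. This is the part the 2023 updates added."""
    if rule.cidr in UNRESTRICTED_SOURCES:
        return True
    if rule.prefix_list_id is not None:
        # Assumption: a prefix list whose entries were not resolved contributes nothing,
        # which is exactly the blind spot the pre-update controls had.
        entries = prefix_lists.get(rule.prefix_list_id, [])
        return any(entry in UNRESTRICTED_SOURCES for entry in entries)
    return False


def rule_reaches_port(rule: IngressRule, port: int) -> bool:
    """Whether the rule's port range (or an all-traffic protocol) includes the port."""
    if rule.protocol == "-1":
        return True
    return rule.from_port <= port <= rule.to_port


def evaluate_blocked_ports(rules: Iterable[IngressRule],
                           prefix_lists: Dict[str, List[str]],
                           blocked_ports: Set[int]) -> str:
    """EC2.13 / EC2.14 / EC2.19 shape: FAILED if any unrestricted rule reaches a port
    that must never be open to the world (22, 3389, or a high-risk port set)."""
    for rule in rules:
        if source_is_unrestricted(rule, prefix_lists) and any(
            rule_reaches_port(rule, p) for p in blocked_ports
        ):
            return "FAILED"
    return "PASSED"


def evaluate_authorized_ports(rules: Iterable[IngressRule],
                              prefix_lists: Dict[str, List[str]],
                              authorized_ports: Set[int]) -> str:
    """EC2.18 shape: FAILED if any unrestricted rule reaches a port outside the
    authorized set. An all-traffic rule always fails; a range fails if any port in
    it is unauthorized."""
    for rule in rules:
        if not source_is_unrestricted(rule, prefix_lists):
            continue
        if rule.protocol == "-1":
            return "FAILED"
        if any(p not in authorized_ports for p in range(rule.from_port, rule.to_port + 1)):
            return "FAILED"
    return "PASSED"


# Constructed sample data (prefix list IDs are made up). The second list hides a
# world-open entry behind an otherwise innocuous-looking list of office ranges.
SAMPLE_PREFIX_LISTS = {
    "pl-corp-offices": ["203.0.113.0/24", "198.51.100.0/24"],
    "pl-oops-anywhere": ["203.0.113.0/24", "0.0.0.0/0"],
}

SAMPLE_RULES = [
    IngressRule("tcp", 22, 22, cidr="10.0.0.0/8"),                    # private source: fine
    IngressRule("tcp", 22, 22, prefix_list_id="pl-oops-anywhere"),    # world-open via prefix list
    IngressRule("tcp", 3389, 3389, prefix_list_id="pl-corp-offices"), # restricted prefix list
    IngressRule("tcp", 443, 443, cidr="0.0.0.0/0"),                   # public HTTPS
]


def main() -> None:
    ec2_13 = evaluate_blocked_ports(SAMPLE_RULES, SAMPLE_PREFIX_LISTS, {22})
    ec2_14 = evaluate_blocked_ports(SAMPLE_RULES, SAMPLE_PREFIX_LISTS, {3389})
    ec2_18 = evaluate_authorized_ports(SAMPLE_RULES, SAMPLE_PREFIX_LISTS, {80, 443})
    # Same rules evaluated without resolving prefix lists: the pre-update blind spot.
    blind = evaluate_blocked_ports(SAMPLE_RULES, {}, {22})
    print(f"EC2.13 (port 22): {ec2_13}")
    print(f"EC2.14 (port 3389): {ec2_14}")
    print(f"EC2.18 (authorized 80,443): {ec2_18}")
    print(f"EC2.13 without prefix-list resolution: {blind}")


if __name__ == "__main__":
    main()
```

Running the evaluation once with the prefix lists resolved and once without shows why the update mattered: the same rule set passes the port 22 check when the prefix list is opaque and fails it once its entries are read.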