Document history for the AWS Security Hub User Guide

The following table describes the updates to the documentation for AWS Security Hub.

Change | Description | Date

Region expansion for cross-Region aggregation

Cross-Region aggregation is now available for findings, finding updates, and insights across AWS GovCloud (US).

August 2, 2022

New third-party product integrations

Fortinet - FortiCNP is a third-party integration that receives Security Hub findings, and JFrog is a third-party integration that sends findings to Security Hub.

July 26, 2022

EC2.27 is retired

Security Hub has retired EC2.27 - Running EC2 Instances should not use key pairs, a former control in the AWS Foundational Security Best Practices (FSBP) standard.

July 20, 2022

Lambda.2 no longer supports python3.6

Security Hub no longer supports python3.6 as a parameter for Lambda.2, a control in the AWS Foundational Security Best Practices (FSBP) standard.

July 19, 2022

AWS Security Hub adds new security controls

The following 36 new Security Hub controls are available to customers who have enabled the FSBP standard. Some controls have Regional limitations.

June 22, 2022

AWS Security Hub supports a new Region

Security Hub is now available in Asia Pacific (Jakarta). Some controls are not available in this Region.

June 7, 2022

Improved integration between AWS Security Hub and AWS Config

Security Hub users can see the results of AWS Config rule evaluations as findings in Security Hub.

June 6, 2022

Added ability to opt out of auto-enabled standards

For users who have integrated with AWS Organizations, this feature allows you to log in to the Security Hub administrator account and opt new member accounts out of auto-enabled standards.

April 25, 2022

Expanded cross-Region aggregation

Added cross-Region aggregation to control statuses and security scores.

April 20, 2022

CompanyName and ProductName are now top-level attributes

Added new top-level attributes for setting company and product names associated with custom integrations.

April 1, 2022

Added new controls to the AWS Foundational Security Best Practices standard

Added 5 new controls to the AWS Foundational Security Best Practices standard.

March 31, 2022

Added new resource details objects to ASFF

Added AwsRdsDbSecurityGroup resource type to ASFF.

March 25, 2022

Added additional resource details in ASFF

Added additional details to AwsAutoScalingAutoScalingGroup, AwsElbLoadBalancer, AwsRedshiftCluster, and AwsCodeBuildProject.

March 25, 2022

Added new controls to the AWS Foundational Security Best Practices standard

Added 15 new controls to the AWS Foundational Security Best Practices standard.

March 16, 2022

Added new controls to the AWS Foundational Security Best Practices standard and Payment Card Industry Data Security Standard (PCI DSS)

Added new controls for Amazon OpenSearch Service, Amazon RDS, Amazon EC2, Elastic Load Balancing, and CloudFront to the AWS Foundational Security Best Practices standard. Also added two new controls for OpenSearch Service to the PCI DSS.

February 15, 2022

Added new field to ASFF

Added new field: Sample.

January 26, 2022

Added integration with AWS Health

AWS Health uses service-to-service event messaging to send findings to Security Hub.

January 19, 2022

Added integration with AWS Trusted Advisor

Trusted Advisor sends the results of its checks to Security Hub as Security Hub findings. Security Hub sends the results of its AWS Foundational Security Best Practices checks to Trusted Advisor.

January 18, 2022

Updated resource details objects in ASFF

Added MixedInstancesPolicy and AvailabilityZones to AwsAutoScalingAutoScalingGroup. Added MetadataOptions to AwsAutoScalingLaunchConfiguration. Added BucketVersioningConfiguration to AwsS3Bucket.

December 20, 2021

Updated output for ASFF documentation

The descriptions of ASFF attributes were previously in a single topic. Each top-level object and each resource details object is now in its own topic. The ASFF syntax topic contains links to those topics.

December 20, 2021

Added new resource details objects to ASFF for AWS Network Firewall

For AWS Network Firewall, added the following resource details objects: AwsNetworkFirewallFirewall, AwsNetworkFirewallFirewallPolicy, and AwsNetworkFirewallRuleGroup.

December 20, 2021

Added support for the new version of Amazon Inspector

Security Hub is integrated with the new version of Amazon Inspector as well as with Amazon Inspector Classic. Amazon Inspector sends findings to Security Hub.

November 29, 2021

Changed the severity of EC2.19

The severity of EC2.19 (Security groups should not allow unrestricted access to ports with high risk) is changed from High to Critical.

November 17, 2021

New integration with Sonrai Dig

Security Hub now offers an integration with Sonrai Dig. Sonrai Dig monitors cloud environments to identify security risks. Sonrai Dig sends findings to Security Hub.

November 12, 2021

Updated check for CIS 2.1 and CloudTrail.1 controls

In addition to checking that at least one multi-Region CloudTrail trail is in place, CIS 2.1 and CloudTrail.1 now also check that the ExcludeManagementEventSources parameter is empty in at least one of the multi-Region CloudTrail trails.

November 9, 2021

Added support for VPC endpoints

Security Hub is now integrated with AWS PrivateLink and supports VPC endpoints.

November 3, 2021

Added controls to the AWS Foundational Security Best Practices standard

Added new controls for Elastic Load Balancing (ELB.2 and ELB.8) and AWS Systems Manager (SSM.4).

November 2, 2021

Added ports to the check for the EC2.19 control

EC2.19 now also checks that security groups do not allow unrestricted ingress access to the following ports: 3000 (Go, Node.js, and Ruby web development frameworks), 5000 (Python web development frameworks), 8088 (legacy HTTP port), and 8888 (alternative HTTP port).

October 27, 2021

Added the integration with Logz.io Cloud SIEM

Logz.io is a provider of Cloud SIEM that provides advanced correlation of log and event data to help security teams to detect, analyze, and respond to security threats in real time. Logz.io receives findings from Security Hub.

October 25, 2021

Added support for cross-Region aggregation of findings

Cross-Region aggregation allows you to view all of your findings without having to change Regions. Administrator accounts choose an aggregation Region and linked Regions. Findings for the administrator account and its member accounts are aggregated from the linked Regions to the aggregation Region.

October 20, 2021

Updated resource details objects in ASFF

Added viewer certificate details to AwsCloudFrontDistribution. Added additional details to AwsCodeBuildProject. Added load balancer attributes to AwsElbV2LoadBalancer. Added the S3 bucket owner account identifier to AwsS3Bucket.

October 8, 2021

Added new resource details objects to ASFF

Added the following new resource details objects to ASFF: AwsEc2VpcEndpointService, AwsEcrRepository, AwsEksCluster, AwsOpenSearchServiceDomain, AwsWafRateBasedRule, AwsWafRegionalRateBasedRule, and AwsXrayEncryptionConfig.

October 8, 2021

Removed deprecated runtime from the Lambda.2 control

In the AWS Foundational Security Best Practices standard, removed the dotnetcore2.1 runtime from [Lambda.2] Lambda functions should use supported runtimes.

October 6, 2021

New name for Check Point integration

The integration with Check Point Dome9 Arc is now Check Point CloudGuard Posture Management. The integration ARN did not change.

October 1, 2021

Removed the integration with Alcide

The integration with Alcide kAudit is discontinued.

September 30, 2021

Changed the severity of EC2.19

The severity of [EC2.19] Security groups should not allow unrestricted access to ports with high risk is changed from Medium to High.

September 30, 2021

Integration with AWS Organizations is now supported in the China Regions

The Security Hub integration with Organizations is now supported in China (Beijing) and China (Ningxia).

September 20, 2021

New AWS Config rule for the S3.1 and PCI.S3.6 controls

Both S3.1 and PCI.S3.6 verify that the Amazon S3 Block Public Access setting is enabled. The AWS Config rule for these controls is changed from s3-account-level-public-access-blocks to s3-account-level-public-access-blocks-periodic.

September 14, 2021

Removed deprecated runtimes from the Lambda.2 control

In the AWS Foundational Security Best Practices standard, removed the nodejs10.x and ruby2.5 runtimes from [Lambda.2] Lambda functions should use supported runtimes.

September 13, 2021

Changed the severity of the CIS 2.2 control

In the CIS AWS Foundations Benchmark standard, the severity for 2.2. – Ensure CloudTrail log file validation is enabled is changed from Low to Medium.

September 13, 2021

Updated ECS.1, Lambda.2, and SSM.1 in the AWS Foundational Security Best Practices standard

In the AWS Foundational Security Best Practices standard, ECS.1 now has a SkipInactiveTaskDefinitions parameter that is set to true. This ensures that the control only checks active task definitions. For Lambda.2, added Python 3.9 to the list of runtimes. SSM.1 now checks both stopped and running instances.

September 7, 2021

PCI.Lambda.2 control now excludes Lambda@Edge resources

In the Payment Card Industry Data Security Standard (PCI DSS) standard, the PCI.Lambda.2 control now excludes Lambda@Edge resources.

September 7, 2021

Added the integration with HackerOne Vulnerability Intelligence

Security Hub now offers an integration with HackerOne Vulnerability Intelligence. The integration sends findings to Security Hub.

September 7, 2021

Updated resource details objects in ASFF

For AwsKmsKey, added KeyRotationStatus. For AwsS3Bucket, added AccessControlList, BucketLoggingConfiguration, BucketNotificationConfiguration, and BucketWebsiteConfiguration.

September 2, 2021

Added new resource details objects to ASFF

Added the following new resource details objects to ASFF: AwsAutoScalingLaunchConfiguration, AwsEc2VpnConnection, and AwsEcrContainerImage.

September 2, 2021

Added details to the Vulnerabilities object in ASFF

In Cvss, added Adjustments and Source. In VulnerablePackages, added the file path and package manager.

September 2, 2021

Systems Manager Explorer and OpsCenter integration now supported in the China Regions

The Security Hub integration with SSM Explorer and OpsCenter is now supported in China (Beijing) and China (Ningxia).

August 31, 2021

Retiring the Lambda.4 control

Security Hub is retiring the control [Lambda.4] Lambda functions should have a dead-letter queue configured. When a control is retired, it no longer displays on the console, and Security Hub does not perform checks against it.

August 31, 2021

Retiring the PCI.EC2.3 control

Security Hub is retiring the control [PCI.EC2.3] Unused EC2 security groups should be removed. When a control is retired, it no longer displays on the console, and Security Hub does not perform checks against it.

August 27, 2021

Change to how Security Hub sends findings to custom actions

When you send findings to a custom action, Security Hub now sends each finding in a separate Security Hub Findings - Custom Action event.

August 20, 2021

Added a new compliance status reason code for custom Lambda runtimes

Added a new LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE compliance status reason code. This reason code indicates that Security Hub could not perform a check against a custom Lambda runtime.

August 20, 2021

AWS Firewall Manager integration now supported in the China Regions

The Security Hub integration with Firewall Manager is now supported in China (Beijing) and China (Ningxia).

August 19, 2021

New integrations with Caveonix Cloud and Forcepoint Cloud Security Gateway

Security Hub now offers integrations with Caveonix Cloud and Forcepoint Cloud Security Gateway. Both integrations send findings to Security Hub.

August 10, 2021

Added new CompanyName, ProductName, and Region attributes to ASFF

Added CompanyName, ProductName, and Region fields to the top level of the ASFF. These fields are populated automatically and, except for custom product integrations, cannot be updated using BatchImportFindings or BatchUpdateFindings. On the console, finding filters use these new fields. In the API, the CompanyName and ProductName filters use the attributes that are under ProductFields.

July 23, 2021

Added and updated resource details objects in ASFF

Added a new AwsRdsEventSubscription resource type and resource details. Added resource details for the AwsEcsService resource type. Added attributes to the AwsElasticsearchDomain resource details object.

July 23, 2021

Added controls to the AWS Foundational Security Best Practices standard

Added new controls for Amazon API Gateway (APIGateway.5), Amazon EC2 (EC2.19), Amazon ECS (ECS.2), Elastic Load Balancing (ELB.7), Amazon OpenSearch Service (ES.5 through ES.8), Amazon RDS (RDS.16 through RDS.23), Amazon Redshift (Redshift.4), and Amazon SQS (SQS.1).

July 20, 2021

Moved a permission within the service-linked role managed policy

Moved the config:PutEvaluations permission within the managed policy AWSSecurityHubServiceRolePolicy, so that it is applied to all resources.

July 14, 2021

Added controls to the AWS Foundational Security Best Practices standard

Added new controls for Amazon API Gateway (APIGateway.4), Amazon CloudFront (CloudFront.5 and CloudFront.6), Amazon EC2 (EC2.17 and EC2.18), Amazon ECS (ECS.1), Amazon OpenSearch Service (ES.4), AWS Identity and Access Management (IAM.21), Amazon RDS (RDS.15), and Amazon S3 (S3.8).

July 8, 2021

Added new compliance status reason codes for control findings

INTERNAL_SERVICE_ERROR indicates that an unknown error occurred. SNS_TOPIC_CROSS_ACCOUNT indicates that the SNS topic is owned by a different account. SNS_TOPIC_INVALID indicates that the associated SNS topic is invalid.

July 6, 2021

Added the integration with AWS Chatbot

Added the integration with AWS Chatbot. Security Hub sends findings to AWS Chatbot.

June 30, 2021

Added a new permission to the service-linked role managed policy

Added a new permission to the managed policy AWSSecurityHubServiceRolePolicy to allow the service-linked role to deliver evaluation results to AWS Config.

June 29, 2021

New and updated resource details objects in the ASFF

Added new resource details objects for ECS clusters and ECS task definitions. Updated the EC2 instance object to list the associated network interfaces. Added the client certificate ID for the API Gateway V2 stages. Added the lifecycle configuration for S3 buckets.

June 24, 2021

Updated the calculation of aggregated control statuses and standard security scores

Security Hub now calculates the overall control status and standard security score every 24 hours. For administrator accounts, the score now reflects whether each control is enabled or disabled for each account.

June 23, 2021

Updated information about Security Hub handling of suspended accounts

Added information on how Security Hub handles accounts that are suspended in AWS.

June 23, 2021

Added tabs to display the enabled and disabled controls for the individual administrator account

For the administrator account, the main tabs on the standard details page contain aggregated information across accounts. The new Enabled for this account and Disabled for this account tabs list the accounts that are enabled or disabled for the individual administrator account.

June 23, 2021

Added java8.al2 to the parameters for Lambda.2

In the AWS Foundational Security Best Practices standard, added java8.al2 to the supported runtimes for the Lambda.2 control.

June 8, 2021

New integrations with MicroFocus ArcSight and NETSCOUT Cyber Investigator

Added integrations with MicroFocus ArcSight and NETSCOUT Cyber Investigator. MicroFocus ArcSight receives findings from Security Hub. NETSCOUT Cyber Investigator sends findings to Security Hub.

June 7, 2021

Added details for AWSSecurityHubServiceRolePolicy

Updated the managed policies section to add details for the existing managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub service-linked role.

June 4, 2021

New integration with Jira Service Management

The AWS Service Management Connector for Jira sends findings to Jira and uses them to create Jira issues. When the Jira issues are updated, the corresponding findings in Security Hub also are updated.

May 26, 2021

Updated the supported controls list for the Asia Pacific (Osaka) Region

Updated the CIS AWS Foundations standard and the Payment Card Industry Data Security Standard (PCI DSS) to indicate the controls that are not supported in Asia Pacific (Osaka).

May 21, 2021

New integration with Sysdig Secure for cloud

Added an integration with Sysdig Secure for cloud. The integration sends findings to Security Hub.

May 14, 2021

Added controls to the AWS Foundational Security Best Practices standard

Added new controls for Amazon API Gateway (APIGateway.2 and APIGateway.3), AWS CloudTrail (CloudTrail.4 and CloudTrail.5), Amazon EC2 (EC2.15 and EC2.16), AWS Elastic Beanstalk (ElasticBeanstalk.1 and ElasticBeanstalk.2), AWS Lambda (Lambda.4), Amazon RDS (RDS.12 – RDS.14), Amazon Redshift (Redshift.7), AWS Secrets Manager (SecretsManager.3 and SecretsManager.4), and AWS WAF (WAF.1).

May 10, 2021

Updates to GuardDuty and Amazon RDS controls

Changed the severity of GuardDuty.1 and PCI.GuardDuty.1 from Medium to High. Added a databaseEngines parameter to RDS.8.

May 4, 2021

Added new resource details to the ASFF

In Resources.Details, added new resource details objects for Amazon EC2 network ACLs, Amazon EC2 subnets, and AWS Elastic Beanstalk environments.

May 3, 2021

Added console fields to provide filter values for Amazon EventBridge rules

The new predefined filter patterns for Security Hub EventBridge rules provide console fields that you can use to specify filter values.

April 30, 2021

Added the integration with AWS Systems Manager Explorer and OpsCenter

Security Hub now supports an integration with Systems Manager Explorer and OpsCenter. The integration receives findings from Security Hub and updates those findings in Security Hub.

April 26, 2021

New type for product integrations

A new integration type, UPDATE_FINDINGS_IN_SECURITY_HUB, indicates that a product integration updates findings that it receives from Security Hub.

April 22, 2021

Changed "master account" to "administrator account"

The term "master account" is changed to "administrator account." The term is also changed in the Security Hub console and API.

April 22, 2021

Updated APIGateway.1 to replace HTTP with Websocket

Updated the title, description, and remediation for APIGateway.1. The control now checks for Websocket API execution logging instead of for HTTP API execution logging.

April 9, 2021

Amazon GuardDuty integration now supported in Beijing and Ningxia

The Security Hub integration with GuardDuty is now supported in the China (Beijing) and China (Ningxia) Regions.

April 5, 2021

Added nodejs14.x to the supported runtimes for Lambda.2 control

The Lambda.2 control in the Foundational Security Best Practices standard now supports the nodejs14.x runtime.

March 30, 2021

Security Hub launched in Asia Pacific (Osaka)

Security Hub is now available in the Asia Pacific (Osaka) Region.

March 29, 2021

Added finding provider fields to finding details

On the finding details panel, the new Finding Provider Fields section contains the finding provider values for confidence, criticality, related findings, severity, and types.

March 24, 2021

Added option to receive sensitive findings from Amazon Macie

The integration with Macie can now be configured to send sensitive findings to Security Hub.

March 23, 2021

Added information on making the transition to using AWS Organizations for account management

For customers who have an existing master account with member accounts, added new information on how to change from managing accounts by invitation to managing accounts using Organizations.

March 22, 2021

New objects in ASFF for information about Amazon S3 Public Access Block configuration

In Resources, a new AwsS3AccountPublicAccessBlock resource type and details object provides information about the Amazon S3 Public Access Block configuration for accounts. In the AwsS3Bucket resource details object, the PublicAccessBlockConfiguration object provides the Public Access Block configuration for the S3 bucket.

March 18, 2021

New object in ASFF to allow finding providers to update specific fields

The new FindingProviderFields object in ASFF is used in BatchImportFindings to provide values for Confidence, Criticality, RelatedFindings, Severity, and Types. The original fields should only be updated using BatchUpdateFindings.

March 18, 2021

New DataClassification object for resources in ASFF

The new Resources.DataClassification object in ASFF is used to provide information about sensitive data that was detected on the resource.

March 18, 2021

Added CONFIG_RETURNS_NOT_APPLICABLE value to the available compliance status codes

For the NOT_AVAILABLE compliance status, removed the reason code RESOURCE_NO_LONGER_EXISTS and added the reason code CONFIG_RETURNS_NOT_APPLICABLE.

March 16, 2021

New managed policy for integration with AWS Organizations

A new managed policy, AWSSecurityHubOrganizationsAccess, provides the Organizations permissions that are needed by the organization management account and the delegated Security Hub administrator account.

March 15, 2021

Managed policy and service-linked role information moved to the Security chapter

The information on managed policies is revised and expanded. Both the managed policy information and the information on service-linked roles have moved to the Security chapter.

March 15, 2021

New integration with SecureCloudDB

Added SecureCloudDB to the list of third-party integrations. SecureCloudDB is a cloud native database security tool that provides comprehensive visibility of internal and external security postures and activity. SecureCloudDB sends findings to Security Hub.

March 4, 2021

Revised severity for CIS 1.1 and CIS 3.1 – CIS 3.14 controls

The severity of the CIS 1.1 and CIS 3.1 – CIS 3.14 controls is changed to Low.

March 3, 2021

Removed the RDS.11 control

Removed the RDS.11 control from the Foundational Security Best Practices standard.

March 3, 2021

Updated integration for Turbot

The Turbot integration is updated to both send and receive findings.

February 26, 2021

Added controls to the Foundational Security Best Practices standard

Added new controls for Amazon API Gateway (APIGateway.1), Amazon EC2 (EC2.9 and EC2.10), Amazon Elastic File System (EFS.2), Amazon OpenSearch Service (ES.2 and ES.3), Elastic Load Balancing (ELB.6), and AWS Key Management Service (AWS KMS) (KMS.3).

February 11, 2021

Added optional ProductArn filter to the DescribeProducts API

The DescribeProducts API operation now includes an optional ProductArn parameter. The ProductArn parameter is used to identify the specific product integration to return details for.

February 3, 2021

New integration with Antivirus for Amazon S3 from Cloud Storage Security

The integration with Antivirus for Amazon S3 sends the virus scan results to Security Hub as findings.

January 27, 2021

Updated the security score calculation process for master accounts

For a master account, Security Hub uses a separate process to calculate the security score. The new process ensures that the score includes controls that are enabled for member accounts but disabled for the master account.

January 21, 2021

New fields and objects in the ASFF

Added a new Action object to track actions that occurred against a resource. Added fields to the AwsEc2NetworkInterface object to track DNS names and IP addresses. Added a new AwsSsmPatchCompliance object to the resource details.

January 21, 2021

Added controls to the Foundational Security Best Practices standard

Added new controls for Amazon CloudFront (CloudFront.1 through CloudFront.4), Amazon DynamoDB (DynamoDB.1 through DynamoDB.3), Elastic Load Balancing (ELB.3 through ELB.5), Amazon RDS (RDS.9 through RDS.11), Amazon Redshift (Redshift.1 through Redshift.3 and Redshift.6), and Amazon SNS (SNS.1).

January 15, 2021

Workflow status is reset based on the record state or compliance status

Security Hub automatically resets the workflow status from NOTIFIED or RESOLVED to NEW if an archived finding is made active, or if the compliance status of a finding changes from PASSED to either FAILED, WARNING, or NOT_AVAILABLE. These changes indicate that additional investigation is required.

January 7, 2021

Added ProductFields information for control-based findings

For findings that are generated from controls, added information about the content of the ProductFields object in the AWS Security Finding Format (ASFF).

December 29, 2020

Updates to managed insights

Changed the title of insight 5. Added a new insight 32 that checks for IAM users with suspicious activity.

December 22, 2020

Updates to IAM.7 and Lambda.1 controls

In the AWS Foundational Security Best Practices standard, updated the parameters for IAM.7. Updated the title and description of Lambda.1.

December 22, 2020

Expanded integration with ServiceNow ITSM

The ServiceNow ITSM integration allows users to automatically create incidents or problems when a Security Hub finding is received. Updates to these incidents or problems result in updates to the findings in Security Hub.

December 11, 2020

New integration with AWS Audit Manager

Security Hub now offers an integration with AWS Audit Manager. The integration allows Audit Manager to receive control-based findings from Security Hub.

December 8, 2020

New integration with Aqua Security Kube-bench

Security Hub added an integration with Aqua Security Kube-bench. The integration sends findings to Security Hub.

November 24, 2020

Cloud Custodian is now available in the China Regions

The integration with Cloud Custodian is now available in the China (Beijing) and China (Ningxia) Regions.

November 24, 2020

BatchImportFindings can now be used to update additional fields

Previously, you could not use BatchImportFindings to update the Confidence, Criticality, RelatedFindings, Severity, and Types fields. Now, if these fields have not been updated by BatchUpdateFindings, they can be updated by BatchImportFindings. Once they are updated by BatchUpdateFindings, they cannot be updated by BatchImportFindings.

November 24, 2020

Security Hub is now integrated with AWS Organizations

Customers can now manage member accounts using their Organizations account configuration. The organization management account designates the Security Hub administrator account, who determines which organization accounts to enable in Security Hub. The manual invitation process can still be used for accounts that are not part of an organization.

November 23, 2020

Removed the separate finding list format for high-volume controls

The finding list for a control no longer uses the Findings page format when there is a very large number of findings.

November 19, 2020

New and updated third-party integrations

Security Hub now supports integrations with cloudtamer.io, 3CORESec, Prowler, and StackRox Kubernetes Security. IBM QRadar no longer sends findings. It only receives findings.

October 30, 2020

Added option to download the list of findings from the control details page.

On the control details page, a new Download option allows you to download the finding list to a .csv file. The downloaded list respects any filters that are on the list. If you selected specific findings, then the downloaded list only includes those findings.

October 26, 2020

Added option to download the list of controls from the standard details page.

On the standard details page, a new Download option allows you to download the control list to a .csv file. The downloaded list respects any filters that are on the list. If you selected a specific control, then the downloaded list only includes that control.

October 26, 2020

New and updated partner integrations

Security Hub is now integrated with ThreatModeler. Updated the following partner integrations to reflect their new product names. Twistlock Enterprise Edition is now Palo Alto Networks - Prisma Cloud Compute. Also from Palo Alto Networks, Demisto is now Cortex XSOAR and Redlock is now Prisma Cloud Enterprise.

October 23, 2020

Security Hub launched in China (Beijing) and China (Ningxia)

Security Hub is now available in the China (Beijing) and China (Ningxia) Regions.

October 21, 2020

Revised format for ASFF attributes and third-party integrations

The lists of ASFF attributes and partner integrations now use a list-based format instead of tables. The ASFF syntax, attributes, and types taxonomy are now in separate topics.

October 15, 2020

Redesigned standard details page

The standard details page for an enabled standard now displays a tabbed list of controls. The tabs filter the control list based on the control status.

October 7, 2020

Replaced CloudWatch Events with EventBridge

Replaced references to Amazon CloudWatch Events with Amazon EventBridge.

October 1, 2020

New integrations with Blue Hexagon for AWS, Alcide kAudit, and Palo Alto Networks VM-Series.

Security Hub is now integrated with Blue Hexagon for AWS, Alcide kAudit, and Palo Alto Networks VM-Series. Blue Hexagon for AWS and kAudit send findings to Security Hub. VM-Series receives findings from Security Hub.

September 30, 2020

New and updated resource details objects in ASFF

Added new Resources.Details objects for AwsApiGatewayRestApi, AwsApiGatewayStage, AwsApiGatewayV2Api, AwsApiGatewayV2Stage, AwsCertificateManagerCertificate, AwsElbLoadBalancer, AwsIamGroup, and AwsRedshiftCluster. Added details to the AwsCloudFrontDistribution, AwsIamRole and AwsIamAccessKey objects.

September 30, 2020

New ResourceRole attribute for resources in ASFF to track whether a resource is an actor or a target.

The ResourceRole attribute for resources indicates whether the resource is the target of the finding activity or the perpetrator of the finding activity. The valid values are ACTOR and TARGET.

September 30, 2020

Added AWS Systems Manager Patch Manager to available AWS service integrations

AWS Systems Manager Patch Manager is now integrated with Security Hub. Patch Manager sends findings to Security Hub when instances in a customer's fleet go out of compliance with their patch compliance standard.

September 22, 2020

Added new controls to the Foundational Security Best Practices standard

Added new controls for the following services: Amazon EC2 (EC2.7 and EC2.8), Amazon EMR (EMR.1), IAM (IAM.8), Amazon RDS (RDS.4 through RDS.8), Amazon S3 (S3.6), and AWS Secrets Manager (SecretsManager.1 and SecretsManager.2).

September 15, 2020

New context keys for IAM policy to control access to BatchUpdateFindings fields

IAM policies can now be configured to restrict access to fields and field values when using BatchUpdateFindings.

September 10, 2020

Expanded access to BatchUpdateFindings for member accounts

By default, member accounts now have the same access to BatchUpdateFindings as master accounts.

September 10, 2020

New controls for AWS KMS in the Foundational Security Best Practices Standard

Added two new controls (KMS.1 and KMS.2) to the Foundational Security Best Practices Standard. The new controls check whether IAM policies restrict access to AWS KMS decryption actions.

September 9, 2020

Removed account-level findings for controls

Security Hub no longer generates account-level findings for a control. Only resource-level findings are generated.

September 1, 2020

New PatchSummary object in ASFF

Added the PatchSummary object to the ASFF. The PatchSummary object provides information about the patch compliance of a resource relative to a selected compliance standard.

September 1, 2020

Redesigned control details page

The details page for controls is redesigned. The control finding list provides tabs to allow you to quickly filter the list based on the compliance status. You can also quickly see suppressed findings. Each entry provides access to additional details about the finding resource, AWS Config rule, and finding notes.

August 28, 2020

New filter options for findings

For finding filters, you can use the is not filter to find findings for which a field value is not equal to the filter value. You can use the does not start with filter to find findings for which a field value does not start with the specified filter value.

August 28, 2020

New resource details objects in ASFF

Added new Resources.Details objects for the following resource types: AwsDynamoDbTable, AwsEc2Eip, AwsIamPolicy, AwsIamUser, AwsRdsDbCluster, AwsRdsDbClusterSnapshot, AwsRdsDbSnapshot, and AwsSecretsManagerSecret.

August 18, 2020

New integration with RSA Archer

Security Hub is now integrated with RSA Archer. RSA Archer receives findings from Security Hub.

August 18, 2020

New Description field for AwsKmsKey

Added a Description field to the AwsKmsKey object under Resources.Details.

August 18, 2020

Added fields to AwsRdsDbInstance

Added several attributes to the AwsRdsDbInstance object under Resources.Details.

August 18, 2020

Updated how Security Hub determines the overall status of a control

For controls that have no findings, the status is No data instead of Unknown. The control status includes both account-level and resource-level findings. The control status does not use the workflow status of findings, except to ignore suppressed findings.

August 13, 2020

Updated how Security Hub calculates the security score for a standard

When calculating the security score for a standard, Security Hub now ignores controls with a status of No Data. The security score is the proportion of passed controls to enabled controls, excluding controls with no data.

August 13, 2020

New option to automatically enable new controls in enabled standards

Added a Settings option to automatically enable new controls in standards that are enabled. You can also use the UpdateSecurityHubConfiguration API operation to configure this option.

July 31, 2020

New controls for the Payment Card Industry Data Security Standard (PCI DSS) standard

Added new controls to the PCI DSS standard. The identifiers of the new controls are PCI.DMS.1, PCI.EC2.5, PCI.EC2.6, PCI.ELBV2.1, PCI.GuardDuty.1, PCI.IAM.7, PCI.IAM.8, PCI.S3.5, PCI.S3.6, PCI.SageMaker.1, PCI.SSM.2, and PCI.SSM.3.

July 29, 2020

New and updated controls for the Foundational Security Best Practices standard

Added new controls to the Foundational Security Best Practices standard. The identifiers of the new controls are AutoScaling.1, DMS.1, EC2.4, EC2.6, S3.5, and SSM.3. Updated the title of ACM.1 and changed the value of the daysToExpiration parameter to 30.

July 29, 2020

New Vulnerabilities object in the ASFF

Added the Vulnerabilities object, which provides information about vulnerabilities that are associated with the finding.

July 1, 2020

New Resources.Details objects in the ASFF for Auto Scaling groups, EC2 volumes, and EC2 VPCs

Added the AwsAutoScalingAutoScalingGroup, AwsEc2Volume, and AwsEc2Vpc objects to Resources.Details.

July 1, 2020

New NetworkPath object in the ASFF

Added the NetworkPath object, which provides information about a network path that is related to the finding.

July 1, 2020

Automatically resolve findings when Compliance.Status is PASSED

For findings from controls, if Compliance.Status is PASSED, then Security Hub automatically sets Workflow.Status to RESOLVED.

June 24, 2020

AWS Command Line Interface examples

Added AWS CLI syntax and examples for several Security Hub tasks. Includes enabling Security Hub, managing insights, managing standards and controls, managing product integrations, and disabling Security Hub.

June 24, 2020

New Severity.Original attribute in the ASFF

Added the Severity.Original attribute, which is the original severity from the finding provider. This replaces the deprecated Severity.Product attribute.

May 20, 2020

New Compliance.StatusReasons object in the ASFF for details about a control's status

Added the Compliance.StatusReasons object, which provides additional context for the current status of a control.

May 20, 2020

New AWS Foundational Security Best Practices standard

Added the new AWS Foundational Security Best Practices standard, which is a set of controls that detect when your deployed accounts and resources deviate from security best practices.

April 22, 2020

New console option to update the workflow status for a finding

Added information for using the Security Hub console or API to set the workflow status for findings.

April 16, 2020

New BatchUpdateFindings API for customer updates to findings

Added information on using BatchUpdateFindings to update information related to the process of investigating a finding. BatchUpdateFindings replaces UpdateFindings, which is deprecated.

April 16, 2020

Updates to the AWS Security Finding Format (ASFF)

Added several new resource types. Added a new Label attribute to the Severity object. Label is intended to replace the Normalized field. Added a new Workflow object to track the process of an investigation into a finding. Workflow contains a Status attribute, which replaces the existing WorkflowState attribute.

March 12, 2020

Updates to the Integrations page

Updated to reflect the changes to the Integrations page. For each integration, the page now shows the integration category and whether each integration sends findings to or receives findings from Security Hub. It also provides the specific steps required to enable each integration.

February 26, 2020

New third-party product integrations

Added the following new product integrations: Cloud Custodian, FireEye Helix, Forcepoint CASB, Forcepoint DLP, Forcepoint NGFW, Rackspace Cloud Native Security, and Vectra.ai Cognito Detect.

February 21, 2020

New security standard for the Payment Card Industry Data Security Standard (PCI DSS)

Added the Security Hub security standard for the Payment Card Industry Data Security Standard (PCI DSS). When this standard is enabled, Security Hub performs automated checks against controls related to PCI DSS requirements.

February 13, 2020

Updates to the AWS Security Finding Format (ASFF)

Added a field for related requirements for standards controls. Added new resource types and new resource details. The ASFF also now allows you to provide up to 32 resources.

February 5, 2020

New option to disable individual security standard controls

Added information on how to control whether each individual security standard control is enabled.

January 15, 2020

Updates to Terminology and Concepts

Updated some descriptions and added new terms to Terminology and Concepts.

September 21, 2019

AWS Security Hub general availability release

Content updates to reflect improvements made to Security Hub during the preview period.

June 25, 2019

Added remediation steps for CIS AWS Foundations checks

Added remediation steps to Security Standards Supported in AWS Security Hub.

April 15, 2019

Preview release of AWS Security Hub

Published the preview release version of the AWS Security Hub User Guide.

November 18, 2018