Document history for the Amazon Security Hub User Guide

The following table describes the updates to the documentation for Amazon Security Hub.

Note

For security control releases, the date specified is the date when the controls are available in all accounts and Regions. It can take 1-2 weeks for controls to reach all accounts and Regions.

Change	Description	Date
Select controls available in more Regions	The following controls are now available in additional Amazon Web Services Regions, including US East (N. Virginia) and US East (Ohio). [DataFirehose.1] Firehose delivery streams should be encrypted at rest [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled [DMS.12] DMS endpoints for Redis should have TLS enabled [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit [EFS.6] EFS mount targets should not be associated with a public subnet [EKS.3] EKS clusters should use encrypted Kubernetes secrets [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins [SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1 [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection	July 15, 2024
New security controls	The following new Security Hub controls are available: [GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled [GuardDuty.6] GuardDuty Lambda Protection should be enabled [GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled [GuardDuty.9] GuardDuty RDS Protection should be enabled [GuardDuty.10] GuardDuty S3 Protection should be enabled [Inspector.1] Amazon Inspector EC2 scanning should be enabled [Inspector.2] Amazon Inspector ECR scanning should be enabled [Inspector.3] Amazon Inspector Lambda code scanning should be enabled [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled	July 11, 2024
Release of CIS Amazon Foundations Benchmark v3.0.0	Security Hub released Center for Internet Security (CIS) Amazon Foundations Benchmark v3.0.0. The release includes the following new controls, as well as mappings to several existing controls. [EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports [EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached [IAM.28] IAM Access Analyzer external access analyzer should be enabled [S3.22] S3 general purpose buckets should log object-level write events [S3.23] S3 general purpose buckets should log object-level read events	May 13, 2024
New security controls	The following new Security Hub controls are available: [DataFirehose.1] Firehose delivery streams should be encrypted at rest [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled [DMS.12] DMS endpoints for Redis should have TLS enabled [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit [EFS.6] EFS mount targets should not be associated with a public subnet [EKS.3] EKS clusters should use encrypted Kubernetes secrets [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins [SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1 [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection	May 3, 2024
Amazon Resource Tagging Standard	The Amazon Resource Tagging Standard from Security Hub is now generally available, along with new controls that apply to the standard.	April 30, 2024
Update to existing managed policy	Security Hub updated the Amazon managed policy named `AmazonSecurityHubFullAccess` to get pricing details for Amazon Web Services and products.	April 24, 2024
In-context configuration of control parameters	If you use central configuration, you can now configure control parameters in context, from the details page of a control on the Security Hub console.	March 29, 2024
Update to existing managed policy	Security Hub updated the Amazon managed policy named `AWSSecurityHubReadOnlyAccess` by adding a `Sid` field.	February 22, 2024
New security control	The control [Macie.2] Macie automated sensitive data discovery should be enabled is now available. For Regional limits on this control, see Availability of controls by Region.	February 19, 2024
Security Hub available in Canada West (Calgary)	Security Hub is now available in Canada West (Calgary). All Security Hub features are now available in this Region, with the exception of certain security controls. For more information, see Availability of controls by Region.	December 20, 2023
New security controls	The following new Security Hub controls are available: [Backup.1] Amazon Backup recovery points should be encrypted at rest [DynamoDB.6] DynamoDB tables should have deletion protection enabled [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled [EKS.8] EKS clusters should have audit logging enabled [EMR.2] Amazon EMR block public access setting should be enabled [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes [Macie.1] Amazon Macie should be enabled [MSK.2] MSK clusters should have enhanced monitoring configured [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones [NetworkFirewall.2] Network Firewall logging should be enabled [Opensearch.10] OpenSearch domains should have the latest software update installed [PCA.1] Amazon Private CA root certificate authority should be disabled [S3.19] S3 access points should have block public access settings enabled [S3.20] S3 general purpose buckets should have MFA delete enabled	December 14, 2023
Finding enrichment	Security Hub added the new finding fields `AwsAccountName`, `ApplicationArn`, and `ApplicationName` to the Amazon Security Finding Format (ASFF).	November 27, 2023
Enhancements to Summary dashboard	You can now access more dashboard widgets on the Summary page of the Security Hub console, save dashboard filter sets to quickly focus on specific security issues, and customize the dashboard layout.	November 27, 2023
Central configuration	Central configuration is now available. With central configuration, the Security Hub delegated administrator can configure Security Hub, standards, and controls across multiple organization accounts, organizational units (OUs), and Regions.	November 27, 2023
Updates to managed policy	Security Hub added new permissions to the `AWSSecurityHubServiceRolePolicy` managed policy that allow Security Hub to read and update customizable security control properties.	November 26, 2023
Custom control parameters	You can now customize parameter values for select Security Hub controls. This can make findings for a specific control more relevant to your business requirements and security expectations.	November 26, 2023
Updates to managed policies	Security Hub updated the `AWSSecurityHubFullAccess` and `AWSSecurityHubOrganizationsAccess` managed policies that permit you to use, respectively, Security Hub features and the integration with Amazon Organizations.	November 16, 2023
Existing security controls added to Service-Managed Standard: Amazon Control Tower	The following existing Security Hub controls have been added to Service-Managed Standard: Amazon Control Tower. ACM.2 AppSync.5 CloudTrail.6 DMS.9 DocumentDB.3 DynamoDB.3 EC2.23 EKS.1 ElastiCache.3 ElastiCache.4 ElastiCache.5 ElastiCache.6 EventBridge.3 KMS.4 Lambda.3 MQ.5 MQ.6 MSK.1 RDS.12 RDS.15 S3.17	November 14, 2023
Updates to managed policy	Security Hub added a new tagging permission to the `AWSSecurityHubServiceRolePolicy` managed policy that allows Security Hub to read resource tags related to findings.	November 7, 2023
New security controls	The following new Security Hub controls are available: [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys [DMS.6] DMS replication instances should have automatic minor version upgrade enabled [DMS.7] DMS replication tasks for the target database should have logging enabled [DMS.8] DMS replication tasks for the source database should have logging enabled [DMS.9] DMS endpoints should use SSL [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled [ECS.9] ECS task definitions should have a logging configuration [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached [EventBridge.4] EventBridge global endpoints should have event replication enabled [MSK.1] MSK clusters should be encrypted in transit among broker nodes [MQ.5] ActiveMQ brokers should use active/standby deployment mode [MQ.6] RabbitMQ brokers should use cluster deployment mode [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled [Route53.2] Route 53 public hosted zones should log DNS queries [WAF.12] Amazon WAF rules should have CloudWatch metrics enabled	October 10, 2023
Updates to managed policy	Security Hub added new Organizations actions to the `AWSSecurityHubServiceRolePolicy` managed policy that allow Security Hub to retrieve account and organizational unit (OU) information. We also added new Security Hub actions that allow Security Hub to read and update service configurations, including standards and controls.	September 27, 2023
Existing security controls added to Service-Managed Standard: Amazon Control Tower	The following existing Security Hub controls have been added to Service-Managed Standard: Amazon Control Tower. [Athena.1] Athena workgroups should be encrypted at rest [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period [Neptune.1] Neptune DB clusters should be encrypted at rest [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs [Neptune.3] Neptune DB cluster snapshots should not be public [Neptune.4] Neptune DB clusters should have deletion protection enabled [Neptune.5] Neptune DB clusters should have automated backups enabled [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest [Neptune.7] Neptune DB clusters should have IAM database authentication enabled [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots [RDS.27] RDS DB clusters should be encrypted at rest	September 26, 2023
Consolidated controls view and consolidated control findings available in Amazon GovCloud (US)	Consolidated controls view and consolidated control findings are now available in the Amazon GovCloud (US) Region. The Controls page of the Security Hub console shows all your controls across standards. Each control has the same control ID across standards. When you turn on consolidated control findings, you receive a single finding per security check even when a control applies to multiple enabled standards.	September 6, 2023
Consolidated controls view and consolidated control findings available in China Regions	Consolidated controls view and consolidated control findings are now available in the China Regions. The Controls page of the Security Hub console shows all your controls across standards. Each control has the same control ID across standards. When you turn on consolidated control findings, you receive a single finding per security check even when a control applies to multiple enabled standards.	August 28, 2023
Security Hub available in Israel (Tel Aviv) Region	Security Hub is now available in Israel (Tel Aviv). All Security Hub features are now available in this Region, with the exception of certain security controls. For more information, see Availability of controls by Region.	August 8, 2023
New security controls	The following new Security Hub controls are available: [Athena.1] Athena workgroups should be encrypted at rest [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period [Neptune.1] Neptune DB clusters should be encrypted at rest [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs [Neptune.3] Neptune DB cluster snapshots should not be public [Neptune.4] Neptune DB clusters should have deletion protection enabled [Neptune.5] Neptune DB clusters should have automated backups enabled [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest [Neptune.7] Neptune DB clusters should have IAM database authentication enabled [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots [RDS.27] RDS DB clusters should be encrypted at rest	July 28, 2023
New operators for automation rule criteria	You can now use CONTAINS and NOT_CONTAINS comparison operators for automation rule map and string criteria.	July 25, 2023
Automation rules	Security Hub now offers automation rules that automatically update findings based on criteria that you specify.	June 13, 2023
New third party integration	Snyk is a new third-party integration that sends findings to Security Hub.	June 12, 2023
Existing security controls added to Service-Managed Standard: Amazon Control Tower	The following existing Security Hub controls have been added to Service-Managed Standard: Amazon Control Tower. [Account.1] Security contact information should be provided for an Amazon Web Services account [APIGateway.8] API Gateway routes should specify an authorization type [APIGateway.9] Access logging should be configured for API Gateway V2 Stages [CodeBuild.3] CodeBuild S3 logs should be encrypted [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS [Redshift.10] Redshift clusters should be encrypted at rest [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC [SageMaker.3] Users should not have root access to SageMaker notebook instances [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group	June 12, 2023
New security controls	The following new Security Hub controls are available: [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits [AppSync.2] Amazon AppSync should have field-level logging enabled [CloudFront.13] CloudFront distributions should use origin access control [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch [S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys [StepFunctions.1] Step Functions state machines should have logging turned on	June 6, 2023
Security Hub available in Asia Pacific (Melbourne)	Security Hub is now available in Asia Pacific (Melbourne). All Security Hub features are now available in this Region, with the exception of certain security controls. For more information, see Availability of controls by Region.	May 25, 2023
Finding history	Security Hub can now track the history of a finding during the last 90 days.	May 4, 2023
New security controls	The following new Security Hub controls are available: [EKS.1] EKS cluster endpoints should not be publicly accessible [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL [Redshift.10] Redshift clusters should be encrypted at rest [S3.15] S3 general purpose buckets should have Object Lock enabled	March 29, 2023
Expanded support for consolidated control findings	The Automated Security Response on Amazon v2.0.0 now supports consolidated control findings.	March 24, 2023
Security Hub available in new Amazon Web Services Regions	Security Hub is now available in Asia Pacific (Hyderabad), Europe (Spain), and Europe (Zurich). Limits exist on which controls are available in these Regions.	March 21, 2023
Update to managed policy	Security Hub has updated an existing permission in the `AWSSecurityHubServiceRolePolicy` managed policy.	March 17, 2023
New security controls for NIST 800-53 standard	Security Hub has added the following security controls, which are applicable to the NIST 800-53 standard: [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization [CloudWatch.15] CloudWatch alarms should have specified actions configured [CloudWatch.16] CloudWatch log groups should be retained for a specified time period [CloudWatch.17] CloudWatch alarm actions should be activated [DynamoDB.4] DynamoDB tables should be present in a backup plan [EC2.28] EBS volumes should be covered by a backup plan EC2.29 – EC2 instances should be launched in a VPC (retired) [RDS.26] RDS DB instances should be protected by a backup plan [S3.14] S3 general purpose buckets should have versioning enabled [WAF.11] Amazon WAF web ACL logging should be enabled	March 3, 2023
National Institute of Standards and Technology (NIST) 800-53 Rev. 5	Security Hub now supports the NIST 800-53 Rev. 5 standard with more than 200 applicable security controls.	February 28, 2023
Consolidated controls view and control findings	With the release of consolidated controls view, the Controls page of the Security Hub console shows all your controls across standards. Each control has the same control ID across standards. When you turn on consolidated control findings, you receive a single finding per security check even when a control applies to multiple enabled standards.	February 23, 2023
New security controls	The following new Security Hub controls are available. Some controls have Regional limitations. [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH [ElastiCache.7] ElastiCache clusters should not use the default subnet group	February 16, 2023
New ASFF fields	Security Hub has added ProductFields.ArchivalReasons:0/Description and ProductFields.ArchivalReasons:0/ReasonCode to the Amazon Security Finding Format (ASFF).	February 8, 2023
New ASFF fields	Security Hub has added Compliance.AssociatedStandards and Compliance.SecurityControlId to the Amazon Security Finding Format (ASFF).	January 31, 2023
Vulnerability details now available	You can now see vulnerability details in the Security Hub console for findings that Amazon Inspector sends to Security Hub.	January 14, 2023
Security Hub is available in Middle East (UAE)	Security Hub is now available in Middle East (UAE). Some controls have Regional limits.	January 12, 2023
Added third-party integration with MetricStream	Security Hub now supports a third-party integration with MetricStream in all Regions except China and Amazon GovCloud (US).	January 11, 2023
Increased organizational account limit	Security Hub now supports up to 11,000 member accounts for each Security Hub administrator account per Region.	December 27, 2022
ElasticBeanstalk.3 rolled back	Security Hub rolled back the control [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch from the FSBP standard in all Regions.	December 21, 2022
Security Hub adds new security controls	New Security Hub controls are available to customers who have enabled the FSBP standard. Some controls have Regional limitations.	December 15, 2022
Guidance on upcoming features	Security Hub is planning to release two new features: consolidated controls view and consolidated control findings. These upcoming features may impact existing workflows that rely on control finding fields and values.	December 9, 2022
Amazon Security Lake integration now available	Security Lake now integrates with Security Hub by receiving Security Hub findings.	November 29, 2022
Support for Service-Managed Standard: Amazon Control Tower	Security Hub supports a new security standard called Service-Managed Standard: Amazon Control Tower. Amazon Control Tower manages this standard.	November 28, 2022
CIS Amazon Foundations Benchmark v1.4.0 now available in China Regions	Security Hub now supports CIS Amazon Foundations Benchmark v1.4.0 in the China Regions.	November 18, 2022
Jira Service Management Cloud integration now available	Jira Service Management Cloud now receives Security Hub findings in all available Regions, except the China Regions.	November 17, 2022
Amazon IoT Device Defender integration now available	Amazon IoT Device Defender now sends findings to Security Hub in all available Regions.	November 17, 2022
Support for CIS Amazon Foundations Benchmark v1.4.0	Security Hub now provides security controls that support CIS Amazon Foundations Benchmark v1.4.0. This standard is available in all available Regions, except the China Regions.	November 9, 2022
Support for Security Hub announcements in Amazon GovCloud (US)	You can now subscribe to Security Hub announcements with Amazon Simple Notification Service (Amazon SNS) in Amazon GovCloud (US-East) and Amazon GovCloud (US-West) to receive notifications about Security Hub.	October 3, 2022
Amazon Security Hub adds a new security control	The new Security Hub control AutoScaling.9 is available to customers who have enabled the FSBP standard. Controls may have Regional limitations.	September 1, 2022
Subscribe to Security Hub announcements	You can now subscribe to Security Hub announcements with Amazon Simple Notification Service (Amazon SNS) to receive notifications about Security Hub.	August 29, 2022
Region expansion for cross-Region aggregation	Cross-Region aggregation is now available for findings, finding updates, and insights across Amazon GovCloud (US).	August 2, 2022
New third-party product integrations	Fortinet - FortiCNP is a third-party integration that receives Security Hub findings, and JFrog is a third-party integration that sends findings to Security Hub.	July 26, 2022
EC2.27 is retired	Security Hub has retired EC2.27 - Running EC2 Instances should not use key pairs, a former control in the Amazon Foundational Security Best Practices (FSBP) standard.	July 20, 2022
Lambda.2 no longer supports python3.6	Security Hub no longer supports python3.6 as a parameter for Lambda.2 - Lambda functions should use supported runtimes, a control in the Amazon Foundational Security Best Practices (FSBP) standard.	July 19, 2022
Amazon Security Hub adds new security controls	New Security Hub controls are available to customers who have enabled the FSBP standard. Some controls have Regional limitations.	June 22, 2022
Amazon Security Hub supports a new Region	Security Hub is now available in Asia Pacific (Jakarta). Some controls are not available in this Region.	June 7, 2022
Improved integration between Amazon Security Hub and Amazon Config	Security Hub users can see the results of Amazon Config rule evaluations as findings in Security Hub.	June 6, 2022
Added ability to opt out of auto-enabled standards	For users who have integrated with Amazon Organizations, this feature allows you to log into the Security Hub administrator account and opt new member accounts out of auto-enabled standards.	April 25, 2022
Expanded cross-Region aggregation	Added cross-Region aggregation to control statuses and security scores.	April 20, 2022
CompanyName and ProductName are now top level attributes	Added new top level attributes for setting company and product names associated with custom integrations	April 1, 2022
Added new controls to the Amazon Foundational Security Best Practices standard	Added 5 new controls to the Amazon Foundational Security Best Practices standard.	March 31, 2022
Added new resource details objectes to ASFF	Added `AwsRdsDbSecurityGroup` resource type to ASFF.	March 25, 2022
Added additional resources details in ASFF	Added additional details to `AwsAutoScalingScalingGroup`, `AwsElbLoadBalancer`, `AwsRedshiftCluster`, and `AwsCodeBuildProject`.	March 25, 2022
Added new controls to the Amazon Foundational Security Best Practices standard	Added 15 new controls to the Amazon Foundational Security Best Practices standard.	March 16, 2022
Added new controls to the Amazon Foundational Security Best Practices standard and Payment Card Industry Data Security Standard (PCI DSS)	Added new controls for Amazon OpenSearch Service, Amazon RDS, Amazon EC2, Elastic Load Balancing, and CloudFront to the Amazon Foundational Security Best Practices standard. Also added two new controls for OpenSearch Service to the PCI DSS.	February 15, 2022
Added new field to ASFF	Added new field: Sample.	January 26, 2022
Added integration with Amazon Health	Amazon Health uses service-to-service event messaging to send findings to Security Hub.	January 19, 2022
Added integration with Amazon Trusted Advisor	Trusted Advisor sends the results of its checks to Security Hub as Security Hub findings. Security Hub sends the results of its Amazon Foundational Security Best Practices checks to Trusted Advisor.	January 18, 2022
Updated resource details objects in ASFF	Added `MixedInstancesPolicy` and `AvailabilityZones` to `AwsAutoScalingAutoScalingGroup`. Added `MetadataOptions` to `AwsAutoScalingLaunchConfiguration`. Added `BucketVersioningConfiguration` to `AwsS3Bucket`.	December 20, 2021
Updated output for ASFF documentation	The descriptions of ASFF attributes were previously in a single topic. Each top-level object and each resource details object is now in its own topic. The ASFF syntax topic contains links to those topics.	December 20, 2021
Added new resource details objects to ASFF for Amazon Network Firewall	For Amazon Network Firewall, added the following resource details objects: `AwsNetworkFirewallFirewall`, `AwsNetworkFireFirewallPolicy`, and `AwsNetworkFirewallRuleGroup`.	December 20, 2021
Added support for the new version of Amazon Inspector	Security Hub is integrated with the new version of Amazon Inspector as well as with Amazon Inspector Classic. Amazon Inspector sends findings to Security Hub.	November 29, 2021
Changed the severity of EC2.19	The severity of EC2.19 (Security groups should not allow unrestricted access to ports with high risk) is changed from High to Critical.	November 17, 2021
New integration with Sonrai Dig	Security Hub now offers an integration with Sonrai Dig. Sonrai Dig monitors cloud environments to identify security risks. Sonrai Dig sends findings to Security Hub.	November 12, 2021
Updated check for CIS 2.1 and CloudTrail.1 controls	In addition to checking that at least one multi-Region CloudTrail trail is in place, CIS 2.1 and CloudTrail.1 now also check that the `ExcludeManagementEventSources` parameter is empty in at least one of the multi-Region CloudTrail trails.	November 9, 2021
Added support for VPC endpoints	Security Hub is now integrated with Amazon PrivateLink and supports VPC endpoints.	November 3, 2021
Added controls to the Amazon Foundational Security Best Practices standard	Added new controls for Elastic Load Balancing (ELB.2 and ELB.8) and Amazon Systems Manager (SSM.4).	November 2, 2021
Added ports to the check for the EC2.19 control	EC2.19 now also checks that security groups do not allow unrestricted ingress access to the following ports: 3000 (Go, Node.js, and Ruby web development frameworks), 5000 (Python web development frameworks), 8088 (legacy HTTP port), and 8888 (alternative HTTP port)	October 27, 2021
Added the integration with Logz.io Cloud SIEM	Logz.io is a provider of Cloud SIEM that provides advanced correlation of log and event data to help security teams to detect, analyze, and respond to security threats in real time. Logz.io receives findings from Security Hub.	October 25, 2021
Added support for cross-Region aggregation of findings	Cross-Region aggregation allows you to view all of your findings without having to change Regions. Administrator accounts choose an aggregation Region and linked Regions. Findings for the administrator account and its member accounts are aggregated from the linked Regions to the aggregation Region.	October 20, 2021
Updated resource details objects in ASFF	Added viewer certificate details to `AwsCloudFrontDistribution`. Added additional details to `AwsCodeBuildProject`. Added load balancer attributes to `AwsElbV2LoadBalancer`. Added the S3 bucket owner account identifier to `AwsS3Bucket`.	October 8, 2021
Added new resource details objects to ASFF	Added the following new resource details objects to ASFF: `AwsEc2VpcEndpointService`, `AwsEcrRepository`, `AwsEksCluster`, `AwsOpenSearchServiceDomain`, `AwsWafRateBasedRule`, `AwsWafRegionalRateBasedRule`, `AwsXrayEncryptionConfig`	October 8, 2021
Removed deprecated runtime from the Lambda.2 control	In the Amazon Foundational Security Best Practices standard, removed the `dotnetcore2.1` runtime from [Lambda.2] Lambda functions should use supported runtimes.	October 6, 2021
New name for Check Point integration	The integration with Check Point Dome9 Arc is now Check Point CloudGuard Posture Management. The integration ARN did not change.	October 1, 2021
Removed the integration with Alcide	The integration with Alcide kAudit is discontinued.	September 30, 2021
Changed the severity of EC2.19	The severity of [EC2.19] Security groups should not allow unrestricted access to ports with high risk is changed from Medium to High.	September 30, 2021
Integration with Amazon Organizations is now supported in the China Regions	The Security Hub integration with Organizations is now supported in China (Beijing) and China (Ningxia).	September 20, 2021
New Amazon Config rule for the S3.1 and PCI.S3.6 controls	Both S3.1 and PCI.S3.6 verify that the Amazon S3 Block Public Access setting is enabled. The Amazon Config rule for these controls is changed from `s3-account-level-public-access-blocks` to `s3-account-level-public-access-blocks-periodic`.	September 14, 2021
Removed deprecated runtimes from the Lambda.2 control	In the Amazon Foundational Security Best Practices standard, removed the `nodejs10.x` and `ruby2.5` runtimes from [Lambda.2] Lambda functions should use supported runtimes.	September 13, 2021
Changed the severity of the CIS 2.2 control	In the CIS Amazon Foundations Benchmark standard, the severity for 2.2. – Ensure CloudTrail log file validation is enabled is changed from Low to Medium.	September 13, 2021
Updated ECS.1, Lambda.2, and SSM.1 in the Amazon Foundational Security Best Practices standard	In the Amazon Foundational Security Best Practices standard, ECS.1 now has a `SkipInactiveTaskDefinitions` parameter that is set to `true`. This ensures that the control only checks active task definitions. For Lambda.2, added Python 3.9 to the list of runtimes. SSM.1 now checks both stopped and running instances.	September 7, 2021
PCI.Lambda.2 control now excludes Lambda@Edge resources	In the Payment Card Industry Data Security Standard (PCI DSS) standard, the PCI.Lambda.2 control now excludes Lambda@Edge resources.	September 7, 2021
Added the integration with HackerOne Vulnerability Intelligence	Security Hub now offers an integration with HackerOne Vulnerability Intelligence. The integration sends findings to Security Hub.	September 7, 2021
Updated resource details objects in ASFF	For `AwsKmsKey`, added `KeyRotationStatus`. For `AwsS3Bucket`, added `AccessControlList`, `BucketLoggingConfiguration`, `BucketNotificationConfiguration`, and `BucketWebsiteConfiguration`.	September 2, 2021
Added new resource details objects to ASFF	Added the following new resource details objects to ASFF: `AwsAutoScalingLaunchConfiguration`, `AwsEc2VpnConnection`, and `AwsEcrContainerImage`.	September 2, 2021
Added details to the `Vulnerabilities` object in ASFF	In `Cvss` , added `Adjustments` and `Source`. In `VulnerablePackages`, added the file path and package manager.	September 2, 2021
Systems Manager Explorer and OpsCenter integration now supported in the China Regions	The Security Hub integration with SSM Explorer and OpsCenter is now supported in China (Beijing) and China (Ningxia).	August 31, 2021
Retiring the Lambda.4 control	Security Hub is retiring the control [Lambda.4] Lambda functions should have a dead-letter queue configured. When a control is retired, it no longer displays on the console, and Security Hub does not perform checks against it.	August 31, 2021
Retiring the PCI.EC2.3 control	Security Hub is retiring the control [PCI.EC2.3] Unused EC2 security groups should be removed. When a control is retired, it no longer displays on the console, and Security Hub does not perform checks against it.	August 27, 2021
Change to how Security Hub sends findings to custom actions	When you send findings to a custom action, Security Hub now sends each finding in a separate Security Hub Findings - Custom Action event.	August 20, 2021
Added a new compliance status reason code for custom Lambda runtimes	Added a new `LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE` compliance status reason code. This reason code indicates that Security Hub could not perform a check against a custom Lambda runtime.	August 20, 2021
Amazon Firewall Manager integration now supported in the China Regions	The Security Hub integration with Firewall Manager is now supported in China (Beijing) and China (Ningxia).	August 19, 2021
New integrations with Caveonix Cloud and Forcepoint Cloud Security Gateway	Security Hub now offers integrations with Caveonix Cloud and Forcepoint Cloud Security Gateway. Both integrations send findings to Security Hub.	August 10, 2021
Added new `CompanyName`, `ProductName`, and `Region` attributes to ASFF	Added `CompanyName`, `ProductName`, and `Region` fields to the top level of the ASFF. These fields are populated automatically and, except for custom product integrations, cannot be updated using `BatchImportFindings` or `BatchUpdateFindings`. On the console, finding filters use these new fields. In the API, the `CompanyName` and `ProductName` filters use the attributes that are under `ProductFields`.	July 23, 2021
Added and updated resource details objects in ASFF	Added a new `AwsRdsEventSubscription` resource type and resource details. Added resource details for the `AwsEcsService` resource type. Added attributes to the `AwsElasticsearchDomain` resource details object.	July 23, 2021
Added controls to the Amazon Foundational Security Best Practices standard	Added new controls for Amazon API Gateway (APIGateway.5), Amazon EC2 (EC2.19), Amazon ECS (ECS.2), Elastic Load Balancing (ELB.7), Amazon OpenSearch Service (ES.5 through ES.8), Amazon RDS (RDS.16 through RDS.23), Amazon Redshift (Redshift.4), and Amazon SQS (SQS.1).	July 20, 2021
Moved a permission within the service-linked role managed policy	Moved the `config:PutEvaluations` permission within the managed policy `AWSSecurityHubServiceRolePolicy`, so that it is applied to all resources.	July 14, 2021
Added controls to the Amazon Foundational Security Best Practices standard	Added new controls for Amazon API Gateway (APIGateway.4), Amazon CloudFront (CloudFront.5 and CloudFront.6), Amazon EC2 (EC2.17 and EC2.18), Amazon ECS (ECS.1), Amazon OpenSearch Service (ES.4), Amazon Identity and Access Management (IAM.21), Amazon RDS (RDS.15), and Amazon S3 (S3.8).	July 8, 2021
Added new compliance status reason codes for control findings	`INTERNAL_SERVICE_ERROR` indicates that an unknown error occurred. `SNS_TOPIC_CROSS_ACCOUNT` indicates that the SNS topic is owned by a different account. `SNS_TOPIC_INVALID` indicates that the associated SNS topic is invalid.	July 6, 2021
Added the integration with Amazon Chatbot	Added the integration with Amazon Chatbot. Security Hub sends findings to Amazon Chatbot.	June 30, 2021
Added a new permission to the service-linked role managed policy	Added a new permission to the managed policy `AWSSecurityHubServiceRolePolicy` to allow the service-linked role to deliver evaluation results to Amazon Config.	June 29, 2021
New and updated resource details objects in the ASFF	Added new resource details objects for ECS clusters and ECS task definitions. Updated the EC2 instance object to list the associated network interfaces. Added the client certificate ID for the API Gateway V2 stages. Added the lifecycle configuration for S3 buckets.	June 24, 2021
Updated the calculation of aggregated control statuses and standard security scores	Security Hub now calculates the overall control status and standard security score every 24 hours. For administrator accounts, the score now reflects whether each control is enabled or disabled for each account.	June 23, 2021
Updated information about Security Hub handling of suspended accounts	Added information on how Security Hub handles accounts that are suspended in Amazon.	June 23, 2021
Added tabs to display the enabled and disabled controls for the individual administrator account	For the administrator account, the main tabs on the standard details page contain aggregated information across accounts. The new Enabled for this account and Disabled for this account tabs list the accounts that are enabled or disabled for the individual administrator account.	June 23, 2021
Added `java8.al2` to the parameters for `Lambda.2`	In the Amazon Foundational Security Best Practices standard, added `java8.al2` to the supported runtimes for the `Lambda.2` control.	June 8, 2021
New integrations with MicroFocus ArcSight and NETSCOUT Cyber Investigator	Added integrations with MicroFocus ArcSight and NETSCOUT Cyber Investigator. MicroFocus ArcSight receives findings from Security Hub. NETSCOUT Cyber Investigator sends findings to Security Hub.	June 7, 2021
Added details for `AWSSecurityHubServiceRolePolicy`	Updated the managed policies section to add details for the existing managed policy `AWSSecurityHubServiceRolePolicy`, which is used by the Security Hub service-linked role.	June 4, 2021
New integration with Jira Service Management	The Amazon Service Management Connector for Jira sends findings to Jira and uses them to create Jira issues. When the Jira issues are updated, the corresponding findings in Security Hub also are updated.	May 26, 2021
Updated the supported controls list for the Asia Pacific (Osaka) Region	Updated the CIS Amazon Foundations standard and the Payment Card Industry Data Security Standard (PCI DSS) to indicate the controls that are not supported in Asia Pacific (Osaka).	May 21, 2021
New integration with Sysdig Secure for cloud	Added an integration with Sysdig Secure for cloud. The integration sends findings to Security Hub.	May 14, 2021
Added controls to the Amazon Foundational Security Best Practices standard	Added new controls for Amazon API Gateway (APIGateway.2 and APIGateway.3), Amazon CloudTrail (CloudTrail.4 and CloudTrail.5), Amazon EC2 (EC2.15 and EC2.16), Amazon Elastic Beanstalk (ElasticBeanstalk.1 and ElasticBeanstalk.2), Amazon Lambda (Lambda.4), Amazon RDS (RDS.12 – RDS.14), Amazon Redshift (Redshift.7), Amazon Secrets Manager (SecretsManager.3 and SecretsManager.4), and Amazon WAF (WAF.1).	May 10, 2021
Updates to GuardDuty and Amazon RDS controls	Changed the severity of `GuardDuty.1` and `PCI.GuardDuty.1` from Medium to High. Added a `databaseEngines` parameter to `RDS.8`.	May 4, 2021
Added new resource details to the ASFF	In `Resources.Details`, added new resource details objects for Amazon EC2 network ACLs, Amazon EC2 subnets, and Amazon Elastic Beanstalk environments.	May 3, 2021
Added console fields to provide filter values for Amazon EventBridge rules	The new predefined filter patterns for Security Hub EventBridge rules provide console fields that you can use to specify filter values.	April 30, 2021
Added the integration with Amazon Systems Manager Explorer and OpsCenter	Security Hub now supports an integration with Systems Manager Explorer and OpsCenter. The integration receives findings from Security Hub and updates those findings in Security Hub.	April 26, 2021
New type for product integrations	A new integration type, `UPDATE_FINDINGS_IN_SECURITY_HUB`, indicates that a product integration updates findings that it receives from Security Hub.	April 22, 2021
Changed "master account" to "administrator account"	The term "master account" is changed to "administrator account." The term is also changed in the Security Hub console and API.	April 22, 2021
Updated APIGateway.1 to replace HTTP with Websocket	Updated the title, description, and remediation for APIGateway.1. The control now checks for Websocket API execution logging instead of for HTTP API execution logging.	April 9, 2021
Amazon GuardDuty integration now supported in Beijing and Ningxia	The Security Hub integration with GuardDuty is now supported in the China (Beijing) and China (Ningxia) Regions.	April 5, 2021
Added `nodejs14.x` to the supported runtimes for Lambda.2 control	The Lambda.2 control in the Foundational Security Best Practices standard now supports the `nodejs14.x` runtime.	March 30, 2021
Security Hub launched in Asia Pacific (Osaka)	Security Hub is now available in the Asia Pacific (Osaka) Region.	March 29, 2021
Added finding provider fields to finding details	On the finding details panel, the new Finding Provider Fields section contains the finding provider values for confidence, criticality, related findings, severity, and types.	March 24, 2021
Added option to receive sensitive findings from Amazon Macie	The integration with Macie can now be configured to send sensitive findings to Security Hub.	March 23, 2021
Transitioning to Amazon Organizations for account management	For customers who have an existing administrator account with member accounts, added new information on how to change from managing accounts by invitation to managing accounts using Organizations.	March 22, 2021
New objects in ASFF for information about Amazon S3 Public Access Block configuration	In `Resources`, a new `AwsS3AccountPublicAccessBlock` resource type and details object provides information about the Amazon S3 Public Access Block configuration for accounts. In the `AwsS3Bucket` resource details object, the `PublicAccessBlockConfiguration` object provides the Public Access Block configuration for the S3 bucket.	March 18, 2021
New object in ASFF to allow finding providers to update specific fields	The new `FindingProviderFields` object in ASFF is used in `BatchImportFindings` to provide values for `Confidence`, `Criticality`, `RelatedFindings`, `Severity`, and `Types`. The original fields should only be updated using `BatchUpdateFindings`.	March 18, 2021
New `DataClassification` object for resources in ASFF	The new `Resources.DataClassification` object in ASFF is used to provide information about sensitive data that was detected on the resource.	March 18, 2021
Added `CONFIG_RETURNS_NOT_APPLICABLE` value to the available compliance status codes	For the `NOT_AVAILABLE` compliance status, removed the reason code `RESOURCE_NO_LONGER_EXISTS` and added the reason code `CONFIG_RETURNS_NOT_APPLICABLE`.	March 16, 2021
New managed policy for integration with Amazon Organizations	A new managed policy, `AWSSecurityHubOrganizationsAccess`, provides the Organizations permissions that are needed by the organization management account and the delegated Security Hub administrator account.	March 15, 2021
Managed policy and service-linked role information moved to the Security chapter	The information on managed policies is revised and expanded. Both the managed policy information and the information on service-linked roles has moved to the Security chapter.	March 15, 2021
New integration with SecureCloudDB	Added SecureCloudDB to the list of third-party integrations. SecureCloudDB is a cloud native database security tool that provides comprehensive visibility of internal and external security postures and activity. SecureCloudDB sends findings to Security Hub.	March 4, 2021
Revised severity for CIS 1.1 and CIS 3.1 – CIS 3.14 controls	The severity of the CIS 1.1 and CIS 3.1 – CIS 3.14 controls is changed to Low.	March 3, 2021
Removed the RDS.11 control	Removed the RDS.11 control from the Foundational Security Best Practices standard.	March 3, 2021
Updated integration for Turbot	The Turbot integration is updated to both send and receive findings.	February 26, 2021
Added controls to the Foundational Security Best Practices standard	Added new controls for Amazon API Gateway (APIGateway.1), Amazon EC2 (EC2.9 and EC2.10), Amazon Elastic File System (EFS.2), Amazon OpenSearch Service (ES.2 and ES.3), Elastic Load Balancing (ELB.6), and Amazon Key Management Service (Amazon KMS) (KMS.3).	February 11, 2021
Added optional `ProductArn` filter to the `DescribeProducts` API	The `DescribeProducts` API operation now includes an optional `ProductArn` parameter. The `ProductArn` parameter is used to identify the specific product integration to return details for.	February 3, 2021
New integration with Antivirus for Amazon S3 from Cloud Storage Security	The integration with Antivirus for Amazon S3 sends the virus scan results to Security Hub as findings.	January 27, 2021
Updated the security score calculation process for administrator accounts	For an administrator account, Security Hub uses a separate process to calculate the security score. The new process ensures that the score includes controls that are enabled for member accounts but disabled for the administrator account.	January 21, 2021
New fields and objects in the ASFF	Added a new `Action` object to track actions that occurred against a resource. Added fields to the `AwsEc2NetworkInterface` object to track DNS names and IP addresses. Added a new `AwsSsmPatchCompliance` object to the resource details.	January 21, 2021
Added controls to the Foundational Security Best Practices standard	Added new controls for Amazon CloudFront (CloudFront.1 through CloudFront.4), Amazon DynamoDB (DynamoDB.1 through DynamoDB.3), Elastic Load Balancing (ELB.3 through ELB.5), Amazon RDS (RDS.9 through RDS.11), Amazon Redshift (Redshift.1 through Redshift.3 and Redshift.6), and Amazon SNS (SNS.1).	January 15, 2021
Workflow status is reset based on the record state or compliance status	Security Hub automatically resets the workflow status from `NOTIFIED` or `RESOLVED` to `NEW` if an archived finding is made active, or if the compliance status of a finding changes from `PASSED` to either `FAILED`, `WARNING`, or `NOT_AVAILABLE`. These changes indicate that additional investigation is required.	January 7, 2021
Added `ProductFields` information for control-based findings	For findings that are generated from controls, added information about the content of the `ProductFields` object in the Amazon Security Finding Format (ASFF).	December 29, 2020
Updates to managed insights	Changed the title of insight 5. Added a new insight, 32, that checks for IAM users with suspicious activity.	December 22, 2020
Updates to IAM.7 and Lambda.1 controls	In the Amazon Foundational Security Best Practices standard, updated the parameters for IAM.7. Updated the title and description of Lambda.1.	December 22, 2020
Expanded integration with ServiceNow ITSM	The ServiceNow ITSM integration allows users to automatically create incidents or problems when a Security Hub finding is received. Updates to these incidents or problems result in updates to the findings in Security Hub.	December 11, 2020
New integration with Amazon Audit Manager	Security Hub now offers an integration with Amazon Audit Manager. The integration allows Audit Manager to receive control-based findings from Security Hub.	December 8, 2020
New integration with Aqua Security Kube-bench	Security Hub added an integration with Aqua Security Kube-bench. The integration sends findings to Security Hub.	November 24, 2020
Cloud Custodian is now available in the China Regions	The integration with Cloud Custodian is now available in the China (Beijing) and China (Ningxia) Regions.	November 24, 2020
`BatchImportFindings` can now be used to update additional fields	Previously, you could not use `BatchImportFindings` to update the `Confidence`, `Criticality`, `RelatedFindings`, `Severity`, and `Types` fields. Now, if these fields have not been updated by `BatchUpdateFindings`, they can be updated by `BatchImportFindings`. Once they are updated by `BatchUpdateFindings`, they cannot be updated by `BatchImportFindings`.	November 24, 2020
Security Hub is now integrated with Amazon Organizations	Customers can now manage member accounts using their Organizations account configuration. The organization management account designates the Security Hub administrator account, who determines which organization accounts to enable in Security Hub. The manual invitation process can still be used for accounts that are not part of an organization.	November 23, 2020
Removed the separate finding list format for high-volume controls	The finding list for a control no longer uses the Findings page format when there is a very large number of findings.	November 19, 2020
New and updated third-party integrations	Security Hub now supports integrations with cloudtamer.io, 3CORESec, Prowler, and StackRox Kubernetes Security. IBM QRadar no longer sends findings. It only receives findings.	October 30, 2020
Added option to download the list of findings from the control details page.	On the control details page, a new Download option allows you to download the finding list to a .csv file. The downloaded list respects any filters that are on the list. If you selected specific findings, then the downloaded list only includes those findings.	October 26, 2020
Added option to download the list of controls from the standard details page.	On the standard details page, a new Download option allows you to download the control list to a .csv file. The downloaded list respects any filters that are on the list. If you selected a specific control, then the downloaded list only includes that control.	October 26, 2020
New and updated partner integrations	Security Hub is now integrated with ThreatModeler. Updated the following partner integrations to reflect their new product names. Twistlock Enterprise Edition is now Palo Alto Networks - Prisma Cloud Compute. Also from Palo Alto Networks, Demisto is now Cortex XSOAR and Redlock is now Prisma Cloud Enterprise.	October 23, 2020
Security Hub launched in China (Beijing) and China (Ningxia)	Security Hub is now available in the China (Beijing) and China (Ningxia) Regions.	October 21, 2020
Revised format for ASFF attributes and third-party integrations	The lists of ASFF attributes and partner integrations now use a list-based format instead of tables. The ASFF syntax, attributes, and types taxonomy are now in separate topics.	October 15, 2020
Redesigned standard details page	The standard details page for an enabled standard now displays a tabbed list of controls. The tabs filter the control list based on the control status.	October 7, 2020
Replaced CloudWatch Events with EventBridge	Replaced references to Amazon CloudWatch Events with Amazon EventBridge.	October 1, 2020
New integrations with Blue Hexagon for Amazon, Alcide kAudit, and Palo Alto Networks VM-Series.	Security Hub is now integrated with Blue Hexagon for Amazon, Alcide kAudit, and Palo Alto Networks VM-Series. Blue Hexagon for Amazon and kAudit send findings to Security Hub. VM-Series receives findings from Security Hub.	September 30, 2020
New and updated resource details objects in ASFF	Added new `Resources.Details` objects for `AwsApiGatewayRestApi`, `AwsApiGatewayStage`, `AwsApiGatewayV2Api`, `AwsApiGatewayV2Stage`, `AwsCertificateManagerCertificate`, `AwsElbLoadBalancer`, `AwsIamGroup`, and `AwsRedshiftCluster`. Added details to the `AwsCloudFrontDistribution`, `AwsIamRole` and `AwsIamAccessKey` objects.	September 30, 2020
New `ResourceRole` attribute for resources in ASFF to track whether a resource is an actor or a target.	The `ResourceRole` attribute for resources indicates whether the resource is the target of the finding activity or the perpetrator of the finding activity. The valid values are `ACTOR` and `TARGET`.	September 30, 2020
Added Amazon Systems Manager Patch Manager to available Amazon service integrations	Amazon Systems Manager Patch Manager is now integrated with Security Hub. Patch Manager sends findings to Security Hub when instances in a customer's fleet go out of compliance with their patch compliance standard.	September 22, 2020
Added new controls to the Amazon Foundational Security Best Practices standard	Added new controls for the following services: Amazon EC2 (EC2.7 and EC2.8), Amazon EMR (EMR.1), IAM (IAM.8), Amazon RDS (RDS.4 through RDS.8), Amazon S3 (S3.6), and Amazon Secrets Manager (SecretsManager.1 and SecretsManager.2).	September 15, 2020
New context keys for IAM policy to control access to `BatchUpdateFindings` fields	IAM policies can now be configured to restrict access to fields and field values when using `BatchUpdateFindings`.	September 10, 2020
Expanded access to `BatchUpdateFindings` for member accounts	By default, member accounts now have the same access to `BatchUpdateFindings` as administrator accounts.	September 10, 2020
New controls for Amazon KMS in the Foundational Security Best Practices Standard	Added two new controls (KMS.1 and KMS.2) to the Foundational Security Best Practices Standard. The new controls check whether IAM policies restrict access to Amazon KMS decryption actions.	September 9, 2020
Removed account-level findings for controls	Security Hub no longer generates account-level findings for a control. Only resource-level findings are generated.	September 1, 2020
New PatchSummary object in ASFF	Added the `PatchSummary` object to the ASFF. The `PatchSummary` object provides information about the patch compliance of a resource relative to a selected compliance standard.	September 1, 2020
Redesigned control details page	The details page for controls is redesigned. The control finding list provides tabs to allow you to quickly filter the list based on the compliance status. You can also quickly see suppressed findings. Each entry provides access to additional details about the finding resource, Amazon Config rule, and finding notes.	August 28, 2020
New filter options for findings	For finding filters, you can use the is not filter to find findings for which a field value is not equal to the filter value. You can use the does not start with to find findings for which a field value does not start with the specified filter value.	August 28, 2020
New resource details objects in ASFF	Added new `Resources.Details` objects for the following resource types: `AwsDynamoDbTable` , `AwsEc2Eip`, `AwsIamPolicy`, `AwsIamUser`, `AwsRdsDbCluster`, `AwsRdsDbClusterSnapshot`, `AwsRdsDbSnapshot`, `AwsSecretsManagerSecret`	August 18, 2020
New integration with RSA Archer	Security Hub is now integrated with RSA Archer. RSA Archer receives findings from Security Hub.	August 18, 2020
New Description field for AwsKmsKey	Added a `Description` field to the `AwsKmsKey` object under `Resources.Details`.	August 18, 2020
Added fields to AwsRdsDbInstance	Added several attributes to the `AwsRdsDbInstance` object under `Resources.Details`.	August 18, 2020
Updated how Security Hub determines the overall status of a control	For controls that have no findings, the status is No data instead of Unknown. The control status includes both account-level and resource-level findings. The control status does not use the workflow status of findings, except to ignore suppressed findings.	August 13, 2020
Updated how Security Hub calculates the security score for a standard	When calculating the security score for a standard, Security Hub now ignores controls with a status of No Data. The security score is proportion of passed controls to enabled controls, excluding controls with no data.	August 13, 2020
New option to automatically enable new controls in enabled standards	Added a Settings option to automatically enable new controls in standards that are enabled. You can also use the `UpdateSecurityHubConfiguration` API operation to configure this option.	July 31, 2020
New controls for the Payment Card Industry Data Security Standard (PCI DSS) standard	Added new controls to the PCI DSS standard. The identifiers of the new controls are PCI.DMS.1, PCI.EC2.5, PCI.EC2.6, PCI.ELBV2.1, PCI.GuardDuty.1, PCI.IAM.7, PCI.IAM.8, PCI.S3.5, PCI.S3.6, PCI.SageMaker.1, PCI.SSM.2, and PCI.SSM.3.	July 29, 2020
New and updated controls for the Foundational Security Best Practices standard	Added new controls to the Foundational Security Best Practices standard. The identifiers of the new controls are AutoScaling.1, DMS.1, EC2.4, EC2.6, S3.5, and SSM.3. Updated the title of ACM.1 and changed the value of the `daysToExpiration` parameter to 30.	July 29, 2020
New `Vulnerabilities` object in the ASFF	Added the `Vulnerabilities` object, which provides information about vulnerabilities that are associated with the finding.	July 1, 2020
New `Resource.Details` objects in the ASFF for Auto Scaling groups, EC2 volumes, and EC2 VPCs	Added the `AwsAutoScalingAutoScalingGroup`, `AWSEc2Volume`, and `AwsEc2Vpc` objects to `Resource.Details`.	July 1, 2020
New `NetworkPath` object in the ASFF	Added the `NetworkPath` object, which provides information about a network path that is related to the finding.	July 1, 2020
Automatically resolve findings when `Compliance.Status` is `PASSED`	For findings from controls, if `Compliance.Status` is `PASSED`, then Security Hub automatically sets `Workflow.Status` to `RESOLVED`.	June 24, 2020
Amazon Command Line Interface examples	Added Amazon CLI syntax and examples for several Security Hub tasks. Includes enabling Security Hub, managing insights, managing standards and controls, managing product integrations, and disabling Security Hub.	June 24, 2020
New `Severity.Original` attribute in the ASFF	Added the `Severity.Original` attribute, which is the original severity from the finding provider. This replaces the deprecated `Severity.Product` attribute.	May 20, 2020
New `Compliance.StatusReasons` object in the ASFF for details about a control's status	Added the `Compliance.StatusReasons` object, which provides additional context for the current status of a control.	May 20, 2020
New Amazon Foundational Security Best Practices standard	Added the new Amazon Foundational Security Best Practices standard, which is a set of controls that detect when your deployed accounts and resources deviate from security best practices.	April 22, 2020
New console option to update the workflow status for a finding	Added information for using the Security Hub console or API to set the workflow status for findings.	April 16, 2020
New `BatchUpdateFindings` API for customer updates to findings	Added information on using `BatchUpdateFindings` to update information related to the process of investigating a finding. `BatchUpdateFindings` replaces `UpdateFindings`, which is deprecated.	April 16, 2020
Updates to the Amazon Security Finding Format (ASFF)	Added several new resource types. Added a new `Label` attribute to the `Severity` object. `Label` is intended to replace the `Normalized` field. Added a new `Workflow` object to track the process of an investigation into a finding. `Workflow` contains a `Status` attribute, which replaces the existing `Workflowstate` attribute.	March 12, 2020
Updates to the Integrations page	Updated to reflect the changes to the Integrations page. For each integration, the page now shows the integration category and whether each integration sends findings to or receives findings from Security Hub. It also provides the specific steps required to enable each integration.	February 26, 2020
New third-party product integrations	Added the following new product integrations: Cloud Custodian, FireEye Helix, Forcepoint CASB, Forcepoint DLP, Forcepoint NGFW, Rackspace Cloud Native Security, and Vectra.ai Cognito Detect.	February 21, 2020
New security standard for the Payment Card Industry Data Security Standard (PCI DSS)	Added the Security Hub security standard for the Payment Card Industry Data Security Standard (PCI DSS). When this standard is enabled, Security Hub performs automated checks against controls related to PCI DSS requirements.	February 13, 2020
Updates to the Amazon Security Finding Format (ASFF)	Added a field for related requirements for standards controls. Added new resource types and new resource details. The ASFF also now allows you to provide up to 32 resources.	February 5, 2020
New option to disable individual security standard controls	Added information on how to control whether each individual security standard control is enabled.	January 15, 2020
Updates to Terminology and Concepts	Updated some descriptions and added new terms to Terminology and Concepts.	September 21, 2019
Amazon Security Hub general availability release	Content updates to reflect improvements made to Security Hub during the preview period.	June 25, 2019
Added remediation steps for CIS Amazon Foundations checks	Added remediation steps to Security Standards Supported in Amazon Security Hub.	April 15, 2019
Preview release of Amazon Security Hub	Published the preview release version of the Amazon Security Hub User Guide.	November 18, 2018

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Controls change log