# Document history for the AWS Security Hub User Guide The following table describes the important changes to the documentation since the last release of AWS Security Hub and Security Hub CSPM. For releases of new Security Hub CSPM controls, the date specifies when the controls begin to be available in supported AWS Regions. It can take 1‐2 weeks for controls to be available in all supported Regions. For details about material changes to existing controls, see [Change log for Security Hub CSPM controls](controls-change-log.md). To receive notifications about updates to the *AWS Security Hub User Guide*, you can subscribe to an RSS feed. | Change | Description | Date | | --- |--- |--- | | [New security controls](#doc-history) | Security Hub CSPM released five new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are: [APIGateway.11](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-11), [EC2.183](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-183), [EKS.9](https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-9), [SageMaker.16](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-16), and [SageMaker.17](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-17). | April 7, 2026 | | [Updates to security standards and controls](#doc-history) | We retired the AppSync.1 and AppSync.6 controls and removed them from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). AWS AppSync now provides default encryption on all current and future API caches. | March 9, 2026 | | [Updates to security standards and controls](#doc-history) | We retired the ECS.1 control and removed the control from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). | March 4, 2026 | | [New security controls](#doc-history) | Security Hub CSPM released eleven new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are: [APIGateway.10](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-10), [ELB.21](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-21), [ELB.22](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#ecs-19), [RDS.50](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-50), [SageMaker.9](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-9) [SageMaker.10](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-10) [SageMaker.11](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-11) [SageMaker.12](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-12) [SageMaker.13](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-13) [SageMaker.14](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-14), and [SageMaker.15](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-15). | February 16, 2026 | | [Updates to security standards and controls](#doc-history) | We retired the MQ.3 control and removed the control from all applicable standards. We retired the control due to Amazon MQ requirements for automatic minor version upgrades.Previously, this control applied to the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html), the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) and the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). | January 12, 2026 | | [Updates to cost estimator documentation](#doc-history) | Added details to the Security Hub cost estimator documentation on how to grant cross account access for doing estimates in accounts besides the management account. | January 12, 2026 | | [New security controls](#doc-history) | Security Hub CSPM released five new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are:[CloudFormation.4](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html#cloudformation-4), [CloudFront.17](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-17), [ECS.19](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-19), [ECS.20](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-20), and [ECS.21](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-21). | January 6, 2026 | | [Updates to security standards and controls](#doc-history) | Due to Amazon MQ requirements for automatic minor version upgrades, we are planning to retire the MQ.3 and remove the control from all applicable standards on January 12, 2026. Currently, the control applies to the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html), the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) and the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). | December 12, 2025 | | [Updated content for Service-Managed Standard: AWS Control Tower](#doc-history) | Updated content for [Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) to provide improved guidance for creating, viewing and disabling controls in the standard from AWS Control Tower. | December 8, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released seven new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are: [Cognito.4](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-4), [Cognito.5](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-5), [Cognito.6](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-6), [EC2.182](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-182), [CloudFormation.3](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html#cloudformation-3), [ECS.18](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-18), and [SES.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ses-controls.html#ses-3). | December 8, 2025 | | [Updated content for Security Hub General Availability](#doc-history) | Added content to support the General Availability release of AWS Security Hub | December 2, 2025 | | [Updated content for Security Hub](#doc-history) | Added content for [Trends](https://docs.aws.amazon.com/securityhub/latest/userguide/dashboard-v2.html#dashboard-v2-widgets.html), and [Region Aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/security-hub-region-aggregation.html). These changes support the Security Hub preview release. | November 21, 2025 | | [Updates to a managed policy – `AWSSecurityHubV2ServiceRolePolicy`](#doc-history) | Security Hub updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubV2ServiceRolePolicy`. The updates added metering capabilities for Amazon Elastic Container Registry, AWS Lambda, Amazon CloudWatch, and AWS Identity and Access Management to support Security Hub features. The updates also added support for global AWS Config recorders. These changes support the Security Hub preview release. | November 17, 2025 | | [Updates to a managed policy – `AWSSecurityHubOrganizationsAccess`](#doc-history) | Security Hub updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubOrganizationsAccess`. The updates added permissions to describe resource policies that support Security Hub features. These changes support the Security Hub preview release. | November 17, 2025 | | [Updates to a managed policy – `AWSSecurityHubFullAccess`](#doc-history) | Security Hub updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubFullAccess`. The updates added capabilities around managing GuardDuty, Amazon Inspector, and account management to support Security Hub features. These changes support the Security Hub preview release. | November 17, 2025 | | [Updates to security controls](#doc-history) | We changed the severity of 10 Security Hub CSPM controls: CloudFront.7, CloudTrail.5, ELB.7, GuardDuty.7, MQ.3, Opensearch.10, RDS.7, ServiceCatalog.1, SNS.4, and SQS.3. For a breakdown of the changes, see the [Change log for Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html). | November 13, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released six new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The new controls are: [Cognito.3](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-3), [DMS.13](https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-13), [EC2.181](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-181), [RDS.43](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-43), [RDS.47](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-47), and [RDS.48](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-48). | October 28, 2025 | | [New security standard](#doc-history) | Security Hub CSPM now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html) that aligns with CIS AWS Foundations Benchmark v5.0.0. This new standard includes 40 existing security controls. The controls perform automated checks that evaluate certain resources for compliance with a subset of the requirements defined by the framework. | October 16, 2025 | | [New third-party integration](#doc-history) | Elastic is a new [third-party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) that can receive findings from Security Hub CSPM. | October 3, 2025 | | [Updates to security standards and controls](#doc-history) | We retired the Redshift.9 and RedshiftServerless.7 controls and removed them from all applicable standards. We retired these controls due to inherent Amazon Redshift limitations that prevented effective remediation of `FAILED` findings for the controls.Previously, these controls applied to the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applied to the [AWS Control Tower service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). | September 24, 2025 | | [Regional availability](#doc-history) | Security Hub CSPM is now available in the Asia Pacific (New Zealand) Region. For a complete list of AWS Regions where Security Hub CSPM is currently available, see [AWS Security Hub endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the *AWS General Reference*. | September 19, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released two new controls for the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html): [CloudFront.16](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-16) and [RDS.46](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-46). | September 3, 2025 | | [Regional availability](#doc-history) | The [AWS Resource Tagging standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) is now available in the Asia Pacific (Thailand) and Mexico (Central) Regions. | August 29, 2025 | | [Updates to security standards and controls](#doc-history) | Due to Amazon Redshift limitations, we are planning to retire the Redshift.9 and RedshiftServerless.7 controls and remove them from all applicable standards on September 15, 2025. Currently, these controls apply to the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applies to the [AWS Control Tower service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). | August 15, 2025 | | [New resource details object in the ASFF](#doc-history) | The [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) now includes a `CodeRepository` resource object. This object provides details about an external code repository that you connected to AWS resources and configured Amazon Inspector to scan for vulnerabilities. | August 1, 2025 | | [Regional availability](#doc-history) | Security Hub CSPM is now available in the Asia Pacific (Taipei) Region. For a complete list of AWS Regions where Security Hub CSPM is currently available, see [AWS Security Hub endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the *AWS General Reference*. | July 23, 2025 | | [New third-party integration](#doc-history) | Dynatrace is a new [third-party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) that can receive findings from Security Hub CSPM. | July 18, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released 13 new controls. Most of the controls support the [AWS Foundational Security Best Practices (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) standard. Some of the controls support [NIST SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) requirements. For the AWS FSBP standard, IDs for the applicable controls are: [CloudFront.15](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-15), [Cognito.2](https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-2), [EC2.180](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-180), [ELB.18](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-18), [MSK.4](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-4), [MSK.5](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-5), [MSK.6](https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-6), [RDS.45](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-45), [Redshift.18](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-18), [S3.25](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-25), [SSM.6](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-6), and [SSM.7](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-7). For NIST SP 800-53 Rev. 5, IDs for the applicable controls are: [Lambda.7](https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-7) and [RDS.45](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-45). | July 15, 2025 | | [Updates to generation of control findings](#doc-history) | To help you track compliance changes, Security Hub CSPM now [updates existing control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html), instead of generating new findings, when there are changes to the compliance status of individual resources. This means that you can use the data provided by individual findings to track compliance changes for particular resources against particular controls. | July 3, 2025 | | [Updates to security standards and controls](#doc-history) | We removed the [IAM.13 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-13) from the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). We also removed the [IAM.17 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-17) from the [NIST SP 800-171 Revision 2 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html). The standards don't explicitly require the checks that these controls provide. We also updated related requirement details for these standards for certain controls that check IAM password policies: IAM.7, and IAM.10 through IAM.17. | June 30, 2025 | | [Updates to finding retention](#doc-history) | Security Hub CSPM now [stores archived findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html) for 30 days instead of 90 days, which can reduce finding noise. For longer-term retention, you can export findings to an S3 bucket by [using a custom action with an Amazon EventBridge rule](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html). | June 20, 2025 | | [Updates to existing managed policies](#doc-history) | Security Hub CSPM added new permission to the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubOrganizationsAccess`. The permission allows the organization management to enable and manage Security Hub and Security Hub CSPM within an organization. Security Hub CSPM also added new permission to the AWS managed policy named `AWSSecurityHubFullAccess`. The permission allows principals to create a service-linked role for Security Hub. | June 18, 2025 | | [Public preview release and a new managed policy for Security Hub](#doc-history) | Public preview release of AWS Security Hub and the [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-security-hub-adv.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-security-hub-adv.html). This release includes a new [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html), `AWSSecurityHubV2ServiceRolePolicy`. The policy allows Security Hub to manage AWS Config rules and Security Hub resources in a customer's organization and on the customer's behalf. Security Hub is in preview release and subject to change. | June 17, 2025 | | [Updates to security standards and controls](#doc-history) | We removed the [IAM.10 control](https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-10) from the [PCI DSS v4.0.1 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). This control checks whether account password policies for IAM users meet minimum requirements, including a minimum password length of 7 characters. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. The IAM.10 control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements. | May 30, 2025 | | [New security standard](#doc-history) | Security Hub CSPM now provides a [security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference-nist-800-171.html) that aligns with the NIST SP 800-171 Revision 2 cybersecurity and compliance framework. This new standard includes more than 60 existing security controls. The controls perform automated checks that evaluate certain AWS services and resources for compliance with a subset of the requirements defined by the framework. | May 29, 2025 | | [Updates to security controls](#doc-history) | Security Hub CSPM rolled back the release of the following control in all AWS Regions: *[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways*. Previously, this control supported the AWS Foundational Security Best Practices (FSBP) standard. | May 8, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released 9 new controls. Most of the controls support the [AWS Foundational Security Best Practices (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) standard. Some of the controls support [NIST SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) requirements. For the AWS FSBP standard, IDs for the applicable controls are: [DocumentDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-6), [RDS.44](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-44), [RedshiftServerless.2](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-2), [RedshiftServerless.3](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-3), [RedshiftServerless.5](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-5), [RedshiftServerless.6](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-6), and RedshiftServerless.7 (later retired). For NIST SP 800-53 Rev. 5, IDs for the applicable controls are: [CloudTrail.10](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-10), [RedshiftServerless.4](https://docs.aws.amazon.com/securityhub/latest/userguide/redshiftserverless-controls.html#redshiftserverless-4), and RedshiftServerless.7 (later retired). | May 7, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released 24 new controls. Most of the controls support the [AWS Foundational Security Best Practices (FSBP)](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) or [AWS Resource Tagging](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) standard. Some of the controls support [NIST SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) requirements. For the AWS FSBP standard, IDs for the applicable controls are: [EC2.173](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-173), [RDS.41](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-41), [RDS.42](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-42), and [SageMaker.8](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-8). For the AWS Resource Tagging standard, IDs for the applicable controls are: [Amplify.1](https://docs.aws.amazon.com/securityhub/latest/userguide/amplify-controls.html#amplify-1), [Amplify.2](https://docs.aws.amazon.com/securityhub/latest/userguide/amplify-controls.html#amplify-2), [Batch.4](https://docs.aws.amazon.com/securityhub/latest/userguide/batch-controls.html#batch-4), [DataSync.2](https://docs.aws.amazon.com/securityhub/latest/userguide/datasync-controls.html#datasync-2), [EC2.174](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-174), [EC2.175](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-175), [EC2.176](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-176), [EC2.177](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-177), [EC2.178](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-178), [EC2.179](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-179), [Redshift.17](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-17), [SageMaker.6](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-6), [SageMaker.7](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-7), [SSM.5](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-5), [Transfer.4](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-4), [Transfer.5](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-5), [Transfer.6](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-6), and [Transfer.7](https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-7). For NIST SP 800-53 Rev. 5, IDs for the applicable controls are: [ECS.17](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-17) and [RDS.42](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-42). | April 16, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released four new controls for the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). The controls are: [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) | March 18, 2025 | | [Updates to security standards and controls](#doc-history) | We removed the [RDS.18 security control](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-18) from the AWS Foundational Security Best Practices standard and automated checks for NIST SP 800-53 Rev. 5 requirements. Since Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC. The control continues to be part of the [AWS Control Tower service-managed standard](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). | March 7, 2025 | | [Updates to control findings](#doc-history) | Security Hub CSPM now generates `WARNING` findings for an enabled control if [resource recording](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-setup-prereqs.html#config-resource-recording) isn't turned on in AWS Config for the type of resource that the control checks. This can help you identify and address potential configuration gaps in your security control checks. | February 25, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released 11 new controls. The controls are: [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) | February 24, 2025 | | [New security controls](#doc-history) | Security Hub CSPM released 37 new controls for the [AWS Resource Tagging Standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html). Security Hub CSPM also released the following new controls: [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) | January 22, 2025 | | [New security control](#doc-history) | Security Hub CSPM released [EC2.172 EC2 VPC Block Public Access settings should block internet gateway traffic](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-172). | January 15, 2025 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available. [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) | December 17, 2024 | | [Security Hub CSPM supports PCI DSS v4.0.1](#doc-history) | Security Hub CSPM now supports v4.0.1 of the Payment Card Industry Data Security Standard (PCI DSS). For more information about the standard and the controls that apply to it, see [PCI DSS in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html). | December 11, 2024 | | [Security Hub CSPM receives GuardDuty attack sequence findings](#doc-history) | Security Hub CSPM now receives attack sequence findings from Amazon GuardDuty Extended Threat Detection. Attack sequence finding details are available in the [Detection](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-detection) object of the AWS Security Finding Format (ASFF). | December 1, 2024 | | [Security Hub CSPM supported in new AWS Region](#doc-history) | Security Hub CSPM is now available in the Asia Pacific (Malaysia) Region. Some security controls have Regional limitations. For a list of controls that aren't available in this Region, see [Regional limits on Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html). | November 22, 2024 | | [Changes to Config.1](#doc-history) | Security Hub CSPM increased the severity of the Config.1 control from `MEDIUM` to `CRITICAL`, and added new status codes and status reasons for failed Config.1 findings. For more information about the changes, see the entry for November 20, 2024 in the [Change log for Security Hub CSPM controls](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-change-log.html). | November 20, 2024 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available. These controls are part of AWS Foundational Security Best Practices and NIST SP 800-53 Rev. 5, and they evaluate whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for an AWS service or AWS resource. [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) | November 15, 2024 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available. [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) | October 18, 2024 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available. [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) | October 3, 2024 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available. [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) Glue.2 (retired) [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) | August 30, 2024 | | [New finding panel](#doc-history) | The [new finding panel](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) on the Security Hub CSPM console helps you quickly take action on findings, review resource details and finding history, and find other pertinent information about a finding. | August 16, 2024 | | [Update to Config.1 control](#doc-history) | The [Config.1 control](https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1) checks whether AWS Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub CSPM added a custom control parameter named `includeConfigServiceLinkedRoleCheck`. By setting this parameter to `false`, you can opt out of checking whether AWS Config uses the service-linked role. | August 15, 2024 | | [Designate a home Region without linked Regions](#doc-history) | You can now create a finding aggregator and establish a home Region without linking any AWS Regions to the home Region. This allows you to enable [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) without specifying linked Regions. | July 25, 2024 | | [Select controls available in more Regions](#doc-history) | The following controls are now available in additional AWS Regions, including US East (N. Virginia) and US East (Ohio). [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) | July 15, 2024 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available: [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) | July 11, 2024 | | [Release of CIS AWS Foundations Benchmark v3.0.0](#doc-history) | Security Hub CSPM released [Center for Internet Security (CIS) AWS Foundations Benchmark v3.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html). The release includes the following new controls, as well as mappings to several existing controls. [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) | May 13, 2024 | | [New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) | The following new Security Hub CSPM controls are available: [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) | May 3, 2024 | | [AWS Resource Tagging Standard](#doc-history) | The [AWS Resource Tagging Standard](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html) from Security Hub CSPM is now generally available, along with new controls that apply to the standard. | April 30, 2024 | | [Update to existing managed policy](#doc-history) | Security Hub CSPM updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AmazonSecurityHubFullAccess` to get pricing details for AWS services and products. | April 24, 2024 | | [In-context configuration of control parameters](#doc-history) | If you use central configuration, you can now configure [control parameters in context](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-in-context.html), from the details page of a control on the Security Hub CSPM console. | March 29, 2024 | | [Update to existing managed policy](#doc-history) | Security Hub CSPM updated the [AWS managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) named `AWSSecurityHubReadOnlyAccess` by adding a `Sid` field. | February 22, 2024 | | [New security control](#doc-history) | The control [[Macie.2] Macie automated sensitive data discovery should be enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html#macie-2) is now available. For Regional limits on this control, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html). | February 19, 2024 | | [Security Hub CSPM available in Canada West (Calgary)](#doc-history) | Security Hub CSPM is now available in Canada West (Calgary). All Security Hub CSPM features are now available in this Region, with the exception of certain security controls. For more information, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html). | December 20, 2023 | | [New security controls](#doc-history) | The following new Security Hub CSPM controls are available: [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) | December 14, 2023 | | [Finding enrichment](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-view-details.html) | Security Hub CSPM added the new finding fields `AwsAccountName`, `ApplicationArn`, and `ApplicationName` to the AWS Security Finding Format (ASFF). | November 27, 2023 | | [Enhancements to Summary dashboard](https://docs.aws.amazon.com/securityhub/latest/userguide/dashboard.html) | You can now access more dashboard widgets on the **Summary** page of the Security Hub CSPM console, save dashboard filter sets to quickly focus on specific security issues, and customize the dashboard layout. | November 27, 2023 | | [Central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) | Central configuration is now available. With central configuration, the Security Hub CSPM delegated administrator can configure Security Hub CSPM, standards, and controls across multiple organization accounts, organizational units (OUs), and Regions. | November 27, 2023 | | [Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy) | Security Hub CSPM added new permissions to the `AWSSecurityHubServiceRolePolicy` managed policy that allow Security Hub CSPM to read and update customizable security control properties. | November 26, 2023 | | [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) | You can now customize parameter values for select Security Hub CSPM controls. This can make findings for a specific control more relevant to your business requirements and security expectations. | November 26, 2023 | | [Updates to managed policies](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) | Security Hub CSPM updated the `AWSSecurityHubFullAccess` and `AWSSecurityHubOrganizationsAccess` managed policies that permit you to use, respectively, Security Hub CSPM features and the integration with AWS Organizations. | November 16, 2023 | | [Existing security controls added to Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) | The following existing Security Hub CSPM controls have been added to Service-Managed Standard: AWS Control Tower. **ACM.2** **AppSync.5** **CloudTrail.6** **DMS.9** **DocumentDB.3** **DynamoDB.3** **EC2.23** **EKS.1** **ElastiCache.3** **ElastiCache.4** **ElastiCache.5** **ElastiCache.6** **EventBridge.3** **KMS.4** **Lambda.3** **MQ.5** **MQ.6** **MSK.1** **RDS.12** **RDS.15** **S3.17** | November 14, 2023 | | [Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy) | Security Hub CSPM added a new tagging permission to the `AWSSecurityHubServiceRolePolicy` managed policy that allows Security Hub CSPM to read resource tags related to findings. | November 7, 2023 | | [New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) | The following new Security Hub CSPM controls are available: [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) | October 10, 2023 | | [Updates to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy) | Security Hub CSPM added new Organizations actions to the `AWSSecurityHubServiceRolePolicy` managed policy that allow Security Hub CSPM to retrieve account and organizational unit (OU) information. We also added new Security Hub CSPM actions that allow Security Hub CSPM to read and update service configurations, including standards and controls. | September 27, 2023 | | [Existing security controls added to Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) | The following existing Security Hub CSPM controls have been added to Service-Managed Standard: AWS Control Tower. [[Athena.1] Athena workgroups should be encrypted at rest](athena-controls.md#athena-1) [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) | September 26, 2023 | | [Consolidated controls view and consolidated control findings available in AWS GovCloud (US)](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#consolidated-control-findings) | Consolidated controls view and consolidated control findings are now available in the AWS GovCloud (US) Region. The **Controls** page of the Security Hub CSPM console shows all your controls across standards. Each control has the same control ID across standards. When you turn on consolidated control findings, you receive a single finding per security check even when a control applies to multiple enabled standards. | September 6, 2023 | | [Consolidated controls view and consolidated control findings available in China Regions](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#consolidated-control-findings) | Consolidated controls view and consolidated control findings are now available in the China Regions. The **Controls** page of the Security Hub CSPM console shows all your controls across standards. Each control has the same control ID across standards. When you turn on consolidated control findings, you receive a single finding per security check even when a control applies to multiple enabled standards. | August 28, 2023 | | [Security Hub CSPM available in Israel (Tel Aviv) Region](https://docs.aws.amazon.com/general/latest/gr/sechub.html) | Security Hub CSPM is now available in Israel (Tel Aviv). All Security Hub CSPM features are now available in this Region, with the exception of certain security controls. For more information, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support). | August 8, 2023 | | [New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) | The following new Security Hub CSPM controls are available: [[Athena.1] Athena workgroups should be encrypted at rest](athena-controls.md#athena-1) [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) | July 28, 2023 | | [New operators for automation rule criteria](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html#automation-rules-criteria-actions) | You can now use CONTAINS and NOT\$1CONTAINS comparison operators for automation rule map and string criteria. | July 25, 2023 | | [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) | Security Hub CSPM now offers automation rules that automatically update findings based on criteria that you specify. | June 13, 2023 | | [New third party integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Snyk is a new third-party integration that sends findings to Security Hub CSPM. | June 12, 2023 | | [Existing security controls added to Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) | The following existing Security Hub CSPM controls have been added to Service-Managed Standard: AWS Control Tower. [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1) [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) | June 12, 2023 | | [New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) | The following new Security Hub CSPM controls are available: [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](s3-controls.md#s3-17) [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) | June 6, 2023 | | [Security Hub CSPM available in Asia Pacific (Melbourne)](https://docs.aws.amazon.com/general/latest/gr/sechub.html) | Security Hub CSPM is now available in Asia Pacific (Melbourne). All Security Hub CSPM features are now available in this Region, with the exception of certain security controls. For more information, see [ Availability of controls by Region](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support). | May 25, 2023 | | [Finding history](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-view-details.html#finding-history) | Security Hub CSPM can now track the history of a finding during the last 90 days. | May 4, 2023 | | [New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) | The following new Security Hub CSPM controls are available: [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) [[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL](elb-controls.md#elb-16) [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) [[S3.15] S3 general purpose buckets should have Object Lock enabled](s3-controls.md#s3-15) | March 29, 2023 | | [Expanded support for consolidated control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-changes-consolidation.html#securityhub-findings-format-consolidated-control-findings) | The [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) now supports consolidated control findings. | March 24, 2023 | | [Security Hub CSPM available in new AWS Regions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support) | Security Hub CSPM is now available in Asia Pacific (Hyderabad), Europe (Spain), and Europe (Zurich). Limits exist on which controls are available in these Regions. | March 21, 2023 | | [Update to managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy) | Security Hub CSPM has updated an existing permission in the `AWSSecurityHubServiceRolePolicy` managed policy. | March 17, 2023 | | [New security controls for NIST 800-53 standard](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) | Security Hub CSPM has added the following security controls, which are applicable to the NIST 800-53 standard: [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15) [[CloudWatch.16] CloudWatch log groups should be retained for a specified time period](cloudwatch-controls.md#cloudwatch-16) [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) **EC2.29 – EC2 instances should be launched in a VPC** (retired) [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14) [[WAF.11] AWS WAF web ACL logging should be enabled](waf-controls.md#waf-11) | March 3, 2023 | | [National Institute of Standards and Technology (NIST) 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) | Security Hub CSPM now supports the NIST 800-53 Rev. 5 standard with more than 200 applicable security controls. | February 28, 2023 | | [Consolidated controls view and control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#consolidated-control-findings) | With the release of consolidated controls view, the **Controls** page of the Security Hub CSPM console shows all your controls across standards. Each control has the same control ID across standards. When you turn on consolidated control findings, you receive a single finding per security check even when a control applies to multiple enabled standards. | February 23, 2023 | | [New security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | The following new Security Hub CSPM controls are available. Some controls have [Regional limitations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support). [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) | February 16, 2023 | | [New ASFF fields](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#control-findings-asff-productfields) | Security Hub CSPM has added ProductFields.ArchivalReasons:0/Description and ProductFields.ArchivalReasons:0/ReasonCode to the AWS Security Finding Format (ASFF). | February 8, 2023 | | [New ASFF fields](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-compliance) | Security Hub CSPM has added Compliance.AssociatedStandards and Compliance.SecurityControlId to the AWS Security Finding Format (ASFF). | January 31, 2023 | | [Vulnerability details now available](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-view-details.html) | You can now see vulnerability details in the Security Hub CSPM console for findings that Amazon Inspector sends to Security Hub CSPM. | January 14, 2023 | | [Security Hub CSPM is available in Middle East (UAE)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html) | Security Hub CSPM is now available in Middle East (UAE). Some controls have Regional limits. | January 12, 2023 | | [Added third-party integration with MetricStream](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM now supports a third-party integration with MetricStream in all Regions except China and AWS GovCloud (US). | January 11, 2023 | | [Increased organizational account limit](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub_limits.html) | Security Hub CSPM now supports up to 11,000 member accounts for each Security Hub CSPM administrator account per Region. | December 27, 2022 | | [ElasticBeanstalk.3 rolled back](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Security Hub CSPM rolled back the control **[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch** from the FSBP standard in all Regions. | December 21, 2022 | | [Security Hub CSPM adds new security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | New Security Hub CSPM controls are available to customers who have enabled the FSBP standard. Some controls have [Regional limitations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support). | December 15, 2022 | | [Guidance on upcoming features](https://docs.aws.amazon.com/securityhub/latest/userguide/prepare-upcoming-features.html) | Security Hub CSPM is planning to release two new features: consolidated controls view and consolidated control findings. These upcoming features may impact existing workflows that rely on control finding fields and values. | December 9, 2022 | | [Amazon Security Lake integration now available](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-security-lake) | Security Lake now integrates with Security Hub CSPM by receiving Security Hub CSPM findings. | November 29, 2022 | | [Support for Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) | Security Hub CSPM supports a new security standard called Service-Managed Standard: AWS Control Tower. AWS Control Tower manages this standard. | November 28, 2022 | | [CIS AWS Foundations Benchmark v1.4.0 now available in China Regions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) | Security Hub CSPM now supports CIS AWS Foundations Benchmark v1.4.0 in the China Regions. | November 18, 2022 | | [Jira Service Management Cloud integration now available](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-atlassian-jira-service-management-cloud) | Jira Service Management Cloud now receives Security Hub CSPM findings in all available Regions, except the China Regions. | November 17, 2022 | | [AWS IoT Device Defender integration now available](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-iot-device-defender) | AWS IoT Device Defender now sends findings to Security Hub CSPM in all available Regions. | November 17, 2022 | | [Support for CIS AWS Foundations Benchmark v1.4.0](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) | Security Hub CSPM now provides security controls that support CIS AWS Foundations Benchmark v1.4.0. This standard is available in all available Regions, except the China Regions. | November 9, 2022 | | [Support for Security Hub CSPM announcements in AWS GovCloud (US)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-announcements.html) | You can now subscribe to Security Hub CSPM announcements with Amazon Simple Notification Service (Amazon SNS) in AWS GovCloud (US-East) and AWS GovCloud (US-West) to receive notifications about Security Hub CSPM. | October 3, 2022 | | [AWS Security Hub CSPM adds a new security control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | The new Security Hub CSPM control **AutoScaling.9** is available to customers who have enabled the FSBP standard. Controls may have [Regional limitations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support). | September 1, 2022 | | [Subscribe to Security Hub CSPM announcements](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-announcements.html) | You can now subscribe to Security Hub CSPM announcements with Amazon Simple Notification Service (Amazon SNS) to receive notifications about Security Hub CSPM. | August 29, 2022 | | [Region expansion for cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) | Cross-Region aggregation is now available for findings, finding updates, and insights across AWS GovCloud (US). | August 2, 2022 | | [New third-party product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Fortinet - FortiCNP is a third-party integration that receives Security Hub CSPM findings, and JFrog is a third-party integration that sends findings to Security Hub CSPM. | July 26, 2022 | | [EC2.27 is retired](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Security Hub CSPM has retired **EC2.27 - Running EC2 Instances should not use key pairs**, a former control in the AWS Foundational Security Best Practices (FSBP) standard. | July 20, 2022 | | [Lambda.2 no longer supports python3.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-lambda-2) | Security Hub CSPM no longer supports python3.6 as a parameter for **Lambda.2 - Lambda functions should use supported runtimes**, a control in the AWS Foundational Security Best Practices (FSBP) standard. | July 19, 2022 | | [AWS Security Hub CSPM adds new security controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | New Security Hub CSPM controls are available to customers who have enabled the FSBP standard. Some controls have [Regional limitations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support). | June 22, 2022 | | [AWS Security Hub CSPM supports a new Region](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-control-support-apsoutheast-3) | Security Hub CSPM is now available in Asia Pacific (Jakarta). Some controls are not available in this Region. | June 7, 2022 | | [Improved integration between AWS Security Hub CSPM and AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-config) | Security Hub CSPM users can see the results of AWS Config rule evaluations as findings in Security Hub CSPM. | June 6, 2022 | | [Added ability to opt out of auto-enabled standards](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html) | For users who have integrated with AWS Organizations, this feature allows you to log into the Security Hub CSPM administrator account and opt new member accounts out of auto-enabled standards. | April 25, 2022 | | [Expanded cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) | Added cross-Region aggregation to control statuses and security scores. | April 20, 2022 | | [CompanyName and ProductName are now top level attributes](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-custom-providers.html#securityhub-custom-providers-bfi-reqs) | Added new top level attributes for setting company and product names associated with custom integrations | April 1, 2022 | | [Added new controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added 5 new controls to the AWS Foundational Security Best Practices standard. | March 31, 2022 | | [Added new resource details objectes to ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added `AwsRdsDbSecurityGroup` resource type to ASFF. | March 25, 2022 | | [Added additional resources details in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added additional details to `AwsAutoScalingScalingGroup`, `AwsElbLoadBalancer`, `AwsRedshiftCluster`, and `AwsCodeBuildProject`. | March 25, 2022 | | [Added new controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added 15 new controls to the AWS Foundational Security Best Practices standard. | March 16, 2022 | | [Added new controls to the AWS Foundational Security Best Practices standard and Payment Card Industry Data Security Standard (PCI DSS)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Amazon OpenSearch Service, Amazon RDS, Amazon EC2, Elastic Load Balancing, and CloudFront to the AWS Foundational Security Best Practices standard. Also added two new controls for OpenSearch Service to the PCI DSS. | February 15, 2022 | | [Added new field to ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added new field: Sample. | January 26, 2022 | | [Added integration with AWS Health](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-health) | AWS Health uses service-to-service event messaging to send findings to Security Hub CSPM. | January 19, 2022 | | [Added integration with AWS Trusted Advisor](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-trusted-advisor) | Trusted Advisor sends the results of its checks to Security Hub CSPM as Security Hub CSPM findings. Security Hub CSPM sends the results of its AWS Foundational Security Best Practices checks to Trusted Advisor. | January 18, 2022 | | [Updated resource details objects in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added `MixedInstancesPolicy` and `AvailabilityZones` to `AwsAutoScalingAutoScalingGroup`. Added `MetadataOptions` to `AwsAutoScalingLaunchConfiguration`. Added `BucketVersioningConfiguration` to `AwsS3Bucket`. | December 20, 2021 | | [Updated output for ASFF documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | The descriptions of ASFF attributes were previously in a single topic. Each top-level object and each resource details object is now in its own topic. The ASFF syntax topic contains links to those topics. | December 20, 2021 | | [Added new resource details objects to ASFF for AWS Network Firewall](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | For AWS Network Firewall, added the following resource details objects: `AwsNetworkFirewallFirewall`, `AwsNetworkFireFirewallPolicy`, and `AwsNetworkFirewallRuleGroup`. | December 20, 2021 | | [Added support for the new version of Amazon Inspector](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-amazon-inspector) | Security Hub CSPM is integrated with the new version of Amazon Inspector as well as with Amazon Inspector Classic. Amazon Inspector sends findings to Security Hub CSPM. | November 29, 2021 | | [Changed the severity of EC2.19](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-19) | The severity of EC2.19 (Security groups should not allow unrestricted access to ports with high risk) is changed from High to Critical. | November 17, 2021 | | [New integration with Sonrai Dig](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM now offers an integration with Sonrai Dig. Sonrai Dig monitors cloud environments to identify security risks. Sonrai Dig sends findings to Security Hub CSPM. | November 12, 2021 | | [Updated check for CIS 2.1 and CloudTrail.1 controls](#doc-history) | In addition to checking that at least one multi-Region CloudTrail trail is in place, CIS 2.1 and CloudTrail.1 now also check that the `ExcludeManagementEventSources` parameter is empty in at least one of the multi-Region CloudTrail trails. | November 9, 2021 | | [Added support for VPC endpoints](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-vpc-endpoints.html) | Security Hub CSPM is now integrated with AWS PrivateLink and supports VPC endpoints. | November 3, 2021 | | [Added controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Elastic Load Balancing (ELB.2 and ELB.8) and AWS Systems Manager (SSM.4). | November 2, 2021 | | [Added ports to the check for the EC2.19 control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-19) | EC2.19 now also checks that security groups do not allow unrestricted ingress access to the following ports: 3000 (Go, Node.js, and Ruby web development frameworks), 5000 (Python web development frameworks), 8088 (legacy HTTP port), and 8888 (alternative HTTP port) | October 27, 2021 | | [Added the integration with Logz.io Cloud SIEM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Logz.io is a provider of Cloud SIEM that provides advanced correlation of log and event data to help security teams to detect, analyze, and respond to security threats in real time. Logz.io receives findings from Security Hub CSPM. | October 25, 2021 | | [Added support for cross-Region aggregation of findings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) | Cross-Region aggregation allows you to view all of your findings without having to change Regions. Administrator accounts choose an aggregation Region and linked Regions. Findings for the administrator account and its member accounts are aggregated from the linked Regions to the aggregation Region. | October 20, 2021 | | [Updated resource details objects in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added viewer certificate details to `AwsCloudFrontDistribution`. Added additional details to `AwsCodeBuildProject`. Added load balancer attributes to `AwsElbV2LoadBalancer`. Added the S3 bucket owner account identifier to `AwsS3Bucket`. | October 8, 2021 | | [Added new resource details objects to ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added the following new resource details objects to ASFF: `AwsEc2VpcEndpointService`, `AwsEcrRepository`, `AwsEksCluster`, `AwsOpenSearchServiceDomain`, `AwsWafRateBasedRule`, `AwsWafRegionalRateBasedRule`, `AwsXrayEncryptionConfig` | October 8, 2021 | | [Removed deprecated runtime from the Lambda.2 control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-lambda-2) | In the AWS Foundational Security Best Practices standard, removed the `dotnetcore2.1` runtime from **[Lambda.2] Lambda functions should use supported runtimes**. | October 6, 2021 | | [New name for Check Point integration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | The integration with Check Point Dome9 Arc is now Check Point CloudGuard Posture Management. The integration ARN did not change. | October 1, 2021 | | [Removed the integration with Alcide](#doc-history) | The integration with Alcide kAudit is discontinued. | September 30, 2021 | | [Changed the severity of EC2.19](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-19) | The severity of **[EC2.19] Security groups should not allow unrestricted access to ports with high risk** is changed from Medium to High. | September 30, 2021 | | [Integration with AWS Organizations is now supported in the China Regions](#doc-history) | The Security Hub CSPM integration with Organizations is now supported in China (Beijing) and China (Ningxia). | September 20, 2021 | | [New AWS Config rule for the S3.1 and PCI.S3.6 controls](#doc-history) | Both S3.1 and PCI.S3.6 verify that the Amazon S3 Block Public Access setting is enabled. The AWS Config rule for these controls is changed from `s3-account-level-public-access-blocks` to `s3-account-level-public-access-blocks-periodic`. | September 14, 2021 | | [Removed deprecated runtimes from the Lambda.2 control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-lambda-2) | In the AWS Foundational Security Best Practices standard, removed the `nodejs10.x` and `ruby2.5` runtimes from **[Lambda.2] Lambda functions should use supported runtimes**. | September 13, 2021 | | [Changed the severity of the CIS 2.2 control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.2) | In the CIS AWS Foundations Benchmark standard, the severity for **2.2. – Ensure CloudTrail log file validation is enabled** is changed from Low to Medium. | September 13, 2021 | | [Updated ECS.1, Lambda.2, and SSM.1 in the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | In the AWS Foundational Security Best Practices standard, ECS.1 now has a `SkipInactiveTaskDefinitions` parameter that is set to `true`. This ensures that the control only checks active task definitions. For Lambda.2, added Python 3.9 to the list of runtimes. SSM.1 now checks both stopped and running instances. | September 7, 2021 | | [PCI.Lambda.2 control now excludes Lambda@Edge resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html) | In the Payment Card Industry Data Security Standard (PCI DSS) standard, the PCI.Lambda.2 control now excludes Lambda@Edge resources. | September 7, 2021 | | [Added the integration with HackerOne Vulnerability Intelligence](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM now offers an integration with HackerOne Vulnerability Intelligence. The integration sends findings to Security Hub CSPM. | September 7, 2021 | | [Updated resource details objects in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | For `AwsKmsKey`, added `KeyRotationStatus`. For `AwsS3Bucket`, added `AccessControlList`, `BucketLoggingConfiguration`, `BucketNotificationConfiguration`, and `BucketWebsiteConfiguration`. | September 2, 2021 | | [Added new resource details objects to ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added the following new resource details objects to ASFF: `AwsAutoScalingLaunchConfiguration`, `AwsEc2VpnConnection`, and `AwsEcrContainerImage`. | September 2, 2021 | | [Added details to the `Vulnerabilities` object in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | In `Cvss` , added `Adjustments` and `Source`. In `VulnerablePackages`, added the file path and package manager. | September 2, 2021 | | [Systems Manager Explorer and OpsCenter integration now supported in the China Regions](#doc-history) | The Security Hub CSPM integration with SSM Explorer and OpsCenter is now supported in China (Beijing) and China (Ningxia). | August 31, 2021 | | [Retiring the Lambda.4 control](#doc-history) | Security Hub CSPM is retiring the control **[Lambda.4] Lambda functions should have a dead-letter queue configured**. When a control is retired, it no longer displays on the console, and Security Hub CSPM does not perform checks against it. | August 31, 2021 | | [Retiring the PCI.EC2.3 control](#doc-history) | Security Hub CSPM is retiring the control **[PCI.EC2.3] Unused EC2 security groups should be removed**. When a control is retired, it no longer displays on the console, and Security Hub CSPM does not perform checks against it. | August 27, 2021 | | [Change to how Security Hub CSPM sends findings to custom actions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html) | When you send findings to a custom action, Security Hub CSPM now sends each finding in a separate **Security Hub Findings - Custom Action** event. | August 20, 2021 | | [Added a new compliance status reason code for custom Lambda runtimes](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#control-findings-asff-compliance) | Added a new `LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE` compliance status reason code. This reason code indicates that Security Hub CSPM could not perform a check against a custom Lambda runtime. | August 20, 2021 | | [AWS Firewall Manager integration now supported in the China Regions](#doc-history) | The Security Hub CSPM integration with Firewall Manager is now supported in China (Beijing) and China (Ningxia). | August 19, 2021 | | [New integrations with Caveonix Cloud and Forcepoint Cloud Security Gateway](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM now offers integrations with Caveonix Cloud and Forcepoint Cloud Security Gateway. Both integrations send findings to Security Hub CSPM. | August 10, 2021 | | [Added new `CompanyName`, `ProductName`, and `Region` attributes to ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added `CompanyName`, `ProductName`, and `Region` fields to the top level of the ASFF. These fields are populated automatically and, except for custom product integrations, cannot be updated using `BatchImportFindings` or `BatchUpdateFindings`. On the console, finding filters use these new fields. In the API, the `CompanyName` and `ProductName` filters use the attributes that are under `ProductFields`. | July 23, 2021 | | [Added and updated resource details objects in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added a new `AwsRdsEventSubscription` resource type and resource details. Added resource details for the `AwsEcsService` resource type. Added attributes to the `AwsElasticsearchDomain` resource details object. | July 23, 2021 | | [Added controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Amazon API Gateway (APIGateway.5), Amazon EC2 (EC2.19), Amazon ECS (ECS.2), Elastic Load Balancing (ELB.7), Amazon OpenSearch Service (ES.5 through ES.8), Amazon RDS (RDS.16 through RDS.23), Amazon Redshift (Redshift.4), and Amazon SQS (SQS.1). | July 20, 2021 | | [Moved a permission within the service-linked role managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy) | Moved the `config:PutEvaluations` permission within the managed policy `AWSSecurityHubServiceRolePolicy`, so that it is applied to all resources. | July 14, 2021 | | [Added controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Amazon API Gateway (APIGateway.4), Amazon CloudFront (CloudFront.5 and CloudFront.6), Amazon EC2 (EC2.17 and EC2.18), Amazon ECS (ECS.1), Amazon OpenSearch Service (ES.4), AWS Identity and Access Management (IAM.21), Amazon RDS (RDS.15), and Amazon S3 (S3.8). | July 8, 2021 | | [Added new compliance status reason codes for control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#control-findings-asff-compliance) | `INTERNAL_SERVICE_ERROR` indicates that an unknown error occurred. `SNS_TOPIC_CROSS_ACCOUNT` indicates that the SNS topic is owned by a different account. `SNS_TOPIC_INVALID` indicates that the associated SNS topic is invalid. | July 6, 2021 | | [Added the integration with Amazon Q Developer in chat applications](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html) | Added the integration with Amazon Q Developer in chat applications. Security Hub CSPM sends findings to Amazon Q Developer in chat applications. | June 30, 2021 | | [Added a new permission to the service-linked role managed policy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubservicerolepolicy) | Added a new permission to the managed policy `AWSSecurityHubServiceRolePolicy` to allow the service-linked role to deliver evaluation results to AWS Config. | June 29, 2021 | | [New and updated resource details objects in the ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added new resource details objects for ECS clusters and ECS task definitions. Updated the EC2 instance object to list the associated network interfaces. Added the client certificate ID for the API Gateway V2 stages. Added the lifecycle configuration for S3 buckets. | June 24, 2021 | | [Updated the calculation of aggregated control statuses and standard security scores](#doc-history) | Security Hub CSPM now calculates the overall control status and standard security score every 24 hours. For administrator accounts, the score now reflects whether each control is enabled or disabled for each account. | June 23, 2021 | | [Updated information about Security Hub CSPM handling of suspended accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-data-retention.html#securityhub-effects-account-suspended) | Added information on how Security Hub CSPM handles accounts that are suspended in AWS. | June 23, 2021 | | [Added tabs to display the enabled and disabled controls for the individual administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-view-controls.html#standard-details-admin-additional-tabs) | For the administrator account, the main tabs on the standard details page contain aggregated information across accounts. The new **Enabled for this account** and **Disabled for this account** tabs list the accounts that are enabled or disabled for the individual administrator account. | June 23, 2021 | | [Added `java8.al2` to the parameters for `Lambda.2`](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-lambda-2) | In the AWS Foundational Security Best Practices standard, added `java8.al2` to the supported runtimes for the `Lambda.2` control. | June 8, 2021 | | [New integrations with MicroFocus ArcSight and NETSCOUT Cyber Investigator](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Added integrations with MicroFocus ArcSight and NETSCOUT Cyber Investigator. MicroFocus ArcSight receives findings from Security Hub CSPM. NETSCOUT Cyber Investigator sends findings to Security Hub CSPM. | June 7, 2021 | | [Added details for `AWSSecurityHubServiceRolePolicy`](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html) | Updated the managed policies section to add details for the existing managed policy `AWSSecurityHubServiceRolePolicy`, which is used by the Security Hub CSPM service-linked role. | June 4, 2021 | | [New integration with Jira Service Management](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | The AWS Service Management Connector for Jira sends findings to Jira and uses them to create Jira issues. When the Jira issues are updated, the corresponding findings in Security Hub CSPM also are updated. | May 26, 2021 | | [Updated the supported controls list for the Asia Pacific (Osaka) Region](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-control-support-apnortheast3) | Updated the CIS AWS Foundations standard and the Payment Card Industry Data Security Standard (PCI DSS) to indicate the controls that are not supported in Asia Pacific (Osaka). | May 21, 2021 | | [New integration with Sysdig Secure for cloud](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Added an integration with Sysdig Secure for cloud. The integration sends findings to Security Hub CSPM. | May 14, 2021 | | [Added controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Amazon API Gateway (APIGateway.2 and APIGateway.3), AWS CloudTrail (CloudTrail.4 and CloudTrail.5), Amazon EC2 (EC2.15 and EC2.16), AWS Elastic Beanstalk (ElasticBeanstalk.1 and ElasticBeanstalk.2), AWS Lambda (Lambda.4), Amazon RDS (RDS.12 – RDS.14), Amazon Redshift (Redshift.7), AWS Secrets Manager (SecretsManager.3 and SecretsManager.4), and AWS WAF (WAF.1). | May 10, 2021 | | [Updates to GuardDuty and Amazon RDS controls](#doc-history) | Changed the severity of `GuardDuty.1` and `PCI.GuardDuty.1` from Medium to High. Added a `databaseEngines` parameter to `RDS.8`. | May 4, 2021 | | [Added new resource details to the ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | In `Resources.Details`, added new resource details objects for Amazon EC2 network ACLs, Amazon EC2 subnets, and AWS Elastic Beanstalk environments. | May 3, 2021 | | [Added console fields to provide filter values for Amazon EventBridge rules](#doc-history) | The new predefined filter patterns for Security Hub CSPM EventBridge rules provide console fields that you can use to specify filter values. | April 30, 2021 | | [Added the integration with AWS Systems Manager Explorer and OpsCenter](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html) | Security Hub CSPM now supports an integration with Systems Manager Explorer and OpsCenter. The integration receives findings from Security Hub CSPM and updates those findings in Security Hub CSPM. | April 26, 2021 | | [New type for product integrations](#doc-history) | A new integration type, `UPDATE_FINDINGS_IN_SECURITY_HUB`, indicates that a product integration updates findings that it receives from Security Hub CSPM. | April 22, 2021 | | [Changed "master account" to "administrator account"](#doc-history) | The term "master account" is changed to "administrator account." The term is also changed in the Security Hub CSPM console and API. | April 22, 2021 | | [Updated APIGateway.1 to replace HTTP with Websocket](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-apigateway-1) | Updated the title, description, and remediation for APIGateway.1. The control now checks for Websocket API execution logging instead of for HTTP API execution logging. | April 9, 2021 | | [Amazon GuardDuty integration now supported in Beijing and Ningxia](#doc-history) | The Security Hub CSPM integration with GuardDuty is now supported in the China (Beijing) and China (Ningxia) Regions. | April 5, 2021 | | [Added `nodejs14.x` to the supported runtimes for Lambda.2 control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-lambda-2) | The Lambda.2 control in the Foundational Security Best Practices standard now supports the `nodejs14.x` runtime. | March 30, 2021 | | [Security Hub CSPM launched in Asia Pacific (Osaka)](#doc-history) | Security Hub CSPM is now available in the Asia Pacific (Osaka) Region. | March 29, 2021 | | [Added finding provider fields to finding details](#doc-history) | On the finding details panel, the new **Finding Provider Fields** section contains the finding provider values for confidence, criticality, related findings, severity, and types. | March 24, 2021 | | [Added option to receive sensitive findings from Amazon Macie](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html) | The integration with Macie can now be configured to send sensitive findings to Security Hub CSPM. | March 23, 2021 | | [Transitioning to AWS Organizations for account management](https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-transition-to-orgs.html) | For customers who have an existing administrator account with member accounts, added new information on how to change from managing accounts by invitation to managing accounts using Organizations. | March 22, 2021 | | [New objects in ASFF for information about Amazon S3 Public Access Block configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | In `Resources`, a new `AwsS3AccountPublicAccessBlock` resource type and details object provides information about the Amazon S3 Public Access Block configuration for accounts. In the `AwsS3Bucket` resource details object, the `PublicAccessBlockConfiguration` object provides the Public Access Block configuration for the S3 bucket. | March 18, 2021 | | [New object in ASFF to allow finding providers to update specific fields](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | The new `FindingProviderFields` object in ASFF is used in `BatchImportFindings` to provide values for `Confidence`, `Criticality`, `RelatedFindings`, `Severity`, and `Types`. The original fields should only be updated using `BatchUpdateFindings`. | March 18, 2021 | | [New `DataClassification` object for resources in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | The new `Resources.DataClassification` object in ASFF is used to provide information about sensitive data that was detected on the resource. | March 18, 2021 | | [Added `CONFIG_RETURNS_NOT_APPLICABLE` value to the available compliance status codes](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html) | For the `NOT_AVAILABLE` compliance status, removed the reason code `RESOURCE_NO_LONGER_EXISTS` and added the reason code `CONFIG_RETURNS_NOT_APPLICABLE`. | March 16, 2021 | | [New managed policy for integration with AWS Organizations](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhuborganizationsaccess) | A new managed policy, `AWSSecurityHubOrganizationsAccess`, provides the Organizations permissions that are needed by the organization management account and the delegated Security Hub CSPM administrator account. | March 15, 2021 | | [Managed policy and service-linked role information moved to the Security chapter](https://docs.aws.amazon.com/securityhub/latest/userguide/security.html) | The information on managed policies is revised and expanded. Both the managed policy information and the information on service-linked roles has moved to the Security chapter. | March 15, 2021 | | [Revised severity for CIS 1.1 and CIS 3.1 – CIS 3.14 controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html) | The severity of the CIS 1.1 and CIS 3.1 – CIS 3.14 controls is changed to Low. | March 3, 2021 | | [Removed the RDS.11 control](#doc-history) | Removed the RDS.11 control from the Foundational Security Best Practices standard. | March 3, 2021 | | [Updated integration for Turbot](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | The Turbot integration is updated to both send and receive findings. | February 26, 2021 | | [Added controls to the Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Amazon API Gateway (APIGateway.1), Amazon EC2 (EC2.9 and EC2.10), Amazon Elastic File System (EFS.2), Amazon OpenSearch Service (ES.2 and ES.3), Elastic Load Balancing (ELB.6), and AWS Key Management Service (AWS KMS) (KMS.3). | February 11, 2021 | | [Added optional `ProductArn` filter to the `DescribeProducts` API](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integrations-view-api) | The `DescribeProducts` API operation now includes an optional `ProductArn` parameter. The `ProductArn` parameter is used to identify the specific product integration to return details for. | February 3, 2021 | | [New integration with Antivirus for Amazon S3 from Cloud Storage Security](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | The integration with Antivirus for Amazon S3 sends the virus scan results to Security Hub CSPM as findings. | January 27, 2021 | | [Updated the security score calculation process for administrator accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-results.html#securityhub-standards-security-score) | For an administrator account, Security Hub CSPM uses a separate process to calculate the security score. The new process ensures that the score includes controls that are enabled for member accounts but disabled for the administrator account. | January 21, 2021 | | [New fields and objects in the ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added a new `Action` object to track actions that occurred against a resource. Added fields to the `AwsEc2NetworkInterface` object to track DNS names and IP addresses. Added a new `AwsSsmPatchCompliance` object to the resource details. | January 21, 2021 | | [Added controls to the Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for Amazon CloudFront (CloudFront.1 through CloudFront.4), Amazon DynamoDB (DynamoDB.1 through DynamoDB.3), Elastic Load Balancing (ELB.3 through ELB.5), Amazon RDS (RDS.9 through RDS.11), Amazon Redshift (Redshift.1 through Redshift.3 and Redshift.6), and Amazon SNS (SNS.1). | January 15, 2021 | | [Workflow status is reset based on the record state or compliance status](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html) | Security Hub CSPM automatically resets the workflow status from `NOTIFIED` or `RESOLVED` to `NEW` if an archived finding is made active, or if the compliance status of a finding changes from `PASSED` to either `FAILED`, `WARNING`, or `NOT_AVAILABLE`. These changes indicate that additional investigation is required. | January 7, 2021 | | [Added `ProductFields` information for control-based findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-results.html#control-findings-asff-productfields) | For findings that are generated from controls, added information about the content of the `ProductFields` object in the AWS Security Finding Format (ASFF). | December 29, 2020 | | [Updates to managed insights](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-managed-insights.html) | Changed the title of insight 5. Added a new insight, 32, that checks for IAM users with suspicious activity. | December 22, 2020 | | [Updates to IAM.7 and Lambda.1 controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | In the AWS Foundational Security Best Practices standard, updated the parameters for IAM.7. Updated the title and description of Lambda.1. | December 22, 2020 | | [Expanded integration with ServiceNow ITSM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | The ServiceNow ITSM integration allows users to automatically create incidents or problems when a Security Hub CSPM finding is received. Updates to these incidents or problems result in updates to the findings in Security Hub CSPM. | December 11, 2020 | | [New integration with AWS Audit Manager](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html) | Security Hub CSPM now offers an integration with AWS Audit Manager. The integration allows Audit Manager to receive control-based findings from Security Hub CSPM. | December 8, 2020 | | [New integration with Aqua Security Kube-bench](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM added an integration with Aqua Security Kube-bench. The integration sends findings to Security Hub CSPM. | November 24, 2020 | | [Cloud Custodian is now available in the China Regions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | The integration with Cloud Custodian is now available in the China (Beijing) and China (Ningxia) Regions. | November 24, 2020 | | [`BatchImportFindings` can now be used to update additional fields](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchimportfindings.html) | Previously, you could not use `BatchImportFindings` to update the `Confidence`, `Criticality`, `RelatedFindings`, `Severity`, and `Types` fields. Now, if these fields have not been updated by `BatchUpdateFindings`, they can be updated by `BatchImportFindings`. Once they are updated by `BatchUpdateFindings`, they cannot be updated by `BatchImportFindings`. | November 24, 2020 | | [Security Hub CSPM is now integrated with AWS Organizations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) | Customers can now manage member accounts using their Organizations account configuration. The organization management account designates the Security Hub CSPM administrator account, who determines which organization accounts to enable in Security Hub CSPM. The manual invitation process can still be used for accounts that are not part of an organization. | November 23, 2020 | | [Removed the separate finding list format for high-volume controls](#doc-history) | The finding list for a control no longer uses the **Findings** page format when there is a very large number of findings. | November 19, 2020 | | [New and updated third-party integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM now supports integrations with cloudtamer.io, 3CORESec, Prowler, and StackRox Kubernetes Security. IBM QRadar no longer sends findings. It only receives findings. | October 30, 2020 | | [Added option to download the list of findings from the control details page.](https://docs.aws.amazon.com/securityhub/latest/userguide/control-finding-list.html#control-finding-list-download) | On the control details page, a new **Download** option allows you to download the finding list to a .csv file. The downloaded list respects any filters that are on the list. If you selected specific findings, then the downloaded list only includes those findings. | October 26, 2020 | | [Added option to download the list of controls from the standard details page.](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-view-controls.html#securityhub-standards-download-controls) | On the standard details page, a new **Download** option allows you to download the control list to a .csv file. The downloaded list respects any filters that are on the list. If you selected a specific control, then the downloaded list only includes that control. | October 26, 2020 | | [New and updated partner integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM is now integrated with ThreatModeler. Updated the following partner integrations to reflect their new product names. Twistlock Enterprise Edition is now Palo Alto Networks - Prisma Cloud Compute. Also from Palo Alto Networks, Demisto is now Cortex XSOAR and Redlock is now Prisma Cloud Enterprise. | October 23, 2020 | | [Security Hub CSPM launched in China (Beijing) and China (Ningxia)](#doc-history) | Security Hub CSPM is now available in the China (Beijing) and China (Ningxia) Regions. | October 21, 2020 | | [Revised format for ASFF attributes and third-party integrations](#doc-history) | The lists of [ASFF attributes](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html) and [partner integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) now use a list-based format instead of tables. The ASFF syntax, attributes, and types taxonomy are now in separate topics. | October 15, 2020 | | [Redesigned standard details page](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-view-controls.html) | The standard details page for an enabled standard now displays a tabbed list of controls. The tabs filter the control list based on the control status. | October 7, 2020 | | [Replaced CloudWatch Events with EventBridge](#doc-history) | Replaced references to Amazon CloudWatch Events with Amazon EventBridge. | October 1, 2020 | | [New integrations with Blue Hexagon for AWS, Alcide kAudit, and Palo Alto Networks VM-Series.](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM is now integrated with Blue Hexagon for AWS, Alcide kAudit, and Palo Alto Networks VM-Series. Blue Hexagon for AWS and kAudit send findings to Security Hub CSPM. VM-Series receives findings from Security Hub CSPM. | September 30, 2020 | | [New and updated resource details objects in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resources) | Added new `Resources.Details` objects for `AwsApiGatewayRestApi`, `AwsApiGatewayStage`, `AwsApiGatewayV2Api`, `AwsApiGatewayV2Stage`, `AwsCertificateManagerCertificate`, `AwsElbLoadBalancer`, `AwsIamGroup`, and `AwsRedshiftCluster`. Added details to the `AwsCloudFrontDistribution`, `AwsIamRole` and `AwsIamAccessKey` objects. | September 30, 2020 | | [New `ResourceRole` attribute for resources in ASFF to track whether a resource is an actor or a target.](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resources) | The `ResourceRole` attribute for resources indicates whether the resource is the target of the finding activity or the perpetrator of the finding activity. The valid values are `ACTOR` and `TARGET`. | September 30, 2020 | | [Added AWS Systems Manager Patch Manager to available AWS service integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html) | AWS Systems Manager Patch Manager is now integrated with Security Hub CSPM. Patch Manager sends findings to Security Hub CSPM when instances in a customer's fleet go out of compliance with their patch compliance standard. | September 22, 2020 | | [Added new controls to the AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls for the following services: Amazon EC2 (EC2.7 and EC2.8), Amazon EMR (EMR.1), IAM (IAM.8), Amazon RDS (RDS.4 through RDS.8), Amazon S3 (S3.6), and AWS Secrets Manager (SecretsManager.1 and SecretsManager.2). | September 15, 2020 | | [New context keys for IAM policy to control access to `BatchUpdateFindings` fields](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html#batchupdatefindings-configure-access) | IAM policies can now be configured to restrict access to fields and field values when using `BatchUpdateFindings`. | September 10, 2020 | | [Expanded access to `BatchUpdateFindings` for member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html) | By default, member accounts now have the same access to `BatchUpdateFindings` as administrator accounts. | September 10, 2020 | | [New controls for AWS KMS in the Foundational Security Best Practices Standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added two new controls (KMS.1 and KMS.2) to the Foundational Security Best Practices Standard. The new controls check whether IAM policies restrict access to AWS KMS decryption actions. | September 9, 2020 | | [Removed account-level findings for controls](#doc-history) | Security Hub CSPM no longer generates account-level findings for a control. Only resource-level findings are generated. | September 1, 2020 | | [New PatchSummary object in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-patchsummary) | Added the `PatchSummary` object to the ASFF. The `PatchSummary` object provides information about the patch compliance of a resource relative to a selected compliance standard. | September 1, 2020 | | [Redesigned control details page](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-control-details.html) | The details page for controls is redesigned. The control finding list provides tabs to allow you to quickly filter the list based on the compliance status. You can also quickly see suppressed findings. Each entry provides access to additional details about the finding resource, AWS Config rule, and finding notes. | August 28, 2020 | | [New filter options for findings](https://docs.aws.amazon.com/securityhub/latest/userguide/findings-filtering-grouping.html) | For finding filters, you can use the **is not** filter to find findings for which a field value is not equal to the filter value. You can use the **does not start with** to find findings for which a field value does not start with the specified filter value. | August 28, 2020 | | [New resource details objects in ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resources) | Added new `Resources.Details` objects for the following resource types: `AwsDynamoDbTable` , `AwsEc2Eip`, `AwsIamPolicy`, `AwsIamUser`, `AwsRdsDbCluster`, `AwsRdsDbClusterSnapshot`, `AwsRdsDbSnapshot`, `AwsSecretsManagerSecret` | August 18, 2020 | | [New integration with RSA Archer](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Security Hub CSPM is now integrated with RSA Archer. RSA Archer receives findings from Security Hub CSPM. | August 18, 2020 | | [New Description field for AwsKmsKey](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resourcedetails-awskmskey) | Added a `Description` field to the `AwsKmsKey` object under `Resources.Details`. | August 18, 2020 | | [Added fields to AwsRdsDbInstance](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resourcedetails-awsrdsdbinstance) | Added several attributes to the `AwsRdsDbInstance` object under `Resources.Details`. | August 18, 2020 | | [Updated how Security Hub CSPM determines the overall status of a control](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-results.html#securityhub-standards-results-status) | For controls that have no findings, the status is **No data** instead of **Unknown**. The control status includes both account-level and resource-level findings. The control status does not use the workflow status of findings, except to ignore suppressed findings. | August 13, 2020 | | [Updated how Security Hub CSPM calculates the security score for a standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-results.html#securityhub-standards-security-score) | When calculating the security score for a standard, Security Hub CSPM now ignores controls with a status of **No Data**. The security score is proportion of passed controls to enabled controls, excluding controls with no data. | August 13, 2020 | | [New option to automatically enable new controls in enabled standards](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-auto-enable.html) | Added a **Settings** option to automatically enable new controls in standards that are enabled. You can also use the `UpdateSecurityHubConfiguration` API operation to configure this option. | July 31, 2020 | | [New controls for the Payment Card Industry Data Security Standard (PCI DSS) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html) | Added new controls to the PCI DSS standard. The identifiers of the new controls are PCI.DMS.1, PCI.EC2.5, PCI.EC2.6, PCI.ELBV2.1, PCI.GuardDuty.1, PCI.IAM.7, PCI.IAM.8, PCI.S3.5, PCI.S3.6, PCI.SageMaker.1, PCI.SSM.2, and PCI.SSM.3. | July 29, 2020 | | [New and updated controls for the Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) | Added new controls to the Foundational Security Best Practices standard. The identifiers of the new controls are AutoScaling.1, DMS.1, EC2.4, EC2.6, S3.5, and SSM.3. Updated the title of ACM.1 and changed the value of the `daysToExpiration` parameter to 30. | July 29, 2020 | | [New `Vulnerabilities` object in the ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-vulnerabilities) | Added the `Vulnerabilities` object, which provides information about vulnerabilities that are associated with the finding. | July 1, 2020 | | [New `Resource.Details` objects in the ASFF for Auto Scaling groups, EC2 volumes, and EC2 VPCs](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resources) | Added the `AwsAutoScalingAutoScalingGroup`, `AWSEc2Volume`, and `AwsEc2Vpc` objects to `Resource.Details`. | July 1, 2020 | | [New `NetworkPath` object in the ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-networkpath) | Added the `NetworkPath` object, which provides information about a network path that is related to the finding. | July 1, 2020 | | [Automatically resolve findings when `Compliance.Status` is `PASSED`](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html) | For findings from controls, if `Compliance.Status` is `PASSED`, then Security Hub CSPM automatically sets `Workflow.Status` to `RESOLVED`. | June 24, 2020 | | [AWS Command Line Interface examples](#doc-history) | Added AWS CLI syntax and examples for several Security Hub CSPM tasks. Includes enabling Security Hub CSPM, managing insights, managing standards and controls, managing product integrations, and disabling Security Hub CSPM. | June 24, 2020 | | [New `Severity.Original` attribute in the ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-severity) | Added the `Severity.Original` attribute, which is the original severity from the finding provider. This replaces the deprecated `Severity.Product` attribute. | May 20, 2020 | | [New `Compliance.StatusReasons` object in the ASFF for details about a control's status](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-compliance) | Added the `Compliance.StatusReasons` object, which provides additional context for the current status of a control. | May 20, 2020 | | [New AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) | Added the new AWS Foundational Security Best Practices standard, which is a set of controls that detect when your deployed accounts and resources deviate from security best practices. | April 22, 2020 | | [New console option to update the workflow status for a finding](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html) | Added information for using the Security Hub console or API to set the workflow status for findings. | April 16, 2020 | | [New `BatchUpdateFindings` API for customer updates to findings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html) | Added information on using `BatchUpdateFindings` to update information related to the process of investigating a finding. `BatchUpdateFindings` replaces `UpdateFindings`, which is deprecated. | April 16, 2020 | | [Updates to the AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added several new resource types. Added a new `Label` attribute to the `Severity` object. `Label` is intended to replace the `Normalized` field. Added a new `Workflow` object to track the process of an investigation into a finding. `Workflow` contains a `Status` attribute, which replaces the existing `Workflowstate` attribute. | March 12, 2020 | | [Updates to the Integrations page](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html) | Updated to reflect the changes to the **Integrations** page. For each integration, the page now shows the integration category and whether each integration sends findings to or receives findings from Security Hub CSPM. It also provides the specific steps required to enable each integration. | February 26, 2020 | | [New third-party product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) | Added the following new product integrations: Cloud Custodian, FireEye Helix, Forcepoint CASB, Forcepoint DLP, Forcepoint NGFW, Rackspace Cloud Native Security, and Vectra.ai Cognito Detect. | February 21, 2020 | | [New security standard for the Payment Card Industry Data Security Standard (PCI DSS)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-pcidss.html) | Added the Security Hub CSPM security standard for the Payment Card Industry Data Security Standard (PCI DSS). When this standard is enabled, Security Hub CSPM performs automated checks against controls related to PCI DSS requirements. | February 13, 2020 | | [Updates to the AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) | Added a field for [related requirements for standards controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-compliance). Added [new resource types and new resource details](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html#asff-resources). The ASFF also now allows you to provide up to 32 resources. | February 5, 2020 | | [New option to disable individual security standard controls](#doc-history) | Added information on how to control whether each individual security standard control is enabled. | January 15, 2020 | | [Updates to Security Hub CSPM concepts](#doc-history) | Updated some descriptions and added new terms to [Security Hub CSPM concepts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-concepts.html). | September 21, 2019 | | [AWS Security Hub CSPM general availability release](#doc-history) | Content updates to reflect improvements made to Security Hub CSPM during the beta period. | June 25, 2019 | | [Added remediation steps for CIS AWS Foundations checks](#doc-history) | Added remediation steps to [Security Standards Supported in AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html). | April 15, 2019 | | [beta release of AWS Security Hub CSPM](#doc-history) | Published the beta release version of the *AWS Security Hub CSPM User Guide*. | November 18, 2018 |