Security Hub CSPM recommendations supported by Trusted Remediator - AMS Accelerate User Guide

The following table lists the supported Security Hub CSPM recommendations, the SSM automation documents that remediate them, the preconfigured parameters each document accepts, and the expected outcome of running it. Review the expected outcome against your business requirements so that you understand the possible risks before you enable an SSM automation document for check remediation.

Make sure that Security Hub CSPM is enabled for the account. For more information, see Enabling Security Hub CSPM.

Each entry below gives the check ID and name, the SSM document name and expected outcome, and the supported preconfigured parameters and constraints.

security-hub-IAM-22
  Check: IAM.22: IAM user credentials unused for 45 days should be removed.
  SSM document: AWSManagedServices-TrustedRemediatorDeactivateIamUserUnusedCredentials
  Parameters: DeleteAccessKeys: Set to true to permanently delete unused access keys, or false to deactivate them (making them inactive but recoverable).
  Constraints: No constraints

security-hub-IAM-3
  Check: IAM.3: IAM users' access keys should be rotated every 90 days or less.
  SSM document: AWSManagedServices-TrustedRemediatorRotateIamAccessKeysOlderThan90Days
  Parameters: No preconfigured parameters are allowed.
  Constraints: No constraints

security-hub-IAM-8
  Check: IAM.8: Unused IAM user credentials should be removed.
  SSM document: AWSManagedServices-TrustedRemediatorDeactivateIamUserUnusedCredentials
  Parameters: DeleteAccessKeys: Set to true to permanently delete unused access keys, or false to deactivate them (making them inactive but recoverable).
  Constraints: No constraints

security-hub-networkfirewall-10
  Check: NetworkFirewall.10: Network Firewall firewalls should have subnet change protection enabled.
  SSM document: AWSManagedServices-TrustedRemediatorEnableNetworkFirewallSubnetChangeProtection
  Parameters: No preconfigured parameters are allowed.
  Constraints: No constraints

security-hub-networkfirewall-2
  Check: NetworkFirewall.2: Network Firewall logging should be enabled.
  SSM document: AWSManagedServices-TrustedRemediatorEnableNetworkFirewallCloudWatchLog
  Parameters:
    LogGroupName: The name of the CloudWatch log group to send logs to.
    LogTypes: The types of logs to enable. Valid values are FLOW, ALERT, TLS.
  Constraints: No constraints

security-hub-stepfunctions-1
  Check: StepFunctions.1: Step Functions state machines should have logging turned on.
  SSM document: AWSManagedServices-TrustedRemediatorEnableStepFunctionsLogging
  Parameters:
    LogGroupName: The name of the CloudWatch log group for Step Functions logging.
    LoggingLevel: The logging level for Step Functions. Valid values are ALL, ERROR, FATAL.

security-hub-lambda-7
  Check: Lambda.7: Lambda functions should have AWS X-Ray active tracing enabled.
  SSM document: AWSManagedServices-TrustedRemediatorEnableLambdaXrayActiveTracing
  Parameters: No preconfigured parameters are allowed.
  Constraints: No constraints
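Before enabling the IAM.22, IAM.8 and IAM.3 automations, a practitioner will usually want to see which access keys they would touch and what the DeleteAccessKeys setting changes. The following Python script is an added example for this page; it is not code from the AWSManagedServices-TrustedRemediator SSM documents and does not call AWS. It parses an IAM credential report (a constructed sample in the same column and timestamp format as `aws iam get-credential-report`, trimmed to the access-key columns), flags each active key the three controls would report, and prints the action the matching automation document would take. Assumptions: a fixed evaluation time (NOW) for determinism, strict "more than N days" comparisons, 45 days for IAM.22 and 90 days for IAM.3 as stated on this page, and 90 days for IAM.8, which this page does not state.

```python
"""Pre-check for the IAM.22 / IAM.8 / IAM.3 remediations.

Added example, not the Trusted Remediator SSM document code. Reads an IAM
credential report, flags access keys each control would report, and shows
the action the automation would take for the chosen DeleteAccessKeys value.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Thresholds. 45 and 90 days for IAM.22 and IAM.3 come from the control names
# on this page; 90 days for IAM.8 is an assumption (the page gives no number).
IAM22_UNUSED_DAYS = 45
IAM8_UNUSED_DAYS = 90
IAM3_MAX_KEY_AGE_DAYS = 90

# Values the credential report uses when a date is not available.
_NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Fixed evaluation time so the example is deterministic (assumption).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample report, not real account data. Same header names and
# ISO 8601 timestamps as the real report, trimmed to the access-key columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2024-01-10T09:00:00+00:00,true,2025-05-01T10:00:00+00:00,2025-05-30T08:15:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-02T09:00:00+00:00,true,2024-11-01T10:00:00+00:00,2025-05-20T12:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-09-15T09:00:00+00:00,true,2025-03-01T10:00:00+00:00,2025-03-15T10:00:00+00:00,false,N/A,N/A
dave,arn:aws:iam::111122223333:user/dave,2024-11-30T09:00:00+00:00,false,N/A,N/A,true,2024-12-01T10:00:00+00:00,N/A
erin,arn:aws:iam::111122223333:user/erin,2023-01-01T09:00:00+00:00,false,2024-01-01T10:00:00+00:00,2024-02-01T10:00:00+00:00,false,N/A,N/A
"""


def _parse_date(value: str) -> Optional[datetime]:
    """Parse a credential-report timestamp; None when the report has no date."""
    if value in _NO_DATE:
        return None
    return datetime.fromisoformat(value)


@dataclass(frozen=True)
class KeyFinding:
    user: str
    key_slot: int                 # 1 or 2, matching the access_key_N_* columns
    age_days: int                 # days since last rotation (creation if never rotated)
    idle_days: int                # days since last use; equals age_days if never used
    controls: Tuple[str, ...]     # which of IAM.22, IAM.8, IAM.3 flag this key
    action: str                   # "deactivate", "delete" or "rotate"


def evaluate_keys(report_csv: str, now: datetime, delete_access_keys: bool) -> List[KeyFinding]:
    """Flag active access keys and map them to the automation's action."""
    findings: List[KeyFinding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            # Keys that are already inactive are not active credentials; skip them.
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_date(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue  # active key with no rotation date: nothing to measure
            last_used = _parse_date(row[f"access_key_{slot}_last_used_date"])
            age_days = (now - rotated).days
            # Edge case: a key that was never used has been idle its whole life.
            idle_days = age_days if last_used is None else (now - last_used).days

            controls = []
            if idle_days > IAM22_UNUSED_DAYS:
                controls.append("IAM.22")
            if idle_days > IAM8_UNUSED_DAYS:
                controls.append("IAM.8")
            if age_days > IAM3_MAX_KEY_AGE_DAYS:
                controls.append("IAM.3")
            if not controls:
                continue

            if "IAM.22" in controls or "IAM.8" in controls:
                # DeactivateIamUserUnusedCredentials: DeleteAccessKeys picks the outcome.
                action = "delete" if delete_access_keys else "deactivate"
            else:
                # Only IAM.3: RotateIamAccessKeysOlderThan90Days, which takes no parameters.
                action = "rotate"
            findings.append(KeyFinding(row["user"], slot, age_days, idle_days, tuple(controls), action))
    return findings


def summarize(findings: List[KeyFinding]) -> List[str]:
    """One review line per finding, for reading before enabling the automation."""
    return [f"{f.user} key{f.key_slot}: age={f.age_days}d idle={f.idle_days}d "
            f"controls={','.join(f.controls)} -> {f.action}" for f in findings]


if __name__ == "__main__":
    for line in summarize(evaluate_keys(SAMPLE_REPORT, NOW, delete_access_keys=False)):
        print(line)
```

With DeleteAccessKeys left at false, the unused keys of carol and dave are marked for deactivation (recoverable), bob's key is only old and goes to rotation, and erin's already-inactive key is not reported; rerunning with delete_access_keys=True turns the deactivations into deletions, which is the irreversible outcome to weigh before enabling that parameter.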