AWS Security Hub CSPM launches AI Security Best Practices standard with 31 automated controls
Today, AWS Security Hub CSPM announces the AI Security Best Practices standard, a set of 31 automated security controls that detect when your deployed AI resources do not align with security best practices. Developed by AWS security experts, this standard helps you continuously evaluate your Amazon Bedrock, Amazon Bedrock AgentCore, and Amazon SageMaker workloads against recommended security configurations—without requiring manual assessments or custom rule authoring.
The AI Security Best Practices standard covers critical security domains including network isolation, encryption at rest and in transit, VPC placement, KMS key usage, private container registry requirements, and authorization controls. Controls span the breadth of AI infrastructure, from Bedrock AgentCore runtimes, gateways, memory stores, and custom browsers to SageMaker notebook instances, endpoints, models, monitoring jobs, and feature groups. Each control is assigned a security category and generates findings when resources deviate from best practices, enabling security teams to quickly identify and remediate misconfigurations across their AI workloads.
The AI Security Best Practices standard is available in all AWS Regions where Security Hub CSPM is currently available, including AWS GovCloud (US) and the China Regions. The standard identifier is standards/ai-security-best-practices/v/1.0.0. To learn more, see the AWS Security Hub CSPM User Guide. You can also try Security Hub CSPM at no cost for 30 days with the AWS Free Tier.