AWS Security Hub FAQs

General

AWS Security Hub is a cloud security posture management (CSPM) service that performs automated, continuous security best practice checks against your AWS resources to help you identify misconfigurations, and aggregates your security alerts (i.e. findings) in a standardized format so that you can more easily enrich, investigate, and remediate them. 

Security Hub reduces the complexity and effort of managing and improving the security of your AWS accounts, workloads, and resources. You can enable Security Hub across all your accounts and Regions in minutes, and the service helps you answer fundamental security questions you may have on a daily basis. Key benefits include:

  • Detect deviations from security best practices with a single click. Security Hub runs continuous and automated account and resource-level configuration checks against the controls in the AWS Foundational Security Best Practices standard and other supported industry best practices and standards, including CIS AWS Foundations BenchmarkNational Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI DSS). Learn more about supported standards and controls available in Security Hub.
  • Automatically aggregate security findings in a standardized data format from AWS and partner services. Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate an administrator account that can access all findings across their accounts.
  • Accelerate mean time to resolution with automated response and remediation actions. Create custom automated response, remediation, and enrichment workflows using the Security Hub integration with Amazon EventBridge, and other integrations to create Security Orchestration Automation and Response (SOAR) and Security Information and Event Management (SIEM) workflows. You can also use Security Hub Automation Rules to automatically update or suppress findings in near-real time.
  • Visualize the security posture of your AWS-based applications. Customize your Security Hub dashboard according to your specific requirements to more easily identify patterns, vulnerabilities, and threats— leading to faster response. Select and modify the widgets you want to display, apply and save filters to create contextual views by specific criteria, and prioritize the data and view of your organization’s security posture that fits your needs. 

Security Hub is priced along three dimensions: the quantity of security checks, the quantity of finding ingestion events, and the quantity of automation rule evaluations processed per month. With AWS Organizations support, Security Hub allows you to connect multiple AWS accounts and consolidate findings across those accounts to enjoy tiered pricing for your entire organization’s security checks, finding ingestion events, and automation rule evaluations. Security Hub also offers a perpetual free tier of 10,000 finding ingestion events per month. Please see the Security Hub pricing page for latest pricing information.

Security Hub security checks leverage configuration items recorded by AWS Config. AWS Config is required for these security checks, and configuration items are priced separately from Security Hub. Please see AWS Config pricing for details. Security Hub customers are not charged separately for any AWS Config rules enabled by Security Hub. The AWS Config rules enabled by Security Hub are referred to as service-linked rules.

Yes. Every AWS account in each Region that is enabled with Security Hub receives a 30-day free trial. During the trial period, you will have access to all Security Hub features and security checks, and you will get an estimate of your monthly bill if you were to continue using Security Hub across the same accounts and Regions.

No. You are only charged once for each time a control is evaluated against a resource (i.e., for each security check) regardless of how many standards the control is linked to.

Security Hub is a regional service, but supports cross-Region aggregation of findings via designation of an aggregator Region. Customers must enable Security Hub in each Region to view findings in that Region.

The regional availability of Security Hub is listed in the AWS Region Table.

There are many technology partners that support the standardized findings format and have integrated with Security Hub. Visit the AWS Security Hub partners page for details.

Getting started with AWS Security Hub

CSPM is a practice by which to identify misconfiguration issues and compliance risks across workloads, accounts, and resources to maintain your cloud security posture. Security Hub is the AWS service for CSPM that performs security best practice checks, aggregates alerts, and helps enable automated remediation across your AWS accounts, workloads, and resources.

When you open the Security Hub console for the first time, simply choose Get Started, and then choose Enable. Security Hub uses a service-linked role that includes the permissions and trust policy that it requires to detect and aggregate findings, and to configure the requisite AWS Config infrastructure needed to run security checks. Many Security Hub controls require AWS Config to be activated in order to run security checks in an account. It is also recommended that you first enable AWS Organizations to simplify enabling Security Hub across your organization. You can also enable Security Hub via the API, or using the AWS::SecurityHub::Hub resource in AWS CloudFormation.

  • You can manage multiple accounts within a Region and consolidate findings across those accounts by configuring the multi-account hierarchy within Security Hub or by importing an existing hierarchy from services like Amazon GuardDuty. By designating an administrator account, your security team can see consolidated findings for all accounts, while individual account owners see only findings associated with their account.
  • Integration with AWS Organizations allows you to automatically enable any account in your organization with Security Hub and the AWS Foundational Security Best Practices standard.
  • AWS CloudFormation StackSets can help you manage Security Hub across accounts and Regions with a single step. You can designate your entire Organization or a specific Organizational Unit (OU) as the action’s target, which gives new accounts your desired configuration. If you are an existing Security Hub customer, we recommend using the resource import capability in CloudFormation before using any of these capabilities to avoid overriding your current configuration.

A finding is a potential security issue. Security Hub aggregates, normalizes, and prioritizes security alerts, or findings, from AWS and third-party services, as in addition to generating its own findings as the result of running continuous and automated configuration checks. A finding ingestion event is when a new finding is ingested into Security Hub or when a finding update is ingested into Security Hub.

An insight is a collection of related findings. Security Hub offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify Amazon Elastic Compute Cloud (Amazon EC2) instances that are missing security patches for important vulnerabilities, or Amazon Simple Storage Service (Amazon S3) buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your AWS environment.

A security standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. Once Security Hub is enabled, it immediately begins running continuous and automated security checks for each control and against each relevant resource associated with the control. Visit Security Hub standards reference for details on supported standards and related controls.

The AWS Foundational Security Best Practices standard is a set of controls developed by AWS Security collaboration with relevant service teams that have specific AWS product knowledge. These controls detect when your AWS accounts and resources deviate from security best practices. The standard lets you continuously evaluate all of your AWS accounts and workloads to quickly identify areas of deviation from best practices. It provides actionable and prescriptive guidance about how to improve and maintain your organization’s security posture. The controls include security best practices for resources from multiple AWS services, and each control is assigned a category that reflects the security function that it applies to.

Security Hub analyzes your security alerts, or findings, from several AWS services, including: AWS Config, Amazon GuardDuty, AWS Health, Amazon Inspector, AWS Firewall Manager, AWS IAM Access Analyzer, AWS IoT Device Defender, and Amazon Macie. In addition, refer to the list of available third-party partner product integrations that are integrated with AWS Security Hub and support the standardized findings format.

If a compliance standard, such as PCI-DSS, is already present in Security Hub, then the fully-managed Security Hub service is the easiest way to operationalize it. You can investigate findings via the Security Hub integration with Amazon Detective, and you can build automated or semi-automated remediation actions using the Security Hub integration with EventBridge. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, AWS Config conformance packs are the way to go.

AWS Config conformance packs are suggested templates that you can use to simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the AWS Config conformance samples we provide, and customize as you see fit.

Yes, both Security Hub and AWS Config conformance packs support continuous monitoring of compliance. The underlying AWS Config rules can be invoked either periodically or upon detecting changes to the configuration of resources. This allows you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.

You should use both because they complement one another. Audit Manager is used by audit and compliance professionals to continuously assess compliance with regulations and industry standards. Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. Security Hub conducts automated security checks aligned to different industry and regulatory frameworks. Audit Manager automatically collects the findings generated by these Security Hub checks as a form of evidence and combines them with other evidence, such as AWS CloudTrail logs, to help customers generate assessment reports.

Audit Manager covers a full set of controls in each supported framework, including controls that have automated evidence associated with them and controls that require manual evidence upload, such as the presence of an incident response plan.

Security Hub focuses on generating automated evidence via its security checks for a subset of controls in each supported framework in Audit Manager. Controls that require evidence from other AWS services, such as CloudTrail, or manual evidence uploaded by users, are not covered by Security Hub.

AWS Systems Manager is the operations hub for AWS, allowing you to manage your infrastructure with ease. Systems Manager OpsCenter helps IT operators and DevOps engineers diagnose and resolve operational issues related to AWS resources in a central location, and Systems Manager Explorer is an operations dashboard that provides a view of your operations data across your AWS accounts and Regions. Security and compliance professionals and DevOps engineers use Security Hub to continuously monitor and improve the security posture of their AWS accounts and resources.

Most customers separate their security issues (e.g., Amazon S3 buckets publicly accessible or crypto-mining detected on Amazon EC2 instances) and operational issues (e.g., underutilized Amazon Redshift instances or over-utilized Amazon EC2 instances) because security issues are sensitive and typically have different access requirements. As a result, they use Security Hub to understand, manage, and remediate their security issues, and they use Systems Manager to understand, manage, and remediate their operational issues. We also recommend that you use Security Hub for more specialized views into your security posture.

When the same engineers work on both security and operational issues, it can help to consolidate them in a single location. You can do that by opting in for findings to be sent to OpsCenter and Explorer where engineers can investigate and remediate security issues alongside operational issues via Systems Manager Automation runbooks.

AWS Control Tower and Security Hub are complementary services. Security Hub is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. In addition to aggregating security findings and enabling automated remediation, Security Hub also performs security best practice checks against the AWS Foundational Security Best Practices standard and other industry and regulatory standards. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices.
 
AWS Control Tower applies mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), and detect policy violations using AWS Config rules. AWS Control Tower also helps ensure that your default account configurations are in alignment with Security Hub AWS Foundational Security Best Practices.
 
Customers should use the AWS Control Tower preventative guardrails in combination with the security best practice controls in Security Hub, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state. Security Hub and AWS Control Tower are fully integrated, so you can enable over 170 Security Hub detective controls that map to related control objectives directly from AWS Control Tower.

Working in Security Hub

There are multiple ways to see your most important security issues. The Security Hub dashboard provides views on which resources have the most findings, how your volume of security findings is evolving over time, which insights are generating the most findings. You can customize the dashboard to filter and surface the security data that is the most relevant to your organization. You can go to the insights page and use the managed insights to identify high priority issues. You can also create your own custom insights.

Yes. Security Hub creates a score to show you how you're doing against security standards and displays it on the main Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.

No. Security Hub is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub. Security Hub security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.

Yes. Security Hub allows you Security Hub allows you to your security checks to suit your organization's specific needs. This can be done by customizing parameters. For example, you can define what a strong IAM password means, or what should be the maximal period of time to remove unused credentials or stop unused instances.

Security Hub uses two mechanisms to help prioritize findings: insights and security standards. Insights are grouped or correlated findings that help you identify higher-priority findings faster. Examples of insights are “Show me all my Amazon EC2 instances potentially infected with malware” and “Show me any possible cases of data exfiltration on Amazon EC2 instances.”
 
Security standards are sets of controls that are based on regulatory requirements or best practices. AWS has defined specific security checks that align to the controls within standards. Details on the standards that Security Hub supports can be found in the Security Hub documentation.

Security Hub supports workflow options by enabling the export of findings via EventBridge. You can use EventBridge to set up integrations with chat systems such as Slack, automated remediation pipelines via AWS Lambda or partner security orchestration tools, SIEMs, and ticketing systems such as ServiceNow.

No. Security Hub is complementary and additive to these AWS security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialized features available within each security service.

Security Hub supports CIS AWS Foundations Benchmark v1.2.0 and v1.4.0. Security Hub documentation provides details on the specific controls and how each check maps to specific CIS AWS Foundations Benchmark requirements.

NIST SP 800-53 Rev. 5 is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that is part of the U.S. Department of Commerce. Security Hub provides controls that support select NIST SP 800-53 requirements. These controls are evaluated through automated security checks. Security Hub documentation provides details on the specific controls and how each check maps to specific CIS AWS Foundations Benchmark requirements.

The Payment Card Industry Data Security Standard (PCI DSS) in Security Hub consists of a set of AWS security best practices controls. Each control applies to a specific AWS resource and relates to one or more PCI DSS requirements. Security Hub now supports both PCI DSS version 3.2.1 and version 4.0.1. Security Hub documentation provides details on how Security Hub’s PCI DSS checks map to specific PCI DSS requirements.