Q: What is AWS Security Hub?
AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security industry standards and best practices. Security Hub centralizes and prioritizes security and compliance findings from across AWS accounts, services, and supported third-party partners to help you analyze your security trends and identify the highest priority security issues.
Q: What are the key benefits of AWS Security Hub?
AWS Security Hub eliminates the complexity and reduces the effort of managing and improving the security and compliance of your AWS accounts and workloads. AWS Security Hub can be enabled in a region within minutes, and the service helps you answer the fundamental security and compliance questions you may have on a daily basis. Key benefits include:
Save time with centralized and normalized findings - Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate a master account that can see all findings across their accounts.
Improve compliance with automated checks - Security Hub generates its own findings by running continuous and automated account and resource-level configuration checks against the rules in the supported industry best practices and standards (for example, the CIS AWS Foundations Benchmark).
Quickly take actions on findings - Security Hub aggregates findings into pre-built dashboards that provide bar graphs, line charts, and tables that show you the current security and compliance status of your environment as well as trends. Now you can easily identify potential issues, and take the necessary next steps. For example, you can send findings to ticketing, chat, email, or automated remediation systems using integration with Amazon CloudWatch Events.
Q: How much does AWS Security Hub cost?
There are two pricing dimensions for Security Hub: the number of compliance checks per account/region/month and the number of finding ingestion events per account/region/month. Pricing is $0.001 per compliance check per account/region/month for the first 100,000 checks; $0.0008 per check for the next 400,000 checks; and $0.0005 per check for checks above 500,000. There is a perpetual free tier of 10,000 finding ingestion events per account/region/month, and the pricing is $0.00003 per finding ingestion event per account/region/month after the first 10,000. Customers are not charged for finding ingestion events generated by Security Hub’s compliance checks. All accounts and regions will have a 30-day free trial. Please see the AWS Security Hub pricing page for the latest pricing information.
Note that AWS Config is required to be enabled in the account(s) using Security Hub. AWS Security Hub compliance checks use the configuration items recorded by AWS Config. If you are not already using AWS Config, please see the Config pricing page for the latest information on the price per configuration item recorded. There is no additional charge for the AWS Config rules enabled by Security Hub compliance checks.
Q: Is AWS Security Hub a regional or global service?
AWS Security Hub is a regional service. This ensures all findings data analyzed is regionally based and doesn’t cross AWS regional boundaries. Customers must enable Security Hub in each region to view findings in that region.
Q: What regions does AWS Security Hub support?
The regional availability of AWS Security Hub is listed here: AWS Region Table
Q: What partners work with AWS Security Hub?
There are many technology partners that support the standardized findings format and have integrated with AWS Security Hub. See AWS Security Hub partners.
Getting started with AWS Security Hub
Q: How do I enable AWS Security Hub?
When you open the Security Hub console for the first time, simply choose Get Started, and then choose Enable. AWS Security Hub uses a service-linked role that includes the permissions and trust policy that Security Hub requires to detect and aggregate findings, and to configure the requisite AWS Config infrastructure needed to run compliance checks. In order for Security Hub to run compliance checks in an account, you must have AWS Config enabled in that account.
Q: Does AWS Security Hub help manage security across multiple AWS accounts?
Yes, you can manage multiple accounts within a region by configuring the multi-account hierarchy within Security Hub or by importing an existing hierarchy from services like Amazon GuardDuty.
Q: What is a finding?
A finding is a potential security issue. Security Hub aggregates, normalizes, and prioritizes security alerts, or findings, from AWS and third-party services, as well as generating its own findings as the result of running continuous and automated configuration checks. A finding ingestion event is when a new finding is ingested into Security Hub or when a finding update is ingested into Security Hub.
Q: What is an insight?
An insight is a collection of related findings. Security Hub offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify EC2 instances that are missing security patches for important vulnerabilities, or S3 buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your AWS environment.
Q: What is a compliance standard vs. a control vs. a compliance check?
A compliance standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub conducts automated compliance checks against controls. Each compliance check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a compliance check is performed against each resource. For example, Security Hub supports the CIS AWS Foundations Benchmark standard, which consists of 43 controls. Once Security Hub is enabled, it immediately begins running continuous and automated compliance checks against each control and each relevant resource associated with the control.
Q: What findings sources does AWS Security Hub analyze?
AWS Security Hub analyzes your security alerts, or findings, from these AWS services: Amazon GuardDuty, Amazon Inspector, and Amazon Macie. In addition, see the list of AWS Security Hub Partner solutions that are integrated with Security Hub and support the standardized findings format.
Working in AWS Security Hub
Q: How can I see what are my most important security issues in AWS Security Hub?
There are multiple ways to see your most important security issues. The Security Hub dashboard provides views on which resources have the most findings, how your volume of security findings is evolving over time, and which insights are generating the most findings. You can go to the insights page and use the managed insights to identify high priority issues. You can also create your own custom insights.
Q: Can Security Hub tell me how I measure against security best practices or compliance standards?
Yes. Security Hub creates a score to show you how you're doing against compliance standards and displays it on the main Security Hub dashboard. When you click through to the compliance standard, you will see a summary of the controls that need attention. Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.
Q: If I score 100% on a compliance standard, does that mean that I will pass an audit for that compliance standard?
No. Security Hub is focused on automated compliance checks. Most compliance standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub. Security Hub compliance checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the compliance standard.
Q: How can Security Hub prioritize the security data that I need the most?
Security Hub uses two mechanisms to help prioritize findings: insights and compliance standards. Insights are grouped or correlated findings that help you identify higher priority findings faster. Examples of insights are “Show me all my EC2 instances potentially infected with malware” and “Show me any possible cases of data exfiltration on EC2 instances.”
Compliance standards are sets of controls that are based on regulatory requirements or best practices. AWS has defined specific compliance checks that align to the controls within standards. An example of a supported Security Hub standard is the CIS AWS Foundations Benchmark.
Q: How can Security Hub integrate with my existing security operations and remediation processes?
Security Hub supports workflow options by enabling the export of findings via CloudWatch Events. You can use CloudWatch Events to set up integrations with chat systems such as Slack, automated remediation pipelines via Lambda or partner security orchestration tools, SIEMs, and ticketing systems such as ServiceNow.
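The CloudWatch Events export described here and under "Quickly take actions on findings" above, as an added example that is not AWS's code: a rule pattern matching findings Security Hub imports, and a Lambda-style handler that routes each AWS Security Finding Format (ASFF) finding to a ticket, a chat channel, or nothing. The routing targets, the account id and the resource ARNs are constructed placeholders; the event source, detail-type and ASFF field names are the ones Security Hub emits.

```python
# Pattern a CloudWatch Events rule would use to match imported findings.
# source / detail-type are the values Security Hub emits; restricting to
# HIGH and CRITICAL severity is our own choice for this example.
SECURITY_HUB_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

def route_finding(finding):
    """Decide where one ASFF finding goes: 'ticket', 'chat' or 'ignore'.

    Only ASFF fields are read: Severity.Label, Compliance.Status, RecordState,
    Title and Resources. The three destinations are hypothetical stand-ins
    for a ticketing system, a chat channel and a no-op.
    """
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    state = finding.get("RecordState", "ACTIVE")
    compliance = finding.get("Compliance", {}).get("Status")
    resources = [r.get("Id", "?") for r in finding.get("Resources", [])]
    summary = f"[{severity}] {finding.get('Title', 'untitled')} -> {', '.join(resources)}"
    if state == "ARCHIVED":            # finding no longer active: nothing to do
        return ("ignore", summary)
    if severity in ("HIGH", "CRITICAL") or compliance == "FAILED":
        return ("ticket", summary)      # needs tracked remediation
    if severity == "MEDIUM":
        return ("chat", summary)        # worth a human glance, not a ticket
    return ("ignore", summary)

def handler(event, context=None):
    """Lambda-style entry point for a 'Security Hub Findings - Imported' event."""
    if event.get("source") != "aws.securityhub":
        return []
    return [route_finding(f) for f in event.get("detail", {}).get("findings", [])]

# Constructed sample event: shape follows the Security Hub event, values are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Title": "EC2 instance allows unrestricted SSH", "Severity": {"Label": "HIGH"},
         "RecordState": "ACTIVE", "Compliance": {"Status": "FAILED"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-example"}]},
        {"Title": "Root account MFA enabled", "Severity": {"Label": "LOW"},
         "RecordState": "ARCHIVED", "Compliance": {"Status": "PASSED"},
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    ]},
}

if __name__ == "__main__":
    for destination, line in handler(SAMPLE_EVENT):
        print(destination, line)
```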
Q: Will Security Hub replace the consoles of our other security services, such as Amazon GuardDuty, Amazon Inspector, or Amazon Macie?
No. Security Hub is complementary and additive to the AWS security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialized features available within each security service.
Q: I deployed the CIS AWS Foundations Benchmark QuickStart, but the Security Hub CIS Compliance Standard is showing that I am failing some checks, why is that?
The QuickStart solution is designed as a single-account, single-region template for some hardening controls that cover checks 1.1, 2.1 through 2.7, and 3.1 through 3.14. The QuickStart includes a prerequisite template that deploys a trail in a single region only. Since the CIS checks 1.1, 2.1 through 2.5, 2.7, and 3.1 through 3.14 require a multi-region trail, these checks fail in the Security Hub CIS Compliance Standard. [Note that the CIS QuickStart solution implements hardening controls for only the following checks: 1.1, 2.1 through 2.7, and 3.1 through 3.14. The remaining checks are not addressed by the CIS QuickStart.] In addition, the QuickStart “Monitoring” checks 3.2, 3.4, 3.5, and 3.8 through 3.14 are implemented using CloudWatch Events instead of CloudWatch metric filters, which also causes failures of these checks in the Security Hub CIS Compliance Standard.
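The two preconditions this answer describes, a multi-region trail and a metric filter paired with an alarm on the trail's log group, can be checked before looking at the Security Hub score. The following is an added example, not AWS's or the QuickStart's code; its inputs are constructed offline in the shapes boto3 returns from cloudtrail.describe_trails(), logs.describe_metric_filters() and cloudwatch.describe_alarms(), and the account id, trail names and filter pattern are sample values.

```python
def find_multi_region_trails(trails):
    """Names of trails with IsMultiRegionTrail set, which CIS 2.x/3.x checks expect."""
    return [t["Name"] for t in trails if t.get("IsMultiRegionTrail") is True]

def log_group_name(trail):
    """Extract the log group name from arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*"""
    arn = trail.get("CloudWatchLogsLogGroupArn", "")
    return arn.split(":log-group:")[1].split(":")[0] if ":log-group:" in arn else None

def metric_filters_with_alarms(trail, metric_filters, alarms):
    """Metric filters on the trail's log group whose metric has a CloudWatch alarm.
    CIS 3.x checks need this filter + alarm pair; a CloudWatch Events rule alone
    (what the QuickStart deploys) does not satisfy them."""
    group = log_group_name(trail)
    alarmed = {a["MetricName"] for a in alarms}
    return [f["filterName"] for f in metric_filters
            if f.get("logGroupName") == group
            and any(t["metricName"] in alarmed for t in f.get("metricTransformations", []))]

def evaluate(trails, metric_filters, alarms):
    """Per trail: does it satisfy both preconditions the CIS checks rely on?"""
    multi = set(find_multi_region_trails(trails))
    return {t["Name"]: {"multi_region": t["Name"] in multi,
                        "alarmed_filters": metric_filters_with_alarms(t, metric_filters, alarms)}
            for t in trails}

# Constructed sample: a single-region trail like the QuickStart's, and a multi-region trail
# whose log group carries one metric filter + alarm pair. Values are placeholders.
TRAILS = [
    {"Name": "quickstart-trail", "IsMultiRegionTrail": False, "HomeRegion": "us-east-1",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:qs-trail-logs:*"},
    {"Name": "org-trail", "IsMultiRegionTrail": True, "HomeRegion": "us-east-1",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:org-trail-logs:*"},
]
METRIC_FILTERS = [
    {"filterName": "UnauthorizedAPICalls", "logGroupName": "org-trail-logs",
     "filterPattern": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
     "metricTransformations": [{"metricName": "UnauthorizedAPICalls",
                                "metricNamespace": "CISBenchmark", "metricValue": "1"}]},
]
ALARMS = [{"AlarmName": "unauthorized-api-calls", "MetricName": "UnauthorizedAPICalls"}]

if __name__ == "__main__":
    for name, result in evaluate(TRAILS, METRIC_FILTERS, ALARMS).items():
        print(name, result)
```

Trails where multi_region is False or alarmed_filters is empty are the ones whose CIS 2.x/3.x checks will show as failing for the reasons above.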