General
Q: What is AWS Security Hub?
AWS Security Hub is a cloud security posture management (CSPM) service that performs automated, continuous security best practice checks against your AWS resources to help you identify misconfigurations, and aggregates your security alerts (i.e. findings) in a standardized format so that you can more easily enrich, investigate, and remediate them.
Q: What are the key benefits of Security Hub?
Security Hub reduces the complexity and effort of managing and improving the security of your AWS accounts, workloads, and resources. You can enable Security Hub within a particular Region in minutes, and the service helps you answer fundamental security questions you may have on a daily basis. Key benefits include:
- Detect deviations from security best practices with a single click. Security Hub runs continuous and automated account and resource-level configuration checks against the controls in the AWS Foundational Security Best Practices standard and other supported industry best practices and standards, including CIS AWS Foundations Benchmark, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI DSS). Learn more about supported standards and controls available in Security Hub.
- Automatically aggregate security findings in a standardized data format from AWS and partner services. Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate an administrator account that can access all findings across their accounts.
- Accelerate mean time to resolution with automated response and remediation actions. Create custom automated response, remediation, and enrichment workflows using the Security Hub integration with Amazon EventBridge, and other integrations to create Security Orchestration Automation and Response (SOAR) and Security Information and Event Management (SIEM) workflows. You can also use Security Hub Automation Rules to automatically update or suppress findings in near-real time.
Q: How much does Security Hub cost?
Security Hub is priced along three dimensions: the quantity of security checks, the quantity of finding ingestion events, and the quantity of automation rule evaluations processed per month. With AWS Organizations support, Security Hub allows you to connect multiple AWS accounts and consolidate findings across those accounts to enjoy tiered pricing for your entire organization’s security checks, finding ingestion events, and automation rule evaluations. Security Hub also offers a perpetual free tier of 10,000 finding ingestion events per month. Please see the Security Hub pricing page for latest pricing information.
Security Hub security checks leverage configuration items recorded by AWS Config. AWS Config is required for these security checks, and configuration items are priced separately from Security Hub. Please see AWS Config pricing for details. Security Hub customers are not charged separately for any AWS Config rules enabled by Security Hub. The AWS Config rules enabled by Security Hub are referred to as service-linked rules.
Q: Does Security Hub come with a free trial?
Yes. Every AWS account in each Region that is enabled with Security Hub receives a 30-day free trial. During the trial period, you will have access to all Security Hub features and security checks, and you will get an estimate of your monthly bill if you were to continue using Security Hub across the same accounts and Regions.
Q: Am I charged multiple times for a control that appears in multiple standards?
No. You are only charged once for each time a control is evaluated against a resource (i.e., for each security check) regardless of how many standards the control is linked to.
Q: Is Security Hub a regional or global service?
Security Hub is a regional service, but supports cross-Region aggregation of findings via designation of an aggregator Region. Customers must enable Security Hub in each Region to view findings in that Region.
Q: Which Regions does Security Hub support?
The regional availability of Security Hub is listed in the AWS Region Table.
Q: Which partners work with Security Hub?
There are many technology partners that support the standardized findings format and have integrated with Security Hub. Visit the AWS Security Hub partners page for details.
Getting started with AWS Security Hub
Q: What is Cloud Security Posture Management (CSPM)?
CSPM is a practice by which to identify misconfiguration issues and compliance risks across workloads, accounts, and resources to maintain your cloud security posture. Security Hub is the AWS service for CSPM that performs security best practice checks, aggregates alerts, and helps enable automated remediation across your AWS accounts, workloads, and resources.
Q: How do I enable Security Hub?
When you open the Security Hub console for the first time, simply choose Get Started, and then choose Enable. Security Hub uses a service-linked role that includes the permissions and trust policy that it requires to detect and aggregate findings, and to configure the requisite AWS Config infrastructure needed to run security checks. Many Security Hub controls require AWS Config to be activated in order to run security checks in an account. It is also recommended that you first enable AWS Organizations to simplify enabling Security Hub across your organization. You can also enable Security Hub via the
API, or using the
AWS::SecurityHub::Hub resource in AWS CloudFormation.
Q: How does Security Hub help manage security across multiple AWS accounts?
- You can manage multiple accounts within a Region and consolidate findings across those accounts by configuring the multi-account hierarchy within Security Hub or by importing an existing hierarchy from services like Amazon GuardDuty. By designating an administrator account, your security team can see consolidated findings for all accounts, while individual account owners see only findings associated with their account.
- Integration with AWS Organizations allows you to automatically enable any account in your organization with Security Hub and the AWS Foundational Security Best Practices standard.
- AWS CloudFormation StackSets can help you manage Security Hub across accounts and Regions with a single step. You can designate your entire Organization or a specific Organizational Unit (OU) as the action’s target, which gives new accounts your desired configuration. If you are an existing Security Hub customer, we recommend using the resource import capability in CloudFormation before using any of these capabilities to avoid overriding your current configuration.
Q: What is a finding?
A finding is a potential security issue. Security Hub aggregates, normalizes, and prioritizes security alerts, or findings, from AWS and third-party services, as in addition to generating its own findings as the result of running continuous and automated configuration checks. A finding ingestion event is when a new finding is ingested into Security Hub or when a finding update is ingested into Security Hub.
Q: What is an insight?
An insight is a collection of related findings. Security Hub offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify Amazon Elastic Compute Cloud (Amazon EC2) instances that are missing security patches for important vulnerabilities, or Amazon Simple Storage Service (Amazon S3) buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your AWS environment.
Q: What is a security standard vs. a control vs. a security check?
A security standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. Once Security Hub is enabled, it immediately begins running continuous and automated security checks for each control and against each relevant resource associated with the control. Visit
Security Hub standards reference for details on supported standards and related controls.
Q. What is the AWS Foundational Security Best Practices standard?
The
AWS Foundational Security Best Practices standard is a set of controls developed by AWS Security collaboration with relevant service teams that have specific AWS product knowledge. These controls detect when your AWS accounts and resources deviate from security best practices. The standard lets you continuously evaluate all of your AWS accounts and workloads to quickly identify areas of deviation from best practices. It provides actionable and prescriptive guidance about how to improve and maintain your organization’s security posture. The controls include security best practices for resources from multiple AWS services, and each control is assigned a
category that reflects the security function that it applies to.
Q: What findings sources does Security Hub analyze?
Security Hub analyzes your security alerts, or findings, from several
AWS services, including: AWS Config, Amazon GuardDuty, AWS Health, Amazon Inspector, AWS Firewall Manager, AWS IAM Access Analyzer, AWS IoT Device Defender, and Amazon Macie. In addition, refer to the list of
available third-party partner product integrations that are integrated with AWS Security Hub and support the standardized findings format.
Q: How are AWS Config and AWS Config rules related to Security Hub?
Security Hub is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly. They also are used by other AWS services, such AWS Control Tower and AWS Firewall Manager.
Q: When do I use Security Hub and AWS Config conformance packs?
Q: When do I use Security Hub and AWS Config conformance packs?
If a compliance standard, such as PCI-DSS, is already present in Security Hub, then the fully-managed Security Hub service is the easiest way to operationalize it. You can investigate findings via the Security Hub integration with Amazon Detective, and you can build automated or semi-automated remediation actions using the Security Hub integration with EventBridge. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, AWS Config conformance packs are the way to go.
AWS Config conformance packs are suggested
templates that you can use to simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the AWS Config conformance samples we provide, and customize as you see fit.
Q: Do both Security Hub and AWS Config conformance packs support continuous monitoring?
Yes, both Security Hub and AWS Config conformance packs support continuous monitoring of compliance. The underlying AWS Config rules can be invoked either periodically or upon detecting changes to the configuration of resources. This allows you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.
Q: When do I use AWS Audit Manager and Security Hub?
You should use both because they complement one another. Audit Manager is used by audit and compliance professionals to continuously assess compliance with regulations and industry standards. Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. Security Hub conducts automated security checks aligned to different industry and regulatory frameworks. Audit Manager automatically collects the findings generated by these Security Hub checks as a form of evidence and combines them with other evidence, such as AWS CloudTrail logs, to help customers generate assessment reports.
Audit Manager covers a full set of controls in each supported framework, including controls that have automated evidence associated with them and controls that require manual evidence upload, such as the presence of an incident response plan.
Security Hub focuses on generating automated evidence via its security checks for a subset of controls in each supported framework in Audit Manager. Controls that require evidence from other AWS services, such as CloudTrail, or manual evidence uploaded by users, are not covered by Security Hub.
Q: When do I use AWS Systems Manager and Security Hub?
AWS Systems Manager is the operations hub for AWS, allowing you to manage your infrastructure with ease. Systems Manager OpsCenter helps IT operators and DevOps engineers diagnose and resolve operational issues related to AWS resources in a central location, and Systems Manager Explorer is an operations dashboard that provides a view of your operations data across your AWS accounts and Regions. Security and compliance professionals and DevOps engineers use Security Hub to continuously monitor and improve the security posture of their AWS accounts and resources.
Most customers separate their security issues (e.g., Amazon S3 buckets publicly accessible or crypto-mining detected on Amazon EC2 instances) and operational issues (e.g., underutilized Amazon Redshift instances or over-utilized Amazon EC2 instances) because security issues are sensitive and typically have different access requirements. As a result, they use Security Hub to understand, manage, and remediate their security issues, and they use Systems Manager to understand, manage, and remediate their operational issues. We also recommend that you use Security Hub for more specialized views into your security posture.
When the same engineers work on both security and operational issues, it can help to consolidate them in a single location. You can do that by opting in for findings to be sent to OpsCenter and Explorer where engineers can investigate and remediate security issues alongside operational issues via Systems Manager Automation runbooks.
Q: How is AWS Control Tower different from Security Hub?
AWS Control Tower and Security Hub are complementary services. Security Hub is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. In addition to aggregating security findings and enabling automated remediation, Security Hub also performs security best practice checks against the
AWS Foundational Security Best Practices standard and other industry and regulatory standards. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS
best practices.
AWS Control Tower applies mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), and detect policy violations using AWS Config rules. AWS Control Tower also helps ensure that your default account configurations are in alignment with Security Hub AWS Foundational Security Best Practices.
Customers should use the AWS Control Tower preventative guardrails in combination with the security best practice controls in Security Hub, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state. Security Hub and AWS Control Tower are fully integrated, so you can enable over 170 Security Hub detective controls that map to related control objectives directly from AWS Control Tower.
Working in Security Hub
Q: How can I see which are my most important security issues in Security Hub?
There are multiple ways to see your most important security issues. The Security Hub dashboard provides views on which resources have the most findings, how your volume of security findings is evolving over time, which insights are generating the most findings. You can go to the insights page and use the managed insights to identify high priority issues. You can also create your own custom insights.
Q: Can Security Hub tell me how I measure against security best practices or security standards?
Yes. Security Hub creates a score to show you how you're doing against security standards and displays it on the main Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.
Q: If I score 100% on a security standard, does that mean that I will pass an audit for that security standard?
No. Security Hub is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub. Security Hub security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.
Q: How can Security Hub prioritize the security data that I need the most?
Security Hub uses two mechanisms to help prioritize findings: insights and security standards. Insights are grouped or correlated findings that help you identify higher-priority findings faster. Examples of insights are “Show me all my Amazon EC2 instances potentially infected with malware” and “Show me any possible cases of data exfiltration on Amazon EC2 instances.”
Security standards are sets of controls that are based on regulatory requirements or best practices. AWS has defined specific security checks that align to the controls within standards. Details on the standards that Security Hub supports can be found in the
Security Hub documentation.
Q: How can Security Hub integrate with my existing security operations and remediation processes?
Security Hub supports workflow options by enabling the export of findings via EventBridge. You can use EventBridge to set up integrations with chat systems such as Slack, automated remediation pipelines via AWS Lambda or partner security orchestration tools, SIEMs, and ticketing systems such as ServiceNow.
Q: Will Security Hub replace the consoles of our other security services, such as GuardDuty, Inspector, or Macie?
No. Security Hub is complementary and additive to these AWS security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialized features available within each security service.
Q: What are the specific CIS AWS Foundations benchmark controls that Security Hub supports?
Security Hub supports CIS AWS Foundations Benchmark v1.2.0 and v1.4.0.
Security Hub documentation provides details on the specific controls and how each check maps to specific CIS AWS Foundations Benchmark requirements.
Q: What are the specific National Institute of Standards and Technology (NIST) controls that Security Hub supports?
NIST SP 800-53 Rev. 5 is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that is part of the U.S. Department of Commerce. Security Hub provides controls that support select NIST SP 800-53 requirements. These controls are evaluated through automated security checks.
Security Hub documentation provides details on the specific controls and how each check maps to specific CIS AWS Foundations Benchmark requirements.
Q: What are the specific controls of PCI DSS that Security Hub supports?
The Payment Card Industry Data Security Standard (PCI DSS) standard in Security Hub consists of a set of AWS security best practices controls. Each control applies to a specific AWS resource, and relates to one or more PCI DSS version 3.2.1 requirements.
Security Hub documentation provides details on how Security Hub’s PCI DSS checks map to specific PCI DSS requirements.
