Q: What is AWS Security Hub?
AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Security Hub centralizes and prioritizes security findings from across AWS accounts, services, and supported third-party partners to help you analyze your security trends and identify the highest priority security issues.
Q: What are the key benefits of AWS Security Hub?
AWS Security Hub eliminates the complexity and reduces the effort of managing and improving the security of your AWS accounts and workloads. AWS Security Hub is enabled within a particular region in minutes and the service helps you answer fundamental security questions you may have on a daily basis. Key benefits include:
Save time with centralized and normalized findings - Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate a master account that can see all findings across their accounts.
Improve security with automated checks - Security Hub generates its own findings by running continuous and automated account and resource-level configuration checks against the rules in the supported industry best practices and standards (for example, the CIS AWS Foundations Benchmark).
Quickly take actions on findings - Security Hub aggregates findings into pre-built dashboards that provide bar graphs, line charts, and tables that show you the current security status of your environment as well as trends. Now you can easily identify potential issues, and take the necessary next steps. For example, you can send findings to ticketing, chat, email, or automated remediation systems using integration with Amazon CloudWatch Events.
Q: How much does AWS Security Hub cost?
There are two pricing dimensions for Security Hub: number of security checks per account/region/month and number of finding ingestion events per account/region/month. Pricing is $0.001 per security check per account/region/month for first 100,000 checks; $0.0008 per check for the next 400,000 checks; and $0.0005 per check for above 500,000 checks. There is a perpetual free tier of 10,000 finding ingestion events per account/region/month and the pricing is $0.00003 per finding ingestion event per account/region/month after the first 10,000. Customers are not charged for finding ingestion events generated by Security Hub’s security checks. All accounts and regions will have a 30-day free trial. Please see the AWS Security Hub pricing page for latest pricing information.
Note that AWS Config is required to be enabled in the account(s) using Security Hub. AWS Security Hub security checks use the configuration items recorded by AWS Config. If you are not already using AWS Config, please see the Config pricing page for the latest information on the price per configuration item recorded. There is no additional charge for the AWS Config rules enabled by Security Hub security checks.
Q: Am I charged multiple times for a control that appears in multiple standards?
No. You are only charged once for each time a control is evaluated against a resource (i.e., for each security check) regardless of how many standards the control is linked to.
Q: Is AWS Security Hub a regional or global service?
AWS Security Hub is a regional service. This ensures all findings data analyzed is regionally based and doesn’t cross AWS regional boundaries. Customers must enable Security Hub in each region to view findings in that region.
Q: What regions does AWS Security Hub support?
The regional availability of AWS Security Hub is listed in the AWS Region Table.
Q: What partners work with AWS Security Hub?
There are many technology partners that support the standardized findings format and have integrated with AWS Security Hub. See AWS Security Hub partners.
Getting started with AWS Security Hub
Q: How do I enable AWS Security Hub?
When you open the Security Hub console for the first time, simply choose Get Started, and then choose Enable. AWS Security Hub uses a service-linked role that includes the permissions and trust policy that Security Hub requires to detect and aggregate findings, and to configure the requisite AWS Config infrastructure needed to run security checks. In order for Security Hub to run security checks in an account, you must have the AWS Config recorder enabled in that account. It is also recommended that you first enable AWS Organizations to simplify enabling Security Hub across your organization.
Q: Does AWS Security Hub help manage security across multiple AWS accounts?
Yes, you can manage multiple accounts within a region by configuring the multi-account hierarchy within Security Hub or by importing an existing hierarchy from services like Amazon GuardDuty.
Q: What is a finding?
A finding is a potential security issue. Security Hub aggregates, normalizes, and prioritizes security alerts, or findings, from AWS and third-party services, as well as generating its own findings as the result of running continuous and automated configuration checks. A finding ingestion event is when a new finding is ingested into Security Hub or when a finding update is ingested into Security Hub.
Q: What is an insight?
An insight is a collection of related findings. Security Hub offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify EC2 instances that are missing security patches for important vulnerabilities, or S3 buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your AWS environment.
Q: What is a security standard vs. a control vs. a security check?
A security standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. For example, Security Hub supports the CIS AWS Foundations Benchmark standard, which consists of 43 controls, and 32 PCI DSS requirements across 14 AWS services. Once Security Hub is enabled, it immediately begins running continuous and automated security checks against each control and each relevant resource associated with the control.
Q: What findings sources does AWS Security Hub analyze?
AWS Security Hub analyzes your security alerts, or findings, from these AWS services: Amazon GuardDuty, Amazon Inspector, AWS Firewall Manager, IAM Access Analyzer, and Amazon Macie. In addition, see the list of AWS Security Hub Partner solutions that are integrated with Security Hub and support the standardized findings format.
Q: How are AWS Config and AWS Config rules related to AWS Security Hub?
AWS Security Hub is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly. They are also used by other AWS services, such as AWS Control Tower and AWS Firewall Manager.
Q: When do I use AWS Security Hub and AWS Config conformance packs?
If a compliance standard, such as PCI-DSS, is already present in AWS Security Hub, then the fully managed AWS Security Hub service is the easiest way to operationalize it. You can investigate findings via Security Hub’s integration with Amazon Detective, and you can build automated or semi-automated remediation actions using Security Hub’s Amazon EventBridge integration. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, AWS Config conformance packs are the way to go. AWS Config conformance packs simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the sample AWS Config conformance packs we provide, and customize them as you see fit.
Q: Do both AWS Security Hub and AWS Config conformance packs support continuous monitoring?
Yes, both AWS Security Hub and AWS Config conformance packs support continuous monitoring of compliance, given their reliance on AWS Config and Config rules. The underlying AWS Config rules can be triggered either periodically or upon detecting changes to the configuration of resources. This enables you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.
Q: When do I use AWS Audit Manager and AWS Security Hub?
You should use both because they complement each other. AWS Audit Manager is used by audit and compliance professionals to continuously assess compliance with regulations and industry standards. AWS Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. Security Hub conducts automated security checks aligned to different industry and regulatory frameworks. Audit Manager automatically collects the findings generated by these Security Hub checks as a form of evidence and combines them with other evidence, such as AWS CloudTrail logs, to help customers generate assessment reports. Audit Manager covers a full set of controls in each supported framework, including controls that have automated evidence associated with them and controls that require manual evidence upload, such as the presence of an incident response plan. Security Hub focuses on generating automated evidence via its security checks for a subset of controls in each supported framework in Audit Manager. Controls that require evidence from other AWS services, such as CloudTrail, or manual evidence uploaded by users are not covered by Security Hub.
Working in AWS Security Hub
Q: How can I see what are my most important security issues in AWS Security Hub?
There are multiple ways to see your most important security issues. The Security Hub dashboard provides views on which resources have the most findings, how your volume of security findings is evolving over time, and which insights are generating the most findings. You can go to the insights page and use the managed insights to identify high priority issues. You can also create your own custom insights.
Q: Can Security Hub tell me how I measure against security best practices or security standards?
Yes. Security Hub creates a score to show you how you're doing against security standards and displays it on the main Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.
Q: If I score 100% on a security standard, does that mean that I will pass an audit for that security standard?
No. Security Hub is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub. Security Hub security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.
Q: How can Security Hub prioritize the security data that I need the most?
Security Hub uses two mechanisms to help prioritize findings: insights and security standards. Insights are grouped or correlated findings that help you identify higher priority findings faster. Examples of insights are “Show me all my EC2 instances potentially infected with malware” and “Show me any possible cases of data exfiltration on EC2 instances.”
Security standards are sets of controls that are based on regulatory requirements or best practices. AWS has defined specific security checks that align to the controls within standards. An example of a supported Security Hub standard is the CIS AWS Foundations Benchmark.
Q: How can Security Hub integrate with my existing security operations and remediation processes?
Security Hub supports workflow options by enabling the export of findings via CloudWatch Events. You can use CloudWatch Events to set up integrations with chat systems such as Slack, automated remediation pipelines via Lambda or partner security orchestration tools, SIEMs, and ticketing systems such as ServiceNow.
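The CloudWatch Events / EventBridge export described here and in the "Quickly take actions on findings" benefit above works by matching an event pattern against the ASFF findings carried in each event. The following is an added example, not code from the FAQ or from AWS: it shows a rule pattern that forwards only active, failed, HIGH/CRITICAL findings to a remediation target, together with a deliberately simplified re-implementation of EventBridge matching (exact-value lists only) so the routing decision can be exercised offline against a constructed finding. The event shape (`detail.findings` array) follows the documented Security Hub event format; the pattern fields chosen are an assumption about what a remediation pipeline would want.

```python
"""Route Security Hub findings with an EventBridge-style event pattern.

Assumption (not from the FAQ): each Security Hub event carries a
``detail.findings`` array of ASFF findings. ``matches`` is a simplified
re-implementation of EventBridge matching: pattern leaves are lists of
accepted exact values (no prefix/numeric/anything-but operators).
"""
from typing import Any

# Pattern for an EventBridge rule that forwards only high-impact failures
# (e.g. to a remediation Lambda or a ticketing queue).
REMEDIATION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Compliance": {"Status": ["FAILED"]},
            "RecordState": ["ACTIVE"],
        }
    },
}


def matches(pattern: Any, event: Any) -> bool:
    """A pattern list enumerates accepted values; an event list (such as
    detail.findings) matches when any of its elements matches."""
    if isinstance(pattern, list):
        candidates = event if isinstance(event, list) else [event]
        return any(c in pattern for c in candidates)
    if isinstance(event, list):
        return any(matches(pattern, e) for e in event)
    if not isinstance(event, dict):
        return False
    return all(k in event and matches(v, event[k]) for k, v in pattern.items())


def make_event(label: str, status: str, state: str = "ACTIVE") -> dict:
    """Constructed Security Hub event holding one minimal ASFF finding."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Title": "constructed finding",
            "Severity": {"Label": label},
            "Compliance": {"Status": status},
            "RecordState": state,
        }]},
    }


def should_remediate(event: dict) -> bool:
    """True when the rule would deliver this event to the remediation target."""
    return matches(REMEDIATION_PATTERN, event)
```

Archived findings and PASSED compliance results are dropped by the pattern, which is what keeps a remediation pipeline from acting on stale or already-resolved findings.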
Q: Will Security Hub replace the consoles of our other security services, such as Amazon GuardDuty, Amazon Inspector, or Amazon Macie?
No. Security Hub is complementary and additive to the AWS security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialized features available within each security service.
Q: I deployed the CIS AWS Foundations Benchmark QuickStart, but the Security Hub CIS Security Standard is showing that I am failing some checks, why is that?
The QuickStart solution is designed as a single account and single region template for some hardening controls that cover checks 1.1, 2.1 through 2.7, and 3.1 through 3.14. The QuickStart includes a prerequisite template that deploys a trail in a single region only. Since the CIS checks 1.1, 2.1 through 2.5, 2.7, and 3.1 through 3.14 require a multi-region trail, these checks fail in the Security Hub CIS Security Standard. [Note that the CIS QuickStart solution implements hardening controls for only the following checks: 1.1, 2.1 through 2.7, and 3.1 through 3.14. The remaining checks are not addressed by the CIS QuickStart.] In addition, the QuickStart “Monitoring” checks 3.2, 3.4, 3.5, and 3.8 through 3.14 are implemented using CloudWatch Events instead of CloudWatch metric filters, which also causes failures of these checks in the Security Hub CIS Security Standard.
Q: What are the specific controls of PCI DSS supported by Security Hub?
The Payment Card Industry Data Security Standard (PCI DSS) standard in Security Hub consists of a set of AWS security best practices controls. Each control applies to a specific AWS resource, and relates to one or more PCI DSS version 3.2.1 requirements. Security Hub’s documentation provides details on how Security Hub’s PCI DSS checks map to specific PCI DSS requirements.