AWS Security Hub features
Overview
AWS Security Hub prioritizes your critical security issues and helps you respond at scale. It unifies security operations by centralizing visibility across your enterprise. It detects critical issues by correlating and enriching signals, for example, from threat detection and vulnerability management. This allows you to surface and prioritize active risks in your environment. Security Hub transforms security signals into actionable insights through intuitive visualizations and near real-time risk analytics, so you can make more informed security decisions quickly. For example, it can identify when a publicly exposed resource with a highly exploitable vulnerability also has access to storage with sensitive data.
Security Hub also provides automated response workflows to streamline remediation at scale so you can reduce security risks, improve your team’s productivity, and minimize potential operational disruptions. Security Hub provides more comprehensive visibility into your security posture to help protect your enterprise. It streamlines procurement through a single-vendor experience—one bill, consolidated support, and flexible pricing across AWS and partner solutions.
Unified security capabilities
Security Hub correlates and enriches security findings to prioritize critical security issues across your accounts and AWS Regions. The integrated dashboard provides clear visualizations through customizable widgets showing exposure summaries, threat trends, and security coverage, including near real-time risk analytics and trends. Through automated analysis and risk-based prioritization, you can more quickly understand which issues require immediate attention, helping you make informed decisions about risk remediation in your environment.
Security Hub provides automated correlation and enhanced risk context by analyzing resource associations, potential impact, and relationships between security issues. This automated analysis offers deeper insights into security risks so you can make more informed decisions about which issues to address first. By correlating related threats, vulnerabilities, and misconfigurations, Security Hub surfaces complex security scenarios that might otherwise go unnoticed, helping you enhance your overall security posture.
Security Hub correlates security findings to prioritize the critical issues in your environment. By analyzing signals from services such as Amazon Inspector, AWS Security Hub Cloud Security Posture Management (CSPM), Amazon GuardDuty, and Amazon Macie, Security Hub connects related vulnerabilities, threats, and misconfigurations to help you understand potential exposures. Security Hub automatically generates exposure findings to help you identify, prioritize, and respond to your critical security issues. Through this correlation, you can rapidly triage security issues and understand how different findings combine to create potential attack paths. You can get clear insights into potentially exploitable resources and make confident decisions about which issues to address first, helping you identify complex security scenarios that may be missed when viewing findings in isolation.
Visualize potential attack paths by understanding how an adversary could chain together vulnerabilities and misconfigurations to compromise critical resources. By mapping these connections, Security Hub helps you understand possible routes an adversary could take through your environment and identify which critical resources could be impacted. You can see the scope of a potential compromise, helping you prioritize remediation efforts, protect critical resources more effectively, and disrupt potential attack chains before they can be exploited.
Access a consolidated view of your AWS resources that brings together security posture, configuration details, and application context in one solution. Security Hub resource inventory allows you to see a summarized view of your resources, their configuration, and related security findings without switching between different tools or consoles. You can streamline your security analysis by viewing findings by resource type and filtering based on key security criteria, helping you make informed decisions about where to focus your security efforts.
Track security posture changes through advanced analytics capabilities that identify patterns and trends in your security data across your environment. Security Hub provides pre-built managed insights with visualizations that show trends over time, enabling you to monitor the changes in your security posture and focus on critical areas. You can leverage dashboard widgets to analyze threat trends, exposure patterns, active resources, and security coverage metrics, enabling you to make data-driven decisions for long-term security strategies and demonstrate measurable security improvements to stakeholders.
Simplify your security operations with streamlined pricing across AWS security services and a built-in cost estimation tool. Security Hub consolidates charges under a streamlined pricing model, reducing the complexity of managing multiple service bills and providing predictable resource-based pricing. Use the integrated cost estimator to plan and forecast your security investments across your AWS accounts and Regions before deployment, helping you make informed decisions about your security infrastructure and optimize costs at scale.
Reduce response times with automated workflows that seamlessly integrate with your existing ticketing systems, including Jira Cloud and ServiceNow, helping you streamline remediation at scale. By integrating with your tools and processes, Security Hub lets you focus on responding to security issues rather than managing administrative tasks, improving your overall security posture and operational efficiency.
Security Hub uses the Open Cybersecurity Schema Framework (OCSF), a standardized format for security data, to enable advanced security analytics that help you identify critical issues before they impact your operations. OCSF provides consistent formatting for security findings across various AWS services and partner integrations. By leveraging OCSF, Security Hub seamlessly integrates with your security tools and workflows. This standardized approach enhances your ability to identify patterns, trends, and anomalies across your cloud environment, leading to more effective security management.
Managing security alerts
Security Hub standardizes security data with OCSF to streamline the ingestion and processing of security data from various AWS services and partner integrations. This unified data format enables seamless integration with your existing security tools and workflows. OCSF provides consistent formatting for security findings, including details such as resource identifiers, severity levels, and timestamps, making it easier to search, filter, and correlate security data across your environment.
Security Hub provides centralized deployment and management across AWS Organizations with just a few clicks in the console. By designating an administrator account, your security team can view correlated security findings across all accounts through a single consolidated view, while individual account owners see only findings associated with their account. Integration with AWS Organizations provides unified enablement, allowing you to automatically enable Security Hub for any account in your organization and simplifying security operations at scale.
As part of your unified security solution, designate an aggregator Region to centralize security findings across your accounts and Regions, providing more comprehensive visibility into and simplified management of your security operations. Findings are continuously synced between the Regions so that updates made to a finding in one Region are replicated to other Regions. Your Amazon EventBridge event bus in your administrator account and aggregator Region publishes events for all your findings across all member accounts and linked Regions, which allows you to simplify integrations with ticketing, chat, incident management, logging, and auto-remediation tools by consolidating those integrations into your aggregator Region where events are published.
The advanced analytics capabilities in Security Hub let you filter, group, and create saved searches across your security findings. Leveraging the standardized OCSF format, you can create custom views and insights that help surface critical risks across your environment. For example, you can filter findings to focus on high-severity issues and group them by resource to identify the vulnerable assets. Security Hub provides both pre-packaged managed insights and the ability to create custom insights, helping you identify patterns and trends in your security data. Each insight includes visualizations to show trends over time so you can track the evolution of your security posture and focus on what matters most.
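The two passages above (standardized OCSF fields such as resource identifiers, severity and timestamps, and filtering high-severity findings then grouping them by resource) can be shown concretely. The block below is an added example written for this page; it is not AWS or Security Hub code and does not call the Security Hub API. The finding records are constructed by hand and follow a simplified OCSF-like subset of fields (`severity_id`, `time`, `finding_info`, `metadata.product`, `cloud`, `resources`); treat that layout, and the severity scale (1 Informational through 6 Fatal), as assumptions rather than captured service output. It goes slightly beyond the text by also reporting resources on which findings from more than one product coincide, which is the kind of overlap the page says is worth correlating.

```python
"""Filter, group and route OCSF-style findings (added example, not Security Hub code)."""
from collections import defaultdict
from datetime import datetime, timezone

# OCSF severity_id scale (assumption: standard OCSF values).
OCSF_SEVERITY = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
                 4: "High", 5: "Critical", 6: "Fatal"}

# Constructed sample findings for this example; NOT real Security Hub output.
# Field layout is a simplified OCSF-like subset (assumption).
SAMPLE_FINDINGS = [
    {"finding_info": {"uid": "f-001", "title": "Security group allows 0.0.0.0/0 on port 22"},
     "severity_id": 4, "time": 1700000000000,
     "metadata": {"product": {"name": "Security Hub CSPM"}},
     "cloud": {"account": {"uid": "111111111111"}, "region": "us-east-1"},
     "resources": [{"uid": "i-0aaa", "type": "AwsEc2Instance"}]},
    {"finding_info": {"uid": "f-002", "title": "Critical CVE in installed package"},
     "severity_id": 5, "time": 1700000060000,
     "metadata": {"product": {"name": "Inspector"}},
     "cloud": {"account": {"uid": "111111111111"}, "region": "us-east-1"},
     "resources": [{"uid": "i-0aaa", "type": "AwsEc2Instance"}]},
    {"finding_info": {"uid": "f-003", "title": "S3 bucket contains sensitive data"},
     "severity_id": 3, "time": 1700000120000,
     "metadata": {"product": {"name": "Macie"}},
     "cloud": {"account": {"uid": "222222222222"}, "region": "eu-west-1"},
     "resources": [{"uid": "arn:aws:s3:::example-bucket", "type": "AwsS3Bucket"}]},
    {"finding_info": {"uid": "f-004", "title": "Unusual API calls from instance role"},
     "severity_id": 4, "time": 1700000180000,
     "metadata": {"product": {"name": "GuardDuty"}},
     "cloud": {"account": {"uid": "111111111111"}, "region": "us-east-1"},
     "resources": [{"uid": "i-0aaa", "type": "AwsEc2Instance"}]},
    {"finding_info": {"uid": "f-005", "title": "Log group has no retention period"},
     "severity_id": 2, "time": 1700000240000,
     "metadata": {"product": {"name": "Security Hub CSPM"}},
     "cloud": {"account": {"uid": "222222222222"}, "region": "eu-west-1"},
     "resources": [{"uid": "arn:aws:logs:eu-west-1:222222222222:log-group:app", "type": "AwsLogsLogGroup"}]},
]


def parse_finding(record):
    """Pull out the fields the later steps rely on; raise on malformed input."""
    try:
        sev = int(record["severity_id"])
        return {
            "uid": record["finding_info"]["uid"],
            "title": record["finding_info"]["title"],
            "severity_id": sev,
            "severity": OCSF_SEVERITY.get(sev, "Unknown"),
            # OCSF carries time as epoch milliseconds; normalize to an aware datetime.
            "time": datetime.fromtimestamp(record["time"] / 1000, tz=timezone.utc),
            "product": record["metadata"]["product"]["name"],
            "account": record["cloud"]["account"]["uid"],
            "region": record["cloud"]["region"],
            "resources": [r["uid"] for r in record.get("resources", [])],
        }
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"malformed finding: {exc}") from exc


def filter_findings(findings, min_severity_id=4, account=None, region=None):
    """Saved-search style filter: severity floor plus optional account/Region scope."""
    return [f for f in findings
            if f["severity_id"] >= min_severity_id
            and (account is None or f["account"] == account)
            and (region is None or f["region"] == region)]


def group_by_resource(findings):
    """Map each resource to the finding uids on it, most-affected resource first."""
    groups = defaultdict(list)
    for f in findings:
        for res in f["resources"]:
            groups[res].append(f["uid"])
    return dict(sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def resources_with_multiple_sources(findings):
    """Resources where findings from more than one product coincide: {resource: {products}}."""
    sources = defaultdict(set)
    for f in findings:
        for res in f["resources"]:
            sources[res].add(f["product"])
    return {res: prods for res, prods in sources.items() if len(prods) > 1}


def ticket_payloads(findings, min_severity_id=4):
    """Minimal payload an automation rule would hand to a ticketing system (hypothetical shape)."""
    return [{"summary": f"[{f['severity']}] {f['title']}",
             "finding_uid": f["uid"],
             "resource": ", ".join(f["resources"]),
             "account": f["account"], "region": f["region"],
             "observed_at": f["time"].isoformat()}
            for f in filter_findings(findings, min_severity_id)]


if __name__ == "__main__":
    parsed = [parse_finding(r) for r in SAMPLE_FINDINGS]
    print("High+ findings by resource:", group_by_resource(filter_findings(parsed)))
    print("Resources seen by several products:", resources_with_multiple_sources(parsed))
    for payload in ticket_payloads(parsed):
        print(payload)
```

Running the module prints the high-and-above findings grouped by resource (the EC2 instance with three findings sorts first), the resources that several products reported on, and the ticket payloads an automation rule would forward; the payload shape is illustrative, not the format of any specific Jira or ServiceNow integration.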
Automation and response
Security Hub leverages the standardized OCSF format to enable seamless integration with your existing security tools, including ticketing, chat, incident management, threat investigation, GRC (Governance, Risk and Compliance), SOAR (Security Orchestration, Automation, and Response), and SIEM (Security Information and Event Management) tools. These integrations, combined with automated workflows, help streamline your security operations and enable response at scale.
Curated partner solutions
CrowdStrike — Falcon for Endpoint
CrowdStrike protects the most critical areas of enterprise risk across endpoints, cloud workloads, identity, and data. By unifying next-generation antivirus (NGAV), endpoint detection and response (EDR), and cloud workload protection (CWP), customers gain real-time protection for workstations, servers, VMs, containers, and serverless workloads. AI-powered prevention and indicators of attack (IOAs) stop threats before damage occurs. Continuous event telemetry eliminates visibility gaps, enabling automated detection and response across every major operating system. A single lightweight sensor deploys in minutes, securing AWS, Azure, OCI, and GCP with instant visibility and scalable protection to stop breaches without complexity.
Okta — Workforce Identity for AWS
Okta Workforce Identity Foundations for AWS delivers a unified identity solution to secure employees, contractors, and partners across your cloud ecosystem. By integrating seamlessly with AWS, it eliminates password silos and strengthens your security posture through three core pillars: Single Sign-On (SSO) for centralized application access, Phishing-Resistant MFA for intelligent authentication, and Universal Directory for a single source of truth across AD or HR systems. This foundational package includes Silver Support and five automated Workflows, providing a scalable, secure environment that balances protection with a frictionless user experience for your entire modern workforce.
Britive — Privilege Access Management
Britive Unified Privileged Access Management (PAM) is the native identity security control plane for human, agentic AI, and non-human identities across AWS and multicloud environments. Unlike legacy vault-based solutions that create massive integration overhead, Britive operates without endpoint software or architecture changes, breaking the linear cost curve. Instead of static credentials, Britive enforces zero standing privileges through dynamic, ephemeral access minted precisely at execution. Access automatically revokes when tasks complete, architecting risk out of your environment. The API-first design integrates seamlessly with CI/CD pipelines and AWS infrastructure, applying one common policy across all actors to transform identity into your primary security boundary.
SailPoint — Identity Security Accelerator
SailPoint Identity Security Accelerator is a unified, expert-led solution built for growing organizations navigating the complexity of modern access management. It combines SailPoint Identity Security Cloud Foundations with SailPoint Accelerated Application Management, delivering robust governance fundamentals and prioritized, actionable insights through a rapid, low-friction deployment model. For organizations facing limited budgets, resource gaps, and the complexity of traditional identity solutions, this integrated offering provides immediate control and foundational security without lengthy implementation cycles. It is the ideal choice for cloud-first organizations looking to address critical identity risks and build scalable programs for the future.
Opti — AI-Native Identity
Opti is an AI-native identity platform that continuously monitors, analyzes, and remediates excessive permissions across enterprise environments. Unlike traditional tools that rely on static business data and manual processes, Opti delivers real-time detection and automates remediation of excessive permissions, reducing identity-based risk between audit cycles. Available through AWS Security Hub Extended, Opti integrates directly into your existing security operations with OCSF-compliant findings consolidated in AWS Security Hub – giving IT and security teams control over human, non-human and agentic identities from a single console. Enterprises use Opti to enforce least privilege continuously, accelerate compliance, and eliminate the manual effort of periodic access reviews, so organizations can move beyond detection to remediation.
Proofpoint — Collaboration Protection
Proofpoint Collaboration Protection helps stop email threats before they become compromises. Deployed in under 48 hours, it protects against advanced, targeted attacks while providing an intuitive user experience for managing spam and graymail. Real-time, in-the-moment coaching empowers users to recognize and report suspicious messages. Powered by the Nexus AI threat detection stack — combining threat intelligence, machine learning, relationship graphs, large language models, and computer vision — Proofpoint stops even the most sophisticated threats with 99.999% efficacy. This includes business email compromise (BEC), AI-driven exploits such as hidden prompt injection, ransomware, email bombing, callback phishing, and other advanced social engineering techniques.
Zscaler SSE — Private Access Platform
Zscaler describes ZPA as "the industry's first AI-powered Zero Trust Network Architecture" — a cloud-native solution that delivers zero trust access for all users with direct connectivity to private applications while minimizing the attack surface by hiding apps behind the Zero Trust Exchange, eliminating lateral movement using AI-powered user-to-app segmentation, and protecting against sophisticated attacks with integrated traffic inspection, application and data protection.
Cyera — DSPM + DataWatcher
Cyera Data Security Posture Management (DSPM) delivers actionable data intelligence across IaaS and DBaaS, autonomously discovering and classifying sensitive data, correlating access and exposure risk, and driving prioritized remediation of data security risks at scale. Continuous clarity supports safe AI adoption. For organizations seeking additional help, Cyera Managed Service: DataWatcher is an optional add-on that continuously monitors, optimizes, and operationalizes Cyera's DSPM. Expert-led risk analysis, remediation guidance, and ongoing support accelerate measurable outcomes without adding internal burden. Together, Cyera DSPM and DataWatcher reduce data security risks faster and more effectively.
Island — Safe browsing and AI protection
Island Safe Browsing & AI Protection transforms consumer browsers like Chrome and Edge into secure work environments through a lightweight extension that deploys in minutes and enforces policy locally. There's no traffic backhaul, no infrastructure overhaul, and no disruption to how employees work. Safe Browsing delivers inline URL categorization, real-time malware inspection, and advanced anti-phishing protection that blocks malicious sites, stops harmful downloads, and prevents credential theft. AI Protection provides visibility into AI apps and extensions, with policy controls over prompts and behavior, so employees can use AI confidently without exposing sensitive data or introducing unmanaged risk.
Upwind — Cloud Security
Upwind is a cloud-native application protection solution that leverages runtime context to identify the most critical risks across your cloud infrastructure, helping security teams prioritize accurately and respond faster. Upwind brings together cloud security posture management, cloud detection and response, vulnerability and exposure management, data security, and AI security with real-time protection in AWS, across other clouds, and on-premises.
Noma — AI-SPM + Discovery, Noma Red Teaming, Noma Runtime Protection
Noma is an AI security platform purpose-built for AI and agents. As organizations scale AI adoption across development, deployment, and production, Noma delivers comprehensive visibility, protection, and governance. The platform secures every AI type, including homegrown applications, SaaS agents, and local developer environments. Noma offers three core capabilities: AI Security Posture Management discovers assets and surfaces misconfigurations; Red Teaming tests systems against adversarial attacks before production; and Runtime Protection detects and blocks real-time threats like prompt injection and data exfiltration.
Oligo — AI Runtime Security
Oligo Runtime AI Security protects AI workloads at runtime. Its unified sensor combines AI Security Posture Management (AI-SPM) and AI Detection & Response (AI-DR) to provide continuous visibility into model behavior, supply chain risks, and runtime anomalies across AWS environments. AI-SPM identifies misconfigurations, exposed models, and policy violations before incidents occur. AI-DR monitors agent tool calls and behavior in real-time to detect adversarial manipulation and hallucination. Available through AWS Security Hub Extended, Oligo integrates natively with AWS infrastructure for immediate value with zero operational overhead.
Splunk — Enterprise Security Essentials
Bring together AWS Security Hub with Splunk Enterprise Security Essentials in a unified, AI-powered SecOps solution to deliver a powerful advantage for the SOC. This native integration, available via Security Hub Extended, fuses AWS's high-fidelity insights with Splunk's security monitoring and analytics for increased coverage and streamlined operations across hybrid environments. Splunk elevates AWS security findings as native findings, bypassing complex parsing and surfacing high-priority incidents in near real-time to analysts — significantly reducing mean time to detect (MTTD). Splunk further enriches findings with a proprietary correlation engine, AI, and threat intelligence, seamlessly embedded into unified analyst workflows.
7AI — Agentic Security Platform
7AI delivers autonomous security operations through dynamic AI agents that ingest findings from cloud, identity, endpoint, network, and DLP sources to assess risk, investigate threats, and execute remediation actions. Purpose-built for AWS Security Hub Extended, 7AI natively integrates with Security Hub, GuardDuty, and CloudTrail to autonomously investigate findings, assess blast radius, and take action across AWS environments. AI agents run full investigations in minutes with expert-level reasoning, execute flexible response actions beyond predefined playbooks, optimize detection rules to reduce false positives by up to 95–99%, and proactively hunt for threats.