Automated, continuous security best practice checks
Security Hub provides you with a set of automated security controls called the AWS Foundational Security Best Practices standard. This is a highly curated set of security best practices vetted by our AWS security experts that run either continuously, whenever the associated resources change, or on a set periodic schedule. Each control has a specific severity score to help you prioritize your remediation efforts. We recommend that this standard be enabled across all accounts and Regions, and we are continuously updating it with new controls and additional service coverage.
Consolidated findings across AWS services and partner integrations
Security Hub automatically collects and consolidates findings from the AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager. AWS Security Hub also consolidates findings from dozens of integrated AWS Partner Network (APN) security solutions. All findings are stored in Security Hub for 90 days after their last update date.
A single, standardized data format for all of your findings
Traditionally, when combining security alerts into a single system, you would need to parse and normalize each data source to get it into a common format for search, analytics, and response and remediation actions. Security Hub eliminates these time-consuming and resource-intensive processes by introducing the AWS Security Finding Format (ASFF). With the ASFF, all of Security Hub's integration partners (both AWS services and external partners) send their findings to Security Hub in a well-typed JSON format consisting of over 1,000 available fields. This means that all of your security findings are normalized before they are ingested into Security Hub, and you don't need to do any parsing or normalization yourself. The findings identify resources, severities, and timestamps in a consistent way, so that you can more easily search and take action on them.
Security standards aligned to regulatory and industry compliance frameworks
In addition to the AWS Foundational Security Best Practices standard, Security Hub also offers additional standards aligned to industry and regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Center for Internet Security (CIS) AWS Foundations Benchmark. These standards are also powered by continuous, automated security checks, and you only pay once for a security check regardless of how many standards it is mapped to.
Automated response, remediation, and enrichment actions
You can create custom automated response, remediation, and enrichment workflows using Security Hub's integration with Amazon EventBridge. All Security Hub findings are automatically sent to EventBridge, and you can create EventBridge rules that have AWS Lambda functions, AWS Step Functions state machines, or AWS Systems Manager Automation runbooks as their targets. These functions or runbooks can automatically enrich findings with additional data or take automated response and remediation actions on the findings. Security Hub also supports sending findings to EventBridge on demand via custom actions, so that an analyst can decide when to trigger an automated response or remediation action. The Security Hub Automated Response and Remediation (SHARR) solution provides prepackaged EventBridge rules that you deploy via AWS CloudFormation.
Multi-account and AWS Organizations support
You can connect multiple AWS accounts and consolidate findings across those accounts with a few clicks in the AWS Security Hub console. By designating an administrator account, you can enable your security team to see consolidated findings for all accounts, while individual account owners see only findings associated with their account. Integration with AWS Organizations allows you to automatically enable any account in your organization with Security Hub and the AWS Foundational Security Best Practices standard.
Integrations with ticketing, chat, incident management, investigation, GRC, SOAR, and SIEM tools
In addition to integrating with dozens of AWS security services and partner products that send findings to Security Hub, Security Hub also integrates with various ticketing, chat, incident management, threat investigation, Governance, Risk and Compliance (GRC), Security Orchestration, Automation and Response (SOAR), and Security Information and Event Management (SIEM) tools that can automatically receive findings from Security Hub. These integrations include AWS services such as Amazon Detective (threat investigation) and AWS Audit Manager (GRC) and partner tools such as Splunk, Slack, PagerDuty, Sumo Logic, ServiceNow ITSM, and Atlassian's Jira Service Management. The integrations with ServiceNow and Jira are bidirectional, so that any updates to tickets are synced back to the findings in Security Hub.
Security scores and summary dashboards
Security Hub provides a simple 0-100 security score for each standard, for each account across all enabled standards, and a total score for all accounts associated with your administrator account. This score is based on the number of controls that have passed vs. failed for a standard, account, and/or organization. This information is presented in summary dashboards along with other key insights, such as which resources have the most failed security checks, to help you monitor your security posture.
Filtering, grouping, and saved searches for your findings
You can filter findings based on fields in the AWS Security Finding Format and use GroupBy statements to aggregate findings into buckets. For example, you can filter findings to show only Critical or High severity findings and then group them by resource ID to see which resources have the most critical or high findings. Security Hub calls these types of searches insights, and it provides both prepackaged managed insights and lets you define your own custom insights. Each insight includes a time series sparkline to show the trend over time in findings that match the insight.
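The pieces described above (ASFF findings delivered to EventBridge, a Lambda target that acts on them, and a "group by resource ID" insight over Critical/High findings) fit together as in this added example, which is not code from the Security Hub page or from AWS. It assumes the standard EventBridge event shape (`source` of `aws.securityhub`, findings under `detail.findings`) and the documented ASFF field names; the sample event is constructed for illustration.

```python
# Added example, not from the Security Hub page or AWS sample code. Field names
# follow the public ASFF schema; the sample event below is constructed.
from collections import Counter
ACTIONABLE_SEVERITIES = {"CRITICAL", "HIGH"}

def actionable_findings(event):
    """Return ASFF findings from a Security Hub EventBridge event that are
    active, still in workflow status NEW, and of Critical or High severity."""
    if event.get("source") != "aws.securityhub":
        return []  # not a Security Hub event: ignore rather than act on it
    findings = event.get("detail", {}).get("findings", [])
    return [
        f for f in findings
        if f.get("RecordState") == "ACTIVE"
        and f.get("Workflow", {}).get("Status") == "NEW"
        and f.get("Severity", {}).get("Label") in ACTIONABLE_SEVERITIES
    ]

def group_by_resource(findings):
    """Count actionable findings per resource ID (a 'group by resource' insight)."""
    return Counter(r["Id"] for f in findings for r in f.get("Resources", []))

def lambda_handler(event, context=None):
    """EventBridge target: decide which resources need action. In a real
    deployment the enrichment or remediation call would go here."""
    worst = group_by_resource(actionable_findings(event))
    return {"resources_needing_action": dict(worst.most_common())}

# Constructed sample event in the shape EventBridge delivers for the
# "Security Hub Findings - Imported" detail type (third finding is archived).
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-1", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
         "Severity": {"Label": "CRITICAL"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"Id": "finding-2", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
         "Severity": {"Label": "HIGH"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"Id": "finding-3", "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"},
         "Severity": {"Label": "CRITICAL"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}]},
    ]},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The archived finding is dropped even though it is Critical, which is the same RecordState filter a saved insight would apply before grouping.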