AWS Security Hub FAQs

Q: What is AWS Security Hub?
AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. AWS Security Hub centralizes and prioritizes security findings from across AWS accounts, services, and supported third-party partners to help you analyze your security trends and identify the highest priority security issues.

Q: What are the key benefits of AWS Security Hub?
AWS Security Hub eliminates the complexity and reduces the effort of managing and improving the security of your AWS accounts and workloads. AWS Security Hub is enabled within a particular region in minutes and the service helps you answer fundamental security questions you may have on a daily basis. Key benefits include:

Save time with centralized and normalized findings - AWS Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. AWS Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate a master account that can see all findings across their accounts.

Improve security with automated checks - AWS Security Hub generates its own findings by running continuous and automated account and resource-level configuration checks against the rules in the supported industry best practices and standards (for example, the CIS AWS Foundations Benchmark).

Quickly take actions on findings - AWS Security Hub aggregates findings into pre-built dashboards that provide bar graphs, line charts, and tables that show you the current security status of your environment as well as trends. Now you can easily identify potential issues, and take the necessary next steps. For example, you can send findings to ticketing, chat, email, or automated remediation systems using integration with Amazon CloudWatch Events.

Q: How much does AWS Security Hub cost?
There are two pricing dimensions for AWS Security Hub: number of security checks per account/region/month and number of finding ingestion events per account/region/month. Pricing is $0.001 per security check per account/region/month for first 100,000 checks; $0.0008 per check for the next 400,000 checks; and $0.0005 per check for above 500,000 checks. There is a perpetual free tier of 10,000 finding ingestion events per account/region/month and the pricing is $0.00003 per finding ingestion event per account/region/month after the first 10,000. Customers are not charged for finding ingestion events generated by AWS Security Hub’s security checks. All accounts and regions will have a 30-day free trial. Please see the AWS Security Hub pricing page for latest pricing information.

Note that AWS Config is required to be enabled in the account(s) using AWS Security Hub. AWS Security Hub security checks use the configuration items recorded by AWS Config. If you are not already using AWS Config, please see the Config pricing page for the latest information on the price per configuration item recorded. There is no additional charge for the AWS Config rules enabled by AWS Security Hub security checks.

Q: Am I charged multiple times for a control that appears in multiple standards?
No. You are only charged once for each time a control is evaluated against a resource (i.e., for each security check) regardless of how many standards the control is linked to.

Q: Is AWS Security Hub a regional or global service?
AWS Security Hub is a regional service, but supports cross-region aggregation of findings via designation of an aggregator region. Customers must enable AWS Security Hub in each region to view findings in that region.

Q: What regions does AWS Security Hub support?
The regional availability of AWS Security Hub is listed here: AWS Region Table

Q: What partners work with AWS Security Hub?
There are many technology partners that support the standardized findings format and have integrated with AWS Security Hub. See AWS Security Hub partners.

Q: How do I enable AWS Security Hub?
When you open the AWS Security Hub console for the first time, simply choose Get Started, and then choose Enable. AWS Security Hub uses a service-linked role that includes the permissions and trust policy that AWS Security Hub requires to detect and aggregate findings, and to configure the requisite AWS Config infrastructure needed to run security checks. In order for AWS Security Hub to run security checks in an account, you must have AWS Config recorder enabled in that account. It is also recommended that you first enable AWS Organizations to simplify enabling AWS Security Hub across your organization.

Q: Does AWS Security Hub help manage security across multiple AWS accounts?
Yes, you can manage multiple accounts within a region by configuring the multi-account hierarchy within AWS Security Hub or by importing an existing hierarchy from services like Amazon GuardDuty.

Q: What is a finding?
A finding is a potential security issue. AWS Security Hub aggregates, normalizes, and prioritizes security alerts, or findings, from AWS and third-party services, as well as generating its own findings as the result of running continuous and automated configuration checks. A finding ingestion event is when a new finding is ingested into AWS Security Hub or when a finding update is ingested into AWS Security Hub.

Q: What is an insight?
An insight is a collection of related findings. AWS Security Hub offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify EC2 instances that are missing security patches for important vulnerabilities, or S3 buckets with public read or write permissions. Managed and custom AWS Security Hub insights help you track security issues in your AWS environment.

Q: What is a security standard vs. a control vs. a security check?
A security standard is a collection of controls based on regulatory frameworks or industry best practices. AWS Security Hub conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. For example, AWS Security Hub supports the CIS AWS Foundations Benchmark standard, which consists of 43 controls, and 32 PCI DSS requirements across 14 AWS services. Once AWS Security Hub is enabled, it immediately begins running continuous and automated security checks against each control and each relevant resource associated with the control.

Q: What findings sources does AWS Security Hub analyze?
AWS Security Hub analyzes your security alerts, or findings, from these AWS services: Amazon GuardDuty, Amazon Inspector, AWS Firewall Manager, IAM Access Analyzer,and Amazon Macie. In addition, see the list of AWS Security Hub Partner solutions that are integrated with AWS Security Hub and support the standardized findings format.

Q: How are AWS Config and AWS Config rules related to AWS Security Hub?
AWS Security Hub is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly. They also are used by other AWS services, such AWS Control Tower and AWS Firewall Manager.

Q: When do I use AWS Security Hub and AWS Config conformance packs?
If a compliance standard, such as PCI-DSS, is already present in AWS Security Hub, then the fully managed AWS Security Hub service is the easiest way to operationalize it. You can investigate findings via AWS Security Hub’s integration with Amazon Detective, and you can build automated or semi-automated remediation actions using AWS Security Hub’s Amazon Eventbridge integration. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, AWS Config conformance packs are the way to go. AWS Config conformance packs simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the AWS Config conformance samples we provide, and customize as you see fit.

Q: Do both AWS Security Hub and AWS Config conformance packs support continuous monitoring?
Yes, both AWS Security Hub and AWS Config conformance packs support continuous monitoring of compliance, given their reliance on AWS Config and Config rules. The underlying AWS Config rules can be triggered either periodically or upon detecting changes to the configuration of resources. This enables you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.

Q: When do I use AWS Audit Manager and AWS Security Hub?
You should use both because they complement each other. AWS Audit Manager is used by audit and compliance professionals to continuously assess compliance with regulations and industry standards. AWS Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. AWS Security Hub conducts automated security checks aligned to different industry and regulatory frameworks. Audit Manager automatically collects the findings generated by these AWS Security Hub checks as a form of evidence and combines them with other evidence, such as AWS CloudTrail logs, to help customers generate assessment reports. Audit Manager covers a full set of controls in each supported framework, including controls that have automated evidence associated with them and controls that require manual evidence upload, such as the presence of an incident response plan. AWS Security Hub focuses on generating automated evidence via its security checks for a subset of controls in each supported framework in Audit Manager. Controls that require evidence from other AWS services, such as CloudTrail, or manual evidence uploaded by users are not covered by AWS Security Hub.

Q: When do I use AWS Systems Manager and AWS Security Hub?
AWS Systems Manager is the operations hub for AWS, enabling you to manage your Cloud and hybrid infrastructure with ease. AWS Systems Manager OpsCenter enables IT operators and DevOps engineers to diagnose and resolve operational issues related to AWS resources in a central location, and AWS Systems Manager Explorer is an operations dashboard that provides a view of your operations data across your AWS accounts and Regions. AWS Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources.

Most customers segregate their security issues (e.g., Amazon S3 buckets publicly accessible or crypto-mining detected on Amazon EC2 instances) and operational issues (e.g., underutilized Amazon Redshift instances or over-utilized Amazon EC2 instances) because security issues are sensitive and typically have different access requirements. As a result, they use AWS Security Hub to understand, manage, and remediate their security issues, and they use Systems Manager to understand, manage, and remediate their operational issues. We also recommend that you use AWS Security Hub for more specialized views into your security posture.

When the same engineers work on both security and operational issues, it can help to consolidate them in a single location. You can do that by opting in for findings to be sent to OpsCenter and Explorer where engineers can investigate and remediate security issues alongside operational issues via AWS Systems Manager Automation runbooks.

Q: How is AWS Control Tower different from AWS Security Hub?
AWS Control Tower and AWS Security Hub are complementary services. AWS Security Hub is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. Besides aggregating security findings and enabling automated remediation, Security Hub also performs security best practice checks against the AWS Foundational Security Best Practices standard and other industry and regulatory standards. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices. Control Tower applies mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), and detect policy violations using AWS Config rules. Control Tower also helps ensure that your default account configurations are in alignment with Security Hub’s AWS Foundational Security Best Practices. Customers should use Control Tower’s preventative guardrails in combination with Security Hub’s security best practice controls, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state.

Q: How can I see what are my most important security issues in AWS Security Hub?
There are multiple ways to see your most important security issues. The AWS Security Hub dashboard provides views on which resources have the most findings, how your volume of security findings are evolving over time, which insights are generating the most findings. You can go to the insights page and use the managed insights to identify high priority issues. You can also create your own custom insights.

Q: Can AWS Security Hub tell me how I measure against security best practices or security standards?
Yes. AWS Security Hub creates a score to show you how you're doing against security standards and displays it on the main AWS Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. AWS Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.

Q: If I score 100% on a security standard, does that mean that I will pass an audit for that security standard?
No. AWS Security Hub is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for AWS Security Hub. AWS Security Hub security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.

Q: How can AWS Security Hub prioritize the security data that I need the most?
AWS Security Hub uses two mechanisms to help prioritize findings: insights and security standards. Insights are grouped or correlated findings that help you identify higher priority findings faster. Examples of insights are “Show me all my EC2 instances potentially infected with malware” and “Show me any possible cases of data exfiltration on EC2 instances.”

Security standards are sets of controls that are based on regulatory requirements or best practices. AWS has defined specific security checks (that align to the controls within standards. An example of a supported AWS Security Hub standard is the CIS AWS Foundations Benchmark.

Q: How can AWS Security Hub integrate with my existing security operations and remediation processes?
AWS Security Hub supports workflow options by enabling the export of findings via CloudWatch events. You can use CloudWatch events to setup integrations with chat systems such as Slack, automated remediation pipelines via Lambda or partner security orchestration tools, SIEMs, and ticketing systems such as ServiceNow.

Q: Will AWS Security Hub replace the consoles of our other security services, such as Amazon GuardDuty, Amazon Inspector, or Amazon Macie?
No. AWS Security Hub is complementary and additive to the AWS security services. In fact, AWS Security Hub will link back into the other consoles to help you gain additional context. AWS Security Hub does not replicate the setup, configuration, or specialized features available within each security service.

Q: I deployed the CIS AWS Foundations Benchmark QuickStart, but the AWS Security Hub CIS Security Standard is showing that I am failing some checks, why is that?
The QuickStart solution is designed as a single account and single region template for some hardening controls that cover checks 1.1, 2.1 through 2.7, and 3.1 through 3.14. The QuickStart includes a pre-requisite template that deploys a trail in a single region only. Since the CIS checks 1.1, 2.1 through 2.5, 2.7, and 3.1 through 3.14 require a multi-region trail, these checks fail in AWS Security Hub CIS Security Standard. [Note that the CIS QuickStart solution implements hardening controls for only the following checks: 1.1, 2.1 through 2.7, and 3.1 through 3.14. The remaining checks are not addressed by the CIS QuickStart.] In addition, the QuickStart “Monitoring” checks 3.2, 3.4, 3.5, and 3.8 through 3.14 are implemented using CloudWatch events instead of CloudWatch metric filters, which also causes failures of these checks in AWS Security Hub CIS Security Standard.

Q: What are the specific controls of PCI DSS supported by AWS Security Hub?
The Payment Card Industry Data Security Standard (PCI DSS) standard in AWS Security Hub consists of a set of AWS security best practices controls. Each control applies to a specific AWS resource, and relates to one or more PCI DSS version 3.2.1 requirements. AWS Security Hub’s documentation provides details on how AWS Security Hub’s PCI DSS checks map to specific PCI DSS requirements.