Security Hub FAQs
General
What is AWS Security Hub?
AWS Security Hub (Preview) is a unified cloud security solution that prioritizes your critical security issues and helps you respond at scale. It detects critical issues by automatically correlating and enriching security signals from multiple sources, such as posture management (AWS Security Hub CSPM), vulnerability management (Amazon Inspector), sensitive data (Amazon Macie), and threat detection (Amazon GuardDuty). This allows security teams to surface and prioritize active risks in their cloud environment through automated analysis and contextual insights. Through intuitive visualizations, Security Hub transforms complex security signals into actionable insights so you can make more informed security decisions quickly. The solution also includes automated response workflows to streamline remediation at scale, helping you reduce security risks while improving team productivity and minimizing operational disruptions.
What is AWS Security Hub CSPM?
Security Hub CSPM (Cloud Security Posture Management) is a capability of Security Hub offering automated security best practice checks to help you understand your overall security posture across your AWS accounts. It delivers essential security posture signals that work together with other security capabilities to prioritize security issues and help you respond at scale.
How has Security Hub evolved?
Security Hub has enhanced its capabilities, evolving from a centralized security findings aggregator and security posture management service to a comprehensive unified cloud security solution. What you previously knew as Security Hub, focused on aggregating security findings, security best practice checks, and compliance monitoring, is now Security Hub CSPM—a core capability within the enhanced Security Hub solution. Building on this foundation, Security Hub now automatically correlates security signals across multiple capabilities including vulnerability management (Amazon Inspector), threat detection (Amazon GuardDuty), posture management (AWS Security Hub), and sensitive data discovery (Amazon Macie). This enhanced correlation helps you identify critical security risks that might be missed when viewing findings in isolation. For example, Security Hub can now automatically detect when a publicly exposed resource with a critical vulnerability also has access to sensitive data, providing crucial context for prioritization and response. Everything you valued about security findings aggregation and posture management remains intact and is enhanced by these new capabilities. Your existing security checks, compliance monitoring, and integrations continue to work as before, while gaining powerful new features for correlation, analysis, and automated response. This evolution helps you protect your cloud environment by transforming multiple security signals into actionable insights, enabling faster and more informed security decisions.
What are the key benefits of Security Hub?
- Unified security operations: Gain broader visibility across your cloud environment through centralized management in a unified cloud security solution.
- Confident prioritization: Make informed decisions about your critical security issues through automated correlation and enhanced risk context.
- Actionable security insights: Gain actionable insights through advanced analytics to surface security risks specific to your environment.
- Streamlined response at scale: Reduce response times with automated workflows and ticketing system integration to help protect your cloud environment.
- Continuous security monitoring: Detect deviations from security best practices with automated security checks against industry standards and AWS best practices.
What core capabilities are included in the enhanced Security Hub?
AWS Security Hub includes core security capabilities that provide the foundation for correlation and exposure findings features:
- Posture management through Security Hub CSPM
- Vulnerability management through Amazon Inspector
Security Hub integrates these core capabilities with additional security capabilities including Amazon GuardDuty for threat detection and Amazon Macie for sensitive data discovery, enabling more comprehensive security coverage. Through automated correlation of security signals across these capabilities, Security Hub helps you identify and prioritize critical security risks that might be missed when viewing findings in isolation.
How do Security Hub and Security Hub CSPM compare?
| | AWS Security Hub | AWS Security Hub CSPM |
| --- | --- | --- |
| Primary use case | Unified cloud security solution to prioritize and help you respond to critical security issues, including security posture management | Security posture management through automated best practice checks |
| Security signal analysis | Automated correlation across multiple security signals with enhanced context | Individual security checks against best practices and compliance standards |
| Core features | Automated correlation and enrichment | Security best practice checks |
| Visualization and insights | Unified dashboard with customizable widgets | Basic security scoring |
| Response capabilities | Native ticketing integration | Amazon EventBridge integration |
| Data format | OCSF (Open Cybersecurity Schema Framework) | ASFF (AWS Security Finding Format) |
Security Hub
How can I deploy Security Hub (Preview) in my environment?
You have two deployment approaches:
1. Unified security solution (recommended): Enable Security Hub with its core capabilities:
- Security Hub CSPM for posture management
- Amazon Inspector for vulnerability management (Amazon EC2 scanning, Amazon ECR container scanning, and AWS Lambda standard scanning)
For enhanced security coverage, you can also enable:
- Amazon GuardDuty for threat detection
- Amazon Macie for sensitive data discovery
- Amazon Inspector for code security and AWS Lambda code scanning
This unified approach provides automated correlation and response capabilities across all enabled security capabilities. During the preview period, you'll need to enable each capability separately, and manage each capability through its individual delegated administrator console. At general availability (GA), the enhanced Security Hub will provide a unified enablement process and the ability to manage your preferences across multiple AWS Regions and accounts from a single unified console.
2. Individual approach: Use capabilities independently while managing security findings separately. While this allows for targeted use cases, you'll need to manually correlate findings to identify and prioritize critical security risks. New features in the enhanced Security Hub such as exposure findings and automated correlation analysis require the core capabilities (Security Hub CSPM and Amazon Inspector) to be enabled. Without these core capabilities, you won't be able to benefit from these security features.
Choose the approach that best fits your specific security needs and preferences. However, the unified solution is recommended as it provides automated correlation and enhanced context across security signals, helping you prioritize and respond to security risks at scale.
What does the public preview of Security Hub cost?
During the public preview period, the enhanced AWS Security Hub capabilities will be free of charge. However, customers will still incur costs for the integrated capabilities including Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub CSPM. New customers can take advantage of the free trial period available for these underlying security capabilities.
What are the enablement requirements for Security Hub after General Availability (GA)?
When Security Hub reaches General Availability, enabling Security Hub will automatically enable its core capabilities: Security Hub CSPM for posture management and Amazon Inspector capabilities (Amazon EC2 scanning, Amazon ECR scanning, and AWS Lambda standard scanning) for vulnerability management. These core capabilities are essential for features in the enhanced Security Hub, such as exposure findings and automated correlation analysis and thus must be enabled in order to use the enhanced Security Hub.
At GA, this will be a unified, streamlined process through the Security Hub console. While Amazon GuardDuty, Amazon Macie, and other Amazon Inspector capabilities (AWS Lambda code scanning and Amazon Inspector code security) will remain optional after GA, we recommend enabling them for comprehensive security coverage and to fully benefit from Security Hub's automated correlation capabilities.
Is Security Hub a regional or global service?
Security Hub is a regional service, but supports cross-Region aggregation of findings via designation of an aggregator Region. Customers must enable Security Hub in each Region to view findings in that Region.
Which AWS Regions support Security Hub during public preview?
During the public preview period, Security Hub will be available in the following Regions: US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), Middle East (Bahrain), and South America (São Paulo).
Do I need to have AWS Config enabled if I use Security Hub?
The enhanced Security Hub does not require AWS Config. However, Security Hub CSPM, which is a core capability of Security Hub, requires that you enable AWS Config in your account and configure it to record resource configuration changes. AWS Config needs to track these configuration changes to identify potential misconfigurations in your resources.
Will Security Hub replace the consoles of our other security services, such as GuardDuty, Inspector, or Macie?
No, Security Hub complements other AWS security services by providing a unified view and advanced correlation capabilities. While Security Hub correlates and enriches findings from capabilities like Amazon GuardDuty, Amazon Inspector, and Amazon Macie, you may still need to use individual service consoles for specific configurations or detailed investigations. Security Hub provides a unified security solution with enhanced analytics and automated response capabilities across your entire cloud environment.
How can Security Hub prioritize the security data that I need the most?
What is an exposure finding in Security Hub?
Security Hub correlates security findings to prioritize the critical issues in your cloud environment. By analyzing resource relationships and signals from capabilities such as Amazon Inspector, AWS Security Hub CSPM, and Amazon Macie, the enhanced Security Hub automatically generates exposure findings to help you address your critical security issues. Exposure findings also help you visually understand how different resource relations, configurations, and associated findings combine to create potential attack paths. For example: "Potential Credential Stealing: Internet reachable EC2 instance with administrative instance profile has network-exploitable software vulnerabilities with a high likelihood of exploitation." You can get clear insights into potentially exploitable resources and make confident decisions about which issues to address first, helping you identify complex security scenarios that may be missed when viewing findings in isolation.
What is an insight?
An insight is a collection of related findings. Security Hub CSPM offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify Amazon Elastic Compute Cloud (Amazon EC2) instances that are missing security patches for important vulnerabilities or Amazon Simple Storage Service (Amazon S3) buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your AWS environment.
How is Security Hub exposure finding severity calculated?
Security Hub calculates exposure finding severity by analyzing and correlating multiple security traits across AWS services. Instead of evaluating these factors in isolation, Security Hub uses a contextual approach, assigning a severity rating based on how these factors are correlated. For example, a resource with an identified vulnerability might receive a higher severity rating if it's exploitable from the internet or has access to sensitive data.
- Ease of discovery: The availability of automated tools, such as port scans or internet searches, to discover the resource at risk.
- Ease of exploit: The ease with which a threat actor can exploit the risk. For example, if there are open network paths or misconfigured metadata, a threat actor can more easily exploit the risk.
- Likelihood of exploit: Security Hub uses both external signals, such as the Exploit Prediction Scoring System (EPSS), and internal threat intelligence to determine the probability that the risk will be exploited. This comprehensive approach applies to exposure findings for Amazon Elastic Compute Cloud (EC2) instances and AWS Lambda functions.
- Awareness: The extent to which the risk is not merely theoretical but has publicly available or automated exploits. This factor applies to exposure findings for EC2 instances and Lambda functions.
- Impact: The potential harm if the exploit is carried out. For example, an exposure could lead to loss of confidentiality from data exposure, loss of integrity from data corruption, loss of availability, or loss of accountability.
How does Security Hub help identify potential attack paths?
Security Hub helps you visualize how vulnerabilities and misconfigurations might be chained together to create potential attack paths to critical resources. Through automated correlation of security signals, Security Hub identifies these potential paths, helping you understand which critical resources could be impacted and the scope of potential exposure. This insight enables you to prioritize remediation efforts and help protect your critical resources before risks can be exploited.
How does Security Hub help with security-focused asset inventory?
Security Hub provides a unified view of your AWS resources that combines security posture, configuration details, and application context. You can identify internet-reachable assets and their associated security findings through a single consolidated view. This helps you prioritize your critical security issues and respond at scale by enabling streamlined security analysis across your resource types.
How does Security Hub streamline response workflows?
Security Hub helps you respond to critical security issues at scale through automated workflows and integration with existing ticketing systems. By transforming security signals into actionable insights and providing automated response capabilities, Security Hub helps you reduce security risks while improving team productivity and minimizing operational disruptions.
How do I differentiate between findings from Security Hub and Security Hub CSPM?
Findings differ between Security Hub and Security Hub CSPM in four key aspects: their sources, types, format, and event delivery.
- Sources of findings: During the preview period, Security Hub receives findings from Security Hub CSPM (findings from security checks), Amazon GuardDuty, Amazon Inspector, and Amazon Macie. Security Hub CSPM receives findings from several AWS services such as AWS Config, AWS WAF, Amazon GuardDuty, Amazon Inspector, third-party Partner tools, and your custom findings.
- Types of findings: While both receive findings from integrated security capabilities, the enhanced Security Hub also generates exposure findings by correlating security signals from AWS Security Hub CSPM, Amazon Inspector, and Amazon Macie to identify critical security risks. These exposure findings provide enhanced context through automated correlation across multiple security signals.
- Format of findings: The enhanced Security Hub uses the OCSF (Open Cybersecurity Schema Framework) format, while Security Hub CSPM uses the ASFF (AWS Security Finding Format). This difference in format reflects their distinct approaches to security finding management and analysis.
- Event delivery: Security Hub CSPM findings will come through Amazon EventBridge with a detail type of "Security Hub Findings - Imported." Security Hub findings will come through EventBridge with a detail type of "Findings Imported V2."
Will findings from partner tools be available in the enhanced Security Hub?
During the preview period, the enhanced Security Hub does not receive findings from third-party partner tools. You can continue to use Security Hub CSPM integrations with AWS partner tools to send, receive, and update findings within Security Hub CSPM.
Are all my AWS resources displayed in the resource list view within Security Hub?
No, only the resource types that can be evaluated by our security capabilities (Security Hub CSPM, Amazon Inspector, GuardDuty, or Macie) are available within the resource list. However, all individual resources within these resource types are included in the list. The Security Hub resource list view provides a security-focused asset inventory that displays supported resources along with their associated vulnerabilities, threats, and traits. This targeted view helps you identify and prioritize critical resources, for example, by displaying all publicly exposed assets across your cloud environment.
How can Security Hub integrate with my existing security operations and remediation processes?
Security Hub supports workflow options by enabling the export of findings via EventBridge. You can use EventBridge to set up integrations with chat systems such as Slack, automated remediation pipelines via AWS Lambda or partner security orchestration tools, SIEMs, and ticketing systems such as ServiceNow.
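The two event types described above ("Security Hub Findings - Imported" carrying ASFF findings and "Findings Imported V2" carrying OCSF findings) are what a consumer wired to EventBridge has to tell apart. The following is an added example, not AWS code: it shows the event patterns you would attach to two EventBridge rules, a simplified matcher that applies those patterns offline, and a normalizer that reduces both finding formats to one shape before hand-off to a chat, SIEM, or ticketing integration. The ASFF envelope (`detail.findings[]` with `Id`, `Title`, `Severity.Label`, `Resources[]`) is the documented one; the OCSF field names used for the V2 event (`finding_info.uid`, `finding_info.title`, `severity`, `resources[].uid`) and the event source `aws.securityhub` for V2 are assumptions, and the sample events are constructed.

```python
"""Route Security Hub CSPM (ASFF) and Security Hub (OCSF) EventBridge events.

Added example, not AWS code. The ASFF envelope is the documented one;
the OCSF field layout for "Findings Imported V2" and its event source
are assumptions. Sample events below are constructed for illustration.
"""

CSPM_DETAIL_TYPE = "Security Hub Findings - Imported"   # Security Hub CSPM, ASFF
V2_DETAIL_TYPE = "Findings Imported V2"                 # enhanced Security Hub, OCSF

# Event patterns for two EventBridge rules. The CSPM rule additionally
# filters on ASFF severity so only HIGH/CRITICAL findings reach the target.
CSPM_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": [CSPM_DETAIL_TYPE],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}
V2_RULE_PATTERN = {
    "source": ["aws.securityhub"],            # assumed source for V2 events
    "detail-type": [V2_DETAIL_TYPE],
}

# Constructed sample events (account id, ARNs and uids are placeholders).
CSPM_EVENT = {
    "source": "aws.securityhub",
    "detail-type": CSPM_DETAIL_TYPE,
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/EXAMPLE-ASFF-ID",
        "Title": "S3 buckets should prohibit public read access",
        "Severity": {"Label": "HIGH"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
    }]},
}
V2_EVENT = {
    "source": "aws.securityhub",
    "detail-type": V2_DETAIL_TYPE,
    "detail": {"findings": [{
        "finding_info": {"uid": "EXAMPLE-OCSF-UID",
                         "title": "Internet reachable EC2 instance with "
                                  "network-exploitable software vulnerabilities"},
        "severity": "Critical",
        "severity_id": 5,
        "resources": [{"type": "AwsEc2Instance",
                       "uid": "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"}],
    }]},
}


def _match_leaf(value, allowed) -> bool:
    """Leaf rule: the pattern lists allowed literals; event value may be a list."""
    if isinstance(value, list):
        return any(v in allowed for v in value)
    return value in allowed


def matches(event: dict, pattern: dict) -> bool:
    """Simplified EventBridge semantics: every pattern key must be present in
    the event; a list of literals means any-of; a nested dict recurses; when
    the event value is a list of objects, any element may satisfy the sub-pattern."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(sub, dict):
            candidates = value if isinstance(value, list) else [value]
            if not any(isinstance(c, dict) and matches(c, sub) for c in candidates):
                return False
        elif not _match_leaf(value, sub):
            return False
    return True


def normalize_asff(finding: dict) -> dict:
    """ASFF (Security Hub CSPM) finding -> common shape."""
    return {
        "id": finding["Id"],
        "title": finding["Title"],
        "severity": finding["Severity"]["Label"].upper(),
        "resources": [r["Id"] for r in finding.get("Resources", [])],
        "source": "securityhub-cspm",
    }


def normalize_ocsf(finding: dict) -> dict:
    """OCSF (enhanced Security Hub) finding -> common shape (field names assumed)."""
    return {
        "id": finding["finding_info"]["uid"],
        "title": finding["finding_info"]["title"],
        "severity": finding["severity"].upper(),
        "resources": [r["uid"] for r in finding.get("resources", [])],
        "source": "securityhub",
    }


def normalize(event: dict) -> list:
    """Dispatch on detail-type; unknown event types yield no findings."""
    findings = event.get("detail", {}).get("findings", [])
    if event.get("detail-type") == CSPM_DETAIL_TYPE:
        return [normalize_asff(f) for f in findings]
    if event.get("detail-type") == V2_DETAIL_TYPE:
        return [normalize_ocsf(f) for f in findings]
    return []


def actionable(event: dict) -> list:
    """Findings worth a ticket: HIGH or CRITICAL regardless of source format."""
    return [f for f in normalize(event) if f["severity"] in {"HIGH", "CRITICAL"}]
```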
Can I have two different Delegated Administrator accounts for Security Hub and Security Hub CSPM?
The ability to have different Delegated Administrators in Security Hub depends on your current configuration. Here are the different scenarios:
- If Security Hub CSPM has defined the Delegated Administrator account as the organization management account then Security Hub can set the Delegated Administrator account to an account of your choosing.
- If Security Hub CSPM does not have a Delegated Administrator account defined then Security Hub can set the Delegated Administrator to an account of your choosing.
- If Security Hub CSPM has defined the Delegated Administrator account as an account other than the organization management account then Security Hub will automatically set the Delegated Administrator account to the same account as Security Hub CSPM. Any changes to the Delegated Administrator account for either service will apply to both services.
To maintain consistent governance and least-privileged access control, we recommend using the same Delegated Administrator for all security capabilities including Security Hub, Security Hub CSPM, GuardDuty, Amazon Inspector, and Macie. Note that at General Availability (GA), all customers will need to consolidate to a single Delegated Administrator.
Can I use central configuration to enable Security Hub?
AWS Security Hub uses AWS Organizations policies to manage enablement and configuration of Security Hub across your organization member accounts. You will not be able to use central configuration for AWS Security Hub, however you can continue to use central configuration for AWS Security Hub CSPM.
If I create automation rules in Security Hub CSPM, will they automatically be applied to Security Hub or vice-versa?
While automation rules are available in both Security Hub and Security Hub CSPM, these capabilities work independently of each other. Automation rules in Security Hub can make updates to findings and automatically create tickets in Jira or ServiceNow, but these rules apply only to findings within Security Hub. Similarly, automation rules in Security Hub CSPM can make updates to findings, but these rules apply only to findings within Security Hub CSPM. Each solution's automation rules operate separately, so you'll need to configure them individually based on where you want to manage your findings.
Security Hub CSPM
What is Cloud Security Posture Management (CSPM)?
CSPM is the practice of identifying misconfiguration issues and compliance risks across workloads, accounts, and resources to maintain your cloud security posture. Security Hub is the AWS service for CSPM that performs security best practice checks, aggregates alerts, and helps enable automated remediation across your AWS accounts, workloads, and resources.
How do I enable Security Hub CSPM?
When you open the Security Hub CSPM console for the first time, simply choose Get Started, and then choose Enable. Security Hub CSPM uses a service-linked role that includes the permissions and trust policy that it requires to detect and aggregate findings, and to configure the requisite AWS Config infrastructure needed to run security checks. Many Security Hub CSPM controls require AWS Config to be activated in order to run security checks in an account.
What is a security standard vs. a control vs. a security check?
A security standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub CSPM conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. Once Security Hub CSPM is enabled, it immediately begins running continuous and automated security checks for each control and against each relevant resource associated with the control. Visit Security Hub CSPM standards reference for details on supported standards and related controls.
What is the AWS Foundational Security Best Practices standard?
The AWS Foundational Security Best Practices standard is a set of controls developed by AWS Security in collaboration with the relevant service teams that have specific AWS product knowledge. These controls detect when your AWS accounts and resources deviate from security best practices. The standard lets you continuously evaluate all of your AWS accounts and workloads to quickly identify areas of deviation from best practices. It provides actionable and prescriptive guidance about how to improve and maintain your organization’s security posture. The controls include security best practices for resources from multiple AWS services, and each control is assigned a category that reflects the security function that it applies to.
Do both Security Hub CSPM and AWS Config conformance packs support continuous monitoring?
Yes, both Security Hub CSPM and AWS Config conformance packs support continuous monitoring of compliance. The underlying AWS Config rules can be invoked either periodically or upon detecting changes to the configuration of resources. This allows you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.
How are AWS Config and AWS Config rules related to Security Hub CSPM?
Security Hub CSPM is a core capability of AWS Security Hub that provides security and compliance posture management as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly, and they are used by other AWS services, such as AWS Control Tower and AWS Firewall Manager.
When do I use Security Hub CSPM and AWS Config conformance packs?
If a compliance standard, such as PCI-DSS, is already present in Security Hub CSPM, then the fully-managed Security Hub CSPM capability is the easiest way to operationalize it. You can investigate findings via the Security Hub CSPM integration with Amazon Detective, and you can build automated or semi-automated remediation actions using the Security Hub CSPM integration with EventBridge. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, AWS Config conformance packs are the way to go.
AWS Config conformance packs are suggested templates that you can use to simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the AWS Config conformance samples we provide, and customize as you see fit.
When do I use AWS Audit Manager and Security Hub CSPM?
You should use both because they complement one another. Audit Manager is used by audit and compliance professionals to continuously assess compliance with regulations and industry standards. Security Hub CSPM is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. Security Hub CSPM conducts automated security checks aligned to different industry and regulatory frameworks. Audit Manager automatically collects the findings generated by these Security Hub CSPM checks as a form of evidence and combines them with other evidence, such as AWS CloudTrail logs, to help customers generate assessment reports.
Audit Manager covers a full set of controls in each supported framework, including controls that have automated evidence associated with them and controls that require manual evidence upload, such as the presence of an incident response plan.
Security Hub CSPM focuses on generating automated evidence via its security checks for a subset of controls in each supported framework in Audit Manager. Controls that require evidence from other AWS services, such as CloudTrail, or manual evidence uploaded by users, are not covered by Security Hub CSPM.
When do I use AWS Systems Manager and Security Hub CSPM?
AWS Systems Manager is the operations hub for AWS, allowing you to manage your infrastructure with ease. Systems Manager OpsCenter helps IT operators and DevOps engineers diagnose and resolve operational issues related to AWS resources in a central location, and Systems Manager Explorer is an operations dashboard that provides a view of your operations data across your AWS accounts and Regions. Security and compliance professionals and DevOps engineers use Security Hub CSPM to continuously monitor and improve the security posture of their AWS accounts and resources.
Most customers separate their security issues (e.g., Amazon S3 buckets publicly accessible or crypto-mining detected on Amazon EC2 instances) and operational issues (e.g., underutilized Amazon Redshift instances or over-utilized Amazon EC2 instances) because security issues are sensitive and typically have different access requirements. As a result, they use Security Hub to understand, manage, and remediate their security issues, and they use Systems Manager to understand, manage, and remediate their operational issues. We also recommend that you use Security Hub CSPM for more specialized views into your security posture.
When the same engineers work on both security and operational issues, it can help to consolidate them in a single location. You can do that by opting in for findings to be sent to OpsCenter and Explorer where engineers can investigate and remediate security issues alongside operational issues via Systems Manager Automation runbooks.
How is AWS Control Tower different from Security Hub CSPM?
What findings sources does Security Hub CSPM analyze?
Security Hub analyzes your security alerts, or findings, from several AWS services, including: AWS Config, Amazon GuardDuty, AWS Health, Amazon Inspector, AWS Firewall Manager, AWS IAM Access Analyzer, AWS IoT Device Defender, and Amazon Macie. In addition, refer to the list of available third-party partner product integrations that are integrated with AWS Security Hub and support the standardized findings format.
I'm currently using Security Hub CSPM (previously known as Security Hub). What do I need to do to adopt the new, unified Security Hub?
Getting started with the enhanced Security Hub is easy, especially if you are already using other AWS security services. During the preview period, you'll need to enable each capability separately: Security Hub CSPM, Amazon Inspector, Amazon GuardDuty, and Amazon Macie. Although not all of these capabilities are required before enabling the new Security Hub, enabling them is recommended to gain the most benefit from Security Hub. You can enable the enhanced Security Hub through the newly designed console or APIs. The process is designed to be seamless, allowing you to enhance visibility into your security posture without disrupting your current operations.
Can I continue using Security Hub CSPM if my primary need is security posture management?
Yes, you can continue using Security Hub CSPM if your primary need is to evaluate your AWS resources against security best practices. However, we recommend exploring the enhanced Security Hub to prioritize and help you respond to your critical security issues at scale. The enhanced Security Hub automatically correlates and enriches security signals across multiple capabilities, transforms them into actionable insights, and provides automated response workflows. This helps you reduce security risks, improve your team's productivity, and minimize potential operational disruptions while maintaining comprehensive visibility into your security posture.
Can I use both Security Hub and Security Hub CSPM simultaneously in my account?
Yes, you can use both Security Hub and Security Hub CSPM simultaneously. The enhanced Security Hub is a unified cloud security solution that includes core capabilities (Security Hub CSPM and Amazon Inspector) and integrates with additional capabilities (Amazon GuardDuty and Amazon Macie) to help you protect your cloud environment. While you can choose which capabilities to enable, we recommend using the complete unified solution to help you prioritize and respond to your critical security issues at scale through automated correlation and enhanced context across security signals.
Can Security Hub CSPM tell me how I measure against security best practices or security standards?
Yes. Security Hub CSPM creates a score to show you how you're doing against security standards and displays it on the main Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. Security Hub CSPM shows how the control was evaluated and informational best practices on how to mitigate the issue.
If I score 100% on a security standard, does that mean that I will pass an audit for that security standard?
No. Security Hub CSPM is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub CSPM. Security Hub CSPM security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.
Can I customize the checks that Security Hub CSPM runs?
Yes. Security Hub CSPM allows you to customize your security checks to suit your organization's specific needs. This is done by customizing control parameters. For example, you can define what a strong IAM password means, or the maximum period of time after which unused credentials should be removed or unused instances stopped.
What are the specific CIS AWS Foundations benchmark controls that Security Hub CSPM supports?
Security Hub CSPM supports CIS AWS Foundations Benchmark v1.2.0 and v1.4.0. Security Hub CSPM documentation provides details on the specific controls and how each check maps to specific CIS AWS Foundations Benchmark requirements.
What are the specific National Institute of Standards and Technology (NIST) controls that Security Hub CSPM supports?
NIST SP 800-53 Rev. 5 is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that is part of the U.S. Department of Commerce. Security Hub CSPM provides controls that support select NIST SP 800-53 requirements. These controls are evaluated through automated security checks. Security Hub CSPM documentation provides details on the specific controls and how each check maps to specific NIST SP 800-53 requirements.
What are the specific controls of PCI DSS that Security Hub CSPM supports?
The Payment Card Industry Data Security Standard (PCI DSS) in Security Hub CSPM consists of a set of AWS security best practices controls. Each control applies to a specific AWS resource and relates to one or more PCI DSS requirements. Security Hub CSPM now supports both PCI DSS version 3.2.1 and version 4.0.1. Security Hub CSPM documentation provides details on how Security Hub CSPM’s PCI DSS checks map to specific PCI DSS requirements.