AWS Security Hub features

Overview

AWS Security Hub is a cloud security posture management (CSPM) service that streamlines security operations with automated, continuous, security best practice checks against your AWS resources to help you identify misconfigurations. Security Hub  aggregates your security alerts (i.e. findings) in a standardized format and prioritizes them so that you can more easily enrich, investigate, and remediate them. 

Getting started with Security Hub requires just a few clicks from the AWS Management Console to begin aggregating findings and conducting security checks using our 30-day free trial. You can integrate Security Hub with AWS Organizations to automatically enable the service in all accounts in your organization.

Page Topics

Security and compliance checks Managing security alerts Automation and response Cost optimization

Security and compliance checks

The AWS Foundational Security Best Practices standard comes built into Security Hub. This is a highly-curated set of security best practices vetted by AWS security experts that give you event-based continuous monitoring, or run on a periodic schedule. Each control has a specific severity rating to help you prioritize your remediation efforts. We recommend that this standard is enabled across all accounts and Regions, and we are continuously updating it with new controls and additional service coverage.

In addition to the AWS Foundational Security Best Practices standard, Security Hub offers additional standards aligned to industry and regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), the Center for Internet Security (CIS) AWS Foundations Benchmark, and the National Institute of Standards and Technology (NIST). These standards are also powered by continuous, automated security checks, and you only pay once for the security check—regardless of how many standards it is mapped to.

Customize Security Hub controls in accordance with the specific security guidelines of your organization, without forgoing the benefits of using managed controls. You can modify the parameter values in many Security Hub controls, reducing the manual efforts of building and testing these across your accounts by hand, while still maintaining security scoring for them. Specify parameters such as the number of days until a resource is considered unused, specific characteristic of a password policy, or a list of high-risk ports. You can also centralize these configurations and capabilities for all or some accounts globally, without needing to update them account-by-account and Region-by-Region.

Security Hub provides a simple 0-100 security score for each standard, for each account across all enabled standards, and a total score for all accounts associated with your administrator account. This score is based on the number of controls that have passed vs. failed for a standard, account, or Organization.

Customize your Security Hub dashboard according to your specific requirements to more easily identify patterns, vulnerabilities, and threats— leading to faster response. Security Hub’s dashboard features a set of AWS managed insights that were carefully chosen to reflect the modern cloud security threat landscape as observed by AWS, and guided by lessons learned from AWS’s own security operations. You can select and modify the widgets you want to display, apply and save filters to create contextual views by specific criteria, and prioritize the data and view of your organization’s security posture that fits your needs.

Managing security alerts

Designate an aggregator Region and link some or all Regions to give you a centralized view of your findings across your accounts and your linked Regions. Findings are continuously synced between the Regions, so that updates made to a finding in one Region is replicated to the other Region. Your Amazon EventBridge feed in your administrator account and aggregator Region also now includes all your findings across all member accounts and linked Regions, which allows you to simplify integrations with ticketing, chat, incident management, logging, and auto-remediation tools by consolidating those integrations into your aggregator Region.

Security Hub automatically collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, Amazon Simple Storage Service (Amazon S3) bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager. Security Hub also consolidates findings from dozens of integrated AWS Partner Network (APN) security solutions. All findings are stored in Security hub for 90 days after last update date.

Simplify how you triage, investigate, and remediate findings by consolidating control findings across multiple standards to more easily identify misconfigurations based on severity and number of failed resources and improve your overall security score. You can also view all enabled controls in one place, along with their compliance status and a summary of passed and failed security checks, and configure each control across all standards in a single action.

Security Hub eliminates time-consuming and resource-intensive data normalization processes by introducing the AWS Security Findings Format (ASFF). With the ASFF, Security Hub integration partners (including both AWS services and external partners) send their findings to Security Hub in a well-typed JSON format consisting of over 1,000 available fields. This means that all of your security findings are normalized before they are ingested into Security Hub, and you don’t need to do any parsing and normalization yourself. The findings identify resources, severities, and timestamps in a consistent way, so that you can more easily search and take action on them.

Connect multiple AWS accounts and consolidate findings across those accounts with a few clicks in the Security Hub console. By designating an administrator account, you can enable your security team to see consolidated findings for all accounts, while individual account owners see only findings associated with their account. Integration with AWS Organizations allows you to automatically enable any account in your organization with Security Hub and the AWS Foundational Security Best Practices standard.

Filter findings based on fields in the ASFF and use GroupBy statements to aggregate findings into buckets. For example, you can filter findings to show only Critical or High severity findings and then group them by resource IDs to see which resources have the most critical or high findings. Security Hub calls these types searches insights, and Security Hub provides both prepackaged managed insights and lets you define your own custom insights. Each insight includes a time series sparkline to show the trend over time in findings that match the insight.

Automation and response

Automatically update or suppress findings in near-real time with Security Hub Automation Rules. Security admins can create rules with specific criteria that can automatically be evaluated against every incoming finding and update findings fields if matched. Use automation rules to change the severity or workflow status of specific findings, suppress them, or update their user-defined fields.

Create custom automated response, remediation, and enrichment workflows using Security Hub’s integration with Amazon EventBridge. Security Hub findings are automatically sent to EventBridge, and you can create EventBridge rules that have AWS Lambda functions, AWS Step Function functions, or AWS Systems Manager Automation runbooks as their targets. Security Hub also supports sending findings to EventBridge on demand via custom actions, and the Security Hub Automated Response and Remediation (ASR) solution provides you with prepackaged EventBridge rules for you to deploy via AWS Cloud Formation.

Security Hub has integrations with various ticketing, chat, incident management, threat investigation, Governance Risk and Compliance (GRC), Security Orchestration Automation and Response (SOAR), and Security Information and Event Management (SIEM) tools that can automatically send or receive findings from Security Hub.

Cost optimization

You can try Security Hub at no charge with a 30-day free trial. The trial includes the complete Security Hub feature set and security best practice checks. Every AWS account in each Region that is enabled with Security Hub receives a free trial. The free trial will provide you an estimate of your monthly bill if you continue using Security Hub across the same accounts and regions. Security Hub also offers a perpetual free tier of 10,000 findings ingested per account per Region per month. Learn more about Security Hub pricing.

Security Hub is priced along three dimensions: the quantity of security checks, the quantity of ingested findings, and the quantity of rule evaluations processed per month. With AWS Organizations support, Security Hub allows you to connect multiple AWS accounts and consolidate findings across those accounts to enjoy tiered pricing for your entire organization’s security checks, finding ingestions, and automation rule evaluations.
Security Hub will automatically and continuously conduct best practice checks against pre-packaged security standards to evaluate the security posture of your AWS accounts and resources. For checks conducted against identical controls that are common across the different standards available in Security Hub, you will not be charged for duplicative checks; Security Hub will only charge you once.