Amazon Security Hub FAQs

General

    Amazon Security Hub is a unified cloud security solution that prioritizes your critical security issues and helps you respond at scale. It detects critical issues by automatically correlating and enriching security signals from multiple sources, such as posture management (Amazon Security Hub CSPM), vulnerability management (Amazon Inspector), and threat detection (Amazon GuardDuty). This allows security teams to surface and prioritize active risks in their cloud environment through automated analysis and contextual insights. Through intuitive visualizations, including threat trends and exposure summaries, Security Hub transforms complex security signals into actionable insights through near real-time risk analytics, so you can make more informed security decisions quickly. The solution also includes automated response workflows to streamline remediation at scale, helping you reduce security risks while improving team productivity and minimizing operational disruptions.

    Security Hub CSPM (Cloud Security Posture Management) provides automated security best practice checks to help you understand your overall security posture across your Amazon Web Services accounts. It delivers essential security posture signals that work together with other security capabilities to prioritize security issues and help you respond at scale.

    Security Hub has enhanced its capabilities, evolving from a centralized security findings aggregator and security posture management service to a comprehensive unified cloud security solution. What you previously knew as Security Hub, focused on aggregating security findings, security best practice checks, and compliance monitoring, is now available as Security Hub CSPM. Building on this foundation, Security Hub now automatically correlates security signals across multiple capabilities including vulnerability management (Amazon Inspector), threat detection (Amazon GuardDuty), and posture management (Amazon Security Hub CSPM). This enhanced correlation helps you identify critical security risks that might be missed when viewing findings in isolation. For example, Security Hub can now automatically detect when a publicly exposed resource with a critical vulnerability also has a misconfiguration, providing crucial context for prioritization and response. Everything you valued about security findings aggregation and posture management remains intact and is enhanced by these new capabilities. Your existing security checks, compliance monitoring, and integrations continue to work as before, while gaining powerful new features for correlation, analysis, threat trends, exposure summaries, and automated response. This evolution helps you protect your cloud environment by transforming multiple security signals into actionable insights through near real-time risk analytics, enabling faster and more informed security decisions.

    Amazon Security Hub has evolved from a cloud security posture management (CSPM) focused service to a unified cloud security solution. At GA, Security Hub delivers enhancements over the preview version, including near real-time risk analytics that provide enhanced risk context to enable faster, more informed security decisions, a trends dashboard that delivers visual analysis of exposure summaries and threat trend widgets, and unified enablement and management that streamlines operations with single-click setup across Regions and accounts to reduce configuration time and complexity. Security Hub is also introducing a streamlined pricing model that consolidates pricing across multiple services (Amazon Inspector, GuardDuty, Security Hub CSPM) to optimize cost management and improve budget predictability.

    • Unified security operations: Gain broader visibility across your cloud environment through centralized management in a unified cloud security solution.
    • Confident prioritization: Make informed decisions about your critical security issues through automated correlation and enhanced risk context.
    • Actionable security insights: Gain actionable insights through near real-time risk analytics, including threat trends and exposure summaries, to surface security risks specific to your environment.
    • Streamlined response at scale: Reduce response times with automated workflows to help protect your cloud environment.
    • Continuous security monitoring: Detect deviations from security best practices with automated security checks against industry standards and Amazon best practices.

    Amazon Security Hub compared with Amazon Security Hub CSPM:

    Primary use case
    • Security Hub: Unified cloud security solution to prioritize and help you respond to critical security issues, including security posture management
    • Security Hub CSPM: Security posture management through automated best practice checks

    Security signal analysis
    • Security Hub: Automated correlation across multiple security signals with enhanced context
    • Security Hub CSPM: Individual security checks against best practices and compliance standards

    Core features
    • Security Hub: Aggregation of findings; automated correlation and enrichment; exposure findings; attack path analysis; security-focused asset inventory; automated response workflows; security best practice checks; configuration assessment; unified enablement and management
    • Security Hub CSPM: Security best practice checks; configuration assessment; aggregation of findings

    Visualization and insights
    • Security Hub: Unified dashboard with customizable widgets; exposure summaries and threat trends; risk-based prioritization views; attack path visualization
    • Security Hub CSPM: Security posture (CSPM) scoring; list of security findings

    Response capabilities
    • Security Hub: Automated response workflows; Amazon EventBridge integration
    • Security Hub CSPM: Amazon EventBridge integration

    Data format
    • Security Hub: OCSF (Open Cybersecurity Schema Framework)
    • Security Hub CSPM: ASFF (Amazon Security Finding Format)

    Yes, you can use both Security Hub and Security Hub CSPM simultaneously. The enhanced Security Hub is a unified cloud security solution that uses Security Hub CSPM for posture management alongside other security services including Amazon Inspector, and Amazon GuardDuty. When you enable the enhanced Security Hub, it leverages Security Hub CSPM to provide automated security best practice checks and compliance monitoring, while adding advanced correlation, exposure findings, and automated response capabilities across these multiple security services. This approach allows you to maintain your existing Security Hub CSPM functionality while gaining the enhanced correlation and prioritization features of the unified Security Hub solution. While you can choose which capabilities to enable, we recommend using the complete unified solution to help you prioritize and respond to your critical security issues at scale through automated correlation and enhanced context across security signals.

    Security Hub enhances your security operations without disrupting existing workflows. You get a unified console experience that consolidates security findings from multiple services while maintaining full access to individual service consoles when needed. Key operational improvements include streamlined multi-account deployment through Amazon Organizations integration, centralized security findings management, and automated risk prioritization that helps your team focus on critical issues first. Your existing security processes and team workflows remain intact but become more efficient through consolidated visibility and simplified management.

    Security Hub streamlined pricing model consolidates charges from multiple Amazon Web Services security services under unified billing when you enable Security Hub. Instead of receiving separate bills for Amazon Inspector, GuardDuty, and Security Hub CSPM, you get consolidated pricing through Security Hub for included capabilities. The model has two main components: the Security Hub essentials plan (included automatically) provides risk analytics, vulnerability management, security posture management, and security response management, while the threat analytics plan (add-on) provides enhanced threat monitoring capabilities. When Security Hub is not enabled, these services use individual service pricing. See the Security Hub pricing page for more details.

Security Hub

    You have two deployment approaches:

    Unified security solution (recommended): At general availability (GA), Security Hub provides a unified enablement process and the ability to manage your preferences across multiple Amazon Web Services Regions and accounts from a single unified console.

    • Enable Security Hub with its essential services:
      • Security Hub CSPM for posture management
      • Amazon Inspector for vulnerability management (Amazon EC2 scanning, Amazon ECR container scanning, and Amazon Lambda standard scanning)
      • Amazon GuardDuty for threat detection

    Individual approach: Use security services independently while managing security findings separately. While this allows for targeted use cases, you'll need to manually correlate findings to identify and prioritize critical security risks. New features in the enhanced Security Hub such as exposure findings, trends, real-time risk analytics, and automated correlation analysis require the essential services (Security Hub CSPM and Amazon Inspector) to be enabled. Without these essential services, you won't be able to benefit from these security features.

    Choose the approach that best fits your specific security needs and preferences. However, the unified solution is recommended as it provides automated correlation and enhanced context across security signals, helping you prioritize and respond to security risks at scale.

    When you enable Security Hub, it automatically enables Security Hub CSPM in your account for posture management. The next step requires you to use the console flow, policies, or APIs to enable additional services in individual accounts or member accounts, including Amazon Inspector capabilities (Amazon EC2 scanning, Amazon ECR scanning, and Amazon Lambda standard scanning) for vulnerability management and threat detection analytics capabilities powered by Amazon GuardDuty. These services are essential for features in the enhanced Security Hub, such as exposure findings, trends, and automated correlation analysis, so while Security Hub CSPM is enabled automatically, you must take additional steps to enable Amazon Inspector and GuardDuty capabilities to fully benefit from unified security operations in Security Hub.

    Security Hub is a regional service, but supports cross-Region aggregation of findings via designation of an aggregator Region. Customers must enable Security Hub in each Region to view findings for that Region.

    The enhanced Security Hub does not require Amazon Config. However, Security Hub CSPM, which is a core capability of Security Hub, requires that you enable Amazon Config in your account and configure it to record resource configuration changes. Amazon Config needs to track these configuration changes to identify potential misconfigurations in your resources.

    No, Security Hub complements other Amazon Web Services security services by providing a unified view and advanced correlation capabilities. While Security Hub correlates and enriches findings from services like Amazon GuardDuty and Amazon Inspector, you may still need to use individual service consoles for specific configurations or detailed investigations. Security Hub provides a unified security solution with enhanced analytics and automated response capabilities across your entire cloud environment.

    Security Hub prioritizes your critical security issues and helps you respond at scale by automatically correlating and enriching security signals from multiple sources, such as threat detection and vulnerability management. Through this correlation, Security Hub surfaces and prioritizes active risks in your cloud environment, transforming complex security signals into actionable insights through intuitive visualizations and natural language summaries. This allows you to make more informed security decisions quickly while using automated response workflows to streamline remediation at scale. You can reduce security risks, improve your team's productivity, and minimize potential operational disruptions while maintaining comprehensive visibility into your security posture to protect your cloud environment.

    Security Hub correlates security findings to prioritize the critical issues in your cloud environment. By analyzing resource relationships and signals from services such as Amazon Inspector, Amazon Security Hub CSPM, and Amazon GuardDuty, the enhanced Security Hub automatically generates exposure findings to help you address your critical security issues. Exposure findings also help you visually understand how different resource relations, configurations, and associated findings combine to create potential attack paths. For example: "Potential Credential Stealing: Internet reachable EC2 instance with administrative instance profile has network-exploitable software vulnerabilities with a high likelihood of exploitation." You can get clear insights into potentially exploitable resources and make confident decisions about which issues to address first, helping you identify complex security scenarios that may be missed when viewing findings in isolation.

    Security Hub calculates exposure finding severity by analyzing and correlating multiple security traits across Amazon services. Instead of evaluating these factors in isolation, Security Hub uses a contextual approach, assigning a severity rating based on how these factors are correlated. For example, a resource with an identified vulnerability might receive a higher severity rating if it's exploitable from the internet. The traits considered are:
    • Ease of discovery: The availability of automated tools, such as port scans or internet searches, to discover the resource at risk.
    • Ease of exploit: The ease with which a threat actor can exploit the risk. For example, if there are open network paths or misconfigured metadata, a threat actor can more easily exploit the risk.
    • Likelihood of exploit: Security Hub uses both external signals, such as the Exploit Prediction Scoring System (EPSS), and internal threat intelligence to determine the probability that the risk will be exploited. This factor applies to exposure findings for Amazon Elastic Compute Cloud (EC2) instances and Amazon Lambda functions.
    • Awareness: The extent to which the risk is not merely theoretical but has publicly available or automated exploits. This factor applies to exposure findings for EC2 instances and Lambda functions.
    • Impact: The potential harm if the exploit is carried out. For example, an exposure could lead to loss of confidentiality from data exposure, loss of integrity from data corruption, loss of availability, or loss of accountability.

    Security Hub helps you visualize how vulnerabilities and misconfigurations might be chained together to create potential attack paths to critical resources. Through automated correlation of security signals, Security Hub identifies these potential paths, helping you understand which critical resources could be impacted and the scope of potential exposure. This insight enables you to prioritize remediation efforts and help protect your critical resources before risks can be exploited.

    Security Hub provides a unified view of your Amazon Web Services resources that combines security posture, configuration details, and application context. You can identify internet-reachable assets and their associated security findings through a single consolidated view. This helps you prioritize your critical security issues and respond at scale by enabling streamlined security analysis across your resource types.

    Security Hub helps you respond to critical security issues at scale through automated workflows and integration with existing ticketing systems. By transforming security signals into actionable insights and providing automated response capabilities, Security Hub helps you reduce security risks while improving team productivity and minimizing operational disruptions.

    Findings differ between Security Hub and Security Hub CSPM in four key aspects: their sources, types, format, and event delivery.

    • Sources of findings: Security Hub receives findings from Security Hub CSPM (findings from security checks), Amazon GuardDuty, and Amazon Inspector. Security Hub CSPM receives findings from several Amazon Web Services services such as Amazon Config, Amazon WAF, Amazon GuardDuty, Amazon Inspector, third-party partner tools, and your custom findings.
    • Types of findings: While both receive findings from integrated security services, the enhanced Security Hub also generates exposure findings by correlating security signals from Amazon Security Hub CSPM and Amazon Inspector to identify critical security risks. These exposure findings provide enhanced context through automated correlation across multiple security signals.
    • Format of findings: The enhanced Security Hub uses the OCSF (Open Cybersecurity Schema Framework) format, while Security Hub CSPM uses the ASFF (Amazon Security Finding Format). This difference in format reflects their distinct approaches to security finding management and analysis.
    • Event delivery: Security Hub CSPM findings come through Amazon EventBridge with a detail type of "Security Hub Findings - Imported." Security Hub findings come through EventBridge with a detail type of "Findings Imported V2." A rule written for one detail type does not match the other, so consumers that need both streams must match both.

    The enhanced Security Hub does not receive findings from third-party partner tools. However, you can continue to use Security Hub CSPM integrations with Amazon Web Services partner tools to send, receive, and update findings within Security Hub CSPM. This allows you to maintain your existing partner tool workflows while benefiting from the enhanced correlation and prioritization capabilities for Amazon native security service findings.

    No, only the resource types that can be evaluated by our security services (Security Hub CSPM, Amazon Inspector, or GuardDuty) are available within the resource list. However, all individual resources within these resource types are included in the list. The Security Hub resource list view provides a security-focused resource inventory that displays supported resources along with their associated vulnerabilities, threats, and traits. This targeted view helps you identify and prioritize critical resources, for example, by displaying all publicly exposed assets across your cloud environment.

    Security Hub accelerates response by providing automated workflows and integration with existing ticketing systems, helping you efficiently address security issues. It leverages the standardized Open Cybersecurity Schema Framework (OCSF) format, enabling seamless integration with your existing security tools, including SIEM, SOAR, and ticketing systems. You can set up automated response actions or trigger alerts in your preferred communication channels. This integration helps you efficiently address security issues, reducing response times and minimizing manual effort in your security operations.
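    As an added example (not code from this FAQ page or from Amazon), the following Python shows how one consumer can handle both EventBridge streams described in the "Event delivery" point above and turn them into the format-neutral ticket records that the SIEM, SOAR and ticketing integrations above expect. The event envelope (source "aws.securityhub", the two detail types, and a "findings" list under "detail") follows the detail types this FAQ names; the ASFF field names are the standard ones, while the OCSF field names used here (finding_info, severity, cloud.account.uid, resources[].uid) are assumptions about the V2 payload to verify against a real event. Every account number, ARN, title and finding ID in the sample events is constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# EventBridge rule patterns, in the shape you would pass to put-rule
# --event-pattern. Only the two detail types named in the FAQ are matched.
RULE_PATTERNS = {
    "cspm-asff": {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
    },
    "securityhub-ocsf": {
        "source": ["aws.securityhub"],
        "detail-type": ["Findings Imported V2"],
    },
}

# Severity labels on one scale. ASFF uses upper-case labels, OCSF uses
# title-case names; both are upper-cased before lookup so they compare.
SEVERITY_RANK = {
    "UNKNOWN": 0, "INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2,
    "HIGH": 3, "CRITICAL": 4, "FATAL": 5,
}


@dataclass(frozen=True)
class Ticket:
    """Format-neutral record handed to a ticketing system or SIEM."""
    source_format: str        # "ASFF" or "OCSF"
    finding_id: str
    title: str
    severity: str             # upper-case label on the SEVERITY_RANK scale
    account_id: str
    resource_ids: tuple[str, ...]


def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge semantics for exact-value patterns: every pattern
    key must be present in the event with a value from the allowed list."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def from_asff(finding: dict) -> Ticket:
    """Map the ASFF fields Security Hub CSPM emits to a Ticket."""
    return Ticket(
        source_format="ASFF",
        finding_id=finding["Id"],
        title=finding["Title"],
        severity=finding["Severity"]["Label"].upper(),
        account_id=finding["AwsAccountId"],
        resource_ids=tuple(r["Id"] for r in finding.get("Resources", [])),
    )


def from_ocsf(finding: dict) -> Ticket:
    """Map OCSF finding fields to a Ticket. The field names used here are
    assumptions about the V2 payload; verify them against a real event."""
    return Ticket(
        source_format="OCSF",
        finding_id=finding["finding_info"]["uid"],
        title=finding["finding_info"]["title"],
        severity=finding["severity"].upper(),
        account_id=finding["cloud"]["account"]["uid"],
        resource_ids=tuple(r["uid"] for r in finding.get("resources", [])),
    )


def route(event: dict, min_severity: str = "HIGH") -> list[Ticket]:
    """Pick the parser from the detail type, then keep only findings at or
    above min_severity. Events from other sources yield no tickets."""
    if matches(RULE_PATTERNS["cspm-asff"], event):
        parse = from_asff
    elif matches(RULE_PATTERNS["securityhub-ocsf"], event):
        parse = from_ocsf
    else:
        return []
    threshold = SEVERITY_RANK[min_severity.upper()]
    tickets = (parse(f) for f in event.get("detail", {}).get("findings", []))
    return [t for t in tickets if SEVERITY_RANK.get(t.severity, 0) >= threshold]


# Constructed sample events: the envelopes use the two detail types named in
# the FAQ; every ID, title and account number below is made up for this example.
ASFF_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/0001",
        "Title": "S3 general purpose buckets should block public read access",
        "Severity": {"Label": "CRITICAL"},
        "AwsAccountId": "111122223333",
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
    }]},
}

OCSF_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Findings Imported V2",
    "detail": {"findings": [
        {
            "severity": "High",
            "finding_info": {"uid": "exposure-0001",
                             "title": "Potential Credential Stealing: Internet reachable EC2 instance with administrative instance profile"},
            "cloud": {"account": {"uid": "111122223333"}},
            "resources": [{"type": "AWS::EC2::Instance",
                           "uid": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}],
        },
        {
            "severity": "Low",
            "finding_info": {"uid": "exposure-0002", "title": "Lambda function reachable from the internet"},
            "cloud": {"account": {"uid": "111122223333"}},
            "resources": [{"type": "AWS::Lambda::Function",
                           "uid": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"}],
        },
    ]},
}

if __name__ == "__main__":
    for event in (ASFF_EVENT, OCSF_EVENT):
        for ticket in route(event):
            print(ticket)
```

    In a Lambda target the handler would call route(event) on the incoming event and open or update a ticket per returned record; because both parsers emit the same Ticket shape, the downstream integration does not need to know which service produced the finding, and the min_severity threshold gives you one place to decide which findings are worth a page.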

    The ability to have different Delegated Administrators in Security Hub depends on your current configuration. Here are the different scenarios:

    • If Security Hub CSPM has defined the Delegated Administrator account as the organization management account then Security Hub can set the Delegated Administrator account to an account of your choosing.
    • If Security Hub CSPM does not have a Delegated Administrator account defined then Security Hub can set the Delegated Administrator to an account of your choosing.
    • If Security Hub CSPM has defined the Delegated Administrator account as an account other than the organization management account then Security Hub will automatically set the Delegated Administrator account to the same account as Security Hub CSPM. Any changes to the Delegated Administrator account for either service will apply to both services.

    To maintain consistent governance and least-privileged access control, we recommend using the same Delegated Administrator for all security capabilities including Security Hub, Security Hub CSPM, GuardDuty, and Amazon Inspector.

    Amazon Security Hub uses Amazon Organizations policies to manage enablement and configuration of Security Hub across your organization member accounts. You will not be able to use central configuration for Amazon Security Hub, however you can continue to use central configuration for Amazon Security Hub CSPM.

    When using Security Hub and Security Hub CSPM together, it is recommended that you migrate any automation rules in CSPM to Security Hub when the rule applies to finding sources that are also present in Security Hub. This ensures that there is visibility in Security Hub to the final finding state and also ensures there is no conflicting use of rules for the same finding type in CSPM and Security Hub. 

Security Hub CSPM

    CSPM is a practice by which to identify misconfiguration issues and compliance risks across workloads, accounts, and resources to maintain your cloud security posture. Security Hub CSPM is the Amazon Web Services service for CSPM that performs security best practice checks, aggregates alerts, and helps enable automated remediation across your Amazon Web Services accounts, workloads, and resources.

    When you open the Security Hub CSPM console for the first time, simply choose Get Started, and then choose Enable. Security Hub CSPM uses a service-linked role that includes the permissions and trust policy that it requires to detect and aggregate findings, and to configure the requisite Amazon Config infrastructure needed to run security checks. Many Security Hub CSPM controls require Amazon Config to be activated in order to run security checks in an account.

    An insight is a collection of related findings. Security Hub CSPM offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify Amazon Elastic Compute Cloud (Amazon EC2) instances that are missing security patches for important vulnerabilities or Amazon Simple Storage Service (Amazon S3) buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your Amazon Web Services environment.

    A security standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub CSPM conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. Once Security Hub CSPM is enabled, it immediately begins running continuous and automated security checks for each control and against each relevant resource associated with the control. Visit Security Hub CSPM standards reference for details on supported standards and related controls.

    The Amazon Foundational Security Best Practices standard is a set of controls developed by Amazon Security in collaboration with relevant service teams that have specific Amazon Web Services product knowledge. These controls detect when your Amazon Web Services accounts and resources deviate from security best practices. The standard lets you continuously evaluate all of your Amazon Web Services accounts and workloads to quickly identify areas of deviation from best practices. It provides actionable and prescriptive guidance about how to improve and maintain your organization’s security posture. The controls include security best practices for resources from multiple Amazon Web Services services, and each control is assigned a category that reflects the security function that it applies to.

    Security Hub CSPM analyzes your security alerts, or findings, from several Amazon Web Services services, including: Amazon Config, Amazon GuardDuty, Amazon Health, Amazon Inspector, Amazon Firewall Manager, Amazon IAM Access Analyzer, and Amazon IoT Device Defender. In addition, refer to the list of available third-party partner product integrations that are integrated with Security Hub CSPM and support the ASFF findings format.

    Getting started with the enhanced Security Hub is easy, especially if you are already using other Amazon security services. The enhanced Security Hub features unified enablement with single-click setup across Regions and accounts, reducing configuration complexity. When you enable Security Hub, it automatically enables Security Hub CSPM for posture management; the same enablement flow (console, policies, or APIs) lets you turn on the remaining essential services: Amazon Inspector capabilities (Amazon EC2 scanning, Amazon ECR scanning, and Amazon Lambda standard scanning) for vulnerability management, and Amazon GuardDuty for threat detection analytics. Enabling all of them provides complete security coverage and lets you fully benefit from the automated correlation capabilities of Security Hub. You can enable the enhanced Security Hub through the newly designed console or APIs. The process is designed to be seamless, allowing you to enhance visibility into your security posture without disrupting your current operations.

    Yes, you can continue using Security Hub CSPM if your primary need is to evaluate your Amazon Web Services resources against security best practices. However, we recommend exploring the enhanced Security Hub to prioritize and help you respond to your critical security issues at scale. The enhanced Security Hub automatically correlates and enriches security signals across multiple capabilities, transforms them into actionable insights, and provides automated response workflows. This helps you reduce security risks, improve your team's productivity, and minimize potential operational disruptions while maintaining comprehensive visibility into your security posture.

    Yes. Security Hub CSPM creates a score to show you how you're doing against security standards and displays it on the main Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. Security Hub CSPM shows how the control was evaluated and informational best practices on how to mitigate the issue.

    No. Security Hub CSPM is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub CSPM. Security Hub CSPM security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.

    Yes. Security Hub CSPM allows you to customize your security checks to suit your organization's specific needs. This can be done by customizing control parameters. For example, you can define what a strong IAM password means, or what the maximum period of time should be before unused credentials are removed or unused instances are stopped.

    NIST SP 800-53 Rev. 5 is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that is part of the U.S. Department of Commerce. Security Hub CSPM provides controls that support select NIST SP 800-53 requirements. These controls are evaluated through automated security checks. Security Hub CSPM documentation provides details on the specific controls and how each check maps to specific NIST SP 800-53 requirements.

    The Payment Card Industry Data Security Standard (PCI DSS) in Security Hub CSPM consists of a set of Amazon security best practices controls. Each control applies to a specific Amazon Web Services resource and relates to one or more PCI DSS requirements. Security Hub CSPM now supports both PCI DSS version 3.2.1 and version 4.0.1. Security Hub CSPM documentation provides details on how Security Hub CSPM’s PCI DSS checks map to specific PCI DSS requirements.

    Yes, you can use both Security Hub and Security Hub CSPM simultaneously. The enhanced Security Hub is a unified cloud security solution that includes services (Security Hub CSPM and Amazon Inspector) and integrates with additional services (Amazon GuardDuty) to help you protect your cloud environment. While you can choose which services to enable, we recommend using the complete unified solution to help you prioritize and respond to your critical security issues at scale through automated correlation and enhanced context across security signals.