Amazon Security Hub FAQs

Q: What is Amazon Security Hub?

Amazon Security Hub provides you with a comprehensive view of your security state within Amazon Web Services and your compliance with security standards and best practices. Security Hub centralizes and prioritizes security findings from across Amazon Web Services accounts, services, and supported third-party partners to help you analyze your security trends and identify the highest priority security issues.

Q: What are the key benefits of Amazon Security Hub?

Amazon Security Hub eliminates the complexity and reduces the effort of managing and improving the security of your Amazon Web Services accounts and workloads. Amazon Security Hub is enabled within a particular region in minutes and the service helps you answer fundamental security questions you may have on a daily basis.

Key benefits include:
Save time with centralized and normalized findings - Security Hub collects findings from the security services enabled across your Amazon Web Services accounts, such as noncompliant EC2 instances from Amazon Systems Manager Patch Manager and identification of public resources from Amazon IAM Access Analyzer. Security Hub also collects findings from partner security products using a standardized Amazon Web Services Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate a master account that can see all findings across their accounts.

Improve security with automated checks - Security Hub generates its own findings by running continuous and automated account and resource-level configuration checks against the rules in the supported industry best practices and standards (for example, the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark).

Quickly take actions on findings - Security Hub aggregates findings into pre-built dashboards that provide bar graphs, line charts, and tables that show you the current security status of your environment as well as trends. Now you can easily identify potential issues, and take the necessary next steps. For example, you can send findings to ticketing, chat, email, or automated remediation systems using integration with Amazon CloudWatch Events.

Q: How much does Amazon Security Hub cost?

Please see the Amazon Security Hub pricing page for latest pricing information. Note that Amazon Config is required to be enabled in the account(s) using Security Hub. Amazon Security Hub security checks use the configuration items recorded by Amazon Config. If you are not already using Amazon Config, please see the Config pricing page for the latest information on the price per configuration item recorded. There is no additional charge for the Amazon Config rules enabled by Security Hub security checks.

Q: Is Amazon Security Hub a regional or global service?

Amazon Security Hub is a regional service. This ensures all findings data analyzed is regionally based and doesn’t cross Amazon Web Services regional boundaries. Customer must enable Security Hub in each region to view findings in that region.

Q: What regions does Amazon Security Hub support?

The regional availability of Amazon Security Hub is listed here: Amazon Region Table, including availability in the Amazon Web Services China (Beijing) Region operated by Sinnet and in the Amazon Web Services China (Ningxia) Region operated by NWCD.

Q: What partners work with Amazon Security Hub?

There are many technology partners that support the standardized findings format and have integrated with Amazon Security Hub. See  Amazon Web ServicesSecurity Hub partners.

Q: How do I enable Amazon Security Hub?

When you open the Security Hub console for the first time, simply choose Get Started, and then choose Enable. Amazon Security Hub uses a service-linked role that includes the permissions and trust policy that Security Hub requires to detect and aggregate findings, and to configure the requisite Amazon Config infrastructure needed to run security checks. In order for Security Hub to run security checks in an account, you must have Amazon Config enabled in that account.

Q: Does Amazon Security Hub help manage security across multiple Amazon Web Services accounts?

Yes, you can manage multiple accounts within a region by configuring the multi-account hierarchy within Security Hub.

Q: What is a finding?

A finding is a potential security issue. Security Hub aggregates, normalizes, and prioritizes security alerts, or findings, from Amazon Web Services and third-party services, as well as generating its own findings as the result of running continuous and automated configuration checks. A finding ingestion event is when a new finding is ingested into Security Hub or when a finding update is ingested into Security Hub.

Q: What is an insight?

An insight is a collection of related findings. Security Hub offers managed insights using filters that you can further tailor for your unique environment. For example, insights help to identify EC2 instances that are missing security patches for important vulnerabilities, or S3 buckets with public read or write permissions. Managed and custom Security Hub insights help you track security issues in your Amazon Web Services environment.

Q: What is a security standard vs. a control vs. a security check?

A security standard is a collection of controls based on regulatory frameworks or industry best practices. Security Hub conducts automated security checks against controls. Each security check consists of an evaluation of a rule against a single resource. A single control may involve multiple resources (e.g., IAM users) and a security check is performed against each resource. For example, Security Hub supports the CIS Amazon Web Services Foundations Benchmark standard, which consists of 43 controls. Once Security Hub is enabled, it immediately begins running continuous and automated security checks against each control and each relevant resource associated with the control.

Q: What findings sources does Amazon  Security Hub analyze?

Amazon Web Services Security Hub analyzes your security alerts, or findings, from these Amazon Web Services services: Amazon Systems Manager Patch Manager and IAM Access Analyzer. In addition, see the list of Amazon Security Hub Partner solutions that are integrated with Security Hub and support the standardized findings format.

Q: How are Amazon Config and Amazon Config rules related to Amazon Security Hub?

Amazon  Security Hub is a security and compliance service that provides security and compliance posture management, as a service. It uses Amazon Config and Config rules as its primary mechanism to evaluate the configuration of Amazon Web Services resources. Amazon Config rules can also be used to evaluate resource configuration directly.

Q: When do I use Amazon Security Hub and Amazon Config conformance packs?

If a compliance standard, such as the Payment Card Industry Data Security Standard (PCI-DSS), is already present in Amazon Security Hub, then the fully managed Amazon Security Hub service is the easiest way to operationalize it. You can can build automated or semi-automated remediation actions using Security Hub’s Amazon CloudWatch events integration. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, Amazon Config conformance packs are the way to go. Amazon Config conformance packs simplify management of Amazon Config rules by packaging a group of Amazon Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the Amazon Config conformance samples we provide, and customize as you see fit.

Q: Do both Amazon Security Hub and Amazon Config conformance packs support continuous monitoring?

Yes, both Amazon Security Hub and Amazon Config conformance packs support continuous monitoring of compliance, given their reliance on Amazon Config and Config rules. The underlying Amazon Config rules can be triggered either periodically or upon detecting changes to the configuration of resources. This enables you to continuously audit and assess the overall compliance of your Amazon Web Services resource configurations with your organization’s policies and guidelines.

Q: How can I see what are my most important security issues in Amazon Security Hub?

There are multiple ways to see your most important security issues. The Security Hub dashboard provides views on which resources have the most findings, how your volume of security findings are evolving over time, which insights are generating the most findings. You can go to the insights page and use the managed insights to identify high priority issues. You can also create your own custom insights.

Q: Can Security Hub tell me how I measure against security best practices or security standards?

Yes. Security Hub creates a score to show you how you're doing against security standards and displays it on the main Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.

Q: If I score 100% on a security standard, does that mean that I will pass an audit for that security standard?

No. Security Hub is focused on automated security checks. Most security standards have various controls that can’t be checked in an automated fashion, and those are out of scope for Security Hub. Security Hub security checks can help you prepare for an audit, but they do not imply that you would pass an audit associated with the security standard.

Q: How can Security Hub prioritize the security data that I need the most?

Security Hub uses two mechanisms to help prioritize findings: insights and security standards. Insights are grouped or correlated findings that help you identify higher priority findings faster. Examples of insights are “Show me all my EC2 instances potentially infected with malware” and “Show me any possible cases of data exfiltration on EC2 instances.”

Security standards are sets of controls that are based on regulatory requirements or best practices. Amazon Web Services has defined specific security checks (that align to the controls within standards. An example of a supported Security Hub standard is the CIS Amazon Web Services Foundations Benchmark.

Q: How can Security Hub integrate with my existing security operations and remediation processes?

Security Hub supports workflow options by enabling the export of findings via CloudWatch events. You can use CloudWatch events to setup integrations with chat systems, automated remediation pipelines via Amazon Lambda, Amazon Systems Manager Automation documents, or Amazon Web Services Step Functions, SIEMs such as IBM QRadar, and ticketing systems.

Q: Will Security Hub replace the consoles of our other security services, such as Amazon IAM Access Analyzer?

No. Security Hub is complementary and additive to the Amazon Web Services security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialized features available within each security service.

Q: I deployed the CIS Amazon Web Services Foundations Benchmark QuickStart, but the Security Hub CIS Security Standard is showing that I am failing some checks, why is that?

The QuickStart solution is designed as a single account and single region template for some hardening controls that cover checks 1.1, 2.1 through 2.7, and 3.1 through 3.14. The QuickStart includes a pre-requisite template that deploys a trail in a single region only. Since the CIS checks 1.1, 2.1 through 2.5, 2.7, and 3.1 through 3.14 require a multi-region trail, these checks fail in Security Hub CIS Security Standard. [Note that the CIS QuickStart solution implements hardening controls for only the following checks: 1.1, 2.1 through 2.7, and 3.1 through 3.14. The remaining checks are not addressed by the CIS QuickStart.] In addition, the QuickStart “Monitoring” checks 3.2, 3.4, 3.5, and 3.8 through 3.14 are implemented using CloudWatch events instead of CloudWatch metric filters, which also causes failures of these checks in Security Hub CIS Security Standard.

Q: What are the specific controls of PCI DSS supported by Security Hub?

The Payment Card Industry Data Security Standard (PCI DSS) standard in Security Hub consists of a set of Amazon Web Services security best practices controls. Each control applies to a specific Amazon Web Services resource, and relates to one or more PCI DSS version 3.2.1 requirements. Security Hub’s documentation provides details on how Security Hub’s PCI DSS checks map to specific PCI DSS requirements.