Amazon Security Hub features

Amazon Security Hub collects and consolidates findings from Amazon Web Services security services enabled in your environment, such as noncompliant EC2 instances from Amazon Systems Manager Patch Manager and publicly accessible and cross-account resources from IAM Access Analyzer. All findings are stored for at least 90 days within Amazon Security Hub.

Amazon Security Hub can automatically aggregate security and/or receive findings from supported Amazon Web Services Partner Network (APN) security solutions, so you can have a comprehensive view of security and compliance across your Amazon environment.

The Amazon Security Hub partners listed in the service documentation are APN Technology Partners who have passed additional validation from the Security Hub team for sending findings to Security Hub or receiving findings from Security Hub. Note that all use of the term "partner" herein refers exclusively to a member of the Amazon Web Services Partner Network (APN).

Security Hub provides automated, continuous resource-level configuration and security checks using industry standards and best practices. For example, Amazon Security Hub automates the Payment Card Industry Data Security Standard (PCI DSS) and the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark, a set of security configuration best practices for Amazon Web Services. If any of your accounts or resources deviate from a best practice, Amazon Security Hub flags the problem and recommends remediation steps.

Security Hub offers customers a set of automated security controls called the Amazon Web Services Foundational Security Best Practices standard. This is a highly curated set of security best practices vetted by our Amazon Web Services security experts. It is our recommendation that this standard is enabled across all accounts and regions.

Security findings from Amazon Web Services services such as Amazon  Systems Manager Patch Manager and IAM Access Analyzer are collected in Security Hub using a standardized Amazon Web Services Security Findings Format. Partner integrations use the same standardized findings format, eliminating time-consuming data parsing and normalization tasks. Now you can focus on prioritizing and acting on these consolidated findings.

Amazon Security Hub integrates with Amazon CloudWatch events, enabling you to create custom response and remediation workflows. You can easily send findings to SIEMs, chat tools, ticketing systems, Security Orchestration Automation and Response (SOAR) tools, and on-call management platforms. Response and remediation actions can be fully automated or they can be triggered manually in the console. You can also use Amazon System Manager Automation documents, Amazon Web Services Step Functions, and Amazon Lambda functions to build automated remediation workflows that can be initiated from Security Hub.

You can connect multiple Amazon Web Services accounts and consolidate findings across those accounts with a few clicks in the Amazon Security Hub console. By designating an administrator account, you can enable your security team to see consolidated findings for all accounts, while individual account owners see only findings associated with their account. Integration with Amazon Organizations allows you to automatically enable any account in your organization with Security Hub and the Amazon Web Services Foundational Security Best Practices standard.

Amazon Security Hub allows you to designate an aggregator Region and link your other Region to that aggregator Region to give you a centralized view of all your findings across all your accounts and all your linked Regions. After linking a Region to the aggregator Region, your findings are continuously synced between the Regions, so that any update made to a finding in one Region is replicated to the other Region. Your Security Hub administrator or delegated administrator account in your aggregator Region can view and manage all of your findings. Individual Security Hub member accounts in the aggregator Region can also view and manage all of their findings across all linked Regions. Your Amazon EventBridge feed in your administrator account and aggregator Region also now includes all your findings across all member accounts and linked Regions, which allows you to simplify integrations with ticketing, chat, incident management, logging, and auto-remediation tools by consolidating those integrations into your aggregator Region.

Security insights are grouped findings that highlight emerging trends or possible issues. For example, insights help to identify EC2 instances that are missing security patches for important vulnerabilities, or S3 buckets with public read or write permissions. Amazon Security Hub’s predefined (i.e., managed) insights are designed to quickly flag the resources and accounts of most concern.

Create and customize your own insights, tailored to your specific security and compliance needs. You can base custom insights on the predefined security insights offered by Amazon Security Hub or start from scratch. For example, you can create an insight to identify EC2 instances tagged as “production” that don't meet security standards.

Monitor your security posture and quickly identify security issues and trends using Amazon Security Hub’s summary dashboard. For example, you can drill down into a trendline graph to discover that a set of Amazon EC2 instances with a high number of findings were all created using the same Amazon Machine Images (AMI).