Viewing details about a control finding and finding resource - AWS Security Hub

AWS Security Hub provides the following details for each control finding to help you investigate it:

  • A history of changes that users have made to the finding

  • A .json file for the finding

  • Information about the resource related to the finding

  • The configuration rule related to the finding

  • Notes that users have added to the finding

The following sections explain how to access these details.

Finding history

Finding history is a Security Hub feature that lets you track changes made to a finding during the last 90 days.

Finding history is available for control findings and other Security Hub findings. For more information, see Reviewing finding history.

Viewing the complete .json for a finding

You can display and download the full .json of a finding.

To display the .json, in the Finding .json column, choose the icon.

On the Finding JSON panel, to download the .json, choose Download.

Viewing information about a finding resource

The Resource column contains the resource type and resource identifier.

To display information about the resource, choose the resource identifier. For AWS accounts, if the account is an organization member account, then the information includes both the account ID and the account name. For accounts that were invited manually, the information only includes the account ID.

If you have permission to view the resource in its original service, then the resource identifier displays a link to the service. For example, for an AWS user, the resource details provide a link to view the user details in IAM.

If the resource is in a different account, Security Hub displays a message to notify you.

Viewing the configuration timeline for a finding resource

One avenue of investigation is the configuration timeline for the resource in AWS Config.

If you have permission to view the configuration timeline for the finding resource, then the finding list provides a link to the timeline.

Security Hub displays a message to notify you if the resource is in a different account.

To navigate to the configuration timeline in AWS Config
  1. In the Investigate column, choose the icon.

  2. On the menu, choose Configuration timeline. If you do not have access to the configuration timeline, then the link does not appear.

Viewing the AWS Config rule for a finding resource

If the control is based on an AWS Config rule, then you might also want to view the details for the AWS Config rule. The AWS Config rule information can help you better understand why a check passed or failed.

If you have permission to view the AWS Config rule for the control, then the finding list provides a link to the AWS Config rule in AWS Config.

Security Hub displays a message to notify you if the resource is in a different account.

To navigate to the AWS Config rule
  1. In the Investigate column, choose the icon.

  2. On the menu, choose Config rule. If you do not have access to the AWS Config rule, then Config rule is not linked.

Viewing notes for findings

If a finding has an associated note, then the Updated column displays a note icon.

To display the note that is associated with a finding

In the Updated column, choose the note icon.
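
The resource, AWS Config rule, and note shown in the console are also carried in the downloaded finding .json. The following added example (not part of the AWS documentation) pulls those fields out of a finding for offline triage. It assumes the file is in AWS Security Finding Format, that the rule name appears under the ProductFields keys RelatedAWSResources:N/type and RelatedAWSResources:N/name, and it runs on a constructed sample finding.

```python
import json

# Constructed sample in AWS Security Finding Format (ASFF); every value is made up.
SAMPLE = """
{"Id": "arn:aws:securityhub:us-east-1:111122223333:example-finding",
 "AwsAccountId": "111122223333",
 "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
 "Workflow": {"Status": "NEW"},
 "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::amzn-s3-demo-bucket"}],
 "ProductFields": {"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                   "RelatedAWSResources:0/name": "securityhub-example-rule-abc123"},
 "Note": {"Text": "Owner contacted", "UpdatedBy": "analyst",
          "UpdatedAt": "2024-01-01T00:00:00Z"}}
"""

def load_findings(text):
    """Accept one finding, a list, or a {"Findings": [...]} wrapper (assumed file shapes)."""
    data = json.loads(text)
    if isinstance(data, dict) and "Findings" in data:
        data = data["Findings"]
    return data if isinstance(data, list) else [data]

def config_rules(finding):
    """Return the names of AWS Config rules referenced in ProductFields."""
    fields = finding.get("ProductFields") or {}
    rules = []
    for key, value in fields.items():
        if (key.startswith("RelatedAWSResources:") and key.endswith("/type")
                and value == "AWS::Config::ConfigRule"):
            name = fields.get(key[:-len("/type")] + "/name")
            if name:
                rules.append(name)
    return rules

def summarize(finding):
    """Collect the investigation details for one finding; missing fields become None/[]."""
    return {
        "control": (finding.get("Compliance") or {}).get("SecurityControlId"),
        "compliance": (finding.get("Compliance") or {}).get("Status"),
        "workflow": (finding.get("Workflow") or {}).get("Status"),
        "account": finding.get("AwsAccountId"),
        "resources": [(r.get("Type"), r.get("Id")) for r in finding.get("Resources") or []],
        "config_rules": config_rules(finding),
        "note": (finding.get("Note") or {}).get("Text"),
    }

if __name__ == "__main__":
    for f in load_findings(SAMPLE):
        print(json.dumps(summarize(f), indent=2))
```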