Coverage findings in Security Hub
Note: Security Hub is in preview release and is subject to change.
Coverage findings for Security Hub provide visibility into which AWS security features are enabled, and where there might be gaps in coverage, in a standalone account or across an organization's AWS environment. Enabling additional security features enhances the detection capabilities of Security Hub. Coverage findings evaluate which GuardDuty, Amazon Inspector, Macie, and Security Hub CSPM features are enabled for an account. These findings appear as a widget on the Security Hub dashboard, with the ability to drill down into more detailed views by specific security capability. For the delegated administrator, this widget shows the coverage breakdown across all Security Hub-enabled accounts.
Limitations
- For member accounts, coverage information is aggregated across linked AWS Regions, but only for that member account.
- Coverage information is not shown for accounts that are not onboarded to Security Hub.
- Coverage only indicates whether an AWS service is enabled, not whether specific features in that service are enabled.
Coverage findings for Security Hub CSPM
Security Hub CSPM coverage findings assess whether a qualifying posture management security standard is enabled in an account. Enabling any Security Hub CSPM standard qualifies, with the exception of the AWS Control Tower and Resource Tagging standards.
When Security Hub CSPM is first enabled, it can take up to 24 hours for the standards it enables by default to be detected.
Coverage findings for GuardDuty
GuardDuty coverage findings assess whether GuardDuty is enabled and which GuardDuty features are enabled in an AWS account:
- Malware Protection for Amazon EC2 – Scans Amazon EC2 instances for potential malware
- Amazon EKS Protection – Monitors Kubernetes audit logs for threats in Amazon EKS clusters
- Lambda Protection – Analyzes Lambda function invocations for potential threats
- Amazon S3 Protection – Analyzes data events for potential threats to Amazon S3 buckets
- Amazon RDS Protection – Monitors for threats to Amazon RDS databases
- Runtime Monitoring – Provides real-time monitoring of runtime behavior in Amazon EC2 instances
It can take up to 24 hours for updates to GuardDuty coverage to reflect across all member accounts in an organization.
Coverage findings for Amazon Inspector
Amazon Inspector coverage findings assess whether Amazon Inspector is enabled and which features are enabled in an account:
- Amazon EC2 Scanning – Scans Amazon EC2 instances for vulnerabilities
- Amazon ECR Scanning – Scans container images in Amazon ECR for vulnerabilities
- Lambda Standard Scanning – Scans Lambda functions for vulnerabilities
- Lambda Code Scanning – Scans Lambda function code for code vulnerabilities
- Amazon Inspector Code Security – Scans first-party application source code, third-party application dependencies, and Infrastructure as Code for vulnerabilities
Coverage findings for Macie
Macie coverage findings are assessments that indicate whether Macie is enabled across AWS accounts.
It can take up to 24 hours for updates to Macie automated sensitive data discovery to reflect across all member accounts in an organization.
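The coverage widget answers one question per capability: is this service (and, for GuardDuty and Inspector, this feature) enabled in the account? The following is an added example, not AWS code and not part of this page, that reproduces that assessment for the four sections above from the raw service API responses, so an operator can compare the widget against what the account actually reports, or run the same check in an account that is not yet onboarded to Security Hub. The pure functions work on constructed sample responses shaped like the real `GetEnabledStandards`, `GetDetector`, `BatchGetAccountStatus` and `GetMacieSession` outputs; `collect_from_aws` shows the corresponding live calls with boto3 and is never invoked by the sample. The ARN substrings used to exclude the Control Tower and Resource Tagging standards, and the mapping from GuardDuty feature names to the protection plans named on the page, are this example's assumptions; Inspector Code Security is not checked because it does not appear in the `resourceState` fields used here.

```python
"""Reproduce Security Hub coverage findings from service API responses.
Added example; assumptions are marked in comments."""
from __future__ import annotations

# The page says these two standards do NOT qualify as CSPM coverage.
# The ARN slugs are an assumption about how the standards are named.
NON_QUALIFYING_STANDARD_SLUGS = (
    "service-managed-aws-control-tower",
    "aws-resource-tagging-standard",
)

# Assumed mapping from GetDetector feature names to the page's protection plans.
GUARDDUTY_FEATURES = {
    "EBS_MALWARE_PROTECTION": "Malware Protection for Amazon EC2",
    "EKS_AUDIT_LOGS": "Amazon EKS Protection",
    "LAMBDA_NETWORK_LOGS": "Lambda Protection",
    "S3_DATA_EVENTS": "Amazon S3 Protection",
    "RDS_LOGIN_EVENTS": "Amazon RDS Protection",
    "RUNTIME_MONITORING": "Runtime Monitoring",
}

# BatchGetAccountStatus resourceState keys mapped to the page's scan types.
INSPECTOR_SCANS = {
    "ec2": "Amazon EC2 Scanning",
    "ecr": "Amazon ECR Scanning",
    "lambda": "Lambda Standard Scanning",
    "lambdaCode": "Lambda Code Scanning",
}


def cspm_covered(enabled_standards: dict) -> bool:
    """True if at least one READY standard other than the excluded two is enabled."""
    for sub in enabled_standards.get("StandardsSubscriptions", []):
        if sub.get("StandardsStatus") != "READY":
            continue
        arn = sub.get("StandardsArn", "")
        if any(slug in arn for slug in NON_QUALIFYING_STANDARD_SLUGS):
            continue
        return True
    return False


def guardduty_coverage(detector: dict | None) -> dict[str, bool]:
    """Per-plan coverage from a GetDetector response; None means no detector exists."""
    result = {label: False for label in GUARDDUTY_FEATURES.values()}
    if not detector or detector.get("Status") != "ENABLED":
        return result  # a disabled or missing detector covers nothing
    for feature in detector.get("Features", []):
        label = GUARDDUTY_FEATURES.get(feature.get("Name"))
        if label:
            result[label] = feature.get("Status") == "ENABLED"
    return result


def inspector_coverage(account_status: dict) -> dict[str, bool]:
    """Per-scan coverage from one entry of BatchGetAccountStatus 'accounts'."""
    result = {label: False for label in INSPECTOR_SCANS.values()}
    if account_status.get("state", {}).get("status") != "ENABLED":
        return result
    states = account_status.get("resourceState", {})
    for key, label in INSPECTOR_SCANS.items():
        result[label] = states.get(key, {}).get("status") == "ENABLED"
    return result


def macie_covered(session: dict | None) -> bool:
    """GetMacieSession reports ENABLED or PAUSED; None models the call failing
    with AccessDeniedException, which is what happens when Macie is not enabled."""
    return bool(session) and session.get("status") == "ENABLED"


def evaluate_account(standards, detector, inspector_status, macie) -> dict[str, bool]:
    """Flatten all four assessments into one capability -> covered map."""
    report = {"Security Hub CSPM": cspm_covered(standards), "Macie": macie_covered(macie)}
    report.update({f"GuardDuty: {k}": v for k, v in guardduty_coverage(detector).items()})
    report.update({f"Inspector: {k}": v for k, v in inspector_coverage(inspector_status).items()})
    return report


def coverage_gaps(report: dict[str, bool]) -> list[str]:
    """Capabilities the widget would show as not covered."""
    return sorted(name for name, covered in report.items() if not covered)


def collect_from_aws(region: str, account_id: str) -> dict[str, bool]:
    """Live variant for one Region (needs credentials; not run by the sample below)."""
    import boto3  # imported lazily so the module runs offline without boto3
    from botocore.exceptions import ClientError
    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    detector = gd.get_detector(DetectorId=ids[0]) if ids else None
    insp = boto3.client("inspector2", region_name=region)
    accounts = insp.batch_get_account_status(accountIds=[account_id]).get("accounts", [])
    try:
        macie = boto3.client("macie2", region_name=region).get_macie_session()
    except ClientError:
        macie = None
    standards = boto3.client("securityhub", region_name=region).get_enabled_standards()
    return evaluate_account(standards, detector, accounts[0] if accounts else {}, macie)


# Constructed sample responses: CSPM with FSBP plus the non-qualifying tagging
# standard, a detector with S3 and Runtime Monitoring on, Inspector with only
# EC2/ECR scanning on, and Macie not enabled (call failed -> None).
SAMPLE_STANDARDS = {"StandardsSubscriptions": [
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-resource-tagging-standard/v/1.0.0", "StandardsStatus": "READY"},
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsStatus": "READY"},
]}
SAMPLE_DETECTOR = {"Status": "ENABLED", "Features": [
    {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
    {"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"},
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED"},
]}
SAMPLE_INSPECTOR = {"state": {"status": "ENABLED"}, "resourceState": {
    "ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"},
    "lambda": {"status": "DISABLED"}, "lambdaCode": {"status": "DISABLED"},
}}
SAMPLE_MACIE = None

if __name__ == "__main__":
    for gap in coverage_gaps(evaluate_account(SAMPLE_STANDARDS, SAMPLE_DETECTOR, SAMPLE_INSPECTOR, SAMPLE_MACIE)):
        print("not covered:", gap)
```

Running the sample lists seven gaps: Macie, the four GuardDuty plans not enabled on the detector, and the two Lambda scan types. Note that the live variant is per Region, whereas the page states that a member account's coverage is aggregated across linked Regions, so a Region-by-Region comparison is the fair one.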