AWS Security Hub
User Guide

Terminology and Concepts

This topic describes the key concepts in AWS Security Hub to help you get started.

Account

A standard Amazon Web Services (AWS) account that contains your AWS resources. You can sign in to AWS with your account and enable Security Hub. You can also invite other accounts to enable Security Hub and become associated with your account in Security Hub. If your invitations are accepted, your account is designated as the Security Hub master account, and the added accounts are member accounts. With the master account, you can view findings in member accounts.

An account can't be both a Security Hub master account and a member account at the same time. An account can accept only one membership invitation. Accepting a membership invitation is optional.

For more information, see Master and Member Accounts in AWS Security Hub.

Archived finding

A finding that has a RecordState set to ARCHIVED. When you archive a finding in Security Hub, it is excluded from the default view of the Findings page in the console. When you receive a finding for an issue or failed compliance check, you can archive it so that you see only active findings that you want to further investigate or take remediation steps for. Archived findings aren't deleted. You can modify the filter applied to the Findings page to display only the findings that you want to see. To view only archived findings, update or replace the filter applied to the page to RecordState EQUALS ARCHIVED.

When you use the GetFindings operation of the Security Hub API, all findings are returned, both active and archived. Use filters in your request to return findings that match specific criteria. For example, to retrieve archived findings:

    "RecordState": [
        {
            "Comparison": "EQUALS",
            "Value": "ARCHIVED"
        }
    ],

AWS Security Finding Format

A standardized format for the contents of findings that Security Hub aggregates or generates. The AWS Security Finding Format enables you to use Security Hub to view and analyze findings that are generated by AWS security services, third-party solutions, or Security Hub itself from running security compliance checks. For more information, see AWS Security Finding Format.

Compliance check

A specific point-in-time evaluation of a compliance rule against a single resource resulting in a passed, failed, warning, or not available state. Running a compliance check produces a finding.

Compliance standard

A published statement on a topic specifying the characteristics, usually measurable and in the form of controls, that must be satisfied or achieved for compliance. Compliance standards can be based on regulatory frameworks, best practices, or internal company policies. To learn more about compliance standards in Security Hub, see Compliance Standards: CIS AWS Foundations.

Compliance rule

The logic used to evaluate a control and conduct a compliance check. A single control can be evaluated by one or multiple rules. A rule may be reused across multiple controls. Security Hub leverages compliance rules powered by AWS Config and has also developed some native compliance rules that run outside of AWS Config.

Control

A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. A compliance standard consists of controls.

Finding

The observable record of a compliance check or security-related detection.

For more information about findings in Security Hub, see Findings in AWS Security Hub.

Note

Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in CloudWatch Events that routes findings to your Amazon S3 bucket.
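
The archived-findings filter shown under Archived finding and the 90-day retention note above, combined as an added example (not code from this guide): it pages through GetFindings with that filter and lists the findings closest to deletion so they can be stored elsewhere first. It assumes a boto3 Security Hub client and timestamps that carry a UTC offset; the function names and sample findings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # retention period stated in the Note above
# Same filter as the GetFindings fragment for archived findings.
ARCHIVED_FILTER = {"RecordState": [{"Comparison": "EQUALS", "Value": "ARCHIVED"}]}

# Constructed sample findings (only the fields used here), not real data.
SAMPLE = [
    {"Id": "finding-a", "RecordState": "ARCHIVED",
     "CreatedAt": "2019-06-01T00:00:00Z", "UpdatedAt": "2019-06-01T00:00:00Z"},
    {"Id": "finding-b", "RecordState": "ARCHIVED",
     "CreatedAt": "2019-06-01T00:00:00Z", "UpdatedAt": "2019-07-15T12:30:00.000Z"},
]


def archived_findings(client):
    """Page through GetFindings with the archived filter.
    client is assumed to be boto3.client("securityhub")."""
    pages = client.get_paginator("get_findings").paginate(Filters=ARCHIVED_FILTER)
    return [finding for page in pages for finding in page["Findings"]]


def deletion_time(finding):
    """When the finding is deleted: 90 days after the most recent update,
    or 90 days after creation if no update is recorded."""
    stamp = finding.get("UpdatedAt") or finding["CreatedAt"]
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return parsed.astimezone(timezone.utc) + RETENTION


def expiring(findings, now, within_days=14):
    """(Id, deletion time) pairs for findings deleted within the window,
    soonest first, so they can be exported before they disappear."""
    cutoff = now + timedelta(days=within_days)
    due = [(f["Id"], deletion_time(f)) for f in findings]
    return sorted((d for d in due if d[1] <= cutoff), key=lambda d: d[1])


if __name__ == "__main__":
    # Runs offline on the constructed sample; with AWS credentials, pass
    # archived_findings(boto3.client("securityhub")) instead of SAMPLE.
    fixed_now = datetime(2019, 8, 20, tzinfo=timezone.utc)
    for finding_id, when in expiring(SAMPLE, fixed_now):
        print(finding_id, "is deleted at", when.isoformat())
```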

Insight

A collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you can't modify. You can also create custom Security Hub insights to track security issues that are unique to your AWS environment and usage. For more information, see Insights in AWS Security Hub.