AWS Security Hub
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Terminology and Concepts

This topic describes the key concepts in AWS Security Hub to help you get started.


A standard Amazon Web Services (AWS) account that contains your AWS resources. You can sign in to AWS with your account and enable Security Hub. You can also invite other accounts to enable Security Hub and become associated with your account in Security Hub. If your invitations are accepted, your account is designated as the Security Hub master account, and the added accounts are member accounts. With the master account, you can view findings in member accounts.

An account can't be both a Security Hub master account and a member account at the same time. An account can accept only one membership invitation. Accepting a membership invitation is optional.

For more information, see Master and Member Accounts in AWS Security Hub.

AWS Security Finding Format

A consistent format for the contents of findings that Security Hub aggregates or generates. The AWS Security Finding Format enables you to use Security Hub to view and analyze findings that are generated by AWS security services, third-party solutions, or Security Hub itself from running security compliance checks. For more information, see AWS Security Finding Format.

Compliance check

A specific point-in-time evaluation of a requirement resulting in a passed, failed, or error state. Running a compliance check produces a result.

Compliance standard

A published statement on a topic specifying the characteristics, usually measurable and in the form of controls, that must be satisfied or achieved to comply with the standard. To learn more about compliance standards in Security Hub, see Compliance Standards: CIS AWS Foundations.


A measure that modifies risk. A compliance standard consists of controls.


A failed compliance check result. In the context of compliance, a finding always indicates a potential security issue.

For more information about findings in Security Hub, see Findings in AWS Security Hub.


Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in CloudWatch Events that routes findings to your Amazon S3 bucket.


A collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you can't modify. You can also create custom Security Hub insights to track security issues that are unique to your AWS environment and usage. For more information, see Insights in AWS Security Hub.


The observable record of a check. A result can be a passed, failed, or error state. If the result is failed, the result is considered a finding.