Security checks and security scores in Security Hub

For each control that you enable, AWS Security Hub runs security checks. A security check determines whether your AWS resources are in compliance with the rules that the control includes.

Some checks run on a periodic schedule. Other checks only run when there is a change to the resource state. For more information, see Schedule for running security checks.

Many security checks use AWS Config managed or custom rules to establish the compliance requirements. To run these checks, you must set up AWS Config. For more information, see How Security Hub uses AWS Config rules to run security checks. Others use custom Lambda functions, which are managed by Security Hub and are not visible to customers.

As Security Hub runs security checks, it generates findings and assigns them a compliance status. For more information about compliance status, see Values for Compliance.Status.

Security Hub uses the compliance status of control findings to determine an overall control status. Security Hub also calculates a security score across all enabled controls and for specific standards. For more information, see Determining the overall status of a control from its findings and Determining security scores.

If you've turned on consolidated control findings, Security Hub generates a single finding even when a control is associated with more than one standard. For more information, see Consolidated control findings.

Topics

• How Security Hub uses AWS Config rules to run security checks
• AWS Config resources required to generate control findings
• Schedule for running security checks
• Generating and updating control findings
• Determining the overall status of a control from its findings
• Determining security scores