Understanding security checks and scores
For each control that you enable, AWS Security Hub runs security checks. A security check produces a finding that tells you whether a specific AWS resource is in compliance with the rules that the control includes.
Some checks run on a periodic schedule. Other checks only run when there is a change to the resource state. For more information, see Schedule for running security checks.
Many security checks use AWS Config managed or custom rules to establish the compliance requirements. To run these checks, you must set up AWS Config and turn on resource recording for required resources. For more information on setting up AWS Config, see Enabling and configuring AWS Config for Security Hub. For a list of AWS Config resources that you must record for each standard, see Required AWS Config resources for Security Hub control findings. Other controls use custom Lambda functions, which are managed by Security Hub and don't require any prerequisites.
As Security Hub runs security checks, it generates findings and assigns them a compliance status. For more information about compliance status, see Evaluating the compliance status of Security Hub findings.
Security Hub uses the compliance status of control findings to determine an overall control status. Based on the control status, Security Hub also calculates a security score across all enabled controls and for specific standards. For more information, see Evaluating compliance status and control status in Security Hub and Calculating security scores.
If you've turned on consolidated control findings, Security Hub generates a single finding even when a control is associated with more than one standard. For more information, see Consolidated control findings.