Enabling and managing integrations in Security Hub
AWS Security Hub can ingest security findings from several AWS services and supported third-party AWS Partner Network security solutions. These integrations can help you get a comprehensive view of security and compliance across your AWS environment.
Important
From the supported AWS and third-party product integrations, Security Hub receives and consolidates only findings that are generated after you enable Security Hub in your AWS accounts.
The service doesn't retroactively receive and consolidate security findings that were generated before you enabled Security Hub.
The Integrations page of the Security Hub console provides access to available AWS and third-party product integrations. The Security Hub API also has operations for managing integrations.
Note
Integrations might not be available in all AWS Regions. If an integration isn't supported in the current Region, it doesn't appear on the Integrations page.
For a list of integrations that are available in the China Regions and AWS GovCloud (US), see Integrations that are supported in China (Beijing) and China (Ningxia) and Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West).
This section provides information about how to manage built-in AWS service and third-party integrations. You can also integrate custom security products with Security Hub. For information, see Integrating Security Hub with custom products.
Viewing integration options and details
Choose your preferred method, and follow the steps to view a list of integrations in Security Hub or details about a specific integration.
Enabling the flow of findings from an integration
On the Integrations page of the Security Hub console, you can see the required steps to enable each integration.
For most of the integrations with other AWS services, the only required step to enable the integration is to enable the other service. The integration information includes a link to the other service's home page. When you enable the other service, a resource-level permission that allows Security Hub to receive findings from the service is then automatically created and applied.
For third-party product integrations, you may need to purchase the integration from the AWS Marketplace, and then configure the integration. The integration information provides links to complete these tasks.
If more than one version of a product is available in AWS Marketplace, select the version that you want to subscribe to, and then choose Continue to Subscribe. For example, some products offer a standard version and an AWS GovCloud (US) version.
When you enable a product integration, a resource policy is automatically attached to that product subscription. This resource policy defines the permissions that Security Hub needs to receive findings from that product.
After you complete any preliminary steps to enable an integration, you can then disable and re-enable the flow of findings from that integration. On the Integrations page, for integrations that send findings, the Status information indicates whether you are currently accepting findings.
Disabling the flow of findings from an integration
Choose your preferred method, and follow the steps to disable the flow of findings from an integration.
Viewing the findings from an integration
When you start accepting findings from an integration, the Integrations page of the Security Hub console displays the Status of the integration as Accepting findings. To view a list of findings from the integration, choose See findings.
The findings list shows the active findings for the selected integration that have a workflow status of NEW or NOTIFIED.
If you enable cross-Region aggregation, then in the aggregation Region, the list includes findings from the aggregation Region and from linked Regions where the integration is enabled. Security Hub does not automatically enable integrations based on the cross-Region aggregation configuration.
In other Regions, the finding list for an integration only contains findings from the current Region.
For information on how to configure cross-Region aggregation, see Understanding cross-Region aggregation in Security Hub.
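The same per-integration list can be pulled through the Security Hub API. The following is an added example, not code from the AWS documentation: it builds GetFindings filters for active findings with a workflow status of NEW or NOTIFIED from one product, follows pagination, and counts results per Region, which is useful when run in an aggregation Region. The helper names, the FakeClient stand-in, and the sample product ARN are assumptions made for illustration.

```python
from collections import Counter

def integration_filters(product_arn):
    """GetFindings filters equivalent to the console's per-integration list."""
    def eq(value):
        return {"Value": value, "Comparison": "EQUALS"}
    return {
        "ProductArn": [eq(product_arn)],
        "RecordState": [eq("ACTIVE")],
        # Multiple values for one field are ORed: NEW or NOTIFIED.
        "WorkflowStatus": [eq("NEW"), eq("NOTIFIED")],
    }

def list_integration_findings(client, product_arn):
    """Collect all matching findings, following NextToken pagination."""
    kwargs = {"Filters": integration_filters(product_arn), "MaxResults": 100}
    findings = []
    while True:
        page = client.get_findings(**kwargs)
        findings.extend(page.get("Findings", []))
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]

def count_by_region(findings):
    """Per-Region totals; in an aggregation Region this shows linked Regions."""
    return dict(Counter(f["Region"] for f in findings))

class FakeClient:
    """Constructed stand-in for boto3.client("securityhub"); serves two pages."""
    def __init__(self):
        self.calls = []
        self.pages = {
            None: {"Findings": [{"Id": "f-1", "Region": "us-east-1"},
                                {"Id": "f-2", "Region": "eu-west-1"}],
                   "NextToken": "page-2"},
            "page-2": {"Findings": [{"Id": "f-3", "Region": "us-east-1"}]},
        }
    def get_findings(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.pages[kwargs.get("NextToken")]

# Sample value for illustration; use the product ARN of your own integration.
SAMPLE_PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/guardduty"

if __name__ == "__main__":
    # Against a real account: client = boto3.client("securityhub")
    found = list_integration_findings(FakeClient(), SAMPLE_PRODUCT_ARN)
    print(len(found), count_by_region(found))
```

If the per-Region counts show only the current Region while cross-Region aggregation is configured, check whether the integration is enabled in the linked Regions, because aggregation does not enable it for you.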
From the findings list, you can perform the following actions.