AWS Security Hub
User Guide

Findings in AWS Security Hub

Important

Currently, AWS Security Hub is in Preview release.

AWS provides a secure cloud computing environment where you can run your workloads, and gives you access to AWS and partner security, identity, and compliance tools, including firewalls, endpoint and intrusion detection, database security, and vulnerability and compliance scanners. These tools can generate thousands of security findings every day. Each tool uses its own finding format, and the findings are stored and viewed in different consoles.

To understand your overall security and compliance state, you would have to either continuously pivot across these tools by hand or build your own way to aggregate and analyze the findings they generate. With large workloads and environments, processing and analyzing this data can take hundreds of hours of building parsers, transformers, custom compliance rules, and data enrichment pipelines. Even then, the volume of findings can be more than you can effectively process, so it becomes difficult to separate real security issues from noise, to prioritize the findings that matter most to you, and to make sure that you aren't missing a critical finding. Security Hub removes this complexity and reduces the effort required to manage and improve the security and compliance of all of your AWS accounts and workloads.

Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from the solutions of integrated partner providers. It ingests these findings in a single standard format, the AWS Security Finding Format, so you do not have to convert finding data yourself, and then correlates the ingested findings across providers to prioritize the most important ones. For more information, see AWS Security Finding Format.

Working with Findings in Security Hub

You can use the following procedure to view and manage findings in Security Hub.

  1. Open the Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Findings.

    By default, the Findings page lists all of your active Security Hub-processed and generated findings. The Record state filter attribute is preselected by default, and its value is set to ACTIVE. You can update the value of the Record state filter attribute to ARCHIVED to view only your archived findings. You can also remove this filter attribute to view all of your active and archived findings.

  3. Use the Filter field to select one attribute for the Group by aggregator and one or more filter attributes from the available attribute list to query through your findings.

    You can use one of the following attributes as the Group by aggregator:

    • AwsAccountId

    • CompanyName

    • ComplianceStatus

    • GeneratorId

    • MalwareName

    • ProcessName

    • ThreatIntelIndicatorType

    • ProductArn

    • ProductName

    • RecordState

    • ResourceAwsEc2InstanceImageId

    • ResourceAwsEc2InstanceIpV4Addresses

    • ResourceAwsEc2InstanceIpV6Addresses

    • ResourceAwsEc2InstanceKeyName

    • ResourceAwsEc2InstanceSubnetId

    • ResourceAwsEc2InstanceType

    • ResourceAwsEc2InstanceVpcId

    • ResourceAwsIamAccessKeyUserName

    • ResourceAwsS3BucketOwnerName

    • ResourceContainerImageId

    • ResourceContainerImageName

    • ResourceContainerName

    • ResourceId

    • ResourceType

    • SeverityLabel

    • SourceUrl

    • Type

    • VerificationState

    • WorkflowState

    You can use all of the AWS Security Finding format's attributes as filters to query through your findings.

    Note

    Filters on different attributes are combined with AND logic: a finding is returned only if it matches every attribute in your filter set. Multiple filters on the same attribute with different values (for example, RecordState set to ACTIVE and RecordState set to ARCHIVED) are combined with OR logic: a finding matches that attribute if it satisfies any one of those values.

    For the complete list of AWS Security Finding attributes and their descriptions, see AWS Security Finding Format.

  4. Choose a finding's title to view this finding's detail pane. Once the finding's detail pane appears, choose the finding ID to view the complete details JSON of that finding.

  5. To apply default (Archive) and custom actions to findings, select one or more findings' check boxes. Then expand the Actions menu and choose either Archive or one of the existing custom actions.

    Note

    You can create Security Hub custom actions to automate Security Hub with Amazon CloudWatch Events. For more information and detailed steps on creating custom actions, see Automating AWS Security Hub with CloudWatch Events.

  6. To update a finding's details, note the following:

    Important

    In this release, the Security Hub console can update only the record state of a finding (ACTIVE or ARCHIVED). The UpdateFindings API operation can update the record state and attach a note to a finding. UpdateFindings applies to every finding that matches the filters you pass to it, so pass precise filters (for example, on the finding Id) when you update.
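The procedure above, as an added example that is not AWS's own code: it builds the Filters structure that the GetFindings and UpdateFindings API operations accept, applies the Note's AND/OR logic locally to three constructed findings in a minimal ASFF shape, and shows the same filter being reused to fetch findings through boto3 and to archive them with a note. The attribute-to-field mapping, the helper names, the sample finding Ids, account IDs and resource identifiers are this example's assumptions; the two boto3 calls need AWS credentials and are not run by the offline demo.

```python
"""Added example: Security Hub finding filters, evaluated locally and reused
against the GetFindings / UpdateFindings API. Not AWS's code."""
from typing import Callable, Dict, List

# How each filter attribute is read out of an ASFF finding. Several console
# attributes flatten nested ASFF fields (ResourceType -> Resources[].Type,
# Type -> Types[]), so one finding can carry several candidate values.
# This mapping is the example's own and covers only a subset of attributes.
_EXTRACTORS: Dict[str, Callable[[dict], List[str]]] = {
    "Id": lambda f: [f["Id"]],
    "AwsAccountId": lambda f: [f["AwsAccountId"]],
    "ProductArn": lambda f: [f["ProductArn"]],
    "RecordState": lambda f: [f["RecordState"]],
    "Type": lambda f: list(f.get("Types", [])),
    "ResourceType": lambda f: [r["Type"] for r in f.get("Resources", [])],
    "ResourceId": lambda f: [r["Id"] for r in f.get("Resources", [])],
}


def build_filters(**criteria) -> Dict[str, List[Dict[str, str]]]:
    """Turn keyword criteria into the Filters dict that GetFindings and
    UpdateFindings accept. A string becomes one EQUALS filter, a list of
    strings becomes several filters on the same attribute (OR between them),
    and a ("PREFIX", text) tuple becomes a PREFIX filter."""
    filters = {}
    for attr, spec in criteria.items():
        if attr not in _EXTRACTORS:
            raise ValueError("unsupported filter attribute: %s" % attr)
        values = spec if isinstance(spec, list) else [spec]
        filters[attr] = [
            {"Comparison": v[0], "Value": v[1]} if isinstance(v, tuple)
            else {"Comparison": "EQUALS", "Value": v}
            for v in values
        ]
    return filters


def _single_filter_matches(candidates: List[str], flt: Dict[str, str]) -> bool:
    if flt["Comparison"] == "EQUALS":
        return flt["Value"] in candidates
    if flt["Comparison"] == "PREFIX":
        return any(c.startswith(flt["Value"]) for c in candidates)
    raise ValueError("unsupported comparison: %s" % flt["Comparison"])


def matches(finding: dict, filters: Dict[str, List[Dict[str, str]]]) -> bool:
    """The console's documented logic: every attribute in the filter set must
    match (AND across attributes), and an attribute matches if any one of its
    filters does (OR between values of the same attribute)."""
    for attr, flist in filters.items():
        candidates = _EXTRACTORS[attr](finding)
        if not any(_single_filter_matches(candidates, flt) for flt in flist):
            return False
    return True


def apply_filters(findings: List[dict], filters) -> List[str]:
    """Return the Ids of the findings that pass the filter set."""
    return [f["Id"] for f in findings if matches(f, filters)]


def fetch_findings(filters, region: str = "us-east-1") -> List[dict]:
    """Run the same filter against the live API (needs AWS credentials; not
    exercised offline). GetFindings pages its results, so drain the paginator."""
    import boto3  # imported lazily so the offline demo does not need it
    client = boto3.client("securityhub", region_name=region)
    found = []
    for page in client.get_paginator("get_findings").paginate(Filters=filters):
        found.extend(page["Findings"])
    return found


def archive_findings(finding_ids: List[str], note: str, updated_by: str,
                     region: str = "us-east-1") -> None:
    """Archive findings and attach a note with UpdateFindings. The operation
    applies to every finding its filter matches, so filter on explicit Ids
    rather than on a broad attribute to avoid archiving more than intended."""
    import boto3
    client = boto3.client("securityhub", region_name=region)
    client.update_findings(
        Filters=build_filters(Id=finding_ids),
        Note={"Text": note, "UpdatedBy": updated_by},
        RecordState="ARCHIVED",
    )


# Constructed sample findings in a minimal ASFF shape (not real data).
def _finding(fid, account, product, types, state, res_type, res_id):
    return {"Id": fid, "AwsAccountId": account, "ProductArn": product,
            "Types": types, "RecordState": state,
            "Resources": [{"Type": res_type, "Id": res_id}]}


GUARDDUTY = "arn:aws:securityhub:us-east-1::product/aws/guardduty"
INSPECTOR = "arn:aws:securityhub:us-east-1::product/aws/inspector"
SAMPLE_FINDINGS = [
    _finding("finding-1", "111122223333", GUARDDUTY,
             ["TTPs/Command and Control/CryptoCurrency"], "ACTIVE",
             "AwsEc2Instance", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example1"),
    _finding("finding-2", "111122223333", INSPECTOR,
             ["Software and Configuration Checks/Vulnerabilities/CVE"], "ARCHIVED",
             "AwsEc2Instance", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example2"),
    _finding("finding-3", "444455556666", GUARDDUTY,
             ["TTPs/Initial Access/UnauthorizedAccess"], "ACTIVE",
             "AwsIamAccessKey", "AKIAIOSFODNN7EXAMPLE"),
]

if __name__ == "__main__":
    # The console's default view: RecordState = ACTIVE only.
    print(apply_filters(SAMPLE_FINDINGS, build_filters(RecordState="ACTIVE")))
    # Two values on one attribute (OR) combined with a second attribute (AND).
    print(apply_filters(SAMPLE_FINDINGS, build_filters(
        RecordState=["ACTIVE", "ARCHIVED"], AwsAccountId="111122223333")))
```

Running the module prints the Ids of the active findings and then the Ids of the findings from one account in either record state. The same dict that `build_filters` returns is what you pass as `Filters` to the API, so a filter you have checked against local samples behaves the same way against the live service.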