AWS Security Hub
User Guide

Findings in AWS Security Hub

Important

Security Hub is currently in Preview.

AWS provides a highly-secure cloud computing environment where you can run your workloads. When you use AWS services, you can also access various AWS and partner security, identity, and compliance tools. These tools include firewalls, endpoint and intrusion detection applications, as well as database security, vulnerability, and compliance scanners. These tools can generate thousands of security findings daily. Findings from these tools may all have different finding formats, and may be stored and viewed across different platforms.

In this context, it can be difficult to get a complete understanding of your overall security and compliance state. To do so, you would have to either continuously and manually process the output from all of these tools, or develop ways to aggregate and analyze the generated findings. With large workloads and environments, processing and analyzing this data can take hundreds of hours of building parsers, transformers, custom compliance rules, and data enrichment pipelines. Even then, the volume of the findings can sometimes be more than you can effectively process. Therefore, it can be difficult to separate potential security issues from noise, to prioritize the findings that matter to you most, and to ensure that you aren’t missing any critical findings. Security Hub eliminates this complexity and reduces the effort required to manage and improve the security and compliance of all of your AWS accounts, resources, and workloads.

AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and also from the third-party product integrations you enable. Security Hub consumes these findings using a standard findings format called AWS Security Finding Format, which eliminates the need for time-consuming data conversion efforts. Security Hub then correlates the findings across integrated products to prioritize the most important ones. For more information, see AWS Security Finding Format.

Working with Findings in Security Hub

To view and manage findings in Security Hub, use the following procedure.

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Findings.

    By default, the Findings page lists all of your active Security Hub-processed and generated findings. The Record state filter attribute is preselected by default, and its value is ACTIVE. You can update the value of the Record state filter attribute to ARCHIVED to view only your archived findings. You can also remove this filter attribute to view all of your active and archived findings.

  3. Use the Filter field to select one attribute for the Group by aggregator and one or more filter attributes from the available attribute list to query through your findings.

    You can use one of the following attributes as the Group by aggregator:

    • Aws account Id

    • Company name

    • Compliance status

    • Generator ID

    • Malware name

    • Process name

    • Threat intel type

    • Product ARN

    • Product name

    • Record state

    • EC2 instance image ID

    • EC2 instance IPv4

    • EC2 instance IPv6

    • EC2 instance key name

    • EC2 instance subnet ID

    • EC2 instance type

    • EC2 instance VPC ID

    • IAM access key user name

    • S3 bucket owner name

    • Container image ID

    • Container image name

    • Container name

    • Resource ID

    • Resource type

    • Severity label

    • Source URL

    • Type

    • Verification state

    • Workflow state

    You can use all of the AWS Security Finding format's attributes as filters to query through your findings.

    Note

    For optional filters, AND logic is applied to your specified collection of filters to query your findings. However, OR logic is applied to multiple filters that use the same attribute set to different values.

    For the complete list of AWS Security Finding attributes and their descriptions, see AWS Security Finding Format.

  4. Choose a finding's title to view the finding's detail pane. In the detail pane, choose the finding ID to view the complete details JSON of that finding.

  5. To apply default (Archive) and custom actions to findings, select one or more findings' check boxes. Then expand the Actions menu and choose either Archive or one of the existing custom actions.

    Note

    You can create Security Hub custom actions to automate Security Hub with Amazon CloudWatch Events. For more information and detailed steps on creating custom actions, see Automating AWS Security Hub with CloudWatch Events.

  6. To update findings details, note the following.

    Important

    In this release, you can update the record state of a finding (ACTIVE or ARCHIVED) only on the Security Hub console. You can update the record state and a note attached to a finding via the UpdateFinding operation of the Security Hub API.