What is AWS Security Hub? - AWS Security Hub

What is AWS Security Hub?

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices.

Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the AWS Foundational Security Best Practices (FSBP) standard developed by AWS, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other AWS services—such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie— and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other AWS services and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

Benefits of Security Hub

Here are some of the key ways that Security Hub helps you monitor your compliance and security posture across your AWS environment.

Reduced effort to collect and prioritize findings

Security Hub reduces the effort to collect and prioritize security findings across accounts from integrated AWS services and AWS partner products. Security Hub processes finding data using the AWS Security Finding Format (ASFF), a standard finding format. This eliminates the need to manage findings from myriad sources in multiple formats. Security Hub also correlates findings across providers to help you prioritize the most important ones.

Automatic security checks against best practices and standards

Security Hub automatically runs continuous, account-level configuration and security checks based on AWS best practices and industry standards. Security Hub uses the results of these checks to calculate security scores, and identifies specific accounts and resources that require attention.

Consolidated view of findings across accounts and providers

Security Hub consolidates your security findings across accounts and provider products and displays results on the Security Hub console. You can also retrieve findings through the Security Hub API, AWS CLI, or SDKs. With a holistic view of your current security status, you can spot trends, identify potential issues, and take necessary remediation steps.

Ability to automate finding updates and remediation

You can create automation rules that modify or suppress findings based on your defined criteria. Security Hub also supports an integration with Amazon EventBridge. To automate the remediation of specific findings, you can define custom actions to take when a finding is generated. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system.

Accessing Security Hub

Security Hub is available in most AWS Regions. For a list of Regions where Security Hub is currently available, see AWS Security Hub endpoints and quotas in the AWS General Reference. For information about managing AWS Regions for your AWS account, see Specifying which AWS Regions your account can use in the AWS Account Management Reference Guide.

In each Region, you can access and use Security Hub in any of the following ways:

Security Hub console

The AWS Management Console is a browser-based interface that you can use to create and manage AWS resources. As part of that console, the Security Hub console provides access to your Security Hub account, data, and resources. You can perform Security Hub tasks by using the Security Hub console—view findings, create automation rules, create an aggregation Region, and more.

Security Hub API

The Security Hub API gives you programmatic access to your Security Hub account, data, and resources. With the API, you can send HTTPS requests directly to Security Hub. For information about the API, see the AWS Security Hub API Reference.

AWS CLI

With the AWS CLI, you can run commands at your system's command line to perform Security Hub tasks. In some cases, using the command line can be faster and more convenient than using the console. The command line is also useful if you want to build scripts that perform tasks. For information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide.

AWS SDKs

AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms—for example, Java, Go, Python, C++, and .NET. The SDKs provide convenient, programmatic access to Security Hub and other AWS services in your preferred language. They also handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about installing and using the AWS SDKs, see Tools to Build on AWS.

Important

Security Hub only detects and consolidates findings that are generated after you enable Security Hub. It doesn't retroactively detect and consolidate security findings that were generated before you enabled Security Hub.

Security Hub only receives and processes findings in the Region where you enabled Security Hub in your account.

For full compliance with CIS AWS Foundations Benchmark security checks, you must enable Security Hub in all supported AWS Regions.

To further secure your AWS environment, consider using other AWS services in combination with Security Hub. Some AWS services send their findings to Security Hub, and Security Hub normalizes the findings into a standard format. Some AWS services can also receive findings from Security Hub.

For a list of other AWS services that send or receive Security Hub findings, see AWS service integrations with Security Hub.

Security Hub uses service-linked rules from AWS Config to run security checks for most controls. Controls refer to specific AWS services and AWS resources. For a list of Security Hub controls, see Security Hub controls reference. You must enable AWS Config and record resources in AWS Config for Security Hub to generate most control findings. For more information, see Configuring AWS Config for Security Hub.

Security Hub free trial and pricing

When you enable Security Hub in an AWS account for the first time, that account is automatically enrolled in a 30-day Security Hub free trial.

When you use Security Hub during the free trial, you are charged for usage of other services that Security Hub interacts with, such as AWS Config items. You are not charged for AWS Config rules that are activated only by Security Hub security standards.

You are not charged for using Security Hub until your free trial ends.

Viewing usage details and estimated cost

Security Hub provides usage information, including an estimated 30-day cost for using Security Hub. The usage details include the time remaining in the free trial. The usage information can help you to understand what your Security Hub costs may be after the free trial ends. The usage information is also available after the free trial ends.

To display usage information (console)
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Usage under Settings.

The estimated monthly cost is based on your account's Security Hub usage for findings and security checks projected over a 30-day period.

The usage information and estimated cost are only for the current account and current Region. In an aggregation Region, the usage information and estimated cost don't include linked Regions. For more information about linked Regions, see Types of data that are aggregated.

Pricing details

For more information about how Security Hub charges for ingested findings and security checks, see Security Hub pricing.