AWS Security Hub
User Guide

Insights in AWS Security Hub


Currently, AWS Security Hub is in Preview release.

A Security Hub insight is a collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you can't modify or delete. You can also create custom insights to track security issues that are unique to your AWS environment and usage.

Use the following procedure to manage your Security Hub insights.


You can't edit or delete managed (default) Security Hub insights.

To manage insights

  1. Open the Security Hub console at

  2. In the navigation pane, choose Insights.

  3. To update insights' filters, choose the insight that you want to modify and then do the following:

    • Use the Filter field to select one attribute for the Group by aggregator for this insight and one or more attributes from the available attribute list as the optional filters for this insight. The Group by aggregator and the optional filters define what findings are to be included in this insight. Choose Apply for every filter that you select.

      You can use one of the following attributes as the Group by aggregator:


      You can only have one Group by aggregator in a Security Hub insight.

      • AwsAccountId

      • CompanyName

      • ComplianceStatus

      • GeneratorId

      • MalwareName

      • ProcessName

      • ThreatIntelIndicatorType

      • ProductArn

      • ProductName

      • RecordState

      • ResourceAwsEc2InstanceImageId

      • ResourceAwsEc2InstanceIpV4Addresses

      • ResourceAwsEc2InstanceIpV6Addresses

      • ResourceAwsEc2InstanceKeyName

      • ResourceAwsEc2InstanceSubnetId

      • ResourceAwsEc2InstanceType

      • ResourceAwsEc2InstanceVpcId

      • ResourceAwsIamAccessKeyUserName

      • ResourceAwsS3BucketOwnerName

      • ResourceContainerImageId

      • ResourceContainerImageName

      • ResourceContainerName

      • ResourceId

      • ResourceType

      • SeverityLabel

      • SourceUrl

      • Type

      • VerificationState

      • WorkflowState

      You can use all of the AWS Security Finding format's attributes as optional filters for your insights.

      For the complete list of AWS Security Finding attributes and their descriptions, see AWS Security Finding Format.

    • After you have selected the Group by aggregator and optional filters for your insight, choose Create insight.

    • In the Create/Update insight pop-up window, either choose Update insight to save your changes to the existing insight that you're modifying or choose Create insight to save your changes as a new custom insight. Specify the name for the new custom insight and then choose Ok.


      If you're modifying the filters and the Group by aggregator of a managed insight, you can only save your changes as the new custom insight. You can't update the filters and the Group by aggregator of a managed insight.

    • To delete an insight, choose the More options icon in an insight's tile and then choose Delete.


      You can only delete custom insights. You cannot delete managed insights.

  4. To apply default (Archive) and custom actions to an insight, choose that insight (either managed or default). Then select one or more insight results' check boxes, expand the Actions menu, and choose either Archive or one of the existing custom actions.


    You can create Security Hub custom actions to automate Security Hub with Amazon CloudWatch Events. For more information and detailed steps on creating custom actions, see Automating AWS Security Hub with CloudWatch Events.