List of managed insights in Security Hub
AWS Security Hub provides several managed insights.
You can't edit or delete Security Hub managed insights. You can view and take action on the insight results and findings. You can also use a managed insight as the basis for a new custom insight.
As with all insights, a managed insight only returns results if you have enabled product integrations or security standards that can produce matching findings.
For insights that are grouped by resource identifier, the results include the identifiers of all of the resources in the matching findings. This includes resources that have a different type from the resource type in the filter criteria. For example, insight 2 in the following list identifies findings that are associated with Amazon S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, the insight results include both resources.
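The grouping behavior described above, modeled locally in Python. This is an added example, not AWS code, and it makes no call to Security Hub. The filter dictionary expresses insight 2 from the list below in the `Filters` shape of the CreateInsight API; the helper names and sample findings are constructed.

```python
from collections import Counter

# Insight 2's filters: conditions on one field are ORed, fields are ANDed.
INSIGHT_2_FILTERS = {
    "Type": [{"Value": "Effects/Data Exposure", "Comparison": "PREFIX"}],
    "ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                       {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
}

def field_values(finding, field):
    """Return the ASFF values that a filter field is compared against."""
    return {
        "Type": finding.get("Types", []),
        "ResourceType": [r["Type"] for r in finding.get("Resources", [])],
        "RecordState": [finding.get("RecordState", "")],
        "WorkflowStatus": [finding.get("Workflow", {}).get("Status", "")],
    }[field]

def matches(finding, filters):
    """True if every filtered field has a value satisfying one condition."""
    def hit(value, cond):
        prefix = cond["Comparison"] == "PREFIX"
        return value.startswith(cond["Value"]) if prefix else value == cond["Value"]
    return all(any(hit(v, c) for v in field_values(finding, f) for c in conds)
               for f, conds in filters.items())

def group_by_resource_id(findings, filters):
    """Count matching findings per resource ID, whatever the resource type."""
    counts = Counter()
    for item in findings:
        if matches(item, filters):
            counts.update({r["Id"] for r in item["Resources"]})
    return counts

def make_finding(types, resources, state="ACTIVE", status="NEW"):
    # Minimal constructed finding: ASFF field names, sample values.
    return {"Types": types, "RecordState": state, "Workflow": {"Status": status},
            "Resources": [{"Type": t, "Id": i} for t, i in resources]}

BUCKET = ("AwsS3Bucket", "arn:aws:s3:::example-bucket")
KEY = ("AwsIamAccessKey", "example-access-key")
SAMPLE_FINDINGS = [  # constructed sample data
    make_finding(["Effects/Data Exposure/Example"], [BUCKET, KEY]),
    make_finding(["Effects/Data Exposure/Example"], [BUCKET], status="NOTIFIED"),
    make_finding(["Effects/Data Exposure/Example"], [BUCKET], status="RESOLVED"),
    make_finding(["Effects/Data Exposure/Example"], [("AwsEc2Instance", "i-example")]),
]
print(group_by_resource_id(SAMPLE_FINDINGS, INSIGHT_2_FILTERS))
```

The access key appears in the grouped results even though the filter names only `AwsS3Bucket`, because it shares a finding with a matching bucket. The same dictionary can be passed as `Filters` to CreateInsight, with `GroupByAttribute` set to `ResourceId`, to build a custom insight from this managed one.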
Security Hub currently offers the following managed insights:
- 1. AWS resources with the most findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/1
  Grouped by: Resource identifier
  Finding filters:
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 2. S3 buckets with public write or read permissions
  ARN: arn:aws:securityhub:::insight/securityhub/default/10
  Grouped by: Resource identifier
  Finding filters:
  - Type starts with Effects/Data Exposure
  - Resource type is AwsS3Bucket
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 3. AMIs that are generating the most findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/3
  Grouped by: EC2 instance image ID
  Finding filters:
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 4. EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)
  ARN: arn:aws:securityhub:::insight/securityhub/default/14
  Grouped by: Resource ID
  Finding filters:
  - Type starts with TTPs
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 5. AWS principals with suspicious access key activity
  ARN: arn:aws:securityhub:::insight/securityhub/default/9
  Grouped by: IAM access key principal name
  Finding filters:
  - Resource type is AwsIamAccessKey
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 6. AWS resources instances that don't meet security standards / best practices
  ARN: arn:aws:securityhub:::insight/securityhub/default/6
  Grouped by: Resource ID
  Finding filters:
  - Type is Software and Configuration Checks/Industry and Regulatory Standards/AWS Security Best Practices
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 7. AWS resources associated with potential data exfiltration
  ARN: arn:aws:securityhub:::insight/securityhub/default/7
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Effects/Data Exfiltration/
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 8. AWS resources associated with unauthorized resource consumption
  ARN: arn:aws:securityhub:::insight/securityhub/default/8
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Effects/Resource Consumption
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 9. S3 buckets that don't meet security standards / best practice
  ARN: arn:aws:securityhub:::insight/securityhub/default/11
  Grouped by: Resource ID
  Finding filters:
  - Resource type is AwsS3Bucket
  - Type is Software and Configuration Checks/Industry and Regulatory Standards/AWS Security Best Practices
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 10. S3 buckets with sensitive data
  ARN: arn:aws:securityhub:::insight/securityhub/default/12
  Grouped by: Resource ID
  Finding filters:
  - Resource type is AwsS3Bucket
  - Type starts with Sensitive Data Identifications/
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 11. Credentials that may have leaked
  ARN: arn:aws:securityhub:::insight/securityhub/default/13
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Sensitive Data Identifications/Passwords/
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 12. EC2 instances that have missing security patches for important vulnerabilities
  ARN: arn:aws:securityhub:::insight/securityhub/default/16
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Software and Configuration Checks/Vulnerabilities/CVE
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 13. EC2 instances with general unusual behavior
  ARN: arn:aws:securityhub:::insight/securityhub/default/17
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Unusual Behaviors
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 14. EC2 instances that have ports accessible from the Internet
  ARN: arn:aws:securityhub:::insight/securityhub/default/18
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Software and Configuration Checks/AWS Security Best Practices/Network Reachability
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 15. EC2 instances that don't meet security standards / best practices
  ARN: arn:aws:securityhub:::insight/securityhub/default/19
  Grouped by: Resource ID
  Finding filters:
  - Type starts with one of the following:
    - Software and Configuration Checks/Industry and Regulatory Standards/
    - Software and Configuration Checks/AWS Security Best Practices
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 16. EC2 instances that are open to the Internet
  ARN: arn:aws:securityhub:::insight/securityhub/default/21
  Grouped by: Resource ID
  Finding filters:
  - Type starts with Software and Configuration Checks/AWS Security Best Practices/Network Reachability
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 17. EC2 instances associated with adversary reconnaissance
  ARN: arn:aws:securityhub:::insight/securityhub/default/22
  Grouped by: Resource ID
  Finding filters:
  - Type starts with TTPs/Discovery/Recon
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 18. AWS resources that are associated with malware
  ARN: arn:aws:securityhub:::insight/securityhub/default/23
  Grouped by: Resource ID
  Finding filters:
  - Type starts with one of the following:
    - Effects/Data Exfiltration/Trojan
    - TTPs/Initial Access/Trojan
    - TTPs/Command and Control/Backdoor
    - TTPs/Command and Control/Trojan
    - Software and Configuration Checks/Backdoor
    - Unusual Behaviors/VM/Backdoor
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 19. AWS resources associated with cryptocurrency issues
  ARN: arn:aws:securityhub:::insight/securityhub/default/24
  Grouped by: Resource ID
  Finding filters:
  - Type starts with one of the following:
    - Effects/Resource Consumption/Cryptocurrency
    - TTPs/Command and Control/CryptoCurrency
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 20. AWS resources with unauthorized access attempts
  ARN: arn:aws:securityhub:::insight/securityhub/default/25
  Grouped by: Resource ID
  Finding filters:
  - Type starts with one of the following:
    - TTPs/Command and Control/UnauthorizedAccess
    - TTPs/Initial Access/UnauthorizedAccess
    - Effects/Data Exfiltration/UnauthorizedAccess
    - Unusual Behaviors/User/UnauthorizedAccess
    - Effects/Resource Consumption/UnauthorizedAccess
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 21. Threat Intel indicators with the most hits in the last week
  ARN: arn:aws:securityhub:::insight/securityhub/default/26
  Finding filters:
  - Created within the last 7 days
- 22. Top accounts by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/27
  Grouped by: AWS account ID
  Finding filters:
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 23. Top products by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/28
  Grouped by: Product name
  Finding filters:
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 24. Severity by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/29
  Grouped by: Severity label
  Finding filters:
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 25. Top S3 buckets by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/30
  Grouped by: Resource ID
  Finding filters:
  - Resource type is AwsS3Bucket
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 26. Top EC2 instances by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/31
  Grouped by: Resource ID
  Finding filters:
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 27. Top AMIs by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/32
  Grouped by: EC2 instance image ID
  Finding filters:
  - Resource type is AwsEc2Instance
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 28. Top IAM users by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/33
  Grouped by: IAM access key ID
  Finding filters:
  - Resource type is AwsIamAccessKey
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 29. Top resources by counts of failed CIS checks
  ARN: arn:aws:securityhub:::insight/securityhub/default/34
  Grouped by: Resource ID
  Finding filters:
  - Generator ID starts with arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule
  - Updated in the last day
  - Compliance status is FAILED
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 30. Top integrations by counts of findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/35
  Grouped by: Product ARN
  Finding filters:
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 31. Resources with the most failed security checks
  ARN: arn:aws:securityhub:::insight/securityhub/default/36
  Grouped by: Resource ID
  Finding filters:
  - Updated in the last day
  - Compliance status is FAILED
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 32. IAM users with suspicious activity
  ARN: arn:aws:securityhub:::insight/securityhub/default/37
  Grouped by: IAM user
  Finding filters:
  - Resource type is AwsIamUser
  - Record state is ACTIVE
  - Workflow status is NEW or NOTIFIED
- 33. Resources with the most AWS Health findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/38
  Grouped by: Resource ID
  Finding filters:
  - ProductName equals Health
- 34. Resources with the most AWS Config findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/39
  Grouped by: Resource ID
  Finding filters:
  - ProductName equals Config
- 35. Applications with the most findings
  ARN: arn:aws:securityhub:::insight/securityhub/default/40
  Grouped by: ResourceApplicationArn
  Finding filters:
  - RecordState equals ACTIVE
  - Workflow.Status equals NEW or NOTIFIED