Results of security checks

When it runs checks against the enabled controls for the enabled security standards, AWS Security Hub generates findings. These findings use the AWS Security Finding Format (ASFF).

Standards-related information in the ASFF

For findings generated by security checks, the Compliance field in the ASFF contains the standards-related findings details. The Compliance field includes the following information.

A RelatedRequirements array that contains a list of related requirements for the control.
A Status field that contains result of the most recent check that Security Hub ran against a given control. The results of the previous checks are kept in an archived state for 90 days.
A StatusReasons object that contains a list of reasons for the value of Compliance.Status . For each reason, StatusReasons includes the reason code and a description.

The following table lists the available reason codes and descriptions.

Reason code	Compliance.Status	Description
`CLOUDTRAIL_METRIC_FILTER_NOT_VALID`	`FAILED`	The multi-Region CloudTrail trail does not have a valid metric filter.
`CLOUDTRAIL_METRIC_FILTERS_NOT_PRESENT`	`FAILED`	Metric filters are not present for the multi-Region CloudTrail trail.
`CLOUDTRAIL_MULTI_REGION_NOT_PRESENT`	`FAILED`	The account does not have a multi-Region CloudTrail trail with the required configuration.
`CLOUDTRAIL_REGION_INVAILD`	`WARNING`	Multi-Region CloudTrail trails are not in the current Region.
`CLOUDWATCH_ALARM_ACTIONS_NOT_VALID`	`FAILED`	No valid alarm actions are present.
`CLOUDWATCH_ALARMS_NOT_PRESENT`	`FAILED`	CloudWatch alarms do not exist in the account.
`CONFIG_ACCESS_DENIED`	`WARNING` AWS Config status is `ConfigError`	AWS Config access denied. Verify that AWS Config is enabled and has been granted sufficient permissions.
`CONFIG_EVALUATIONS_EMPTY`	`PASSED`	AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.
`CONFIG_RULE_EVALUATION_ERROR`	`WARNING` AWS Config status is `ConfigError`	This reason code is used for several different types of evaluation errors. The description provides the specific reason information. The type of error can be one of the following. An inability to perform the evaluation because of a lack of permissions. The description provides the specific permission that is missing. A missing or invalid value for a parameter. The description provides the parameter and the requirements for the parameter value. An error reading from an S3 bucket. The description identifies the bucket and provides the specific error. A missing AWS subscription. A general timeout on the evaluation. A suspended account.
`CONFIG_RULE_NOT_FOUND`	`WARNING` AWS Config status is `ConfigError`	Unable to find the supporting AWS Config rule. Verify that you have enabled AWS Config.
`RESOURCE_NO_LONGER_EXISTS`	`NOT_AVAILABLE`	Security Hub archived this finding because the resource no longer exists.
`S3_BUCKET_CROSS_ACCOUNT_CROSS_REGION`	`WARNING`	The finding is in a `WARNING` state, because the S3 bucket associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.
`SNS_SUBSCRIPTION_NOT_PRESENT`	`FAILED`	The CloudWatch Logs metric filters do not have a valid Amazon SNS subscription.
`SNS_TOPIC_CROSS_ACCOUNT_CROSS_REGION`	`WARNING`	The finding is in a `WARNING` state because the SNS topic associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.
`THROTTLING_ERROR`	`NOT_AVAILABLE`	The relevant API operation exceeded the allowed rate.

Determining the severity of security standards findings

For security standards findings, the severity (Severity.Label) is determined based on an assessment on how easy it would be to compromise AWS resources if the issue is detected.

CRITICAL – The issue must be remediated immediately to avoid it escalating.

For example, an open S3 bucket is considered a critical severity finding. Because so many actors scan for open S3, buckets, the data in an exposed S3 bucket is likely to be discovered and accessed by others. In general, resources with overly broad access rights that allow unintended public access are considered critical.

These issues should have the highest SLAs in terms of response times.
HIGH – The issue must be addressed as a priority.

For example, CloudTrail logging not being enabled is considered a high severity issue, because malicious actors can disable logging to hide the actions taken within infrastructure in which they've established a presence.

We recommend that you treat this security issue as a priority and take immediate remediation steps.
MEDIUM – The issue must be addressed but not urgently.

For example, lack of encryption at-rest is considered a medium severity finding, because the data is not active and is less vulnerable to exposure.

We recommend that you investigate the implicated resource at your earliest convenience.
LOW – The issue does not require action on its own.

For example, discovering EC2 instances without required tags is considered low severity because a lack of tags can lead to a lack of resource visibility. But a lack of tags does not usually directly lead to resources being compromised.

There is no immediate action needed on low severity issues, but they can provide context when correlated with other issues.
INFORMATIONAL – No issue was found. In other words, the status is PASSED. There is no recommended action. Informational findings help customers to demonstrate that they are in a compliant state.

Determining the overall status of a control from its findings

In the findings generated by security checks, the Compliance.Status field is assigned one of the following values.

PASSED. If Compliance.Status is PASSED, then Security Hub automatically sets Workflow.Status to RESOLVED.
FAILED
WARNING – Indicates that the check was completed, but Security Hub cannot determine whether the resource is in a PASSED or FAILED state
NOT_AVAILABLE – Indicates that the check cannot be completed because there is a server failure, the resource was deleted, or the result of the AWS Config evaluation was NOT_APPLICABLE.

If the AWS Config evaluation result was NOT_APPLICABLE, then Security Hub automatically archives the finding.

The overall status for each control is based on the Compliance.Status and Workflow.Status values of the active account-level findings for that control. See Account-level and resource-level findings. The overall status includes the active findings in the master account and the member accounts. The available values for the overall status are as follows:

Passed – Indicates that all findings have a Compliance.Status of PASSED or a Workflow.Status of RESOLVED.

Findings with a Workflow.Status of SUPPRESSED are ignored.
Failed – Indicates that at least one finding has a Compliance.Status of FAILED and does not have a Workflow.Status of RESOLVED.

Findings with a Workflow.Status of SUPPRESSED are ignored.
Unknown – Indicates that one of the following is true.
- There are no findings.
- All findings have a Workflow.Status of SUPPRESSED. Because SUPPRESSED findings are ignored, this is equivalent to no findings.
- No findings are FAILED. At least one finding has a Compliance.Status of WARNING or NOT_AVAILABLE and does not have a Workflow.Status of RESOLVED or SUPPRESSED.

Account-level and resource-level findings

When Security Hub runs security checks against controls, those security checks produce findings. The findings produced, and how the overall control status is updated, depends on whether the involved resource is an AWS account or some other type of resource.

Controls that only involve AWS accounts

If the involved resource for the control is an AWS account, then the control only produces account-level findings for the account. The finding identifies whether the account passed the control.

The overall control status is based on these findings. Changes to the workflow status are automatically reflected in the overall control status.

Controls that involve resources other than AWS accounts

If the involved resource is something other than an AWS account, then the control produces both resource-level findings and account-level findings.

The resource-level finding is for the involved resource, such as an EC2 instance.

The control also produces an account-level finding for each account. The account-level finding summarizes the compliance status for all of the resource-level findings across all resources for that account for the control. For the account-level finding, Resource.Type is AwsAccount. For example, for a control that involves EC2 instances, an account-level finding can reflect the resource-level findings for different EC2 instances for that account.

Security Hub automatically updates Compliance.Status for account-level findings based on the resource-level findings. If all of the resource-level findings pass, then the account-level finding passes. If at least one of the resource-level findings fails, then the account-level finding fails.

The overall status of the control is based on the account-level findings. However, the workflow status of an account-level finding is not automatically updated to reflect changes to the workflow status of the resource-level findings.

To update the overall control status after you suppress resource-level findings, you must manually update the workflow status of the account-level findings. For example, if you suppress all of the failed resource-level findings for a control, then you should change the workflow status of the account-level findings to RESOLVED. Do not suppress account-level findings. If you suppress account-level findings, the control status changes to Unknown.

Determining the security score for a security standard

On the Security standards page, each enabled standard displays a security score, which is between 0% and 100%.

The security score represents the proportion of Passed controls to enabled controls. The score is displayed as a percentage. For example, if 10 controls are enabled for a standard, and 7 of those controls are in a Passed state, then the security score is 70%.

On the Summary page, the Security standards card also displays the security scores for each enabled standard. It also displays a consolidated security score that represents the proportion of passed controls to enabled controls across all of the enabled standards.

Rules for updating standards-related findings

If a subsequent check against a given rule generates a new result (for example, the status of "Avoid the use of the root account" changes from FAILED to PASSED), a new finding is generated that contains the most recent result.

If a subsequent check against a given rule generates a result that is identical to the current result, the existing finding is updated. No new finding is generated.

Security Hub automatically archives findings from controls if the associated resource is deleted, the resource does not exist, or the control is disabled. A resource might no longer exist because the associated service is not currently used. The findings are archived automatically based on one of the following criteria:

The finding was not updated in three days.
The associated AWS Config evaluation returned NOT_APPLICABLE.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Schedule for running security checks

Disabling or enabling a security standard