Schedule for running security checks - AWS Security Hub

Schedule for running security checks

After you enable a security standard, AWS Security Hub begins to run all checks within two hours. Most checks begin to run within 25 minutes. Security Hub runs checks by evaluating the rule underlying a control. Until a control completes its first run of checks, its status is No data.

When you enable a new standard, Security Hub may take up to 24 hours to generate findings for controls that use the same underlying AWS Config service-linked rule as enabled controls from other enabled standards. For example, if you enable Lambda.1 in the AWS Foundational Security Best Practices (FSBP) standard, Security Hub will create the service-linked rule and typically generate findings in minutes. After this, if you enable Lambda.1 in the Payment Card Industry Data Security Standard (PCI DSS), Security Hub may take up to 24 hours to generate findings for this control because it uses the same service-linked rule as Lambda.1.

After the initial check, the schedule for each control can be either periodic or change triggered.

  • Periodic checks – These checks run automatically within 12 or 24 hours after the most recent run. Security Hub determines the periodicity, and you can't change it. Periodic controls reflect an evaluation at the moment the check runs. If you update the workflow status of a periodic control finding, and then in the next check the compliance status of the finding stays the same, the workflow status remains in its modified state. For example, if you have a failed finding for KMS.4 - AWS KMS key rotation should be enabled, and then remediate the finding, Security Hub changes the workflow status from NEW to RESOLVED. If you disable KMS key rotation before the next periodic check, the workflow status of the finding remains RESOLVED.

  • Change-triggered checks – These checks run when the associated resource changes state. AWS Config lets you choose between continuous recording of changes in resource state and daily recording. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24 hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub findings until a 24-hour period is complete. Regardless of your chosen recording period, Security Hub checks every 18 hours to ensure no resource updates from AWS Config were missed.

In general, Security Hub uses change-triggered rules whenever possible. For a resource to use a change-triggered rule, it must support AWS Config configuration items.

For a control that is based on a managed AWS Config rule, the control description includes a link to the rule description in the AWS Config Developer Guide. That description includes whether the rule is change triggered or periodic.

Checks that use Security Hub custom Lambda functions are periodic.