Security Hub concepts
Note: Security Hub is in preview release and is subject to change.
The following terms and concepts will help you understand how to manage exposure findings.
- Exposure
  A potential security scenario in your account that may be due to vulnerabilities, exploitable resources, or misconfigurations.
- Exposure finding
  A type of finding that describes an exposure present in your environment. An exposure finding is built from signals, and each signal carries one or more exposure traits. Security Hub generates an exposure finding for a resource when signals from Security Hub CSPM control findings or from other AWS services, such as Amazon Inspector, indicate that the resource is exposed. A resource can have at most one exposure finding. If a resource has no exposure traits, or has too few to indicate an exposure, Security Hub doesn't generate an exposure finding for that resource.
- Signal
  A finding that contributes to an exposure finding; a signal is also referred to as a contributing finding. A signal can originate in Security Hub CSPM, AWS Config, or other AWS services, such as Amazon Inspector.
- Trait
  A security deviation that results in an exposure finding. Trait types are Misconfiguration, Reachability, Sensitive Data, and Vulnerability. A trait is associated with exactly one signal, while a signal can contain multiple traits. For example, a Security Hub CSPM control finding that reports a customer managed policy allowing administrative access is a signal, and that signal contains a Misconfiguration trait.