Viewing Amazon Security Hub controls in Amazon Trusted Advisor - Amazon Web Services Support
PrerequisitesView your Security Hub findingsRefresh your Security Hub findingsDisable Security Hub from Trusted AdvisorTroubleshooting
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing Amazon Security Hub controls in Amazon Trusted Advisor

After you enable Amazon Security Hub for your Amazon Web Services account, you can view your security controls and their findings in the Trusted Advisor console. You can use Security Hub controls to identify security vulnerabilities in your account in the same way that you can use Trusted Advisor checks. You can view the check's status, the list of affected resources, and then follow Security Hub recommendations to address your security issues. You can use this feature to find security recommendations from Trusted Advisor and Security Hub in one convenient location.

Notes

  • From Trusted Advisor, you can view controls in the Amazon Foundational Security Best Practices security standard except for controls that have the Category: Recover > Resilience. For a list of supported controls, see Amazon Foundational Security Best Practices controls in the Amazon Security Hub User Guide.

    For more information about the Security Hub categories, see Control categories.

  • Currently, when Security Hub adds new controls to the Amazon Foundational Security Best Practices security standard, there can be a delay of two to four weeks before you can view them in Trusted Advisor. This time frame is best effort and isn't guaranteed.

Prerequisites

You must meet the following requirements to enable the Security Hub integration with Trusted Advisor:

Note

If you already completed these prerequisites, you can skip to View your Security Hub findings.

About Amazon Organizations accounts

If you already completed the prerequisites for a management account, this integration is enabled automatically for all member accounts in your organization. Individual member accounts don't need to contact Amazon Web Services Support to enable this feature. However, member accounts in your organization must enable Security Hub if they want to see their findings in Trusted Advisor.

If you want to disable this integration for a specific member account, see Disable this feature for Amazon Organizations accounts.

View your Security Hub findings

After you enable Security Hub for your account, it can take up to 24 hours for your Security Hub findings to appear in the Security page of the Trusted Advisor console.

To view your Security Hub findings in Trusted Advisor

  1. Navigate to the Trusted Advisor console, and then choose the Security category.

  2. In the Search by keyword field, enter the control name or description in the field.

    Tip

    For Source, you can choose Amazon Security Hub to filter for Security Hub controls.

  3. Choose the Security Hub control name to view the following information:

    • Description – Describes how this control checks your account for security vulnerabilities.

    • Source – Whether the check comes from Amazon Trusted Advisor or Amazon Security Hub. For Security Hub controls, you can find the control ID.

    • Alert Criteria – The status of the control. For example, if Security Hub detects an important issue, the status might be Red: Critical or High.

    • Recommended Action – Use the Security Hub documentation link to find the recommended steps to fix the issue.

    • Security Hub resources – You can find the resources in your account where Security Hub has detected an issue.

Notes

  • You must use Security Hub to exclude resources from your findings. Currently, you can't use the Trusted Advisor console to exclude items from Security Hub controls. For more information, see Setting the workflow status for findings.

  • The organizational view feature supports this integration with Security Hub. You can view your findings for your Security Hub controls across your organization, and then create and download reports. For more information, see Organizational view for Amazon Trusted Advisor.

Refresh your Security Hub findings

After you enable a security standard, it can take up to two hours for Security Hub to have findings for your resources. It can then take up to 24 hours for that data to appear in the Trusted Advisor console. If you recently enabled the Amazon Foundational Security Best Practices v1.0.0 security standard, check the Trusted Advisor console again later.

Note

  • The refresh schedule for each Security Hub control is periodic or change triggered. Currently, you can't use the Trusted Advisor console or the Amazon Web Services Support API to refresh your Security Hub controls. For more information, see Schedule for running security checks.

  • You must use Security Hub if you want to exclude resources from your findings. Currently, you can't use the Trusted Advisor console to exclude items from Security Hub controls. For more information, see Setting the workflow status for findings.

Disable Security Hub from Trusted Advisor

Follow this procedure if you don't want your Security Hub information to appear in the Trusted Advisor console. This procedure only disables the Security Hub integration with Trusted Advisor. It won't affect your configurations with Security Hub. You can continue to use the Security Hub console to view your security controls, resources, and recommendations.

To disable the Security Hub integration

  1. Contact Amazon Web Services Support and request to disable the Security Hub integration with Trusted Advisor.

    After Amazon Web Services Support disables this feature, Security Hub no longer sends data to Trusted Advisor. Your Security Hub data will be removed from Trusted Advisor.

  2. If you want to enable this integration again, contact Amazon Web Services Support.

Disable this feature for Amazon Organizations accounts

If you already completed the previous procedure for a management account, Security Hub integration is automatically removed from all member accounts in your organization. Individual member accounts in your organization don't need to contact Amazon Web Services Support separately.

If you're a member account in an organization, you can contact Amazon Web Services Support to remove this feature from only your account.

Troubleshooting

If you're having issues with this integration, see the following troubleshooting information.

I don't see Security Hub findings in the Trusted Advisor console

Verify that you completed the following steps:

  • You have a Business, Enterprise On-Ramp, or Enterprise Support plan.

  • You enabled resource recording in Amazon Config within the same Region as Security Hub.

  • You enabled Security Hub and selected the Amazon Foundational Security Best Practices v1.0.0 security standard.

  • New controls from Security Hub are added as checks in Trusted Advisor within two to four weeks. See the note.

For more information, see the Prerequisites.

I configured Security Hub and Amazon Config correctly, but my findings are still missing

It can take up to two hours for Security Hub to have findings for your resources. It can then take up to 24 hours for that data to appear in the Trusted Advisor console. Check the Trusted Advisor console again later.

Notes

  • Only your findings for controls in the Amazon Foundational Security Best Practices security standard will appear in Trusted Advisor except for controls that have the Category: Recover > Resilience.

  • If there's a service issue with Security Hub or Security Hub isn't available, it can take up to 24 hours for your findings to appear in Trusted Advisor. Check the Trusted Advisor console again later.

I want to disable specific Security Hub controls

Security Hub sends your data to Trusted Advisor automatically. If you disable a Security Hub control or no longer have resources for that control, your findings won't appear in Trusted Advisor.

You can sign in to the Security Hub console and verify if your control is enabled or disabled.

If you disable a Security Hub control or disable all controls for the Amazon Foundational Security Best Practices security standard, your findings are archived within the next five days. This five-day period to archive is approximate and best effort only, and isn't guaranteed. When your findings are archived, they are removed from Trusted Advisor.

For more information, see the following topics:

I want to find my excluded Security Hub resources

From the Trusted Advisor console, you can choose your Security Hub control name, and then choose the Excluded items option. This option displays all resources that are suppressed in Security Hub.

If the workflow status for a resource is set to SUPPRESSED, then that resource is an excluded item in Trusted Advisor. You can't suppress Security Hub resources from the Trusted Advisor console. To do so, use the Security Hub console. For more information, see Setting the workflow status for findings.

I want to enable or disable this feature for a member account that belongs to an Amazon organization

By default, member accounts inherit the feature from the management account for Amazon Organizations. If the management account has enabled the feature, then all accounts in the organization will also have the feature. If you have a member account and want to make specific changes for your account, you must contact Amazon Web Services Support.

I see multiple Amazon Web Services Regions for the same affected resource for a Security Hub check

Some Amazon Web Services are global and aren't specific to a Region, such as IAM and Amazon CloudFront. By default, global resources such as Amazon S3 buckets appear in the US East (N. Virginia) Region.

For Security Hub checks that evaluate resources for global services, you might see more than one item for affected resources. For example, if the Hardware MFA should be enabled for the root user check identifies that your account hasn't activated this feature, then you will see multiple Regions in the table for the same resource.

You can configure Security Hub and Amazon Config so that multiple Regions won't appear for the same resource. For more information, see Amazon Foundational Best Practices controls that you might want to disable.

I turned off Security Hub or Amazon Config in a Region

If you stop resource recording with Amazon Config or disable Security Hub in an Amazon Web Services Region, Trusted Advisor no longer receives data for any controls in that Region. Trusted Advisor removes your Security Hub findings within 7-9 days. This time frame is best effort and isn't guaranteed. For more information, see Disabling Security Hub.

To disable this feature for your account, see Disable Security Hub from Trusted Advisor.

My control is archived in Security Hub, but I still see the findings in Trusted Advisor

When the RecordState status changes to ARCHIVED for a finding, Trusted Advisor deletes the finding for that Security Hub control from your account. You might still see the finding in Trusted Advisor for up to 7-9 days before it's deleted. This time frame is best effort and isn't guaranteed.

I still can't view my Security Hub findings

If you still have issues with this feature, you can create a technical support case in the Amazon Web Services Support Center.