Sample control findings
The format of control findings varies depending on whether you've turned on consolidated control findings. When you turn on this feature, Security Hub generates a single finding for a control check even when the control applies to multiple enabled standards. For more information, see Consolidated control findings.
The following section shows sample control findings. These include findings from each Security Hub standard when consolidated control findings is turned off in your account, and a sample control finding across standards when it's turned on.
Note
Findings will reference different fields and values in the China Regions and Amazon GovCloud (US) Region. For more information, see Impact of consolidation on ASFF fields and values.
Consolidated control findings is turned off
-
Sample finding for Amazon Foundational Security Best Practices (FSBP) standard
-
Sample finding for Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0
-
Sample finding for Center for Internet Security (CIS) Amazon Foundations Benchmark v1.4.0
-
Sample finding for Center for Internet Security (CIS) Amazon Foundations Benchmark v3.0.0
-
Sample finding for National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5
-
Sample finding for Payment Card Industry Data Security Standard (PCI DSS)
-
Sample finding for Service-Managed Standard: Amazon Control Tower
Consolidated control findings is turned on
Sample finding for FSBP
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-2", "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/Amazon-Foundational-Security-Best-Practices" ], "FirstObservedAt": "2020-08-06T02:18:23.076Z", "LastObservedAt": "2021-09-28T16:10:06.956Z", "CreatedAt": "2020-08-06T02:18:23.076Z", "UpdatedAt": "2021-09-28T16:10:00.093Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/aws-foundation-best-practices/v/1.0.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/Amazon-Foundational-Security-Best-Practices" ] } }
Sample finding for CIS Amazon Foundations Benchmark v3.0.0
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c", "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-1", "GeneratorId": "cis-aws-foundations-benchmark/v/3.0.0/2.2.1", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark" ], "FirstObservedAt": "2024-04-18T07:46:18.193Z", "LastObservedAt": "2024-04-23T07:47:01.137Z", "CreatedAt": "2024-04-18T07:46:18.193Z", "UpdatedAt": "2024-04-23T07:46:46.165Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "2.2.1 EBS default encryption should be enabled", "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws-cn:securityhub:::standards/cis-aws-foundations-benchmark/v/3.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0", "ControlId": "2.2.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation", "RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2843ed9e", "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/3.0.0/2.2.1", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "aws/securityhub/annotation": "EBS Encryption by default is not enabled.", "Resources:0/Id": "arn:aws:iam::123456789012:root", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c" }, "Resources": [ { "Type": "AwsAccount", "Id": "Amazon::::Account:123456789012", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v3.0.0/2.2.1" ], "SecurityControlId": "EC2.7", "AssociatedStandards": [ { "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" } ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark" ] }, "ProcessedAt": "2024-04-23T07:47:07.088Z" }
Sample finding for CIS Amazon Foundations Benchmark v1.4.0
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-1", "GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/3.7", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark" ], "FirstObservedAt": "2022-10-21T22:14:48.913Z", "LastObservedAt": "2022-12-22T22:24:56.980Z", "CreatedAt": "2022-10-21T22:14:48.913Z", "UpdatedAt": "2022-12-22T22:24:52.409Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", "Description": "Amazon CloudTrail is a web service that records Amazon API calls for an account and makes those logs available to users and resources in accordance with IAM policies. Amazon Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and Amazon KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws-cn:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0", "ControlId": "3.7", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-855f82d1", "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.4.0/3.7", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "CIS Amazon Foundations Benchmark v1.4.0/3.7" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark" ] } }
Sample finding for CIS Amazon Foundations Benchmark v1.2.0
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-2", "GeneratorId": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark" ], "FirstObservedAt": "2020-08-29T04:10:06.337Z", "LastObservedAt": "2021-09-28T16:10:05.350Z", "CreatedAt": "2020-08-29T04:10:06.337Z", "UpdatedAt": "2021-09-28T16:10:00.087Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", "Description": "Amazon Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsGuideArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsGuideSubscriptionArn": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0", "RuleId": "2.7", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.7", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark" ] } }
Sample finding for NIST SP 800-53 Rev. 5
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-1", "GeneratorId": "nist-800-53/v/5.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2023-02-17T14:22:46.726Z", "LastObservedAt": "2023-02-17T14:22:50.846Z", "CreatedAt": "2023-02-17T14:22:46.726Z", "UpdatedAt": "2023-02-17T14:22:46.726Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, consult the Amazon Security Hub NIST 800-53 R5 documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws-cn:securityhub:::standards/nist-800-53/v/5.0.0", "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.9/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws-cn:cloudtrail:us-east-1:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "NIST.800-53.r5 AU-9", "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 CM-3(6)", "NIST.800-53.r5 SC-13", "NIST.800-53.r5 SC-28", "NIST.800-53.r5 SC-28(1)", "NIST.800-53.r5 SC-7(10)", "NIST.800-53.r5 SI-7(6)" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [ { "StandardsId": "standards/nist-800-53/v/5.0.0" } ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "ProcessedAt": "2023-02-17T14:22:53.572Z" }
Sample finding for PCI DSS
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-2", "GeneratorId": "pci-dss/v/3.2.1/PCI.CloudTrail.1", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ], "FirstObservedAt": "2020-08-06T02:18:23.089Z", "LastObservedAt": "2021-09-28T16:10:06.942Z", "CreatedAt": "2020-08-06T02:18:23.089Z", "UpdatedAt": "2021-09-28T16:10:00.090Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using Amazon KMS CMKs", "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption by checking if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws-cn:securityhub:::standards/pci-dss/v/3.2.1", "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1", "ControlId": "PCI.CloudTrail.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/pci-dss/v/3.2.1/PCI.CloudTrail.1", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "PCI DSS 3.4" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/pci-dss/v/3.2.1" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ] } }
Sample finding for Amazon Resource Tagging Standard
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:eu-central-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "eu-central-1", "GeneratorId": "security-control/EC2.44", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2024-02-19T21:00:32.206Z", "LastObservedAt": "2024-04-29T13:01:57.861Z", "CreatedAt": "2024-02-19T21:00:32.206Z", "UpdatedAt": "2024-04-29T13:01:41.242Z", "Severity": { "Label": "LOW", "Normalized": 1, "Original": "LOW" }, "Title": "EC2 subnets should be tagged", "Description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" } }, "ProductFields": { "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-6ceafede", "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "aws/securityhub/annotation": "No tags are present.", "Resources:0/Id": "arn:aws-cn:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsEc2Subnet", "Id": "arn:aws-cn:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "Partition": "aws", "Region": "eu-central-1", "Details": { "AwsEc2Subnet": { "AssignIpv6AddressOnCreation": false, "AvailabilityZone": "eu-central-1b", "AvailabilityZoneId": "euc1-az3", "AvailableIpAddressCount": 4091, "CidrBlock": "10.24.34.0/23", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "OwnerId": "123456789012", "State": "available", "SubnetArn": "arn:aws-cn:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "SubnetId": "subnet-1234567890abcdef0", "VpcId": "vpc-021345abcdef6789" } } } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "EC2.44", "AssociatedStandards": [ { "StandardsId": "standards/aws-resource-tagging-standard/v/1.0.0" } ], "SecurityControlParameters": [ { "Name": "requiredTagKeys", "Value": [ "peepoo" ] } ], }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "LOW", "Original": "LOW" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "ProcessedAt": "2024-04-29T13:02:03.259Z" }
Sample finding for Service-Managed Standard: Amazon Control Tower
Note
This standard is available to you only if you're an Amazon Control Tower user who has created the standard in Amazon Control Tower. For more information, see Service-Managed Standard: Amazon Control Tower.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-1", "GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2022-11-17T01:25:30.296Z", "LastObservedAt": "2022-11-17T01:25:45.805Z", "CreatedAt": "2022-11-17T01:25:30.296Z", "UpdatedAt": "2022-11-17T01:25:30.296Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CT.CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws-cn:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0", "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0", "ControlId": "CT.CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule", "StandardsControlArn": "arn:aws-cn:securityhub:us-east-1:123456789012:control/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "Amazon::::Account:123456789012", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] } }
Sample finding across standards (when consolidated control findings is turned on)
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "Amazon", "Region": "us-east-2", "GeneratorId": "security-control/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2022-10-06T02:18:23.076Z", "LastObservedAt": "2022-10-28T16:10:06.956Z", "CreatedAt": "2022-10-06T02:18:23.076Z", "UpdatedAt": "2022-10-28T16:10:00.093Z", "Severity": { "Label": "MEDIUM", "Normalized": "40", "Original": "MEDIUM" }, "Title": "CloudTrail should have encryption at-rest enabled", "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the Amazon Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "Amazon", "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "PCI DSS v3.2.1/3.4", "CIS Amazon Foundations Benchmark v1.2.0/2.7", "CIS Amazon Foundations Benchmark v1.4.0/3.7" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [ { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}, { "StandardsId": "standards/pci-dss/v/3.2.1"}, { "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, { "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"}, { "StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0"}, ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] } }