Amazon Security Hub and interface VPC endpoints (Amazon PrivateLink) - Amazon Security Hub
Considerations for Security Hub VPC endpointsCreating an interface VPC endpoint for Security HubCreating a VPC endpoint policy for Security HubShared subnets
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Security Hub and interface VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your VPC and Amazon Security Hub by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access Security Hub APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Security Hub APIs. Traffic between your VPC and Security Hub does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon PrivateLink Guide.

Considerations for Security Hub VPC endpoints

Before you set up an interface VPC endpoint for Security Hub, ensure that you review Interface endpoint properties and limitations in the Amazon PrivateLink Guide.

Security Hub supports making calls to all of its API actions from your VPC.

Note

Security Hub does not support VPC endpoints in the Asia Pacific (Osaka) Region.

Creating an interface VPC endpoint for Security Hub

You can create a VPC endpoint for the Security Hub service using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Create an interface endpoint in the Amazon PrivateLink Guide.

Create a VPC endpoint for Security Hub using the following service name:

  • com.amazonaws.region.securityhub

If you enable private DNS for the endpoint, you can make API requests to Security Hub using its default DNS name for the Region, for example, securityhub.us-east-1.amazonaws.com.

For more information, see Access a service through an interface endpoint in the Amazon PrivateLink Guide.

Creating a VPC endpoint policy for Security Hub

You can attach an endpoint policy to your VPC endpoint that controls access to Security Hub. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Control access to services with VPC endpoints in the Amazon PrivateLink Guide.

Example: VPC endpoint policy for Security Hub actions

The following is an example of an endpoint policy for Security Hub. When attached to an endpoint, this policy grants access to the listed Security Hub actions for all principals on all resources.

{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "securityhub:getFindings",
            "securityhub:getEnabledStandards",
            "securityhub:getInsights"
         ],
         "Resource":"*"
      }
   ]
}

Shared subnets

You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you. For information about VPC sharing, see Share your VPC with other accounts in the Amazon VPC User Guide.