
Security checks and security scores in Security Hub

For each control that you enable, Amazon Security Hub runs security checks. A security check determines whether your Amazon resources are in compliance with the rules that the control includes.

Some checks run on a periodic schedule. Other checks run only when the state of a resource changes. For more information, see Schedule for running security checks.

Many security checks use Amazon Config managed or custom rules to establish the compliance requirements. To run these checks, you must set up Amazon Config. For more information, see How Security Hub uses Amazon Config rules to run security checks. Other checks use custom Lambda functions, which Security Hub manages and which are not visible to customers.

As Security Hub runs security checks, it generates findings and assigns them a compliance status. For more information about compliance status, see Values for compliance status of a finding.

Security Hub uses the compliance status of control findings to determine an overall control status. Security Hub also calculates a security score across all enabled controls and for specific standards. For more information, see Compliance status and control status and Determining security scores.

If you've turned on consolidated control findings, Security Hub generates a single finding even when a control is associated with more than one standard. For more information, see Consolidated control findings.