Amazon Web Service integrations with Amazon Security Hub
Amazon Security Hub supports integrations with several other Amazon Web Services.
Note
Some integrations are only available in select Amazon Web Services Regions.
If an integration is not supported in a specific Region, it is not listed on the Integrations page of the Security Hub console.
For more information, see Integrations that are supported in China (Beijing) and China (Ningxia) and Integrations that are supported in Amazon GovCloud (US-East) and Amazon GovCloud (US-West).
Unless indicated below, Amazon Web Service integrations that send findings to Security Hub are automatically activated after you enable Security Hub. Integrations that receive Security Hub findings may require additional steps for activation. Review the information about each integration to learn more.
Overview of Amazon service integrations with Security Hub
Here is an overview of Amazon services that send findings to Security Hub or receive findings from Security Hub.
| Integrated Amazon service | Direction |
|---|---|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Sends findings |
|
|
Receives findings |
|
|
Receives findings |
|
|
Receives findings |
|
|
Receives findings |
|
|
Receives and updates findings |
|
|
Receives findings |
Amazon services that send findings to Security Hub
The following Amazon services integrate with Security Hub by sending findings to Security Hub. Security Hub transforms the findings into the Amazon Security Finding Format.
Amazon Config (Sends findings)
Amazon Config is a service that allows you to assess, audit, and evaluate the configurations of your Amazon resources. Amazon Config continuously monitors and records your Amazon resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
By using the integration with Amazon Config, you can see the results of Amazon Config managed and custom rule evaluations as findings in Security Hub. These findings can be viewed alongside other Security Hub findings, providing a comprehensive overview of your security posture.
Amazon Config uses Amazon EventBridge to send Amazon Config rule evaluations to Security Hub. Security Hub transforms the rule evaluations into findings that follow the Amazon Security Finding Format. Security Hub then enriches the findings on a best effort basis by getting more information about the impacted resources, such as the Amazon Resource Name (ARN) and creation date. Resource tags in Amazon Config rule evaluations aren't included in Security Hub findings.
For more information about this integration, see the following sections.
All findings in Security Hub use the standard JSON format of ASFF. ASFF includes details about the origin of the finding, the affected resource, and the current status of the finding. Amazon Config sends managed and custom rule evaluations to Security Hub via EventBridge. Security Hub transforms the rule evaluations into findings that follow ASFF and enriches the findings on a best effort basis.
Types of findings that Amazon Config sends to Security Hub
Once the integration is activated, Amazon Config sends evaluations of all Amazon Config managed rules and custom rules to Security Hub. Only evaluations from service-linked Amazon Config rules, such as those used to run checks on security controls, are excluded.
Sending Amazon Config findings to Security Hub
When the integration is activated, Security Hub will automatically assign the permissions necessary to receive findings from Amazon Config. Security Hub uses service-to-service level permissions that provide you with a safe way to activate this integration and import findings from Amazon Config via Amazon EventBridge.
Latency for sending findings
When Amazon Config creates a new finding, you can usually view the finding in Security Hub within five minutes.
Retrying when Security Hub is not available
Amazon Config sends findings to Security Hub on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub, EventBridge retries delivery for up to 24 hours or 185 times, whichever comes first.
Updating existing Amazon Config findings in Security Hub
After Amazon Config sends a finding to Security Hub, it can send updates to the same finding to Security Hub to reflect additional observations of the
finding activity. Updates are only sent for ComplianceChangeNotification events.
If no compliance change occurs, updates aren't sent to Security Hub. Security Hub deletes findings 90 days
after the most recent update or 90 days after creation if no update occurs.
Regions in which Amazon Config findings exist
Amazon Config findings occur on a Regional basis. Amazon Config sends findings to Security Hub in the same Region or Regions where the findings occur.
To view your Amazon Config findings, choose Findings from the Security Hub navigation pane. To filter the findings to display only Amazon Config findings, choose Product name in the search bar drop down. Enter Config, and choose Apply.
Interpreting Amazon Config finding names in Security Hub
Security Hub transforms Amazon Config rule evaluations into findings that follow the Amazon Security Finding Format (ASFF). Amazon Config rule evaluations use a different event pattern compared to ASFF. The following table maps the Amazon Config rule evaluation fields with their ASFF counterpart as they appear in Security Hub.
| Config rule evaluation finding type | ASFF finding type | Hardcoded value |
|---|---|---|
| detail.awsAccountId | AwsAccountId | |
| detail.newEvaluationResult.resultRecordedTime | CreatedAt | |
| detail.newEvaluationResult.resultRecordedTime | UpdatedAt | |
| ProductArn | "arn:<partition>:securityhub:<region>::product/aws/config" | |
| ProductName | "Config" | |
| CompanyName | "Amazon" | |
| Region | "eu-central-1" | |
| configRuleArn | GeneratorId, ProductFields | |
| detail.ConfigRuleARN/finding/hash | Id | |
| detail.configRuleName | Title, ProductFields | |
| detail.configRuleName | Description | "This finding is created for a resource compliance change for config rule: ${detail.ConfigRuleName}" |
| Configuration Item "ARN" or Security Hub computed ARN | Resources[i].id | |
| detail.resourceType | Resources[i].Type | "AwsS3Bucket" |
| Resources[i].Partition | "aws" | |
| Resources[i].Region | "eu-central-1" | |
| Configuration Item "configuration" | Resources[i].Details | |
| SchemaVersion | "2018-10-08" | |
| Severity.Label | See "Interpreting Severity Label" below | |
| Types | ["Software and Configuration Checks"] | |
| detail.newEvaluationResult.complianceType | Compliance.Status | "FAILED", "NOT_AVAILABLE", "PASSED", or "WARNING" |
| Workflow.Status | "RESOLVED" if an Amazon Config finding is generated with a Compliance.Status of "PASSED," or if the Compliance.Status changes from "FAILED" to "PASSED." Otherwise, Workflow.Status will be "NEW." You can change this value with the BatchUpdateFindings API operation. |
Interpreting severity label
All findings from Amazon Config rule evaluations have a default severity label of MEDIUM in the ASFF. You can update the severity label of a
finding with the BatchUpdateFindings API operation.
Typical finding from Amazon Config
Security Hub transforms Amazon Config rule evaluations into findings that follow the ASFF. The following is an example of a typical finding from Amazon Config in the ASFF.
Note
If the description is more than 1024 characters, it will be truncated to 1024 characters and will say "(truncated)" at the end.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/45g070df80cb50b68fa6a43594kc6fda1e517932", "ProductArn": "arn:aws-cn:securityhub:eu-central-1::product/aws/config", "ProductName": "Config", "CompanyName": "AWS", "Region": "eu-central-1", "GeneratorId": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks" ], "CreatedAt": "2022-04-15T05:00:37.181Z", "UpdatedAt": "2022-04-19T21:20:15.056Z", "Severity": { "Label": "MEDIUM", "Normalized": 40 }, "Title": "s3-bucket-level-public-access-prohibited-config-integration-demo", "Description": "This finding is created for a resource compliance change for config rule: s3-bucket-level-public-access-prohibited-config-integration-demo", "ProductFields": { "aws/securityhub/ProductName": "Config", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws-cn:securityhub:eu-central-1::product/aws/config/arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/46f070df80cd50b68fa6a43594dc5fda1e517902", "aws/config/ConfigRuleArn": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq", "aws/config/ConfigRuleName": "s3-bucket-level-public-access-prohibited-config-integration-demo", "aws/config/ConfigComplianceType": "NON_COMPLIANT" }, "Resources": [{ "Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::config-integration-demo-bucket", "Partition": "aws", "Region": "eu-central-1", "Details": { "AwsS3Bucket": { "OwnerId": "4edbba300f1caa608fba2aad2c8fcfe30c32ca32777f64451eec4fb2a0f10d8c", "CreatedAt": "2022-04-15T04:32:53.000Z" } } }], "Compliance": { "Status": "FAILED" }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM" }, "Types": [ "Software and Configuration Checks" ] } }
After you enable Security Hub, this integration is activated automatically. Amazon Config immediately begins to send findings to Security Hub.
To stop sending findings to Security Hub, you can use the Security Hub console, the Security Hub API, or the Amazon CLI.
See Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, Amazon CLI).
Amazon Firewall Manager (Sends findings)
Firewall Manager sends findings to Security Hub when a web application firewall (WAF) policy for resources or a web access control list (web ACL) rule is not in compliance. Firewall Manager also sends findings when Amazon Shield Advanced is not protecting resources, or when an attack is identified.
After you enable Security Hub, this integration is automatically activated. Firewall Manager immediately begins to send findings to Security Hub.
To learn more about the integration, view the Integrations page in the Security Hub console.
To learn more about Firewall Manager, see the Amazon WAF Developer Guide.
Amazon GuardDuty (Sends findings)
GuardDuty sends all of the findings it generates to Security Hub.
New findings from GuardDuty are sent to Security Hub within five minutes. Updates to findings are sent based on the Updated findings setting for Amazon EventBridge in GuardDuty settings.
When you generate GuardDuty sample findings using the GuardDuty Settings
page, Security Hub receives the sample findings and omits the prefix [Sample] in the finding type. For example, the sample finding type in GuardDuty [SAMPLE] Recon:IAMUser/ResourcePermissions
is displayed as Recon:IAMUser/ResourcePermissions in Security Hub.
After you enable Security Hub, this integration is automatically activated. GuardDuty immediately begins to send findings to Security Hub.
For more information about the GuardDuty integration, see Integration with Amazon Security Hub in the Amazon GuardDuty User Guide.
Amazon Health (Sends findings)
Amazon Health provides ongoing visibility into your resource performance and the availability of your Amazon services and accounts. You can use Amazon Health events to learn how service and resource changes might affect your applications that run on Amazon.
The integration with Amazon Health does not use BatchImportFindings. Instead, Amazon Health uses service-to-service event messaging
to send findings to Security Hub.
For more information about the integration, see the following sections.
In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other Amazon services or by third-party partners. Security Hub also has a set of rules that it uses to detect security issues and generate findings.
Security Hub provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. See Managing and reviewing finding details and history. You can also track the status of an investigation into a finding. See Taking action on findings in Amazon Security Hub.
All findings in Security Hub use a standard JSON format called the Amazon Security Finding Format (ASFF). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding.
Amazon Health is one of the Amazon services that sends findings to Security Hub.
Types of findings that Amazon Health sends to Security Hub
Once the integration is enabled, Amazon Health sends all security-related findings it generates to Security Hub. The findings are sent to Security Hub using the Amazon Security Finding Format (ASFF). Security-related findings are defined as the following:
-
Any finding associated with an Amazon security service
-
Any finding with the words
security,abuse, orcertificatein the Amazon Health typeCode -
Any finding where the Amazon Health service is
riskorabuse
Sending Amazon Health findings to Security Hub
When you choose to accept findings from Amazon Health, Security Hub will automatically assign the permissions necessary to receive the findings from Amazon Health. Security Hub uses service-to-service level permissions that provide you with a safe, easy way to enable this integration and import findings from Amazon Health via Amazon EventBridge on your behalf. Choosing Accept Findings grants Security Hub permission to consume findings from Amazon Health.
Latency for sending findings
When Amazon Health creates a new finding, it is usually sent to Security Hub within five minutes.
Retrying when Security Hub is not available
Amazon Health sends findings to Security Hub on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub, EventBridge retries sending the event for 24 hours.
Updating existing findings in Security Hub
After Amazon Health sends a finding to Security Hub, it can send updates to the same finding to reflect additional observations of the finding activity to Security Hub.
Regions in which findings exist
For global events, Amazon Health sends findings to Security Hub in us-east-1 (Amazon partition), cn-northwest-1 (China partition), and gov-us-west-1 (GovCloud partition). Amazon Health sends Region-specific events to Security Hub in the same Region or Regions where the events occur.
To view your Amazon Health findings in Security Hub, choose Findings from the navigation panel. To filter the findings to display only Amazon Health findings, choose Health from the Product name field.
Interpreting Amazon Health finding names in Security Hub
Amazon Health sends the findings to Security Hub using the Amazon Security Finding Format (ASFF). Amazon Health finding uses a different event pattern compared to Security Hub ASFF format. The table below details all the Amazon Health finding fields with their ASFF counterpart as they appear in Security Hub.
| Health finding type | ASFF finding type | Hardcoded value |
|---|---|---|
| account | AwsAccountId | |
| detail.startTime | CreatedAt | |
| detail.eventDescription.latestDescription | Description | |
| detail.eventTypeCode | GeneratorId | |
| detail.eventArn (including account) + hash of detail.startTime | Id | |
| "arn:aws-cn:securityhub:<region>::product/aws/health" | ProductArn | |
| account or resourceId | Resources[i].id | |
| Resources[i].Type | "Other" | |
| SchemaVersion | "2018-10-08" | |
| Severity.Label | See "Interpreting Severity Label" below | |
| “Amazon Health -" detail.eventTypeCode | Title | |
| - | Types | ["Software and Configuration Checks"] |
| event.time | UpdatedAt | |
| URL of the event on Health console | SourceUrl |
Interpreting severity label
The severity label in the ASFF finding is determined using the following logic:
-
Severity CRITICAL if:
-
The
servicefield in the Amazon Health finding has the valueRisk -
The
typeCodefield in the Amazon Health finding has the valueAWS_S3_OPEN_ACCESS_BUCKET_NOTIFICATION -
The
typeCodefield in the Amazon Health finding has the valueAWS_SHIELD_INTERNET_TRAFFIC_LIMITATIONS_PLACED_IN_RESPONSE_TO_DDOS_ATTACK -
The
typeCodefield in the Amazon Health finding has the valueAWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES
Severity HIGH if:
-
The
servicefield in the Amazon Health finding has the valueAbuse -
The
typeCodefield in the Amazon Health finding contains the valueSECURITY_NOTIFICATION -
The
typeCodefield in the Amazon Health finding contains the valueABUSE_DETECTION
Severity MEDIUM if:
-
The
servicefield in the finding is any of the following:ACM,ARTIFACT,AUDITMANAGER,BACKUP,CLOUDENDURE,CLOUDHSM,CLOUDTRAIL,CLOUDWATCH,CODEGURGU,COGNITO,CONFIG,CONTROLTOWER,DETECTIVE,DIRECTORYSERVICE,DRS,EVENTS,FIREWALLMANAGER,GUARDDUTY,IAM,INSPECTOR,INSPECTOR2,IOTDEVICEDEFENDER,KMS,MACIE,NETWORKFIREWALL,ORGANIZATIONS,RESILIENCEHUB,RESOURCEMANAGER,ROUTE53,SECURITYHUB,SECRETSMANAGER,SES,SHIELD,SSO, orWAF -
The typeCode field in the Amazon Health finding contains the value
CERTIFICATE -
The typeCode field in the Amazon Health finding contains the value
END_OF_SUPPORT
-
Typical finding from Amazon Health
Amazon Health sends findings to Security Hub using the Amazon Security Finding Format (ASFF). The following is an example of a typical finding from Amazon Health.
Note
If the description is more than 1024 characters, it will be truncated to 1024 characters and will say (truncated) at the end.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws-cn:health:us-east-1:123456789012:event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96/101F7FBAEFC663977DA09CFF56A29236602834D2D361E6A8CA5140BFB3A69B30", "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/health", "GeneratorId": "AWS_SES_CMF_PENDING_TO_SUCCESS", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks" ], "CreatedAt": "2022-01-07T16:34:04.000Z", "UpdatedAt": "2022-01-07T19:17:43.000Z", "Severity": { "Label": "MEDIUM", "Normalized": 40 }, "Title": "AWS Health - AWS_SES_CMF_PENDING_TO_SUCCESS", "Description": "Congratulations! Amazon SES has successfully detected the MX record required to use 4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com as a custom MAIL FROM domain for verified identity cmf.pinpoint.sysmon-iad.adzel.com in Amazon Region US East (N. Virginia).\\n\\nYou can now use this MAIL FROM domain with cmf.pinpoint.sysmon-iad.adzel.com and any other verified identity that is configured to use it. For information about how to configure a verified identity to use a custom MAIL FROM domain, see http://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from-set.html .\\n\\nPlease note that this email only applies to Amazon Region US East (N. Virginia).", "SourceUrl": "https://phd.aws.amazon.com/phd/home#/event-log?eventID=arn:aws-cn:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96", "ProductFields": { "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/health/arn:aws-cn:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96", "aws/securityhub/ProductName": "Health", "aws/securityhub/CompanyName": "Amazon" }, "Resources": [ { "Type": "Other", "Id": "4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com" } ], "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM" }, "Types": [ "Software and Configuration Checks" ] } } ] }
After you enable Security Hub, this integration is automatically activated. Amazon Health immediately begins to send findings to Security Hub.
To stop sending findings to Security Hub, you can use the Security Hub console, Security Hub API, or Amazon CLI.
See Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, Amazon CLI).
Amazon Identity and Access Management Access Analyzer (Sends findings)
With IAM Access Analyzer, all findings are sent to Security Hub.
IAM Access Analyzer uses logic-based reasoning to analyze resource-based policies that are applied to supported resources in your account. IAM Access Analyzer generates a finding when it detects a policy statement that lets an external principal access a resource in your account.
In IAM Access Analyzer, only the administrator account can see findings for analyzers that apply to an organization.
For organization analyzers, the AwsAccountId ASFF field reflects the administrator account ID. Under ProductFields, the
ResourceOwnerAccount field indicates the account in which the finding was discovered. If you
enable analyzers individually for each account, Security Hub generates multiple findings, one that identifies the administrator account ID and
one that identifies the resource account ID.
For more information, see Integration with Amazon Security Hub in the IAM User Guide.
Amazon Inspector (Sends findings)
Amazon Inspector is a vulnerability management service that continuously scans your Amazon workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images that reside in the Amazon Elastic Container Registry. The scan looks for software vulnerabilities and unintended network exposure.
After you enable Security Hub, this integration is automatically activated. Amazon Inspector immediately begins to send all of the findings that it generates to Security Hub.
For more information about the integration, see Integration with Amazon Security Hub in the Amazon Inspector User Guide.
Security Hub can also receive findings from Amazon Inspector Classic. Amazon Inspector Classic sends findings to Security Hub that are generated through assessment runs for all supported rules packages.
For more information about the integration, see Integration with Amazon Security Hub in the Amazon Inspector Classic User Guide.
Findings for Amazon Inspector and Amazon Inspector Classic use the same product ARN. Amazon Inspector findings have the following entry in ProductFields:
"aws/inspector/ProductVersion": "2",
Amazon IoT Device Defender (Sends findings)
Amazon IoT Device Defender is a security service that audits the configuration of your IoT devices, monitors connected devices to detect abnormal behavior, and helps mitigate security risks.
After enabling both Amazon IoT Device Defender and Security Hub, visit the Integrations page of the Security Hub console
Amazon IoT Device Defender Audit sends check summaries to Security Hub, which contain general information for a specific audit check type and audit task. Amazon IoT Device Defender Detect sends violation findings for machine learning (ML), statistical, and static behaviors to Security Hub. Audit also sends finding updates to Security Hub.
For more information about this integration, see Integration with Amazon Security Hub in the Amazon IoT Developer Guide.
Amazon Macie (Sends findings)
A finding from Macie can indicate that there is a potential policy violation or that sensitive data, such as personally identifiable information (PII), is present in data that your organization stores in Amazon S3.
After you enable Security Hub, Macie automatically starts sending policy findings to Security Hub. You can configure the integration to also send sensitive data findings to Security Hub.
In Security Hub, the finding type for a policy or sensitive data finding is changed to a
value that is compatible with ASFF. For example, the
Policy:IAMUser/S3BucketPublic finding type in Macie is displayed as
Effects/Data Exposure/Policy:IAMUser-S3BucketPublic in Security Hub.
Macie also sends generated sample findings to Security Hub. For sample findings, the name of
the affected resource is macie-sample-finding-bucket and the value for the
Sample field is true.
For more information, see Amazon Macie integration with Amazon Security Hub in the Amazon Macie User Guide.
Amazon Systems Manager Patch Manager (Sends findings)
Amazon Systems Manager Patch Manager sends findings to Security Hub when instances in a customer's fleet go out of compliance with their patch compliance standard.
Patch Manager automates the process of patching managed instances with both security related and other types of updates.
After you enable Security Hub, this integration is automatically activated. Systems Manager Patch Manager immediately begins to send findings to Security Hub.
For more information about using Patch Manager, see Amazon Systems Manager Patch Manager in the Amazon Systems Manager User Guide.
Amazon services that receive findings from Security Hub
The following Amazon services are integrated with Security Hub and receive findings from Security Hub. Where noted, the integrated service may also update findings. In this case, finding updates that you make in the integrated service will also be reflected in Security Hub.
Amazon Audit Manager (Receives findings)
Amazon Audit Manager receives findings from Security Hub. These findings help Audit Manager users to prepare for audits.
To learn more about Audit Manager, see the Amazon Audit Manager User Guide. Amazon Security Hub checks supported by Amazon Audit Manager lists the controls for which Security Hub sends findings to Audit Manager.
Amazon Chatbot (Receives findings)
Amazon Chatbot is an interactive agent that helps you to monitor and interact with your Amazon resources in your Slack channels and Amazon Chime chat rooms.
Amazon Chatbot receives findings from Security Hub.
To learn more about the Amazon Chatbot integration with Security Hub, see the Security Hub integration overview in the Amazon Chatbot Administrator Guide.
Amazon Detective (Receives findings)
Detective automatically collects log data from your Amazon resources and uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.
The Security Hub integration with Detective allows you to pivot from Amazon GuardDuty findings in Security Hub into Detective. You can then use the Detective tools and visualizations to investigate them. The integration does not require any additional configuration in Security Hub or Detective.
For findings received from other Amazon Web Services, the finding details panel on the Security Hub console includes an Investigate in Detective subsection. That subsection contains a link to Detective where you can further investigate the security issue that the finding flagged. You can also build a behavior graph in Detective based on Security Hub findings to conduct more effective investigations. For more information, see Amazon security findings in the Amazon Detective Administration Guide.
If cross-Region aggregation is enabled, then when you pivot from the aggregation Region, Detective opens in the Region where the finding originated.
If a link does not work, then for troubleshooting advice, see Troubleshooting the pivot.
Amazon Security Lake (Receives findings)
Security Lake is a fully-managed security data lake service. You can use Security Lake to automatically centralize security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. Subscribers can consume data from Security Lake for investigative and analytics use cases.
To activate this integration, you must enable both services and add Security Hub as a source in the Security Lake console, Security Lake API, or Amazon CLI. Once you complete these steps, Security Hub begins to send all findings to Security Lake.
Security Lake automatically normalizes Security Hub findings and converts them to a standardized open-source schema called Open Cybersecurity Schema Framework (OCSF). In Security Lake, you can add one or more subscribers to consume Security Hub findings.
For more information about this integration, including instructions on adding Security Hub as a source and creating subscribers, see Integration with Amazon Security Hub in the Amazon Security Lake User Guide.
Amazon Systems Manager Explorer and OpsCenter (Receives and updates findings)
Amazon Systems Manager Explorer and OpsCenter receive findings from Security Hub, and update those findings in Security Hub.
Explorer provides you with a customizable dashboard, providing key insights and analysis into the operational health and performance of your Amazon environment.
OpsCenter provides you with a central location to view, investigate, and resolve operational work items.
For more information about Explorer and OpsCenter, see Operations management in the Amazon Systems Manager User Guide.
Amazon Trusted Advisor (Receives findings)
Trusted Advisor draws upon best practices learned from serving hundreds of thousands of Amazon customers. Trusted Advisor inspects your Amazon environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.
When you enable both Trusted Advisor and Security Hub, the integration is updated automatically.
Security Hub sends the results of its Amazon Foundational Security Best Practices checks to Trusted Advisor.
For more information about the Security Hub integration with Trusted Advisor, see Viewing Amazon Security Hub controls in Amazon Trusted Advisor in the Amazon Support User Guide.