Managed insights in Security Hub CSPM
Amazon Security Hub CSPM provides several managed insights.
You can't edit or delete Security Hub CSPM managed insights. You can view and take action on the insight results and findings. You can also use a managed insight as the basis for a new custom insight.
As with all insights, a managed insight only returns results if you have enabled product integrations or security standards that can produce matching findings.
For insights that are grouped by resource identifier, the results include the identifiers of all of the resources in the matching findings. This includes resources that have a different type from the resource type in the filter criteria. For example, insight 2 in the following list identifies findings that are associated with Amazon S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, the insight results include both resources.
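The following Python is an added example, not code from the Security Hub CSPM documentation. It reconstructs the filters of insight 2 ("S3 buckets with public write or read permissions") in the AwsSecurityFindingFilters shape that CreateInsight and GetInsights use, evaluates them locally against constructed sample findings to show the grouping behaviour described above (a matching finding that carries both an S3 bucket and an IAM access key contributes both resource identifiers), and derives a tighter custom insight from the managed one. The filter dict and the sample findings are constructed here, not fetched from the service; `create_custom_insight` assumes a boto3 `securityhub` client and is not called in the offline demo.

```python
from collections import Counter

# AwsSecurityFindingFilters shape, as accepted by CreateInsight/GetInsights.
# Values reconstruct insight 2 ("S3 buckets with public write or read
# permissions") from its description; this dict is built here, not fetched.
S3_PUBLIC_ACCESS_FILTERS = {
    "Type": [{"Value": "Effects/Data Exposure", "Comparison": "PREFIX"}],
    "ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [
        {"Value": "NEW", "Comparison": "EQUALS"},
        {"Value": "NOTIFIED", "Comparison": "EQUALS"},
    ],
}

# ASFF field each filter key inspects. A finding carries a list of Types and
# a list of Resources, so those keys match if any element matches.
FIELD_OF = {
    "Type": lambda f: f.get("Types", []),
    "ResourceType": lambda f: [r["Type"] for r in f.get("Resources", [])],
    "RecordState": lambda f: [f.get("RecordState")],
    "WorkflowStatus": lambda f: [f.get("Workflow", {}).get("Status")],
    "SeverityLabel": lambda f: [f.get("Severity", {}).get("Label")],
}

POSITIVE = ("EQUALS", "PREFIX")
NEGATIVE = ("NOT_EQUALS", "PREFIX_NOT_EQUALS")


def _hit(value, clause):
    if clause["Comparison"] in ("EQUALS", "NOT_EQUALS"):
        return value == clause["Value"]
    return value is not None and value.startswith(clause["Value"])


def _string_filter_matches(values, clauses):
    """Positive clauses (EQUALS/PREFIX) on one key are OR'ed; negative ones
    (NOT_EQUALS/PREFIX_NOT_EQUALS) are AND'ed, as the service evaluates them."""
    positive = [c for c in clauses if c["Comparison"] in POSITIVE]
    negative = [c for c in clauses if c["Comparison"] in NEGATIVE]
    if positive and not any(_hit(v, c) for v in values for c in positive):
        return False
    return not any(_hit(v, c) for v in values for c in negative)


def finding_matches(finding, filters):
    """Filter keys are AND'ed: every key must be satisfied."""
    return all(_string_filter_matches(FIELD_OF[k](finding), clauses)
               for k, clauses in filters.items())


def group_by_resource_id(findings, filters):
    """Emulate an insight grouped by resource identifier. Every resource of a
    matching finding is counted, including one whose type differs from the
    ResourceType filter, which is the behaviour described in the text."""
    counts = Counter()
    for finding in findings:
        if finding_matches(finding, filters):
            for resource in finding.get("Resources", []):
                counts[resource["Id"]] += 1
    return counts


def derive_custom_filters(base, **extra):
    """Copy a managed insight's filters (they cannot be edited in place) and
    tighten them, e.g. derive_custom_filters(base, SeverityLabel=[...])."""
    derived = {k: list(v) for k, v in base.items()}
    for key, clauses in extra.items():
        derived.setdefault(key, []).extend(clauses)
    return derived


def create_custom_insight(client, name, filters, group_by="ResourceId"):
    """client is a boto3 'securityhub' client (assumed, not created here);
    CreateInsight returns the ARN of the new custom insight."""
    return client.create_insight(Name=name, Filters=filters,
                                 GroupByAttribute=group_by)["InsightArn"]


# Constructed sample findings (not real data). f-1 carries both an S3 bucket
# and an IAM access key; f-2 is already RESOLVED; f-3 is a GuardDuty-style TTP.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Types": ["Effects/Data Exposure/S3 bucket public read"],
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::example-bucket"},
                   {"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"}]},
    {"Id": "f-2", "Types": ["Effects/Data Exposure/S3 bucket public write"],
     "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::example-bucket"}]},
    {"Id": "f-3", "Types": ["TTPs/Discovery/Recon:EC2/Portscan"],
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Severity": {"Label": "MEDIUM"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}]},
]

if __name__ == "__main__":
    print(group_by_resource_id(SAMPLE_FINDINGS, S3_PUBLIC_ACCESS_FILTERS))
    critical = derive_custom_filters(
        S3_PUBLIC_ACCESS_FILTERS,
        SeverityLabel=[{"Value": "CRITICAL", "Comparison": "EQUALS"}])
    print(group_by_resource_id(SAMPLE_FINDINGS, critical))
```

Running the module prints the bucket ARN and the access key ID each with a count of 1 for the managed filters (only f-1 matches, and both of its resources are reported), and an empty result for the CRITICAL-only variant. To turn the derived filters into a real custom insight, pass `boto3.client("securityhub")` to `create_custom_insight`; to start from the service's own copy of the managed filters instead of the reconstruction above, read them with `get_insights(InsightArns=[...])` and pass the returned `Filters` to `derive_custom_filters`.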
Security Hub CSPM currently offers the following managed insights:
- 1. Amazon resources with the most findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/1
  - Grouped by: Resource identifier
  - Finding filters:
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 2. S3 buckets with public write or read permissions
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/10
  - Grouped by: Resource identifier
  - Finding filters:
    - Type starts with Effects/Data Exposure
    - Resource type is AwsS3Bucket
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 3. AMIs that are generating the most findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/3
  - Grouped by: EC2 instance image ID
  - Finding filters:
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 4. EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/14
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with TTPs
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 5. Amazon principals with suspicious access key activity
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/9
  - Grouped by: IAM access key principal name
  - Finding filters:
    - Resource type is AwsIamAccessKey
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 6. Amazon resource instances that don't meet security standards / best practices
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/6
  - Grouped by: Resource ID
  - Finding filters:
    - Type is Software and Configuration Checks/Industry and Regulatory Standards/Amazon Security Best Practices
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 7. Amazon resources associated with potential data exfiltration
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/7
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Effects/Data Exfiltration/
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 8. Amazon resources associated with unauthorized resource consumption
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/8
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Effects/Resource Consumption
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 9. S3 buckets that don't meet security standards / best practices
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/11
  - Grouped by: Resource ID
  - Finding filters:
    - Resource type is AwsS3Bucket
    - Type is Software and Configuration Checks/Industry and Regulatory Standards/Amazon Security Best Practices
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 10. S3 buckets with sensitive data
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/12
  - Grouped by: Resource ID
  - Finding filters:
    - Resource type is AwsS3Bucket
    - Type starts with Sensitive Data Identifications/
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 11. Credentials that may have leaked
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/13
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Sensitive Data Identifications/Passwords/
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 12. EC2 instances that have missing security patches for important vulnerabilities
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/16
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Software and Configuration Checks/Vulnerabilities/CVE
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 13. EC2 instances with general unusual behavior
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/17
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Unusual Behaviors
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 14. EC2 instances that have ports accessible from the Internet
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/18
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Software and Configuration Checks/Amazon Security Best Practices/Network Reachability
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 15. EC2 instances that don't meet security standards / best practices
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/19
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with one of the following:
      - Software and Configuration Checks/Industry and Regulatory Standards/
      - Software and Configuration Checks/Amazon Security Best Practices
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 16. EC2 instances that are open to the Internet
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/21
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with Software and Configuration Checks/Amazon Security Best Practices/Network Reachability
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 17. EC2 instances associated with adversary reconnaissance
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/22
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with TTPs/Discovery/Recon
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 18. Amazon resources that are associated with malware
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/23
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with one of the following:
      - Effects/Data Exfiltration/Trojan
      - TTPs/Initial Access/Trojan
      - TTPs/Command and Control/Backdoor
      - TTPs/Command and Control/Trojan
      - Software and Configuration Checks/Backdoor
      - Unusual Behaviors/VM/Backdoor
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 19. Amazon resources associated with cryptocurrency issues
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/24
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with one of the following:
      - Effects/Resource Consumption/Cryptocurrency
      - TTPs/Command and Control/CryptoCurrency
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 20. Amazon resources with unauthorized access attempts
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/25
  - Grouped by: Resource ID
  - Finding filters:
    - Type starts with one of the following:
      - TTPs/Command and Control/UnauthorizedAccess
      - TTPs/Initial Access/UnauthorizedAccess
      - Effects/Data Exfiltration/UnauthorizedAccess
      - Unusual Behaviors/User/UnauthorizedAccess
      - Effects/Resource Consumption/UnauthorizedAccess
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 21. Threat Intel indicators with the most hits in the last week
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/26
  - Finding filters:
    - Created within the last 7 days
- 22. Top accounts by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/27
  - Grouped by: Amazon Web Services account ID
  - Finding filters:
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 23. Top products by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/28
  - Grouped by: Product name
  - Finding filters:
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 24. Severity by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/29
  - Grouped by: Severity label
  - Finding filters:
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 25. Top S3 buckets by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/30
  - Grouped by: Resource ID
  - Finding filters:
    - Resource type is AwsS3Bucket
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 26. Top EC2 instances by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/31
  - Grouped by: Resource ID
  - Finding filters:
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 27. Top AMIs by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/32
  - Grouped by: EC2 instance image ID
  - Finding filters:
    - Resource type is AwsEc2Instance
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 28. Top IAM users by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/33
  - Grouped by: IAM access key ID
  - Finding filters:
    - Resource type is AwsIamAccessKey
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 29. Top resources by counts of failed CIS checks
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/34
  - Grouped by: Resource ID
  - Finding filters:
    - Generator ID starts with arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule
    - Updated in the last day
    - Compliance status is FAILED
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 30. Top integrations by counts of findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/35
  - Grouped by: Product ARN
  - Finding filters:
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 31. Resources with the most failed security checks
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/36
  - Grouped by: Resource ID
  - Finding filters:
    - Updated in the last day
    - Compliance status is FAILED
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 32. IAM users with suspicious activity
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/37
  - Grouped by: IAM user
  - Finding filters:
    - Resource type is AwsIamUser
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED
- 33. Resources with the most Amazon Health findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/38
  - Grouped by: Resource ID
  - Finding filters:
    - Product name is Health
- 34. Resources with the most Amazon Config findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/39
  - Grouped by: Resource ID
  - Finding filters:
    - Product name is Config
- 35. Applications with the most findings
  - ARN: arn:aws-cn:securityhub:::insight/securityhub/default/40
  - Grouped by: Resource application ARN (ResourceApplicationArn)
  - Finding filters:
    - Record state is ACTIVE
    - Workflow status is NEW or NOTIFIED