Security controls and standards in Amazon Security Hub

Amazon Security Hub consumes, aggregates, and analyzes security findings from various supported Amazon and third-party products.

Security Hub also generates its own findings by running automated and continuous security checks against rules. The rules are represented by security controls. The controls may, in turn, be enabled in one or more security standards. The controls help you determine whether the requirements in a standard are being met.

Security checks against controls generate findings that you can use to monitor your security posture and identify specific Amazon Web Services accounts or resources that require attention. Each control is related to an Amazon service and resource. For example, security checks against the CloudTrail.4 control determine whether you have configured log file validation on your Amazon CloudTrail logs. For more information about controls, see Viewing and managing security controls.

You can enable a control in one or more enabled Security Hub standards. When you enable a standard, Security Hub automatically enables the controls that apply to the standard. Security standards allow you to focus on a specific compliance framework. Security Hub defines the controls that apply to each standard. For more information about security standards, see Viewing and managing security standards.

Based on the results of security checks, Security Hub calculates an overall security score and standard-specific security scores. These scores help you understand your security posture. For more information about scores, see How security scores are calculated.

For information about Security Hub pricing for security checks, see Security Hub pricing.

Topics

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Using custom product integrations

IAM permissions for standards and controls