Security Hub concepts
In Security Hub, we build on common Amazon concepts and terminology and use these additional terms.
- Account
The standard Amazon account containing your Amazon resources. Sign in to Amazon with your Amazon account to enable Security Hub.
If your account is enrolled in Amazon Organizations, your organization designates a Security Hub administrator account. This account can enable other organization accounts as member accounts.
An organization can only have one administrator account. An account cannot be an administrator account and a member account simultaneously.
Security Hub supports the following accounts:
  - Organization management account — an Amazon account that administers an Amazon organization.
  - Delegated administrator account — an Amazon account that manages the use of an Amazon Web Services service for an Amazon organization.
  - Member account — an Amazon account that is a member of an Amazon organization.
  - Standalone account — an Amazon account without Amazon Organizations enabled.
- Administrator account
This type of Amazon account can view findings for associated member accounts.
This type of Amazon account becomes an administrator account when the account is designated by an organization management account as the Security Hub administrator account. The Security Hub administrator account can enable any organization account as a member account and can also invite other accounts to be member accounts.
An organization can only have one administrator account. An account cannot be an administrator account and a member account simultaneously.
- Aggregation Region
An aggregation Region allows you to view security findings from multiple Amazon Web Services Regions in a single pane of glass.
The aggregation Region is the Amazon Web Services Region where you view and manage findings. Findings are aggregated in the aggregation Region from linked Regions. Updated findings are replicated across Regions.
In the aggregation Region, the dashboard and inventory pages include data from all linked Regions. The automations page can only be used to define automation rules in the aggregation Region. Third-party ticketing integrations can only be configured in the aggregation Region.
- Archived finding
A finding with a status of ARCHIVED. These findings indicate that the finding provider or the customer investigating the finding believes the finding is no longer relevant. Finding providers can archive findings they create. Customers can archive any findings that they believe are no longer relevant by using the BatchUpdateFindingsV2 operation of the Security Hub API or by updating the status in the Security Hub console.
In the Security Hub console, default filter settings exclude archived findings from finding lists and tables. You can update the filters to include archived findings. If you retrieve findings by using the GetFindingsV2 operation, the operation retrieves both archived and active findings. The following example shows how to exclude archived findings in the results.
{
  "StringFilters": [
    {
      "FieldName": "status",
      "Filter": {
        "Value": "Archived",
        "Comparison": "NOT_EQUALS"
      }
    }
  ]
}
- Cross-Region aggregation
The aggregation of findings and resources from linked Regions to an aggregation Region. You can view all of your data from the aggregation Region and update findings from the aggregation Region.
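The Archived finding entry above shows the status filter for GetFindingsV2. As an added example (not code from the Security Hub documentation), this Python module builds that filter, applies EQUALS and NOT_EQUALS locally to a constructed set of OCSF-style finding records, and shows that only NOT_EQUALS actually excludes archived findings; the boto3 request shape in the trailing comment is an assumption.

```python
"""Evaluate the GetFindingsV2 status filter locally (added example, not AWS code)."""
from typing import Any

# Constructed sample findings in an OCSF-like shape; not real Security Hub output.
SAMPLE_FINDINGS: list[dict[str, Any]] = [
    {"finding_info": {"uid": "f-1"}, "status": "New"},
    {"finding_info": {"uid": "f-2"}, "status": "Archived"},
    {"finding_info": {"uid": "f-3"}, "status": "Resolved"},
    {"finding_info": {"uid": "f-4"}, "status": "Archived"},
]


def string_filter(field: str, value: str, comparison: str) -> dict[str, Any]:
    """Build one StringFilters entry in the shape the documentation shows."""
    return {"FieldName": field, "Filter": {"Value": value, "Comparison": comparison}}


def exclude_archived_filter() -> dict[str, Any]:
    """Composite filter that drops findings whose status is Archived."""
    return {"StringFilters": [string_filter("status", "Archived", "NOT_EQUALS")]}


def matches(finding: dict[str, Any], string_filters: list[dict[str, Any]]) -> bool:
    """Local evaluator for EQUALS / NOT_EQUALS; every filter must hold (AND)."""
    for f in string_filters:
        want, cmp = f["Filter"]["Value"], f["Filter"]["Comparison"]
        if cmp not in ("EQUALS", "NOT_EQUALS"):
            raise ValueError(f"unsupported comparison in this evaluator: {cmp}")
        actual = finding.get(f["FieldName"])
        if cmp == "EQUALS" and actual != want:
            return False
        if cmp == "NOT_EQUALS" and actual == want:
            return False
    return True


def apply_filter(findings: list[dict[str, Any]], composite: dict[str, Any]) -> list[str]:
    """Return the uids of the findings that pass the composite filter."""
    return [f["finding_info"]["uid"] for f in findings if matches(f, composite["StringFilters"])]


# Assumed boto3 call shape (kept as a comment so the module runs offline):
# import boto3
# client = boto3.client("securityhub")
# page = client.get_findings_v2(Filters={"CompositeFilters": [exclude_archived_filter()]})
```

Running the same sample through an EQUALS filter returns only the archived records, which is the opposite of what the documentation's sentence describes.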
- Delegated administrator account
In Amazon Organizations, the delegated administrator account for a service is able to manage the use of a service for the organization.
In Security Hub, the Security Hub administrator account is also the delegated administrator account for Security Hub. When the organization management account first designates the Security Hub administrator account, Security Hub calls Organizations to make that account the delegated administrator account.
The organization management account must then choose the delegated administrator account as the Security Hub administrator account in all Regions.
- Exposure
Exposures are broader weaknesses in security controls, misconfigurations, or other areas that could be exploited by active threats.
Examples of exposures include:
  - A misconfigured control plane for a resource.
  - The presence of a software vulnerability that has a high potential for exploitability.
  - A publicly accessible resource (network or API).
- Exposure finding
A type of finding that describes an exposure present in your environment. An exposure finding includes traits and signals. A signal can include one or more types of exposure traits. Amazon Security Hub generates an exposure finding when signals from Amazon Security Hub CSPM, Amazon Inspector, Amazon GuardDuty, Amazon Macie, or other Amazon services indicate the presence of an exposure. A resource can be involved in one or more exposure findings. If a resource doesn't have any exposure traits or has insufficient traits, Security Hub doesn't generate an exposure finding for that resource.
An example of an exposure finding is an EC2 instance that is reachable from the internet and has software vulnerabilities with a high likelihood of exploitation.
- Finding
The observable record of a security check or security-related detection. Security Hub generates and updates findings through the correlation of other security findings. These are called exposure findings. Findings can also come from integrations with other Amazon Web Services services and third-party products.
- Finding ingestion
The import of findings into Security Hub. Finding ingestion events include both new findings and updates to existing findings.
- Linked Region
When you enable cross-Region aggregation, a linked Region is a Region that aggregates findings and resource inventory to the aggregation Region.
In a linked Region, the dashboard and inventory pages only contain findings for that Amazon Web Services Region.
- Open Cybersecurity Schema Framework (OCSF)
The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort by Amazon and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. For more information, see OCSF findings in Security Hub.
- Member account
An Amazon Web Services account that granted permission to an administrator account to view and take action on their findings. This kind of Amazon Web Services account becomes a member account when the Security Hub administrator account enables it as a member account.
- Signal
A finding that contributes to an exposure finding. A signal can be referred to as a contributing finding. A signal can originate in Security Hub CSPM, Amazon Config, or other Amazon Web Services services, such as Amazon Inspector.
- Trait
A security deviation that results in an exposure finding. Trait types include Assumability, Misconfiguration, Reachability, Sensitive Data, and Vulnerability. A trait is associated with one signal, and a signal can contain multiple traits. For example, a Security Hub CSPM control indicates a customer-managed policy allows administrative access control. This signal contains a misconfiguration trait.