What is Amazon Security Hub? - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon Security Hub?

Amazon Security Hub provides you with a comprehensive view of your security state in Amazon and helps you assess your Amazon environment against security industry standards and best practices.

Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Foundational Security Best Practices (FSBP) standard developed by Amazon, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services—such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie— and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Services and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

Benefits of Security Hub

Here are some of the key ways that Security Hub helps you monitor your compliance and security posture across your Amazon environment.

Reduced effort to collect and prioritize findings

Security Hub reduces the effort to collect and prioritize security findings across accounts from integrated Amazon Web Services and Amazon partner products. Security Hub processes finding data using the Amazon Security Finding Format (ASFF), a standard finding format. This eliminates the need to manage findings from myriad sources in multiple formats. Security Hub also correlates findings across providers to help you prioritize the most important ones.

Automatic security checks against best practices and standards

Security Hub automatically runs continuous, account-level configuration and security checks based on Amazon best practices and industry standards. Security Hub uses the results of these checks to calculate security scores, and identifies specific accounts and resources that require attention.

Consolidated view of findings across accounts and providers

Security Hub consolidates your security findings across accounts and provider products and displays results on the Security Hub console. You can also retrieve findings through the Security Hub API, Amazon CLI, or SDKs. With a holistic view of your current security status, you can spot trends, identify potential issues, and take necessary remediation steps.

Ability to automate finding updates and remediation

You can create automation rules that modify or suppress findings based on your defined criteria. Security Hub also supports an integration with Amazon EventBridge. To automate the remediation of specific findings, you can define custom actions to take when a finding is generated. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system.

Accessing Security Hub

Security Hub is available in most Amazon Web Services Regions. For a list of Regions where Security Hub is currently available, see Amazon Security Hub endpoints and quotas in the Amazon Web Services General Reference. For information about managing Amazon Web Services Regions for your Amazon Web Services account, see Specifying which Amazon Web Services Regions your account can use in the Amazon Account Management Reference Guide.

In each Region, you can access and use Security Hub in any of the following ways:

Security Hub console

The Amazon Web Services Management Console is a browser-based interface that you can use to create and manage Amazon resources. As part of that console, the Security Hub console provides access to your Security Hub account, data, and resources. You can perform Security Hub tasks by using the Security Hub console—view findings, create automation rules, create an aggregation Region, and more.

Security Hub API

The Security Hub API gives you programmatic access to your Security Hub account, data, and resources. With the API, you can send HTTPS requests directly to Security Hub. For information about the API, see the Amazon Security Hub API Reference.

Amazon CLI

With the Amazon CLI, you can run commands at your system's command line to perform Security Hub tasks. In some cases, using the command line can be faster and more convenient than using the console. The command line is also useful if you want to build scripts that perform tasks. For information about installing and using the Amazon CLI, see the Amazon Command Line Interface User Guide.

Amazon SDKs

Amazon provides SDKs that consist of libraries and sample code for various programming languages and platforms—for example, Java, Go, Python, C++, and .NET. The SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Services in your preferred language. They also handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon SDKs, see Tools to Build on Amazon.


Security Hub only detects and consolidates findings that are generated after you enable Security Hub. It doesn't retroactively detect and consolidate security findings that were generated before you enabled Security Hub.

Security Hub only receives and processes findings in the Region where you enabled Security Hub in your account.

For full compliance with CIS Amazon Foundations Benchmark security checks, you must enable Security Hub in all supported Amazon Regions.

To further secure your Amazon environment, consider using other Amazon Web Services in combination with Security Hub.

For a list of other Amazon Web Services that send or receive Security Hub findings, see Amazon Web Service integrations with Amazon Security Hub.

Security Hub uses service-linked rules from Amazon Config to run security checks for most controls. You must enable Amazon Config and record resources in Amazon Config for Security Hub to generate most control findings. For more information, see Configuring Amazon Config.

Security Hub free trial and pricing

When you enable Security Hub in an Amazon Web Services account for the first time, that account is automatically enrolled in a 30-day Security Hub free trial.

When you use Security Hub during the free trial, you are charged for usage of other services that Security Hub interacts with, such as Amazon Config items. You are not charged for Amazon Config rules that are activated only by Security Hub security standards.

You are not charged for using Security Hub until your free trial ends.


The Security Hub free trial is not supported in the China (Beijing) Region.

Viewing usage details and estimated cost

Security Hub provides usage information, including an estimated 30-day cost for using Security Hub. The usage details include the time remaining in the free trial. The usage information can help you to understand what your Security Hub costs may be after the free trial ends. The usage information is also available after the free trial ends.

To display usage information (console)
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

  2. In the navigation pane, choose Usage under Settings.

The estimated monthly cost is based on your account's Security Hub usage for findings and security checks projected over a 30-day period.

The usage information and estimated cost are only for the current account and current Region. In an aggregation Region, the usage information and estimated cost don't include linked Regions. For more information about linked Regions, see How cross-Region aggregation works.

Pricing details

For more information about how Security Hub charges for ingested findings and security checks, see Security Hub pricing.