Benefits of Security Hub Accessing Security Hub Related services Security Hub free trial, usage, and pricing

What is Amazon Security Hub?

Amazon Security Hub provides you with a comprehensive view of your security state in Amazon and helps you assess your Amazon environment against security industry standards and best practices.

Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Foundational Security Best Practices (FSBP) standard developed by Amazon, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services—such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie— and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Services services and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

Benefits of Security Hub

Here are some of the key ways that Security Hub helps you monitor your compliance and security posture across your Amazon environment.

Reduced effort to collect and prioritize findings: Security Hub reduces the effort to collect and prioritize security findings across accounts from integrated Amazon Web Services services and Amazon partner products. Security Hub processes finding data using the Amazon Security Finding Format (ASFF), a standard finding format. This eliminates the need to manage findings from myriad sources in multiple formats. Security Hub also correlates findings across providers to help you prioritize the most important ones.
Automatic security checks against best practices and standards: Security Hub automatically runs continuous, account-level configuration and security checks based on Amazon best practices and industry standards. Security Hub uses the results of these checks to calculate security scores, and identifies specific accounts and resources that require attention.
Consolidated view of findings across accounts and providers: Security Hub consolidates your security findings across accounts and provider products and displays results on the Security Hub console. You can also retrieve findings through the Security Hub API, Amazon CLI, or SDKs. With a holistic view of your current security status, you can spot trends, identify potential issues, and take necessary remediation steps.
Ability to automate finding updates and remediation: You can create automation rules that modify or suppress findings based on your defined criteria. Security Hub also supports an integration with Amazon EventBridge. To automate the remediation of specific findings, you can define custom actions to take when a finding is generated. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system.

Accessing Security Hub

Security Hub is available in most Amazon Web Services Regions. For a list of Regions where Security Hub is currently available, see Amazon Security Hub endpoints and quotas in the Amazon Web Services General Reference. For information about managing Amazon Web Services Regions for your Amazon Web Services account, see Specifying which Amazon Web Services Regions your account can use in the Amazon Account Management Reference Guide.

In each Region, you can access and use Security Hub in any of the following ways:

Security Hub console: The Amazon Web Services Management Console is a browser-based interface that you can use to create and manage Amazon resources. As part of that console, the Security Hub console provides access to your Security Hub account, data, and resources. You can perform Security Hub tasks by using the Security Hub console—view findings, create automation rules, create an aggregation Region, and more.
Security Hub API: The Security Hub API gives you programmatic access to your Security Hub account, data, and resources. With the API, you can send HTTPS requests directly to Security Hub. For information about the API, see the Amazon Security Hub API Reference.
Amazon CLI: With the Amazon CLI, you can run commands at your system's command line to perform Security Hub tasks. In some cases, using the command line can be faster and more convenient than using the console. The command line is also useful if you want to build scripts that perform tasks. For information about installing and using the Amazon CLI, see the Amazon Command Line Interface User Guide.
Amazon SDKs: Amazon provides SDKs that consist of libraries and sample code for various programming languages and platforms—for example, Java, Go, Python, C++, and .NET. The SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Services services in your preferred language. They also handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon SDKs, see Tools to Build on Amazon.

Important

Security Hub only detects and consolidates findings that are generated after you enable Security Hub. It doesn't retroactively detect and consolidate security findings that were generated before you enabled Security Hub.

Security Hub only receives and processes findings in the Region where you enabled Security Hub in your account.

For full compliance with CIS Amazon Foundations Benchmark security checks, you must enable Security Hub in all supported Amazon Regions.

To further secure your Amazon environment, consider using other Amazon Web Services services in combination with Security Hub. Some Amazon Web Services services send their findings to Security Hub, and Security Hub normalizes the findings into a standard format. Some Amazon Web Services services can also receive findings from Security Hub.

For a list of other Amazon Web Services services that send or receive Security Hub findings, see Amazon Web Services service integrations with Security Hub.

Security Hub uses service-linked rules from Amazon Config to run security checks for most controls. Controls refer to specific Amazon Web Services services and Amazon resources. For a list of Security Hub controls, see Security Hub controls reference. You must enable Amazon Config and record resources in Amazon Config for Security Hub to generate most control findings. For more information, see Considerations before enabling and configuring Amazon Config.

Security Hub free trial and pricing

When you enable Security Hub in an Amazon Web Services account for the first time, that account is automatically enrolled in a 30-day Security Hub free trial.

When you use Security Hub during the free trial, you are charged for usage of other services that Security Hub interacts with, such as Amazon Config items. You are not charged for Amazon Config rules that are activated only by Security Hub security standards.

You are not charged for using Security Hub until your free trial ends.

Viewing usage details and estimated cost

Security Hub provides usage information, including an estimated 30-day cost for using Security Hub. The usage details include the time remaining in the free trial. The usage information can help you to understand what your Security Hub costs may be after the free trial ends. The usage information is also available after the free trial ends.

To display usage information (console)

Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.
In the navigation pane, choose Usage under Settings.

The estimated monthly cost is based on your account's Security Hub usage for findings and security checks projected over a 30-day period.

The usage information and estimated cost are only for the current account and current Region. In an aggregation Region, the usage information and estimated cost don't include linked Regions. For more information about linked Regions, see Types of data that are aggregated.

Pricing details

For more information about how Security Hub charges for ingested findings and security checks, see Security Hub pricing.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Security Hub concepts