Services or capabilities described in this page might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China Regions. Only “Region Availability” and “Feature Availability and Implementation Differences” sections for specific services (in each case exclusive of content referenced via hyperlink) in Getting Started with Amazon Web Services in China Regions form part of the Documentation under the agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China (Beijing) Region or Amazon Web Services China (Ningxia) Region (the “Agreement”). Any other content contained in the Getting Started pages does not form any part of the Agreement.

Amazon Security Hub Documentation

Amazon Security Hub is a cloud security posture management service that is designed to performs continuous security best practice checks against your Amazon Web Services resources. Security Hub is designed to aggregate your security alerts (i.e., findings) from various services of Amazon Web Services China Regions and partner products in a standardized format so that you can more easily take action on them. To help you understand your security posture in Amazon Web Services, you need to integrate multiple tools and services including threat detections from Amazon GuardDuty, vulnerabilities from Amazon Inspector, sensitive data classifications from Amazon Macie, resource configuration issues from Amazon Config, and Amazon Partner Network Products. Security Hub helps simplify how you understand and improve your security posture with security best practice checks powered by Amazon Config rules and integrations with other services of Amazon Web Services China Regions and partner products.

Security Hub can help you to understand your overall security posture via a consolidated security score across your Amazon Web Services accounts, and assesses the security of your Amazon Web Services accounts' resources via the Amazon Foundational Security Best Practices standard and other compliance frameworks. It also aggregates all of your security findings from other Amazon Web Services security services and APN products in a single place and format via the Amazon Security Finding Format, and helps reduce your Mean Time To Remediation (MTTR) with response and remediation support. Security Hub has out-of-the-box integrations with ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), threat investigation, Governance Risk and Compliance (GRC), and incident management tools to provide your users with a complete security operations workflow.

Security best practice checks

Security Hub provides you with a set of security controls called the Amazon Foundational Security Best Practices standard. This is a curated set of recommended security practices vetted by our Amazon Web Services security experts that either run continuously whenever there are changes to the associated resources or on a set periodic schedule. Each control has a specific severity score to help you prioritize your remediation efforts. Security Hub is regularly updated with new controls and additional service coverage. We recommend that you enable the Amazon Foundational Security Best Practices standard across all of your accounts and regions.

Consolidated findings across services of Amazon Web Services China Regions and partner integrations

Security Hub is designed to collect and consolidate findings from Amazon Web Services security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, Amazon Simple Storage Service (Amazon S3) bucket policy findings from Amazon Macie, publicly-accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from Amazon Firewall Manager. Amazon Security Hub is also designed to consolidate findings from other integrated Amazon Partner Network (APN) security solutions. All findings are stored in Security hub for 90 days after last update date.

A single, standardized data format for your findings

Traditionally, when combining security alerts into a single system, you would need to parse and normalize each data source to get it into a common format for search, analytics, and response and remediation actions. Security Hub helps eliminate these time-consuming and resource-intensive processes by introducing the Amazon Security Findings Format (ASFF). With the ASFF, all of Security Hub’s integration partners (including both services of Amazon Web Services China Regions and external partners) are required to send their findings to Security Hub in JSON format consisting of over 1,000 available fields. This means that these security findings should be normalized before they are ingested into Security Hub, and helps eliminate the need to do any parsing and normalization yourself. The findings identify resources, severities, and timestamps in a consistent way, so that you can more easily search and take action on them.

Security standards aligned to regulatory and industry compliance frameworks

In addition to the Amazon Foundational Security Best Practices standard, Security Hub also offers additional standards aligned to industry and regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Center for Internet Security (CIS) Amazon Foundations Benchmark. These standards are also powered by continuous security checks.

Response, remediation, and enrichment actions

You can create custom response, remediation, and enrichment workflows using Security Hub’s integration with Amazon EventBridge. All of Security Hub findings are sent to EventBridge, and you can create EventBridge rules that have Amazon Lambda functions, Amazon Step Function functions, or Amazon Systems Manager Automation runbooks as their targets. These functions and runbooks can help enrich findings with additional data or take response and remediation actions on the findings. Security Hub also supports sending findings to EventBridge on demand via custom actions, so that you can have an analyst decide when to trigger a response or remediation action. The Security Hub Automated Response and Remediation (SHARR) solution provides you with prepackaged EventBridge rules for you to deploy via Amazon CloudFormation.

Multi-account and Amazon Organizations support

You can connect multiple Amazon Web Services accounts and consolidate findings across those accounts in the Amazon Security Hub console. By designating an administrator account, you can enable your security team to see consolidated findings for your organization’s accounts, while individual account owners see only findings associated with their account. Integration with Amazon Organizations allows you to enable any account in your organization with Security Hub and the Amazon Foundational Security Best Practices standard.

Cross-Region aggregation of findings

Amazon Security Hub allows you to designate an aggregator Region and link some or all Regions to that aggregator Region to give you a centralized view of all your findings across all your accounts and all your linked Regions. After linking a Region to the aggregator Region, your findings are continuously synced between the Regions, so that any update made to a finding in one Region is replicated to the other Region. Your Security Hub administrator or delegated administrator account in your aggregator Region can view and manage all of your findings. Individual Security Hub member accounts in the aggregator Region can also view and manage all of their findings across all linked Regions. Your Amazon EventBridge feed in your administrator account and aggregator Region now also includes all your findings across all member accounts and linked Regions, which allows you to simplify integrations with ticketing, chat, incident management, logging, and auto-remediation tools by consolidating those integrations into your aggregator Region.

Integrations with ticketing, chat, incident management, investigation, GRC, SOAR, and SIEM tools

In addition to integrating with a selection of other Amazon Web Services security services and partner products that send Security Hub findings, Security Hub also has integrations with various ticketing, chat, incident management, threat investigation, Governance Risk and Compliance (GRC), Security Orchestration Automation and Response (SOAR), and Security Information and Event Management (SIEM) tools that can receive findings from Security Hub. These integrations include services of Amazon Web Services China Regions such as Amazon Detective (threat investigations), Amazon Audit Manager, and various partner tools such as Splunk, Slack, PagerDuty, Sumo Logic, ServiceNow ITSM, and Atlassian’s Jira Service Management. The integration with ServiceNow and Jira are bi-directional, so that any updates to tickets are synced with the findings in Security Hub.

Security scores and summary dashboards

Security Hub provides a simple 0-100 security score for each standard, for each account across all enabled standards, and a total score for all accounts associated with your administrator account. This score is based on the number of controls that have passed vs. failed for a standard, account, and/or organization. To help you monitor your security posture, security score information is presented along with other key insights, such as which resources have the most failed security checks, in summary dashboards.

Filtering, grouping, and saved searches for your findings

You can filter findings based on fields in the Amazon Security Finding Format and use GroupBy statements to aggregate findings into buckets. For example, you can filter findings to show only Critical or High severity findings and then group them by resource IDs to see which resources have the most critical or high findings. Security Hub calls these types of searches “insights”, and provides prepackaged managed insights and lets you define your own custom insights. Each insight includes a time series sparkline to show the trend over time in findings that match the insight.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us/. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.