
AWS Security Hub Documentation

Overview 

AWS Security Hub is designed to help you prioritize security issues and respond to them at scale. It centralizes visibility across your enterprise and correlates and enriches signals from threat detection and vulnerability management to surface and prioritize active risks in your environment. Security Hub turns those signals into insights through visualizations and risk analytics. For example, it is designed to identify when a publicly exposed resource that carries a vulnerability also has access to storage holding sensitive data. 

Security Hub is designed to provide automated response workflows to help streamline remediation at scale. Security Hub is designed to provide visibility into your security posture. It is designed to streamline procurement through a single-vendor experience. 

Unified Security Capabilities 

Prioritized risk summary 

Security Hub is designed to correlate and enrich security findings to help you prioritize security issues across your accounts and AWS Regions. The integrated dashboard provides visualizations through customizable widgets that show exposure summaries, threat trends, security coverage, and risk analytics over time. Through automated analysis and risk-based prioritization, you can see which issues require attention first and make informed decisions about remediation in your environment. 

Automated correlation and enhanced risk context 

Security Hub is designed to provide automated correlation and enhanced risk context by analyzing resource associations, potential impact, and the relationships between security issues. By correlating related threats, vulnerabilities, and misconfigurations, Security Hub surfaces security scenarios that might otherwise go unnoticed when each finding is viewed on its own, helping you improve your security posture. 

Exposure findings 

Security Hub is designed to correlate security findings to help prioritize issues in your environment. By analyzing signals from services such as Amazon Inspector, AWS Security Hub Cloud Security Posture Management (CSPM), Amazon GuardDuty, and Amazon Macie, Security Hub is designed to connect related vulnerabilities, threats, and misconfigurations to help you understand potential exposures. Security Hub is designed to generate exposure findings to help you identify, prioritize, and respond to security issues. Through this correlation, you can triage security issues and understand how different findings combine to create potential attack paths. You can get insights into potentially exploitable resources and make decisions about which issues to address first, helping you identify security scenarios that may be missed when viewing findings in isolation. 

Attack path analysis 

Visualize potential attack paths by understanding how an adversary could chain together vulnerabilities and misconfigurations to compromise resources. By mapping these connections, Security Hub is designed to help you understand possible routes an adversary could take through your environment and identify which resources could be impacted. You can see the scope of a potential compromise, helping you prioritize remediation efforts and protect resources. 
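To make the correlation described above concrete, here is a small added example (not Security Hub's own algorithm, and not code from the page) that chains constructed findings into attack paths. The finding shapes, resource names, and the rule "an entry point must be both publicly exposed and vulnerable" are assumptions chosen for the illustration; the intent is to show why a vulnerable host that is not exposed, or an exposed host that is patched, ranks lower than one that is both and can reach a store flagged as holding sensitive data.

```python
"""Toy correlation of findings into attack paths.

Added example, not Security Hub code. Finding shapes and field names are
simplified stand-ins (assumption), not OCSF or any Security Hub API output.
"""
from collections import deque

# Constructed findings modelled on the signal types the page names:
# a CSPM public-exposure misconfiguration, an Inspector vulnerability,
# a Macie sensitive-data classification, and access relationships.
FINDINGS = [
    {"source": "cspm", "kind": "public_exposure", "resource": "i-0abc"},
    {"source": "inspector", "kind": "vulnerability", "resource": "i-0abc"},
    {"source": "iam", "kind": "access", "resource": "i-0abc", "target": "role/app"},
    {"source": "iam", "kind": "access", "resource": "role/app", "target": "bucket/customer-exports"},
    {"source": "macie", "kind": "sensitive_data", "resource": "bucket/customer-exports"},
    # vulnerable but not reachable from the internet
    {"source": "inspector", "kind": "vulnerability", "resource": "i-0def"},
    {"source": "iam", "kind": "access", "resource": "i-0def", "target": "bucket/customer-exports"},
    # exposed but fully patched
    {"source": "cspm", "kind": "public_exposure", "resource": "i-0ghi"},
    {"source": "iam", "kind": "access", "resource": "i-0ghi", "target": "bucket/customer-exports"},
]


def build_graph(findings):
    """Split findings into node attributes (exposed/vulnerable/sensitive) and access edges."""
    exposed, vulnerable, sensitive = set(), set(), set()
    edges = {}
    for f in findings:
        if f["kind"] == "public_exposure":
            exposed.add(f["resource"])
        elif f["kind"] == "vulnerability":
            vulnerable.add(f["resource"])
        elif f["kind"] == "sensitive_data":
            sensitive.add(f["resource"])
        elif f["kind"] == "access":
            edges.setdefault(f["resource"], set()).add(f["target"])
    return exposed, vulnerable, sensitive, edges


def attack_paths(findings):
    """Paths from resources that are exposed AND vulnerable to sensitive data stores.

    Breadth-first search over access edges; cycles are cut by refusing to
    revisit a node already on the path.
    """
    exposed, vulnerable, sensitive, edges = build_graph(findings)
    entry_points = exposed & vulnerable
    paths = []
    for start in sorted(entry_points):
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sensitive:
                paths.append(path)
                continue
            for nxt in sorted(edges.get(node, ())):
                if nxt not in path:
                    queue.append(path + [nxt])
    return paths


def impacted(findings):
    """Every resource reachable from an entry point: the scope of a compromise."""
    return {node for path in attack_paths(findings) for node in path[1:]}


def prioritize(findings):
    """Rank resources by how many attack paths they sit on (ties broken by name)."""
    counts = {}
    for path in attack_paths(findings):
        for node in path:
            counts[node] = counts.get(node, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for path in attack_paths(FINDINGS):
        print(" -> ".join(path))
```

Only i-0abc produces a path here: i-0def is vulnerable but not exposed, and i-0ghi is exposed but not vulnerable, so both are recorded as findings yet neither is an entry point. That distinction is the whole value of correlating the signals rather than counting them.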

Security-focused resource inventory 

Access a consolidated view of your AWS resources that brings together security posture, configuration details, and application context in one solution. Security Hub resource inventory is designed to allow you to see a summarized view of your resources, their configuration, and related security findings without switching between different tools or consoles. You can streamline your security analysis by viewing findings by resource type and filtering based on key security criteria, helping you make decisions about where to focus your security efforts. 

Trends and analysis 

Track security posture changes through analytics capabilities that identify patterns and trends in your security data across your environment. Security Hub is designed to provide pre-built managed insights with visualizations that show trends over time, enabling you to monitor the changes in your security posture and focus on areas of interest. You can leverage dashboard widgets to analyze threat trends, exposure patterns, active resources, and security coverage metrics, enabling you to make data-driven decisions for security strategies and demonstrate security improvements to stakeholders. 

Streamlined pricing and cost estimation 

Security Hub consolidates charges under a streamlined pricing model. Use the integrated cost estimator to plan and forecast your security investments across your AWS accounts and Regions before deployment, helping you make decisions about your security infrastructure and optimize costs at scale. 

Automated response 

Security Hub is designed to support automated workflows that integrate with your existing ticketing systems, including Jira Cloud and ServiceNow, helping you streamline remediation at scale. By integrating with your tools and processes, Security Hub is designed to let you focus on responding to security issues rather than managing administrative tasks. 

Analytics with OCSF 

Security Hub uses the Open Cybersecurity Schema Framework (OCSF), a standardized format for security data, to enable analytics that help you identify issues before they affect your operations. OCSF provides a common format for security findings across AWS services and partner integrations, so a finding from one source carries the same fields as a finding from another. By using OCSF, Security Hub is designed to integrate with your security tools and workflows, and the consistent schema makes it easier to identify patterns, trends, and anomalies across your cloud environment. 

Managing Security Alerts 

Standardized security data format 

Security Hub uses OCSF to support the ingestion and processing of security data from various AWS services and partner integrations. This unified data format is designed to enable integration with your existing security tools and workflows. OCSF is designed to provide consistent formatting for security findings, including details such as resource identifiers, severity levels, and timestamps. 

Multi-account and AWS Organizations support 

Security Hub is designed to provide centralized deployment and management across AWS Organizations. By designating an administrator account, your security team can view correlated security findings across accounts through a consolidated view, while individual account owners see findings associated with their account. Integration with AWS Organizations is designed to provide unified enablement, allowing you to enable Security Hub for accounts in your organization. 

Cross-Region aggregation of findings 

Designate an aggregator Region to centralize security findings across your accounts and Regions. Findings are synced between the aggregator Region and the linked Regions, so an update made to a finding in one Region is replicated to the others. The Amazon EventBridge event bus in your administrator account and aggregator Region publishes events for findings from all member accounts and linked Regions. This lets you consolidate integrations with ticketing, chat, incident management, logging, and auto-remediation tools in the single Region where the events are published, rather than deploying them in every Region. 

Advanced analytics and insights 

The analytics capabilities in Security Hub are designed to let you filter, group, and create saved searches across your security findings. Leveraging the standardized OCSF format, you can create custom views and insights that help surface risks across your environment. For example, you can filter findings to focus on high-severity issues and group them by resource type to identify which systems are at risk. 
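The filter-and-group workflow described above, as an added example that is not Security Hub code and does not call any Security Hub API. The records below are constructed; their field names (`severity_id`, `time`, `resources[].type`, `cloud.account.uid`, `finding_info.uid`) follow the OCSF Detection Finding class (class_uid 2004) as the author understands it, not a captured Security Hub payload. The example also handles two details a practitioner hits quickly: OCSF `time` is epoch milliseconds, and severity values 0 (Unknown) and 99 (Other) carry no rank, so they are set aside for manual triage instead of being silently dropped by a numeric threshold.

```python
"""Filter OCSF-shaped findings to high severity and group them by resource type.

Added example, not Security Hub code. Sample records are constructed and
field names follow the OCSF Detection Finding class as understood by the
author (assumption), not a real Security Hub export.
"""
from collections import defaultdict
from datetime import datetime, timezone

HIGH = 4                # OCSF severity_id: 1 Info, 2 Low, 3 Medium, 4 High, 5 Critical, 6 Fatal
NON_ORDINAL = {0, 99}   # 0 Unknown and 99 Other are not ranked; never compare them to a threshold


def _record(uid, sev, account, region, resources, product, title):
    """Build one constructed OCSF-like Detection Finding record."""
    return {
        "class_uid": 2004,
        "time": 1718000000000,  # epoch milliseconds (10 June 2024 UTC)
        "severity_id": sev,
        "cloud": {"account": {"uid": account}, "region": region},
        "finding_info": {"uid": uid, "title": title},
        "resources": resources,
        "metadata": {"product": {"name": product}},
    }


SAMPLE_FINDINGS = [
    _record("f-1", 5, "111111111111", "us-east-1",
            [{"uid": "i-0abc", "type": "AWS::EC2::Instance"}], "Inspector", "Critical vulnerability"),
    _record("f-2", 4, "111111111111", "us-east-1",
            [{"uid": "bucket/exports", "type": "AWS::S3::Bucket"}], "Security Hub CSPM", "Bucket is public"),
    _record("f-3", 2, "222222222222", "eu-west-1",
            [{"uid": "role/ci", "type": "AWS::IAM::Role"}], "GuardDuty", "Unusual API call"),
    _record("f-4", 4, "222222222222", "eu-west-1",
            [{"uid": "bucket/logs", "type": "AWS::S3::Bucket"}], "Macie", "Sensitive data found"),
    _record("f-5", 0, "222222222222", "eu-west-1", [], "Partner scanner", "Severity not mapped"),
]


def _sev(finding):
    return finding.get("severity_id", 0)


def high_severity(findings, minimum=HIGH):
    """Findings whose ranked severity is at least `minimum`."""
    return [f for f in findings if _sev(f) not in NON_ORDINAL and _sev(f) >= minimum]


def unknown_severity(findings):
    """Uids of findings with Unknown/Other/missing severity, for manual triage."""
    return [f["finding_info"]["uid"] for f in findings if _sev(f) in NON_ORDINAL]


def group_by_resource_type(findings):
    """Map resource type -> sorted finding uids. Findings with no resources land under '(none)'."""
    groups = defaultdict(set)
    for f in findings:
        uid = f["finding_info"]["uid"]
        types = {r.get("type", "(untyped)") for r in f.get("resources", [])} or {"(none)"}
        for t in types:
            groups[t].add(uid)
    return {t: sorted(uids) for t, uids in groups.items()}


def count_by_account_region(findings):
    """Count findings per (account uid, Region), the split the dashboard aggregates across."""
    counts = defaultdict(int)
    for f in findings:
        cloud = f.get("cloud", {})
        counts[(cloud.get("account", {}).get("uid"), cloud.get("region"))] += 1
    return dict(counts)


def finding_time(finding):
    """OCSF `time` is epoch milliseconds; convert to an aware UTC datetime."""
    return datetime.fromtimestamp(finding["time"] / 1000, tz=timezone.utc)


if __name__ == "__main__":
    high = high_severity(SAMPLE_FINDINGS)
    print(group_by_resource_type(high))
    print(count_by_account_region(high))
    print("needs triage:", unknown_severity(SAMPLE_FINDINGS))
```

The same grouping works on any OCSF finding regardless of which service or partner produced it, which is the practical payoff of the common schema.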

Automation and Response 

Seamless integration with security tools 

Security Hub uses the standardized OCSF format to support integration with your existing security tools, including ticketing, chat, incident management, threat investigation, GRC (Governance, Risk, and Compliance), SOAR (Security Orchestration, Automation, and Response), and SIEM (Security Information and Event Management) tools. These integrations, combined with automated workflows, are designed to streamline your security operations and enable response at scale. 

Curated Partner Solutions 

Endpoint 

CrowdStrike — Falcon for Endpoint 

CrowdStrike is designed to protect areas of enterprise risk across endpoints, cloud workloads, identity, and data. By unifying next-generation antivirus (NGAV), endpoint detection and response (EDR), and cloud workload protection (CWP), customers can gain protection for workstations, servers, VMs, containers, and serverless workloads. CrowdStrike is designed to provide AI-powered prevention and indicators of attack (IOAs) to help stop threats before damage occurs. Continuous event telemetry is designed to enable automated detection and response across operating systems. A single lightweight sensor is designed to deploy in minutes, securing AWS, Azure, OCI, and GCP with visibility and scalable protection. 

Identity and Access Management / IAM 

Okta — Workforce Identity for AWS 

Okta Workforce Identity Foundations for AWS is designed to deliver a unified identity solution to help secure employees, contractors, and partners across your cloud ecosystem. By integrating with AWS, it is designed to help eliminate password silos and strengthen your security posture through Single Sign-On (SSO) for centralized application access, Phishing-Resistant MFA for authentication, and Universal Directory for a single source of truth across AD or HR systems. This foundational package includes Silver Support and five automated Workflows. 

Privileged Access Management / PAM 

Britive — Privileged Access Management 

Britive Unified Privileged Access Management (PAM) is designed as a native identity security control plane for human, agentic AI, and non-human identities across AWS and multicloud environments. Britive operates without endpoint software or architecture changes. Instead of static credentials, Britive is designed to enforce zero standing privileges through dynamic, ephemeral access minted at execution time, and access is revoked when the task completes. Its API-first design integrates with CI/CD pipelines and AWS infrastructure, applying one common policy across all actors. 

Identity Governance and Administration / IGA 

SailPoint — Identity Security Accelerator 

SailPoint Identity Security Accelerator is designed as a unified, AI-powered solution for growing organizations. It combines a foundational governance engine with application discovery, risk-based prioritization, and zero-touch onboarding. Powered by the SailPoint Platform, it is designed to deliver control and foundational identity security. The AI is designed to transform your application landscape into a prioritized roadmap, enabling you to bring apps under governance. This is designed to reduce risk and cost, establishing a scalable identity program. 

Opti — AI-Native Identity 

Opti is designed as an AI-native identity platform that monitors, analyzes, and remediates excessive permissions across enterprise environments. Available through AWS Security Hub Extended, Opti integrates into your existing security operations by delivering OCSF-compliant findings that are consolidated in AWS Security Hub. Enterprises can use Opti to enforce least privilege, support compliance, and reduce the manual effort of periodic access reviews. 

Email 

Proofpoint — Collaboration Protection 

Proofpoint Collaboration Protection is designed to help stop email threats before they become compromises. It protects against advanced, targeted attacks while giving users a manageable experience for spam and graymail, and its coaching features help users recognize and report suspicious messages. Powered by the Nexus AI threat detection stack, Proofpoint is designed to stop business email compromise (BEC), AI-driven exploits such as hidden prompt injection, ransomware, email bombing, callback phishing, and other advanced social engineering techniques. 

Network 

Zscaler SSE — Private Access Platform 

Zscaler ZPA is designed as a cloud-native solution that delivers zero trust access for users connecting to private applications. It minimizes the attack surface by hiding applications behind the Zero Trust Exchange, limits lateral movement with AI-powered user-to-app segmentation, and protects against attacks with integrated traffic inspection and application and data protection. 

Data 

Cyera — DSPM + DataWatcher 

Cyera Data Security Posture Management (DSPM) is designed to deliver data intelligence across IaaS and DBaaS, discovering and classifying sensitive data, correlating access and exposure risk, and driving prioritized remediation of data security risks at scale. For organizations seeking additional help, Cyera Managed Service: DataWatcher is an optional add-on that is designed to monitor, optimize, and operationalize Cyera's DSPM. Expert-led risk analysis, remediation guidance, and ongoing support are designed to support outcomes without adding internal burden. 

Browser 

Island — Safe Browsing and AI Protection 

Island Safe Browsing & AI Protection is designed to transform consumer browsers like Chrome and Edge into secure work environments through a lightweight extension that deploys in minutes and enforces policy locally. Safe Browsing is designed to deliver inline URL categorization, malware inspection, and anti-phishing protection that blocks malicious sites, stops harmful downloads, and prevents credential theft. AI Protection is designed to provide visibility into AI apps and extensions, with policy controls over prompts and behavior. 

Cloud 

Upwind — Cloud Security 

Upwind is designed as a cloud-native application protection solution that leverages runtime context to help identify risks across your cloud infrastructure, helping security teams prioritize and respond. Upwind brings together cloud security posture management, cloud detection and response, vulnerability and exposure management, data security, and AI security with protection in AWS, across other clouds, and on-premises. 

Artificial Intelligence 

Noma — AI-SPM + Discovery, Noma Red Teaming, Noma Runtime Protection 

Noma is designed as a security platform for AI systems and agents. As organizations scale AI adoption across development, deployment, and production, Noma is designed to deliver visibility, protection, and governance. The platform covers a range of AI deployments, including homegrown applications, SaaS agents, and local developer environments. Noma offers three capabilities: AI Security Posture Management discovers assets and surfaces misconfigurations; Red Teaming tests systems against adversarial attacks before production; and Runtime Protection detects and blocks threats such as prompt injection and data exfiltration. 

Oligo — AI Runtime Security 

Oligo Runtime AI Security is designed to protect AI workloads at runtime. Its unified sensor combines AI Security Posture Management (AI-SPM) and AI Detection & Response (AI-DR) to provide visibility into model behavior, supply chain risks, and runtime anomalies across AWS environments. AI-SPM is designed to identify misconfigurations, exposed models, and policy violations before incidents occur. AI-DR is designed to monitor agent tool calls and behavior to detect adversarial manipulation and hallucination. Available through AWS Security Hub Extended, Oligo is designed to integrate with AWS infrastructure. 

Security Operations 

Splunk — Enterprise Security Essentials 

This integration brings together AWS Security Hub with Splunk Enterprise Security Essentials in a unified, AI-powered SecOps solution. Available via Security Hub Extended, the native integration is designed to fuse AWS insights with Splunk's security monitoring and analytics for consistent coverage and streamlined operations across hybrid environments. Splunk is designed to ingest AWS security findings as native Splunk findings, without custom parsing, and to surface high-priority incidents to analysts. Splunk enriches those findings with its correlation engine, AI, and threat intelligence, embedded in unified analyst workflows. 

7AI — Agentic Security Platform 

7AI is designed to deliver security operations through dynamic AI agents that ingest findings from cloud, identity, endpoint, network, and DLP sources to assess risk, investigate threats, and execute remediation actions. Purpose-built for AWS Security Hub Extended, 7AI is designed to integrate with Security Hub, GuardDuty, and CloudTrail to investigate findings, assess blast radius, and take action across AWS environments. AI agents are designed to run investigations with reasoning, execute response actions, optimize detection rules to reduce false positives, and surface risks before they escalate. 

Additional Information 

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS's services.