Working with the dashboard in Security Hub CSPM
The Summary page in the Security Hub console shows a summary of your risks, attack sequences, and security coverage. This page helps you identify risks and attack sequences based on their severity and the account coverage for different security capabilities. You can customize this page by adding and removing different security widgets and setting filter criteria to retrieve specific types of data.
Customizations to this page are saved for future use. If users in your account customize this page, their customization preferences are saved independently from your customization preferences.
If your account is the delegated administrator account for an organization, the data includes findings for your account and member accounts. If your account is a member account or a standalone account, the data only includes findings for your account.
If you configure cross-Region aggregation in Security Hub CSPM, this page shows findings from your aggregation
Note
Every time you open this page, it automatically refreshes. However, security scores and control statuses refresh every 24 hours.
The risk summary widget
This widget shows all of your risks based on severity. Risks with greater severity appear first. Risks are based on an analysis of findings and traits from Security Hub CSPM and other AWS services.
The threat summary widget
This widget shows all of your attack sequences based on severity. Attack sequences with greater severity appear first. Attack sequences are related to a series of events and identify potential threats in your environment. They also originate in GuardDuty.
The security coverage widget
Available widgets for the Summary dashboard
The Summary dashboard includes widgets that reflect the modern cloud security threat landscape, guided by the security operations and experiences of AWS customers. Some widgets are shown by default while others are not. You can customize your view of the dashboard by adding or removing widgets.
To add a widget, choose Add widget at the top right of the Summary page. In the search bar, enter the title of the widget. Drag and drop the widget onto the dashboard.
Widgets shown by default
By default, the Summary dashboard includes the following widgets:
- Top threat sequences
Displays the highest severity threat sequences. Threat sequence findings, known as attack sequence findings in Amazon GuardDuty, correlate multiple events to identify potential threats to your AWS environment. Threat sequences may include in-progress or recent attack behaviors (within a 24-hour time window) in your environment, which may in turn lead to further compromise. You must have GuardDuty and GuardDuty S3 Protection enabled to receive threat sequence findings in Security Hub CSPM.
- Top risks
Displays a summary of the top risks in your environment. The top of the widget shows you the count of risks at each severity level. You can choose a severity level to go to the Risks page with risks filtered to the selected severity level. Risks that have the most occurrences in your environment appear first. This widget helps you prioritize which risks to mitigate.
- Security coverage
Summarizes the extent of your security coverage, based on coverage control findings. Coverage controls check whether a specific AWS service and its capabilities are enabled (for example, [Macie.1] Amazon Macie should be enabled). This widget helps you ensure that you have PASSED findings for coverage controls. The Security Hub CSPM console provides links from this widget to help you enable missing security capabilities. We recommend using central configuration to enable missing security capabilities across multiple AWS accounts and AWS Regions. For more information, see Understanding central configuration in Security Hub CSPM.
- Security standards
Displays your most recent summary security score and the security score for each Security Hub CSPM standard. Security scores, which range from 0–100 percent, represent the proportion of passed controls relative to all of your enabled controls. For more information about these scores, see Method of calculating security scores. This widget helps you understand your overall security posture.
- Assets with the most findings
Provides an overview of the resources, accounts, and applications that have the most findings. The list is sorted in descending order by the number of findings. In the widget, each tab shows the top six items in that category, grouped by severity and resource type. If you choose a number in the Total findings column, Security Hub CSPM opens a page that shows the findings for the asset. This widget helps you quickly identify which of your core assets have potential security threats.
- Findings by Region
Shows the total number of findings, grouped by severity, in each AWS Region in which Security Hub CSPM is enabled. This widget helps you identify security issues that potentially affect particular Regions. If you open the dashboard in your aggregation Region, this widget helps you monitor potential security issues in each linked Region.
- Most common threat types
Provides a breakdown of the 10 most common types of threats in your AWS environment. This includes threats such as escalation of privileges, use of exposed credentials, or communication with malicious IP addresses.
To view this data, Amazon GuardDuty must be enabled. If it is, choose a threat type in this widget to open the GuardDuty console and review findings related to this threat. This widget helps you evaluate potential threats in the context of other security issues.
- Software vulnerabilities with exploits
Provides a summary of software vulnerabilities that exist in your AWS environment and have known exploits. You can also review a breakdown of vulnerabilities that do and don't have fixes available.
To view this data, Amazon Inspector must be enabled. If it is, choose a statistic in this widget to open the Amazon Inspector console and review more details about the vulnerability. This widget helps you evaluate software vulnerabilities in the context of other security issues.
- New findings over time
Shows trends in the number of new daily findings during the past 90 days. You can break down the data by severity or by provider for additional context. This widget helps you understand if finding volume spiked or dropped at specific times during the past 90 days.
- Resources with the most findings
Provides a summary of the resources that have generated the most findings, broken down by the following resource types: Amazon Simple Storage Service (Amazon S3) buckets, Amazon Elastic Compute Cloud (Amazon EC2) instances, and AWS Lambda functions.
In the widget, each tab focuses on one of the preceding resource types, listing the 10 resource instances that generated the most findings. To review the findings for a specific resource, choose the resource instance. This widget helps you triage security findings that are associated with common AWS resources.
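The Security coverage check described above (PASSED findings for coverage controls) can be reproduced over exported findings. This is an added example, not AWS code: it assumes findings in AWS Security Finding Format, uses constructed sample data, and treats GuardDuty.1 and Inspector.1 as coverage controls alongside the page's Macie.1, which is an assumption.

```python
# Added example: constructed ASFF-style findings, not real account data.
# Assumption: the page names only Macie.1 as a coverage control; the other two
# IDs are illustrative stand-ins for "service should be enabled" controls.
COVERAGE_CONTROLS = ("GuardDuty.1", "Inspector.1", "Macie.1")

def coverage_gaps(findings, scopes):
    """Map each (account, region) scope to its coverage controls that are not
    PASSED. A control with no active finding is reported as NO_DATA."""
    latest = {}  # (account, region, control) -> (UpdatedAt, status)
    for f in findings:
        control = f.get("Compliance", {}).get("SecurityControlId")
        if control not in COVERAGE_CONTROLS or f.get("RecordState") != "ACTIVE":
            continue  # skip non-coverage controls and archived findings
        key = (f["AwsAccountId"], f["Region"], control)
        seen = latest.get(key)
        # ISO 8601 UTC timestamps in one format sort lexicographically.
        if seen is None or f["UpdatedAt"] > seen[0]:
            latest[key] = (f["UpdatedAt"], f["Compliance"].get("Status", "NO_DATA"))
    gaps = {}
    for account, region in scopes:
        not_passed = {}
        for control in COVERAGE_CONTROLS:
            status = latest.get((account, region, control), ("", "NO_DATA"))[1]
            if status != "PASSED":
                not_passed[control] = status
        if not_passed:
            gaps[(account, region)] = not_passed
    return gaps

def _finding(account, region, control, status, updated, state="ACTIVE"):
    """Build a minimal ASFF-shaped dict holding only the fields used above."""
    return {"AwsAccountId": account, "Region": region, "RecordState": state,
            "UpdatedAt": updated,
            "Compliance": {"SecurityControlId": control, "Status": status}}

A, B = "111122223333", "444455556666"  # constructed account IDs
SAMPLE = [
    _finding(A, "us-east-1", "Macie.1", "FAILED", "2025-01-01T00:00:00Z"),
    _finding(A, "us-east-1", "Macie.1", "PASSED", "2025-01-02T00:00:00Z"),
    _finding(A, "us-east-1", "GuardDuty.1", "PASSED", "2025-01-02T00:00:00Z"),
    _finding(A, "us-east-1", "Inspector.1", "FAILED", "2025-01-02T00:00:00Z"),
    _finding(A, "us-east-1", "S3.1", "FAILED", "2025-01-02T00:00:00Z"),
    _finding(B, "eu-west-1", "GuardDuty.1", "PASSED", "2025-01-02T00:00:00Z"),
    _finding(B, "eu-west-1", "Macie.1", "PASSED", "2025-01-02T00:00:00Z", "ARCHIVED"),
]
SCOPES = [(A, "us-east-1"), (B, "eu-west-1")]

if __name__ == "__main__":
    for scope, controls in coverage_gaps(SAMPLE, SCOPES).items():
        print(scope, controls)
```

Passing the expected account and Region pairs explicitly is what surfaces NO_DATA: a scope where a coverage control produced no active finding is reported as a gap, not silently omitted.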
Widgets hidden by default
The following widgets are also available for the Summary dashboard, but they are hidden by default:
- AMIs with the most findings
Provides a list of the 10 Amazon Machine Images (AMIs) that have generated the most findings. This data is available only if Amazon EC2 is enabled for your account. It helps you identify which AMIs pose potential security risks.
- IAM principals with the most findings
Provides a list of the 10 AWS Identity and Access Management (IAM) users that have generated the most findings. This widget helps you perform administrative and billing tasks. It shows you which users contribute to Security Hub CSPM usage the most.
- Accounts with the most findings (by severity)
Shows a graph of the 10 accounts that have generated the most findings, grouped by severity. This widget helps you determine which accounts to focus analysis and remediation efforts on.
- Accounts with the most findings (by resource type)
Shows a graph of the 10 accounts that have generated the most findings, grouped by resource type. This widget helps you determine which accounts and resource types to prioritize for analysis and remediation.
- Insights
Lists five Security Hub CSPM managed insights and the number of findings that they generated. Insights identify a specific security area that requires attention.
- Latest findings from AWS integrations
Shows the number of findings that you received in Security Hub CSPM from integrated AWS services. It also shows when you most recently received findings from each integrated service. This widget provides consolidated findings data from multiple AWS services. To drill down, choose an integrated service. Security Hub CSPM then opens the console for that service.