Concepts and terminology in Security Hub CSPM - AWS Security Hub

Concepts and terminology in Security Hub CSPM

In AWS Security Hub Cloud Security Posture Management (CSPM), we build on common AWS concepts and terminology and use these additional terms.

Account

A standard Amazon Web Services (AWS) account that contains your AWS resources. You can sign in to AWS with your account and enable Security Hub CSPM.

An account can invite other accounts to enable Security Hub CSPM and become associated with that account in Security Hub CSPM. Accepting a membership invitation is optional. If the invitations are accepted, the account becomes an administrator account, and the added accounts are member accounts. Administrator accounts can view findings in their member accounts.

If you are enrolled in AWS Organizations, then your organization designates a Security Hub CSPM administrator account for the organization. The Security Hub CSPM administrator account can enable other organization accounts as member accounts.

An account cannot be both an administrator account and a member account at the same time. An account can only have one administrator account.

For more information, see Managing administrator and member accounts in Security Hub CSPM.

Administrator account

An account in Security Hub CSPM that is granted access to view findings for associated member accounts.

An account becomes an administrator account in one of the following ways:

  • The account invites other accounts to become associated with it in Security Hub CSPM. When those accounts accept the invitation, they become member accounts, and the inviting account becomes their administrator account.

  • The account is designated by an organization management account as the Security Hub CSPM administrator account. The Security Hub CSPM administrator account can enable any organization account as a member account, and can also invite other accounts to be member accounts.

An account can only have one administrator account. An account cannot be both an administrator account and a member account at the same time.

Aggregation Region

Setting an aggregation Region allows you to view security findings from multiple AWS Regions in a single pane of glass.

The aggregation Region is the Region from which you view and manage findings. Findings are aggregated to the aggregation Region from linked Regions. Updates to findings are replicated across Regions.

In the aggregation Region, the Security standards, Insights, and Findings pages include data from all linked Regions.

For more information, see Understanding cross-Region aggregation in Security Hub CSPM.

Archived finding

A finding whose record state (RecordState) is ARCHIVED. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. Record state is different from workflow status, which tracks the status of the investigation into a finding.

Finding providers can use the BatchImportFindings operation of the Security Hub CSPM API to archive findings that they created. Security Hub CSPM automatically archives control findings that meet certain criteria. For more information, see Generating, updating, and archiving control findings.

On the Security Hub CSPM console, default filter settings exclude archived findings from finding lists and tables. You can update the settings to include archived findings. If you retrieve findings by using the GetFindings operation of the Security Hub CSPM API, the operation retrieves both archived and active findings. To exclude archived findings, you can filter the results. For example:

"RecordState": [ { "Comparison": "NOT_EQUALS", "Value": "ARCHIVED" } ],

AWS Security Finding Format (ASFF)

A standardized format for the contents of findings that Security Hub CSPM aggregates or generates. The AWS Security Finding Format enables you to use Security Hub CSPM to view and analyze findings that are generated by AWS security services, third-party solutions, or Security Hub CSPM itself from running security checks. For more information, see AWS Security Finding Format (ASFF).

Control

A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. A security standard is associated with a collection of controls.

The term security control refers to controls that have a single control ID and title across standards. The term standard control refers to controls that have standard-specific control IDs and titles. Currently, Security Hub CSPM supports standard controls only in the China Regions and AWS GovCloud (US) Regions. Security controls are supported in all other Regions.

Custom action

A Security Hub CSPM mechanism for sending selected findings to EventBridge. A custom action is created in Security Hub CSPM. It is then linked to an EventBridge rule. The rule defines a specific action to take when a finding is received that is associated with the custom action ID. Custom actions can be used, for example, to send a specific finding, or a small set of findings, to a response or remediation workflow. For more information, see Creating a custom action.
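
As an added example (not AWS code, and not part of this page), the following Python shows how an EventBridge rule selects the findings sent through one custom action: Security Hub delivers a custom action as an event with detail-type "Security Hub Findings - Custom Action" and the custom action ARN in the event's "resources" field, so a rule keyed on that ARN receives only findings routed through that action. The account ID, Region, action name and findings are constructed placeholders, and pattern_matches() implements only the literal-value subset of EventBridge pattern syntax.

```python
"""Select Security Hub custom-action events with an EventBridge pattern.

Added example, not AWS code. The account ID, Region, action name and
findings below are constructed; pattern_matches() covers only the
literal-value subset of EventBridge pattern matching.
"""
from typing import Any, Dict, List

ACCOUNT = "111122223333"          # constructed placeholder
REGION = "us-east-1"              # constructed placeholder
ACTION_NAME = "SendToTicketing"   # constructed custom action name
ACTION_ARN = f"arn:aws:securityhub:{REGION}:{ACCOUNT}:action/custom/{ACTION_NAME}"


def custom_action_rule_pattern(action_arn: str) -> Dict[str, List[str]]:
    """Event pattern for an EventBridge rule bound to one custom action."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [action_arn],
    }


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Literal-value subset of EventBridge matching.

    Every key in the pattern must be present in the event, and the event
    value (or at least one element, if it is a list) must equal one of the
    pattern's listed values. Nested object patterns recurse.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):
            if not isinstance(actual, dict) or not pattern_matches(allowed, actual):
                return False
            continue
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(value in allowed for value in candidates):
            return False
    return True


def _event(detail_type: str, resources: List[str], findings: List[Dict]) -> Dict[str, Any]:
    """Build a constructed Security Hub event in the EventBridge envelope shape."""
    return {
        "source": "aws.securityhub",
        "detail-type": detail_type,
        "region": REGION,
        "account": ACCOUNT,
        "resources": resources,
        "detail": {"findings": findings},
    }


# Constructed events: one sent through our action, one through a different
# custom action, and one ordinary imported-finding event.
SAMPLE_EVENTS = [
    _event("Security Hub Findings - Custom Action", [ACTION_ARN],
           [{"Id": "finding-1", "Title": "S3 bucket allows public read"}]),
    _event("Security Hub Findings - Custom Action",
           [f"arn:aws:securityhub:{REGION}:{ACCOUNT}:action/custom/Other"],
           [{"Id": "finding-2", "Title": "Root account has access keys"}]),
    _event("Security Hub Findings - Imported", [],
           [{"Id": "finding-3", "Title": "MFA not enabled"}]),
]


def findings_for_action(events: List[Dict], action_arn: str) -> List[str]:
    """IDs of findings that the rule for action_arn would hand to its target."""
    pattern = custom_action_rule_pattern(action_arn)
    return [
        finding["Id"]
        for event in events
        if pattern_matches(pattern, event)
        for finding in event["detail"]["findings"]
    ]


if __name__ == "__main__":
    print(findings_for_action(SAMPLE_EVENTS, ACTION_ARN))
```

Only the event whose "resources" carries the rule's own action ARN reaches the target; the other custom action and the imported-finding stream are ignored, which is what keeps a remediation workflow from acting on findings nobody explicitly sent to it.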

Delegated administrator account (Organizations)

In AWS Organizations, the delegated administrator account for a service is able to manage the use of a service for the organization.

In Security Hub CSPM, the Security Hub CSPM administrator account is also the delegated administrator account for Security Hub CSPM. When the organization management account first designates a Security Hub CSPM administrator account, Security Hub CSPM calls Organizations to make that account the delegated administrator account.

The organization management account must then choose the delegated administrator account as the Security Hub CSPM administrator account in all Regions.

Finding

The observable record of a security check or security-related detection. Security Hub CSPM generates findings after completing security checks for controls. These are called control findings. Findings can also come from integrations with other AWS services and third-party products.

For more information, see Creating and updating findings in Security Hub CSPM.

Cross-Region aggregation

The aggregation of findings, insights, control compliance statuses, and security scores from linked Regions to an aggregation Region. You can then view all of your data from the aggregation Region and update findings and insights from the aggregation Region.

For more information, see Understanding cross-Region aggregation in Security Hub CSPM.

Finding ingestion

The import of findings into Security Hub CSPM from other AWS services and from third-party partner providers.

Finding ingestion events include both new findings and updates to existing findings.

Insight

A collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub CSPM offers several managed (default) insights that you can't modify. You can also create custom Security Hub CSPM insights to track security issues that are unique to your AWS environment and usage. For more information, see Viewing insights in Security Hub CSPM.

Linked Region

When you enable cross-Region aggregation, a linked Region is a Region that aggregates findings, insights, control compliance statuses, and security scores to the aggregation Region.

In a linked Region, the Findings and Insights pages contain findings only from that Region.

For more information, see Understanding cross-Region aggregation in Security Hub CSPM.

Member account

An account that has granted permission to an administrator account to view and take action on its findings.

An account becomes a member account in one of the following ways:

  • The account accepts an invitation from another account.

  • For an organization account, the Security Hub CSPM administrator account enables the account as a member account.

Related requirements

A set of industry or regulatory requirements that are mapped to a control.

Rule

A set of automated criteria that is used to assess whether a control is being adhered to. When a rule is evaluated, it can pass or fail. If the evaluation cannot determine whether the rule passes or fails, then the rule is in a warning state. If the rule cannot be evaluated, then it is in a not available state.

Security check

A specific point-in-time evaluation of a rule against a single resource resulting in a PASSED, FAILED, WARNING, or NOT_AVAILABLE state. Running a security check produces a finding.

Security Hub CSPM administrator account

An organization account that manages Security Hub CSPM membership for an organization.

The organization management account designates the Security Hub CSPM administrator account in each Region. The organization management account must choose the same Security Hub CSPM administrator account in all Regions.

The Security Hub CSPM administrator account is also the delegated administrator account for Security Hub CSPM in Organizations.

The Security Hub CSPM administrator account can enable any organization account as a member account. The Security Hub CSPM administrator account can also invite other accounts to be member accounts.

Security standard

A published statement on a topic specifying the characteristics, usually measurable and in the form of controls, that must be satisfied or achieved for compliance. Security standards can be based on regulatory frameworks, best practices, or internal company policies. A control may be associated with one or more supported standards in Security Hub CSPM. To learn more about security standards in Security Hub CSPM, see Understanding security standards in Security Hub CSPM.

Severity

The severity assigned to a Security Hub CSPM control identifies the importance of the control. The severity of a control can be Critical, High, Medium, Low, or Informational. The severity assigned to control findings is equal to the severity of the control itself. To learn about how Security Hub CSPM assigns severity to a control, see Severity levels for control findings.

Workflow status

The status of an investigation into a finding. This is tracked using the Workflow.Status attribute.

The workflow status is initially NEW. If you notified the resource owner to take action on the finding, you can set the workflow status to NOTIFIED. If the finding is not an issue, and does not require any action, set the workflow status to SUPPRESSED. After you review and remediate a finding, set the workflow status to RESOLVED.

By default, most finding lists only include findings with a workflow status of NEW or NOTIFIED. Finding lists for controls also include RESOLVED findings.

For the GetFindings operation, you can include a filter for the workflow status.

"WorkflowStatus": [ { "Comparison": "EQUALS", "Value": "RESOLVED" } ],
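
The RecordState filter under Archived finding and the WorkflowStatus filter above have the same shape, so one added example serves both. The Python below is not AWS code: it reproduces the StringFilter comparisons that GetFindings accepts (EQUALS, NOT_EQUALS, PREFIX, PREFIX_NOT_EQUALS) over a constructed set of ASFF-shaped findings, combining several values for one attribute the way the API documents it (positive comparisons are ORed, negative ones ANDed). It makes visible why an EQUALS/ARCHIVED filter returns only archived findings while NOT_EQUALS/ARCHIVED excludes them, and how the console's default NEW-or-NOTIFIED view is expressed as a filter. The finding IDs and titles are constructed.

```python
"""Evaluate Security Hub GetFindings-style StringFilters locally.

Added example, not AWS code. Sample findings are constructed and carry
only the ASFF attributes the filters below need.
"""
from typing import Dict, List, Tuple

# Constructed sample findings (trimmed ASFF fields only).
SAMPLE_FINDINGS: List[Dict] = [
    {"Id": "f-1", "Title": "S3 bucket allows public read",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "f-2", "Title": "Root account has access keys",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"}},
    {"Id": "f-3", "Title": "Security group allows SSH from anywhere",
     "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"}},
    {"Id": "f-4", "Title": "MFA not enabled for console user",
     "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"}},
]

# GetFindings filter key -> path of the attribute inside the ASFF finding.
FILTER_PATHS: Dict[str, Tuple[str, ...]] = {
    "RecordState": ("RecordState",),
    "WorkflowStatus": ("Workflow", "Status"),
    "Title": ("Title",),
}

POSITIVE_COMPARISONS = {"EQUALS", "PREFIX"}


def _lookup(finding: Dict, path: Tuple[str, ...]) -> str:
    """Walk a nested attribute path; missing attributes read as empty."""
    value = finding
    for key in path:
        if not isinstance(value, dict):
            return ""
        value = value.get(key, "")
    return value if isinstance(value, str) else ""


def _compare(value: str, comparison: str, expected: str) -> bool:
    """One StringFilter comparison."""
    if comparison == "EQUALS":
        return value == expected
    if comparison == "NOT_EQUALS":
        return value != expected
    if comparison == "PREFIX":
        return value.startswith(expected)
    if comparison == "PREFIX_NOT_EQUALS":
        return not value.startswith(expected)
    raise ValueError(f"unsupported Comparison: {comparison}")


def matches_filters(finding: Dict, filters: Dict[str, List[Dict]]) -> bool:
    """True if the finding satisfies every attribute filter.

    Within one attribute, positive comparisons are ORed and negative
    comparisons are ANDed; different attributes are ANDed together.
    """
    for key, conditions in filters.items():
        if key not in FILTER_PATHS:
            raise ValueError(f"filter key not modelled here: {key}")
        value = _lookup(finding, FILTER_PATHS[key])
        positives = [c for c in conditions if c["Comparison"] in POSITIVE_COMPARISONS]
        negatives = [c for c in conditions if c["Comparison"] not in POSITIVE_COMPARISONS]
        if positives and not any(_compare(value, c["Comparison"], c["Value"]) for c in positives):
            return False
        if not all(_compare(value, c["Comparison"], c["Value"]) for c in negatives):
            return False
    return True


def apply_filters(findings: List[Dict], filters: Dict[str, List[Dict]]) -> List[str]:
    """IDs of the findings GetFindings would return for these filters."""
    return [f["Id"] for f in findings if matches_filters(f, filters)]


# The filter the Archived finding entry intends: drop archived findings.
EXCLUDE_ARCHIVED = {"RecordState": [{"Comparison": "NOT_EQUALS", "Value": "ARCHIVED"}]}
# The opposite: EQUALS on ARCHIVED returns only the archived findings.
ONLY_ARCHIVED = {"RecordState": [{"Comparison": "EQUALS", "Value": "ARCHIVED"}]}
# Console-style default view: active findings whose workflow status is NEW or NOTIFIED.
DEFAULT_VIEW = {
    "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
    "WorkflowStatus": [{"Comparison": "EQUALS", "Value": "NEW"},
                       {"Comparison": "EQUALS", "Value": "NOTIFIED"}],
}

if __name__ == "__main__":
    print(apply_filters(SAMPLE_FINDINGS, EXCLUDE_ARCHIVED))
    print(apply_filters(SAMPLE_FINDINGS, ONLY_ARCHIVED))
    print(apply_filters(SAMPLE_FINDINGS, DEFAULT_VIEW))
```

The same dict literals can be passed as the Filters parameter of a real GetFindings call; the local evaluator only exists to check what a filter selects before it is wired into a report or a SIEM export.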

The Security Hub CSPM console provides an option to set the workflow status for findings. Customers (or SIEM, ticketing, incident management, or SOAR tools working on behalf of a customer to update findings from finding providers) can also use BatchUpdateFindings to update the workflow status.
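
As an added example (not AWS code), the Python below walks three constructed control findings through the workflow statuses described above and builds the BatchUpdateFindings request bodies that would set them. It models what the service stores and which findings remain in a default finding list (NEW or NOTIFIED). The ProductArn uses the documented form for findings that Security Hub itself generates, with a placeholder Region; the finding IDs, titles and note text are constructed.

```python
"""Track workflow status and build BatchUpdateFindings requests.

Added example, not AWS code. Region, finding IDs and note text are
constructed placeholders.
"""
from typing import Dict, List

WORKFLOW_STATUSES = ("NEW", "NOTIFIED", "SUPPRESSED", "RESOLVED")
DEFAULT_LIST_STATUSES = ("NEW", "NOTIFIED")  # what most finding lists show by default
MAX_BATCH = 100                              # BatchUpdateFindings takes up to 100 findings per call
REGION = "us-east-1"                         # constructed placeholder
# ProductArn of findings that Security Hub itself generates (control findings).
SECURITY_HUB_PRODUCT_ARN = f"arn:aws:securityhub:{REGION}::product/aws/securityhub"


def build_update_request(finding_ids: List[str], status: str,
                         note: str = "", updated_by: str = "") -> Dict:
    """Build a BatchUpdateFindings request body that sets Workflow.Status.

    Each finding is identified by Id plus ProductArn; a Note, when given,
    needs both Text and UpdatedBy.
    """
    if status not in WORKFLOW_STATUSES:
        raise ValueError(f"unknown workflow status {status!r}")
    if not 1 <= len(finding_ids) <= MAX_BATCH:
        raise ValueError(f"BatchUpdateFindings takes 1..{MAX_BATCH} findings per call")
    body = {
        "FindingIdentifiers": [
            {"Id": fid, "ProductArn": SECURITY_HUB_PRODUCT_ARN} for fid in finding_ids
        ],
        "Workflow": {"Status": status},
    }
    if note:
        if not updated_by:
            raise ValueError("a Note needs UpdatedBy as well as Text")
        body["Note"] = {"Text": note, "UpdatedBy": updated_by}
    return body


def apply_update(findings: Dict[str, Dict], request: Dict) -> Dict[str, Dict]:
    """Apply the request to a local copy of the findings (what the service would store)."""
    updated = {fid: dict(finding) for fid, finding in findings.items()}
    for ident in request["FindingIdentifiers"]:
        target = updated[ident["Id"]]
        target["Workflow"] = {"Status": request["Workflow"]["Status"]}
        if "Note" in request:
            target["Note"] = dict(request["Note"])
    return updated


def default_list(findings: Dict[str, Dict]) -> List[str]:
    """IDs that still appear in a default finding list (NEW or NOTIFIED)."""
    return sorted(fid for fid, finding in findings.items()
                  if finding["Workflow"]["Status"] in DEFAULT_LIST_STATUSES)


# Constructed sample: three control findings, all freshly generated as NEW.
SAMPLE_FINDINGS = {
    "f-1": {"Title": "S3 bucket allows public read", "Workflow": {"Status": "NEW"}},
    "f-2": {"Title": "Root account has access keys", "Workflow": {"Status": "NEW"}},
    "f-3": {"Title": "Unused security group", "Workflow": {"Status": "NEW"}},
}


def triage_example() -> List[str]:
    """Walk the sample findings through the statuses and report the default list."""
    state = SAMPLE_FINDINGS
    # The owner of f-1 has been told; it stays visible as NOTIFIED.
    state = apply_update(state, build_update_request(["f-1"], "NOTIFIED"))
    # f-2 was remediated and verified: RESOLVED drops out of default lists.
    state = apply_update(state, build_update_request(
        ["f-2"], "RESOLVED", note="Access keys deleted", updated_by="analyst"))
    # f-3 is accepted behaviour, not an issue: SUPPRESSED also drops out.
    state = apply_update(state, build_update_request(["f-3"], "SUPPRESSED"))
    return default_list(state)


if __name__ == "__main__":
    print(triage_example())  # ['f-1']
```

A ticketing or SOAR integration that updates findings on a customer's behalf would send exactly these request bodies; keeping the status vocabulary and the batch limit in one place prevents a silent rejection when an unknown status or an oversized batch is submitted.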