What is AWS Security Hub CSPM?
AWS Security Hub Cloud Security Posture Management (CSPM) provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices.
Security Hub CSPM collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.
To help you manage the security state of your organization, Security Hub CSPM supports multiple security standards. These include the AWS Foundational Security Best Practices (FSBP) standard developed by AWS, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub CSPM runs checks against security controls and generates control findings to help you assess your compliance against security best practices.
In addition to generating control findings, Security Hub CSPM also receives findings from other AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and from supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub CSPM findings to other AWS services and supported third-party products.
Security Hub CSPM offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.
Benefits of Security Hub CSPM
Here are some of the key ways that Security Hub CSPM helps you monitor your compliance and security posture across your AWS environment.
- Reduced effort to collect and prioritize findings
Security Hub CSPM reduces the effort to collect and prioritize security findings across accounts from integrated AWS services and AWS partner products. Security Hub CSPM processes finding data using the AWS Security Finding Format (ASFF), a standard finding format. This eliminates the need to manage findings from myriad sources in multiple formats. Security Hub CSPM also correlates findings across providers to help you prioritize the most important ones.
- Automatic security checks against best practices and standards
Security Hub CSPM automatically runs continuous, account-level configuration and security checks based on AWS best practices and industry standards. Security Hub CSPM uses the results of these checks to calculate security scores, and identifies specific accounts and resources that require attention.
- Consolidated view of findings across accounts and providers
Security Hub CSPM consolidates your security findings across accounts and provider products and displays results on the Security Hub CSPM console. You can also retrieve findings through the Security Hub CSPM API, AWS CLI, or SDKs. With a holistic view of your current security status, you can spot trends, identify potential issues, and take necessary remediation steps.
- Ability to automate finding updates and remediation
You can create automation rules that modify or suppress findings based on your defined criteria. Security Hub CSPM also supports an integration with Amazon EventBridge. To automate the remediation of specific findings, you can define custom actions to take when a finding is generated. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system.
Accessing Security Hub CSPM
Security Hub CSPM is available in most AWS Regions. For a list of Regions where Security Hub CSPM is currently available, see AWS Security Hub Cloud Security Posture Management (CSPM) endpoints and quotas in the AWS General Reference. For information about managing AWS Regions for your AWS account, see Specifying which AWS Regions your account can use in the AWS Account Management Reference Guide.
In each Region, you can access and use Security Hub CSPM in any of the following ways:
- Security Hub CSPM console
The AWS Management Console is a browser-based interface that you can use to create and manage AWS resources. As part of that console, the Security Hub CSPM console provides access to your Security Hub CSPM account, data, and resources. You can perform Security Hub CSPM tasks by using the Security Hub CSPM console—view findings, create automation rules, create an aggregation Region, and more.
- Security Hub CSPM API
The Security Hub CSPM API gives you programmatic access to your Security Hub CSPM account, data, and resources. With the API, you can send HTTPS requests directly to Security Hub CSPM. For information about the API, see the AWS Security Hub Cloud Security Posture Management (CSPM) API Reference.
- AWS CLI
With the AWS CLI, you can run commands at your system's command line to perform Security Hub CSPM tasks. In some cases, using the command line can be faster and more convenient than using the console. The command line is also useful if you want to build scripts that perform tasks. For information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide.
- AWS SDKs
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms—for example, Java, Go, Python, C++, and .NET. The SDKs provide convenient, programmatic access to Security Hub CSPM and other AWS services in your preferred language. They also handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about installing and using the AWS SDKs, see Tools to Build on AWS.
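The programmatic access described above, as an added example that is not code from the AWS documentation: it retrieves active findings whose control check has FAILED through the boto3 SecurityHub client and ranks them by ASFF severity label for triage. The boto3 client name and get_findings paginator, the GetFindings filter keys, and the constructed sample findings are assumptions based on the public API, not values taken from this page.

```python
"""Pull failed Security Hub CSPM control findings and rank them for triage.
Added example, not AWS documentation code; assumes boto3's 'securityhub' client
(get_findings paginator) and the ASFF fields named below."""

# GetFindings filter: active, not-yet-worked findings whose control check FAILED.
FAILED_ACTIVE_FILTER = {
    "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
}
# ASFF severity labels, highest first; unknown labels sort last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def fetch_failed_findings(client, filters=FAILED_ACTIVE_FILTER):
    """Page through GetFindings; `client` is boto3.client('securityhub')."""
    findings = []
    for page in client.get_paginator("get_findings").paginate(Filters=filters):
        findings.extend(page["Findings"])
    return findings


def triage(findings):
    """Return (resource_id, severity_label, title) rows, most severe first.
    The FAILED/ACTIVE filter is re-applied locally so the function also works on
    findings obtained another way (for example from an EventBridge event)."""
    rows = []
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        for res in f.get("Resources", []):
            rows.append((res["Id"], label, f["Title"]))
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r[1], 99), r[0], r[2]))


# Constructed ASFF-shaped sample (not real findings), trimmed to the fields used.
SAMPLE_FINDINGS = [
    {"Title": "S3 bucket is publicly readable", "RecordState": "ACTIVE", "Severity": {"Label": "CRITICAL"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]},
    {"Title": "CloudTrail should be enabled", "RecordState": "ACTIVE", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    {"Title": "Root user MFA enabled", "RecordState": "ACTIVE", "Severity": {"Label": "CRITICAL"},
     "Compliance": {"Status": "PASSED"}, "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    {"Title": "Security group open to 0.0.0.0/0", "RecordState": "ARCHIVED", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0000"}]},
]
```

Running `triage(SAMPLE_FINDINGS)` keeps only the two active FAILED findings, with the CRITICAL S3 finding ahead of the HIGH CloudTrail one; the PASSED and ARCHIVED entries are dropped.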
Important
Security Hub CSPM only detects and consolidates findings that are generated after you enable Security Hub CSPM. It doesn't retroactively detect and consolidate security findings that were generated before you enabled Security Hub CSPM.
Security Hub CSPM only receives and processes findings in the Region where you enabled Security Hub CSPM in your account.
For full compliance with CIS AWS Foundations Benchmark security checks, you must enable Security Hub CSPM in all supported AWS Regions.
Related services
To further secure your AWS environment, consider using other AWS services in combination with Security Hub CSPM. Some AWS services send their findings to Security Hub CSPM, and Security Hub CSPM normalizes the findings into a standard format. Some AWS services can also receive findings from Security Hub CSPM.
For a list of other AWS services that send or receive Security Hub CSPM findings, see AWS service integrations with Security Hub CSPM.
Security Hub CSPM uses service-linked rules from AWS Config to run security checks for most controls. Controls refer to specific AWS services and AWS resources. For a list of Security Hub CSPM controls, see Control reference for Security Hub CSPM. You must enable AWS Config and record resources in AWS Config for Security Hub CSPM to generate most control findings. For more information, see Considerations before enabling and configuring AWS Config.
Security Hub CSPM free trial and pricing
When you enable Security Hub CSPM in an AWS account for the first time, that account is automatically enrolled in a 30-day Security Hub CSPM free trial.
When you use Security Hub CSPM during the free trial, you are charged for usage of other services that Security Hub CSPM interacts with, such as AWS Config items. You are not charged for AWS Config rules that are activated only by Security Hub CSPM security standards.
You are not charged for using Security Hub CSPM until your free trial ends.
Viewing usage details and estimated cost
Security Hub CSPM provides usage information, including an estimated 30-day cost for using Security Hub CSPM. The usage details include the time remaining in the free trial. The usage information can help you to understand what your Security Hub CSPM costs may be after the free trial ends. The usage information is also available after the free trial ends.
To display usage information (console)
- Open the AWS Security Hub Cloud Security Posture Management (CSPM) console at https://console.aws.amazon.com/securityhub/.
- In the navigation pane, choose Usage under Settings.
The estimated monthly cost is based on your account's Security Hub CSPM usage for findings and security checks projected over a 30-day period.
The usage information and estimated cost are only for the current account and current Region. In an aggregation Region, the usage information and estimated cost don't include linked Regions. For more information about linked Regions, see Types of data that are aggregated.
Pricing details
For more information about how Security Hub CSPM charges for ingested findings and security checks, see Security Hub CSPM pricing.