Assess and prioritize security findings - AWS Prescriptive Guidance

Assess and prioritize security findings

A critical component of an effective vulnerability management program is the ability to assess and prioritize security findings. This is where context, organizational history, and tuning of detection systems come into play. Prioritizing security findings establishes the appropriate speed and level of response for each finding.

For Amazon Inspector, AWS Security Hub, and Amazon GuardDuty, findings contain a severity label or score. We recommend prioritizing the investigation of all critical and high severity findings in Security Hub, including findings related to the AWS Foundational Security Best Practices (FSBP) standard, Amazon Inspector, and GuardDuty. Finding severity labels and scores are determined as follows:

  • The Amazon Inspector score is a highly contextualized score for each finding. It's calculated by correlating Common Vulnerability Scoring System (CVSS) base score information with network reachability results and exploitability data. Using this score, you can prioritize findings to focus on the most critical findings and vulnerable resources. In addition to the score, Amazon Inspector also provides enhanced vulnerability intelligence about Common Vulnerabilities and Exposures (CVE). This is a summary of the available intelligence about the CVE from Amazon as well as industry-standard security intelligence sources, such as Recorded Future and Cybersecurity and Infrastructure Security Agency (CISA). For example, Amazon Inspector can provide the names of known malware kits used to exploit a vulnerability. For more information, see Vulnerability Intelligence.

  • Each GuardDuty finding has an assigned severity level and value that reflects the finding's potential risk to your environment. This level and value are determined by AWS security engineers. For example, a High severity level indicates that a resource is compromised and is actively being used for unauthorized purposes. We recommend that you treat a High severity GuardDuty finding as a priority and immediately remediate to prevent further unauthorized use.

  • The severity of a Security Hub control finding is determined by the difficulty to exploit and the likelihood of compromise. The difficulty is determined by the amount of sophistication or complexity that is required to use the weakness to carry out a threat scenario. The likelihood of compromise indicates how likely it is that the threat scenario will result in a disruption or breach of your AWS services or resources.

To tune findings, you can suppress or archive specific findings directly in the respective service console or by using the service's API. In addition, you can modify findings in Security Hub by using automation rules. GuardDuty and Amazon Inspector findings are automatically sent to Security Hub when the integration is enabled (the default when both services are active), so automation rules can act on them as well. You can use automation rules to automatically update findings (for example, by changing the severity or adding a note) or suppress them in near real time, based on criteria that you define; rules are evaluated as findings are created or updated. Suppression hides a finding from the default views but does not fix the underlying issue, so every suppression rule needs a recorded justification. As you create automation rules, we recommend adding context to the rule description, such as the date of creation or modification, who created it, and why the rule is needed. This information is often helpful for future reference, and it makes it easier to review and retire rules that are no longer justified.
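The following example, added here and not part of the AWS guidance or any AWS SDK, puts the two halves of this section together: it builds two automation rule documents in the request shape of the Security Hub CreateAutomationRule API (one that suppresses Amazon Inspector findings on sandbox resources, one that annotates High and Critical GuardDuty findings), dry-runs them against constructed ASFF-style findings, and then ranks what is left by severity label. The `finding_matches` function is a local approximation of part of Security Hub's criteria matching (values under one criteria key are OR'd, different keys are AND'd) and covers only a few criteria keys; the `Environment=sandbox` tag, the `sec-eng` author, the finding titles, and the GuardDuty-first tie-break in `triage_queue` are all assumptions of this example.

```python
"""Dry-run Security Hub automation rules against sample ASFF findings, then rank the queue.
Added example, not AWS code: rule documents follow the CreateAutomationRule request shape,
the findings are constructed, and finding_matches() is a local approximation of part of
Security Hub's matching (values under one criteria key are OR'd, keys are AND'd)."""
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
# ASFF path behind each criteria key modelled here (the real API supports many more keys).
FIELD_PATHS = {"ProductName": ("ProductName",), "SeverityLabel": ("Severity", "Label"),
               "WorkflowStatus": ("Workflow", "Status"), "Title": ("Title",)}
STRING_OPS = {"EQUALS": lambda v, e: v == e, "NOT_EQUALS": lambda v, e: v != e,
              "PREFIX": str.startswith, "CONTAINS": lambda v, e: e in v}


def _field(finding, path):
    for key in path:
        finding = finding.get(key) if isinstance(finding, dict) else None
    return finding or ""


def finding_matches(criteria, finding):
    """True when every criteria key is satisfied by at least one of its filter values."""
    for key, filters in criteria.items():
        if key == "ResourceTags":  # MapFilter over all resources' tags; only EQUALS is modelled
            tags = {k: v for res in finding.get("Resources", []) for k, v in res.get("Tags", {}).items()}
            hit = any(f["Comparison"] == "EQUALS" and tags.get(f["Key"]) == f["Value"] for f in filters)
        elif key in FIELD_PATHS:
            value = _field(finding, FIELD_PATHS[key])
            hit = any(STRING_OPS[f["Comparison"]](value, f["Value"]) for f in filters)
        else:
            raise ValueError(f"criteria key not modelled by this dry run: {key}")
        if not hit:
            return False
    return True


def build_rule(name, order, criteria, update, author, created_on, reason, terminal=False):
    """CreateAutomationRule request body; Description records who created it, when, and why."""
    return {"RuleName": name, "RuleStatus": "ENABLED", "RuleOrder": order, "IsTerminal": terminal,
            "Description": f"Created {created_on} by {author}. {reason}", "Criteria": criteria,
            "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": update}]}


def apply_rules(rules, findings):
    """Apply enabled rules in RuleOrder to copies of the findings; a terminal rule ends the chain."""
    ordered = sorted((r for r in rules if r["RuleStatus"] == "ENABLED"), key=lambda r: r["RuleOrder"])
    result = []
    for original in findings:
        finding = json.loads(json.dumps(original))  # the caller's objects stay untouched
        for rule in ordered:
            if not finding_matches(rule["Criteria"], finding):
                continue
            for action in rule["Actions"]:
                update = action["FindingFieldsUpdate"]
                for section in ("Severity", "Workflow", "Note"):
                    if section in update:
                        finding.setdefault(section, {}).update(update[section])
            if rule["IsTerminal"]:
                break
        result.append(finding)
    return result


def triage_queue(findings):
    """Unsuppressed findings, most severe first. At equal severity GuardDuty goes first because
    a High GuardDuty finding means active unauthorized use (an ordering choice of this example)."""
    active = [f for f in findings if _field(f, ("Workflow", "Status")) != "SUPPRESSED"]
    return sorted(active, key=lambda f: (SEVERITY_RANK[f["Severity"]["Label"]],
                                         f.get("ProductName") != "GuardDuty"))


# Constructed rules; the Environment=sandbox tag and the "sec-eng" author are assumptions.
SAMPLE_RULES = [
    build_rule("suppress-sandbox-inspector", 1,
               {"ProductName": [{"Value": "Inspector", "Comparison": "EQUALS"}],
                "ResourceTags": [{"Key": "Environment", "Value": "sandbox", "Comparison": "EQUALS"}]},
               {"Severity": {"Label": "INFORMATIONAL"}, "Workflow": {"Status": "SUPPRESSED"},
                "Note": {"Text": "Sandbox hosts are rebuilt nightly; patching tracked separately.", "UpdatedBy": "sec-eng"}},
               "sec-eng", "2024-05-01", "Sandbox noise was hiding production findings.", terminal=True),
    build_rule("flag-guardduty-high", 2,
               {"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
                "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"},
                                  {"Value": "CRITICAL", "Comparison": "EQUALS"}]},
               {"Note": {"Text": "Treat as active compromise: contain first, then investigate.", "UpdatedBy": "sec-eng"}},
               "sec-eng", "2024-05-01", "High GuardDuty findings indicate a compromised resource."),
]


def _finding(fid, product, label, title, env):  # constructed ASFF-style finding, trimmed to what we read
    return {"Id": fid, "ProductName": product, "Title": title, "Severity": {"Label": label},
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": "AwsEc2Instance", "Id": f"i-{fid}", "Tags": {"Environment": env}}]}


SAMPLE_FINDINGS = [
    _finding("f-1", "GuardDuty", "HIGH", "EC2 instance querying a domain associated with malware", "prod"),
    _finding("f-2", "Inspector", "CRITICAL", "Network-reachable package vulnerability", "sandbox"),
    _finding("f-3", "Inspector", "HIGH", "Package vulnerability with public exploit code", "prod"),
    _finding("f-4", "Security Hub", "MEDIUM", "EC2.8 EC2 instances should use IMDSv2", "prod"),
    _finding("f-5", "Inspector", "LOW", "Package vulnerability with no network path", "prod"),
]

if __name__ == "__main__":
    for f in triage_queue(apply_rules(SAMPLE_RULES, SAMPLE_FINDINGS)):
        print(f["Severity"]["Label"], f["ProductName"], f["Id"], f["Title"])
    # The same document deploys with: aws securityhub create-automation-rule --cli-input-json file://rule.json
    print(json.dumps(SAMPLE_RULES[0], indent=2))
```

Running the script lists the queue with the GuardDuty High finding first, the sandbox Inspector finding dropped out as suppressed, and then prints the first rule document, which can be saved and passed to `aws securityhub create-automation-rule --cli-input-json`. The dry run exists to catch an over-broad rule before it silently suppresses production findings; `IsTerminal` on the suppression rule stops later rules from re-annotating a finding that has already been set aside, and the `Description` string carries the date, author, and reason the guidance asks for.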