

# Understanding security checks and scores in Security Hub CSPM
<a name="securityhub-controls-finding-generation"></a>

For each control that you enable, AWS Security Hub CSPM runs security checks. A security check produces a finding that tells you whether a specific AWS resource is in compliance with the rules that the control includes.

Some checks run on a periodic schedule. Other checks only run when there is a change to the resource state. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

Many security checks use AWS Config managed or custom rules to establish the compliance requirements. To run these checks, you must set up AWS Config and turn on resource recording for required resources. For more information on setting up AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For a list of AWS Config resources that you must record for each standard, see [Required AWS Config resources for control findings](controls-config-resources.md). Other controls use custom Lambda functions, which are managed by Security Hub CSPM and don't require any prerequisites.

As Security Hub CSPM runs security checks, it generates findings and assigns them a compliance status. For more information about compliance status, see [Evaluating the compliance status of Security Hub CSPM findings](controls-overall-status.md#controls-overall-status-compliance-status).

Security Hub CSPM uses the compliance status of control findings to determine an overall control status. Based on the control status, Security Hub CSPM also calculates a security score across all enabled controls and for specific standards. For more information, see [Evaluating compliance status and control status](controls-overall-status.md) and [Calculating security scores](standards-security-score.md).

If you've turned on consolidated control findings, Security Hub CSPM generates a single finding even when a control is associated with more than one standard. For more information, see [Consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Topics**
+ [Required AWS Config resources for control findings](controls-config-resources.md)
+ [Schedule for running security checks](securityhub-standards-schedule.md)
+ [Generating and updating control findings](controls-findings-create-update.md)
+ [Evaluating compliance status and control status](controls-overall-status.md)
+ [Calculating security scores](standards-security-score.md)

# Required AWS Config resources for control findings
<a name="controls-config-resources"></a>

In AWS Security Hub CSPM, some controls use service-linked AWS Config rules that detect configuration changes in your AWS resources. For Security Hub CSPM to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For information about how Security Hub CSPM uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For detailed information about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls with a *change triggered* schedule type. Some controls with a *periodic* schedule type also require resource recording. This page lists the required resources for these Security Hub CSPM controls.

Security Hub CSPM controls can rely on managed AWS Config rules or custom Security Hub CSPM rules. Make sure that no IAM policies or AWS Organizations policies (such as service control policies) deny AWS Config the permissions it needs to record your resources. Also note that Security Hub CSPM controls evaluate the configuration of each resource directly; an Organizations policy that forbids a noncompliant configuration is not taken into account when a control evaluates a resource, so it doesn't make a control pass.
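The practical check that follows from the prerequisites above is whether the configuration recorder in each Region actually records the resource types listed in the tables for the standards you enabled. The following is an added example, not AWS or Security Hub code: it evaluates a recorder description in the shape returned by boto3's `ConfigService.describe_configuration_recorders()` against a required-type set, handling the inclusion, exclusion and all-supported recording strategies and the global IAM types. `SAMPLE_RECORDER` is constructed sample data, not a real account; the required set is the CIS v3.0.0 table from this page.

```python
"""Check an AWS Config configuration recorder against the resource types a
Security Hub CSPM standard needs.

Added example; this is not AWS code. The recorder dict has the shape boto3's
ConfigService.describe_configuration_recorders() returns for one recorder,
but SAMPLE_RECORDER is constructed sample data, not a real account.
"""

# Required types for CIS v3.0.0, copied from the table later on this page.
CIS_V3_REQUIRED = {
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC", "AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
    "AWS::RDS::DBInstance", "AWS::S3::Bucket",
}

# IAM resource types are global in AWS Config: under ALL_SUPPORTED they are
# recorded only when includeGlobalResourceTypes is set (do that in one Region).
GLOBAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"}

# Constructed sample: a recorder that only records an explicit inclusion list.
SAMPLE_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::RDS::DBInstance", "AWS::S3::Bucket"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}


def is_recorded(recording_group: dict, resource_type: str) -> bool:
    """Return True if the recording group records resource_type."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        # Recorders created before recording strategies existed only carry the
        # legacy allSupported flag and resourceTypes list.
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if recording_group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if resource_type in GLOBAL_TYPES:
            return bool(recording_group.get("includeGlobalResourceTypes"))
        return True
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in recording_group.get("resourceTypes", [])
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # Every supported type is recorded except the listed ones; global types
        # are modeled as recorded unless they appear in the exclusion list.
        excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in excluded
    raise ValueError(f"unknown recording strategy: {strategy}")


def missing_resource_types(recorder: dict, required: set) -> list:
    """Required types the recorder does not record, sorted for stable output."""
    group = recorder.get("recordingGroup", {})
    return sorted(t for t in required if not is_recorded(group, t))


if __name__ == "__main__":
    for t in missing_resource_types(SAMPLE_RECORDER, CIS_V3_REQUIRED):
        print(f"not recorded: {t}")
```

To run this against a real account, replace `SAMPLE_RECORDER` with an element of `boto3.client("config").describe_configuration_recorders()["ConfigurationRecorders"]` and repeat per Region, since recorders are regional. Any type in the gap list means the change-triggered controls that evaluate it can't produce accurate findings in that Region.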

**Note**  
In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of these limits, see [Regional limits on Security Hub CSPM controls](regions-controls.md).

**Topics**
+ [Required resources for all Security Hub CSPM controls](#all-controls-config-resources)
+ [Required resources for the AWS Foundational Security Best Practices standard](#securityhub-standards-fsbp-config-resources)
+ [Required resources for the CIS AWS Foundations Benchmark](#securityhub-standards-cis-config-resources)
+ [Required resources for the NIST SP 800-53 Revision 5 standard](#nist-config-resources)
+ [Required resources for the NIST SP 800-171 Revision 2 standard](#nist-800-171-config-resources)
+ [Required resources for PCI DSS v3.2.1](#securityhub-standards-pci-config-resources)
+ [Required resources for the AWS Resource Tagging standard](#tagging-config-resources)

## Required resources for all Security Hub CSPM controls
<a name="all-controls-config-resources"></a>

For Security Hub CSPM to generate findings for change triggered controls that are enabled and use an AWS Config rule, you must record the following types of resources in AWS Config. This table also indicates which controls evaluate a particular type of resource. A single control might evaluate more than one type of resource.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/securityhub/latest/userguide/controls-config-resources.html)

## Required resources for the AWS Foundational Security Best Practices standard
<a name="securityhub-standards-fsbp-config-resources"></a>

For Security Hub CSPM to accurately report findings for change triggered controls that apply to the AWS Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub CSPM](fsbp-standard.md).


| AWS service | Resource types | 
| --- | --- | 
|  Amazon API Gateway  |  `AWS::ApiGateway::DomainName`, `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  | 
|  AWS AppSync  |  `AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi`  | 
|  AWS Backup  |  `AWS::Backup::RecoveryPoint`  | 
|  AWS Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
|  AWS CloudFormation  |  `AWS::CloudFormation::Stack`  | 
|  Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
|  AWS CodeBuild  |  `AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup`  | 
|  Amazon Cognito  |  `AWS::Cognito::IdentityPool`, `AWS::Cognito::UserPool`  | 
|  AWS CloudTrail  |  `AWS::CloudTrail::EventDataStore`  | 
|  Amazon Connect  |  `AWS::Connect::Instance`  | 
|  AWS DataSync  |  `AWS::DataSync::Task`  | 
|  AWS Database Migration Service (AWS DMS)  |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  | 
|  Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
|  AWS Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SnapshotBlockPublicAccess`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::Repository`  | 
|  Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::CapacityProvider`, `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem`  | 
|  Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`, `AWS::EKS::Nodegroup`  | 
|  AWS Elastic Beanstalk  |  `AWS::ElasticBeanstalk::Environment`  | 
|  Elastic Load Balancing  |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  | 
|  ElasticSearch  |  `AWS::Elasticsearch::Domain`  | 
|  Amazon EMR  |  `AWS::EMR::SecurityConfiguration`  | 
|  AWS Glue  |  `AWS::Glue::Job`, `AWS::Glue::MLTransform`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  | 
|  Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
|  AWS Key Management Service (AWS KMS)  |  `AWS::KMS::Key`  | 
|  AWS Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |  `AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector`  | 
|  AWS Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  | 
|  Amazon Redshift Serverless  |  `AWS::RedshiftServerless::Workgroup`  | 
|  Amazon Route 53  |  `AWS::Route53::HostedZone`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`, `AWS::S3Express::DirectoryBucket`  | 
|  Amazon SageMaker AI  |  `AWS::SageMaker::FeatureGroup`, `AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance`  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
|  AWS Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
|  AWS Step Functions  |  `AWS::StepFunctions::StateMachine`  | 
|  AWS Transfer Family  |  `AWS::Transfer::Connector`  | 
|  AWS WAF  |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  | 
|  Amazon WorkSpaces  |  `AWS::WorkSpaces::WorkSpace`  | 

## Required resources for the CIS AWS Foundations Benchmark
<a name="securityhub-standards-cis-config-resources"></a>

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub CSPM either runs through the exact audit steps prescribed for the checks or uses specific AWS Config managed rules. For information about this standard in Security Hub CSPM, see [CIS AWS Foundations Benchmark in Security Hub CSPM](cis-aws-foundations-benchmark.md).

### Required resources for CIS v5.0.0
<a name="cis-5.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v5.0.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::FileSystem`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::Bucket`  | 

### Required resources for CIS v3.0.0
<a name="cis-3.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBInstance`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::Bucket`  | 

### Required resources for CIS v1.4.0
<a name="cis-1.4-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Policy`, `AWS::IAM::User`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBInstance`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::Bucket`  | 

### Required resources for CIS v1.2.0
<a name="cis-1.2-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::SecurityGroup`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Policy`, `AWS::IAM::User`  | 

## Required resources for the NIST SP 800-53 Revision 5 standard
<a name="nist-config-resources"></a>

For Security Hub CSPM to accurately report findings for change triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub CSPM](standards-reference-nist-800-53.md).


| AWS service | Resource types | 
| --- | --- | 
|  Amazon API Gateway  |  `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  | 
|  AWS AppSync  |  `AWS::AppSync::GraphQLApi`  | 
|  AWS Backup  |  `AWS::Backup::RecoveryPoint`  | 
|  AWS Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
|  AWS CloudFormation  |  `AWS::CloudFormation::Stack`  | 
|  Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
|  Amazon CloudWatch  |  `AWS::CloudWatch::Alarm`  | 
|  AWS CodeBuild  |  `AWS::CodeBuild::Project`  | 
|  AWS Database Migration Service (AWS DMS)  |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  | 
|  Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::Repository`  | 
|  Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`  | 
|  Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`  | 
|  AWS Elastic Beanstalk  |  `AWS::ElasticBeanstalk::Environment`  | 
|  Elastic Load Balancing  |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  | 
|  Amazon ElasticSearch  |  `AWS::Elasticsearch::Domain`  | 
|  Amazon EMR  |  `AWS::EMR::SecurityConfiguration`  | 
|  Amazon EventBridge  |  `AWS::Events::Endpoint`, `AWS::Events::EventBus`  | 
|  AWS Glue  |  `AWS::Glue::Job`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  | 
|  AWS Key Management Service (AWS KMS)  |  `AWS::KMS::Alias`, `AWS::KMS::Key`  | 
|  Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
|  AWS Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |  `AWS::MSK::Cluster`  | 
|  Amazon MQ  |  `AWS::AmazonMQ::Broker`  | 
|  AWS Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  | 
|  Amazon Route 53  |  `AWS::Route53::HostedZone`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  | 
|  AWS Service Catalog  |  `AWS::ServiceCatalog::Portfolio`  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
|  AWS Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 
|  Amazon SageMaker AI  |  `AWS::SageMaker::NotebookInstance`  | 
|  AWS Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
|  AWS Transfer Family  |  `AWS::Transfer::Connector`  | 
|  AWS WAF  |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  | 

## Required resources for the NIST SP 800-171 Revision 2 standard
<a name="nist-800-171-config-resources"></a>

For Security Hub CSPM to accurately report findings for change triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub CSPM](standards-reference-nist-800-171.md).


| AWS service | Resource types | 
| --- | --- | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| AWS Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| AWS WAF | `AWS::WAFv2::RuleGroup` | 

## Required resources for PCI DSS v3.2.1
<a name="securityhub-standards-pci-config-resources"></a>

For Security Hub CSPM to accurately report findings for controls that apply to v3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [PCI DSS in Security Hub CSPM](pci-standard.md).


| AWS service | Resource types | 
| --- | --- | 
|  AWS CodeBuild  |  `AWS::CodeBuild::Project`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::SecurityGroup`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Policy`, `AWS::IAM::User`  | 
|  AWS Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  | 
|  AWS Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 

## Required resources for the AWS Resource Tagging standard
<a name="tagging-config-resources"></a>

All the controls that apply to the AWS Resource Tagging standard are change triggered and use an AWS Config rule. For Security Hub CSPM to accurately report findings for these controls, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Resource Tagging standard in Security Hub CSPM](standards-tagging.md).


| AWS service | Resource types | 
| --- | --- | 
| AWS Amplify |  `AWS::Amplify::App`, `AWS::Amplify::Branch`  | 
| Amazon AppFlow  |  `AWS::AppFlow::Flow`  | 
| AWS App Runner  |  `AWS::AppRunner::Service`, `AWS::AppRunner::VpcConnector`  | 
| AWS AppConfig  |  `AWS::AppConfig::Application`, `AWS::AppConfig::ConfigurationProfile`, `AWS::AppConfig::Environment`, `AWS::AppConfig::ExtensionAssociation`  | 
| AWS AppSync  |  `AWS::AppSync::GraphQLApi`  | 
| Amazon Athena  |  `AWS::Athena::DataCatalog`, `AWS::Athena::WorkGroup`  | 
| AWS Backup |  `AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`, `AWS::Backup::RecoveryPoint`, `AWS::Backup::ReportPlan`  | 
| AWS Batch  |  `AWS::Batch::ComputeEnvironment`, `AWS::Batch::JobQueue`, `AWS::Batch::SchedulingPolicy`  | 
| AWS Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
| AWS CloudFormation  |  `AWS::CloudFormation::Stack`  | 
| Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
| AWS CloudTrail  |  `AWS::CloudTrail::Trail`  | 
| AWS CodeArtifact  |  `AWS::CodeArtifact::Repository`  | 
| Amazon CodeGuru  |  `AWS::CodeGuruProfiler::ProfilingGroup`, `AWS::CodeGuruReviewer::RepositoryAssociation`  | 
| Amazon Connect  |  `AWS::CustomerProfiles::ObjectType`  | 
| AWS Database Migration Service (AWS DMS)  |  `AWS::DMS::Certificate`, `AWS::DMS::EventSubscription`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationSubnetGroup`  | 
| AWS DataSync |  `AWS::DataSync::Task`  | 
| Amazon Detective  |  `AWS::Detective::Graph`  | 
| Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
| Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::CustomerGateway`, `AWS::EC2::DHCPOptions`, `AWS::EC2::EIP`, `AWS::EC2::FlowLog`, `AWS::EC2::Instance`, `AWS::EC2::InternetGateway`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NatGateway`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::PrefixList`, `AWS::EC2::RouteTable`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TrafficMirrorFilter`, `AWS::EC2::TrafficMirrorSession`, `AWS::EC2::TrafficMirrorTarget`, `AWS::EC2::TransitGateway`, `AWS::EC2::TransitGatewayAttachment`, `AWS::EC2::TransitGatewayRouteTable`, `AWS::EC2::Volume`, `AWS::EC2::VPC`, `AWS::EC2::VPCEndpointService`, `AWS::EC2::VPCPeeringConnection`, `AWS::EC2::VPNGateway`  | 
| Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`  | 
| Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::PublicRepository`  | 
| Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  | 
| Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`  | 
| Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`, `AWS::EKS::IdentityProviderConfig`  | 
| AWS Elastic Beanstalk |  `AWS::ElasticBeanstalk::Environment`  | 
| ElasticSearch  |  `AWS::Elasticsearch::Domain`  | 
| Amazon EventBridge  |  `AWS::Events::EventBus`  | 
| Amazon Fraud Detector  |  `AWS::FraudDetector::EntityType`, `AWS::FraudDetector::Label`, `AWS::FraudDetector::Outcome`, `AWS::FraudDetector::Variable`  | 
| AWS Global Accelerator  |  `AWS::GlobalAccelerator::Accelerator`  | 
| AWS Glue  |  `AWS::Glue::Job`  | 
| Amazon GuardDuty  |  `AWS::GuardDuty::Detector`, `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet`  | 
| AWS Identity and Access Management (IAM)  |  `AWS::IAM::Role`, `AWS::IAM::User`  | 
| AWS Identity and Access Management Access Analyzer (IAM Access Analyzer)  |  `AWS::AccessAnalyzer::Analyzer`  | 
| AWS IoT  |  `AWS::IoT::Authorizer`, `AWS::IoT::Dimension`, `AWS::IoT::MitigationAction`, `AWS::IoT::Policy`, `AWS::IoT::RoleAlias`, `AWS::IoT::SecurityProfile`  | 
| AWS IoT Events  |  `AWS::IoTEvents::AlarmModel`, `AWS::IoTEvents::DetectorModel`, `AWS::IoTEvents::Input`  | 
| AWS IoT SiteWise  |  `AWS::IoTSiteWise::Dashboard`, `AWS::IoTSiteWise::Gateway`, `AWS::IoTSiteWise::Portal`, `AWS::IoTSiteWise::Project`  | 
| AWS IoT TwinMaker  |  `AWS::IoTTwinMaker::Entity`, `AWS::IoTTwinMaker::Scene`, `AWS::IoTTwinMaker::SyncJob`, `AWS::IoTTwinMaker::Workspace`  | 
| AWS IoT Wireless  |  `AWS::IoTWireless::FuotaTask`, `AWS::IoTWireless::MulticastGroup`, `AWS::IoTWireless::ServiceProfile`  | 
| Amazon Interactive Video Service (Amazon IVS)  |  `AWS::IVS::Channel`, `AWS::IVS::PlaybackKeyPair`, `AWS::IVS::RecordingConfiguration`  | 
| Amazon Keyspaces (for Apache Cassandra)  |  `AWS::Cassandra::Keyspace`  | 
| Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
| AWS Lambda  |  `AWS::Lambda::Function`  | 
| Amazon MQ  |  `AWS::AmazonMQ::Broker`  | 
| AWS Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`  | 
| Amazon OpenSearch Service |  `AWS::OpenSearch::Domain`  | 
| AWS Private Certificate Authority |  `AWS::ACMPCA::CertificateAuthority`  | 
| Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSecurityGroup`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBSubnetGroup`  | 
| Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`, `AWS::Redshift::ClusterSnapshot`, `AWS::Redshift::ClusterSubnetGroup`, `AWS::Redshift::EventSubscription`  | 
| Amazon Route 53  |  `AWS::Route53::HealthCheck`  | 
| Amazon SageMaker AI |  `AWS::SageMaker::AppImageConfig`, `AWS::SageMaker::Image`  | 
| AWS Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
| Amazon Simple Email Service (Amazon SES)  |  `AWS::SES::ConfigurationSet`, `AWS::SES::ContactList`  | 
| Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
| Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
| AWS Step Functions  |  `AWS::StepFunctions::Activity`  | 
| AWS Systems Manager (SSM) |  `AWS::SSM::Document`  | 
| AWS Transfer Family |  `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, `AWS::Transfer::Connector`, `AWS::Transfer::Profile`, `AWS::Transfer::Workflow`  | 

# Schedule for running security checks
<a name="securityhub-standards-schedule"></a>

After you enable a security standard, AWS Security Hub CSPM begins to run all checks within two hours. Most checks begin to run within 25 minutes. Security Hub CSPM runs checks by evaluating the rule underlying a control. Until a control completes its first run of checks, its status is **No data**.

When you enable a new standard, it might take up to 24 hours for Security Hub CSPM to generate findings for controls that use the same underlying AWS Config service-linked rule as enabled controls from other enabled standards. For example, if you enable the [Lambda.1](lambda-controls.md#lambda-1) control in the AWS Foundational Security Best Practices (FSBP) standard, Security Hub CSPM creates the service-linked rule and typically generates findings within minutes. After this, if you enable the Lambda.1 control in the Payment Card Industry Data Security Standard (PCI DSS), it might take up to 24 hours for Security Hub CSPM to generate findings for the control because it uses the same service-linked rule.

After the initial check, the schedule for each control can be either periodic or change triggered. For a control that is based on a managed AWS Config rule, the control description includes a link to the rule description in the *AWS Config Developer Guide*. That description specifies whether the rule is change triggered or periodic. 

## Periodic security checks
<a name="periodic-checks"></a>

Periodic security checks run automatically within 12 or 24 hours after the most recent run. Security Hub CSPM determines the periodicity, and you can't change it. A periodic control finding reflects the state of the resource at the moment the check ran, not its current state.

If you update the workflow status of a periodic control finding, and the next check produces the same compliance status, the workflow status stays as you set it. For example, suppose you have a failed finding for the [KMS.4](kms-controls.md#kms-4) control (*AWS KMS key rotation should be enabled*), remediate it, and change the workflow status from `NEW` to `RESOLVED`. If you then disable KMS key rotation again before the next periodic check, that check reports the same `FAILED` compliance status, so the workflow status remains `RESOLVED` even though the key is noncompliant again. Treat the workflow status as an operator annotation and rely on the compliance status for the current state of the resource.
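A finding that is `RESOLVED` but still `FAILED` is exactly the stale state described above, and it is worth sweeping for. The following is an added example, not code from this page or from Security Hub: it selects active control findings whose compliance status is `FAILED` while their workflow status is still `RESOLVED`, from a constructed list of ASFF finding fragments, and builds the `BatchUpdateFindings` request that reopens them. The filter dict is the shape `GetFindings` accepts for the same population; the account ID, Region, key IDs and finding IDs are placeholders.

```python
"""Sweep for control findings marked RESOLVED whose latest check still says
FAILED, and build the request that reopens them.

Added example; not AWS or Security Hub code. SAMPLE_FINDINGS are constructed
ASFF fragments with placeholder identifiers, not real account data.
"""

# Filter in the shape SecurityHub.get_findings(Filters=...) accepts, selecting
# the same population as is_stale_resolved() below (no API call is made here).
STALE_RESOLVED_FILTER = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "RESOLVED", "Comparison": "EQUALS"}],
}

PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
FINDING_PREFIX = "arn:aws:securityhub:us-east-1:111122223333:security-control/KMS.4/finding/"


def _finding(suffix, compliance, workflow, record_state="ACTIVE"):
    """Build one constructed KMS.4 finding fragment."""
    return {
        "Id": FINDING_PREFIX + suffix,
        "ProductArn": PRODUCT_ARN,
        "RecordState": record_state,
        "Compliance": {"Status": compliance, "SecurityControlId": "KMS.4"},
        "Workflow": {"Status": workflow},
    }


SAMPLE_FINDINGS = [
    _finding("00000000-0000-0000-0000-000000000001", "FAILED", "RESOLVED"),   # stale: reopen
    _finding("00000000-0000-0000-0000-000000000002", "PASSED", "RESOLVED"),   # genuinely fixed
    _finding("00000000-0000-0000-0000-000000000003", "FAILED", "NEW"),        # already open
    _finding("00000000-0000-0000-0000-000000000004", "FAILED", "RESOLVED", "ARCHIVED"),  # archived, skip
]


def is_stale_resolved(finding: dict) -> bool:
    """True for an active finding whose check still fails but that someone marked RESOLVED."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Compliance", {}).get("Status") == "FAILED"
            and finding.get("Workflow", {}).get("Status") == "RESOLVED")


def stale_resolved(findings) -> list:
    return [f for f in findings if is_stale_resolved(f)]


def reopen_requests(findings, note_text: str, updated_by: str = "stale-resolved-sweep") -> list:
    """Payloads for SecurityHub.batch_update_findings(**payload), chunked at the
    100 finding identifiers one call accepts. Setting the workflow status back to
    NEW puts the finding in front of the operator again."""
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    return [
        {
            "FindingIdentifiers": identifiers[i:i + 100],
            "Workflow": {"Status": "NEW"},
            "Note": {"Text": note_text, "UpdatedBy": updated_by},
        }
        for i in range(0, len(identifiers), 100)
    ]


if __name__ == "__main__":
    stale = stale_resolved(SAMPLE_FINDINGS)
    for payload in reopen_requests(stale, "Reopened: check still FAILED after RESOLVED"):
        print(len(payload["FindingIdentifiers"]), "finding(s) to reopen")
```

Against a real account, page through `boto3.client("securityhub").get_findings(Filters=STALE_RESOLVED_FILTER)` instead of `SAMPLE_FINDINGS` and pass each payload to `batch_update_findings`; run it on a schedule longer than the control's periodicity so a remediation has had a chance to be re-checked.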

Checks that use Security Hub CSPM custom Lambda functions are periodic.

## Change-triggered security checks
<a name="change-triggered-checks"></a>

Change-triggered security checks run when the associated resource changes state. AWS Config lets you choose between *continuous recording* of changes in resource state and *daily recording*. With daily recording, AWS Config delivers a resource's configuration data at the end of each 24-hour period, and only if the resource changed during that period; if nothing changed, no data is delivered. As a result, a finding for a change-triggered control can lag the misconfiguration by up to 24 hours. Regardless of the recording frequency you choose, Security Hub CSPM checks at least once every 24 hours to ensure that it hasn't missed any resource updates from AWS Config.
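Because the recording frequency can be overridden per resource type, the delay above is not a single account-wide setting. The following added example (not AWS code) resolves the effective frequency for each required resource type from a recorder's `recordingMode`, lists the types whose change-triggered findings will lag, and builds the single override entry that moves them back to continuous recording. `SAMPLE_RECORDER` is constructed data in the shape boto3's `ConfigService.describe_configuration_recorders()` returns; the override description strings are placeholders and the required set is the CIS v3.0.0 table from this page.

```python
"""Report which required resource types a recorder records only daily, so
change-triggered Security Hub CSPM findings for them can lag by up to 24 hours.

Added example; not AWS code. SAMPLE_RECORDER is constructed data in the shape
boto3's ConfigService.describe_configuration_recorders() returns for one
recorder; its description text is a placeholder.
"""

# Required types for CIS v3.0.0, copied from the table earlier on this page.
CIS_V3_REQUIRED = {
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC", "AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
    "AWS::RDS::DBInstance", "AWS::S3::Bucket",
}

# Constructed sample: daily by default, with a few types kept continuous.
SAMPLE_RECORDER = {
    "name": "default",
    "recordingGroup": {
        "includeGlobalResourceTypes": True,
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
    },
    "recordingMode": {
        "recordingFrequency": "DAILY",
        "recordingModeOverrides": [
            {
                "description": "keep network and identity edges continuous",
                "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::IAM::User", "AWS::S3::Bucket"],
                "recordingFrequency": "CONTINUOUS",
            }
        ],
    },
}


def effective_frequency(recorder: dict, resource_type: str) -> str:
    """CONTINUOUS or DAILY for resource_type; an override wins over the default."""
    mode = recorder.get("recordingMode")
    if not mode:
        return "CONTINUOUS"  # a recorder without recordingMode records continuously
    for override in mode.get("recordingModeOverrides", []):
        if resource_type in override.get("resourceTypes", []):
            return override["recordingFrequency"]
    return mode.get("recordingFrequency", "CONTINUOUS")


def daily_recorded(recorder: dict, required: set) -> list:
    """Required types whose changes reach Security Hub CSPM only at the end of a 24-hour period."""
    return sorted(t for t in required if effective_frequency(recorder, t) == "DAILY")


def continuous_override(resource_types) -> dict:
    """One recordingModeOverrides entry that returns the given types to continuous
    recording; place it in recordingMode before calling put_configuration_recorder."""
    return {
        "description": "Security Hub CSPM change-triggered control resources",
        "resourceTypes": sorted(resource_types),
        "recordingFrequency": "CONTINUOUS",
    }


if __name__ == "__main__":
    lagging = daily_recorded(SAMPLE_RECORDER, CIS_V3_REQUIRED)
    print("recorded daily:", lagging)
    print("override:", continuous_override(lagging))
```

Daily recording is a cost lever, so rather than switching the whole recorder back to continuous, the usual compromise is to keep the default daily and carry the security-relevant types in the override, as the sample does. Periodic controls are unaffected by this setting.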

In general, Security Hub CSPM uses change-triggered rules whenever possible. For a resource to use a change-triggered rule, it must support AWS Config configuration items.

# Generating and updating control findings
<a name="controls-findings-create-update"></a>

AWS Security Hub CSPM generates and updates control findings when it runs checks against security controls. Control findings use the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md).

Security Hub CSPM normally charges for each security check for a control. However, if multiple controls use the same AWS Config rule, Security Hub CSPM charges only once for each check against the rule. For example, the AWS Config `iam-password-policy` rule is used by multiple controls in the CIS AWS Foundations Benchmark standard and the AWS Foundational Security Best Practices standard. Each time Security Hub CSPM runs a check against that rule, it generates a separate control finding for each related control, but charges only once for the check.

If the size of a control finding exceeds the maximum of 240 KB, Security Hub CSPM removes the `Resource.Details` object from the finding. For controls that are backed by AWS Config resources, you can review resource details by using the AWS Config console.

**Topics**
+ [Consolidated control findings](#consolidated-control-findings)
+ [Generating, updating, and archiving control findings](#securityhub-standards-results-updating)
+ [Automation and suppression of control findings](#automation-control-findings)
+ [Compliance details for control findings](#control-findings-asff-compliance)
+ [ProductFields details for control findings](#control-findings-asff-productfields)
+ [Severity levels for control findings](#control-findings-severity)

## Consolidated control findings
<a name="consolidated-control-findings"></a>

If consolidated control findings is enabled for your account, Security Hub CSPM generates a single finding or finding update for each security check of a control, even if a control applies to multiple enabled standards. For a list of controls and the standards that they apply to, see the [Control reference for Security Hub CSPM](securityhub-controls-reference.md). We recommend enabling consolidated control findings to reduce finding noise.

If you enabled Security Hub CSPM for an AWS account before February 23, 2023, you can enable consolidated control findings by following the instructions later in this section. If you enable Security Hub CSPM on or after February 23, 2023, consolidated control findings is enabled automatically for your account.

If you use the [Security Hub CSPM integration with AWS Organizations](securityhub-accounts-orgs.md) or invited member accounts through a [manual invitation process](account-management-manual.md), consolidated control findings is enabled for member accounts only if it's enabled for the administrator account. If the feature is disabled for the administrator account, it's disabled for member accounts. This behavior applies to new and existing member accounts. In addition, if the administrator uses [central configuration](central-configuration-intro.md) to manage Security Hub CSPM for multiple accounts, they cannot use central configuration policies to enable or disable consolidated control findings for the accounts.

If you disable consolidated control findings for your account, Security Hub CSPM generates or updates a separate control finding for each enabled standard that includes a control. For example, if you enable four standards that share a control, you receive four separate findings after a security check for the control. If you enable consolidated control findings, you receive only one finding.

When you enable consolidated control findings, Security Hub CSPM creates new standard-agnostic findings and archives the original standard-based findings. Some control finding fields and values will change, which might impact your existing workflows. For information about these changes, see [Consolidated control findings – ASFF changes](asff-changes-consolidation.md#securityhub-findings-format-consolidated-control-findings). Enabling consolidated control findings might also affect findings that integrated third-party products receive from Security Hub CSPM. If you use the [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution, note that it supports consolidated control findings. 

To enable or disable consolidated control findings, you must be signed in to an administrator account or a standalone account.

**Note**  
After you enable consolidated control findings, it can take up to 24 hours for Security Hub CSPM to generate new consolidated findings and archive the existing standard-based findings. Similarly, after disabling consolidated control findings, it can take up to 24 hours for Security Hub CSPM to generate new standard-based findings and archive the existing consolidated findings. During these times, you might see a mix of standard-agnostic and standard-based findings in your account.

------
#### [ Security Hub CSPM console ]

**To enable or disable consolidated control findings**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, under **Settings**, choose **General**.

1. In the **Controls** section, choose **Edit**.

1. Use the **Consolidated control findings** switch to enable or disable consolidated control findings.

1. Choose **Save**.

------
#### [ Security Hub CSPM API ]

To enable or disable consolidated control findings programmatically, use the [UpdateSecurityHubConfiguration](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html) operation of the Security Hub CSPM API. Or, if you're using the AWS CLI, run the [update-security-hub-configuration](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-security-hub-configuration.html) command.

For the `control-finding-generator` parameter, specify `SECURITY_CONTROL` to enable consolidated control findings. To disable consolidated control findings, specify `STANDARD_CONTROL`.

For example, the following AWS CLI command enables consolidated control findings.

```
$ aws securityhub  --region us-east-1 update-security-hub-configuration --control-finding-generator SECURITY_CONTROL
```

The following AWS CLI command disables consolidated control findings.

```
$ aws securityhub  --region us-east-1 update-security-hub-configuration --control-finding-generator STANDARD_CONTROL
```

------

## Generating, updating, and archiving control findings
<a name="securityhub-standards-results-updating"></a>

Security Hub CSPM runs security checks on a [schedule](securityhub-standards-schedule.md). The first time Security Hub CSPM runs a security check for a control, it generates a new finding for each AWS resource that the control checks. Each time Security Hub CSPM subsequently runs a security check for the control, it updates existing findings to report the results of the check. This means that you can use the data provided by individual findings to track compliance changes for particular resources against particular controls.

For example, if the compliance status of a resource changes from `FAILED` to `PASSED` for a particular control, Security Hub CSPM doesn't generate a new finding. Instead, Security Hub CSPM updates the existing finding for the control and resource. In the finding, Security Hub CSPM changes the value for the compliance status (`Compliance.Status`) field to `PASSED`. Security Hub CSPM also updates the values for additional fields to reflect the results of the check—for example, the severity label, workflow status, and timestamps that indicate when Security Hub CSPM most recently ran the check and updated the finding.

When reporting changes to compliance status, Security Hub CSPM might update any of the following fields in a control finding:
+ `Compliance.Status` – The new compliance status of the resource for the specified control.
+ `FindingProviderFields.Severity.Label` – The new qualitative representation of the severity of the finding, such as `LOW`, `MEDIUM`, or `HIGH`.
+ `FindingProviderFields.Severity.Original` – The new quantitative representation of the severity of the finding, such as `0` for a compliant resource.
+ `FirstObservedAt` – When the compliance status of the resource most recently changed.
+ `LastObservedAt` – When Security Hub CSPM most recently ran the security check for the specified control and resource.
+ `ProcessedAt` – When Security Hub CSPM most recently began processing the finding.
+ `ProductFields.PreviousComplianceStatus` – The previous compliance status (`Compliance.Status`) of the resource for the specified control.
+ `UpdatedAt` – When Security Hub CSPM most recently updated the finding.
+ `Workflow.Status` – The status of the investigation into the finding, based on the new compliance status of the resource for the specified control.

Whether Security Hub CSPM updates a field depends primarily on the results of the latest security check for the applicable control and resource. For example, if the compliance status of a resource changes from `PASSED` to `FAILED` for a particular control, Security Hub CSPM changes the workflow status of the finding to `NEW`. To track updates to individual findings, you can refer to the history of a finding. For details about individual fields in findings, see [AWS Security Finding Format (ASFF)](securityhub-findings-format.md).

In certain cases, Security Hub CSPM generates new findings for subsequent checks by a control, instead of updating existing findings. This can occur if there's an issue with the AWS Config rule that backs a control. If this happens, Security Hub CSPM archives the existing finding and generates a new finding for each check. In the new findings, the compliance status is `NOT_AVAILABLE` and the record state is `ARCHIVED`. After you address the issue with the AWS Config rule, Security Hub CSPM generates new findings and begins updating them to track subsequent changes to the compliance status of individual resources.

In addition to generating and updating control findings, Security Hub CSPM automatically archives control findings that meet certain criteria. Security Hub CSPM archives a finding if the control is disabled, the specified resource is deleted, or the specified resource no longer exists. A resource might not exist anymore because the associated service is no longer used. More specifically, Security Hub CSPM automatically archives a control finding if the finding meets one of the following criteria:
+ The finding hasn't been updated for 3-5 days. Note that archival based on this time frame is on a best-effort basis and is not guaranteed.
+ The associated AWS Config evaluation returned `NOT_APPLICABLE` for the compliance status of the specified resource.

To determine whether a finding is archived, you can refer to the record state (`RecordState`) field of the finding. If a finding is archived, the value for this field is `ARCHIVED`.

Security Hub CSPM stores archived control findings for 30 days. After 30 days, the findings expire and Security Hub CSPM permanently deletes them. To determine whether an archived control finding has expired, Security Hub CSPM bases its calculation on the value for the `UpdatedAt` field of the finding.

To store archived control findings for more than 30 days, you can export the findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

**Note**  
Prior to July 3, 2025, Security Hub CSPM generated and updated control findings differently when the compliance status of a resource changed for a control. Previously, Security Hub CSPM created a new control finding and archived the existing finding for a resource. Therefore, you might have multiple archived findings for a particular control and resource until those findings expire (after 30 days).

## Automation and suppression of control findings
<a name="automation-control-findings"></a>

You can use Security Hub CSPM automation rules to update or suppress specific control findings. If you suppress a finding, you can continue to access it. However, suppression indicates your belief that no action is needed to address the finding.

By suppressing findings, you can reduce finding noise. For example, you might suppress control findings that are generated in test accounts. Or, you might suppress findings related to specific resources. To learn more about updating or suppressing findings automatically, see [Understanding automation rules in Security Hub CSPM](automation-rules.md). 

Automation rules are appropriate when you want to update or suppress specific control findings. However, if a control isn't relevant to your organization or use case, we recommend [disabling the control](disable-controls-overview.md). If you disable a control, Security Hub CSPM doesn't run security checks for it and you aren't charged for it.

## Compliance details for control findings
<a name="control-findings-asff-compliance"></a>

In findings generated by security checks for controls, the [Compliance](asff-top-level-attributes.md#asff-compliance) object and fields in the AWS Security Finding Format (ASFF) provide compliance details for individual resources that a control checked. This includes the following information:
+ `AssociatedStandards` – The enabled standards that the control is enabled in.
+ `RelatedRequirements` – The related requirements for the control in all enabled standards. These requirements derive from third-party security frameworks for the control, such as the Payment Card Industry Data Security Standard (PCI DSS) or the NIST SP 800-171 Revision 2 standard.
+ `SecurityControlId` – The identifier for the control across the standards that Security Hub CSPM supports.
+ `Status` – The result of the most recent check that Security Hub CSPM ran for the control. The results of previous checks are retained in the history of the finding.
+ `StatusReasons` – An array that lists reasons for the value specified by the `Status` field. For each reason, this includes a reason code and a description.

The following table lists reason codes and descriptions that a finding might include in the `StatusReasons` array. The remediation steps vary based on which control generated a finding with a specified reason code. To review the remediation guidance for a control, refer to the [Control reference for Security Hub CSPM](securityhub-controls-reference.md).


| Reason code | Compliance status | Description | 
| --- | --- | --- | 
|  `CLOUDTRAIL_METRIC_FILTER_NOT_VALID`  |  `FAILED`  |  The multi-Region CloudTrail trail does not have a valid metric filter.  | 
|  `CLOUDTRAIL_METRIC_FILTERS_NOT_PRESENT`  |  `FAILED`  |  Metric filters are not present for the multi-Region CloudTrail trail.  | 
|  `CLOUDTRAIL_MULTI_REGION_NOT_PRESENT`  |  `FAILED`  |  The account does not have a multi-Region CloudTrail trail with the required configuration.  | 
|  `CLOUDTRAIL_REGION_INVAILD`  |  `WARNING`  |  Multi-Region CloudTrail trails are not in the current Region.  | 
|  `CLOUDWATCH_ALARM_ACTIONS_NOT_VALID`  |  `FAILED`  |  No valid alarm actions are present.  | 
|  `CLOUDWATCH_ALARMS_NOT_PRESENT`  |  `FAILED`  |  CloudWatch alarms do not exist in the account.  | 
|  `CONFIG_ACCESS_DENIED`  |  `NOT_AVAILABLE` (AWS Config status is `ConfigError`)  |  AWS Config access denied. Verify that AWS Config is enabled and has been granted sufficient permissions.  | 
|  `CONFIG_EVALUATIONS_EMPTY`  |  `PASSED`  |  AWS Config evaluated your resources based on the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.  | 
|  `CONFIG_RECORDER_CUSTOM_ROLE`  |  `FAILED` (for Config.1)  |  The AWS Config recorder uses a custom IAM role instead of the AWS Config service-linked role, and the `includeConfigServiceLinkedRoleCheck` custom parameter for Config.1 isn't set to `false`.  | 
|  `CONFIG_RECORDER_DISABLED`  |  `FAILED` (for Config.1)  |  AWS Config isn't enabled with the configuration recorder turned on.  | 
|  `CONFIG_RECORDER_MISSING_REQUIRED_RESOURCE_TYPES`  |  `FAILED` (for Config.1)  |  AWS Config isn't recording all resource types that correspond to enabled Security Hub CSPM controls. Turn on recording for the following resources: *Resources that aren't being recorded*.  | 
|  `CONFIG_RETURNS_NOT_APPLICABLE`  |  `NOT_AVAILABLE`  |  The compliance status is `NOT_AVAILABLE` because AWS Config returned a status of **Not Applicable**. AWS Config does not provide the reason for the status. For possible reasons for the **Not Applicable** status, see the [AWS documentation website](http://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html).  | 
|  `CONFIG_RULE_EVALUATION_ERROR`  |  `NOT_AVAILABLE` (AWS Config status is `ConfigError`)  |  This reason code is used for several different types of evaluation errors. The description provides the specific reason information. For the possible error types, see the [AWS documentation website](http://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html).  | 
|  `CONFIG_RULE_NOT_FOUND`  |  `NOT_AVAILABLE` (AWS Config status is `ConfigError`)  |  The AWS Config rule is in the process of being created.  | 
|  `INTERNAL_SERVICE_ERROR`  |  `NOT_AVAILABLE`  |  An unknown error occurred.  | 
|  `LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE`  |  `FAILED`  |  Security Hub CSPM is unable to perform a check against a custom Lambda runtime.  | 
|  `S3_BUCKET_CROSS_ACCOUNT_CROSS_REGION`  |  `WARNING`  |  The finding is in a `WARNING` state because the S3 bucket that is associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.  | 
|  `SNS_SUBSCRIPTION_NOT_PRESENT`  |  `FAILED`  |  The CloudWatch Logs metric filters do not have a valid Amazon SNS subscription.  | 
|  `SNS_TOPIC_CROSS_ACCOUNT`  |  `WARNING`  |  The finding is in a `WARNING` state. The SNS topic associated with this rule is owned by a different account. The current account cannot obtain the subscription information. The account that owns the SNS topic must grant to the current account the `sns:ListSubscriptionsByTopic` permission for the SNS topic.  | 
|  `SNS_TOPIC_CROSS_ACCOUNT_CROSS_REGION`  |  `WARNING`  |  The finding is in a `WARNING` state because the SNS topic that is associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.  | 
|  `SNS_TOPIC_INVALID`  |  `FAILED`  |  The SNS topic associated with this rule is invalid.  | 
|  `THROTTLING_ERROR`  |  `NOT_AVAILABLE`  |  The relevant API operation exceeded the allowed rate.  | 

## ProductFields details for control findings
<a name="control-findings-asff-productfields"></a>

In findings generated by security checks for controls, the [ProductFields](asff-top-level-attributes.md#asff-productfields) attribute in the AWS Security Finding Format (ASFF) can include the following fields.

`ArchivalReasons:0/Description`  
Describes why Security Hub CSPM archived a finding.  
For example, Security Hub CSPM archives existing findings when you disable a control or standard, or you enable or disable [consolidated control findings](#consolidated-control-findings).

`ArchivalReasons:0/ReasonCode`  
Specifies why Security Hub CSPM archived a finding.  
For example, Security Hub CSPM archives existing findings when you disable a control or standard, or you enable or disable [consolidated control findings](#consolidated-control-findings).

`PreviousComplianceStatus`  
The previous compliance status (`Compliance.Status`) of the resource for the specified control, as of the most recent update to the finding. If the compliance status of the resource didn't change during the most recent update, this value is the same as the value for the `Compliance.Status` field of the finding. For a list of possible values, see [Evaluating compliance status and control status](controls-overall-status.md).

`StandardsGuideArn` or `StandardsArn`  
The ARN of the standard associated with the control.  
For the CIS AWS Foundations Benchmark standard, the field is `StandardsGuideArn`. For the PCI DSS and AWS Foundational Security Best Practices standards, the field is `StandardsArn`.  
These fields are removed in favor of `Compliance.AssociatedStandards` if you enable [consolidated control findings](#consolidated-control-findings).

`StandardsGuideSubscriptionArn` or `StandardsSubscriptionArn`  
The ARN of the account's subscription to the standard.  
For the CIS AWS Foundations Benchmark standard, the field is `StandardsGuideSubscriptionArn`. For the PCI DSS and AWS Foundational Security Best Practices standards, the field is `StandardsSubscriptionArn`.  
These fields are removed if you enable [consolidated control findings](#consolidated-control-findings).

`RuleId` or `ControlId`  
The identifier for the control.  
For version 1.2.0 of the CIS AWS Foundations Benchmark standard, the field is `RuleId`. For other standards, including subsequent versions of the CIS AWS Foundations Benchmark standard, the field is `ControlId`.  
These fields are removed in favor of `Compliance.SecurityControlId` if you enable [consolidated control findings](#consolidated-control-findings).

`RecommendationUrl`  
The URL for remediation information for the control. This field is removed in favor of `Remediation.Recommendation.Url` if you enable [consolidated control findings](#consolidated-control-findings).

`RelatedAWSResources:0/name`  
The name of the resource associated with the finding.

`RelatedAWSResource:0/type`  
The type of resource associated with the control.

`StandardsControlArn`  
The ARN of the control. This field is removed if you enable [consolidated control findings](#consolidated-control-findings).

`aws/securityhub/ProductName`  
For control findings, the product name is `Security Hub`.

`aws/securityhub/CompanyName`  
For control findings, the company name is `AWS`.

`aws/securityhub/annotation`  
A description of the issue uncovered by the control.

`aws/securityhub/FindingId`  
The identifier for the finding.  
This field doesn't reference a standard if you enable [consolidated control findings](#consolidated-control-findings).

## Severity levels for control findings
<a name="control-findings-severity"></a>

The severity assigned to a Security Hub CSPM control indicates the importance of the control. The severity of a control determines the severity label assigned to the control findings.

### Severity criteria
<a name="securityhub-standards-results-severity-criteria"></a>

The severity of a control is determined based on an assessment of the following criteria:
+ **How difficult is it for a threat actor to take advantage of the configuration weakness associated with the control?** The difficulty is determined by the amount of sophistication or complexity that is required to use the weakness to carry out a threat scenario.
+ **How likely is it that the weakness will lead to a compromise of your AWS accounts or resources?** A compromise of your AWS accounts or resources means that confidentiality, integrity, or availability of your data or AWS infrastructure is damaged in some way. The likelihood of compromise indicates how likely it is that the threat scenario will result in a disruption or breach of your AWS services or resources.

As an example, consider the following configuration weaknesses:
+ User access keys are not rotated every 90 days.
+ IAM root user key exists.

Both weaknesses are equally difficult for an adversary to take advantage of. In both cases, the adversary can use credential theft or some other method to acquire a user key. They can then use it to access your resources in an unauthorized way.

However, the likelihood of a compromise is much higher if the threat actor acquires the root user access key because this gives them greater access. As a result, the root user key weakness has a higher severity.

The severity does not take into account the criticality of the underlying resource. Criticality is the level of importance of the resources that are associated with the finding. For example, a resource that is associated with a mission critical application is more critical than one that is associated with non-production testing. To capture resource criticality information, use the `Criticality` field of the AWS Security Finding Format (ASFF).

The following table maps the difficulty to exploit and the likelihood of compromise to the severity labels.


|  | **Compromise highly likely** | **Compromise likely** | **Compromise unlikely** | **Compromise highly unlikely** | 
| --- | --- | --- | --- | --- | 
| **Very easy to exploit** | Critical | Critical | High | Medium | 
| **Somewhat easy to exploit** | Critical | High | Medium | Medium | 
| **Somewhat difficult to exploit** | High | Medium | Medium | Low | 
| **Very difficult to exploit** | Medium | Medium | Low | Low | 

### Severity definitions
<a name="securityhub-standards-results-severity-definitions"></a>

The severity labels are defined as follows.

**Critical – The issue should be remediated immediately to avoid it escalating.**  
For example, an open S3 bucket is considered a critical severity finding. Because so many threat actors scan for open S3 buckets, data in exposed S3 buckets is likely to be discovered and accessed by others.  
In general, resources that are publicly accessible are considered critical security issues. You should treat critical findings with the utmost urgency. You also should consider the criticality of the resource.

**High – The issue must be addressed as a near-term priority.**  
For example, if a default VPC security group is open to inbound and outbound traffic, it is considered high severity. It is somewhat easy for a threat actor to compromise a VPC using this method. It is also likely that the threat actor will be able to disrupt or exfiltrate resources once they are in the VPC.  
Security Hub CSPM recommends that you treat a high severity finding as a near-term priority. You should take immediate remediation steps. You also should consider the criticality of the resource.

**Medium – The issue should be addressed as a mid-term priority.**  
For example, lack of encryption for data in transit is considered a medium severity finding. It requires a sophisticated man-in-the-middle attack to take advantage of this weakness. In other words, it is somewhat difficult. It is likely that some data will be compromised if the threat scenario is successful.  
Security Hub CSPM recommends that you investigate the implicated resource at your earliest convenience. You also should consider the criticality of the resource.

**Low – The issue does not require action on its own.**  
For example, failure to collect forensics information is considered low severity. This control can help to prevent future compromises, but the absence of forensics does not lead directly to a compromise.  
You do not need to take immediate action on low severity findings, but they can provide context when you correlate them with other issues.

**Informational – No configuration weakness was found.**  
In other words, the status is `PASSED`, `WARNING`, or `NOT_AVAILABLE`.  
There is no recommended action. Informational findings help customers to demonstrate that they are in a compliant state.

# Evaluating compliance status and control status
<a name="controls-overall-status"></a>

The `Compliance.Status` field of the AWS Security Finding Format describes the result of a control finding. AWS Security Hub CSPM uses the compliance status of control findings to determine an overall control status. The control status is displayed on the details page of a control on the Security Hub CSPM console.

## Evaluating the compliance status of Security Hub CSPM findings
<a name="controls-overall-status-compliance-status"></a>

The compliance status for each finding is assigned one of the following values:
+ `PASSED` – Indicates that the control passed the security check for the finding. This automatically sets the Security Hub CSPM `Workflow.Status` to `RESOLVED`.
+ `FAILED` – Indicates that the control didn't pass the security check for the finding.
+ `WARNING` – Indicates that Security Hub CSPM can't determine whether the resource is in a `PASSED` or `FAILED` state. For example, [AWS Config resource recording](securityhub-setup-prereqs.md#config-resource-recording) isn't turned on for the corresponding resource type.
+ `NOT_AVAILABLE` – Indicates that the check can't be completed because a server failed, the resource was deleted, or the result of the AWS Config evaluation was `NOT_APPLICABLE`. If the AWS Config evaluation result was `NOT_APPLICABLE`, Security Hub CSPM automatically archives the finding.

If the compliance status for a finding changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`, and `Workflow.Status` was either `NOTIFIED` or `RESOLVED`, Security Hub CSPM automatically changes `Workflow.Status` to `NEW`.

If you don't have resources corresponding to a control, Security Hub CSPM produces a `PASSED` finding at the account level. If you have a resource corresponding to a control but then delete the resource, Security Hub CSPM creates a `NOT_AVAILABLE` finding and archives it immediately. After 18 hours, you receive a `PASSED` finding because you no longer have resources corresponding to the control.

## Deriving control status from compliance status
<a name="controls-overall-status-values"></a>

Security Hub CSPM derives an overall control status from the compliance status of the control findings. When determining control status, Security Hub CSPM ignores findings that have a `RecordState` of `ARCHIVED` and findings that have a `Workflow.Status` of `SUPPRESSED`.

Control status is assigned one of the following values:
+ **Passed** – Indicates that all findings have a compliance status of `PASSED`.
+ **Failed** – Indicates that at least one finding has a compliance status of `FAILED`.
+ **Unknown** – Indicates that at least one finding has a compliance status of `WARNING` or `NOT_AVAILABLE`. No findings have a compliance status of `FAILED`.
+ **No data** – Indicates that there are no findings for the control. For example, a newly enabled control has this status until Security Hub CSPM starts to generate findings for it. A control also has this status if all of its findings are `SUPPRESSED` or it's unavailable in the current AWS Region.
+ **Disabled** – Indicates that the control is disabled in the current account and Region. No security checks are currently being performed for this control in the current account and Region. However, the findings of a disabled control may have a value for compliance status for up to 24 hours after disablement.

For an administrator account, control status reflects the control status for the administrator account and the member accounts. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the administrator account or any of the member accounts. If you have set an aggregation Region, the control status in the aggregation Region reflects the control status in the aggregation Region and the linked Regions. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the aggregation Region or any of the linked Regions.

Security Hub CSPM typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or the **Security standards** page on the Security Hub CSPM console. You must have [AWS Config resource recording](controls-config-resources.md) configured for the control status to appear. After control statuses are generated for the first time, Security Hub CSPM updates control statuses every 24 hours based on the findings from the previous 24 hours. A timestamp on the control details page indicates when control status was last updated.

**Note**  
After enabling a control for the first time, it can take up to 24 hours for control statuses to be generated in the China Regions and the AWS GovCloud (US) Region.

# Calculating security scores
<a name="standards-security-score"></a>

On the AWS Security Hub CSPM console, the **Summary** page and the **Controls** page display a summary security score across all of your enabled standards. On the **Security standards** page, Security Hub CSPM also displays a security score from 0–100 percent for each enabled standard.

When you first enable Security Hub CSPM, Security Hub CSPM calculates the summary security score and standard security scores within 30 minutes of your first visit to the **Summary** or **Security standards** page on the console. Scores are generated only for standards that are enabled when you visit those pages on the console. In addition, AWS Config resource recording must be configured for the scores to appear. The summary security score is the average of the standard security scores. To review a list of standards that are currently enabled, you can use the [GetEnabledStandards](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub CSPM API. 

After first-time score generation, Security Hub CSPM updates security scores every 24 hours. Security Hub CSPM displays a timestamp to indicate when a security score was last updated. Note that it can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Regions.

If you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings), it can take up to 24 hours for your security scores to update. In addition, enabling a new aggregation Region or updating linked Regions resets existing security scores. It can take up to 24 hours for Security Hub CSPM to generate new security scores that include data from the updated Regions.

## Method of calculating security scores
<a name="standard-security-score-calculation"></a>

Security scores represent the proportion of **Passed** controls to enabled controls. The score is displayed as a percentage rounded up or down to the nearest whole number.

Security Hub CSPM calculates a summary security score across all of your enabled standards. Security Hub CSPM also calculates a security score for each enabled standard. For purposes of score calculation, enabled controls include controls with a status of **Passed**, **Failed**, and **Unknown**. Controls with a status of **No data** are excluded from the score calculation.

Security Hub CSPM ignores archived and suppressed findings when calculating control status. This can impact security scores. For example, if you suppress all failed findings for a control, its status becomes **Passed**, which can in turn improve your security scores. For more information about control status, see [Evaluating compliance status and control status](controls-overall-status.md).

**Scoring example:**

| Standard | Passed controls | Failed controls | Unknown controls | Standard score | 
| --- | --- | --- | --- | --- | 
|  AWS Foundational Security Best Practices v1.0.0  |  168  |  22  |  0  |  88%  | 
|  CIS AWS Foundations Benchmark v1.4.0  |  8  |  29  |  0  |  22%  | 
|  CIS AWS Foundations Benchmark v1.2.0  |  6  |  35  |  0  |  15%  | 
|  NIST Special Publication 800-53 Revision 5  |  159  |  56  |  0  |  74%  | 
|  PCI DSS v3.2.1  |  28  |  17  |  0  |  62%  | 

When calculating the summary security score, Security Hub CSPM counts each control only once across standards. For example, if you have enabled a control that applies to three enabled standards, it only counts as one enabled control for scoring purposes.

In this example, although the total number of enabled controls across enabled standards is 528, Security Hub CSPM counts each unique control only once for scoring purposes. The number of unique enabled controls is likely lower than 528. If we assume the number of unique enabled controls is 515, and the number of unique passed controls is 357, the summary score is 69%. This score is calculated by dividing the number of unique passed controls by the number of unique enabled controls.
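The counting rules above, worked through as an added Python example (not AWS code): each standard's score is its passed controls over its enabled controls, the summary score counts each unique control once, **No data** controls are excluded, and a control that is **Failed** in any member account or linked Region counts as **Failed** (as the administrator-account and aggregation-Region sections describe). The control IDs, standard names and statuses are constructed sample data.

```python
from collections import defaultdict

# Roll-up precedence across accounts/Regions: Failed anywhere wins, then
# Unknown, then Passed; a control with no data anywhere stays "No data".
STATUS_RANK = {"Failed": 3, "Unknown": 2, "Passed": 1, "No data": 0}


def aggregate_status(statuses):
    """Combine one control's per-account/Region statuses into a single status."""
    return max(statuses, key=STATUS_RANK.get, default="No data")


def score(passed, enabled):
    """Percent of passed to enabled controls, rounded half-up to a whole number."""
    if enabled == 0:
        return None  # nothing enabled: no score can be shown
    return int(passed * 100 / enabled + 0.5)


def security_scores(controls):
    """Return ({standard: score}, summary_score) for a control inventory.

    controls: control ID -> {"standards": [...], "statuses": [...]} where
    "statuses" holds the control's status in each account/Region covered.
    """
    per_standard = defaultdict(lambda: {"Passed": 0, "Failed": 0, "Unknown": 0})
    unique_enabled = unique_passed = 0
    for ctrl in controls.values():
        status = aggregate_status(ctrl["statuses"])
        if status == "No data":
            continue  # excluded from every denominator
        unique_enabled += 1  # counted once, however many standards share it
        if status == "Passed":
            unique_passed += 1
        for std in ctrl["standards"]:
            per_standard[std][status] += 1
    standard_scores = {std: score(c["Passed"], sum(c.values()))
                       for std, c in per_standard.items()}
    return standard_scores, score(unique_passed, unique_enabled)


# Constructed sample (hypothetical IDs and standard names, not real results).
SAMPLE_CONTROLS = {
    "IAM.1":    {"standards": ["FSBP", "CIS"], "statuses": ["Passed", "Passed"]},
    "IAM.4":    {"standards": ["FSBP", "CIS"], "statuses": ["Passed", "Failed"]},
    "S3.1":     {"standards": ["FSBP"],        "statuses": ["Passed", "Passed"]},
    "EC2.2":    {"standards": ["FSBP"],        "statuses": ["Unknown", "Passed"]},
    "CIS.1.3":  {"standards": ["CIS"],         "statuses": ["No data", "No data"]},
    "Config.1": {"standards": ["FSBP", "CIS"], "statuses": ["Passed"]},
}

if __name__ == "__main__":
    print(security_scores(SAMPLE_CONTROLS))  # FSBP 60%, CIS 67%, summary 60%
```

Note that the summary here (3 unique passed of 5 unique enabled, 60%) is not the 63.5% you would get by averaging the two standard scores, because IAM.1, IAM.4 and Config.1 are counted once rather than twice.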

You might have a summary score that differs from the standard security score, even if you've enabled only one standard in your account in the current Region. This can occur if you're signed in to an administrator account and member accounts have additional standards or different standards enabled. This can also occur if you're viewing the score from the aggregation Region and additional standards or different standards are enabled in linked Regions.

## Security scores for administrator accounts
<a name="standard-security-score-admin"></a>

If you're signed in to an administrator account, the summary security score and standard scores account for control statuses in the administrator account and all of the member accounts.

If the status of a control is **Failed** in even one member account, its status is **Failed** in the administrator account and impacts the administrator account scores.

If you're signed in to an administrator account and are viewing scores in an aggregation Region, security scores account for control statuses in all member accounts *and* all linked Regions.

## Security scores if you have set an aggregation Region
<a name="standard-security-aggregation-region"></a>

If you have set an aggregation AWS Region, the summary security score and standard scores account for control statuses in all linked Regions.

If the status of a control is **Failed** in even one linked Region, its status is **Failed** in the aggregation Region and impacts the aggregation Region scores.

If you're signed in to an administrator account and are viewing scores in an aggregation Region, security scores account for control statuses in all member accounts *and* all linked Regions.