# AWS service integrations with Security Hub CSPM
AWS Security Hub CSPM supports integrations with several other AWS services. These integrations can help you get a comprehensive view of security and compliance across your AWS environment.
Unless indicated otherwise below, AWS service integrations that send findings to Security Hub CSPM are activated automatically after you enable Security Hub CSPM and the other service. Integrations that receive Security Hub CSPM findings might require additional steps for activation. Review the information about each integration to learn more.
Some integrations aren't available in all AWS Regions. On the Security Hub CSPM console, an integration doesn't appear on the **Integrations** page if it isn't supported in the current Region. For a list of integrations that are available in the China Regions and AWS GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).
## Overview of AWS service integrations with Security Hub CSPM
The following table provides an overview of AWS services that send findings to Security Hub CSPM or receive findings from Security Hub CSPM.
| Integrated AWS service | Direction |
| --- | --- |
| [AWS Config](#integration-config) | Sends findings |
| [AWS Firewall Manager](#integration-aws-firewall-manager) | Sends findings |
| [Amazon GuardDuty](#integration-amazon-guardduty) | Sends findings |
| [AWS Health](#integration-health) | Sends findings |
| [AWS Identity and Access Management Access Analyzer](#integration-iam-access-analyzer) | Sends findings |
| [Amazon Inspector](#integration-amazon-inspector) | Sends findings |
| [AWS IoT Device Defender](#integration-iot-device-defender) | Sends findings |
| [Amazon Macie](#integration-amazon-macie) | Sends findings |
| [Amazon Route 53 Resolver DNS Firewall](#integration-amazon-r53rdnsfirewall) | Sends findings |
| [AWS Systems Manager Patch Manager](#patch-manager) | Sends findings |
| [AWS Audit Manager](#integration-aws-audit-manager) | Receives findings |
| [Amazon Q Developer in chat applications](#integration-chatbot) | Receives findings |
| [Amazon Detective](#integration-amazon-detective) | Receives findings |
| [Amazon Security Lake](#integration-security-lake) | Receives findings |
| [AWS Systems Manager Explorer and OpsCenter](#integration-ssm-explorer-opscenter) | Receives and updates findings |
| [AWS Trusted Advisor](#integration-trusted-advisor) | Receives findings |
## AWS services that send findings to Security Hub CSPM
The following AWS services integrate with and can send findings to Security Hub CSPM. Security Hub CSPM converts the findings to the [AWS Security Finding Format](securityhub-findings-format.md).
### AWS Config (Sends findings)
AWS Config is a service that allows you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
By using the integration with AWS Config, you can see the results of AWS Config managed and custom rule evaluations as findings in Security Hub CSPM. These findings can be viewed alongside other Security Hub CSPM findings, providing a comprehensive overview of your security posture.
AWS Config uses Amazon EventBridge to send AWS Config rule evaluations to Security Hub CSPM. Security Hub CSPM transforms the rule evaluations into findings that follow the [AWS Security Finding Format](securityhub-findings-format.md). Security Hub CSPM then enriches the findings on a best-effort basis by getting more information about the impacted resources, such as the Amazon Resource Name (ARN), resource tags, and creation date.
For more information about this integration, see the following sections.
#### How AWS Config sends findings to Security Hub CSPM
All findings in Security Hub CSPM use the standard JSON format of ASFF. ASFF includes details about the origin of the finding, the affected resource, and the current status of the finding. AWS Config sends managed and custom rule evaluations to Security Hub CSPM through EventBridge. Security Hub CSPM transforms the rule evaluations into findings that follow ASFF and enriches the findings on a best-effort basis.
##### Types of findings that AWS Config sends to Security Hub CSPM
After the integration is activated, AWS Config sends evaluations of all AWS Config managed rules and custom rules to Security Hub CSPM. Only evaluations that were performed after Security Hub CSPM was enabled are sent. For example, suppose that an AWS Config rule evaluation reveals five failed resources. If you enable Security Hub CSPM after that evaluation and the rule then reveals a sixth failed resource, AWS Config sends only the sixth resource evaluation to Security Hub CSPM.
Evaluations from [service-linked AWS Config rules](securityhub-setup-prereqs.md), such as those used to run checks for Security Hub CSPM controls, are excluded. The exception is findings generated by service-linked rules that AWS Control Tower creates and manages in AWS Config. Including findings for these rules helps ensure that your findings data includes the results of proactive checks performed by AWS Control Tower.
##### Sending AWS Config findings to Security Hub CSPM
When the integration is activated, Security Hub CSPM will automatically assign the permissions necessary to receive findings from AWS Config. Security Hub CSPM uses service-to-service level permissions that provide you with a safe way to activate this integration and import findings from AWS Config via Amazon EventBridge.
##### Latency for sending findings
When AWS Config creates a new finding, you can usually view the finding in Security Hub CSPM within five minutes.
##### Retrying when Security Hub CSPM is not available
AWS Config sends findings to Security Hub CSPM on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub CSPM, EventBridge retries delivery for up to 24 hours or 185 times, whichever comes first.
##### Updating existing AWS Config findings in Security Hub CSPM
After AWS Config sends a finding to Security Hub CSPM, it can send updates to the same finding to Security Hub CSPM to reflect additional observations of the finding activity. Updates are only sent for `ComplianceChangeNotification` events. If no compliance change occurs, updates aren't sent to Security Hub CSPM. Security Hub CSPM deletes findings 90 days after the most recent update or 90 days after creation if no update occurs.
Security Hub CSPM doesn't archive findings that are sent from AWS Config even if you delete the associated resource.
##### Regions in which AWS Config findings exist
AWS Config findings occur on a Regional basis. AWS Config sends findings to Security Hub CSPM in the same Region or Regions where the findings occur.
### Viewing AWS Config findings in Security Hub CSPM
To view your AWS Config findings, choose **Findings** from the Security Hub CSPM navigation pane. To filter the findings to display only AWS Config findings, choose **Product name** in the search bar drop down. Enter **Config**, and choose **Apply**.
#### Interpreting AWS Config finding names in Security Hub CSPM
Security Hub CSPM transforms AWS Config rule evaluations into findings that follow the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). AWS Config rule evaluations use a different event pattern compared to ASFF. The following table maps the AWS Config rule evaluation fields with their ASFF counterpart as they appear in Security Hub CSPM.
| Config rule evaluation finding type | ASFF finding type | Hardcoded value |
| --- | --- | --- |
| detail.awsAccountId | AwsAccountId | |
| detail.newEvaluationResult.resultRecordedTime | CreatedAt | |
| detail.newEvaluationResult.resultRecordedTime | UpdatedAt | |
| | ProductArn | "arn::securityhub:::product/aws/config" |
| | ProductName | "Config" |
| | CompanyName | "AWS" |
| | Region | "eu-central-1" |
| configRuleArn | GeneratorId, ProductFields | |
| detail.ConfigRuleARN/finding/hash | Id | |
| detail.configRuleName | Title, ProductFields | |
| detail.configRuleName | Description | "This finding is created for a resource compliance change for config rule: \$1\$1detail.ConfigRuleName\$1" |
| Configuration Item "ARN" or Security Hub CSPM computed ARN | Resources[i].id | |
| detail.resourceType | Resources[i].Type | "AwsS3Bucket" |
| | Resources[i].Partition | "aws" |
| | Resources[i].Region | "eu-central-1" |
| Configuration Item "configuration" | Resources[i].Details | |
| | SchemaVersion | "2018-10-08" |
| | Severity.Label | See "Interpreting Severity Label" below |
| | Types | ["Software and Configuration Checks"] |
| detail.newEvaluationResult.complianceType | Compliance.Status | "FAILED", "NOT\$1AVAILABLE", "PASSED", or "WARNING" |
| | Workflow.Status | "RESOLVED" if an AWS Config finding is generated with a Compliance.Status of "PASSED," or if the Compliance.Status changes from "FAILED" to "PASSED." Otherwise, Workflow.Status will be "NEW." You can change this value with the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation. |
#### Interpreting severity label
All findings from AWS Config rule evaluations have a default severity label of **MEDIUM** in the ASFF. You can update the severity label of a finding with the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation.
#### Typical finding from AWS Config
Security Hub CSPM transforms AWS Config rule evaluations into findings that follow the ASFF. The following is an example of a typical finding from AWS Config in the ASFF.
**Note**
If the description is more than 1,024 characters, it will be truncated to 1,024 characters and will say "(truncated)" at the end.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/45g070df80cb50b68fa6a43594kc6fda1e517932",
"ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/config",
"ProductName": "Config",
"CompanyName": "AWS",
"Region": "eu-central-1",
"GeneratorId": "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks"
],
"CreatedAt": "2022-04-15T05:00:37.181Z",
"UpdatedAt": "2022-04-19T21:20:15.056Z",
"Severity": {
"Label": "MEDIUM",
"Normalized": 40
},
"Title": "s3-bucket-level-public-access-prohibited-config-integration-demo",
"Description": "This finding is created for a resource compliance change for config rule: s3-bucket-level-public-access-prohibited-config-integration-demo",
"ProductFields": {
"aws/securityhub/ProductName": "Config",
"aws/securityhub/CompanyName": "AWS",
"aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/config/arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/46f070df80cd50b68fa6a43594dc5fda1e517902",
"aws/config/ConfigRuleArn": "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq",
"aws/config/ConfigRuleName": "s3-bucket-level-public-access-prohibited-config-integration-demo",
"aws/config/ConfigComplianceType": "NON_COMPLIANT"
},
"Resources": [{
"Type": "AwsS3Bucket",
"Id": "arn:aws:s3:::amzn-s3-demo-bucket",
"Partition": "aws",
"Region": "eu-central-1",
"Details": {
"AwsS3Bucket": {
"OwnerId": "4edbba300f1caa608fba2aad2c8fcfe30c32ca32777f64451eec4fb2a0f10d8c",
"CreatedAt": "2022-04-15T04:32:53.000Z"
}
}
}],
"Compliance": {
"Status": "FAILED"
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM"
},
"Types": [
"Software and Configuration Checks"
]
}
}
```
### Enabling and configuring the integration
After you enable Security Hub CSPM, this integration is activated automatically. AWS Config immediately begins to send findings to Security Hub CSPM.
### Stopping the publication of findings to Security Hub CSPM
To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or Security Hub CSPM API.
For instructions on stopping the flow of findings, see [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md).
### AWS Firewall Manager (Sends findings)
Firewall Manager sends findings to Security Hub CSPM when a web application firewall (WAF) policy for resources or a web access control list (web ACL) rule is not in compliance. Firewall Manager also sends findings when AWS Shield Advanced is not protecting resources, or when an attack is identified.
After you enable Security Hub CSPM, this integration is automatically activated. Firewall Manager immediately begins to send findings to Security Hub CSPM.
To learn more about the integration, view the **Integrations** page in the Security Hub CSPM console.
To learn more about Firewall Manager, see the [https://docs.aws.amazon.com/waf/latest/developerguide/](https://docs.aws.amazon.com/waf/latest/developerguide/).
### Amazon GuardDuty (Sends findings)
GuardDuty sends all of the finding types that it generates to Security Hub CSPM. Some finding types have prerequisites, enablement requirements, or Regional limitations. For more information, see [GuardDuty finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.
New findings from GuardDuty are sent to Security Hub CSPM within five minutes. Updates to findings are sent based on the **Updated findings** setting for Amazon EventBridge in GuardDuty settings.
When you generate GuardDuty sample findings using the GuardDuty **Settings** page, Security Hub CSPM receives the sample findings and omits the prefix `[Sample]` in the finding type. For example, the sample finding type in GuardDuty `[SAMPLE] Recon:IAMUser/ResourcePermissions` is displayed as `Recon:IAMUser/ResourcePermissions` in Security Hub CSPM.
After you enable Security Hub CSPM, this integration is automatically activated. GuardDuty immediately begins to send findings to Security Hub CSPM.
For more information about the GuardDuty integration, see [Integrating with AWS Security Hub CSPM](https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html) in the *Amazon GuardDuty User Guide*.
### AWS Health (Sends findings)
AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and AWS accounts. You can use AWS Health events to learn how service and resource changes might affect your applications that run on AWS.
The integration with AWS Health does not use `BatchImportFindings`. Instead, AWS Health uses service-to-service event messaging to send findings to Security Hub CSPM.
For more information about the integration, see the following sections.
#### How AWS Health sends findings to Security Hub CSPM
In Security Hub CSPM, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub CSPM also has a set of rules that it uses to detect security issues and generate findings.
Security Hub CSPM provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. See [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md). You can also track the status of an investigation into a finding. See [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md).
All findings in Security Hub CSPM use a standard JSON format called the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding.
AWS Health is one of the AWS services that sends findings to Security Hub CSPM.
##### Types of findings that AWS Health sends to Security Hub CSPM
After the integration is enabled, AWS Health sends findings that meet one or more of the listed specifications to Security Hub CSPM. Security Hub CSPM ingests the findings in the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md).
+ Findings that contain any of the following values for AWS service:
+ `RISK`
+ `ABUSE`
+ `ACM`
+ `CLOUDHSM`
+ `CLOUDTRAIL`
+ `CONFIG`
+ `CONTROLTOWER`
+ `DETECTIVE`
+ `EVENTS`
+ `GUARDDUTY`
+ `IAM`
+ `INSPECTOR`
+ `KMS`
+ `MACIE`
+ `SES`
+ `SECURITYHUB`
+ `SHIELD`
+ `SSO`
+ `COGNITO`
+ `IOTDEVICEDEFENDER`
+ `NETWORKFIREWALL`
+ `ROUTE53`
+ `WAF`
+ `FIREWALLMANAGER`
+ `SECRETSMANAGER`
+ `BACKUP`
+ `AUDITMANAGER`
+ `ARTIFACT`
+ `CLOUDENDURE`
+ `CODEGURU`
+ `ORGANIZATIONS`
+ `DIRECTORYSERVICE`
+ `RESOURCEMANAGER`
+ `CLOUDWATCH`
+ `DRS`
+ `INSPECTOR2`
+ `RESILIENCEHUB`
+ Findings with the words `security`, `abuse`, or `certificate` in the AWS Health `typeCode` field
+ Findings where the AWS Health service is `risk` or `abuse`
##### Sending AWS Health findings to Security Hub CSPM
When you choose to accept findings from AWS Health, Security Hub CSPM will automatically assign the permissions necessary to receive the findings from AWS Health. Security Hub CSPM uses service-to-service level permissions that provide you with a safe, easy way to enable this integration and import findings from AWS Health via Amazon EventBridge on your behalf. Choosing **Accept Findings** grants Security Hub CSPM permission to consume findings from AWS Health.
##### Latency for sending findings
When AWS Health creates a new finding, it is usually sent to Security Hub CSPM within five minutes.
##### Retrying when Security Hub CSPM is not available
AWS Health sends findings to Security Hub CSPM on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub CSPM, EventBridge retries sending the event for 24 hours.
##### Updating existing findings in Security Hub CSPM
After AWS Health sends a finding to Security Hub CSPM, it can send updates to the same finding to reflect additional observations of the finding activity to Security Hub CSPM.
##### Regions in which findings exist
For global events, AWS Health sends findings to Security Hub CSPM in us-east-1 (AWS partition), cn-northwest-1 (China partition), and gov-us-west-1 (GovCloud partition). AWS Health sends Region-specific events to Security Hub CSPM in the same Region or Regions where the events occur.
#### Viewing AWS Health findings in Security Hub CSPM
To view your AWS Health findings in Security Hub CSPM, choose **Findings** from the navigation panel. To filter the findings to display only AWS Health findings, choose **Health** from the **Product name** field.
##### Interpreting AWS Health finding names in Security Hub CSPM
AWS Health sends the findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). AWS Health finding uses a different event pattern compared to Security Hub CSPM ASFF format. The table below details all the AWS Health finding fields with their ASFF counterpart as they appear in Security Hub CSPM.
| Health finding type | ASFF finding type | Hardcoded value |
| --- | --- | --- |
| account | AwsAccountId | |
| detail.startTime | CreatedAt | |
| detail.eventDescription.latestDescription | Description | |
| detail.eventTypeCode | GeneratorId | |
| detail.eventArn (including account) \$1 hash of detail.startTime | Id | |
| "arn:aws:securityhub:::product/aws/health" | ProductArn | |
| account or resourceId | Resources[i].id | |
| | Resources[i].Type | "Other" |
| | SchemaVersion | "2018-10-08" |
| | Severity.Label | See "Interpreting Severity Label" below |
| “AWS Health -" detail.eventTypeCode | Title | |
| - | Types | ["Software and Configuration Checks"] |
| event.time | UpdatedAt | |
| URL of the event on Health console | SourceUrl | |
##### Interpreting severity label
The severity label in the ASFF finding is determined using the following logic:
+ Severity **CRITICAL** if:
+ The `service` field in the AWS Health finding has the value `Risk`
+ The `typeCode` field in the AWS Health finding has the value `AWS_S3_OPEN_ACCESS_BUCKET_NOTIFICATION`
+ The `typeCode` field in the AWS Health finding has the value `AWS_SHIELD_INTERNET_TRAFFIC_LIMITATIONS_PLACED_IN_RESPONSE_TO_DDOS_ATTACK`
+ The `typeCode` field in the AWS Health finding has the value `AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES`
Severity **HIGH** if:
+ The `service` field in the AWS Health finding has the value `Abuse`
+ The `typeCode` field in the AWS Health finding contains the value `SECURITY_NOTIFICATION`
+ The `typeCode` field in the AWS Health finding contains the value `ABUSE_DETECTION`
Severity **MEDIUM** if:
+ The `service` field in the finding is any of the following: `ACM`, `ARTIFACT`, `AUDITMANAGER`, `BACKUP`,`CLOUDENDURE`, `CLOUDHSM`, `CLOUDTRAIL`, `CLOUDWATCH`, `CODEGURGU`, `COGNITO`, `CONFIG`, `CONTROLTOWER`, `DETECTIVE`, `DIRECTORYSERVICE`, `DRS`, `EVENTS`, `FIREWALLMANAGER`, `GUARDDUTY`, `IAM`, `INSPECTOR`, `INSPECTOR2`, `IOTDEVICEDEFENDER`, `KMS`, `MACIE`, `NETWORKFIREWALL`, `ORGANIZATIONS`, `RESILIENCEHUB`, `RESOURCEMANAGER`, `ROUTE53`, `SECURITYHUB`, `SECRETSMANAGER`, `SES`, `SHIELD`, `SSO`, or `WAF`
+ The **typeCode** field in the AWS Health finding contains the value `CERTIFICATE`
+ The **typeCode** field in the AWS Health finding contains the value `END_OF_SUPPORT`
##### Typical finding from AWS Health
AWS Health sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). The following is an example of a typical finding from AWS Health.
**Note**
If the description is more than 1024 characters, it will be truncated to 1024 characters and will say *(truncated)* at the end.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:health:us-east-1:123456789012:event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96/101F7FBAEFC663977DA09CFF56A29236602834D2D361E6A8CA5140BFB3A69B30",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/health",
"GeneratorId": "AWS_SES_CMF_PENDING_TO_SUCCESS",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks"
],
"CreatedAt": "2022-01-07T16:34:04.000Z",
"UpdatedAt": "2022-01-07T19:17:43.000Z",
"Severity": {
"Label": "MEDIUM",
"Normalized": 40
},
"Title": "AWS Health - AWS_SES_CMF_PENDING_TO_SUCCESS",
"Description": "Congratulations! Amazon SES has successfully detected the MX record required to use 4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com as a custom MAIL FROM domain for verified identity cmf.pinpoint.sysmon-iad.adzel.com in AWS Region US East (N. Virginia).\\n\\nYou can now use this MAIL FROM domain with cmf.pinpoint.sysmon-iad.adzel.com and any other verified identity that is configured to use it. For information about how to configure a verified identity to use a custom MAIL FROM domain, see http://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from-set.html .\\n\\nPlease note that this email only applies to AWS Region US East (N. Virginia).",
"SourceUrl": "https://phd.aws.amazon.com/phd/home#/event-log?eventID=arn:aws:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96",
"ProductFields": {
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/health/arn:aws:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96",
"aws/securityhub/ProductName": "Health",
"aws/securityhub/CompanyName": "AWS"
},
"Resources": [
{
"Type": "Other",
"Id": "4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com"
}
],
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM"
},
"Types": [
"Software and Configuration Checks"
]
}
}
]
}
```
#### Enabling and configuring the integration
After you enable Security Hub CSPM, this integration is automatically activated. AWS Health immediately begins to send findings to Security Hub CSPM.
#### Stopping the publication of findings to Security Hub CSPM
To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or Security Hub CSPM API.
For instructions on stopping the flow of findings, see [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md).
### AWS Identity and Access Management Access Analyzer (Sends findings)
With IAM Access Analyzer, all findings are sent to Security Hub CSPM.
IAM Access Analyzer uses logic-based reasoning to analyze resource-based policies that are applied to supported resources in your account. IAM Access Analyzer generates a finding when it detects a policy statement that lets an external principal access a resource in your account.
In IAM Access Analyzer, only the administrator account can see findings for analyzers that apply to an organization. For organization analyzers, the `AwsAccountId` ASFF field reflects the administrator account ID. Under `ProductFields`, the `ResourceOwnerAccount` field indicates the account in which the finding was discovered. If you enable analyzers individually for each account, Security Hub CSPM generates multiple findings, one that identifies the administrator account ID and one that identifies the resource account ID.
For more information, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-securityhub-integration.html) in the *IAM User Guide*.
### Amazon Inspector (Sends findings)
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images that reside in the Amazon Elastic Container Registry. The scan looks for software vulnerabilities and unintended network exposure.
After you enable Security Hub CSPM, this integration is automatically activated. Amazon Inspector immediately begins to send all of the findings that it generates to Security Hub CSPM.
For more information about the integration, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html) in the *Amazon Inspector User Guide*.
Security Hub CSPM can also receive findings from Amazon Inspector Classic. Amazon Inspector Classic sends findings to Security Hub CSPM that are generated through assessment runs for all supported rules packages.
For more information about the integration, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/inspector/latest/userguide/securityhub-integration.html) in the *Amazon Inspector Classic User Guide*.
Findings for Amazon Inspector and Amazon Inspector Classic use the same product ARN. Amazon Inspector findings have the following entry in `ProductFields`:
```
"aws/inspector/ProductVersion": "2",
```
**Note**
Security findings generated by [Amazon Inspector Code Security](https://docs.aws.amazon.com/inspector/latest/user/code-security-assessments.html) are not available for this integration. However, you can access these particular findings in the Amazon Inspector console and through the [Amazon Inspector API](https://docs.aws.amazon.com/inspector/v2/APIReference/Welcome.html).
### AWS IoT Device Defender (Sends findings)
AWS IoT Device Defender is a security service that audits the configuration of your IoT devices, monitors connected devices to detect abnormal behavior, and helps mitigate security risks.
After enabling both AWS IoT Device Defender and Security Hub CSPM, visit the [Integrations page of the Security Hub CSPM console](https://console.aws.amazon.com/securityhub/home#/integrations), and choose **Accept findings** for Audit, Detect, or both. AWS IoT Device Defender Audit and Detect begin to send all findings to Security Hub CSPM.
AWS IoT Device Defender Audit sends check summaries to Security Hub CSPM, which contain general information for a specific audit check type and audit task. AWS IoT Device Defender Detect sends violation findings for machine learning (ML), statistical, and static behaviors to Security Hub CSPM. Audit also sends finding updates to Security Hub CSPM.
For more information about this integration, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/iot/latest/developerguide/securityhub-integration.html) in the *AWS IoT Developer Guide*.
### Amazon Macie (Sends findings)
Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks. A finding from Macie can indicate that a potential policy violation or sensitive data exists in your Amazon S3 data estate.
After you enable Security Hub CSPM, Macie automatically starts sending policy findings to Security Hub CSPM. You can configure the integration to also send sensitive data findings to Security Hub CSPM.
In Security Hub CSPM, the finding type for a policy or sensitive data finding is changed to a value that is compatible with ASFF. For example, the `Policy:IAMUser/S3BucketPublic` finding type in Macie is displayed as `Effects/Data Exposure/Policy:IAMUser-S3BucketPublic` in Security Hub CSPM.
Macie also sends generated sample findings to Security Hub CSPM. For sample findings, the name of the affected resource is `macie-sample-finding-bucket` and the value for the `Sample` field is `true`.
For more information, see [Evaluating Macie findings with Security Hub](https://docs.aws.amazon.com/macie/latest/user/securityhub-integration.html) in the *Amazon Macie User Guide*.
### Amazon Route 53 Resolver DNS Firewall (Sends findings)
With Amazon Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). You do this by creating reusable collections of filtering rules in DNS Firewall rule groups, associating the rule groups with your VPC, and then monitoring activity in DNS Firewall logs and metrics. Based on the activity, you can adjust DNS Firewall behavior. DNS Firewall is a feature of Route 53 Resolver.
Route 53 Resolver DNS Firewall can send several types of findings to Security Hub CSPM:
+ Findings related to queries blocked or alerted on for domains associated with AWS Managed Domain Lists, which are domain lists that AWS manages.
+ Findings related to queries blocked or alerted on for domains associated with a custom domain list that you define.
+ Findings related to queries blocked or alerted on by DNS Firewall Advanced, which is a Route 53 Resolver feature that can detect queries associated with advanced DNS threats such as Domain Generation Algorithms (DGAs) and DNS Tunneling.
After you enable Security Hub CSPM and Route 53 Resolver DNS Firewall, DNS Firewall automatically starts sending findings for AWS Managed Domain Lists and DNS Firewall Advanced to Security Hub CSPM. To also send findings for a custom domain list to Security Hub CSPM, manually enable the integration in Security Hub CSPM.
In Security Hub CSPM, all findings from Route 53 Resolver DNS Firewall have the following type: `TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation`.
For more information, see [Sending findings from Route 53 Resolver DNS Firewall to Security Hub](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/securityhub-integration.html) in the *Amazon Route 53 Developer Guide*.
### AWS Systems Manager Patch Manager (Sends findings)
AWS Systems Manager Patch Manager sends findings to Security Hub CSPM when instances in a customer's fleet go out of compliance with their patch compliance standard.
Patch Manager automates the process of patching managed instances with both security related and other types of updates.
After you enable Security Hub CSPM, this integration is automatically activated. Systems Manager Patch Manager immediately begins to send findings to Security Hub CSPM.
For more information about using Patch Manager, see [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html) in the *AWS Systems Manager User Guide*.
## AWS services that receive findings from Security Hub CSPM
The following AWS services are integrated with Security Hub CSPM and receive findings from Security Hub CSPM. Where noted, the integrated service may also update findings. In this case, finding updates that you make in the integrated service will also be reflected in Security Hub CSPM.
### AWS Audit Manager (Receives findings)
AWS Audit Manager receives findings from Security Hub CSPM. These findings help Audit Manager users to prepare for audits.
To learn more about Audit Manager, see the [https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html](https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html). [AWS Security Hub CSPM checks supported by AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html) lists the controls for which Security Hub CSPM sends findings to Audit Manager.
### Amazon Q Developer in chat applications (Receives findings)
Amazon Q Developer in chat applications is an interactive agent that helps you to monitor and interact with your AWS resources in your Slack channels and Amazon Chime chat rooms.
Amazon Q Developer in chat applications receives findings from Security Hub CSPM.
To learn more about the Amazon Q Developer in chat applications integration with Security Hub CSPM, see the [Security Hub CSPM integration overview](https://docs.aws.amazon.com/chatbot/latest/adminguide/related-services.html#security-hub) in the *Amazon Q Developer in chat applications Administrator Guide*.
### Amazon Detective (Receives findings)
Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.
The Security Hub CSPM integration with Detective allows you to pivot from Amazon GuardDuty findings in Security Hub CSPM into Detective. You can then use the Detective tools and visualizations to investigate them. The integration does not require any additional configuration in Security Hub CSPM or Detective.
For findings received from other AWS services, the finding details panel on the Security Hub CSPM console includes an **Investigate in Detective** subsection. That subsection contains a link to Detective where you can further investigate the security issue that the finding flagged. You can also build a behavior graph in Detective based on Security Hub CSPM findings to conduct more effective investigations. For more information, see [AWS security findings ](https://docs.aws.amazon.com/detective/latest/adminguide/source-data-types-asff.html) in the *Amazon Detective Administration Guide*.
If cross-Region aggregation is enabled, then when you pivot from the aggregation Region, Detective opens in the Region where the finding originated.
If a link does not work, then for troubleshooting advice, see [Troubleshooting the pivot](https://docs.aws.amazon.com/detective/latest/userguide/profile-pivot-from-service.html#profile-pivot-troubleshooting).
### Amazon Security Lake (Receives findings)
Security Lake is a fully-managed security data lake service. You can use Security Lake to automatically centralize security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. Subscribers can consume data from Security Lake for investigative and analytics use cases.
To activate this integration, you must enable both services and add Security Hub CSPM as a source in the Security Lake console, Security Lake API, or AWS CLI. Once you complete these steps, Security Hub CSPM begins to send all findings to Security Lake.
Security Lake automatically normalizes Security Hub CSPM findings and converts them to a standardized open-source schema called Open Cybersecurity Schema Framework (OCSF). In Security Lake, you can add one or more subscribers to consume Security Hub CSPM findings.
For more information about this integration, including instructions on adding Security Hub CSPM as a source and creating subscribers, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/security-lake/latest/userguide/securityhub-integration.html) in the *Amazon Security Lake User Guide*.
### AWS Systems Manager Explorer and OpsCenter (Receives and updates findings)
AWS Systems Manager Explorer and OpsCenter receive findings from Security Hub CSPM, and update those findings in Security Hub CSPM.
Explorer provides you with a customizable dashboard, providing key insights and analysis into the operational health and performance of your AWS environment.
OpsCenter provides you with a central location to view, investigate, and resolve operational work items.
For more information about Explorer and OpsCenter, see [Operations management](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-ops-center.html) in the *AWS Systems Manager User Guide*.
### AWS Trusted Advisor (Receives findings)
Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.
When you enable both Trusted Advisor and Security Hub CSPM, the integration is updated automatically.
Security Hub CSPM sends the results of its AWS Foundational Security Best Practices checks to Trusted Advisor.
For more information about the Security Hub CSPM integration with Trusted Advisor, see [Viewing AWS Security Hub CSPM controls in AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/security-hub-controls-with-trusted-advisor.html) in the *AWS Support User Guide*.