By using AWS re:Post, you agree to the Terms of Use
/Why do SecurityHub detection results show both PASSED and FAILED for the same resource?/

Why do SecurityHub detection results show both PASSED and FAILED for the same resource?


The SecurityHub detection results have the following titles:

4.3 Ensure the default security group of every VPC restricts all traffic

In response, we have removed the default security group inbound and outbound rules. After that, I re-evaluated with Config.

After re-evaluation, the SecurityHub detection results show both PASSED and FAILED with the above title.

The update date and time of PASSED is the time when it was re-evaluated by Config. On the other hand, the update date and time of FAILED is 19 hours ago.

Why are both PASSED and FAILED displayed for the same detection result?

asked 3 months ago44 views
2 Answers

Thank you for answering.

We have confirmed that all results with compliance status = FAILED are detection results for the default security group. After my research, I'm guessing that the content of the following document is the answer.

For examples, the workflow status tracks the progress of your investigation into a finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.

Archived finding

A finding that has a RecordState set to ARCHIVED. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. The record state is separate from the workflow status, which tracks the status of an investigation into a finding.

Finding providers can use the BatchImportFindings operation of the Security Hub API to archive findings that they created. Security Hub automatically archives findings for controls if the control is disabled or the associated resource is deleted, based on one of the following criteria.

・ The finding is not updated in three to five days (note that this is best effort and not guaranteed).

In other words, it is speculated that similar detection results for similar resources are separate results and will not be overwritten. In addition, I'm guessing that the archived results will continue to be displayed for some time.

If this perception is wrong, please point it out.

answered 3 months ago
  • Your perception is correct. You can add a filter to to not show ARCHIVED findings in the findings page. Our default views in SecHub all filter out ARCHIVED findings.


Are you sure the finding with Compliance Status = FAILED is the same Security Group as the other? If you have more than one VPC (e.g. the Default one may still be there) you may have more than one default security group.

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions