Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Security Hub automatic severity change

0

Hello,

I have been noticing some unusual behavious in Security Hub. I have a the Security best practice standard deployed, In certain times when a High severity finding is detected, after a while it severity changes automaticly to Informational. The status is updated from failed to passed but why is the severity also changing. I am basing some behavious based on the severity so this change is breaking my process.

Is this related to the latest changes and the introduction of the new Security Hub public preview console? This only started after the announcment.

Thank you

Topics
Security, Identity, & ComplianceAWS Well-Architected Framework
Tags
AWS Security HubSecurity
Language
English
asked 10 months ago120 views
1 Answer
1

This behavior is expected and by design—but it can be confusing. Here's why:

  1. Severity in Security Hub findings is dynamic.

    • The severity reflects the current risk posed by the resource's compliance state.

    • When a control status is FAILED, severity is based on how critical that control is.

    • When the same control flips to PASSED, the finding is still kept (for visibility), but:

      • Its status becomes PASSED.
      • Its severity drops to INFORMATIONAL.

  2. This is documented behavior.

    • From AWS Docs:

      If a finding is resolved, the record is retained with a severity of INFORMATIONAL and a compliance status of PASSED.

  3. Impact of the New Console (Preview)

    • While the preview console itself didn't change this core logic, the recent update may have made these transitions more visible or highlighted finding state transitions in new ways.
    • The finding history UI and filters are now more granular, which may be why you're only noticing it post-preview.

Use Compliance.Status + Severity together

Instead of relying solely on severity, use both in your logic:

{
  "Compliance.Status": "FAILED",
  "Severity.Label": "HIGH"
}

This ensures you only act on active, high-risk issues.

answered 10 months ago
  • Firas
    10 months ago

    Thank you for you response, I am already using compliance status + severity as filter, but based on what you have just explained i think what is going on that is when switched to pass, the severity drops to informational at the same time, this will not trigger my process as now the severity changed. Will do some more testing about this subject.

    thank you for your answer

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content