AWS Security Hub

You can configure your Check Point Security Management Servers to send Threat Prevention events to the AWS Security Hub.

The AWS Security Hub service gives you a comprehensive view of your security alerts and security posture across your AWS accounts.

For more information, see the AWS Security Hub documentation.


  • This feature is for Check Point Security Management Server version R80.30 with Jumbo Hotfix Accumulator 226 and higher.

  • CME installed on the Security Management Server with support for AWS Security Hub, see sk157492.

  • Supports only the Security Management Server (or Security Management Server High Availability) with Log Server. There is no support for Multi-Domain Security Management Servers or for a dedicated Log Server.

Note - To use the AWS Security Hub APIs, the Security Management Server must have outbound internet connectivity.

Subscribing to the Check Point CloudGuard Network in AWS Security Hub

Configuring the Check Point Security Management Server to Send Events to the AWS Security Hub

Use these steps to configure the Check Point Security Management Server to send findings to your AWS Security Hub account.

Enabling Security Hub on the Security Management Server

You can activate the Security Hub feature only after the configuration is complete.

After the Security Hub is configured and enabled on the Security Management Server, it is possible to make sure that the status shows "Security Hub Service is currently enabled and sending logs to AWS". See Displaying the Security Hub Integration Status.

Disabling Security Hub on the Security Management Server

If you disable the feature, it stops the Security Management Server from sending logs to AWS Security Hub service.

Displaying the Security Hub Integration Status

You can see the status of Security Hub integration on the Security Management Server.

Configuring Debug Mode

When Debug mode is activated, detailed logs of the Security Hub internal state are generated and saved to a file.

Note - The Debug mode is disabled by default.

Additional Information about CloudGuard Network in Security Hub

Only logs from these Software Blades and features are sent to AWS Security Hub:

  • IPS

  • Anti-Bot

  • Anti-Virus

  • Threat Emulation

  • Threat Extraction

  • MTA

For more information about Finding, select the Finding ID and see ProductFields.


  • GeneratorId represents the Security Management Server's host name.

  • CreatedAt time is concurrent to the host time.

  • To filter in AWS, use: Product name is "CloudGuard Network" to see all Check Point CloudGuard Network findings.

  • For Security Management Server High Availability:

    • The configuration is synched between the Active and Standby servers.

    • After failover, enable the Security Hub feature in the Active Security Management Server.

Accessing Security Hub Logs for Troubleshooting

These are the log files on the Management Server:


Log Exporter

As part of the configuration to send security events, the Log Exporter feature is used.

A new Log Exporter instance is added and monitored by the cpwd with the name: EXPORTER.CME_LOG_REPORTER

For more information about the Log Exporter, see sk122323.


  • Multi-Domain Security Management Servers or dedicated Log Servers are not supported.

  • Only Active states are reported.

  • The feature does not work with manual modifications. Use the "cme_menu" command for all modifications.

  • AWS limitations:

    • The maximum allowed size for a Finding is 240 kilobytes.

      A Finding larger than 240 kilobytes is dropped.

    • The Findings are uploaded to AWS in bulks.

      A bulk is up to 100 Findings.

    • AWS limits the ProductFields to 50 elements only.

      To view the full log, use SmartConsole.

  • For CME limitations, see sk157492.

  • For Log Exporter limitations, see sk122323.