AWS Security & Identity
Security Hub
Aggregated security posture management with findings from GuardDuty, Inspector, and more
AWS Security Hub provides a centralized view of your AWS security posture by aggregating findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools. It runs continuous compliance checks against security standards like CIS AWS Foundations, AWS Foundational Security Best Practices, and PCI DSS. Security Hub is the single pane of glass for cloud security operations.
How Security Hub Aggregates Findings
Security Hub uses the AWS Security Finding Format (ASFF) as a normalized schema for all findings regardless of source. This allows findings from different services to be correlated, filtered, and routed consistently.
| Finding source | Type |
|---|---|
| Amazon GuardDuty | AWS native - automatic integration |
| Amazon Inspector | AWS native - automatic integration |
| Amazon Macie | AWS native - automatic integration |
| IAM Access Analyzer | AWS native - automatic integration |
| AWS Firewall Manager | AWS native - automatic integration |
| AWS Config (via Security Hub rules) | AWS native - runs compliance checks |
| Third-party (Splunk, Palo Alto, CrowdStrike) | Partner integration via ASFF |
| Custom (your tools) | BatchImportFindings API - any tool can send ASFF findings |
Security Hub does NOT collect logs itself. It only receives processed findings (security events of interest) from integrated services. For raw logs, you still need CloudTrail, VPC Flow Logs, and similar services.
Security Standards and Compliance Checks
Security Hub runs automated compliance checks against enabled standards. Each check maps to a specific AWS Config rule and produces a pass/fail result with a severity.
| Standard | Focus | Controls |
|---|---|---|
| AWS Foundational Security Best Practices (FSBP) | AWS-specific security hygiene | ~200 controls across 30+ services |
| CIS AWS Foundations Benchmark v1.4 | CIS community benchmark for AWS | ~60 controls - MFA, logging, key rotation, networking |
| PCI DSS v3.2.1 | Payment card industry compliance | ~100 controls relevant to cardholder data environments |
| NIST SP 800-53 Rev. 5 | US federal security controls | ~300 controls for government/regulated industries |
# List all failed controls in the AWS FSBP standard
aws securityhub get-findings \
--filters '{
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
}' \
--query 'Findings[].{Title:Title,Severity:Severity.Label,Resource:Resources[0].Id}'Every Security Hub check runs an AWS Config rule evaluation. AWS Config charges per rule evaluation. In a large account with many resources, enabling all Security Hub standards can significantly increase your AWS Config costs. Review your Config pricing before enabling all standards in a 1000+ resource account.
Multi-Account Security Hub with Organizations
Security Hub supports a delegated administrator that aggregates all findings from across the organization. Cross-region aggregation is supported to consolidate findings from all regions into a single home region.
# Enable cross-region aggregation (all regions -> us-east-1)
aws securityhub create-finding-aggregator \
--region-linking-mode ALL_REGIONS
# Get aggregated findings from all regions and accounts
aws securityhub get-findings \
--filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}'
# Enable auto-enable for new Organization accounts
aws securityhub update-organization-configuration \
--auto-enable --auto-enable-standards DEFAULTCross-region aggregation makes Security Hub much more useful in multi-region architectures. Without it, you must switch regions in the console to see findings from each region separately. With aggregation, you see everything in one view.
Automating Responses with Security Hub Automation Rules
Security Hub Automation Rules (newer feature) let you update finding fields automatically based on criteria - without requiring custom Lambda functions. For complex responses, EventBridge integration triggers Lambda or Step Functions.
| Automation method | When to use |
|---|---|
| Security Hub Automation Rules | Suppressing known false positives, updating severity, setting workflow status |
| EventBridge + Lambda | Triggering remediation actions (e.g., isolate EC2, disable access key) |
| EventBridge + SNS | Alerting the security team or sending to PagerDuty |
| EventBridge + Step Functions | Multi-step investigation and remediation workflows |
# Create an automation rule to suppress low-severity GuardDuty port probe findings
# (common in test environments with known scanners)
aws securityhub create-automation-rule \
--rule-name "Suppress-PortProbe-TestEnv" \
--rule-order 1 \
--criteria '{
"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
"Title": [{"Value": "Recon:EC2/PortProbeUnprotectedPort", "Comparison": "EQUALS"}],
"ResourceTags": [{"Key": "Env", "Value": "test", "Comparison": "EQUALS"}]
}' \
--actions '[{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}]'Interview Focus Points
- 1What is AWS Security Hub and how is it different from GuardDuty?
- 2What is ASFF and why does it matter for Security Hub integrations?
- 3How do Security Hub security standards work? What AWS Config resource is created when you enable a standard?
- 4How do you aggregate Security Hub findings from 20 accounts in 3 regions into a single view?
- 5What is the difference between Security Hub Automation Rules and EventBridge-triggered Lambda for automated remediation?
- 6A PCI DSS audit requires you to show that all S3 buckets have encryption at rest enabled. How would you use Security Hub to generate this evidence?
- 7What drives AWS Config cost when Security Hub is enabled at scale?
- 8How would you integrate a third-party SIEM like Splunk with Security Hub?