AWS Security Hub

AWS Security Hub is the central security-posture service for AWS accounts. It aggregates findings from native services (GuardDuty, Inspector, Macie, Config, IAM Access Analyzer, Firewall Manager) and third-party tools into the AWS Security Finding Format (ASFF), evaluates accounts against industry standards (CIS, PCI-DSS, NIST, AWS Foundational Security Best Practices), and serves as the routing point for automated response.

1. Overview & Hub-and-Spoke

Security Hub sits at the centre of an AWS security posture — findings flow in from many sources, are normalised and deduplicated, and flow out to response actions and external SIEMs. Enabling a delegated administrator account in AWS Organizations gives a single pane of glass over every member account and every region.

┌──────────────────────────────────────────────────────────────────────────────────────────┐
│                              FINDING SOURCES                                             │
│ ┌────────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────────────┐                 │
│ │ GuardDuty  │ │Inspector │ │  Macie   │ │  Config  │ │ IAM Access     │                 │
│ │  Threats   │ │   CVE    │ │   PII    │ │  Drift   │ │ Analyzer       │                 │
│ └────────────┘ └──────────┘ └──────────┘ └──────────┘ └────────────────┘                 │
│ ┌────────────┐ ┌──────────┐ ┌──────────────────────────────────────────┐                 │
│ │ Firewall   │ │ Health   │ │  Third-Party (Wiz, Prisma, Snyk, Splunk) │                 │
│ │  Manager   │ │  Mgr.    │ │  via ASFF Format                         │                 │
│ └────────────┘ └──────────┘ └──────────────────────────────────────────┘                 │
└──────────────────────────────────────────────────────────────────────────────────────────┘
                                             │
                                             ▼
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│                       SECURITY HUB (CENTRAL HUB)                                         │
│  ┌────────────────────┐  ┌────────────────────┐  ┌──────────────────┐                    │
│  │  Standards Engine  │  │  ASFF Normaliser   │  │  Insights /      │                    │
│  │ CIS / PCI / NIST   │  │  Dedup, Severity   │  │  Custom Filters  │                    │
│  └────────────────────┘  └────────────────────┘  └──────────────────┘                    │
│         (Delegated Administrator: Org-wide aggregation, cross-region)                    │
└──────────────────────────────────────────────────────────────────────────────────────────┘
                                             │
                                             ▼
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│                       RESPONSE & OUTPUT                                                  │
│  ┌────────────────────┐  ┌────────────────────┐  ┌──────────────────┐                    │
│  │   EventBridge      │  │  SSM Automation    │  │   SNS / Slack /  │                    │
│  │  Custom Actions    │  │  Auto-Remediate    │  │   PagerDuty      │                    │
│  └────────────────────┘  └────────────────────┘  └──────────────────┘                    │
│  ┌────────────────────┐  ┌────────────────────┐  ┌──────────────────┐                    │
│  │  Lambda Workflow   │  │  Jira / ServiceNow │  │  S3 Audit Bucket │                    │
│  └────────────────────┘  └────────────────────┘  └──────────────────┘                    │
└──────────────────────────────────────────────────────────────────────────────────────────┘

2. Standards (CIS, PCI-DSS, NIST, AWS FSBP)

Security Hub runs continuous compliance checks against these built-in standards (each control maps to a Config rule under the hood):

AWS Foundational Security Best Practices (FSBP): the default-on AWS-curated baseline — ~250 controls covering encryption, public access, logging, IMDSv2, etc. Start here.
CIS AWS Foundations Benchmark v1.4 / v3.0: the industry-standard hardening baseline (root MFA, password policies, CloudTrail in all regions, no 0.0.0.0/0 SG rules).
PCI-DSS v3.2.1 / v4.0: credit-card-handling controls — encryption in transit, key rotation, network segmentation.
NIST SP 800-53 Rev. 5: US federal control catalog, mapped to a substantial subset of AWS services.
NIST SP 800-171: Controlled Unclassified Information (CUI) controls for federal contractors.
Service-Managed Standards: standards consumed via Control Tower, applied org-wide.

Each control reports a status (PASSED / FAILED / NOT_AVAILABLE) and a workflow status (NEW / NOTIFIED / SUPPRESSED / RESOLVED). The org-wide compliance score is the percentage of enabled controls passing.

3. Findings Aggregation (ASFF)

Every finding — whether from GuardDuty, a third-party scanner, or a hand-written custom action — is normalised into the AWS Security Finding Format (ASFF). Key fields:

SchemaVersion, Id, ProductArn, GeneratorId: identity of the finding and the producer.
Types: taxonomy strings like "Software and Configuration Checks/Vulnerabilities/CVE".
Severity: a normalized 0–100 score plus Label (INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL).
Resources: array of affected AWS resources with ARN and per-type details.
Workflow: NEW / NOTIFIED / SUPPRESSED / RESOLVED — the analyst-controlled state.
Compliance: for control findings, the Status (PASSED / FAILED) and related requirements.
RecordState: ACTIVE / ARCHIVED — producer-controlled deduplication.


SchemaVersion: "2018-10-08"
Id: "arn:aws:securityhub:us-east-1:111111111111:finding/abcd-1234"
ProductArn: "arn:aws:securityhub:us-east-1::product/aws/inspector"
GeneratorId: "AWSInspector"
AwsAccountId: "111111111111"
Types: ["Software and Configuration Checks/Vulnerabilities/CVE"]
Severity: { Label: "CRITICAL", Normalized: 95 }
Resources:
  - Type: "AwsEc2Instance"
    Id: "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc123"
    Region: "us-east-1"
Workflow: { Status: "NEW" }
RecordState: "ACTIVE"
Title: "CVE-2025-XXXX in openssl"
Description: "EC2 instance has unpatched CRITICAL CVE in openssl."

4. Integrations

AWS-native (auto-on): GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, AWS Health, Config rule failures.
Third-party send-to-Hub: 100+ partner products including Wiz, Prisma Cloud, Snyk, Tenable, Qualys, Trend Micro, CrowdStrike. Each sends ASFF directly via the BatchImportFindings API.
Receive-from-Hub: SIEM integrations like Splunk, Datadog, Sumo Logic, IBM QRadar. They subscribe via EventBridge or pull via API.
Ticketing: Jira, ServiceNow, PagerDuty, Slack via EventBridge → Lambda or AWS Chatbot.

5. Automated Response

The standard pattern: Hub finding → EventBridge rule → Lambda or SSM Automation document → remediation. Custom Actions add a manual button on the finding for analyst-driven one-click response.


aws events put-rule \
  --name "SecHub-Critical-Auto-Remediate" \
  --event-pattern '{
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
      "findings": {
        "Severity": { "Label": ["CRITICAL"] },
        "Workflow": { "Status": ["NEW"] }
      }
    }
  }'

aws events put-targets --rule "SecHub-Critical-Auto-Remediate" \
  --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:111111111111:function:RemediateSecHub"

The Automated Security Response on AWS solution (formerly AWS SHARR) ships pre-built playbooks for CIS / PCI / NIST findings — deploy with one CloudFormation stack and the common remediations work out of the box.

6. Multi-Account Architecture

The recommended deployment uses AWS Organizations with a delegated administrator:

Delegated Admin Account (typically the Security or Audit account): receives all findings, runs cross-account insights, owns standards configuration.
Member Accounts: Security Hub enabled in every region in every account (use AWS Organizations “auto-enable” so new accounts inherit it on creation).
Cross-Region Aggregation: designate one home region as the aggregation region; all other regions replicate findings into it for unified analyst dashboards.
Service-Linked Roles: AWSServiceRoleForSecurityHub in each account allows Hub to read Config rules, GuardDuty findings, etc.

Pricing scales with finding volume and security-check count: roughly $0.0010 per finding ingested and $0.0010 per security check per month, tiered down. Common cost driver: noisy CIS controls in chatty accounts. Suppress accepted-risk failures to avoid paying for findings you've decided to live with.