Security and billingSecurity and complianceIntermediate45 min read

What Is Security Hub? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
CLF-C02SAA-C03SOA-C02CompTIA A+ Core 2Google CDLISC2 CCCompTIA CySA+MS-102AZ-104SC-900CompTIA Security+CISSPMD-102
On This Page

Quick Definition

Security Hub is a tool that gathers security findings from your AWS accounts and services like GuardDuty, Inspector, and Macie, and shows them in one dashboard. It also runs automated compliance checks against standards like CIS and PCI DSS. This helps you see your overall security posture and fix issues faster.

Common Commands & Configuration

aws securityhub enable-security-hub --region us-east-1 --enable-default-standards

Enables Security Hub in the specified region with the default security standards (CIS, FSBP, PCI DSS). This is the first command to run after creating a new account.

Tested in AWS Cloud Practitioner and SysOps exams. Often a scenario question asks which command initializes Security Hub. The --enable-default-standards flag is important to set.

aws securityhub batch-update-findings --finding-identifiers '[{"Id":"arn:aws:securityhub:us-east-1:123456789012:findings/..."}]' --workflow '{"Status":"SUPPRESSED"}'

Suppresses a specific finding by ID. This is used to reduce noise for known false positives or accepted risks.

The CySA+ and Security+ exams test the concept of suppressing findings rather than deleting them. The command uses batch-update-findings with workflow status SUPPRESSED.

aws securityhub get-findings --filters '{"SeverityLabel":[{"Value":"HIGH","Comparison":"EQUALS"}]}' --region us-west-2

Retrieves all findings with a severity of HIGH in the us-west-2 region. Useful for quick triage of critical issues.

Filters are a common exam task. You must know that filters use JSON syntax with Comparison types such as EQUALS or PREFIX.

aws securityhub update-finding-aggregator --region us-east-1 --region-linking-mode ALL_REGIONS --finding-aggregator-arn arn:aws:securityhub:us-east-1:123456789012:finding-aggregator/default

Configures Security Hub to aggregate findings from all linked regions into the us-east-1 region (default aggregator). This provides a single view of findings across multiple regions.

Crucial for the AWS SAA and SysOps exams. Cross-region aggregation reduces the need to check each region separately. The command updates the finding aggregator.

aws securityhub disable-security-hub --region eu-central-1

Disables Security Hub in the specified region. This stops all checks and deletes findings after 90 days.

Exam questions may ask how to reduce costs: disable Security Hub in regions with no workloads. This command accomplishes that.

aws securityhub list-enabled-products-for-import --region us-east-1

Lists all third-party product integrations that are currently enabled to send findings to Security Hub, like GuardDuty or Inspector.

The Cloud Practitioner exam may ask how to verify that a third-party tool is sending findings. Use this command to see the list of integrated products.

aws securityhub get-insights --region us-west-2

Retrieves all custom and managed insights in the region. Insights are groupings of findings by common criteria (e.g., all findings with severity CRITICAL).

Insights are a feature that helps organize findings for reporting. This command appears in the SysOps exam to query pre-built security views.

aws securityhub accept-administrator-invitation --administrator-id 123456789012 --region ap-southeast-1

Used by a member account to accept an invitation from a Security Hub administrator to join a central monitoring account.

Related to multi-account management and AWS Organizations. The SysOps and SAA exams test the invitation process for centralized security management.

Security Hub appears directly in 13exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CLF-C02. Practise them →

Must Know for Exams

Security Hub appears heavily across multiple certification exams because it is a core part of the AWS security ecosystem. For the AWS Cloud Practitioner exam, you need to understand Security Hub as a security and compliance service that gives a single view of security alerts and compliance status. Questions may ask you to identify which service provides a centralised view of security findings, or which service runs automated compliance checks. The exam objectives include “Security and Compliance” as a domain, and Security Hub is a key service in that domain.

For the AWS Solutions Architect Associate (SAA-C03) exam, Security Hub is part of the design for a secure, multi-account architecture. You could see scenario questions where you need to choose the best service to aggregate security findings across accounts. The correct answer is often Security Hub. You should also know how it integrates with AWS Organizations to enable central administration. Questions may ask about cross-Region aggregation or how to export findings to an external SIEM.

For the AWS SysOps Administrator Associate exam, you need to know how to configure Security Hub, enable standards, and troubleshoot integration issues. Questions might present a scenario where findings from GuardDuty are not appearing in Security Hub. The solution might be to confirm that Security Hub is enabled in the same Region, or that the member accounts have accepted the invitation.

For the CompTIA Security+ and CySA+ exams, Security Hub is useful background knowledge. These exams focus more on the concepts of centralised logging and alert aggregation, but you may not need to know the exact AWS configuration. However, scenario questions about “security information and event management” or “compliance monitoring in the cloud” could use Security Hub as an example. Knowing the term will help you eliminate wrong answers and understand the broader landscape.

For the ISC2 CISSP exam, Security Hub is relevant to the domain of Security Operations. It exemplifies the concept of automated security monitoring and compliance checking in a cloud environment. While CISSP is vendor-neutral, questions may use AWS as a specific example of a cloud service provider that offers such a capability.

For Microsoft exams like AZ-104, MD-102, MS-102, and SC-900, Security Hub is not directly examinable because it is an AWS service. However, the concept of centralised security management exists in Azure with Azure Security Center (now Microsoft Defender for Cloud). If you understand Security Hub, you will understand Microsoft Defender for Cloud more easily because the concepts are very similar. For the SC-900 specifically, the exam covers principles of cloud security posture management, and knowing how AWS does it can provide comparative insight.

Common question patterns include: comparing Security Hub to other AWS security services (GuardDuty, Inspector, Macie), identifying the purpose of Security Hub in a multi-account setup, and determining which standard is being checked. You should also be aware of the term “finding” as it is used in the context of Security Hub, a finding is a record of a security issue or compliance failure.

Simple Meaning

Imagine you are the security manager for a large apartment building. Each apartment has its own security system, some have door sensors, others have cameras, and some have motion detectors. Every day, each system produces its own set of alerts: a broken lock here, a suspicious visitor there, a window left open. If you had to look at each system separately, you would be overwhelmed and likely miss something important. That is what it is like managing security for a cloud environment without Security Hub.

Security Hub is like a central security command center for your building. It collects all alerts from every security system into one big screen. It also runs a checklist against industry-standard safety rules, for example, it checks if every apartment door has a deadbolt, if all fire alarms are working, and if the emergency exits are clear. If something fails the checklist, Security Hub highlights it as a problem that needs attention.

In technical terms, Security Hub ingests findings from AWS security services such as GuardDuty (which detects unusual activity), Inspector (which scans for vulnerabilities), Macie (which protects sensitive data), and Firewall Manager (which manages firewall rules). It can also integrate with third-party security tools from partners like Palo Alto Networks, CrowdStrike, and Qualys. Once all these findings are in one place, Security Hub uses a feature called cross-Region aggregation so you can see everything even if your resources are spread across different geographic regions.

Another critical part is compliance. Security Hub can run continuous automated compliance checks against popular frameworks such as the Center for Internet Security (CIS) AWS Foundations Benchmark, the Payment Card Industry Data Security Standard (PCI DSS), and the AWS Foundational Security Best Practices standard. Every time you make a change in your environment, Security Hub rechecks those rules. If something is out of compliance, the service generates a new finding with details about what failed, which resource is involved, and how to fix it.

Importantly, Security Hub does not just dump all findings on you with the same priority. It uses a system of severity levels, critical, high, medium, and low, so you can focus on the most dangerous issues first. It also has a feature called insights that can automatically group related findings together, such as all findings for a specific S3 bucket or for a particular EC2 instance.

For someone new to cloud security, Security Hub provides a single pane of glass. Instead of logging into five different services, you log into one. Instead of memorizing dozens of compliance rules, you let Security Hub check them for you. This dramatically reduces the time to detect and respond to security issues. It is fundamental to a well-architected security strategy on AWS.

Full Technical Definition

Security Hub is a Regional AWS service that provides a comprehensive view of your security state across your AWS accounts and workloads. It functions as a central aggregation point for security findings, using a standardised finding format defined by the AWS Security Finding Format (ASFF). This format includes fields such as AwsAccountId, ProductArn, GeneratorId, Id, Types, CreatedAt, UpdatedAt, Severity, and Resources. By normalising findings into ASFF, Security Hub enables correlation, prioritisation, and automated response across disparate security tools.

The architecture of Security Hub is built around two core functions: ingestion and compliance. On the ingestion side, Security Hub consumes findings from both AWS services and partner integrations. For AWS-native services, the integration is seamless, for example, when GuardDuty detects a crypto mining activity, it sends a finding directly to Security Hub via an internal integration. Similarly, Amazon Inspector sends vulnerability findings, Amazon Macie sends sensitive data findings, and AWS Firewall Manager sends policy violation findings. Third-party integrations use the Security Hub API (BatchImportFindings) or AWS CloudFormation stack sets to push findings.

On the compliance side, Security Hub runs automated security checks against defined standards. The most commonly used standards are: CIS AWS Foundations Benchmark v1.2.0 and v1.4.0, PCI DSS v3.2.1, and AWS Foundational Security Best Practices. Each standard contains a set of controls (e.g., CIS 1.1, avoid the use of root user). Security Hub evaluates the configuration of your AWS resources against each control and produces a PASS or FAIL status. These checks are performed periodically (every 6–12 hours by default) and also on demand via the API. A failed check generates a finding with severity based on the potential impact.

Security Hub uses a concept called the Administrator and Member account model. In AWS Organizations, you designate one account as the Security Hub administrator account. This administrator account can view and manage findings from all member accounts in the organisation. It can also enable or disable standards and integrations across the entire organisation in a single action. This is critical for enterprises with hundreds or thousands of accounts, as it eliminates the need to configure Security Hub individually in each account.

Another key technical feature is the ability to create custom actions and integrate with AWS EventBridge. When a finding meets certain criteria (e.g., severity is CRITICAL and the finding type is unauthorised access), Security Hub can send an event to EventBridge. That event can trigger a Lambda function, an SNS notification, or an AWS Step Functions workflow. This enables automated remediation, for example, automatically isolating an EC2 instance that has a critical vulnerability.

Security Hub also supports cross-Region aggregation. You can designate one aggregation Region and send all findings from other Regions to that central Region. This provides a single dashboard view even if your workloads span multiple AWS Regions. However, note that findings are still generated locally and then forwarded, so latency is minimal.

From a security perspective, Security Hub itself integrates with AWS Identity and Access Management (IAM). You can use IAM policies to control who can view findings, enable standards, or configure integrations. The managed policy AWS managed SecurityHubReadOnlyAccess is commonly used for auditors, while SecurityHubFullAccess is for administrators.

Data storage follows AWS standard encryption practices. Findings are encrypted at rest using AWS managed keys (by default) or customer managed keys (CMK) via AWS Key Management Service. Data retention is automatic, findings older than 90 days are automatically deleted. You can also export findings to Amazon S3 for long-term retention or for use with external SIEM tools.

For performance, Security Hub is designed to handle millions of findings across thousands of accounts. It uses a tiered pricing model based on the number of compliance checks run and the number of findings ingested. The first 10,000 findings per account per month are free, and the first 100,000 compliance checks per account per month are free, making it accessible for small and large organisations alike.

In real IT implementations, Security Hub often serves as the central nervous system for a Security Operations Center (SOC). A typical deployment involves enabling Security Hub in all accounts via AWS Organizations, enabling the AWS Foundational Security Best Practices standard, integrating with GuardDuty and Inspector, and setting up automated response via EventBridge and Lambda. Security teams then use the Security Hub console or API to triage findings, track remediation, and generate compliance reports for auditors. Security Hub also integrates with AWS Security Lake for even deeper analytics.

Security Hub is not a threat detection service itself, it does not scan your network or logs. Instead, it is a collector and organiser. The actual detection comes from services like GuardDuty or Inspector. Security Hub’s value is in centralisation, prioritisation, and compliance automation. Without it, security teams would struggle to maintain visibility across multiple accounts and services, leading to missed threats and compliance gaps.

Real-Life Example

Think of Security Hub as the security dashboard in a large office building. The building has many different security systems: a key card system for the doors, a camera system in the hallways, a fire alarm system, a glass break detector, and a visitor log system. Each of these systems works independently and has its own screen. The security guard would have to walk from one monitor to another to check everything, which is slow and error-prone.

Now imagine the building installs a single, centralised security command center. All the different systems feed their data into one large screen. The screen shows a single list of events with colour-coded severity. Red means a critical alarm, like a door forced open. Yellow means a medium issue, like a camera that stopped recording. Green means everything is fine. The screen also shows a checklist of building safety standards, fire exits clear, sprinklers operational, emergency lights working. If any standard fails, a red indicator appears next to it.

This is exactly what Security Hub does for your AWS cloud environment. Instead of logging into GuardDuty to see threat alerts, into Inspector to see vulnerabilities, and into Macie to see data leaks, Security Hub brings them all into one screen. It colour-codes findings by severity and runs automatic compliance checks against industry standards like CIS and PCI DSS. Just like the building security guard can respond faster with a central dashboard, your cloud security team can respond faster to security issues with Security Hub.

the command center can be configured to automatically alert the police (in the real world) or trigger a Lambda function (in AWS) when a critical alarm goes off. For example, if a door sensor reports a breach, the central system can lock all other doors. Similarly, if Security Hub receives a finding of severity CRITICAL from GuardDuty, it can trigger an automatic action to isolate the compromised EC2 instance. This ability to automate response based on aggregated findings is one of the most powerful features of Security Hub.

Why This Term Matters

Security Hub matters because modern cloud environments are complex and distributed. A typical enterprise may have dozens or even hundreds of AWS accounts, each running multiple services across multiple Regions. Without a central tool, security teams would have to manually check each account and each service for threats and compliance. This is not only time-consuming but also dangerous, important findings can be missed, and compliance gaps can go unnoticed for months.

In practice, Security Hub solves three critical problems. First, it provides a single pane of glass for all security findings. This dramatically reduces the cognitive load on security analysts. Instead of switching between consoles, they work from one unified dashboard. This directly improves mean time to resolution (MTTR) because findings are seen sooner and prioritised correctly.

Second, it automates compliance monitoring. Auditors often require organisations to prove they meet standards like PCI DSS or CIS. Security Hub runs continuous checks and generates detailed reports. When an auditor asks, “Show me that your S3 buckets are not publicly accessible,” you can pull a report from Security Hub that shows the compliance status for every bucket across all accounts. This saves days of manual audit preparation.

Third, Security Hub enables automated response. By connecting Security Hub to EventBridge and Lambda, you can create automated workflows that respond to threats in real time. For example, if a finding indicates that an EC2 instance is communicating with a known malicious IP address, you can automatically quarantine the instance by applying a security group. This reduces the window of exposure from hours to seconds.

For IT professionals, failing to use Security Hub is like flying a plane without an instrument panel, you might be fine for a while, but eventually you will crash. It is a fundamental tool for any organisation serious about cloud security.

How It Appears in Exam Questions

Exam questions about Security Hub typically fall into three categories: identification, scenario-based, and integration.

In identification questions, the exam gives a description and asks which service it describes. For example: “Which AWS service provides a centralised view of security alerts and automates compliance checks against industry standards?” The answer is Security Hub. Another variant: “A company wants to aggregate security findings from multiple AWS accounts. Which service should they use?” Again, Security Hub.

Scenario-based questions are more complex. A typical scenario: “A security team manages 50 AWS accounts. They want to view all security findings from GuardDuty, Inspector, and Macie in a single dashboard. They also need to run compliance checks against the CIS AWS Foundations Benchmark. Which solution meets these requirements?” The answer usually involves enabling Security Hub, designating an administrator account, and enabling the CIS standard.

Another scenario: “A company wants automatically to isolate an EC2 instance when a critical vulnerability is detected. Which combination of AWS services should they use?” The answer: Security Hub (to aggregate the finding), EventBridge (to trigger an event), and Lambda (to run the remediation).

Troubleshooting-style questions: “A company enabled Security Hub but findings from GuardDuty are not appearing. What is the most likely cause?” Possible answers: Security Hub and GuardDuty are not enabled in the same Region; the member accounts have not accepted the invitation; or the GuardDuty integration is disabled in Security Hub settings.

You may also see questions about compliance. For example: “A company must comply with PCI DSS. Which Security Hub standard should they enable?” The answer is the PCI DSS standard. Another question: “How often does Security Hub run compliance checks?” The default is every 6 to 12 hours.

Finally, there are questions about the Administrator and Member model. For instance: “In a multi-account AWS Organization, who can view findings from all accounts?” The answer is the Security Hub administrator account. Be careful not to confuse this with the AWS Organizations management account, which may not automatically be the Security Hub administrator unless configured.

Some questions may try to confuse Security Hub with GuardDuty. Remember: GuardDuty detects threats, Security Hub aggregates and prioritises them. Do not mix them up.

Practise Security Hub Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: A company named BrightCloud operates an e-commerce platform on AWS. They have 20 AWS accounts: one for production, one for staging, one for development, and 17 for individual project teams. They also use AWS services like GuardDuty for threat detection, Inspector for vulnerability scanning, and Macie for sensitive data discovery. The security team is overwhelmed because each service has its own console, and they often miss critical alerts because they do not have time to check all of them.

Solution: The team decides to implement AWS Security Hub. They first designate the security account as the Security Hub administrator account. Then, using AWS Organizations, they enable Security Hub for all 20 accounts in a single action. They enable the CIS AWS Foundations Benchmark standard and the AWS Foundational Security Best Practices standard. They also enable the integrations with GuardDuty, Inspector, and Macie.

Now, the security team logs into the Security Hub console in the administrator account. They see a single dashboard showing all findings from all accounts, sorted by severity. They see that three EC2 instances have critical vulnerabilities from Inspector, one S3 bucket has a public access issue from GuardDuty, and two CloudTrail logs have misconfigured logging from the compliance checks. They can drill into each finding to see the specific resource, the account it belongs to, and the recommended remediation steps.

They also set up an EventBridge rule that triggers a Lambda function whenever a finding of severity CRITICAL is generated. The Lambda function automatically applies a quarantine security group to the affected EC2 instance. This reduces response time from hours to seconds.

Finally, when auditors arrive for a quarterly review, the team generates a compliance report from Security Hub that shows a 98% pass rate for the CIS benchmark. They can show which controls failed and what actions were taken. The audit goes smoothly because they have continuous, automated evidence.

This scenario demonstrates how Security Hub transforms a chaotic, multi-account security environment into a manageable, automated, and compliant one.

Common Mistakes

Thinking Security Hub is a threat detection service like GuardDuty.

Security Hub does not detect threats; it only aggregates findings from other services. It relies on GuardDuty, Inspector, Macie, and partners to generate the actual findings.

Remember: Security Hub is a collector and organiser, not a detector. It is the dashboard, not the camera.

Enabling Security Hub in only one account while expecting to see findings from all accounts in an AWS Organization.

Without designating a Security Hub administrator account and enabling member accounts, each account will only see its own findings. You must configure the administrator/member model to see cross-account findings.

Enable Security Hub in the management account or a delegated administrator account, then use AWS Organizations to enable it across all member accounts.

Assuming Security Hub automatically remediates all critical findings by default.

Security Hub does not take automated action by itself. You must manually configure EventBridge rules and Lambda functions (or other targets) to automate response.

Security Hub only provides the finding. For automation, you must build the workflow using EventBridge and Lambda or use third-party SOAR tools.

Believing that Security Hub checks compliance only once after you enable a standard.

Security Hub runs compliance checks continuously, every 6 to 12 hours by default, and also on demand. It rechecks resources whenever changes are made.

Security Hub provides ongoing compliance monitoring, not a one-time audit.

Confusing Security Hub with AWS Config.

AWS Config tracks resource configuration changes and can trigger rules, but it does not aggregate findings from multiple security services. Security Hub is specifically for security findings and compliance checks against security standards.

AWS Config is for configuration history and compliance, while Security Hub is for security findings and security-centric compliance. They complement each other.

Thinking Security Hub works in all Regions automatically.

Security Hub is a Regional service. You must enable it in each Region where you want to collect findings. However, you can use cross-Region aggregation to centralise all findings in one Region.

Enable Security Hub in the desired Regions, then configure cross-Region aggregation if you want a single dashboard.

Exam Trap — Don't Get Fooled

{"trap":"The exam asks: 'Which service provides a single view of security alerts and compliance status?' The answer choices include GuardDuty, Inspector, Security Hub, and AWS Config. A learner might choose GuardDuty because it is familiar, but GuardDuty only provides threat alerts, not compliance checks."

,"why_learners_choose_it":"Learners often confuse GuardDuty and Security Hub because both deal with security information. GuardDuty is widely promoted and its name suggests security monitoring. Many learners do not realise that Security Hub is specifically designed to be the central aggregator."

,"how_to_avoid_it":"Remember the key differentiator: GuardDuty is a detection service, Security Hub is an aggregation and compliance service. If the question mentions 'compliance standards' (CIS, PCI DSS) or 'multiple sources of findings', the answer is always Security Hub. If it mentions 'threat detection' or 'unusual behaviour', it is GuardDuty."

Commonly Confused With

Security HubvsGuardDuty

GuardDuty is a threat detection service that uses machine learning to identify suspicious activity. Security Hub is an aggregation service that collects findings from GuardDuty and other tools. GuardDuty produces findings, Security Hub consumes them. Think of GuardDuty as a security camera and Security Hub as the central monitoring station.

A GuardDuty finding says 'EC2 instance is communicating with a known malicious IP'. That finding appears in Security Hub alongside findings from other services.

Security HubvsAWS Config

AWS Config tracks resource configuration changes and evaluates them against rules, but it is not specific to security threats. Security Hub focuses solely on security findings and compliance with security standards like CIS and PCI DSS. AWS Config can feed into Security Hub via its own conformance packs, but they serve different primary purposes.

AWS Config might detect that an S3 bucket changed from private to public. Security Hub would then pick up that finding and classify it as a security issue against the CIS benchmark.

Security HubvsAmazon Inspector

Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and network reachability issues. Security Hub does not perform scans; it only collects the scan results from Inspector. Inspector is a detection tool, Security Hub is an aggregation tool.

Inspector finds a critical CVE in an EC2 instance. It sends that finding to Security Hub, where it appears alongside other security alerts.

Security HubvsAWS Security Lake

AWS Security Lake is a data lake service that centralises security logs and data from multiple sources for long-term storage and analysis. Security Hub centralises real-time findings and compliance status. Security Lake is for deep analytics and forensic investigation, while Security Hub is for operational monitoring and response.

Security Hub shows a current alert about a compromised instance. Security Lake stores the historical logs from that instance for later forensic analysis.

Microsoft Defender for Cloud is the equivalent service in Azure. It provides centralised security management and compliance monitoring for Azure resources. The concept is the same, but it is specific to the Azure ecosystem. Security Hub is for AWS.

If you manage both AWS and Azure, you would use Security Hub for AWS and Defender for Cloud for Azure. There is no single cross-cloud tool that does both natively.

Step-by-Step Breakdown

1

Enable Security Hub

You start by enabling Security Hub in your AWS account (or administrator account). This activates the service and creates a default finding history. You can do this via the console, CLI, or API.

2

Designate an Administrator Account

If you manage multiple accounts via AWS Organizations, you designate one account as the Security Hub administrator. This account can view and manage findings from all member accounts. Member accounts must accept the invitation or be auto-enabled.

3

Enable Compliance Standards

Security Hub offers several standards: CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices. You enable the ones relevant to your organisation. Security Hub then runs automated checks against these standards.

4

Enable Service Integrations

You enable integrations with AWS services like GuardDuty, Inspector, Macie, and Firewall Manager. These services will automatically send findings to Security Hub. For third-party integrations, you may need to configure API access.

5

Review Findings in the Dashboard

Once integrations are active, findings appear in the Security Hub dashboard. You can filter by severity, account, Region, or finding type. You can also create insights to group related findings (e.g., all findings for a particular resource).

6

Set Up Automated Response (Optional)

You can create custom actions in Security Hub that trigger EventBridge events. For example, when a finding of severity CRITICAL arrives, an EventBridge rule can invoke a Lambda function to quaranatine the resource or send a notification to the security team via SNS.

7

Configure Cross-Region Aggregation (Optional)

If you operate in multiple AWS Regions, you can configure cross-Region aggregation. You designate one Region as the aggregation Region, and all findings from other Regions are forwarded to it. This gives you a single global view.

8

Export Findings for Archival or SIEM

Security Hub findings are retained for 90 days. For longer retention or integration with external SIEM tools, you can export findings to an S3 bucket. You can also use AWS Security Lake for more advanced analytics.

9

Generate Compliance Reports

For audits or internal reviews, you can generate compliance reports from Security Hub that show pass/fail status for each control in the enabled standards. These reports can be exported as CSV or PDF.

10

Continuously Monitor and Improve

Security Hub runs compliance checks automatically and continues to receive findings. You should regularly review the dashboard, address failed controls, and refine your incident response procedures.

Practical Mini-Lesson

As a security professional, deploying Security Hub is often one of the first steps you take when setting up a secure AWS environment. The real-world implementation involves more than just clicking “enable”, you need to plan your multi-account strategy, choose the right standards, and build a response workflow.

First, decide which account will be the Security Hub administrator. This should be a security-dedicated account that has privileged access to all member accounts. You do not want to use the root management account of your AWS Organization because that account has too much power and should not be used for daily operations. Instead, you delegate security administration to a separate account using AWS Organizations.

Second, when enabling Security Hub at scale, use AWS CloudFormation StackSets or the AWS Organizations API to enable Security Hub across all accounts in all Regions you care about. Doing this manually for hundreds of accounts is error-prone. Automate it using Infrastructure as Code.

Third, choose your compliance standards wisely. If your organisation is not subject to PCI DSS, do not enable that standard, it will generate findings for resources that are not relevant, creating noise. Start with the AWS Foundational Security Best Practices standard, which covers the most common security issues like S3 bucket public access, encryption, and IAM usage. Then add CIS if you need a more rigorous framework.

Fourth, integrate with GuardDuty and Inspector immediately. These are the two most common sources of findings. Also consider integrating Macie if you handle sensitive data. For third-party tools, ensure they use the ASFF format for findings; otherwise, you may need a custom integration.

Fifth, build a response plan. Even the best findings are useless if nobody acts on them. Use EventBridge to route critical findings to a ticketing system, a security chatbot, or an automated remediation function. Start with the most critical findings (severity CRITICAL) and expand over time. Test your automation in a non-production environment before rolling out.

Common pitfalls: forgetting to enable cross-Region aggregation leads to a fragmented view. Not enabling the administrator/member model leaves each account isolated. Over-enabling standards creates too many low-severity findings that desensitise the security team. Failing to monitor Security Hub itself means you might not know if the service stops receiving findings.

Troubleshooting: if findings are missing, check that both Security Hub and the source service (like GuardDuty) are enabled in the same Region. Verify that the integrations are enabled in Security Hub settings. Check IAM permissions, the source service must have permission to write findings to Security Hub. If you use cross-Region aggregation, verify that aggregation is configured correctly and that the destination Region is active.

Finally, remember that Security Hub is not a replacement for a proper SIEM. For long-term analysis, threat hunting, and correlation across months or years, you need a SIEM like Splunk or Azure Sentinel, or a specialised data lake like AWS Security Lake. Security Hub is for real-time operational security, not deep historical analysis.

How Security Hub Cost and Billing Consolidation Works

Security Hub is a cloud security posture management (CSPM) service that aggregates and prioritizes security findings from multiple AWS services, third-party tools, and integrated partner solutions. Understanding the cost structure of Security Hub is critical for both the AWS Cloud Practitioner and AWS SysOps Administrator exams, as well as for broader cost-management discussions in security and billing contexts.

Security Hub pricing is based on the number of security checks performed per account per region, along with the ingestion of findings. AWS offers a free trial of 30 days, after which you are billed per 100,000 checks per month. The exact rate varies by region and is published on the AWS pricing page. Importantly, there is a tiered discount structure: the first 100,000 checks are free (for the free tier or as part of the default included checks), and then you pay a flat rate per 100,000 checks thereafter. This means organizations with many accounts and heavy security configuration scanning can incur significant costs.

One key exam-relevant point is that Security Hub can be integrated with AWS Organizations, allowing you to enable Security Hub across all accounts in an organization using a single delegated administrator account. This dramatically reduces operational overhead, but it also centralizes billing. When using Organizations, the billing is still per account per region, but the delegated admin can view all findings from a single pane of glass. From a billing perspective, the consolidated billing feature of AWS Organizations does not necessarily aggregate Security Hub usage into a single bill line item per service; each member account's usage is still tracked and billed to the payer account. However, the payer account can see the aggregated spend in the Billing and Cost Management console.

For cost optimization, candidates should know that you can disable Security Hub in regions where you have no workload, or you can limit its integration to only essential findings. Also, you can set up AWS Budgets to alert you when costs exceed a threshold. Another cost-control mechanism is the ability to selectively enable or disable specific security standards (such as CIS, PCI DSS, or AWS Foundational Security Best Practices). Each standard runs checks, and disabling unnecessary standards reduces the number of checks performed, thus lowering costs. This is tested in the AWS SysOps Administrator exam where you must balance compliance requirements with cost.

Security Hub offers a finding aggregation feature across regions (cross-region aggregation) for an additional cost because it involves data transfer and reprocessing. You should evaluate whether this is truly needed for your compliance reporting. The AWS Cloud Practitioner exam often includes questions about which AWS service provides a single dashboard for security findings (Security Hub) and how costs are incurred per check.

Finally, remember that Security Hub does not have a separate charge for the storage of findings beyond the 90-day default retention. However, if you choose to export findings to Amazon S3, Amazon CloudWatch, or third-party SIEMs, you incur standard storage and data transfer costs. The exam may present scenario where you must recommend a cost-saving measure such as reducing the retention period of findings in S3 or using S3 lifecycle policies. Understanding these cost drivers is essential for the Security and Billing category.

Security Hub Finding States and Lifecycle Management

Security Hub findings go through a defined lifecycle, and understanding these states is crucial for both the CompTIA Security+ and CySA+ exams, as well as the AWS Security specialty exams. Each finding has a workflow status that helps security teams track its remediation progress. The primary states are NEW, NOTIFIED, SUPPRESSED, and RESOLVED.

When a security check first detects an issue, the finding is created with a status of NEW. This is the initial state and indicates that the finding has not been reviewed. Security analysts then typically review the finding and can update the workflow status. The NOTIFIED status is used when the analyst has acknowledged the finding and has notified the responsible team or ticketed it. This is a transitional state to avoid re-review of the same issue. The RESOLVED status is set when the underlying issue has been fixed and verified. Security Hub automatically re-evaluates the security check; if the issue is resolved, the finding stays RESOLVED, but if the issue persists, the finding may be left as NEW again or the status can be manually set back.

A very important state for the exam is SUPPRESSED. Suppressed findings are those that you have decided to ignore or consider acceptable risks. This is a powerful feature to reduce noise. You can create suppression rules based on criteria like finding type, severity, or resource ID. When a finding is suppressed, it is hidden from the default findings list, but it still exists in the database and can be viewed if you filter for suppressed findings. However, note that suppressed findings do not contribute to the security score or to compliance reports. This is a common exam scenario: a customer wants to ignore low-severity findings from a specific internal test account, and the solution is to create a suppression rule.

Another lifecycle element is the finding record update. When a security check runs again (e.g., every 12 or 24 hours depending on the standard), Security Hub updates the finding if the compliance status has changed. For example, if a resource previously failed a CIS check but is now compliant, the finding's status changes to PASSED and the workflow status can be set to RESOLVED. This automatic update is part of the continuous compliance monitoring feature.

For the Security+ exam, you need to know that findings can be exported to AWS Security Lake or to a third-party SIEM like Splunk for long-term retention and analysis. The lifecycle also relates to the 90-day retention policy for findings in Security Hub. After 90 days, findings are automatically deleted unless you have configured an export to S3. This is tested in the MS-102 and SC-900 exams where you might need to set up retention policies.

The state of a finding also impact the overall security score. Security Hub aggregates findings into a security score that is calculated based on the number of passed versus failed checks. Suppressed and resolved findings are excluded from the failure count, thus improving the score. This score is a key metric for compliance dashboards and is covered in the CISSP exam where the concept of metrics-driven security management is emphasized.

mastering finding states and their lifecycle allows administrators to efficiently manage security alerts, prioritize remediation, and maintain accurate compliance reporting. The exam questions often ask which status to apply when a finding is acknowledged but not yet fixed (NOTIFIED) or when you want to permanently ignore a finding (SUPPRESSED).

Security Hub Integration with AWS Services for Compliance

Security Hub is a central hub for security findings and compliance. It integrates deeply with other AWS services to provide a unified view of your security posture. This integration is a core topic for the AWS Solutions Architect Associate (SAA), SysOps, and the Microsoft security exams (SC-900, MS-102) where cross-platform security management is examined.

The most fundamental integration is with AWS Config. Security Hub uses AWS Config as the underlying resource configuration recorder. Security Hub runs security checks that evaluate AWS Config rules and resource configurations. When a resource fails a rule, AWS Config sends an event to Security Hub, which then creates or updates a finding. Without AWS Config enabled, many Security Hub checks will fail to run. This is a common troubleshooting point in exams: if Security Hub reports no findings or a standard shows "error" status, it often indicates that AWS Config is not enabled or is not recording resources in that region.

Another key integration is with Amazon GuardDuty. GuardDuty provides threat detection findings such as suspicious API calls, unauthorized access, or compromised instances. These findings are automatically ingested into Security Hub as Security Hub findings. This allows you to see both compliance-related issues (from Security Hub checks) and threat-related findings in one dashboard. The exam often tests that GuardDuty findings appear in Security Hub without additional configuration.

Similarly, Amazon Inspector findings (vulnerability scans on EC2 instances and container images) are integrated. When Inspector detects a software vulnerability or network reachability issue, the finding is sent to Security Hub. The SysOps exam may ask you to correlate a failed compliance check with a vulnerability reported by Inspector.

For the billing and cost management angle, Security Hub integrates with AWS Budgets and AWS Cost Explorer. Security Hub does not directly have a cost API, but you can create budgets that track the spend on Security Hub itself by using the service name. Also, Security Hub findings related to billing (e.g., finding for unused resources) are possible through custom integrations.

Third-party integrations are also supported via the AWS Security Finding Format (ASFF). Many popular security tools like Palo Alto Networks Cortex XSOAR, Splunk, and ServiceNow can receive findings from Security Hub or send findings to it. This is important for the CISSP and Security+ exams because the concept of a security information and event management (SIEM) or security orchestration automation and response (SOAR) system integrates with Security Hub.

In the AWS environment, the integration with AWS Lambda is also important for automated remediation. You can set up EventBridge rules that trigger a Lambda function whenever a specific finding is created. For example, if a finding says an S3 bucket is publicly accessible, you can automate remediation to block public access. This is a common scenario in the Security Specialty and SAA exams.

Finally, Security Hub integrates with AWS Organizations to enable multi-account management. The delegated administrator can enable Security Hub for all accounts with a single API call. This is essential for exam questions about centralized security management across hundreds of accounts. Without this integration, you would need to manually enable Security Hub in each account and region, which is operationally prohibitive.

Understanding these integrations is vital for compliance frameworks such as PCI DSS or HIPAA, where you must demonstrate that you have a central monitoring system. The exam may present a scenario where you need to choose which services to integrate to get a complete picture of security (answer: GuardDuty, Inspector, and AWS Config).

Interpreting the Security Hub Security Score for Compliance Reporting

The Security Hub security score is a numeric representation of your overall compliance posture across enabled standards. It is calculated as the percentage of passed security checks out of all applicable checks (excluding suppressed findings). For example, if you have 200 checks that apply to your account and 150 pass, the score is 75%. This score is updated every time a check runs or a finding changes status.

The score is not a simple average across standards; each standard has its own score, and the overall score is an aggregate. The exam (AWS Cloud Practitioner and SAA) often tests that the score is based on the number of passed checks divided by the total number of checks that were actually evaluated. Note that not all checks apply to every resource; for instance, a check for RDS encryption might only apply if you have RDS instances. Unapplicable checks are excluded from the denominator.

A low security score indicates a high number of failures, which can impact compliance certification audits. The exam may ask how to improve the score: you must address the failed findings by either remediating the underlying resource configuration, suppressing the finding if it is a false positive, or resolving it. Simply changing the workflow status to RESOLVED without fixing the resource does not permanently improve the score because the next check will revert the status unless the resource is actually compliant.

For the CySA+ and Security+ exams, you might need to interpret a scenario where the security score drops suddenly. This could happen if a new standard is enabled (increasing the number of checks) or if a large number of resources are created without proper security configurations. Another reason could be that a previous suppression rule was removed, causing old findings to become active again.

In the context of compliance reporting, the security score can be exported as a metric to Amazon CloudWatch, allowing you to set up alarms when the score drops below a threshold (e.g., below 90%). This is common in SOC environments. The SC-900 exam (Microsoft Security, Compliance, and Identity Fundamentals) often contrasts AWS Security Hub's security score with Microsoft 365 Secure Score, but the concept is similar.

One nuance is that the security score does not include findings from third-party integrations by default-only checks from the enabled AWS security standards (CIS, PCI DSS, FSBP) are counted. However, third-party findings can be manually included if you use custom insights, but they won't affect the score directly.

For the CISSP exam, the security score is an example of a key performance indicator (KPI) for security governance. You should be able to explain that it measures the percentage of compliance, not absolute risk. A high score does not guarantee that there are no security vulnerabilities; it only indicates that the configured security checks have passed. Therefore, a defense-in-depth approach is still necessary.

The exam frequently features a question where you must choose the right action to increase the score: usually, you either remediate the failed resources or adjust the suppression rules. Understanding the scoring algorithm is key: using the automatic remediation with AWS Config rules or Lambda functions is the best long-term solution. Also note that disabling a standard in Security Hub will remove those checks from the score calculation entirely, which can artificially inflate the score if you disable a strict standard. But that is not a recommended practice unless the standard is not required.

Ultimately, the security score is a powerful communication tool for management and auditors. Candidates for the AWS SAA and SysOps exams should be comfortable interpreting the score dashboard and recommending actions to improve it.

Troubleshooting Clues

No findings appear in Security Hub dashboard

Symptom: After enabling Security Hub, the findings list remains empty even though resources exist.

Security Hub requires AWS Config to be enabled in the same region and recording resources. If AWS Config is off, security checks cannot run and no findings are generated. Also, the security standards need to be enabled (default enabled). Another possibility is that you are looking at a region where Security Hub is not enabled.

Exam clue: The exam often presents this exact scenario and asks why no findings appear. The answer is 'AWS Config is not enabled'.

Security Hub shows 'Error' status for a security standard

Symptom: One or more security standards (e.g., CIS, FSBP) show status 'Error' instead of 'Active' or 'Enabled'.

This happens when the underlying AWS Config rules or resources needed to run the checks are missing. For example, the CIS standard requires AWS Config advanced queries enabled. If the region does not support AWS Config advanced queries, the standard fails to initialize. Another cause: the service-linked role for Security Hub is missing or has insufficient permissions.

Exam clue: A troubleshooting question might ask how to fix a standard showing error. You should re-enable the standard or verify AWS Config setup.

Security score calculated as 0%

Symptom: The security score shows 0% even though there are many findings.

The security score is calculated only for checks that have been evaluated. If no checks have run (e.g., newly enabled Security Hub within the first hour), the score will display 0% temporarily. Also, if all findings are suppressed, the score excludes them, but the denominator might be zero, leading to 0% calculation. Alternatively, if no security standards are enabled, there are no checks to score.

Exam clue: Exam may ask why the security score is 0% despite many findings. The answer is often that no standards are enabled, or the initial evaluation hasn't completed.

Cross-region aggregation not working

Symptom: After enabling cross-region aggregation, findings from other regions are still not visible in the aggregator region.

Cross-region aggregation must be configured using the Security Hub console or API (update-finding-aggregator). It requires that Security Hub is enabled in all regions you want to aggregate. All regions must be part of the same AWS Organization or the member accounts must have accepted the admin invitation. Region linking mode must be set to ALL_REGIONS or SPECIFIC_REGIONS.

Exam clue: The SAA exam may test that you need to enable Security Hub in all regions first before aggregation works. A common distractor is thinking it works automatically.

Findings from GuardDuty or Inspector not appearing in Security Hub

Symptom: GuardDuty shows findings in its own console, but those same findings are not visible in Security Hub.

Security Hub automatically receives findings from GuardDuty and Inspector only if those services are enabled in the same region and account, and if Security Hub has permissions to ingest them. The integration is automatic, but occasionally the service-linked role may have been modified or deleted. Refresh the integration by disabling and re-enabling the integration in the Security Hub console for that product.

Exam clue: A common error in the SysOps exam: GuardDuty enabled but no findings in Security Hub. You should check the integration status or re-enable it.

Unable to suppress findings - suppression rule not working

Symptom: After creating a suppression rule, the finding still appears in the default findings list.

Suppression rules must be created at the account and region level. A common mistake is using a wrong filter criteria (e.g., misspelling the finding type). Also, suppression rules only suppress new findings created after the rule was saved; existing findings might still be visible unless you manually update them. Suppression rules do not affect findings that were already created with a workflow status of NEW or NOTIFIED.

Exam clue: The Security+ exam may test that suppression rules apply only to new findings unless you batch-update existing ones. You must use batch-update-findings to suppress existing findings.

Security Hub causing high bill unexpectedly

Symptom: Monthly bill shows a large increase attributed to Security Hub without a proportional increase in account numbers.

High costs typically come from a high number of security checks, which can happen if you enabled all standards across many regions, or if many resources are being evaluated. Another cause is excessive finding ingestion from third-party tools (which have their own cost per finding). Also, cross-region aggregation incurs data transfer costs. Further, if you have many member accounts, each pays per check, but aggregated to payer account.

Exam clue: The Cloud Practitioner exam may ask for a cost-reduction strategy: disable unnecessary standards, or reduce the number of regions where Security Hub is enabled.

Memory Tip

Think of the acronym SHIELD: Security Hub Is Everyone's Logical Dashboard. It collects from other services.

Learn This Topic Fully

This glossary page explains what Security Hub means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.Which AWS service must be enabled in a region for Security Hub to successfully run its security checks and generate findings?

2.An administrator wants to reduce the number of false positive findings in Security Hub without deleting the findings. Which workflow status should they use?

3.A company has enabled Security Hub in the us-east-1 region and wants to see security findings from all other regions in a single dashboard. What must be configured?

4.Which of the following is an accurate statement about Security Hub pricing?

5.An organization uses AWS Organizations with 100 member accounts. They want to enable Security Hub centrally with minimal operational overhead. Which approach should they use?

6.A Security Hub finding is marked as RESOLVED by an analyst after the resource was temporarily fixed. However, the next day the finding re-appears as NEW. What is the most likely cause?

Frequently Asked Questions

Is Security Hub free to use?

Security Hub has a free tier that includes the first 10,000 findings per account per month and the first 100,000 compliance checks per account per month. Beyond that, there are costs based on additional findings and checks. Check the current AWS pricing page for exact rates.

Can Security Hub aggregate findings from on-premises resources?

Not directly. Security Hub is designed for AWS resources. However, if you have a third-party security tool that runs on-premises and can send findings using the AWS Security Finding Format (ASFF) via the API, then those findings can appear in Security Hub.

How do I enable Security Hub in multiple accounts?

If you use AWS Organizations, you can enable Security Hub for all accounts from the administrator account. Alternatively, you can use AWS CloudFormation StackSets to deploy Security Hub across accounts. Each member account must accept the invitation to join.

Can Security Hub automatically fix compliance issues?

Security Hub does not auto-remediate by itself. However, you can use EventBridge to trigger Lambda functions that perform remediation actions based on findings. For example, you can automatically remove public access from an S3 bucket if a compliance check fails.

What is the difference between a finding and an insight?

A finding is a single security issue or compliance failure. An insight is a grouping of related findings, such as all findings for a particular resource type or account. Insights help you see patterns and prioritise.

How long does Security Hub retain findings?

Security Hub retains findings for 90 days. After that, they are automatically deleted. If you need longer retention, you must export findings to Amazon S3 or to a SIEM tool.

Does Security Hub work in all AWS Regions?

Security Hub is available in most commercial AWS Regions, but not all. You should check the AWS Regional Services list. In Regions where it is not available, you cannot use it. Use the cross-Region aggregation feature to centralise data from supported Regions.

Do I need to enable Security Hub in every Region separately?

Yes, Security Hub is a Regional service. You must enable it in each Region where you want to collect findings. You can use cross-Region aggregation to send all findings to a central Region for a unified view.

Summary

Security Hub is a fundamental AWS service for any organisation serious about cloud security. It solves the critical problem of visibility in multi-account, multi-service environments by providing a single dashboard for all security findings and automated compliance checks. It is not a detection tool itself; instead, it aggregates from services like GuardDuty, Inspector, and Macie, as well as third-party partners. It supports major compliance frameworks including CIS, PCI DSS, and AWS Foundational Security Best Practices, running continuous checks to keep you audit-ready.

From an exam perspective, Security Hub appears in AWS Cloud Practitioner, Solutions Architect, and SysOps exams, often in questions about centralised security management, compliance automation, and multi-account architectures. Understanding the difference between Security Hub and other security services (GuardDuty for detection, Inspector for vulnerability scanning) is crucial to avoid common traps.

For IT professionals, the practical takeaway is this: if your organisation uses AWS, enable Security Hub as soon as possible. Designate an administrator account, enable the appropriate compliance standards, integrate with your existing security services, and set up automated response for critical findings. This will dramatically reduce the time to detect and respond to threats, keep you compliant with industry standards, and simplify the work of your security team. Security Hub is not just a nice-to-have, it is a best practice core to the AWS Well-Architected Framework.

Remember the central role of Security Hub: it is the control tower for your cloud security, giving you the visibility and control you need to protect your assets.