This chapter covers AWS Security Hub, a centralized security service that aggregates, organizes, and prioritizes security alerts from multiple AWS services and third-party tools. Understanding Security Hub is critical for the CLF-C02 exam as it falls under Domain 2: Security and Compliance (approximately 25% of the exam). This objective tests your ability to identify the right service for centralized security management and compliance monitoring. You'll learn how Security Hub works, its key features, and how it differs from other security services.
Imagine your company has multiple security systems: an alarm on each door, motion sensors in hallways, cameras in the parking lot, and a separate fire alarm system. Each system works independently, but they all generate alerts. Without a central command center, security guards must check each system separately, leading to missed threats and alert fatigue. AWS Security Hub acts as that central command center. It aggregates security findings from various AWS services (like GuardDuty, Inspector, Macie) and third-party tools into one unified dashboard. It also applies automated compliance checks against standards like CIS AWS Foundations and PCI DSS. Just as a command center correlates a broken window sensor with a camera feed to confirm a break-in, Security Hub correlates findings to reduce noise and highlight critical issues. It also provides a single place to take action, like automatically triggering a Lambda function to remediate a threat. Without it, you'd be overwhelmed by scattered alerts and miss the big picture of your security posture.
What is AWS Security Hub and the Problem It Solves
AWS Security Hub is a cloud security posture management (CSPM) service that provides a comprehensive view of your security state across AWS accounts and regions. It solves the problem of fragmented security visibility. In a typical AWS environment, you might enable multiple security services: Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scans, Amazon Macie for sensitive data discovery, AWS Firewall Manager for firewall rules, and AWS Health for service health events. Each service generates findings (security alerts) independently. Without a central aggregator, security teams waste time switching between consoles, miss correlations between findings, and struggle to prioritize remediation.
Security Hub centralizes these findings into a single dashboard. It also runs continuous automated compliance checks against industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark, AWS Foundational Security Best Practices, and Payment Card Industry Data Security Standard (PCI DSS). It provides a consolidated score (a percentage) that measures your overall security posture against these standards.
How Security Hub Works
Security Hub works through a multi-step mechanism:
Enablement: You enable Security Hub in each AWS Region where you want centralized visibility. It is a regional service, but you can use AWS Organizations to enable it across all accounts in your organization automatically.
Finding Ingestion: Security Hub ingests findings from enabled AWS services and third-party partners. For AWS services, findings are sent via a cross-service integration. For example, when GuardDuty detects an EC2 instance communicating with a known malicious IP, it automatically sends that finding to Security Hub. For third-party tools (e.g., Palo Alto Networks, Check Point, Trend Micro), findings are sent via the AWS Security Finding Format (ASFF) – a JSON schema that standardizes findings.
Compliance Checks: Security Hub runs automated compliance checks based on enabled standards. For example, the CIS AWS Foundations Benchmark includes checks like "Ensure IAM password policy requires at least one uppercase letter" or "Ensure S3 buckets are not publicly accessible." Each check passes or fails, and results are stored as findings.
Finding Aggregation: All findings, whether from integrated services or compliance checks, are aggregated in Security Hub. They are normalized into a consistent format (ASFF) with fields like Severity (0.0 to 10.0), Resource, Region, Timestamp, and Remediation recommendations.
Prioritization and Correlation: Security Hub uses the severity score to prioritize findings. It also provides insights – automated queries that highlight common patterns, like all findings from a specific resource type. You can create custom insights to filter findings by any attribute.
Response and Remediation: Security Hub integrates with AWS Lambda and Amazon EventBridge to automate responses. For example, you can create a rule that triggers a Lambda function to isolate an EC2 instance when a critical finding appears. You can also send findings to ticketing systems like Jira or SIEM tools like Splunk via EventBridge.
Key Tiers, Configurations, and Pricing
Security Hub has two tiers: Free Tier and Paid Tier.
Free Tier: Includes 30 days of findings history, basic compliance checks for one standard (CIS AWS Foundations), and up to 10,000 finding ingestion events per account per month. No cost for the first 30 days.
Paid Tier: After the free tier, you pay per finding ingestion event ($0.000026 per finding event per region, as of 2025). Compliance checks are charged per check per account per region (e.g., $0.001 per check for CIS). The cost is typically low for small environments but can scale with many accounts and regions.
Configurations:
Standards: You can enable or disable specific compliance standards. By default, the AWS Foundational Security Best Practices standard is enabled. You can also add CIS and PCI DSS.
Insights: Pre-built and custom insights help you analyze findings. You can create up to 100 custom insights per region.
Integration: You can enable or disable specific integrations (e.g., GuardDuty, Inspector, Macie). All integrations are enabled by default.
Cross-Region Aggregation: You can designate a single region (e.g., us-east-1) as an aggregation region to view findings from all regions in one place. This is critical for multi-region deployments.
Comparison to On-Premises or Competing Approaches
On-premises, you might use a SIEM like Splunk or an open-source tool like ELK stack to aggregate logs and alerts. However, those require significant setup, maintenance, and custom parsing. Security Hub is a managed service that automatically ingests findings from AWS services without custom connectors. It also includes built-in compliance checks that map to AWS best practices, which on-premises tools lack without manual configuration.
Competing cloud-native options include:
Azure Security Center: Similar CSPM for Azure.
Google Cloud Security Command Center: Similar for GCP.
Third-party CSPM tools like Prisma Cloud or CrowdStrike Falcon: These can also aggregate findings but require agent installation and additional licensing.
Security Hub’s advantage is its deep integration with AWS services and its pay-per-use pricing. However, it is not a SIEM; it does not store raw logs. For log analytics, you need Amazon GuardDuty (for threat detection) and Amazon CloudWatch Logs or Amazon Athena for querying. Security Hub focuses on findings, not raw data.
When to Use Security Hub vs Alternatives
Use Security Hub when you need centralized security visibility across multiple AWS accounts and regions, automated compliance checks against industry standards, and a single pane of glass for AWS security findings. It is ideal for organizations with many accounts (e.g., 50+) or regulatory requirements like PCI DSS.
Do not use Security Hub as a replacement for GuardDuty (threat detection), Inspector (vulnerability scanning), or Macie (data classification). Those services generate findings that Security Hub consumes. You still need them for their specific purposes.
Use AWS Config for resource configuration history and compliance rules (e.g., S3 bucket encryption). Security Hub and AWS Config complement each other: Security Hub checks are higher-level (CIS, PCI), while AWS Config rules are custom or AWS-managed rules for specific resource configurations.
Use Amazon Detective for deep investigation of security findings, not for aggregation. Security Hub gives you the alert; Detective helps you analyze the root cause.
Limits and Defaults
Findings are retained for 90 days in the paid tier (30 days in free tier).
Security Hub can ingest up to 1,000 findings per second per account per region.
Maximum 100 custom insights per region.
Maximum 10,000 findings in a single API response.
Compliance checks run every 12 hours by default (can be triggered on-demand via API).
Example CLI Command to Enable Security Hub
aws securityhub enable-security-hub --region us-east-1 --enable-default-standards
This enables Security Hub in the specified region with the default standards (AWS Foundational Security Best Practices). To add the CIS standard (the parameter takes a list of subscription requests; CIS v1.2.0 is identified by a ruleset ARN with no region, whereas the v1.4.0 standard uses a regional standards ARN):
aws securityhub batch-enable-standards --region us-east-1 --standards-subscription-requests '[{"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"}]'
Summary of Core Mechanism
Security Hub is not a detection service; it is a central aggregator and compliance checker. It makes security manageable by reducing noise, providing context, and enabling automated actions. For the CLF-C02 exam, remember: Security Hub = central dashboard for security findings + compliance checks.
Enable Security Hub in AWS Console
Navigate to the AWS Security Hub console and click 'Get started'. Choose the region where you want to centralize findings. You can enable it in multiple regions, but for cross-region aggregation, designate one aggregation region. During setup, you select which compliance standards to enable (default is AWS Foundational Security Best Practices). AWS then creates a service-linked role (AWSServiceRoleForSecurityHub) that allows Security Hub to access findings from other services. This step takes about 5 minutes. Behind the scenes, Security Hub sets up internal queues and databases to store findings and check results. After enablement, it immediately starts ingesting findings from any already-enabled integrated services in that region.
Configure Integrated Services to Send Findings
Security Hub automatically integrates with several AWS services: GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, and AWS Health. No manual configuration is needed for these – once you enable Security Hub, it subscribes to the findings stream. For third-party tools, you need to configure the tool to send findings in ASFF format via API. For example, you might configure a Palo Alto Networks firewall to forward security events to Security Hub. To verify integration, go to the 'Integrations' page in Security Hub console. You can also disable specific integrations if you don't want findings from a particular service. AWS periodically updates the list of integrated services.
Review Findings in the Security Hub Dashboard
Once findings start flowing, the Security Hub dashboard shows a summary: total findings, severity breakdown (critical, high, medium, low), and compliance scores. The 'Findings' page lists individual findings with details like resource ID, region, and remediation steps. You can filter by severity, status (new, in progress, resolved), and integration. Each finding has a unique ARN. The dashboard also shows the 'Security Hub Score' – a percentage based on the pass/fail rate of enabled compliance checks. For example, if you have 100 checks and 80 pass, the score is 80%. This score is a key metric for executives. You can also create custom insights to group findings by common attributes, like all findings from a specific account or resource type.
Set Up Automated Response Using EventBridge
To automate remediation, create an Amazon EventBridge rule that matches Security Hub findings. For example, a rule that triggers on any finding with severity 'CRITICAL' from GuardDuty. The target can be an AWS Lambda function that isolates the EC2 instance, or an SNS topic to notify the security team. EventBridge receives findings in near-real time (within minutes). You can also send findings to a third-party SIEM via EventBridge. This step reduces manual effort. For example, a common pattern is to trigger a Lambda function that automatically applies a security group to block malicious traffic. The CLF-C02 exam tests understanding that Security Hub integrates with EventBridge for automated responses.
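The rule described in this step and in step 6 (Response and Remediation) of How Security Hub Works, as an added Python example that is not part of the original chapter or of AWS's own code: it evaluates a constructed Security Hub event against an EventBridge pattern for critical GuardDuty findings and returns the plan a remediation Lambda would carry out. The account ID, region, instance ID and topic name are made-up values.

```python
"""Evaluate a Security Hub -> EventBridge rule offline and plan the response.

Added example, not code from the page or from AWS: the rule pattern, the sample
event, and the account/region/instance values are all constructed. Security Hub
publishes findings to EventBridge with source "aws.securityhub" and detail-type
"Security Hub Findings - Imported", with the ASFF findings under detail.findings.
"""

# Pattern for "new CRITICAL findings that GuardDuty sent to Security Hub".
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductName": ["GuardDuty"],
        "Severity": {"Label": ["CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
    }},
}

def matches(pattern, event) -> bool:
    """Subset of EventBridge pattern semantics: a list in the event matches when
    any element matches; a list in the pattern matches a scalar equal to any
    listed value; a dict matches when every key in the pattern matches."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return event in pattern
    if not isinstance(event, dict):
        return False
    return all(k in event and matches(sub, event[k]) for k, sub in pattern.items())

def instance_ids(event) -> list:
    """EC2 instance IDs from each finding's ASFF Resources (Id is the instance ARN)."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        for res in finding.get("Resources", []):
            if res.get("Type") == "AwsEc2Instance":
                ids.append(res["Id"].rsplit("/", 1)[-1])
    return ids

def plan_response(event) -> dict:
    """What the Lambda target would do. Returns a plan rather than calling
    EC2 or SNS so the logic can be exercised without AWS credentials."""
    if not matches(RULE_PATTERN, event):
        return {"action": "ignore", "instances": []}
    return {"action": "isolate", "instances": instance_ids(event),
            "notify": "security-team"}  # hypothetical SNS topic name

def lambda_handler(event, context):
    """Entry point if this were deployed as the rule's Lambda target."""
    return plan_response(event)

def _event(label, status="NEW"):
    """Constructed Security Hub event carrying one GuardDuty finding."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "ProductName": "GuardDuty",
            "Title": "UnauthorizedAccess:EC2/SSHBruteForce",
            "Severity": {"Label": label},
            "Workflow": {"Status": status},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
        }]},
    }

CRITICAL_EVENT = _event("CRITICAL")          # should be isolated
LOW_EVENT = _event("LOW")                    # should be ignored by this rule
RESOLVED_EVENT = _event("CRITICAL", status="RESOLVED")  # already handled
```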
Review Compliance Results and Remediate Failing Checks
Security Hub runs compliance checks every 12 hours by default. You can view results under 'Security standards' in the console. Each standard has a list of controls (e.g., CIS 1.1 – avoid root user usage). For each control, you see status: passed, failed, or unknown. Clicking a failed control shows affected resources. Remediation steps are provided, often with links to AWS Config rules or direct fixes. For example, if a control fails because an S3 bucket is public, the remediation might suggest blocking public access. After fixing the resource, the next check cycle (or manual re-run) updates the status. Security Hub sends findings for both pass and fail results, but only failures are typically reviewed.
Scenario 1: Multi-Account Enterprise Compliance
A financial services company with 50 AWS accounts and 5 regions needs to comply with PCI DSS. They enable Security Hub across all accounts and regions using AWS Organizations. They enable the PCI DSS standard and CIS AWS Foundations Benchmark. The security team uses the Security Hub dashboard to view the overall compliance score (e.g., 85%). They drill down to see which accounts have the most failures. For example, Account A has 10 failing controls related to IAM password policies. They assign remediation tickets to the account owner. Security Hub's cross-region aggregation allows them to see all findings from one region (e.g., us-east-1). Without Security Hub, they would have to manually check each account and region, which is impractical. Cost: at roughly $0.001 per check per account per region, 50 accounts and 100 checks come to about $5 per check cycle (billing is actually per finding event). Total monthly cost might be a few hundred dollars, far less than a dedicated compliance team.
Scenario 2: Incident Response Automation
A tech startup uses GuardDuty, Inspector, and Security Hub. They set up an EventBridge rule that triggers a Lambda function when Security Hub receives a critical finding from GuardDuty (e.g., 'UnauthorizedAccess:EC2/SSHBruteForce'). The Lambda function automatically creates a new security group that blocks all inbound traffic to the affected EC2 instance and attaches it, effectively isolating the instance. It also sends a notification to the security team via Slack (using SNS). This automation reduces response time from hours to minutes. The team also uses Security Hub's custom insights to see all findings related to EC2 instances with public IPs. This helps them prioritize patching. Without Security Hub, they would have to manually correlate GuardDuty alerts with Inspector findings.
Scenario 3: Misconfiguration Leading to Alert Fatigue
A small business enables Security Hub but does not configure integrations properly. They forget to enable GuardDuty, so Security Hub shows no findings from threat detection. They also enable all compliance standards, including PCI DSS (even though they don't handle credit cards). This generates hundreds of failing checks for irrelevant controls, leading to alert fatigue. The security team ignores Security Hub because it's too noisy. To fix this, they should disable unnecessary standards and enable only relevant ones (e.g., AWS Foundational Security Best Practices). They should also ensure GuardDuty and Inspector are enabled to get meaningful findings. This scenario highlights the importance of proper configuration – Security Hub is only as good as the data it receives.
What CLF-C02 Tests on Security Hub
The CLF-C02 exam tests your understanding of Security Hub as a centralized security service for aggregating findings and performing compliance checks. Specifically, you should know:
Service purpose: Security Hub provides a comprehensive view of security alerts and compliance status across accounts and regions.
Integration: It integrates with GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, and AWS Health. It also supports third-party tools via ASFF.
Compliance standards: CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, and PCI DSS.
Pricing: Free tier (30 days, limited), then pay per finding event and per compliance check.
Automation: Integrates with EventBridge and Lambda for automated responses.
Cross-region aggregation: Can designate one aggregation region.
Common Wrong Answers and Why Candidates Choose Them
"Security Hub replaces GuardDuty." – Wrong. GuardDuty is a threat detection service that generates findings. Security Hub consumes those findings. You need both.
"Security Hub stores raw logs." – Wrong. Security Hub stores findings (alerts), not raw logs. For raw logs, use CloudWatch Logs or S3.
"Security Hub is free forever." – Wrong. Only the first 30 days and limited usage are free. After that, you pay per finding event and check.
"Security Hub only works in one account." – Wrong. It supports multi-account via AWS Organizations.
Specific Service Names and Terms That Appear on Exam
ASFF (AWS Security Finding Format) – the standard format for findings.
CIS AWS Foundations Benchmark – a specific compliance standard.
PCI DSS – Payment Card Industry Data Security Standard.
EventBridge – for automation.
Cross-region aggregation – a key feature.
Security Hub Score – percentage from compliance checks.
Tricky Distinctions
Security Hub vs. AWS Config: AWS Config tracks resource configuration changes and allows custom rules. Security Hub runs built-in compliance checks against standards. They complement each other; Security Hub can import findings from AWS Config.
Security Hub vs. GuardDuty: GuardDuty detects threats; Security Hub aggregates findings. A question might ask: "Which service provides a centralized view of security alerts?" Answer: Security Hub.
Security Hub vs. Inspector: Inspector scans for vulnerabilities; Security Hub aggregates findings from Inspector. Again, complementary.
Decision Rule for Multiple-Choice Questions
If the question asks about "centralized security dashboard," "aggregating findings from multiple services," or "compliance checks against CIS or PCI," the answer is Security Hub. If it asks about "threat detection" or "malicious IP detection," the answer is GuardDuty. If it asks about "vulnerability scanning," the answer is Inspector. If it asks about "resource configuration compliance," the answer is AWS Config.
Security Hub is a central security dashboard that aggregates findings from AWS services like GuardDuty, Inspector, and Macie.
It performs automated compliance checks against CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, and PCI DSS.
Findings are stored for 90 days in the paid tier; free tier retains for 30 days.
Security Hub integrates with Amazon EventBridge to trigger automated remediation via Lambda.
Cross-region aggregation allows you to view findings from multiple regions in a single region.
Security Hub is not a replacement for GuardDuty or Inspector; it consumes their findings.
Pricing is based on finding ingestion events and compliance checks, with a free tier for the first 30 days.
These come up on the exam all the time. Here's how to tell them apart.
Security Hub vs. GuardDuty
AWS Security Hub
Aggregates findings from multiple services
Performs compliance checks against standards
Provides a unified security dashboard
Integrates with EventBridge for automation
Pricing per finding event and compliance check
Amazon GuardDuty
Detects threats using machine learning and threat intelligence
Analyzes VPC Flow Logs, DNS logs, and CloudTrail events
Generates findings for malicious activity
Sends findings to Security Hub and CloudWatch Events
Pricing per volume of log data analyzed
Security Hub vs. AWS Config
AWS Security Hub
Focuses on security findings and compliance standards
Runs built-in checks (CIS, PCI, AWS Foundational)
Aggregates findings from other services
Provides a security score
Findings retained for 90 days
AWS Config
Tracks resource configuration changes over time
Allows custom rules (AWS Config Rules)
Evaluates resources against desired configurations
Provides configuration history and snapshots
Stores configuration items indefinitely (if recording enabled)
Mistake
Security Hub automatically remediates security issues.
Correct
Security Hub does not automatically remediate. It provides findings and recommendations. You must set up automation using EventBridge and Lambda, or manually act on findings.
Mistake
Security Hub is only for large enterprises.
Correct
Security Hub is useful for any AWS customer, regardless of size. The free tier makes it accessible for small accounts. It scales to thousands of accounts.
Mistake
Security Hub stores all your security logs indefinitely.
Correct
Security Hub retains findings for 90 days in the paid tier. For long-term retention, you must export findings to S3 or another storage service.
Mistake
You must enable Security Hub in every account separately.
Correct
If you use AWS Organizations, you can enable Security Hub for all accounts in the organization with a single action from the management account.
Mistake
Security Hub can replace your SIEM.
Correct
Security Hub is a CSPM tool, not a full SIEM. It aggregates findings, not raw logs. For log analysis and correlation, you need a SIEM like Splunk or Amazon OpenSearch Service.
Security Hub is a central aggregation service for security findings and compliance checks. GuardDuty is a threat detection service that analyzes logs to identify malicious activity. GuardDuty sends its findings to Security Hub, but Security Hub does not replace GuardDuty. For the exam, remember: GuardDuty detects threats; Security Hub centralizes and prioritizes them.
Security Hub has a free tier that includes 30 days of findings and up to 10,000 finding ingestion events per month. After that, you pay $0.000026 per finding event per region. Compliance checks cost $0.001 per check per account per region. For example, enabling CIS (about 50 checks) for 10 accounts would cost $0.50 per check cycle. Costs are low but can add up with many accounts and regions.
No, Security Hub does not automatically remediate. However, you can use Amazon EventBridge to trigger AWS Lambda functions when specific findings appear, enabling automated remediation. For example, you can create a rule that isolates an EC2 instance when a critical GuardDuty finding is received. Security Hub provides the finding; you build the automation.
Security Hub supports three main standards: CIS AWS Foundations Benchmark (v1.2.0 and v1.4.0), AWS Foundational Security Best Practices, and PCI DSS v3.2.1. You can enable one or more standards. The free tier includes only CIS. The exam may ask which standard is used for a specific requirement; CIS is the most commonly referenced.
In the free tier, findings are retained for 30 days. In the paid tier, findings are retained for 90 days. After that, they are automatically deleted. For long-term retention, you must export findings to Amazon S3 using an EventBridge rule or the Security Hub API. The exam may test this limit.
Yes, Security Hub supports multi-account environments via AWS Organizations. You can enable Security Hub for all accounts in the organization from the management account. Findings from all accounts are aggregated in the management account's Security Hub dashboard. This is a key feature for enterprises.
ASFF is a JSON format used by Security Hub to standardize findings from different sources. It includes fields like SchemaVersion, Id, ProductArn, GeneratorId, AwsAccountId, Types, FirstObservedAt, LastObservedAt, CreatedAt, UpdatedAt, Severity, Remediation, Resources, and Compliance. Third-party tools must send findings in ASFF to integrate with Security Hub.
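This answer and steps 2 and 4 (Finding Ingestion, Finding Aggregation) of How Security Hub Works both describe ASFF; the following is an added Python example, not the chapter's or AWS's own code, showing how a third-party integration would construct one finding and check it before calling BatchImportFindings. The account ID, region, instance ID and generator name are made-up; the Severity.Normalized-to-label ranges are the ones ASFF documents.

```python
"""Build and validate a minimal AWS Security Finding Format (ASFF) finding.
Added example, not code from the page or from AWS: it shapes a finding the way a
third-party tool would before calling BatchImportFindings and checks the fields
Security Hub requires. Account ID, region and instance ID are made-up values.
"""
from datetime import datetime, timezone

# Fields Security Hub requires on every imported ASFF finding.
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)

def severity_label(normalized: int) -> str:
    """Map Severity.Normalized (0-100) to the label Security Hub displays."""
    if not 0 <= normalized <= 100:
        raise ValueError("Severity.Normalized must be between 0 and 100")
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized <= 39:
        return "LOW"
    if normalized <= 69:
        return "MEDIUM"
    if normalized <= 89:
        return "HIGH"
    return "CRITICAL"

def build_finding(account_id, region, instance_id, normalized, title, description):
    """Return one ASFF finding dict for an EC2 instance in the caller's own account."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    # Default product ARN for an account's own custom integration.
    product_arn = f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{product_arn}/{instance_id}/{title}",  # must be unique per product
        "ProductArn": product_arn,
        "GeneratorId": "example-scanner/open-ssh",  # hypothetical check name
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": now,
        "UpdatedAt": now,
        "Severity": {"Normalized": normalized, "Label": severity_label(normalized)},
        "Title": title,
        "Description": description,
        "Resources": [{
            "Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
            "Region": region,
        }],
        "Remediation": {"Recommendation": {"Text": "Restrict the security group to known source ranges."}},
    }

def validate_finding(finding: dict) -> list:
    """Return the problems an import would hit; an empty list means importable."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if field not in finding]
    if not finding.get("Resources"):
        problems.append("Resources must list at least one resource")
    sev = finding.get("Severity", {})
    if "Normalized" in sev and "Label" in sev and severity_label(sev["Normalized"]) != sev["Label"]:
        problems.append("Severity.Label does not match Severity.Normalized")
    account = finding.get("AwsAccountId", "")
    if len(account) != 12 or not account.isdigit():
        problems.append("AwsAccountId must be a 12-digit account ID")
    return problems

def batches(findings: list, size: int = 100) -> list:
    """Split findings into BatchImportFindings-sized requests (100 per call)."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]

# Constructed sample: one finding for a made-up instance in a made-up account.
SAMPLE = build_finding("123456789012", "us-east-1", "i-0123456789abcdef0", 70,
                       "SSH open to the world",
                       "Security group allows TCP/22 from 0.0.0.0/0.")
```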