SAA-C03 | Chapter 64 of 189 | Objective 1.4

AWS Security Hub

This chapter covers AWS Security Hub, a cloud security posture management (CSPM) service that provides a unified view of security alerts and compliance status across your AWS accounts. For the SAA-C03 exam, Security Hub appears in roughly 5-8% of questions, typically integrated with other security services. Understanding its architecture, aggregation logic, and integration points is essential for designing secure, compliant multi-account environments.

25 min read
Intermediate
Updated May 31, 2026

Security Hub as a Central Security Dashboard

Imagine a large office building with multiple security systems: card readers on doors, motion sensors in corridors, CCTV cameras, and fire alarms. Each system generates its own alerts and logs. Without a central monitoring station, security guards would have to check each system separately, missing correlations like a door propped open while a motion sensor detects movement in a restricted area. Security Hub is that central monitoring station. It aggregates findings from all integrated security services (GuardDuty, Inspector, Macie, Firewall Manager, etc.) into a single console. It applies a common finding format (the AWS Security Finding Format) so that alerts from different services look consistent. Security Hub also runs continuous compliance checks against standards like CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices. When a new finding comes in, Security Hub normalizes it, checks it against your compliance standards, and optionally forwards it to AWS Systems Manager OpsCenter or to custom actions via Amazon EventBridge. This centralization allows security teams to prioritize and respond to threats efficiently, just as a guard at a central console can dispatch officers to the exact location of an incident based on correlated data.

How It Actually Works

What is AWS Security Hub and Why Does It Exist?

AWS Security Hub is a cloud security posture management (CSPM) service that gives you a comprehensive view of your security state across AWS accounts and regions. It aggregates, organizes, and prioritizes security findings from multiple AWS services (like Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer) and from third-party partners (like CrowdStrike, Palo Alto Networks, and Trend Micro). It also performs automated compliance checks against industry standards and best practices.

The primary problem Security Hub solves is alert fatigue and siloed security data. Without Security Hub, a security team would need to log into each service's console (GuardDuty, Inspector, etc.) to see findings, making it nearly impossible to correlate threats across services. Security Hub normalizes all findings into a consistent format called the AWS Security Finding Format (ASFF), which includes fields like Id, ProductArn, GeneratorId, Types, Severity, Title, Description, Resources, Compliance, and Workflow. This normalization enables automated response and integration with other tools via Amazon EventBridge.

How Security Hub Works Internally

Security Hub operates as a regional service. When you enable it in a region, it begins aggregating findings from enabled security services in that same region. The core mechanism involves:

1. Finding Ingestion: Integrated services (e.g., GuardDuty) send findings to Security Hub via the BatchImportFindings API. Security Hub stores these findings in a regional repository. Each finding has a unique Id and ProductArn that identifies the source.

2. Finding Deduplication: If the same finding is reported multiple times (e.g., a recurring GuardDuty finding), Security Hub updates the existing finding instead of creating a duplicate. It uses the combination of ProductArn and Id to identify existing findings.

3. Compliance Checks: Security Hub runs continuous, automated compliance checks based on enabled standards. For example, the CIS AWS Foundations Benchmark v1.4.0 includes 153 controls. Each control is a rule (e.g., "Ensure IAM password policy requires at least one uppercase letter"). Security Hub evaluates the rule against your account resources and generates a PASS/FAIL finding. These checks run every 6-12 hours (configurable) or when triggered by resource changes via AWS Config.

4. Insights: Insights are collections of related findings grouped by specific criteria. For example, the built-in insight "S3 buckets with public read access" groups all findings where an S3 bucket has public read access. You can create custom insights using filters on ASFF fields.
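The four mechanisms above can be seen end to end in a small in-memory model. The following is an added example, not code from this chapter or from AWS: it generates PASS/FAIL compliance findings by evaluating two controls against a constructed resource snapshot, imports them into a local stand-in for the regional repository that deduplicates on the (ProductArn, Id) pair exactly as the text describes, filters them the way `get-findings --filters` does, and groups them into a custom insight. The control ids, standard ARN, account id and resource data are all constructed for illustration; the ASFF field names (Id, ProductArn, GeneratorId, Types, Severity, Title, Resources, Compliance, Workflow) are the real ones named in the text.

```python
"""In-memory model of Security Hub ingestion: compliance findings, dedup, filters, insights."""
from datetime import datetime, timezone

ACCOUNT_ID = "123456789012"   # constructed
REGION = "us-east-1"
STANDARD_ARN = "arn:aws:securityhub:us-east-1::standards/example-standard/v/1.0.0"  # constructed
PRODUCT_ARN = f"arn:aws:securityhub:{REGION}::product/aws/securityhub"

# (control id, title, severity when failed, ASFF resource type, check over one resource)
# Control ids are made up; the titles paraphrase checks mentioned in the chapter.
CONTROLS = [
    ("CTRL-S3-1", "S3 buckets should have block public access enabled", "HIGH",
     "AwsS3Bucket", lambda r: r["block_public_access"]),
    ("CTRL-IAM-1", "IAM password policy requires at least one uppercase letter", "MEDIUM",
     "AwsAccount", lambda r: r["password_policy"]["require_uppercase"]),
]

SNAPSHOT = {  # constructed account state, standing in for what AWS Config would record
    "AwsS3Bucket": {
        "arn:aws:s3:::payments-archive": {"block_public_access": True},
        "arn:aws:s3:::marketing-assets": {"block_public_access": False},
    },
    "AwsAccount": {ACCOUNT_ID: {"password_policy": {"require_uppercase": False}}},
}


def run_compliance_checks(snapshot, standard_arn=STANDARD_ARN):
    """Evaluate every control against every matching resource; one ASFF finding each.

    Outcome goes in Compliance.Status (PASSED/FAILED); a passed check is reported at
    INFORMATIONAL severity, so only failures carry the control's own severity.
    """
    now = datetime.now(timezone.utc).isoformat()
    findings = []
    for control_id, title, severity, resource_type, check in CONTROLS:
        for resource_id, resource in snapshot.get(resource_type, {}).items():
            passed = bool(check(resource))
            findings.append({
                # Stable Id per control + resource, so a re-run updates instead of duplicating
                "Id": f"{standard_arn}/{control_id}/finding/{resource_id}",
                "ProductArn": PRODUCT_ARN,
                "GeneratorId": f"{standard_arn}/{control_id}",
                "AwsAccountId": ACCOUNT_ID,
                "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
                "Severity": {"Label": "INFORMATIONAL" if passed else severity},
                "Title": title,
                "Resources": [{"Type": resource_type, "Id": resource_id}],
                "Compliance": {"Status": "PASSED" if passed else "FAILED"},
                "UpdatedAt": now,
            })
    return findings


class LocalSecurityHub:
    """Stand-in for one region's finding repository."""

    REQUIRED = ("Id", "ProductArn", "Severity", "Title", "Resources")

    def __init__(self):
        self.findings = {}  # key: (ProductArn, Id), the pair Security Hub deduplicates on

    def batch_import_findings(self, findings):
        """Mimic BatchImportFindings: refresh an existing finding or store a new one."""
        imported = updated = 0
        for f in findings:
            missing = [k for k in self.REQUIRED if k not in f]
            if missing:
                raise ValueError(f"ASFF finding missing required fields: {missing}")
            key = (f["ProductArn"], f["Id"])
            if key in self.findings:
                existing = self.findings[key]
                workflow = existing["Workflow"]   # analyst-set workflow survives a re-import
                existing.update(f)
                existing["Workflow"] = workflow
                updated += 1
            else:
                self.findings[key] = {**f, "Workflow": {"Status": "NEW"}}
                imported += 1
        return {"ImportedCount": imported, "UpdatedCount": updated}

    def update_workflow(self, product_arn, finding_id, status):
        """Mimic BatchUpdateFindings --workflow for one finding (NEW/NOTIFIED/RESOLVED/SUPPRESSED)."""
        self.findings[(product_arn, finding_id)]["Workflow"] = {"Status": status}

    def get_findings(self, severity_labels=None, compliance_status=None):
        """Filter like `get-findings --filters` on SeverityLabel / ComplianceStatus."""
        return [f for f in self.findings.values()
                if (not severity_labels or f["Severity"]["Label"] in severity_labels)
                and (not compliance_status
                     or f.get("Compliance", {}).get("Status") == compliance_status)]

    def insight(self, group_by, **filters):
        """Custom insight: count findings matching `filters`, grouped by one attribute."""
        counts = {}
        for f in self.get_findings(**filters):
            counts[group_by(f)] = counts.get(group_by(f), 0) + 1
        return counts


def demo():
    """Two check cycles: the second cycle updates the three findings rather than duplicating them."""
    hub = LocalSecurityHub()
    first = hub.batch_import_findings(run_compliance_checks(SNAPSHOT))
    hub.update_workflow(PRODUCT_ARN,
                        f"{STANDARD_ARN}/CTRL-S3-1/finding/arn:aws:s3:::marketing-assets",
                        "SUPPRESSED")
    second = hub.batch_import_findings(run_compliance_checks(SNAPSHOT))
    by_type = hub.insight(lambda f: f["Resources"][0]["Type"], compliance_status="FAILED")
    return first, second, by_type, hub


if __name__ == "__main__":
    first, second, by_type, _ = demo()
    print(first, second, by_type)
```

The second import cycle reports three updates and no new findings, and the SUPPRESSED status set between the cycles survives the re-import, which is why a recurring check or a recurring GuardDuty alert does not pile up duplicates or reset an analyst's triage decision.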

Key Components, Values, Defaults, and Timers

Standards: Security Hub supports multiple standards:

- CIS AWS Foundations Benchmark v1.2.0 and v1.4.0
- PCI DSS v3.2.1
- AWS Foundational Security Best Practices (FSBP)
- NIST SP 800-53 Rev. 5 (via integration with AWS Audit Manager)

Controls: Each standard has controls. For example, CIS 1.1 is "Maintain current contact details." Each control has a severity (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL).

Severity: Findings have severity labels: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. The severity can be overridden by the user.

Workflow Status: Findings have a workflow status: NEW, NOTIFIED, RESOLVED, SUPPRESSED. You can update this manually or via automation.

Finding Aggregation: By default, Security Hub operates per region. You can enable cross-region aggregation by designating a single aggregation region. All findings from enabled regions are copied to the aggregation region. This is configured in the Security Hub console under "Settings" -> "Region configuration."

Multi-Account Architecture: Security Hub integrates with AWS Organizations. The management account (delegated administrator) can enable Security Hub for all member accounts automatically. Findings from member accounts are visible in the management account's Security Hub console if cross-account aggregation is enabled.

Integration with AWS Config: Security Hub uses AWS Config rules for some compliance checks. You must enable AWS Config in each account and region where Security Hub runs compliance checks.

Pricing: Security Hub charges per finding ingestion and per compliance check. The first 10,000 findings per month are free. After that, it's $0.00003 per finding. Compliance checks are $0.001 per control per account per region per month.

EventBridge Integration: Security Hub sends all findings to the default EventBridge bus. You can create rules to trigger automated responses (e.g., send to SNS, invoke Lambda, create OpsItem in Systems Manager).

Configuration and Verification Commands

Enable Security Hub via AWS CLI:

aws securityhub enable-security-hub --region us-east-1 --enable-default-standards

This enables Security Hub with default standards (CIS and FSBP). To disable default standards, use --no-enable-default-standards.

Enable a standard:

aws securityhub batch-enable-standards --region us-east-1 --standards-subscription-requests '[{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}]'

List findings:

aws securityhub get-findings --filters '{"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}]}' --region us-east-1

Update finding workflow status:

aws securityhub batch-update-findings --finding-identifiers '[{"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/...", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty"}]' --workflow '{"Status": "RESOLVED"}'

Verify integration with GuardDuty:

aws guardduty list-detectors --region us-east-1
aws guardduty get-detector --detector-id <detector-id> --region us-east-1
# Confirm the detector's Status is ENABLED and review its DataSources (S3Logs, Kubernetes, etc.).
# With GuardDuty and Security Hub both enabled in the region, GuardDuty findings flow to
# Security Hub automatically (see step 2 of the walk-through).

Interaction with Related Technologies

GuardDuty: Sends threat detection findings (e.g., unusual API calls, crypto mining) to Security Hub.

Inspector: Sends vulnerability findings (e.g., CVEs in EC2) to Security Hub.

Macie: Sends findings about sensitive data exposure in S3.

Firewall Manager: Sends findings about security group violations, WAF rule violations.

IAM Access Analyzer: Sends findings about external access to resources.

AWS Config: Provides resource configuration snapshots used by Security Hub for compliance checks.

Systems Manager OpsCenter: Security Hub can automatically create OpsItems for findings.

EventBridge: Enables custom automation (e.g., send high-severity findings to Slack, create Jira tickets).

AWS Organizations: Allows centralized management of Security Hub across accounts.

Security Hub is not a threat prevention tool; it is a monitoring and compliance tool. It does not block attacks or enforce policies; it only reports and aggregates findings.

Walk-Through

1. Enable Security Hub in a Region

The first step is to enable Security Hub in a region. You can do this via the AWS Management Console, AWS CLI, or AWS CloudFormation. When you enable Security Hub, it automatically enables the default security standards (CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices) unless you specify otherwise. Security Hub begins aggregating findings from enabled integrated services in that region. You must enable Security Hub in each region where you want to monitor security findings. For multi-account setups, the management account enables Security Hub and then invites member accounts or enables them automatically via AWS Organizations.

2. Enable Integrated Security Services

Security Hub itself does not generate findings; it aggregates them from other services. You must enable and configure integrated services like GuardDuty, Inspector, Macie, Firewall Manager, and IAM Access Analyzer in the same region. For example, to get GuardDuty findings in Security Hub, you must first enable GuardDuty in that region. Security Hub automatically detects when these services are enabled and begins receiving findings. Some services require explicit integration, such as enabling the Security Hub integration in GuardDuty (which is automatic when both are enabled).

3. Aggregate Findings from Multiple Accounts

When using AWS Organizations, you can designate a Security Hub delegated administrator account. This account can enable Security Hub for all member accounts in the organization automatically. Member accounts do not need to individually enable Security Hub; the delegated administrator can enable it on their behalf. Findings from member accounts are sent to the delegated administrator's Security Hub instance in each region. For cross-region aggregation, you can enable a single aggregation region where findings from all other regions are copied. This allows you to view all findings in one place.

4. Enable Compliance Standards and Run Checks

Security Hub continuously runs compliance checks against enabled standards. You can enable or disable specific standards at any time. Each standard has a set of controls. When a control is evaluated, Security Hub checks the current state of your AWS resources against the control's requirements. For example, CIS control 2.1 checks if S3 buckets have block public access enabled. The check runs every 6-12 hours by default, but you can trigger an immediate check by updating the resource via AWS Config or by using the `BatchEnableStandards` API. Results are stored as findings with PASS or FAIL status.

5. View Findings and Create Insights

All findings are visible in the Security Hub console under 'Findings'. You can filter by severity, status, resource, etc. Insights are pre-built or custom views that group related findings. For example, the 'Top security issues' insight shows findings grouped by type. You can create custom insights using filters on ASFF fields. Insights are useful for identifying trends and prioritizing remediation. You can also take actions on findings, such as updating the workflow status (NEW, NOTIFIED, RESOLVED, SUPPRESSED) or sending them to EventBridge for automated response.

6. Automate Response with EventBridge

Security Hub sends all findings to the default EventBridge bus. You can create EventBridge rules that match specific finding patterns (e.g., high-severity findings from GuardDuty). These rules can trigger actions like sending a notification to an SNS topic, invoking a Lambda function to remediate the issue, or creating an OpsItem in Systems Manager OpsCenter. This automation is critical for reducing response time. For example, you can create a rule that automatically isolates an EC2 instance if a GuardDuty finding indicates it is compromised. The EventBridge rule must be created in the same region as Security Hub.
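The rule-plus-Lambda pattern in this step (and the Slack-notify-then-mark-NOTIFIED Lambda in Scenario 2 below) can be modelled offline. The following is an added example, not code from this chapter or from AWS. `matches` implements the subset of EventBridge event-pattern semantics such a rule relies on: each leaf of the pattern is a list of allowed literals, and the event matches when every leaf path holds at least one allowed value, with arrays flattened along the way (so a pattern on `detail.findings.Severity.Label` matches when any finding in the array is HIGH). The handler is shaped like the Lambda the text describes and issues the same request shape as `aws securityhub batch-update-findings`; the Security Hub client and the notifier are injected so nothing is called for real, and the ARNs, finding ids and titles in the sample event are constructed.

```python
"""EventBridge pattern matching and a notify-then-NOTIFIED handler for Security Hub findings."""

RULE_PATTERN = {  # an EventBridge rule for new, high-severity GuardDuty findings
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductArn": ["arn:aws:securityhub:us-east-1::product/aws/guardduty"],
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
    }},
}
PAGE_ON = {"HIGH", "CRITICAL"}


def _leaf_paths(pattern, prefix=()):
    """Yield (path, allowed_values) for every leaf of a pattern; leaves are lists of literals."""
    for key, value in pattern.items():
        if isinstance(value, dict):
            yield from _leaf_paths(value, prefix + (key,))
        else:
            yield prefix + (key,), value


def _values_at(event, path):
    """All values at `path`, descending through arrays the way EventBridge flattens them."""
    if isinstance(event, list):
        return [v for item in event for v in _values_at(item, path)]
    if not path:
        return [event]
    if isinstance(event, dict) and path[0] in event:
        return _values_at(event[path[0]], path[1:])
    return []


def matches(pattern, event):
    """True when every pattern leaf has at least one equal value somewhere in the event."""
    return all(any(v in allowed for v in _values_at(event, path))
               for path, allowed in _leaf_paths(pattern))


def make_event(*severity_labels, product="guardduty", workflow="NEW"):
    """Constructed 'Security Hub Findings - Imported' event with one finding per label."""
    findings = [{
        "Id": f"arn:aws:guardduty:us-east-1:123456789012:detector/EXAMPLEdet/finding/EXAMPLE{i}",
        "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
        "AwsAccountId": "123456789012",
        "Title": "Constructed: EC2 instance contacted a cryptocurrency mining pool",
        "Severity": {"Label": label},
        "Workflow": {"Status": workflow},
        "Resources": [{"Type": "AwsEc2Instance", "Id": f"i-0example{i:04d}"}],
    } for i, label in enumerate(severity_labels)]
    return {"version": "0", "source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "account": "123456789012", "region": "us-east-1",
            "detail": {"findings": findings}}


class RecordingSecurityHubClient:
    """Stand-in for boto3's securityhub client: records each BatchUpdateFindings call."""

    def __init__(self):
        self.calls = []

    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


def handle_security_hub_event(event, securityhub, notify):
    """Lambda-style handler; `notify` stands in for the Slack/SNS call."""
    if not matches(RULE_PATTERN, event):
        return {"notified": 0}
    # The rule fires if ANY finding in the array is HIGH/CRITICAL, so filter again here.
    to_page = [f for f in event["detail"]["findings"] if f["Severity"]["Label"] in PAGE_ON]
    for f in to_page:
        notify(f"[{f['Severity']['Label']}] {f['Title']} in account {f['AwsAccountId']} "
               f"on {f['Resources'][0]['Id']}")
    if to_page:
        # Same request shape as `aws securityhub batch-update-findings`
        securityhub.batch_update_findings(
            FindingIdentifiers=[{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in to_page],
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": "On-call engineer paged", "UpdatedBy": "sechub-notifier"},
        )
    return {"notified": len(to_page)}


if __name__ == "__main__":
    client = RecordingSecurityHubClient()
    print(handle_security_hub_event(make_event("HIGH", "LOW"), client, print))
    print(client.calls)
```

Because the rule matched against the flattened array, an event carrying one HIGH and one LOW finding triggers the handler, but only the HIGH finding is paged and moved to NOTIFIED; a LOW-only event, an Inspector finding, or a finding already NOTIFIED does not match the rule at all.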

What This Looks Like on the Job

Enterprise Scenario 1: Multi-Account Compliance Monitoring

A large enterprise with 200 AWS accounts needs to demonstrate compliance with PCI DSS for their payment processing workloads. They enable Security Hub in the management account and use AWS Organizations to automatically enroll all member accounts. They enable the PCI DSS v3.2.1 standard in Security Hub. Security Hub runs continuous checks across all accounts and regions. The security team creates custom insights to track PCI DSS failures by account. They use EventBridge rules to automatically create Jira tickets for any FAIL finding with HIGH severity. One common misconfiguration: forgetting to enable AWS Config in all accounts and regions. Security Hub compliance checks rely on AWS Config rules; without Config, many controls will show 'NO DATA' or fail. The team must ensure AWS Config is enabled with recording of global resources (for IAM checks) and that the appropriate AWS Config rules are in place.

Enterprise Scenario 2: Centralized Threat Detection

A SaaS company uses GuardDuty, Inspector, and Macie across their development, staging, and production accounts. They enable Security Hub in the us-east-1 region as the aggregation region. All findings from other regions (eu-west-1, ap-southeast-1) are copied to us-east-1. The security operations center (SOC) monitors the Security Hub console 24/7. They have a custom insight that groups all findings of type 'TTPs' (tactics, techniques, procedures) from GuardDuty. When a high-severity finding appears, an EventBridge rule triggers a Lambda function that sends a Slack notification to the on-call engineer. The Lambda function also updates the finding's workflow status to 'NOTIFIED'. One challenge: cross-region aggregation introduces latency of up to 15 minutes. For real-time response, the SOC must also monitor individual regional Security Hub instances. Additionally, if a member account disables Security Hub, findings from that account stop flowing, which can create blind spots.

Enterprise Scenario 3: Third-Party SIEM Integration

A financial services company uses Splunk as their SIEM. They want to send all Security Hub findings to Splunk for correlation with other logs. They enable Security Hub and create an EventBridge rule that sends all findings to a custom Lambda function. The Lambda function formats the findings as JSON and sends them to Splunk's HTTP Event Collector (HEC). They also enable third-party partner integrations (e.g., CrowdStrike) to send findings directly to Security Hub. A common pitfall: the Lambda function must handle throttling and retries for the Splunk endpoint. Also, Security Hub has a default limit of 30 findings per second per account per region for the BatchImportFindings API. If the third-party product sends too many findings, they may be throttled. The team must monitor CloudWatch metrics for ThrottledRequests and set up appropriate backoff.
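The two pitfalls in this scenario, a receiving endpoint that throttles and a per-second finding budget, are easiest to reason about with a deterministic model. The following is an added example, not code from this chapter, from AWS or from Splunk. It batches findings to the 100-per-request limit of BatchImportFindings, keeps the average send rate under a per-second budget (30 by default, the figure quoted above) with a token bucket, and retries with exponential backoff plus full jitter when the receiver answers 429 or 503, honouring a Retry-After value when one is supplied. The sender, clock, sleep and jitter source are injected so the run is offline and repeatable; the Splunk HEC envelope (`sourcetype` and `event` keys) is an assumption about that endpoint, and the sample findings are constructed.

```python
"""Throttle-aware forwarder for Security Hub findings with batching, rate limiting and backoff."""
import random
import time

MAX_FINDINGS_PER_CALL = 100   # BatchImportFindings accepts at most 100 findings per request
FINDINGS_PER_SECOND = 30      # per-account, per-region rate quoted in the scenario


class ForwardError(Exception):
    """Raised on a non-retryable status or after exhausting retries."""


class TokenBucket:
    """Allows `rate` findings per second on average; calls `sleep` when the bucket is empty."""

    def __init__(self, rate, clock, sleep):
        self.rate, self.clock, self.sleep = rate, clock, sleep
        self.tokens, self.last = float(rate), clock()

    def take(self, n):
        if n > self.rate:
            raise ValueError("a batch larger than one second of budget can never be served")
        while True:
            now = self.clock()
            self.tokens = min(float(self.rate), self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= n:
                self.tokens -= n
                return
            self.sleep((n - self.tokens) / self.rate)


def to_hec_event(finding):
    """Splunk HEC envelope (assumed layout): one JSON object per finding."""
    return {"sourcetype": "aws:securityhub:finding", "event": finding}


def forward_findings(findings, send, clock=time.monotonic, sleep=time.sleep,
                     rate=FINDINGS_PER_SECOND, max_attempts=5, base_delay=0.5, rng=random.random):
    """Send findings in rate-limited batches; `send(batch)` returns (http_status, retry_after)."""
    batch_size = min(MAX_FINDINGS_PER_CALL, rate)   # never ask the bucket for more than 1 s of budget
    bucket = TokenBucket(rate, clock, sleep)
    stats = {"batches": 0, "retries": 0, "delivered": 0}
    for start in range(0, len(findings), batch_size):
        batch = [to_hec_event(f) for f in findings[start:start + batch_size]]
        bucket.take(len(batch))
        for attempt in range(max_attempts):
            status, retry_after = send(batch)
            if status < 400:
                stats["delivered"] += len(batch)
                stats["batches"] += 1
                break
            if status not in (429, 503):
                raise ForwardError(f"non-retryable HTTP {status}")
            stats["retries"] += 1
            # Honour Retry-After when given; otherwise exponential backoff with full jitter
            sleep(retry_after if retry_after else base_delay * (2 ** attempt) * rng())
        else:
            raise ForwardError(f"gave up after {max_attempts} attempts")
    return stats


class FakeClock:
    """Deterministic clock for tests: time only advances when something sleeps."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def make_findings(n):
    """Constructed minimal ASFF findings."""
    return [{"Id": f"constructed-finding-{i}",
             "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
             "Severity": {"Label": "MEDIUM"}, "Title": f"Constructed finding {i}"}
            for i in range(n)]


def throttling_sender(throttle_first_n):
    """Receiver that answers 429 with Retry-After 1 s to the first N calls, then 200."""
    calls = {"n": 0}

    def send(batch):
        calls["n"] += 1
        return (429, 1.0) if calls["n"] <= throttle_first_n else (200, None)
    return send


if __name__ == "__main__":
    clock = FakeClock()
    print(forward_findings(make_findings(75), throttling_sender(2), clock, clock.sleep), clock.now)
```

With 75 constructed findings and a receiver that throttles the first two calls, the forwarder sends three batches (30, 30, 15), records two retries, and the fake clock ends at 2.5 s: two seconds of Retry-After plus half a second waiting for the bucket to refill before the last batch. A 403 aborts immediately, and a receiver that never stops throttling exhausts `max_attempts` and raises.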

How SAA-C03 Actually Tests This

What SAA-C03 Tests on Security Hub

The SAA-C03 exam focuses on Security Hub's role in centralizing security findings and automating compliance. Specific objectives include:

Domain 1: Design Secure Architectures (Objective 1.4: Design a secure infrastructure)

Domain 4: Design Cost-Optimized Architectures (Objective 4.1: Design cost-optimized storage) – less directly, but cost implications of Security Hub are tested.

Key exam topics:

1. Integration with other services: You must know which services send findings to Security Hub (GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer). A common question asks: "Which AWS service can be used to aggregate findings from GuardDuty and Inspector?" Answer: Security Hub.

2. Compliance standards: Know the supported standards: CIS, PCI DSS, AWS Foundational Security Best Practices. The exam may ask which standard to enable for PCI compliance.

3. Multi-account architecture: Understand that Security Hub can be enabled across accounts using AWS Organizations. The delegated administrator can view findings from member accounts. Cross-region aggregation requires designating an aggregation region.

4. EventBridge integration: Security Hub sends findings to EventBridge for automation. You may be asked how to trigger a Lambda function for high-severity findings.

5. Cost considerations: Security Hub charges per finding and per compliance check. The first 10,000 findings per month are free. This is a cost-optimization point.

Common Wrong Answers

1. Choosing AWS Config instead of Security Hub: AWS Config evaluates resource configurations but does not aggregate security findings from multiple services. Security Hub is the correct answer for centralizing findings.

2. Thinking Security Hub is a threat prevention tool: Security Hub does not block attacks. It only reports. For prevention, use GuardDuty (threat detection) or AWS WAF/Shield.

3. Assuming cross-region aggregation is automatic: You must explicitly enable a single aggregation region. Without it, findings are per-region.

4. Confusing with Amazon Detective: Detective analyzes root cause of findings, but Security Hub aggregates them. They work together.

Specific Numbers and Terms

Finding retention: 90 days (findings older than 90 days are automatically deleted).

Default standards: CIS AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices.

Severity labels: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL.

Workflow status: NEW, NOTIFIED, RESOLVED, SUPPRESSED.

ASFF: AWS Security Finding Format.

Insights: Pre-built or custom groupings of findings.

Edge Cases

If you disable a standard, existing findings for that standard are retained but new checks stop.

If you disable Security Hub, all findings are deleted after 90 days. Re-enabling does not restore them.

Third-party integrations require the partner to send findings via the BatchImportFindings API.

How to Eliminate Wrong Answers

If the question mentions "aggregate findings from multiple AWS services," the answer is Security Hub.

If the question mentions "continuous compliance checks against CIS or PCI DSS," the answer is Security Hub.

If the question mentions "centralized view of security alerts," the answer is Security Hub.

If the question asks for a service that integrates with EventBridge for automated response, Security Hub is correct.

Eliminate AWS Config if the question is about security findings from GuardDuty; Config does not ingest GuardDuty findings.

Key Takeaways

Security Hub aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and IAM Access Analyzer.

It performs automated compliance checks against CIS, PCI DSS, and AWS Foundational Security Best Practices.

Security Hub is regional; enable it per region. Use cross-region aggregation to centralize findings.

Findings are stored for 90 days. Export to S3 for long-term retention.

Use EventBridge to automate response to Security Hub findings (e.g., trigger Lambda).

Security Hub integrates with AWS Organizations for multi-account management.

The first 10,000 findings per month are free; after that, pay per finding and per compliance check.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Security Hub

Aggregates security findings from multiple services (GuardDuty, Inspector, etc.)

Performs compliance checks against industry standards (CIS, PCI DSS)

Provides a unified console for security alerts and posture

Integrates with EventBridge for automated response

Charges per finding ingestion and compliance check

AWS Config

Evaluates resource configurations against rules (e.g., required tags)

Tracks configuration changes over time (configuration history)

Provides configuration snapshots and compliance against custom rules

Can trigger Lambda functions on configuration changes

Charges per configuration item recorded and per rule evaluation

Watch Out for These

Mistake: Security Hub automatically enables all AWS security services.

Correct: Security Hub only aggregates findings from services you have already enabled. You must enable GuardDuty, Inspector, Macie, etc., separately. Security Hub does not enable them.

Mistake: Security Hub is a global service.

Correct: Security Hub is a regional service. You must enable it per region. Cross-region aggregation is optional and requires explicit configuration to copy findings to a single aggregation region.

Mistake: Security Hub can block malicious traffic.

Correct: Security Hub is a monitoring and compliance service. It does not block traffic. Use AWS WAF, Shield, or Network Firewall for blocking.

Mistake: Security Hub findings are stored indefinitely.

Correct: Findings are retained for 90 days. After that, they are automatically deleted. You can export findings to S3 or other storage for long-term retention.

Mistake: Security Hub is free.

Correct: Security Hub has a free tier (first 10,000 findings per month), but beyond that, you pay per finding ingestion and per compliance check. See pricing page for details.


Frequently Asked Questions

How do I enable Security Hub across multiple AWS accounts?

Use AWS Organizations. Designate a Security Hub delegated administrator account. The delegated administrator can enable Security Hub for all member accounts automatically. Member accounts do not need to enable it individually. Findings from member accounts are visible in the delegated administrator's Security Hub console. You can also manually invite member accounts if not using Organizations.

What is the difference between Security Hub and GuardDuty?

GuardDuty is a threat detection service that identifies malicious activity (e.g., unusual API calls, crypto mining). Security Hub is a central aggregation service that collects findings from GuardDuty and other services. GuardDuty generates findings; Security Hub organizes them. You need both for a complete security posture.

Does Security Hub support third-party security tools?

Yes. Security Hub integrates with third-party partners like CrowdStrike, Palo Alto Networks, and Trend Micro. They send findings via the AWS Security Finding Format (ASFF) using the BatchImportFindings API. You can also use custom integrations via EventBridge.

How long are Security Hub findings stored?

Findings are retained for 90 days from the last update. After 90 days, they are automatically deleted. To keep findings longer, export them to Amazon S3 using EventBridge or the API, or use a SIEM tool.

Can Security Hub remediate issues automatically?

Security Hub itself does not remediate. However, you can use EventBridge to trigger automated remediation actions, such as invoking a Lambda function to fix a misconfiguration (e.g., enable S3 block public access).

What are Security Hub insights?

Insights are collections of related findings grouped by specific criteria. For example, 'S3 buckets with public read access' groups all findings where an S3 bucket is publicly readable. You can create custom insights using filters on finding fields like severity, resource type, or compliance status.

How does Security Hub pricing work?

Security Hub charges per finding ingestion and per compliance check. The first 10,000 findings per month are free. After that, it's $0.00003 per finding. Compliance checks are $0.001 per control per account per region per month. There is no charge for the first 10,000 checks per month per account per region.

