This chapter covers AWS Security Hub, a cloud security posture management (CSPM) service that aggregates and prioritizes security findings from multiple AWS services and third-party tools. For the SOA-C02 exam, Security Hub is a key topic under Domain 4: Security (Objective 4.2 - Implement and manage security services). You can expect 2-4 questions related to Security Hub, focusing on its integration with AWS Config, GuardDuty, Inspector, and IAM Access Analyzer, as well as its use in compliance standards like CIS and PCI DSS. Understanding how Security Hub normalizes findings, applies severity levels, and enables automated remediation is critical for passing the exam.
Imagine a large corporate building with multiple security systems: a badge reader at the main entrance, motion sensors in hallways, fire alarms, and a separate CCTV system. Each system generates its own alerts and logs, but there is no single view of all security events. Security Hub acts like a centralized security operations center (SOC) where all these systems feed their alerts into a single pane of glass. The SOC analysts (Security Hub) correlate events from different sources, apply severity ratings, and prioritize critical incidents. For example, if the badge reader logs an entry at 2 AM (unusual) and the motion sensor detects movement in a restricted area at the same time, Security Hub can combine these into a single finding with higher severity. It also provides a standardized format (AWS Security Finding Format - ASFF) so that alerts from different services are normalized. Just as a SOC might have a ticketing system to track incidents, Security Hub allows you to update findings, suppress known benign patterns, and automatically trigger remediation workflows via AWS Lambda or other services. Without Security Hub, you would have to manually check each system's dashboard, missing correlations and wasting time on low-priority noise.
What is AWS Security Hub?
AWS Security Hub is a cloud security posture management (CSPM) service that provides a comprehensive view of your security state across your AWS accounts. It collects and aggregates security findings from various AWS services (such as Amazon GuardDuty, Amazon Inspector, AWS IAM Access Analyzer, AWS Firewall Manager, and AWS Systems Manager Patch Manager) and from over 50 third-party partner products (e.g., CrowdStrike, Palo Alto Networks, Trend Micro). These findings are normalized into the AWS Security Finding Format (ASFF), which is a JSON structure. Security Hub then applies a severity score (0.0 to 10.0) and generates an overall security score based on compliance standards like CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices.
How Security Hub Works Internally
Security Hub operates as a regional service. When you enable it, it automatically begins ingesting findings from enabled integrated services in the same region. To see findings from several regions in one place, you must explicitly enable cross-region aggregation. The service is built around the concept of a "finding": a record of a security issue or a potential misconfiguration. Each finding has a unique identifier (Id) and is stored in the ASFF format. The ASFF includes fields such as:
AwsAccountId
ProductArn (identifies the source)
GeneratorId
Id (unique per finding)
Types (e.g., "Software and Configuration Checks/Industry and Regulatory Standards/CIS")
CreatedAt, UpdatedAt
Severity (Label: INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL; Normalized: 0, 1-39, 40-69, 70-89, 90-100)
Workflow (Status: NEW, NOTIFIED, RESOLVED, SUPPRESSED)
Compliance (Status: PASSED, WARNING, FAILED, NOT_AVAILABLE)
Security Hub continuously evaluates your environment against security standards. For each standard, it runs security checks (rules) and generates findings for non-compliant resources. For example, the CIS AWS Foundations Benchmark includes checks like "Ensure IAM password policy requires at least one uppercase letter" — if your password policy does not meet this requirement, Security Hub generates a finding with severity MEDIUM.
Key Components and Defaults
Security Standards: When you enable Security Hub, you can enable one or more security standards. The default standards are CIS AWS Foundations Benchmark v1.2.0 (or v1.4.0), PCI DSS v3.2.1, and AWS Foundational Security Best Practices. Each standard has a set of controls (individual checks). You can disable individual controls if needed.
Insights: Insights are collections of related findings that help you identify patterns. Security Hub provides several managed insights (e.g., "Top 10 most critical findings", "Findings by severity"). You can create custom insights using filters (e.g., all findings with severity HIGH and resource type AWS::EC2::Instance).
Custom Actions: You can define custom actions to send findings to other services (e.g., Amazon EventBridge, AWS Lambda, or a ticketing system). When you configure a custom action, Security Hub publishes an event to EventBridge when you take that action on a finding (e.g., "Send to Slack").
Integration with AWS Organizations: Security Hub can be enabled across all accounts in an AWS Organization using a delegated administrator account. The delegated admin can view findings from all member accounts, manage standards, and configure cross-region aggregation.
Finding Updates: When a finding is updated (e.g., severity changed, workflow status changed), Security Hub sends an event to EventBridge, enabling automated responses.
Configuration and Verification Commands
You can manage Security Hub using the AWS Management Console, AWS CLI, or SDK. Key CLI commands:
# Enable Security Hub
aws securityhub enable-security-hub --enable-default-standards
# Enable a specific standard
# The parameter is a list; CIS v1.2.0 uses the older "ruleset" ARN form (newer standards use "standards/...")
aws securityhub batch-enable-standards --standards-subscription-requests '[{"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"}]'
# List enabled standards
aws securityhub get-enabled-standards
# Get findings
aws securityhub get-findings --filters '{"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}]}'
# Update finding workflow status
# Each finding identifier needs both Id and ProductArn; the list form is required
aws securityhub batch-update-findings --finding-identifiers '[{"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/.../finding/...", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"}]' --workflow '{"Status": "RESOLVED"}'
# Create a custom insight
# --group-by-attribute is required for create-insight
aws securityhub create-insight --name "High Severity EC2 Findings" --group-by-attribute ResourceId --filters '{"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}], "ResourceType": [{"Value": "AwsEc2Instance", "Comparison": "EQUALS"}]}'
Interaction with Related Technologies
Security Hub integrates deeply with:
Amazon GuardDuty: GuardDuty findings automatically appear in Security Hub. Security Hub normalizes them (e.g., GuardDuty severity HIGH becomes Security Hub severity HIGH).
Amazon Inspector: Inspector findings (vulnerabilities in EC2 instances or container images) are sent to Security Hub.
AWS IAM Access Analyzer: Findings about external access to resources (e.g., S3 buckets) appear in Security Hub.
AWS Config: Security Hub uses AWS Config as a data source for resource configuration checks (e.g., checking whether an S3 bucket has public access blocked).
AWS Firewall Manager: Firewall Manager findings (e.g., WAF rule violations) are aggregated.
AWS Systems Manager Patch Manager: Patch compliance data is sent to Security Hub.
Amazon EventBridge: Security Hub sends all finding events to the default event bus. You can create rules to trigger Lambda functions, send to SNS, or integrate with third-party SIEMs.
AWS Lambda: You can write custom remediation functions triggered by Security Hub events.
Third-party integrations: Over 50 partners send findings via the ASFF. Examples include CrowdStrike Falcon, Palo Alto Networks Prisma Cloud, and Trend Micro Cloud One.
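The `--filters` JSON passed to `get-findings` and `create-insight` above (and used for custom insights) is an AwsSecurityFindingFilters document. The following added example, which is not code from AWS or from this chapter, evaluates such a filter locally against a handful of constructed ASFF-shaped findings so you can see exactly which records a given filter selects. It implements only the EQUALS, NOT_EQUALS and PREFIX comparisons on the string filters this chapter uses; the assumed combination rule (AND across filter keys, OR among EQUALS values for one key, AND among NOT_EQUALS values) follows the documented API behaviour. The finding IDs and field values are constructed sample data.

```python
"""Evaluate a Security Hub --filters document against ASFF findings offline.

Added example: not AWS code and not part of the study guide. The findings
below are constructed; the filter semantics implemented here are a subset
(EQUALS / NOT_EQUALS / PREFIX on string-valued filters).
"""
import json
from typing import Callable, Dict, List

# Which ASFF field each filter key reads. ResourceType and Type are
# list-valued in ASFF, so the extractor returns every value.
FIELD_EXTRACTORS: Dict[str, Callable[[dict], List[str]]] = {
    "SeverityLabel": lambda f: [f["Severity"]["Label"]],
    "WorkflowStatus": lambda f: [f["Workflow"]["Status"]],
    "ComplianceStatus": lambda f: [f.get("Compliance", {}).get("Status", "")],
    "AwsAccountId": lambda f: [f["AwsAccountId"]],
    "ResourceType": lambda f: [r["Type"] for r in f.get("Resources", [])],
    "Type": lambda f: list(f.get("Types", [])),
}


def _compare(actual: str, comparison: str, value: str) -> bool:
    """One StringFilter comparison."""
    if comparison == "EQUALS":
        return actual == value
    if comparison == "NOT_EQUALS":
        return actual != value
    if comparison == "PREFIX":
        return actual.startswith(value)
    raise ValueError(f"unsupported comparison: {comparison}")


def matches(finding: dict, filters: dict) -> bool:
    """Assumed semantics: AND across keys; for one key, positive comparisons
    (EQUALS/PREFIX) are OR'd and every NOT_EQUALS must hold."""
    for key, conditions in filters.items():
        actuals = FIELD_EXTRACTORS[key](finding)
        positives = [c for c in conditions if c["Comparison"] != "NOT_EQUALS"]
        negatives = [c for c in conditions if c["Comparison"] == "NOT_EQUALS"]
        if positives and not any(_compare(a, c["Comparison"], c["Value"])
                                 for c in positives for a in actuals):
            return False
        if any(a == c["Value"] for c in negatives for a in actuals):
            return False
    return True


def select(findings: List[dict], filters_json: str) -> List[str]:
    """Return the Ids of findings selected by a --filters JSON string."""
    filters = json.loads(filters_json)
    return [f["Id"] for f in findings if matches(f, filters)]


def make_finding(fid: str, label: str, resource_type: str,
                 workflow_status: str, types: List[str]) -> dict:
    """Constructed, minimal ASFF-shaped finding (sample data only)."""
    return {
        "Id": fid,
        "AwsAccountId": "123456789012",
        "Severity": {"Label": label},
        "Workflow": {"Status": workflow_status},
        "Resources": [{"Type": resource_type, "Id": f"{resource_type}/example"}],
        "Types": types,
    }


# Constructed sample findings covering the cases the filters should separate
SAMPLE_FINDINGS = [
    make_finding("f-1", "HIGH", "AwsEc2Instance", "NEW",
                 ["Software and Configuration Checks/Vulnerabilities/CVE"]),
    make_finding("f-2", "HIGH", "AwsS3Bucket", "NEW",
                 ["Software and Configuration Checks/AWS Security Best Practices"]),
    make_finding("f-3", "MEDIUM", "AwsEc2Instance", "SUPPRESSED",
                 ["TTPs/Initial Access"]),
    make_finding("f-4", "CRITICAL", "AwsEc2Instance", "RESOLVED",
                 ["Software and Configuration Checks/Vulnerabilities/CVE"]),
]

# The same filter document the create-insight command above uses
HIGH_EC2_FILTER = ('{"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}], '
                   '"ResourceType": [{"Value": "AwsEc2Instance", "Comparison": "EQUALS"}]}')

if __name__ == "__main__":
    print("HIGH + EC2:", select(SAMPLE_FINDINGS, HIGH_EC2_FILTER))
    print("not suppressed:", select(
        SAMPLE_FINDINGS,
        '{"WorkflowStatus": [{"Value": "SUPPRESSED", "Comparison": "NOT_EQUALS"}]}'))
```

Running the module shows that the "High Severity EC2 Findings" insight would contain only f-1, and that a NOT_EQUALS SUPPRESSED filter reproduces the default console view, which hides suppressed findings without deleting them.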
Severity and Scoring
Security Hub calculates a security score for each standard. The score is a percentage of passed checks versus total applicable checks. For example, if CIS has 43 controls and 30 pass, the score is 69.77%. The exam may ask about how severity is normalized: GuardDuty severity of 7 (HIGH) becomes Security Hub severity HIGH with normalized score of 70-89. The normalized score is an integer between 0 and 100.
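The two calculations in this section (label from normalized score, and the per-standard score that excludes NOT_AVAILABLE controls as described later in the chapter) are easy to get wrong on the exam, so here is an added worked example over ASFF-shaped records; it is not code from AWS or from this study guide. It assumes GuardDuty severity converts to Severity.Normalized by multiplying by 10, which reproduces the chapter's statements (7 becomes HIGH in the 70-89 band, 4 becomes MEDIUM), and it treats any applicable control that is not PASSED as failing the score. The control findings are constructed sample data chosen to match the 30-of-43 figure above.

```python
"""Severity normalization and compliance scoring as the chapter describes them.

Added example; not AWS code and not from the study guide. Findings are
constructed ASFF-shaped dicts. Assumptions: GuardDuty normalized score =
severity * 10; WARNING and FAILED both count as not passed.
"""
from typing import Iterable, Optional

# Severity.Normalized bands -> Severity.Label, as listed in the chapter
SEVERITY_BANDS = [
    (0, 0, "INFORMATIONAL"),
    (1, 39, "LOW"),
    (40, 69, "MEDIUM"),
    (70, 89, "HIGH"),
    (90, 100, "CRITICAL"),
]


def label_for_normalized(normalized: int) -> str:
    """Map a Severity.Normalized value (0-100) to its Severity.Label."""
    if not 0 <= normalized <= 100:
        raise ValueError(f"normalized score out of range: {normalized}")
    for low, high, label in SEVERITY_BANDS:
        if low <= normalized <= high:
            return label
    raise AssertionError("unreachable: bands cover 0-100")


def normalize_guardduty(gd_severity: float) -> dict:
    """Translate a GuardDuty severity (0-8.9 per the chapter) into ASFF
    Severity fields. Assumption: Normalized = round(severity * 10)."""
    normalized = int(round(gd_severity * 10))
    return {"Normalized": normalized, "Label": label_for_normalized(normalized)}


def check_severity_consistent(finding: dict) -> bool:
    """True when a finding's Severity.Label agrees with its Severity.Normalized."""
    sev = finding["Severity"]
    return label_for_normalized(sev["Normalized"]) == sev["Label"]


def compliance_score(findings: Iterable[dict]) -> Optional[float]:
    """Percentage of PASSED controls over applicable controls, rounded to
    two decimals. NOT_AVAILABLE controls are excluded; None means no
    applicable control exists, so the score is unavailable."""
    applicable = [f for f in findings
                  if f.get("Compliance", {}).get("Status") != "NOT_AVAILABLE"]
    if not applicable:
        return None
    passed = sum(1 for f in applicable if f["Compliance"]["Status"] == "PASSED")
    return round(100.0 * passed / len(applicable), 2)


def make_control_finding(control: str, status: str) -> dict:
    """Constructed ASFF-shaped control finding (minimal fields, sample data)."""
    return {
        "Id": f"arn:aws:securityhub:us-east-1:123456789012:subscription/cis/{control}/finding/example",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS"],
        "Severity": {"Label": "MEDIUM", "Normalized": 40},
        "Compliance": {"Status": status},
    }


# Constructed sample: 43 applicable CIS controls (30 pass, 13 fail) plus
# 5 NOT_AVAILABLE controls that must not affect the score.
SAMPLE_CIS_FINDINGS = (
    [make_control_finding(f"1.{i}", "PASSED") for i in range(30)]
    + [make_control_finding(f"2.{i}", "FAILED") for i in range(13)]
    + [make_control_finding(f"3.{i}", "NOT_AVAILABLE") for i in range(5)]
)

if __name__ == "__main__":
    print("GuardDuty 7.0 ->", normalize_guardduty(7.0))
    print("GuardDuty 4.0 ->", normalize_guardduty(4.0))
    print("CIS score:", compliance_score(SAMPLE_CIS_FINDINGS))
```

`check_severity_consistent` is the kind of sanity check worth running on third-party ASFF imports, where a partner's own severity scale may not line up with the label it sends (the Qualys scenario later in the chapter).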
Cross-Region Aggregation
By default, Security Hub operates per region. To view findings from multiple regions in one place, you must enable cross-region aggregation. You designate a "linking region" that aggregates findings from other regions. This is important for global compliance monitoring. The exam may test that cross-region aggregation is optional and must be explicitly configured.
Pricing
Security Hub charges based on the number of findings ingested per account per region (first 100,000 findings per month free) and for compliance checks (first 10,000 checks per month free). The exam may ask about cost considerations, but typically not in depth.
Common Use Cases
Compliance monitoring: Continuously check against CIS, PCI DSS, and AWS best practices.
Centralized alerting: Aggregate findings from multiple accounts and services into a single dashboard.
Automated remediation: Use EventBridge and Lambda to automatically respond to critical findings (e.g., isolate an EC2 instance with a critical vulnerability).
Security score tracking: Track security posture over time and report to management.
Limitations
Security Hub does not prevent security issues; it only detects and reports.
It is regional by default; cross-region aggregation must be enabled.
Some findings may take up to 15 minutes to appear after the event occurs.
Not all AWS services are integrated by default; some require manual enablement (e.g., Firewall Manager).
Enable Security Hub in the Region
To start using Security Hub, you must enable it in each AWS Region where you want to collect findings. You can enable it via the console, CLI, or API. When you enable Security Hub, you can optionally enable the default security standards (CIS, PCI DSS, AWS Foundational Security Best Practices). If you disable default standards, no compliance checks run, but you can still ingest findings from integrated services. The enablement process takes a few seconds. For multi-account setups, you use AWS Organizations and designate a delegated administrator account to manage Security Hub across member accounts. The delegated admin can enable Security Hub for all accounts in the organization automatically.
Enable Integrated Services and Third-Party Tools
After Security Hub is enabled, you must enable the integrations with other AWS services (e.g., GuardDuty, Inspector) and third-party tools. Some services, like GuardDuty, are automatically integrated when both are enabled in the same region. Others, like Firewall Manager, require manual configuration. For third-party partners, you typically subscribe to their product in AWS Marketplace and configure the integration. Once enabled, findings flow into Security Hub within minutes. Security Hub normalizes each finding into the ASFF format, mapping source-specific fields to standard ASFF fields. For example, GuardDuty's 'severity' (0-8.9) is translated to Security Hub's 'Severity.Label' and 'Severity.Normalized'.
Review Findings in the Console or via API
Findings appear in the Security Hub console under 'Findings'. You can filter by severity, resource type, account, region, and more. Each finding shows the source (e.g., GuardDuty), a description, resource details, and recommended remediation. You can update the workflow status (NEW, NOTIFIED, RESOLVED, SUPPRESSED) to track progress. The exam may test that SUPPRESSED findings are hidden from the default view but can be seen if you remove the suppression filter. You can also create custom insights to group findings by common criteria, such as all findings of a certain type or from a specific account.
Configure Automated Remediation with EventBridge
Security Hub automatically sends all finding events to the default EventBridge event bus. You can create EventBridge rules to match specific finding patterns (e.g., severity CRITICAL and resource type AWS::EC2::Instance) and trigger a Lambda function, send a notification to SNS, or invoke a Systems Manager Automation document. For example, you can create a rule that triggers a Lambda function to isolate an EC2 instance by modifying its security group when a critical vulnerability is found. This step is optional but recommended for real-time response. The exam may ask about the integration between Security Hub and EventBridge for automated remediation.
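The EC2 isolation workflow just described, as an added example that is not AWS sample code and not part of this chapter: an EventBridge-style event pattern for "Security Hub Findings - Imported" events carrying a CRITICAL finding on an AwsEc2Instance, and a Lambda-shaped handler that turns each matching finding into the ec2:ModifyInstanceAttribute call that would swap the instance onto an isolation security group. The pattern matcher is a deliberately small subset of EventBridge's matching (exact values from a list, nested keys, any-element matching for arrays); `ISOLATION_SG_ID` is a placeholder for a security group you own that allows no ingress or egress; the sample event is constructed. The handler returns the planned calls instead of making them, so it runs offline.

```python
"""EventBridge pattern + Lambda-style handler for the isolation workflow.

Added example, not AWS code and not from the study guide. The pattern fields
are those Security Hub publishes to EventBridge; pattern_matches implements
only a subset of EventBridge semantics. ISOLATION_SG_ID is a placeholder and
SAMPLE_EVENT is constructed.
"""
import copy
from typing import Any, Dict, List

ISOLATION_SG_ID = "sg-PLACEHOLDER-isolation"  # placeholder: your no-ingress/no-egress SG

# Equivalent of the rule's event pattern (constructed for this example)
CRITICAL_EC2_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["CRITICAL"]},
            "Resources": {"Type": ["AwsEc2Instance"]},
            "Workflow": {"Status": ["NEW"]},
        }
    },
}


def pattern_matches(event: Any, pattern: Any) -> bool:
    """Subset of EventBridge matching: every pattern key must be present and
    match; a list in the pattern is the set of allowed exact values; a list
    in the event matches if any element matches."""
    if isinstance(event, list):
        return any(pattern_matches(e, pattern) for e in event)
    if isinstance(pattern, list):
        return event in pattern
    if isinstance(pattern, dict):
        if not isinstance(event, dict):
            return False
        return all(k in event and pattern_matches(event[k], v)
                   for k, v in pattern.items())
    return event == pattern


def instance_id_from_arn(resource_id: str) -> str:
    """'arn:aws:ec2:us-east-1:123456789012:instance/i-0abc' -> 'i-0abc'."""
    return resource_id.rsplit("/", 1)[-1]


def plan_isolation(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one planned ec2:ModifyInstanceAttribute call per matching
    EC2 resource, or an empty list when the event does not match the rule."""
    if not pattern_matches(event, CRITICAL_EC2_PATTERN):
        return []
    calls = []
    for finding in event["detail"]["findings"]:
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            calls.append({
                "FindingId": finding["Id"],
                "ModifyInstanceAttribute": {
                    "InstanceId": instance_id_from_arn(res["Id"]),
                    "Groups": [ISOLATION_SG_ID],
                },
            })
    return calls


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point. A deployed version would call
    boto3.client('ec2').modify_instance_attribute(**call['ModifyInstanceAttribute'])
    and then batch_update_findings(...Workflow={'Status': 'NOTIFIED'}) to record
    the action; here the plan is returned so the logic can be checked offline."""
    plan = plan_isolation(event)
    return {"isolated": [c["ModifyInstanceAttribute"]["InstanceId"] for c in plan]}


def event_with_severity(event: Dict[str, Any], label: str) -> Dict[str, Any]:
    """Deep-copy an event with every finding's Severity.Label replaced."""
    clone = copy.deepcopy(event)
    for finding in clone["detail"]["findings"]:
        finding["Severity"]["Label"] = label
    return clone


# Constructed sample event in the shape Security Hub publishes to EventBridge
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "region": "us-east-1",
    "detail": {
        "findings": [{
            "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/example-1",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
            "Severity": {"Label": "CRITICAL", "Normalized": 90},
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
        }]
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Matching on Workflow.Status NEW in the pattern keeps the rule from re-firing when the same finding is later updated to NOTIFIED or RESOLVED, which matters because Security Hub also emits events on finding updates.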
Monitor Compliance Scores and Generate Reports
Security Hub provides a compliance score for each enabled standard. The score is updated continuously as findings change. You can view the score in the console under 'Compliance'. You can also generate reports by exporting findings to Amazon S3 or by using the Security Hub API. For compliance audits, you can download a CSV of all findings for a given standard. The exam may test that the compliance score is based on the number of passed controls versus total applicable controls. Note that some controls may be marked as 'NOT_AVAILABLE' if the required resource does not exist (e.g., no EC2 instances). Those controls are excluded from the score calculation.
Enterprise Scenario 1: Multi-Account Compliance Monitoring
A large enterprise with 200 AWS accounts needs to monitor compliance with the CIS AWS Foundations Benchmark across all accounts. They enable Security Hub in each region where they have workloads, using a delegated administrator account in their AWS Organization. The delegated admin configures cross-region aggregation to a central region (us-east-1) so that all findings are visible in a single dashboard. They enable the CIS standard for all accounts. Security Hub runs compliance checks and generates findings for non-compliant resources. The security team uses custom insights to group findings by account and severity. They set up EventBridge rules to send critical findings to a Slack channel and create Jira tickets for high-severity issues. One common problem is that some accounts have resources in regions where Security Hub is not enabled, leading to incomplete compliance coverage. The solution is to enable Security Hub in all regions using AWS Organizations policies.
Enterprise Scenario 2: Integrating Third-Party Vulnerability Scanner
A company uses a third-party vulnerability scanner (e.g., Qualys) to scan their EC2 instances. They subscribe to the Qualys integration in AWS Marketplace and configure it to send findings to Security Hub. Now, alongside GuardDuty and Inspector findings, they see vulnerability findings from Qualys in the same console. They create a custom action that sends findings to a Security Information and Event Management (SIEM) system via Amazon Kinesis Firehose. A challenge is that the severity from Qualys may not map perfectly to Security Hub's severity labels. For example, Qualys might have a severity of '4' (medium) but Security Hub maps it to 'MEDIUM' with a normalized score of 40-69. The security team must adjust their SIEM rules to account for this mapping.
Performance and Scale Considerations
Security Hub can handle a high volume of findings. The free tier includes 100,000 findings per month per account per region. Beyond that, you pay per finding. For large enterprises, finding counts can easily exceed millions per month. It is important to use filters and insights to manage noise. Also, cross-region aggregation can incur data transfer costs. The exam may not test pricing details, but you should know that Security Hub has a free tier and that costs scale with finding volume.
What the SOA-C02 Exam Tests (Objective 4.2)
The exam covers Security Hub under 'Implement and manage security services'. You should know:
How to enable Security Hub and enable security standards.
How to integrate with GuardDuty, Inspector, IAM Access Analyzer, and AWS Config.
How to interpret findings (severity labels, normalized scores, workflow status).
How to use custom actions and EventBridge for automated remediation.
How to configure cross-region aggregation.
How to manage Security Hub in an AWS Organization (delegated administrator).
The difference between Security Hub and other services like GuardDuty (threat detection vs. posture management).
Common Wrong Answers and Why Candidates Choose Them
Security Hub can block traffic or remediate issues automatically without additional configuration. This is wrong because Security Hub is a detection and aggregation service; it does not take action on its own. You must use EventBridge and Lambda to automate remediation. Candidates often confuse Security Hub with services like AWS WAF or Shield that can block traffic.
Security Hub findings are automatically sent to all accounts in an organization. This is wrong; you must designate a delegated administrator and enable cross-region aggregation. By default, each account sees only its own findings in its own region. Candidates may assume that AWS Organizations automatically shares findings.
The compliance score is based on all controls in a standard, including those that are not applicable. This is wrong; controls marked as NOT_AVAILABLE are excluded. Candidates may not realize that Security Hub intelligently excludes non-applicable controls.
You must manually enable GuardDuty integration after enabling Security Hub. This is wrong; if GuardDuty is enabled in the same region, findings automatically appear in Security Hub. No additional configuration is needed. Candidates may think they need to set up a separate integration.
Specific Numbers and Terms to Memorize
Severity normalized scores: 0 (INFORMATIONAL), 1-39 (LOW), 40-69 (MEDIUM), 70-89 (HIGH), 90-100 (CRITICAL).
Workflow status values: NEW, NOTIFIED, RESOLVED, SUPPRESSED.
Default standards: CIS AWS Foundations Benchmark v1.2.0 (or v1.4.0), PCI DSS v3.2.1, AWS Foundational Security Best Practices.
Cross-region aggregation: you designate a linking region; findings from linked regions are viewable in the linking region.
Security Hub is regional; you must enable it per region.
Edge Cases and Exceptions
If you disable a standard, existing findings for that standard are retained but no new checks are run.
When you enable Security Hub in a new region, it does not retroactively ingest past findings from integrated services.
Some third-party integrations may require you to enable the integration in both Security Hub and the partner console.
If you suppress a finding, it is hidden from the default view but still exists; you can unsuppress it later.
How to Eliminate Wrong Answers
If a question asks about automatic remediation, eliminate any answer that says Security Hub itself performs the action. Look for answers involving EventBridge and Lambda.
If a question asks about cross-account visibility, ensure the answer mentions a delegated administrator and cross-region aggregation.
For severity questions, remember the normalized score ranges. If an answer says a GuardDuty severity of 4 maps to Security Hub HIGH, it is wrong (4 maps to MEDIUM).
Security Hub is a regional service; enable it in each region where you need visibility.
Findings are normalized into ASFF with severity labels and normalized scores (0-100).
Security Hub integrates automatically with GuardDuty, Inspector, IAM Access Analyzer, and AWS Config when enabled in the same region.
Default security standards: CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices.
Cross-region aggregation must be explicitly configured; designate a linking region.
Automated remediation requires EventBridge and Lambda (or Systems Manager).
Compliance score excludes controls marked as NOT_AVAILABLE.
Suppressed findings are hidden but not deleted; you can unsuppress them.
Security Hub and GuardDuty come up on the exam all the time. Here's how to tell them apart.
AWS Security Hub
Aggregates and normalizes findings from multiple sources (AWS services and third-party).
Focuses on security posture and compliance (CIS, PCI DSS).
Provides a compliance score and dashboard.
Does not generate its own findings; relies on integrated services.
Uses AWS Security Finding Format (ASFF).
Amazon GuardDuty
Generates its own findings based on threat detection (e.g., anomaly detection, threat intelligence).
Focuses on threat detection (e.g., suspicious API calls, compromised instances).
Does not provide compliance scores.
Does not aggregate findings from other services.
Uses its own finding format (though normalized by Security Hub).
Mistake
Security Hub can automatically remediate security issues without additional configuration.
Correct
Security Hub is a detection and aggregation service; it does not take remediation actions on its own. You must use Amazon EventBridge to trigger AWS Lambda functions or Systems Manager Automation documents to perform remediation.
Mistake
Security Hub findings are automatically shared across all accounts in an AWS Organization.
Correct
By default, each account sees only its own findings in its own region. To view findings from multiple accounts centrally, you must designate a delegated administrator account and enable cross-region aggregation.
Mistake
You must manually enable each integration (e.g., GuardDuty) after enabling Security Hub.
Correct
Many integrations are automatic when both services are enabled in the same region. For example, if GuardDuty is enabled, its findings automatically appear in Security Hub. No manual integration is required.
Mistake
Security Hub compliance score includes all controls, even those that are not applicable.
Correct
Controls marked as NOT_AVAILABLE (e.g., no EC2 instances for an EC2-related check) are excluded from the score calculation. Only applicable controls are counted.
Mistake
Security Hub is a global service; you enable it once and it covers all regions.
Correct
Security Hub is a regional service. You must enable it in each region where you want to collect findings. You can use cross-region aggregation to view findings from multiple regions in one dashboard.
Designate a delegated administrator account in Security Hub (via the console or API). The delegated admin can then enable Security Hub for all member accounts in the organization automatically. This ensures consistent configuration and central visibility. You must also enable cross-region aggregation if you want to view findings from all regions in one place.
AWS Config is a resource inventory and configuration tracking service that evaluates resources against rules. Security Hub aggregates findings from AWS Config (and other services) and provides a security posture dashboard with compliance scores. While AWS Config can generate compliance findings, Security Hub normalizes and prioritizes them alongside findings from other sources.
Typically within 5-15 minutes. For example, if GuardDuty detects a threat, the finding appears in Security Hub after a short delay. There is no way to speed this up; it is the normal propagation time.
No, Security Hub does not allow you to change the severity of findings that come from integrated services. The severity is set by the source service. However, you can create custom insights or use filters to prioritize findings differently. You can also update the workflow status to track your response.
Existing findings for that standard are retained, but Security Hub stops running new compliance checks for that standard. The compliance score for that standard becomes unavailable. You can re-enable the standard later, and checks will resume.
You can export findings to Amazon S3 using the Security Hub console (export to CSV) or via the API (get-findings). For continuous export, you can use EventBridge to send findings to a Kinesis Firehose delivery stream that writes to S3 or a SIEM. There is also a built-in integration with Amazon Athena for querying findings in S3.
No, Security Hub only supports the built-in standards (CIS, PCI DSS, AWS Foundational Security Best Practices) and any additional standards provided by AWS or partners. You cannot upload your own custom standard. For custom compliance, you can use AWS Config rules and aggregate those findings manually.