AWS Security Hub
AWS Security Hub is a comprehensive cloud security posture management (CSPM) service that provides a centralized view of your security state across your AWS environment. It is a critical service covered under Domain 1: Threat Detection and Incident Response of the AWS Certified Security – Specialty (SCS-C02) exam.
**Key Features:**
1. **Centralized Security Dashboard:** Security Hub aggregates, organizes, and prioritizes security findings from multiple AWS services such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer, as well as third-party partner solutions.
2. **Automated Compliance Checks:** It continuously evaluates your AWS resources against security standards and best practices, including AWS Foundational Security Best Practices (FSBP), CIS AWS Foundations Benchmark, PCI DSS, and NIST 800-53.
3. **AWS Security Finding Format (ASFF):** All findings are normalized into a standardized format called ASFF, enabling consistent analysis and correlation across multiple security tools.
4. **Cross-Account and Cross-Region Aggregation:** Security Hub supports multi-account management through AWS Organizations integration, allowing a delegated administrator to aggregate findings from all member accounts and regions into a single pane of glass.
5. **Automated Response and Remediation:** Security Hub integrates with Amazon EventBridge, enabling automated workflows for incident response. You can create custom actions to trigger Lambda functions, send notifications via SNS, or initiate remediation steps.
6. **Insights:** Security Hub provides managed and custom insights, which are collections of related findings that help identify trends and prioritize security issues requiring attention.
**Exam Relevance:** For the SCS-C02 exam, understanding how Security Hub centralizes threat detection findings, enables automated incident response through EventBridge integration, and supports compliance monitoring is essential. You should know how it integrates with other AWS security services, how to configure cross-account aggregation, and how to leverage automated remediation pipelines to respond to security events efficiently.
AWS Security Hub: Complete Guide for AWS Security Specialty Exam
Why AWS Security Hub Is Important
In modern cloud environments, organizations deploy dozens of AWS security services — Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, IAM Access Analyzer, and more. Each of these services generates its own findings in its own format and its own console. Without a centralized mechanism, security teams face fragmented visibility, inconsistent prioritization, and slow response times. AWS Security Hub solves this by providing a single pane of glass for security findings, automated compliance checks, and cross-account aggregation. For the AWS Security Specialty (SCS-C02) exam, Security Hub is a cornerstone topic that intersects with threat detection, incident response, and compliance — making it one of the most testable services in the domain.
What Is AWS Security Hub?
AWS Security Hub is a cloud security posture management (CSPM) service that:
• Aggregates security findings from multiple AWS services and supported third-party partner products into a standardized format called the AWS Security Finding Format (ASFF).
• Runs automated compliance checks against industry standards and best practices such as CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices (FSBP), PCI DSS, and NIST 800-53.
• Provides a centralized dashboard with severity-based prioritization so security teams can focus on the most critical issues first.
• Enables cross-account and cross-Region aggregation via integration with AWS Organizations, allowing a delegated administrator account to view findings from all member accounts and Regions in one place.
• Supports automated remediation workflows through integration with Amazon EventBridge, AWS Lambda, AWS Systems Manager Automation, and custom actions.
How AWS Security Hub Works
1. Enabling Security Hub
Security Hub must be explicitly enabled in each Region you want to monitor. When you enable it, you can choose which security standards to activate. Enabling Security Hub also automatically enables AWS Config (a prerequisite), because many compliance checks rely on AWS Config rules under the hood.
2. Finding Ingestion
Once enabled, Security Hub automatically imports findings from integrated AWS services:
- Amazon GuardDuty — threat detection findings (e.g., compromised EC2, cryptocurrency mining, credential exfiltration)
- Amazon Inspector — vulnerability assessment findings (CVEs, network reachability)
- Amazon Macie — sensitive data discovery findings (PII in S3)
- AWS Firewall Manager — policy compliance findings
- IAM Access Analyzer — external access findings
- AWS Systems Manager Patch Manager — patch compliance findings
- Third-party products — partners like CrowdStrike, Palo Alto Networks, Splunk, etc. can send findings via the BatchImportFindings API
All findings are normalized into ASFF (AWS Security Finding Format), a JSON schema that includes fields like AwsAccountId, Severity, Types, Resources, Compliance, Workflow, and ProductArn.
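To make the ASFF normalization and the BatchImportFindings path concrete, here is an added example (not code from the page or from AWS) that builds a minimal ASFF finding for a hypothetical custom scanner, checks the fields the schema requires, and splits a list of findings into the 100-finding batches the API accepts. The account id, region and resource ARN are constructed sample values; `import_findings` expects a boto3 `securityhub` client and is the only part that talks to AWS.

```python
from datetime import datetime, timezone

# Top-level fields the ASFF schema requires on every finding.
ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
                 "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")

def asff_timestamp(dt):
    """ISO 8601 with millisecond precision and a trailing Z, as ASFF expects."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def make_finding(account_id, region, generator_id, resource_arn, title, severity, description):
    """Build a minimal ASFF finding for a custom finding provider (hypothetical scanner).
    ProductArn uses the 'default' product of the calling account; Id must be unique per product."""
    now = asff_timestamp(datetime.now(timezone.utc))
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{generator_id}/{resource_arn}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "CreatedAt": now,
        "UpdatedAt": now,
        "Severity": {"Label": severity},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "AwsEc2Instance", "Id": resource_arn, "Region": region}],
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    }

def validate_finding(finding):
    """Return the names of required ASFF fields that are missing or empty."""
    return [field for field in ASFF_REQUIRED if not finding.get(field)]

def batches(findings, size=100):
    """BatchImportFindings accepts at most 100 findings per call; split the list accordingly."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]

def import_findings(client, findings):
    """Send the findings that pass validation; client is boto3.client('securityhub').
    Returns the number of findings Security Hub rejected."""
    valid = [f for f in findings if not validate_finding(f)]
    failed = 0
    for batch in batches(valid):
        failed += client.batch_import_findings(Findings=batch)["FailedCount"]
    return failed
```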
3. Security Standards and Controls
Security Hub evaluates your environment against enabled standards by running security controls (backed by AWS Config rules). Each control produces a finding with a status:
- PASSED — resource is compliant
- FAILED — resource is non-compliant
- WARNING — check could not be completed
- NOT_AVAILABLE — control is disabled or not applicable
Examples of controls:
- Ensure MFA is enabled for the root account
- Ensure S3 buckets do not allow public read access
- Ensure CloudTrail is enabled in all Regions
- Ensure VPC flow logging is enabled
The overall security score is calculated as the percentage of passed controls versus total enabled controls.
4. Cross-Account and Cross-Region Aggregation
With AWS Organizations integration, you designate a delegated administrator account for Security Hub. This account automatically receives findings from all member accounts. You can also configure a finding aggregation Region (aggregator Region) that pulls findings from all linked Regions into a single Region for unified visibility.
5. Insights
Security Hub provides managed insights — pre-built correlations that group findings by criteria such as:
- EC2 instances with the most findings
- S3 buckets with public access
- IAM users with the most findings
- AWS accounts with the most critical findings
You can also create custom insights using filter criteria on ASFF fields.
6. Automation and Remediation
Security Hub integrates with Amazon EventBridge. Every finding change generates an event on the default event bus. You can create EventBridge rules to:
- Trigger a Lambda function for auto-remediation (e.g., revoke a security group rule, enable encryption, quarantine an instance)
- Send notifications via SNS
- Invoke AWS Systems Manager Automation documents (runbooks)
- Forward findings to a SIEM (e.g., Splunk, Amazon OpenSearch)
Security Hub also supports custom actions: you define a custom action ARN, associate it with an EventBridge rule, and then trigger it manually from the Security Hub console for selected findings.
7. Automation Rules
A newer feature, automation rules, lets you automatically update or suppress findings based on criteria — for example, auto-archiving informational findings or auto-setting workflow status to SUPPRESSED for known false positives. This runs inside Security Hub without needing EventBridge.
Key Architectural Patterns
Pattern 1: Centralized Security Monitoring
Enable Security Hub across all accounts via AWS Organizations → designate a delegated admin → configure cross-Region aggregation → build dashboards in the aggregator Region.
Pattern 2: Automated Remediation Pipeline
Security Hub finding → EventBridge rule (filter by finding type, severity, compliance status) → Lambda function (remediate) → SNS notification (alert security team).
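The EventBridge rule and Lambda step of this pipeline (and of the automation section above), as an added example that is not part of the page: a constructed "Security Hub Findings - Imported" event, the rule pattern that selects active, unresolved, FAILED findings of HIGH or CRITICAL severity, a simplified implementation of EventBridge's content-filter matching so the pattern can be tested offline, and a Lambda handler that extracts the security group ids a remediation step would act on. The account id and security group id are constructed values; the actual remediation call is left to the caller.

```python
# Constructed sample event shaped like EventBridge's "Security Hub Findings - Imported" event.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "constructed-finding-1",
        "Severity": {"Label": "HIGH"},
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
        "Resources": [{"Type": "AwsEc2SecurityGroup",
                       "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"}],
    }]},
}

# Rule pattern: only active, unresolved, FAILED findings of HIGH or CRITICAL severity.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Compliance": {"Status": ["FAILED"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}

def matches(pattern, value):
    """Simplified EventBridge matching: every pattern key must be present and match, a list in
    the pattern is the set of allowed exact values, and an event array matches if any element does."""
    if isinstance(value, list):
        return any(matches(pattern, v) for v in value)
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(
            k in value and matches(p, value[k]) for k, p in pattern.items())
    return value in pattern

def handler(event, context=None):
    """Lambda entry point: return security group ids to remediate, re-checking each finding."""
    targets = []
    if not matches(RULE_PATTERN, event):
        return targets
    for finding in event["detail"]["findings"]:
        if not matches(RULE_PATTERN["detail"]["findings"], finding):
            continue
        for res in finding.get("Resources", []):
            if res.get("Type") == "AwsEc2SecurityGroup":
                targets.append(res["Id"].rsplit("/", 1)[-1])
    return targets
```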
Pattern 3: Compliance Reporting
Enable CIS, FSBP, and PCI DSS standards → use Security Hub security score → export findings via EventBridge to S3 (for auditors) or to Amazon QuickSight for visualization.
Pattern 4: SIEM Integration
Security Hub → EventBridge → Kinesis Data Firehose → Amazon OpenSearch Service / Splunk for advanced correlation and long-term retention.
Important Details for the Exam
• AWS Config is a prerequisite. Security Hub requires AWS Config to be enabled for compliance checks to work. If Config is not enabled, controls will show NOT_AVAILABLE.
• ASFF is the standard format. All findings — whether from AWS services or third parties — are normalized to ASFF. Third-party providers use BatchImportFindings; finding providers use BatchUpdateFindings to update workflow state.
• Findings are retained for 90 days after the last update. After 90 days with no update, findings are automatically deleted. For long-term retention, export to S3 via EventBridge.
• Security Hub is Regional. You must enable it in each Region. Cross-Region aggregation consolidates findings in one designated Region.
• Delegated administrator is the recommended multi-account deployment model via AWS Organizations. The management account should not be the daily-use security account.
• Custom actions allow manual triggering of EventBridge rules from the Security Hub console — useful for ad-hoc response workflows.
• Security Hub does NOT replace GuardDuty, Inspector, or Macie. Those services must be independently enabled; Security Hub only aggregates their findings.
• Disabling a control suppresses findings for that control and removes it from the security score calculation.
• Integration with AWS Audit Manager can leverage Security Hub findings for audit evidence collection.
Exam Tips: Answering Questions on AWS Security Hub
Tip 1: Recognize the "single pane of glass" keyword. If the question asks about centralizing or aggregating security findings from multiple AWS services, the answer is almost always Security Hub. Do not confuse it with CloudWatch (metrics/logs), CloudTrail (API audit logs), or Amazon Detective (investigation/forensics).
Tip 2: Know the difference between Security Hub and its feeder services. Security Hub does NOT perform threat detection (that's GuardDuty), vulnerability scanning (that's Inspector), or sensitive data discovery (that's Macie). It aggregates and normalizes their findings. If a question asks how to detect a threat, the answer is the specific detection service. If it asks how to centrally view or act on findings, the answer is Security Hub.
Tip 3: AWS Config dependency is a common trap. If compliance checks are not working or showing NOT_AVAILABLE, think about whether AWS Config is enabled. Questions may describe this failure scenario to test your understanding of the prerequisite.
Tip 4: For automated remediation, think Security Hub → EventBridge → Lambda. This is the most tested automation pattern. The question may describe a scenario like "automatically remediate a non-compliant security group" — the answer involves Security Hub finding triggering an EventBridge rule that invokes a Lambda function.
Tip 5: Cross-account questions point to Organizations integration. If the scenario involves hundreds of accounts, look for answers mentioning delegated administrator and cross-Region finding aggregation. Manual invite-based member management is the legacy approach and not recommended at scale.
Tip 6: Know the retention limit. Findings are kept for 90 days. If the question asks about long-term storage of security findings for compliance or auditing, the answer involves exporting findings to S3 (via EventBridge + Firehose or Lambda).
Tip 7: Custom actions vs. automation rules. Custom actions require manual selection of findings and triggering. Automation rules run automatically based on criteria. If the question asks for fully automated suppression or enrichment, automation rules (or EventBridge rules) are the answer. If it asks for analyst-driven response, custom actions are the answer.
Tip 8: ASFF is the universal format. If a question mentions normalizing or standardizing finding formats across different security tools, ASFF is the key concept. Third parties use the BatchImportFindings API to send findings in ASFF.
Tip 9: Security Hub Insights questions. If the question asks about identifying which resource, account, or user has the most critical findings, think about Security Hub managed or custom insights — these are built-in aggregation queries.
Tip 10: Eliminate wrong answers systematically. Common distractors include:
- AWS Trusted Advisor — cost and basic security checks, not a finding aggregator
- Amazon Detective — investigation and root cause analysis, not aggregation
- AWS CloudTrail — API logging, not finding aggregation
- Amazon CloudWatch — monitoring and alerting on metrics/logs, not security findings
Summary
AWS Security Hub is the central nervous system for security posture management in AWS. It aggregates findings from multiple services into ASFF format, runs compliance checks against industry benchmarks, supports cross-account and cross-Region aggregation via AWS Organizations, and enables automated remediation through EventBridge integration. For the exam, focus on understanding its role as an aggregator (not a detector), its dependency on AWS Config, the EventBridge-based automation patterns, cross-account architecture with delegated administrators, and the 90-day finding retention limit. Mastering these concepts will help you confidently answer Security Hub questions on the AWS Security Specialty exam.