Mastering AWS Security Specialty — Post 6: AWS Security Hub – Unified Monitoring and Remediation


What is AWS Security Hub?
AWS Security Hub is a cloud security posture management (CSPM) service that gives you a comprehensive view of your security state in AWS. It aggregates, organizes, and prioritizes security findings from various AWS services and partner tools.
Think of it as your security control tower — watching over services like:
Amazon GuardDuty
AWS Config
Amazon Inspector
Macie
Third-party security tools (like Trend Micro, Palo Alto, etc.)
Architecture – How It Works
1. Data Sources Feed into Security Hub
Security Hub collects findings from multiple sources:
AWS Services like GuardDuty (threat detection), Inspector (vulnerability scans), Macie (sensitive data detection), and AWS Config (compliance).
Third-party integrations such as Palo Alto, Trend Micro, Splunk, and others via AWS Marketplace or custom APIs.
Custom sources using the
BatchImportFindings
API.
All findings are normalized into a consistent format called AWS Security Finding Format (ASFF).
2. Security Hub Normalizes and Analyzes Findings
Once data arrives:
Security Hub deduplicates, normalizes, and correlates the findings.
It evaluates them against enabled security standards (e.g., CIS, AWS Best Practices).
Insights help identify patterns or high-priority risks (like repeated open S3 buckets or unpatched EC2s).
This forms a unified security posture view across your AWS accounts and regions.
3. Findings Trigger Automated Responses (via EventBridge)
Every new or updated finding emits an event to Amazon EventBridge, which you can route to:
AWS Lambda for automated remediation (e.g., isolate EC2, revoke access).
SNS to send alerts via email or chat.
Ticketing systems or SIEM tools via integrations.
This enables real-time, scalable automated security operations without manual intervention.
Key Concepts
1. Findings
Findings are security alerts from AWS and third-party tools, formatted in a standard JSON structure (ASFF). They help identify risks like misconfigurations, threats, or vulnerabilities in your AWS environment.
2. Insights
Insights are pre-built or custom groupings of related findings based on defined filters like severity or resource type. Think of them as saved searches or dashboards that help prioritize recurring security issues and focus remediation efforts effectively.
3. Standards
Security standards in AWS Security Hub are predefined collections of controls mapped to widely accepted compliance frameworks like CIS Benchmarks and AWS Foundational Security Best Practices.. These standards run automated checks and highlight compliance gaps in your AWS accounts.
4. Integrations
Security Hub integrates with AWS services (e.g., GuardDuty, Macie) and third-party tools to collect findings centrally, offering unified security visibility and control.
5. Automation via EventBridge
Each finding generates an EventBridge event, allowing automated responses like sending alerts, tagging resources, or triggering Lambda functions for remediation.
Security Standards and Covered Services
Standard | Description | Covers Services |
CIS AWS Foundations Benchmark v1.2.0 | Based on Center for Internet Security (CIS) best practices for secure AWS setup. | IAM, S3, CloudTrail, Config, VPC, CloudWatch |
AWS Foundational Security Best Practices (FSBP) | AWS-recommended security settings across services to reduce risk. | IAM, S3, EC2, Lambda, RDS, EKS, Secrets Manager, CloudTrail, VPC |
PCI DSS v3.2.1 | Helps align with Payment Card Industry standards for handling cardholder data. | IAM, S3, EC2, RDS, CloudTrail, Config |
NIST SP 800-53 Rev. 5 | U.S. federal cybersecurity controls based on NIST recommendations. | IAM, EC2, S3, KMS, CloudTrail, VPC, Config |
NIST CSF (Cybersecurity Framework) | Best practices for identifying, protecting, and recovering from cyber threats. | IAM, S3, CloudTrail, Config |
ISO/IEC 27001 | Maps to global information security management standards. | IAM, S3, CloudTrail, Config |
Getting Started with AWS Security Hub
1. Enable Security Hub in your AWS Account
aws securityhub enable-security-hub
Tip: Enable it in all regions you use, or automate multi-region setup using a script.
2. Enable Security Standards
aws securityhub batch-enable-standards --standards-subscription-requests '[{
"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}, {
"StandardsArn": "arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0"
}]'
3. Multi-Account and Multi-Region Strategy
Use AWS Organizations integration to manage security posture across accounts:
Delegate Administrator
aws organizations register-delegated-administrator \
--account-id <SecurityAdminAccountId> \
--service-principal securityhub.amazonaws.com
Then in the delegated account
aws securityhub enable-organization-admin-account \
--admin-account-id <SecurityAdminAccountId>
Understanding Findings
Each finding in Security Hub is in the AWS Security Finding Format (ASFF) — a JSON document with standard fields such as:
Title
Description
Severity
ProductArn
Remediation
Resources
Example: List All High Severity Findings
aws securityhub get-findings \
--filters '{"SeverityLabel":[{"Value":"HIGH","Comparison":"EQUALS"}]}'
Using Insights to Visualize Risk
Security Hub provides managed insights and allows you to create custom insights.
Example: Create a Custom Insight for Open Security Groups
aws securityhub create-insight \
--name "Open Security Groups" \
--filters '{"Title":[{"Value":"Security group allows unrestricted access", "Comparison":"EQUALS"}]}' \
--group-by-attribute "ResourceId"
Tip: Use insights to create executive dashboards or compliance reports.
Integration with Other AWS Services
Service | Integration |
GuardDuty | Sends threat intelligence findings (e.g., crypto mining, port scans). |
Inspector | Delivers vulnerability scan results for EC2, Lambda, and containers. |
Macie | Flags sensitive data (like PII) exposed in S3 buckets. |
AWS Config | Detects compliance drift using managed and custom rules. |
CloudTrail + EventBridge | Enables automation workflows on new findings. |
Automating Response with EventBridge and Lambda
Security Hub emits events when new findings arrive. You can create an EventBridge rule to trigger actions — such as tagging, isolating, or notifying.
Example: Event Rule to Trigger Lambda on Critical Finding
aws events put-rule \
--name "SecurityHub-Critical-Finding" \
--event-pattern '{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"Severity": {
"Label": ["CRITICAL"]
}
}
}
}'
Then attach a Lambda function to this rule using:
aws events put-targets \
--rule "SecurityHub-Critical-Finding" \
--targets "Id"="1","Arn"="arn:aws:lambda:REGION:ACCOUNT:function:yourSecurityFunction"
Best Practices
Enable in all regions. Threats can emerge from unexpected places.
Automate remediation. Use EventBridge + Lambda for quick response.
Integrate with third-party tools. Use partner integrations for advanced insights.
Review insights weekly. Monitor trends and recurring misconfigurations.
Continuously improve. Use Security Hub as a feedback loop to tighten security.
Final Words
Whether you're managing one AWS account or a hundred, AWS Security Hub is your central nervous system for security visibility. Mastering it means you're serious about building secure, auditable, and automated cloud environments.
Use the CLI, automate your responses, and let Security Hub evolve from a dashboard to a defense system.
Thank you for taking the time to read my post. If you found it helpful, a like or share would go a long way in helping others discover and benefit from it too. Your support is genuinely appreciated. 🙏
Subscribe to my newsletter
Read articles from Suman Thallapelly directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

Suman Thallapelly
Suman Thallapelly
Hey there! I’m a seasoned Solution Architect with a strong track record of designing and implementing enterprise-grade solutions. I’m passionate about leveraging technology to solve complex business challenges, guiding organizations through digital transformations, and optimizing cloud and enterprise architectures. My journey has been driven by a deep curiosity for emerging technologies and a commitment to continuous learning. On this space, I share insights on cloud computing, enterprise technologies, and modern software architecture. Whether it's deep dives into cloud-native solutions, best practices for scalable systems, or lessons from real-world implementations, my goal is to make complex topics approachable and actionable. I believe in fostering a culture of knowledge-sharing and collaboration to help professionals navigate the evolving tech landscape. Beyond work, I love exploring new frameworks, experimenting with side projects, and engaging with the tech community. Writing is my way of giving back—breaking down intricate concepts, sharing practical solutions, and sparking meaningful discussions. Let’s connect, exchange ideas, and keep pushing the boundaries of innovation together!