Why AWS Security Hub is Essential for Security
AWS Security Hub is a cloud security posture management (CSPM) service that aggregates, organizes, and prioritizes security findings from multiple AWS services and third-party tools. It provides a centralized view of your security state across all AWS accounts and regions.
- Aggregates findings from GuardDuty, Inspector, Macie, Config, IAM Access Analyzer, and more
- Continuously evaluates your environment against security standards like CIS and PCI DSS
- Provides a unified security score across all accounts and regions
- Enables automated remediation workflows through EventBridge integration
- Reduces alert fatigue with automation rules that suppress or prioritize findings
- Supports multi-account management through AWS Organizations integration
The Four Critical Blind Spots Security Hub Addresses
Alert Fatigue and Critical Finding Suppression
Security teams receive thousands of low-priority alerts daily. Without proper correlation and prioritization, critical threats get buried in noise, leading to delayed response times that attackers exploit.
Lack of Cross-Service Attack Pattern Recognition
Modern attacks span multiple AWS services. An attacker might compromise an EC2 instance (GuardDuty alert), escalate privileges (IAM Access Analyzer finding), and access S3 buckets (Macie detection). Without correlation, each appears as an isolated incident.
Compliance Blind Spots Across Standards
Organizations must comply with multiple frameworks (SOC 2, PCI DSS, NIST, CIS). Manual compliance checking across dozens of services is error-prone and creates audit failures.
Multi-Region and Multi-Account Visibility Gaps
Without cross-region aggregation, threats that span multiple regions in your infrastructure go undetected. Centralized monitoring is essential for comprehensive security visibility.
Enable Security Hub Across Your Organization
Estimated time: 8 minutes
Prerequisites
- AWS Organizations with centralized management enabled
- Administrative access to the management account
- AWS Config enabled in all target regions (Security Hub requirement)
- Permissions: AWSSecurityHubFullAccess and AWSSecurityHubOrganizationsAccess
1.1 Designate Security Hub Administrator
First, designate a delegated administrator account that will manage Security Hub across your organization:
# Set delegated administrator for Security Hub
aws organizations register-delegated-administrator \
--account-id 123456789012 \
--service-principal securityhub.amazonaws.com
# Verify the delegation
aws organizations list-delegated-administrators \
--service-principal securityhub.amazonaws.com
1.2 Enable Security Hub with Default Standards
From the delegated administrator account, enable Security Hub:
# Enable Security Hub with default standards (CIS and FSBP)
aws securityhub enable-security-hub \
--enable-default-standards \
--region us-east-1
# Verify Security Hub is enabled
aws securityhub describe-hub --region us-east-1
1.3 Create Central Configuration Policy
Central configuration lets you manage Security Hub settings across all accounts and regions from one place:
# Turn on central configuration for the organization first; configuration
# policies cannot be created while the organization is in LOCAL mode, and
# auto-enable must be off for central configuration
aws securityhub update-organization-configuration \
--no-auto-enable \
--organization-configuration '{"ConfigurationType": "CENTRAL"}' \
--region us-east-1
# Create central configuration policy for organization
# (an empty DisabledSecurityControlIdentifiers list keeps every control of the
# enabled standards on; an empty EnabledSecurityControlIdentifiers list would
# instead switch all controls off)
aws securityhub create-configuration-policy \
--name "Organization-Security-Policy" \
--description "Centralized Security Hub configuration for all accounts" \
--configuration-policy '{
"SecurityHub": {
"ServiceEnabled": true,
"EnabledStandardIdentifiers": [
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
],
"SecurityControlsConfiguration": {
"DisabledSecurityControlIdentifiers": []
}
}
}' \
--region us-east-1
# The policy only takes effect once it is associated with a target, e.g. the
# organization root (replace <root-id> with your own root ID):
# aws securityhub start-configuration-policy-association \
#   --configuration-policy-identifier "Organization-Security-Policy" \
#   --target '{"RootId": "<root-id>"}' --region us-east-1
1.4 Configure Cross-Region Aggregation
Set up finding aggregation to centralize security data from all regions:
# Set up cross-region aggregation (run from your home region)
aws securityhub create-finding-aggregator \
--region-linking-mode ALL_REGIONS \
--region us-east-1
# Verify aggregation is active
aws securityhub list-finding-aggregators \
--region us-east-1
Configure Compliance Standards and Controls
Estimated time: 5 minutes
Security Hub supports multiple compliance frameworks. Configure the standards most relevant to your industry and security requirements.
2.1 Enable AWS Foundational Security Best Practices (FSBP)
This is AWS's core security standard with controls across all major AWS services:
# Enable AWS Foundational Security Best Practices
aws securityhub batch-enable-standards \
--standards-subscription-requests \
StandardsArn="arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0" \
--region us-east-1
# List enabled standards
aws securityhub get-enabled-standards --region us-east-1
2.2 Enable CIS AWS Foundations Benchmark
Industry-standard baseline security configuration based on Center for Internet Security guidelines:
# Enable CIS AWS Foundations Benchmark v1.2.0
aws securityhub batch-enable-standards \
--standards-subscription-requests \
StandardsArn="arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" \
--region us-east-1
# For CIS v1.4.0 (includes region in ARN)
aws securityhub batch-enable-standards \
--standards-subscription-requests \
StandardsArn="arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \
--region us-east-1
2.3 Enable PCI DSS (For Payment Processing)
If you handle payment card data, enable PCI DSS compliance monitoring:
# Enable PCI DSS standard
aws securityhub batch-enable-standards \
--standards-subscription-requests \
StandardsArn="arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1" \
--region us-east-1
2.4 Disable Non-Applicable Controls
Customize specific controls based on your architecture:
# Disable a control that's not applicable to your architecture
# (S3.15 is the FSBP "S3 buckets should have Object Lock enabled" control;
# S3.8, bucket-level Block Public Access, should stay enabled)
aws securityhub update-standards-control \
--standards-control-arn "arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/S3.15" \
--control-status DISABLED \
--disabled-reason "Not applicable - we don't use S3 Object Lock" \
--region us-east-1
Set Up Finding Aggregation and Filtering
Estimated time: 7 minutes
Configure intelligent finding aggregation to reduce alert fatigue and focus on critical security issues.
3.1 Create Custom Insights for Threat Prioritization
Insights group related findings to identify attack patterns and priority areas:
# Create insight for critical findings on internet-facing resources
aws securityhub create-insight \
--name "Critical Internet-Facing Resources" \
--filters '{
"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}],
"ResourceType": [
{"Value": "AwsEc2Instance", "Comparison": "EQUALS"},
{"Value": "AwsElbv2LoadBalancer", "Comparison": "EQUALS"}
]
}' \
--group-by-attribute "ResourceType" \
--region us-east-1
# Create insight for IAM privilege escalation risks
aws securityhub create-insight \
--name "IAM Privilege Escalation Risks" \
--filters '{
"ProductName": [{"Value": "IAM Access Analyzer", "Comparison": "EQUALS"}],
"SeverityLabel": [
{"Value": "HIGH", "Comparison": "EQUALS"},
{"Value": "CRITICAL", "Comparison": "EQUALS"}
]
}' \
--group-by-attribute "ResourceId" \
--region us-east-1
3.2 Set Up Automated Finding Suppression
Use automation rules to suppress known false positives and low-priority findings:
# Create automation rule to suppress low-severity findings in dev accounts
aws securityhub create-automation-rule \
--rule-name "Suppress-Dev-Low-Severity" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Auto-suppress low severity findings in development accounts" \
--criteria '{
"SeverityLabel": [{"Value": "LOW", "Comparison": "EQUALS"}],
"AwsAccountId": [{"Value": "111122223333", "Comparison": "EQUALS"}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Workflow": {"Status": "SUPPRESSED"},
"Note": {
"Text": "Auto-suppressed: Low severity in dev environment",
"UpdatedBy": "automation-rule"
}
}
}]' \
--region us-east-1
# Create rule to elevate critical resource findings
aws securityhub create-automation-rule \
--rule-name "Elevate-Critical-Resources" \
--rule-order 2 \
--rule-status "ENABLED" \
--description "Elevate severity for findings on critical resources" \
--is-terminal \
--criteria '{
"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}],
"ResourceId": [{"Value": "arn:aws:s3:::production-data", "Comparison": "PREFIX"}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Severity": {"Label": "CRITICAL"},
"Note": {
"Text": "Elevated: Critical production resource at risk",
"UpdatedBy": "automation-rule"
}
}
}]' \
--region us-east-1
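The two rules above interact through their rule order and the terminal flag. The following is an added example (not from the page or from AWS) that models that matching logic offline on constructed ASFF findings, so you can check what a rule set will do before enabling it; the rule and finding dictionaries are simplified assumptions, not the service's data model.

```python
from copy import deepcopy
# Models of the two rules defined above: same criteria and actions,
# plus the rule order and terminal flag that decide how they combine.
RULES = [
    {"order": 1, "terminal": False,
     "criteria": {"SeverityLabel": [("EQUALS", "LOW")],
                  "AwsAccountId": [("EQUALS", "111122223333")]},
     "update": {"Workflow": {"Status": "SUPPRESSED"}}},
    {"order": 2, "terminal": True,
     "criteria": {"SeverityLabel": [("EQUALS", "HIGH")],
                  "ResourceId": [("PREFIX", "arn:aws:s3:::production-data")]},
     "update": {"Severity": {"Label": "CRITICAL"}}},
]

def field_value(finding, name):
    """Map a criteria field name onto the nested ASFF finding field."""
    if name == "SeverityLabel":
        return finding["Severity"]["Label"]
    if name == "ResourceId":
        return finding["Resources"][0]["Id"]
    return finding[name]

def matches(rule, finding):
    """All criteria fields must match (AND); values within one field are OR'd."""
    for name, conds in rule["criteria"].items():
        actual = field_value(finding, name)
        if not any((op == "EQUALS" and actual == value) or
                   (op == "PREFIX" and actual.startswith(value))
                   for op, value in conds):
            return False
    return True

def apply_rules(finding, rules=RULES):
    """Apply matching rules in ascending RuleOrder; a terminal rule ends
    processing. Assumption of this model: criteria are evaluated against
    the finding as originally imported, not against earlier rules' edits."""
    original, updated, applied = finding, deepcopy(finding), []
    for rule in sorted(rules, key=lambda r: r["order"]):
        if not matches(rule, original):
            continue
        for section, fields in rule["update"].items():
            updated.setdefault(section, {}).update(fields)
        applied.append(rule["order"])
        if rule["terminal"]:
            break
    return updated, applied

# Constructed sample finding: HIGH severity on a production bucket.
SAMPLE = {"AwsAccountId": "123456789012", "Severity": {"Label": "HIGH"},
          "Resources": [{"Id": "arn:aws:s3:::production-data-eu"}]}
```

Running `apply_rules(SAMPLE)` elevates the finding to CRITICAL via rule 2 only; a LOW finding in account 111122223333 is suppressed by rule 1 and never reaches rule 2.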
3.3 Configure Finding Export to SIEM
Stream findings to your SIEM or ticketing system for integrated workflows:
# Create EventBridge rule for high/critical Security Hub findings
aws events put-rule \
--name "SecurityHub-Critical-Findings" \
--event-pattern '{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"Severity": {
"Label": ["HIGH", "CRITICAL"]
}
}
}
}' \
--state ENABLED \
--region us-east-1
# Add SNS target for notifications
aws events put-targets \
--rule "SecurityHub-Critical-Findings" \
--targets "Id"="1","Arn"="arn:aws:sns:us-east-1:123456789012:security-alerts" \
--region us-east-1
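The EventBridge rule above delivers the full ASFF finding in `detail.findings`, and it fires again on every update of a finding. This added example (not from the page or from AWS) is a Lambda-style handler that flattens those findings into SIEM records and drops archived, suppressed and resolved ones so the SIEM is not re-alerted on findings nobody will act on; the sample event is constructed and the output field names are an assumed schema.

```python
FORWARD_SEVERITIES = {"HIGH", "CRITICAL"}

def normalize(finding):
    """Flatten one ASFF finding into a record for the SIEM (assumed schema)."""
    resource = (finding.get("Resources") or [{}])[0]
    return {
        "finding_id": finding["Id"],
        "title": finding.get("Title", ""),
        "severity": finding["Severity"]["Label"],
        "product": finding.get("ProductName", ""),
        "account": finding.get("AwsAccountId", ""),
        "region": finding.get("Region", ""),
        "resource_type": resource.get("Type", ""),
        "resource_id": resource.get("Id", ""),
        "compliance": finding.get("Compliance", {}).get("Status", "N/A"),
    }

def should_forward(finding):
    """The EventBridge pattern already filters on severity, but the same
    event fires on every update of a finding, so drop archived, suppressed
    and resolved ones to avoid re-alerting on findings nobody will act on."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") in ("SUPPRESSED", "RESOLVED"):
        return False
    return finding["Severity"]["Label"] in FORWARD_SEVERITIES

def handler(event, context=None):
    """Lambda-style entry point: returns the records that should reach the SIEM."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    return [normalize(f) for f in event["detail"]["findings"] if should_forward(f)]
# Constructed sample event: one actionable finding, one already suppressed.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "example-finding-1", "Title": "S3 bucket allows public access",
         "ProductName": "Security Hub", "AwsAccountId": "123456789012",
         "Region": "us-east-1", "RecordState": "ACTIVE",
         "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
         "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::production-data"}]},
        {"Id": "example-finding-2", "Title": "Suppressed dev finding",
         "ProductName": "Security Hub", "AwsAccountId": "111122223333",
         "Region": "us-east-1", "RecordState": "ACTIVE",
         "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "SUPPRESSED"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}]},
    ]},
}
```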
Create Compliance Dashboards
Estimated time: 5 minutes
Build comprehensive dashboards that provide real-time visibility into your security posture and compliance status.
4.1 Create CloudWatch Dashboard for Security Metrics
# Create CloudWatch dashboard for Security Hub metrics
aws cloudwatch put-dashboard \
--dashboard-name "Security-Hub-Overview" \
--dashboard-body '{
"widgets": [
{
"type": "metric",
"x": 0,
"y": 0,
"width": 12,
"height": 6,
"properties": {
"metrics": [
["AWS/SecurityHub", "FindingsBySeverity", "Severity", "CRITICAL"],
[".", ".", ".", "HIGH"],
[".", ".", ".", "MEDIUM"],
[".", ".", ".", "LOW"]
],
"period": 300,
"stat": "Sum",
"region": "us-east-1",
"title": "Security Findings by Severity"
}
},
{
"type": "text",
"x": 12,
"y": 0,
"width": 12,
"height": 6,
"properties": {
"markdown": "# Security Hub Dashboard\n\nThis dashboard shows the current security posture across all accounts.\n\n**Quick Links:**\n- [Security Hub Console](https://console.aws.amazon.com/securityhub)\n- [Findings](https://console.aws.amazon.com/securityhub/home#/findings)"
}
}
]
}' \
--region us-east-1
4.2 Set Up Compliance Score Monitoring
# Create alarm for compliance score degradation
aws cloudwatch put-metric-alarm \
--alarm-name "Security-Compliance-Score-Low" \
--alarm-description "Alert when compliance findings increase significantly" \
--namespace "AWS/SecurityHub" \
--metric-name "FindingsBySeverity" \
--dimensions Name=Severity,Value=CRITICAL \
--statistic Sum \
--period 3600 \
--threshold 10 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 1 \
--alarm-actions "arn:aws:sns:us-east-1:123456789012:security-alerts" \
--region us-east-1
4.3 Generate Compliance Summary Reports
# Get current compliance summary
aws securityhub get-findings \
--filters '{
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
}' \
--max-items 100 \
--query 'Findings[].{Title:Title,Severity:Severity.Label,Resource:Resources[0].Id}' \
--output table \
--region us-east-1
# Get security score summary by standard
aws securityhub get-enabled-standards \
--query 'StandardsSubscriptions[].{Standard:StandardsArn,Status:StandardsStatus}' \
--output table \
--region us-east-1
Validate Your Security Hub Configuration
Complete these validation steps to ensure Security Hub is properly configured and functioning:
Security Hub Health Check Script
Run this validation script to verify your Security Hub deployment:
#!/bin/bash
# Security Hub Configuration Validation Script
REGION="${1:-us-east-1}"
echo "Validating Security Hub configuration in $REGION..."
# Check Security Hub status
echo -e "\n[1/6] Checking Security Hub enablement status..."
HUB_STATUS=$(aws securityhub describe-hub --region $REGION --query 'HubArn' --output text 2>/dev/null)
if [ -n "$HUB_STATUS" ] && [ "$HUB_STATUS" != "None" ]; then
echo "Security Hub is enabled: $HUB_STATUS"
else
echo "Security Hub is not enabled"
exit 1
fi
# Check enabled standards
echo -e "\n[2/6] Checking enabled security standards..."
STANDARDS=$(aws securityhub get-enabled-standards --region $REGION \
--query 'StandardsSubscriptions[].StandardsArn' --output text 2>/dev/null)
if [ -n "$STANDARDS" ]; then
echo "Enabled standards:"
echo "$STANDARDS" | tr '\t' '\n' | sed 's/^/ - /'
else
echo "No standards are enabled"
fi
# Check finding aggregation
echo -e "\n[3/6] Checking cross-region aggregation..."
AGGREGATOR=$(aws securityhub list-finding-aggregators --region $REGION \
--query 'FindingAggregators[0].FindingAggregatorArn' --output text 2>/dev/null)
if [ -n "$AGGREGATOR" ] && [ "$AGGREGATOR" != "None" ]; then
echo "Finding aggregation is configured"
else
echo "No finding aggregation configured"
fi
# Check recent findings
echo -e "\n[4/6] Checking for recent findings..."
FINDINGS_COUNT=$(aws securityhub get-findings --region $REGION \
--max-items 100 --query 'length(Findings)' --output text 2>/dev/null)
echo "Recent findings count: $FINDINGS_COUNT"
# Check automation rules
echo -e "\n[5/6] Checking automation rules..."
RULES_COUNT=$(aws securityhub list-automation-rules --region $REGION \
--query 'length(AutomationRulesMetadata)' --output text 2>/dev/null)
echo "Automation rules configured: ${RULES_COUNT:-0}"
# Check member accounts
echo -e "\n[6/6] Checking member account status..."
MEMBERS=$(aws securityhub list-members --region $REGION \
--query 'Members[?MemberStatus==`Enabled`].AccountId' --output text 2>/dev/null)
if [ -n "$MEMBERS" ]; then
MEMBER_COUNT=$(echo "$MEMBERS" | wc -w)
echo "Member accounts enabled: $MEMBER_COUNT"
else
echo "No member accounts (single-account deployment)"
fi
echo -e "\nSecurity Hub validation complete!"
Common Security Hub Configuration Mistakes
Mistake #1: Enabling Too Many Controls Without Filtering
Enabling all standards without proper automation rules leads to alert fatigue. Focus on critical and high-severity findings first, and use automation rules to suppress or prioritize findings based on your risk profile.
Mistake #2: Not Configuring Cross-Region Aggregation
Without cross-region aggregation, you miss threats that span multiple regions. Always configure a home region with aggregation from all regions where you have resources.
Mistake #3: Forgetting to Enable AWS Config
Security Hub requires AWS Config to be enabled for compliance checks. Without Config, most security controls won't generate findings. Enable Config in all accounts and regions before enabling Security Hub.
Mistake #4: Not Integrating with SIEM or Ticketing Systems
Security Hub findings need to flow into your existing security operations workflow. Configure EventBridge rules to send findings to your SIEM, ticketing system, or notification channels.
Mistake #5: Using Incorrect Standard ARN Formats
Different standards have different ARN formats. Some include the region (FSBP, PCI DSS, CIS v1.4.0), while others don't (CIS v1.2.0, which uses the older ruleset form shown above). Always verify the correct ARN format using aws securityhub describe-standards.
Want Comprehensive AWS Security Monitoring?
Security Hub is one layer of protection. AWSight automatically monitors your AWS environment against 500+ security best practices daily—providing unified visibility across Security Hub findings, configuration issues, and compliance gaps.