AWS Security Hub¶

What Is This Service?¶

Centralized cloud security posture management (CSPM) and security findings aggregation service.

Mental model:

Security Hub = Collect → Normalize → Correlate → Prioritize → Automate

Primary purpose:

Provide a unified operational security layer across AWS accounts, Regions, AWS security services, and third-party security products.

Security Hub centralizes findings.

Security Hub is not the primary detector.

Why It Matters for Security¶

Large AWS environments suffer from:

fragmented alerts
duplicated investigations
inconsistent compliance
poor prioritization
alert fatigue

Security Hub exists to:

aggregate findings
centralize compliance posture
reduce investigation time
automate remediation workflows
provide organization-wide visibility

Security outcomes:

faster incident response
improved governance
centralized operations
reduced operational complexity

MOST TESTED:

Security Hub = findings + compliance posture.

Not logging.

Not a SIEM.

Architecture Example¶

flowchart LR

subgraph Detection Sources
GuardDuty[GuardDuty]
Inspector[Inspector]
Macie[Macie]
Config[AWS Config]
AccessAnalyzer[Access Analyzer]
Detective[Detective]
FirewallManager[Firewall Manager]
Partner[Third Party Tools]
end

subgraph Security Hub
ASFF[ASFF Normalization]
Findings[Findings Engine]
Controls[Security Controls]
Insights[Insights]
Score[Security Score]
end

subgraph Response
EventBridge[EventBridge]
Lambda[Lambda]
SSM[Systems Manager]
Jira[Jira]
ServiceNow[ServiceNow]
end

GuardDuty --> ASFF
Inspector --> ASFF
Macie --> ASFF
Config --> ASFF
AccessAnalyzer --> ASFF
Detective --> ASFF
FirewallManager --> ASFF
Partner --> ASFF

ASFF --> Findings

Findings --> Controls
Findings --> Insights
Findings --> Score

Findings --> EventBridge
Findings --> Jira
Findings --> ServiceNow

EventBridge --> Lambda
EventBridge --> SSM

Architecture goals:

centralized findings
normalized security operations
automated remediation
reduced alert fatigue

Workflow(s)¶

Findings Aggregation¶

sequenceDiagram

participant Service
participant SecurityHub
participant ASFF
participant Analyst

Service->>SecurityHub: Send findings

SecurityHub->>ASFF: Normalize

ASFF->>SecurityHub: Correlate

SecurityHub->>Analyst: Present findings

Compliance Evaluation Workflow¶

sequenceDiagram

participant SecurityHub
participant Config
participant Rules
participant Findings

SecurityHub->>Config: Request evaluation

Config->>Rules: Execute managed rules

Rules->>SecurityHub: Compliance results

SecurityHub->>Findings: Create findings

Automated Remediation Workflow¶

sequenceDiagram

participant SecurityHub
participant EventBridge
participant Lambda
participant Resource

SecurityHub->>EventBridge: Finding

EventBridge->>Lambda: Trigger remediation

Lambda->>Resource: Correct issue

Resource->>SecurityHub: Updated finding

Core Concepts¶

Findings Aggregation¶

Security Hub centralizes findings from:

AWS sources:

GuardDuty
Inspector
Macie
IAM Access Analyzer
Firewall Manager
Config
Detective

External tools:

SIEM
EDR
ticketing platforms

Output:

Unified security operations view.

AWS Security Finding Format (ASFF)¶

MOST TESTED

Security Hub standardizes findings using:

AWS Security Finding Format (ASFF)

Benefits:

normalized severity
standardized schema
automated processing

Examples:

severity.label
workflow.status
resources
compliance.status

MASSIVE EXAM TRAP:

Security Hub → ASFF

Security Lake → OCSF

Security Standards¶

Security Hub evaluates environments against:

AWS Foundational Security Best Practices (FSBP)
CIS AWS Foundations Benchmark
PCI DSS

Outputs:

pass
fail
suppressed

Security Hub reports posture.

It does not enforce controls.

AWS Config Prerequisite¶

MASSIVE EXAM TRAP

Security Hub compliance checks rely on:

AWS Config

Requirements:

Config enabled
recording enabled
resources tracked
all required Regions configured

Under the hood:

Security Hub uses managed AWS Config evaluations.

Common exam scenario:

Security standard enabled
↓
No compliance results appear
↓
AWS Config not configured

Rule:

Compliance controls → Config dependency.

Security Score¶

Security posture measurement.

Tracks:

control coverage
remediation progress
compliance improvements

Exam trap:

Security Score is informational.

Not threat severity.

Insights¶

Insights provide:

filtered findings
grouping
prioritization

Examples:

Critical findings
Findings by account
Findings by Region

Purpose:

Accelerate investigation.

Workflow Status¶

Lifecycle:

NEW
NOTIFIED
SUPPRESSED
RESOLVED

Purpose:

Track operational response.

Workflow status does not equal remediation.

Important Integrations¶

Service	Purpose
GuardDuty	Threat findings
Inspector	Vulnerabilities
Macie	Sensitive data
Config	Compliance
Detective	Investigation
Security Lake	Telemetry
EventBridge	Automation
Lambda	Remediation
Systems Manager	Runbooks
Organizations	Governance
Jira	Ticketing
ServiceNow	ITSM

Security Features¶

Continuous Findings Collection¶

Security Hub continuously:

receives findings
updates findings
tracks state

Correlation Engine¶

Correlates:

resources
Regions
findings
accounts

Goal:

Reduce operational noise.

Cross-Region Aggregation¶

HIGH VALUE

Pattern:

All Regions
      ↓
Aggregation Region
      ↓
Security Operations Account

Benefits:

centralized dashboards
fewer consoles

Suppression Rules¶

Used for:

accepted risk
false positives
operational exceptions

Exam trap:

Suppression does not fix infrastructure.

Advanced Security and Operational Concepts¶

Control Plane vs Data Plane¶

Control Plane:

findings
standards
automation
governance

Data Plane:

source services generate telemetry

Security Hub consumes.

It does not inspect traffic.

Multi-Account Architecture¶

MOST TESTED

flowchart TB

Organizations

Organizations --> DelegatedAdmin

DelegatedAdmin --> SecurityHub

MemberA --> SecurityHub
MemberB --> SecurityHub
MemberC --> SecurityHub

Central security account manages:

findings
controls
automation

Delegated Administrator¶

Best practice:

Dedicated security account.

Benefits:

governance
isolation
centralized operations

Bidirectional Integration¶

HIGH VALUE

Security Hub supports two-way integrations.

Example:

flowchart LR

SecurityHub --> Jira

Jira --> SecurityHub

SecurityHub --> ServiceNow

ServiceNow --> SecurityHub

Workflow:

Finding created
Ticket generated
Analyst resolves ticket
Workflow status updated automatically

Benefits:

eliminate duplicate work
preserve operational truth

Exam trap:

Updates can flow back into Security Hub.

Consolidated Controls View¶

HIGH VALUE

Historical problem:

Single misconfiguration generated:

CIS failure
PCI failure
FSBP failure

Multiple findings.

Consolidated Controls View:

Maps duplicate controls into unified control reporting.

Benefits:

reduced alert fatigue
cleaner dashboards
simpler remediation

Exam scenario:

Reduce duplicate compliance alerts → Consolidated Controls.

Security Hub vs Security Lake¶

Capability	Security Hub	Security Lake
Stores findings	Yes
Stores telemetry	No	Yes
Detection	Limited	No
Analytics	Limited	External
Schema	ASFF	OCSF

Rule:

Security Lake → telemetry

Security Hub → findings

Security Hub vs GuardDuty¶

MASSIVE EXAM TRAP

Capability	Security Hub	GuardDuty
Detect threats	No	Yes
Aggregate findings	Yes	No
Compliance	Yes	No
Investigation	Limited	Limited

Rule:

GuardDuty detects.

Security Hub centralizes.

Security Hub vs Detective¶

Capability	Security Hub	Detective
Findings	Native
Investigation	Limited	Deep
Root Cause	No	Yes

Flow:

GuardDuty → Security Hub → Detective

Security Hub vs Config¶

Capability	Security Hub	Config
Compliance dashboard	Yes
Rules	Uses Config
Resource history	No	Yes
Drift detection	No	Yes

Config evaluates.

Security Hub presents.

Event-Driven Remediation¶

MOST TESTED

flowchart LR

SecurityHub

SecurityHub --> EventBridge

EventBridge --> Lambda

Lambda --> SSM

SSM --> Resource

Examples:

quarantine EC2
remove S3 public access
revoke IAM permissions

Automation Rules¶

Automation Rules can:

suppress findings
update severity
assign workflow

Cannot:

repair infrastructure

Exam trap:

Automation Rules ≠ remediation.

Findings Retention (90 Days)¶

MASSIVE EXAM TRAP

Security Hub findings retention:

90 days after last update

Security Hub is not long-term storage.

Long retention architecture:

flowchart LR

SecurityHub --> EventBridge

EventBridge --> Lambda

Lambda --> S3

Use for:

audits
evidence retention
historical analytics

Exam scenario:

Need 7-year finding retention → export to S3.

Cost Model¶

Costs driven by:

findings ingestion
security checks
controls evaluation

Optimization:

suppress noise
consolidate Regions
scope standards

Exam trap:

Security Hub pricing is not S3 storage based.

Comparisons¶

Service	Primary Role
Security Hub	Findings aggregation
GuardDuty	Threat detection
Security Lake	Telemetry
Detective	Investigation
Config	Compliance engine
SIEM	Detection + analytics
EventBridge	Automation

Common Exam Traps¶

Security Hub is not a SIEM.
Security Hub is not a logging service.
ASFF ≠ OCSF.
GuardDuty generates findings.
Security Hub aggregates findings.
Config is required for standards.
Workflow status ≠ remediation.
Suppression ≠ remediation.
Findings retention is 90 days.
Export findings to S3 for long retention.
Consolidated Controls reduces duplicates.
Bidirectional ticket updates are supported.
Security Score is informational.
Multi-account delegated admin is preferred.
Security Hub does not inspect traffic.
EventBridge commonly drives remediation.

5-Second Recall¶

Security Hub = centralized findings
ASFF = finding schema
Config = compliance engine
GuardDuty = detection
Detective = investigation
Security Lake = telemetry
EventBridge = automation
90-day retention
Consolidated Controls reduces duplicates

Quick Revision Notes¶

Aggregate findings centrally
Normalize with ASFF
Compliance depends on Config
Use delegated admin model
EventBridge automates response
Export findings for long retention
Security Score measures posture
Consolidated Controls reduces noise
Bidirectional ITSM integration supported
Security Hub orchestrates visibility