AWS Security Hub
Centralized security and compliance monitoring across AWS accounts
Security Hub is like a security dashboard that shows you everything wrong with your AWS security in one place. Instead of checking 20 different services for security issues (GuardDuty for threats, Config for compliance, IAM Access Analyzer for permissions), Security Hub aggregates findings from all of them. It's like having a security manager who collects reports from all departments and gives you a single prioritized to-do list. Security Hub also runs continuous compliance checks against standards like the CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices, telling you exactly what needs fixing.
Security Hub aggregates security findings from AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager) and third-party tools (Palo Alto, Trend Micro, etc.). Findings are normalized into AWS Security Finding Format (ASFF) for consistent analysis. Security Hub runs automated compliance checks against security standards (CIS, PCI DSS, AWS Foundational Security Best Practices) and assigns severity scores.
Key Capabilities
Key features: custom insights (filter and group findings), automated remediation (integrate with EventBridge and Lambda), cross-region aggregation (view findings from all regions), and multi-account support (via AWS Organizations).
Gotchas & Constraints
Gotcha #1: Security Hub doesn't fix issues; it identifies them. You must implement remediation (manually or via automation). Gotcha #2: Security Hub charges per finding per month and per compliance check; costs can add up in large environments. Constraints: Maximum 10,000 member accounts per administrator account, findings are retained for 90 days, and some compliance checks are region-specific.
A financial services company operates 100 AWS accounts across 5 regions with strict compliance requirements. Monitoring security across all accounts is overwhelming; each account has GuardDuty, Config, and IAM findings scattered across services. They enable Security Hub in all accounts and regions, designating a central security account as the aggregator. Security Hub collects findings from all accounts and regions into a single dashboard. They enable CIS AWS Foundations Benchmark and PCI DSS compliance checks; Security Hub identifies 500 compliance violations (public S3 buckets, overly permissive security groups, disabled CloudTrail). They prioritize findings by severity and create automated remediation: EventBridge triggers Lambda functions to fix common issues (enable MFA, remove public access from S3). For critical findings (GuardDuty detects compromised credentials), Security Hub sends SNS notifications to the security team. They generate weekly compliance reports for auditors showing progress toward 100% compliance.
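The EventBridge-to-Lambda remediation step in the scenario above, as an added example (not code from the page or from AWS): the handler reads the ASFF findings carried in a "Security Hub Findings - Imported" event, auto-fixes only S3 public-access findings by applying a bucket Public Access Block, escalates other HIGH/CRITICAL findings to a notifier, and records the rest. The sample event and all ARNs are constructed; the S3 client and notifier are injected so the decision logic runs offline.

```python
# Added example: EventBridge -> Lambda remediation for Security Hub (ASFF) findings.
# Real boto3 call used below: s3.put_public_access_block(Bucket=..., PublicAccessBlockConfiguration=...)
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def plan_actions(event):
    """Turn one 'Security Hub Findings - Imported' event into a list of action dicts.
    Nothing is executed here, so the decision can be reviewed and tested on its own."""
    actions = []
    for finding in event.get("detail", {}).get("findings", []):
        severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")  # ASFF label
        title = finding.get("Title", "")
        for res in finding.get("Resources", []):
            if res.get("Type") == "AwsS3Bucket" and "public" in title.lower():
                bucket = res["Id"].rsplit(":", 1)[-1]  # arn:aws:s3:::name -> name
                actions.append({"action": "block_public_access", "bucket": bucket,
                                "finding_id": finding["Id"]})
            elif severity in ("HIGH", "CRITICAL"):
                actions.append({"action": "notify", "resource": res["Id"],
                                "severity": severity, "finding_id": finding["Id"]})
            else:
                actions.append({"action": "record", "finding_id": finding["Id"]})
    return actions

def handler(event, context=None, s3=None, notify=None):
    """Lambda entry point. `s3` is a boto3 S3 client and `notify` any callable
    (e.g. an SNS publish wrapper); both are injected here for offline testing."""
    actions = plan_actions(event)
    for act in actions:
        if act["action"] == "block_public_access" and s3 is not None:
            s3.put_public_access_block(Bucket=act["bucket"],
                                       PublicAccessBlockConfiguration=BLOCK_ALL)
        elif act["action"] == "notify" and notify is not None:
            notify(act)
    return actions

# Constructed sample event in the shape EventBridge delivers; all values are invented.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-1", "Title": "S3 buckets should prohibit public read access",
         "Severity": {"Label": "CRITICAL"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}]},
        {"Id": "finding-2", "Title": "Credentials may have been compromised",
         "Severity": {"Label": "HIGH"},
         "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::123456789012:user/example"}]},
        {"Id": "finding-3", "Title": "CloudTrail trail is not enabled in all regions",
         "Severity": {"Label": "LOW"},
         "Resources": [{"Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example"}]},
    ]},
}
```

In a real deployment `s3` would be `boto3.client("s3")` and the Lambda role would need only `s3:PutBucketPublicAccessBlock` on the buckets it is allowed to fix.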
The Result
Centralized security visibility, automated remediation, and continuous compliance monitoring.