
Centralized security findings aggregation, compliance scoring, and cross-account visibility — all in one pane of glass.
AWS Security Hub is a cloud security posture management (CSPM) service that aggregates, normalizes, and prioritizes security findings from AWS services and third-party tools across your entire AWS environment. It continuously evaluates your environment against security best practices using automated compliance checks mapped to standards like CIS AWS Foundations, AWS Foundational Security Best Practices (FSBP), and PCI DSS. Security Hub does NOT perform investigation, behavior analysis, or threat hunting — it is a findings aggregator and compliance scorer, not a detective or investigator.
Aggregate and prioritize security findings from GuardDuty, Macie, Inspector, Config, Firewall Manager, IAM Access Analyzer, and third-party tools into a single, normalized view with automated compliance scoring.
AWS Foundational Security Best Practices (FSBP) standard
AWS-managed standard covering 200+ controls across EC2, S3, IAM, RDS, Lambda, and more. Automatically enabled by default when Security Hub is enabled.
CIS AWS Foundations Benchmark v1.2.0 and v1.4.0
Industry-recognized benchmark for AWS account hardening. Both versions available; v1.4.0 includes additional controls.
PCI DSS v3.2.1
Payment Card Industry standard. Useful for organizations processing cardholder data.
NIST SP 800-53 Rev. 5
Federal security standard. Relevant for US government and regulated industries.
Cross-region aggregation
Designate an aggregation region to pull findings from all linked regions into a single view. Critical for multi-region architectures.
AWS Organizations integration (delegated administrator)
Designate a member account as the Security Hub delegated administrator to centrally manage all org accounts without using the management account.
Automated security checks via AWS Config rules
Security Hub compliance controls run as AWS Config rules under the hood. AWS Config must be enabled for Security Hub compliance checks to function.
Amazon Security Lake integration
Security Hub can send findings to Amazon Security Lake in OCSF format for long-term storage and analytics.
ASFF (Amazon Security Finding Format)
All findings in Security Hub are normalized to ASFF — a standardized JSON schema. This enables consistent querying regardless of finding source.
Custom insights
Saved filtered views of findings grouped by an attribute (e.g., findings by resource type, by severity, by account).
Custom actions with EventBridge
Manually trigger EventBridge events for selected findings to invoke Lambda, Step Functions, or other remediation workflows.
Automated response and remediation via EventBridge
All Security Hub findings are automatically sent to EventBridge, enabling event-driven automation without manual custom action triggers.
Behavior graph / entity relationship visualization
This is Amazon Detective's capability. Security Hub does NOT provide behavior graphs, timeline views, or entity relationship maps.
Threat intelligence generation
Security Hub does not generate threat intelligence. It aggregates findings from services that do (GuardDuty, Macie, etc.).
Compliance report generation / audit evidence
Use AWS Audit Manager for generating compliance reports and collecting audit evidence. Security Hub provides compliance scores, not downloadable reports.
Third-party product integrations
100+ third-party security products can send findings to Security Hub (e.g., Splunk, Palo Alto, CrowdStrike). Bidirectional integrations also supported.
Suppression rules
Automatically suppress findings that match defined criteria to reduce noise (e.g., suppress findings for known-accepted configurations).
Security score / compliance score
Provides a percentage score per security standard showing what fraction of controls are passing. Higher = better security posture.
Threat Detection → Findings Aggregation
[high freq] GuardDuty detects threats from CloudTrail, VPC Flow Logs, and DNS logs, then automatically sends findings to Security Hub in ASFF format. Security Hub provides the centralized view and compliance context; GuardDuty does the actual detection. Enable GuardDuty first, then enable the Security Hub integration in both services.
Compliance Checks via Config Rules
[high freq] Security Hub compliance controls (CIS, FSBP, PCI DSS) run as AWS Config managed rules. AWS Config MUST be enabled in every account and region where Security Hub compliance checks are needed. Without Config, Security Hub can still aggregate findings but cannot run compliance checks.
Multi-Account Centralized Security Management
[high freq] Designate a Security Hub delegated administrator account (best practice: a dedicated security account, NOT the management account). The delegated admin can enable Security Hub for all org accounts, aggregate findings centrally, and manage standards/controls organization-wide. New accounts joining the org can be auto-enrolled.
Event-Driven Automated Remediation
[high freq] All Security Hub findings are automatically published to EventBridge as events. Create EventBridge rules to trigger Lambda functions, Step Functions workflows, or SNS notifications for automated remediation (e.g., auto-isolate an EC2 instance when a critical GuardDuty finding appears in Security Hub). This is the primary automation pattern.
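The auto-isolation pattern above as a worked example, added here and not taken from the original page or from AWS: an EventBridge rule pattern that selects NEW critical/high findings, and a Lambda-style handler that quarantines the EC2 instance named in the finding and records the action on the finding with BatchUpdateFindings. The quarantine security group id, the sample event's account, detector and instance ids, and the RecordingClient stand-in (used instead of real boto3 clients so the code runs offline) are all assumptions.

```python
"""EventBridge-triggered remediation for a critical Security Hub finding."""
from __future__ import annotations

# EventBridge rule pattern (assumed) that selects only NEW critical/high findings;
# Security Hub publishes every finding under this source and detail-type.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]},
                            "Workflow": {"Status": ["NEW"]}}},
}
QUARANTINE_SG = "sg-0quarantine0000000"  # assumption: a deny-all security group you own

# Constructed sample event (account, detector and instance ids are made up).
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/abc123/finding/def456",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}],
    }]},
}

class RecordingClient:
    """Stand-in for a boto3 client so the handler runs offline; records each API call."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
    def batch_update_findings(self, **kw):
        self.calls.append(("batch_update_findings", kw))

def should_isolate(finding: dict) -> bool:
    """Re-check the rule's conditions in code and require an EC2 instance resource."""
    return (finding.get("Severity", {}).get("Label") in ("CRITICAL", "HIGH")
            and finding.get("Workflow", {}).get("Status") == "NEW"
            and any(r["Type"] == "AwsEc2Instance" for r in finding.get("Resources", [])))

def instance_ids(finding: dict) -> list[str]:
    """ASFF gives EC2 resource Ids as ARNs; the instance id is the last path segment."""
    return [r["Id"].rsplit("/", 1)[-1] for r in finding["Resources"] if r["Type"] == "AwsEc2Instance"]

def handler(event: dict, ec2, securityhub) -> dict:
    """Lambda entry point; in production pass boto3.client('ec2') and boto3.client('securityhub')."""
    isolated = []
    for finding in event["detail"]["findings"]:
        if not should_isolate(finding):
            continue
        ids = instance_ids(finding)
        for iid in ids:  # replace the instance's security groups with the quarantine group
            ec2.modify_instance_attribute(InstanceId=iid, Groups=[QUARANTINE_SG])
        isolated += ids
        # Customer-side API: mark the finding NOTIFIED with a note so analysts see it was handled.
        securityhub.batch_update_findings(
            FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": "Auto-isolated " + ", ".join(ids), "UpdatedBy": "remediation-lambda"})
    return {"isolated": isolated}
```

Running `handler(SAMPLE_EVENT, RecordingClient(), RecordingClient())` returns the isolated instance ids and leaves the two recorded API calls on the clients for inspection.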
Data Security Findings Aggregation
[high freq] Macie discovers sensitive data (PII, credentials) in S3 buckets and sends findings to Security Hub. Security Hub provides the unified view alongside other findings. Macie findings in Security Hub help correlate data exposure risks with other security events.
API Activity Context for Findings
[high freq] CloudTrail logs API calls and feeds them to GuardDuty (which detects anomalies and sends findings to Security Hub). CloudTrail itself does NOT send findings to Security Hub — it is the data source for services like GuardDuty and Detective. Security Hub does not directly integrate with CloudTrail for findings.
Finding Triage → Deep Investigation
[high freq] Security Hub surfaces a finding (e.g., a critical GuardDuty alert). The analyst clicks 'Investigate in Detective' to launch Amazon Detective's behavior graph for deep root cause analysis. Security Hub = triage and aggregation. Detective = investigation and visualization. These services are complementary, not redundant.
Network Security Policy Compliance
[medium freq] Firewall Manager sends findings about non-compliant WAF rules, Security Groups, and Shield Advanced protections to Security Hub. Enables a unified view of network security policy violations alongside other findings.
Vulnerability Management Findings Aggregation
[medium freq] Inspector scans EC2 instances and ECR container images for software vulnerabilities (CVEs) and sends findings to Security Hub. Security Hub aggregates these with other findings for a complete security posture view. Inspector does the scanning; Security Hub does the aggregation.
Long-Term Security Data Lake
[medium freq] Security Hub sends findings to Amazon Security Lake in OCSF (Open Cybersecurity Schema Framework) format. Security Lake stores findings long-term in S3 for analytics with Athena, OpenSearch, or third-party SIEM tools. Solves the 90-day finding retention limit in Security Hub.
Resource Policy Risk Findings
[medium freq] IAM Access Analyzer detects resource policies that grant external access (S3 buckets, KMS keys, IAM roles, etc.) and sends findings to Security Hub. Helps identify unintended public or cross-account access in the centralized Security Hub dashboard.
Security Hub AGGREGATES findings — it does NOT generate them. GuardDuty detects threats, Inspector scans vulnerabilities, Macie finds sensitive data. Security Hub is the aggregation layer. If a question asks what DETECTS something, the answer is never Security Hub.
AWS Config MUST be enabled for Security Hub compliance checks to work. If a question describes Security Hub compliance checks failing or not running, check whether Config is enabled. This is the #1 prerequisite that candidates overlook.
Security Hub does NOT provide behavior graphs, entity timelines, or attack path visualization — that is Amazon Detective. When a question mentions 'investigating' a security incident with relationship graphs or visualizing how an attacker moved through the environment, the answer is Detective, not Security Hub.
For multi-account Security Hub deployments, always recommend a DELEGATED ADMINISTRATOR account (not the management/root account). The delegated admin should be a dedicated security account. This follows AWS best practices and is the expected answer for enterprise architecture questions.
Security Hub AGGREGATES findings — it never DETECTS threats, INVESTIGATES incidents, or GENERATES compliance reports. Detection = GuardDuty/Inspector/Macie. Investigation = Detective. Compliance reports = Audit Manager. Security Hub = the central aggregation and scoring layer only.
AWS Config MUST be enabled for Security Hub compliance checks to function. Security Hub compliance controls run as Config rules under the hood. No Config = no compliance checks, even if Security Hub is enabled.
For multi-account deployments, use a dedicated security account as the Security Hub DELEGATED ADMINISTRATOR via AWS Organizations — never use the management account as the Security Hub admin.
Findings are retained for only 90 days in Security Hub. For compliance audits or long-term analysis, findings must be exported to S3 (via EventBridge + Kinesis Firehose) or sent to Amazon Security Lake. If a question asks about retaining security findings beyond 90 days, the answer involves exporting, not a Security Hub setting.
All Security Hub findings are normalized to ASFF (Amazon Security Finding Format). This is why Security Hub can display findings from 100+ different products in a consistent format. ASFF is the glue that makes multi-vendor aggregation possible.
EventBridge is the primary automation mechanism for Security Hub. All findings are automatically sent to EventBridge — you do NOT need to configure custom actions for automated responses. Custom actions are for MANUAL, on-demand triggering of specific findings. Know the difference between automatic (EventBridge rules on all findings) and manual (custom actions on selected findings).
Security Hub provides compliance SCORES and control STATUSES — it does NOT generate compliance reports or collect audit evidence. For generating compliance reports and audit evidence packages, use AWS Audit Manager. This distinction is heavily tested.
Cross-region aggregation in Security Hub requires designating an aggregation region. Findings from linked regions are replicated to the aggregation region. This is separate from AWS Organizations integration — you can have both, and they work together for complete multi-account, multi-region visibility.
The BatchImportFindings API is for PROVIDERS (third-party tools, custom integrations sending findings INTO Security Hub). The BatchUpdateFindings API is for CUSTOMERS (your team updating workflow status, notes, severity on existing findings). Never confuse who calls which API.
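The provider side of the ASFF normalization described above (findings from any source normalized to one JSON schema, then sent in via BatchImportFindings) as a worked example added here; it is not code from the original page or from AWS. It converts a hypothetical in-house S3 bucket scanner's output into ASFF, checks the fields Security Hub requires on every imported finding, and splits the result into batches of the 100-finding maximum per call. The scanner name, its sample results, the account id and the score-to-severity thresholds are assumptions.

```python
"""Convert a custom scanner's results into ASFF for BatchImportFindings."""
from __future__ import annotations
import datetime as dt

# ASFF fields that Security Hub requires on every finding a provider imports.
REQUIRED = ("AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id", "ProductArn",
            "Resources", "SchemaVersion", "Severity", "Title", "Types", "UpdatedAt")
MAX_BATCH = 100  # BatchImportFindings accepts at most 100 findings per call

# Constructed sample output of a hypothetical in-house bucket scanner (not a real tool).
SCAN_RESULTS = [
    {"bucket": "payroll-exports", "check": "public-acl", "score": 80, "detail": "ACL grants AllUsers READ"},
    {"bucket": "static-site", "check": "no-logging", "score": 20, "detail": "Server access logging is off"},
]

def severity_label(score: int) -> str:
    """Map the scanner's 0-100 score onto ASFF severity labels (thresholds are assumed)."""
    if score >= 90:
        return "CRITICAL"
    if score >= 70:
        return "HIGH"
    if score >= 40:
        return "MEDIUM"
    return "LOW" if score > 0 else "INFORMATIONAL"

def to_asff(result: dict, account: str, region: str, now: dt.datetime | None = None) -> dict:
    """Build one ASFF finding; the 'default' product ARN is what custom integrations use."""
    stamp = (now or dt.datetime.now(dt.timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        # Id must be unique per finding; re-importing the same Id updates it instead of duplicating.
        "Id": f"{region}/{account}/bucket-scanner/{result['bucket']}/{result['check']}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": f"bucket-scanner/{result['check']}",
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": severity_label(result["score"])},
        "Title": f"S3 bucket {result['bucket']} failed check {result['check']}",
        "Description": result["detail"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": f"arn:aws:s3:::{result['bucket']}", "Region": region}],
    }

def missing_fields(finding: dict) -> list[str]:
    """Names of required ASFF fields absent from a finding (empty list means importable)."""
    return [f for f in REQUIRED if f not in finding]

def import_batches(findings: list[dict], size: int = MAX_BATCH) -> list[dict]:
    """Split validated findings into BatchImportFindings request bodies of at most `size`."""
    bad = [f["Id"] for f in findings if missing_fields(f)]
    if bad:
        raise ValueError(f"findings missing required ASFF fields: {bad}")
    return [{"Findings": findings[i:i + size]} for i in range(0, len(findings), size)]
```

Each returned body is passed as keyword arguments to a boto3 `securityhub.batch_import_findings(**body)` call; Security Hub reports per-finding failures in the response's FailedFindings rather than raising.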
Common Mistake
Security Hub includes behavior graph capabilities that let you visualize how an attacker moved through your environment and investigate the root cause of security incidents.
Correct
Security Hub has NO behavior graph or investigation visualization features. It is purely a findings aggregator and compliance scorer. Amazon Detective provides behavior graphs, entity timelines, and root cause investigation. Security Hub and Detective are complementary — Security Hub surfaces the finding, Detective investigates it.
This is the most common trap in SCS-C02 questions. Exam scenarios describe an analyst needing to 'investigate' or 'visualize' an attack path after a GuardDuty alert appears in Security Hub. The correct next step is Amazon Detective, not staying in Security Hub. Memory trick: Hub = collect and score. Detective = investigate and solve.
Common Mistake
Security Hub generates compliance reports that can be downloaded and submitted to auditors, proving compliance with PCI DSS or CIS benchmarks.
Correct
Security Hub provides compliance SCORES (e.g., '78% of PCI DSS controls are passing') and shows which specific controls are failing — but it does NOT generate downloadable audit reports or collect evidence artifacts. AWS Audit Manager is the service that generates audit-ready reports and collects evidence for compliance frameworks. Security Hub is a posture monitor, not an audit documentation system.
Exam questions often present scenarios where a compliance officer needs to 'provide evidence of compliance' or 'generate a compliance report for auditors.' Candidates who think Security Hub handles this will choose the wrong answer. The correct answer involves AWS Audit Manager. Memory trick: Security Hub = your security dashboard score. Audit Manager = the report you hand to the auditor.
Common Mistake
You can use AWS Security Hub instead of AWS Config because Security Hub monitors compliance and resource configurations.
Correct
Security Hub DEPENDS on AWS Config — it cannot run compliance checks without it. Security Hub's compliance controls execute as AWS Config managed rules under the hood. If Config is disabled, Security Hub compliance checks will not function. These are not alternatives; Config is a prerequisite for Security Hub compliance functionality.
This misconception causes candidates to recommend disabling Config to save costs while keeping Security Hub. In reality, doing so breaks Security Hub compliance checks entirely. Any exam question about Security Hub compliance not working should prompt you to verify Config is enabled. Memory trick: Security Hub compliance = Config rules in disguise.
Common Mistake
GuardDuty and Security Hub are redundant — enabling both is unnecessary because they both detect threats and show security findings.
Correct
GuardDuty DETECTS threats by analyzing CloudTrail, VPC Flow Logs, and DNS logs using ML and threat intelligence. Security Hub AGGREGATES findings from GuardDuty (and many other services) into a centralized dashboard and runs compliance checks. They serve completely different purposes and are designed to work together. GuardDuty without Security Hub means findings are siloed per account. Security Hub without GuardDuty means no threat detection findings.
Exam scenarios that ask you to 'centralize findings from GuardDuty across 50 accounts' require Security Hub — not just GuardDuty alone. And scenarios asking 'what detects compromised EC2 instances' require GuardDuty — not Security Hub. Memory trick: GuardDuty = the smoke detector. Security Hub = the alarm panel showing all detectors in the building.
Common Mistake
Security Hub automatically remediates security findings when it detects policy violations.
Correct
Security Hub does NOT automatically remediate anything on its own. It aggregates and displays findings, and it can trigger EventBridge events — but the actual remediation logic must be built separately using Lambda functions, Step Functions, or Systems Manager Automation documents triggered by EventBridge. Security Hub is the notification layer; remediation is your responsibility to implement.
Exam questions about 'automatically remediating' Security Hub findings always require an additional service (EventBridge + Lambda is the most common pattern). If an answer says 'Security Hub will automatically fix the issue,' it is wrong. Memory trick: Security Hub tells you the problem. You (via EventBridge + Lambda) fix it.
Common Mistake
Enabling Security Hub in the AWS Organizations management account is the best practice for centralized multi-account security management.
Correct
AWS best practice is to designate a DEDICATED SECURITY ACCOUNT as the Security Hub delegated administrator — NOT the management account. The management account should have minimal workloads and permissions. The delegated admin account can manage Security Hub across all org accounts, aggregate findings, and configure standards without needing management account privileges.
This is tested in enterprise architecture scenarios. Answers that recommend using the management account for Security Hub administration are wrong per AWS best practices. Memory trick: Management account = org governance only. Security account = security tooling including Security Hub admin.
GAIDS = GuardDuty Aggregated In Detective's Shadow: GuardDuty (detects) → Security Hub (aggregates) → Detective (investigates). Three different services, three different jobs, always in this order.
Security Hub = The SCOREBOARD: It shows your compliance score and all the findings on the board, but it doesn't play the game (no detection) and doesn't coach you to fix it automatically (no auto-remediation).
Config is the ENGINE, Security Hub is the DASHBOARD: The Config rules do the compliance checking work (engine), Security Hub displays the results (dashboard). Remove the engine and the dashboard shows nothing.
ASFF = All Security Findings Formatted: Every finding in Security Hub, regardless of source, is normalized to ASFF — the universal language of Security Hub.
CertAI Tutor · SCS-C02, SAA-C03, SAP-C02, DOP-C02, CLF-C02 · 2026-02-21