Security

Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated Response

Aggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.

約 3 分で読めます

Overview of Security Hub

Security Hub is a service that aggregates security findings across your AWS environment and provides centralized management of your security posture. It unifies results from multiple security services - GuardDuty threat detection, Inspector vulnerability scanning, Macie sensitive data discovery, and Config compliance evaluation - into the AWS Security Finding Format (ASFF) for consistent management.

Security Standards and Automated Response

Enabling security standards triggers automated checks based on Config rules. AWS Foundational Security Best Practices covers AWS-recommended security configurations, automatically evaluating S3 bucket public access, RDS encryption, IAM password policies, and more. The security score displays the compliance rate across all check items as a percentage, enabling quantitative tracking of improvement progress. Automation rules let you configure automatic status changes for specific findings and notifications via EventBridge.

Automated Remediation and Integration

Security Hub's automated remediation works by defining custom actions for findings and executing Lambda or Systems Manager Automation via EventBridge. For example, you can set up an action that automatically enables public access block when a "publicly accessible S3 bucket" finding is detected. Integration with third-party security tools (Splunk, PagerDuty, Jira) automatically routes findings into your incident management workflow. Using Organizations delegated administrator, you can aggregate findings across all accounts and track security scores at the organization level. Cross-region aggregation consolidates findings from multiple regions into a single region, simplifying management. To deepen your understanding of security management, specialized books on Amazon can also be helpful.

Security Hub Pricing

Security Hub pricing consists of security check volume (Config rule evaluations) and finding ingestion volume. Security checks cost approximately 0.001 USD per check for the first 100,000 checks/month. Finding ingestion is free for the first 10,000 findings/month, then approximately 0.00003 USD per finding. Limit the security standards you enable to only those you need, rather than enabling all standards uniformly, to manage check volume. Use the 30-day free trial to assess actual costs before production deployment.

Summary

Security Hub is a service that provides finding aggregation and automated security standard evaluation. It quantifies security scores through AWS Foundational Security Best Practices and CIS Benchmark checks, and enables automated remediation actions via EventBridge. Cross-region aggregation provides centralized management of findings across multiple regions, and integration with third-party SIEMs streamlines incident response.

Related Services

AWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practicesAmazon GuardDutyA machine learning-powered threat detection serviceAWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors compliance

Related Articles

Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsAutomatically build a best-practice multi-account environment and maintain continuous compliance with over 400 guardrails. Learn extension techniques using Account Factory and Customizations for Control Tower.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Security Posture Management - Building a Unified Security Monitoring Foundation with AWS Security HubLearn about unified security monitoring with AWS Security Hub and automated threat detection through GuardDuty integration. This guide covers visualizing compliance with security best practices and security governance for multi-account environments.AWS Security HubA service that provides centralized visibility into the security posture of your entire AWS environment, performing automated assessments against industry-standard security benchmarks and aggregating findings.AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEMWe explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.Vulnerability Assessment and Threat Detection - Continuous Security Monitoring with Amazon Inspector and GuardDutyLearn how to design and operate vulnerability assessment and threat detection using Amazon Inspector and Amazon GuardDuty.