Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated Response
Aggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.
Overview of Security Hub
Security Hub is a service that aggregates security findings across your AWS environment and provides centralized management of your security posture. It unifies results from multiple security services - GuardDuty threat detection, Inspector vulnerability scanning, Macie sensitive data discovery, and Config compliance evaluation - into the AWS Security Finding Format (ASFF) for consistent management. ASFF is a JSON format that structures findings with approximately 50 fields, normalizing the different alert formats from each service to enable cross-cutting prioritization, filtering, and trend analysis.
Security Standards and Automated Response
Enabling security standards triggers automated checks based on Config rules. AWS Foundational Security Best Practices (FSBP) covers AWS-recommended security configurations, automatically evaluating S3 bucket public access, RDS encryption, IAM password policies, CloudTrail enablement status, and more. CIS AWS Foundations Benchmark v1.4.0/v3.0.0, NIST 800-53 Rev.5, and PCI DSS v3.2.1 are also available, allowing you to run multiple standards in parallel according to your compliance requirements. The security score displays the compliance rate across all check items as a percentage, enabling quantitative tracking of improvement progress. Automation rules let you configure automatic status changes, severity overrides, and notifications via EventBridge for specific findings, and you can automatically transition noisy low-risk findings to SUPPRESSED status.
Automated Remediation and Integration
Security Hub's automated remediation works by defining custom actions for findings and executing Lambda or Systems Manager Automation via EventBridge. For example, you can set up an action that automatically enables public access block when a "publicly accessible S3 bucket" finding is detected. AWS publishes the Automated Security Response on AWS (ASR) solution template, which lets you deploy remediation runbooks for major CIS/FSBP controls with a single CloudFormation deployment. Integration with third-party security tools (Splunk, PagerDuty, Jira) automatically routes findings into your incident management workflow. Using Organizations delegated administrator, you can aggregate findings across all accounts and track security scores at the organization level. Cross-region aggregation consolidates findings from multiple regions into a single region, simplifying management. To deepen your understanding of security management, specialized books on Amazon can also be helpful.
Design Best Practices and Pitfalls
To operate Security Hub effectively, start by setting the delegated administrator account to your organization's dedicated security account and enabling automatic member account enrollment. Manual enablement for new accounts leads to gaps. For security standards, using FSBP as the baseline and adding CIS or PCI DSS only when regulatory requirements demand it provides the best balance of management overhead and cost. Enabling all standards uniformly creates overlapping controls, displaying multiple FAILED statuses for the same resource and hindering prioritization. Establish a unified workflow status protocol (NEW/NOTIFIED/RESOLVED/SUPPRESSED) across your organization with defined SLAs to prevent findings from becoming stale. A common pitfall is that regions where the Config recorder is disabled produce no check results, causing the score to appear as 100% - a false positive. You need to either enable Config in all regions or use SCPs to prohibit resource creation in unused regions.
Comparison with Other Services
Security Hub specializes in finding aggregation and posture management, complementing GuardDuty (threat detection), Inspector (vulnerability management), and Config (configuration compliance). GuardDuty analyzes VPC Flow Logs, DNS logs, and CloudTrail in real time to detect anomalies but does not perform posture scoring. Config tracks configuration changes for individual resources and detects rule violations but lacks the ability to aggregate findings across multiple services. Security Hub normalizes these findings into ASFF, aggregates them, and provides organization-wide scoring and workflow management as a "central command center." Compared to third-party CSPM (Cloud Security Posture Management) tools, Security Hub is AWS-native, requiring no additional agents, offers deep integration with AWS services, and pricing is event-volume-based starting from small amounts. However, it has limitations in multi-cloud support and advanced custom rule creation with proprietary policy languages.
Security Hub Pricing
Security Hub pricing consists of security check volume (Config rule evaluations) and finding ingestion volume. Security checks cost approximately $0.001 per check for the first 100,000 checks/month, with volume discounts applied thereafter. Finding ingestion is free for the first 10,000 findings/month, then approximately $0.00003 per finding. Practical cost management tips include limiting enabled security standards to only necessary ones, noting that Config rule evaluations are also billed separately on the Config side creating potential double-counting confusion, and disabling Security Hub in unused regions. Use the 30-day free trial to assess actual costs before production deployment. For Organizations with all accounts running FSBP only, costs typically remain at a few dollars per account per month.
Summary
Security Hub is a central management service providing finding aggregation and automated security standard evaluation. It quantifies security scores through AWS Foundational Security Best Practices and CIS Benchmark checks, and reduces operational burden through EventBridge-linked automated remediation actions and the ASR solution. Cross-region aggregation and Organizations integration provide centralized management of findings across multiple accounts and regions, while third-party SIEM integration streamlines incident response.