AWS Security Hub

A service that provides centralized visibility into the security posture of your entire AWS environment, performing automated assessments against industry-standard security benchmarks and aggregating findings.

Overview

AWS Security Hub aggregates findings from multiple security services - GuardDuty, Inspector, Macie, Firewall Manager, and others - into a unified format called ASFF (AWS Security Finding Format) and manages them centrally through a dashboard. It automatically runs security checks based on industry standards such as CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, and PCI DSS, visualizing the compliance status of each resource as a score. When integrated with AWS Organizations, you can monitor and manage the security posture across hundreds of accounts from a single administrator account.

How ASFF Solves the Fragmented Findings Problem

AWS security services each output findings in their own format. GuardDuty produces threat intelligence-based detections, Inspector performs vulnerability scans, and Macie detects sensitive data - each with different purposes and output formats. Security Hub normalizes all of these into a common schema called ASFF (AWS Security Finding Format). ASFF provides a unified structure for describing finding severity, affected resources, and remediation steps, and can also integrate findings from third-party products in the same format. This normalization enables cross-service filtering, sorting, and aggregation of findings from different sources. For example, you can extract all findings with CRITICAL severity detected within the past 24 hours across all services. Microsoft Defender for Cloud, the corresponding Azure service, also provides centralized security posture management, but Security Hub's publication of an open format specification like ASFF is a distinguishing characteristic.

Selecting Security Standards and Managing Scores in Practice

Security Hub includes multiple built-in security standards that trigger automated checks based on AWS Config rules when enabled. AWS Foundational Security Best Practices (FSBP) is the AWS-recommended baseline, covering fundamental security items such as S3 bucket public access settings, RDS encryption status, and IAM root account MFA configuration. CIS AWS Foundations Benchmark is a more stringent standard that extends to CloudTrail log file validation and password policy complexity requirements. In practice, enabling all standards at once generates a flood of findings, making it difficult to see priorities. A realistic approach is to first enable FSBP and raise the score above 90%, then add CIS afterward. The score is calculated from the ratio of PASSED, FAILED, and NOT_AVAILABLE controls, and improves as you address FAILED controls one by one. Related books on cloud security (Amazon) provide systematic coverage of security standard selection and operational processes.

Organizations Integration and Automated Remediation Pipelines

In multi-account environments, Security Hub's Organizations integration is essential. When you designate a delegated administrator for Security Hub in the management account, Security Hub is automatically enabled across all accounts under the organization, and findings are aggregated to the administrator account. When new accounts are added, Security Hub is automatically enabled, preventing configuration gaps. To implement automated remediation for aggregated findings, you combine EventBridge with Lambda (or Systems Manager Automation). For example, you can define rules such as automatically enabling block public access settings when public S3 bucket access is detected, or automatically removing security group rules that allow SSH from 0.0.0.0/0. However, automated remediation carries the risk of unintended service impact, so the safe approach is to start with notifications only and switch to automated remediation after thorough testing. Custom actions can also be defined to enable a semi-automated workflow where you manually select findings and trigger remediation.
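The notify-first EventBridge/Lambda pattern above, and the cross-service "CRITICAL within 24 hours" filter from the ASFF section, as one added example (not AWS or Security Hub sample code). It assumes the "Security Hub Findings - Imported" event shape with ASFF findings under `detail.findings`, a constructed sample finding, an assumed FSBP control ID (S3.8) for bucket-level Block Public Access, and an injected S3 client so the logic runs offline.

```python
from datetime import datetime, timedelta

# Assumed FSBP control ID for "S3 Block Public Access at bucket level"; verify it.
S3_PUBLIC_ACCESS_CONTROL = "S3.8"
# Constructed EventBridge event carrying one ASFF finding (all values fabricated).
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding-1",
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "UpdatedAt": "2024-01-01T12:00:00Z",
        "Compliance": {"Status": "FAILED"}, "ProductFields": {"ControlId": S3_PUBLIC_ACCESS_CONTROL},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}],
    }]},
}

# ASFF timestamps are ISO 8601 with a trailing Z; turn them into tz-aware datetimes.
parse_ts = lambda ts: datetime.fromisoformat(ts.replace("Z", "+00:00"))

def recent_critical(findings, now_iso, window_hours=24):
    """Cross-service filter on normalized ASFF fields: CRITICAL and updated in window."""
    cutoff = parse_ts(now_iso) - timedelta(hours=window_hours)
    return [f for f in findings if f.get("Severity", {}).get("Label") == "CRITICAL"
            and parse_ts(f["UpdatedAt"]) >= cutoff]

def plan_remediation(finding):
    """Map a FAILED control finding on an S3 bucket to an action dict, else None."""
    control = finding.get("ProductFields", {}).get("ControlId")
    if finding.get("Compliance", {}).get("Status") != "FAILED" or control != S3_PUBLIC_ACCESS_CONTROL:
        return None
    buckets = [r["Id"].rsplit(":::", 1)[-1] for r in finding.get("Resources", [])
               if r.get("Type") == "AwsS3Bucket"]
    return {"bucket": buckets[0], "finding_id": finding["Id"]} if buckets else None

class RecordingS3Client:
    """Offline stand-in for a boto3 S3 client; records the calls it would have made."""
    def __init__(self): self.calls = []
    def put_public_access_block(self, **kwargs): self.calls.append(kwargs)

def lambda_handler(event, context, s3_client=None, auto_remediate=False):
    """EventBridge target: notify-only unless auto_remediate=True (client injected; boto3 in prod)."""
    plans = [p for f in event["detail"]["findings"] if (p := plan_remediation(f))]
    for p in plans:
        if auto_remediate and s3_client is not None:
            s3_client.put_public_access_block(Bucket=p["bucket"], PublicAccessBlockConfiguration={
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
            p["status"] = "remediated"
        else:
            p["status"] = "notified"  # hand off to SNS or ticketing in a real pipeline
    return plans
```

Deploy with `auto_remediate=False` first and compare the returned plans against what operators would have done, then flip the flag for the controls whose remediation has proven safe.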
