AWS Security Hub
When you run several security tools in AWS, each one produces its own alerts in its own console. Checking GuardDuty in one tab, Inspector in another, and Macie in a third gets exhausting fast. AWS Security Hub is the single dashboard that pulls all of those alerts (called “findings”) into one place, removes duplicates, and gives you one overall security score. It also runs its own automated checks against well-known security rulebooks, so you can see at a glance how far your account drifts from best practice. This is what the industry calls CSPM (Cloud Security Posture Management — continuously checking whether your cloud setup is configured safely).
What Security Hub actually does
Think of Security Hub as a collector and a grader rolled into one.
- As a collector it ingests findings from other AWS services and third-party tools, normalizes them into a single format (the AWS Security Finding Format, or ASFF — a standard JSON shape so every alert looks the same), and shows them on one screen.
- As a grader it runs security standards. A standard is a checklist of rules; Security Hub evaluates your account against each rule and reports a pass/fail. It then rolls those results into a percentage score per standard.
The sources that feed Security Hub include:
- GuardDuty — threat detection from logs (e.g. crypto-mining, leaked credentials).
- Amazon Inspector — vulnerability scanning for EC2 instances and container images.
- Amazon Macie — sensitive-data discovery in Amazon S3 (Simple Storage Service).
- AWS Config, IAM Access Analyzer, Firewall Manager, and dozens of partner products.
Gotcha: Security Hub only aggregates and scores — it does not detect threats by itself. The underlying detectors must be enabled separately. If you open Security Hub and it looks empty, it almost always means nothing is feeding it: GuardDuty, Inspector, and Macie are off. Turn those on first.
The security standards
| Standard | What it checks | When to use it |
|---|---|---|
| AWS Foundational Security Best Practices (FSBP) | AWS’s own baseline of secure-config rules across most services | Always — the broadest, AWS-maintained default |
| CIS AWS Foundations Benchmark | Industry-consensus rules from the Center for Internet Security | When auditors or policy require the CIS benchmark |
| PCI DSS | Payment Card Industry rules for handling card data | If you store or process credit-card data |
| NIST SP 800-53 | US federal control catalog | Government / regulated workloads |
When to use this: enable FSBP everywhere as your baseline. Add CIS or PCI DSS only in accounts that genuinely need them. When NOT to: do not blindly enable every standard in every account — each enabled check costs money (see cost note below), and the noise from controls you do not care about hides the findings you do.
Enabling Security Hub
Security Hub depends on AWS Config being turned on, because most controls read your resource configuration from Config. Enable Config first, or Security Hub controls will show as “no data.”
Console steps
- Open the Security Hub console.
- On the welcome screen, confirm the standards you want (FSBP is selected by default).
- Choose Enable Security Hub.
- Go to Settings → Configuration to confirm AWS Config is recording.
- Open Integrations and toggle on Accept findings for GuardDuty, Inspector, and Macie.
CLI equivalent
```bash
# Turn on Security Hub with the default standards (FSBP, CIS)
aws securityhub enable-security-hub --enable-default-standards
```
Output:
(no output on success; exit code 0)
To enable a specific standard later, you reference its subscription ARN:
```bash
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
  '[{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}]'
```
Output:
```json
{
  "StandardsSubscriptions": [
    {
      "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0",
      "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
      "StandardsStatus": "PENDING"
    }
  ]
}
```
Reading findings
Each finding has a severity (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL) and a workflow status (NEW, NOTIFIED, SUPPRESSED, RESOLVED). You triage findings by changing their workflow status, not by deleting them.
List the current critical findings from the CLI:
```bash
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus":[{"Value":"NEW","Comparison":"EQUALS"}]}' \
  --max-results 2
```
Output:
```json
{
  "Findings": [
    {
      "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.8/finding/a1b2c3d4-...",
      "Title": "S3.8 S3 Block Public Access setting should be enabled at the bucket level",
      "Severity": { "Label": "CRITICAL" },
      "Resources": [
        { "Type": "AwsS3Bucket", "Id": "arn:aws:s3:::my-app-uploads" }
      ],
      "Compliance": { "Status": "FAILED" },
      "Workflow": { "Status": "NEW" }
    }
  ]
}
```
(In ASFF the severity lives under `Severity.Label`; `SeverityLabel` is only the filter key used in `--filters`.)
To mark a finding as handled once you have fixed (or accepted) it:
```bash
aws securityhub batch-update-findings \
  --finding-identifiers '[{"Id":"arn:aws:securityhub:...S3.8/finding/a1b2c3d4-...","ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub"}]' \
  --workflow Status=RESOLVED
```
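The two commands above are usually scripted. The example below is added here and is not from the page or from AWS: it parses findings in the ASFF shape returned by get-findings, computes a per-standard score (an approximation of how Security Hub grades controls, stated as an assumption in the code), and builds the batch-update-findings input that resolves a finding. The sample findings are constructed, not real account data.

```python
def _finding(standard, version, control, rtype, resource, compliance, workflow, severity):
    """Build one control finding in ASFF shape (constructed sample data, not real output)."""
    sub = f"arn:aws:securityhub:us-east-1:111122223333:subscription/{standard}/v/{version}"
    return {"Id": f"{sub}/{control}/finding/{control.lower()}-{resource[-6:]}",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "Severity": {"Label": severity}, "Compliance": {"Status": compliance},
            "Workflow": {"Status": workflow}, "RecordState": "ACTIVE",
            "Resources": [{"Type": rtype, "Id": resource}]}

FSBP, CIS = "aws-foundational-security-best-practices", "cis-aws-foundations-benchmark"
SAMPLE = [  # constructed; mirrors what `aws securityhub get-findings` returns
    _finding(FSBP, "1.0.0", "S3.8", "AwsS3Bucket", "arn:aws:s3:::my-app-uploads", "FAILED", "NEW", "CRITICAL"),
    _finding(FSBP, "1.0.0", "S3.8", "AwsS3Bucket", "arn:aws:s3:::my-app-logs", "PASSED", "RESOLVED", "INFORMATIONAL"),
    _finding(FSBP, "1.0.0", "EC2.2", "AwsEc2SecurityGroup", "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc", "FAILED", "SUPPRESSED", "HIGH"),
    _finding(FSBP, "1.0.0", "EC2.6", "AwsEc2Vpc", "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0abc", "PASSED", "RESOLVED", "MEDIUM"),
    _finding(CIS, "1.2.0", "1.4", "AwsIamUser", "arn:aws:iam::111122223333:user/deploy", "PASSED", "RESOLVED", "MEDIUM"),
]

def parse_id(finding_id):
    """Split a control finding Id into (standard, version, control)."""
    tail = finding_id.split(":subscription/", 1)[1].split("/")
    return tail[0], tail[2], tail[3]

def standard_scores(findings):
    """Pass percentage per standard, approximating Security Hub's score (assumption):
    a control FAILS if any active, non-suppressed finding for it is FAILED, and
    suppressed findings do not count, which is why triage uses workflow status."""
    status = {}  # (standard, control) -> "PASSED" / "FAILED"
    for f in findings:
        if f["RecordState"] != "ACTIVE" or f["Workflow"]["Status"] == "SUPPRESSED":
            continue
        std, _, ctl = parse_id(f["Id"])
        if f["Compliance"]["Status"] == "FAILED" or (std, ctl) not in status:
            status[(std, ctl)] = f["Compliance"]["Status"]
    totals = {}
    for (std, _), st in status.items():
        passed, total = totals.get(std, (0, 0))
        totals[std] = (passed + (st == "PASSED"), total + 1)
    return {std: round(100 * p / t) for std, (p, t) in totals.items()}

def resolve_request(findings, resolved_ids, note):
    """Input for `aws securityhub batch-update-findings` marking findings RESOLVED:
    triage changes the workflow status and leaves a note; nothing is deleted."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings if f["Id"] in resolved_ids]
    if not 1 <= len(ids) <= 100:  # API limit per call
        raise ValueError("batch-update-findings takes 1 to 100 finding identifiers")
    return {"FindingIdentifiers": ids, "Workflow": {"Status": "RESOLVED"},
            "Note": {"Text": note, "UpdatedBy": "triage-script"}}
```

With the sample data, FSBP scores 50% (S3.8 fails on one bucket, EC2.6 passes, the suppressed EC2.2 finding is ignored) and CIS scores 100%.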
Multi-account setup
In an organization, designate one account as the delegated administrator for Security Hub. That account sees findings from every member account in one view, instead of you logging into each account separately.
```bash
# Run from the AWS Organizations management account
aws securityhub enable-organization-admin-account \
  --admin-account-id 444455556666
```
When to use this: any company with more than one AWS account. A single pane of glass across accounts is the main reason teams adopt Security Hub at all. When NOT to: for a single personal/dev account the delegated-administrator setup adds no value — just enable Security Hub directly in that account.
Cost note
Security Hub bills on two things: per security check evaluated and per finding ingested from other products. The first 100,000 finding ingestion events per account per region each month are free, then it is roughly $0.0003 per event. Standards checks are around $0.0010 per check per account per month, prorated. None of these are large individually, but enabling every standard across every account and region in a big organization can quietly reach hundreds of dollars a month. Enable FSBP broadly, and add extra standards only where required.
Cost tip: disable Security Hub (and its standards) in regions you do not actually use. Checks run per region, so an idle region with all standards on is pure waste.
Best Practices
- Enable AWS Config and the detectors (GuardDuty, Inspector, Macie) before relying on Security Hub scores — an empty dashboard usually means missing inputs, not a clean account.
- Make FSBP your organization-wide baseline; add CIS, PCI DSS, or NIST only in accounts that legally or contractually need them.
- Use a delegated administrator account so findings aggregate into one view across the whole organization.
- Triage with workflow statuses (NOTIFIED, SUPPRESSED, RESOLVED) instead of ignoring findings, so the score reflects reality.
- Route CRITICAL and HIGH findings to a ticketing system or chat via Amazon EventBridge for fast response.
- Turn Security Hub off in unused regions to avoid paying for checks you never read.
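The routing rule in the best practices above is an EventBridge event pattern. The example below is added here and is not from the page or from AWS: it shows the pattern that forwards only CRITICAL and HIGH findings that are NEW and ACTIVE, a small matcher implementing just the pattern syntax used (an assumption, not EventBridge's full semantics), and the ticket payloads a rule target would build from a constructed "Security Hub Findings - Imported" event.

```python
# Event pattern for an EventBridge rule that forwards only actionable findings.
# A list means "any of these values"; every key in the pattern must match.
CRITICAL_HIGH_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["CRITICAL", "HIGH"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}

def matches(pattern, event):
    """Subset of EventBridge matching (assumption: only the syntax used above):
    a list in the pattern is an allowed-value set, a dict descends into the
    event, and a list in the event matches if any element does."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            elems = actual if isinstance(actual, list) else [actual]
            if not any(isinstance(e, dict) and matches(expected, e) for e in elems):
                return False
        elif actual not in expected:
            return False
    return True

def ticket_payloads(event):
    """What a rule target (for example a Lambda posting to a ticketing system)
    would build from an event that passes the pattern; empty if it does not."""
    if not matches(CRITICAL_HIGH_PATTERN, event):
        return []
    return [{"finding_id": f["Id"], "severity": f["Severity"]["Label"],
             "title": f["Title"], "resource": f["Resources"][0]["Id"]}
            for f in event["detail"]["findings"]]

def sample_event(severity, workflow="NEW", record_state="ACTIVE"):
    """Constructed 'Security Hub Findings - Imported' event; Security Hub sends
    one finding per event in the detail.findings array."""
    return {"source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{
                "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.8/finding/example-1",
                "Title": "S3.8 S3 Block Public Access setting should be enabled at the bucket level",
                "Severity": {"Label": severity}, "Workflow": {"Status": workflow},
                "RecordState": record_state,
                "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::my-app-uploads"}]}]}}
```

The same dictionary, serialized as JSON, is what you pass as the rule's event pattern; a MEDIUM finding, a SUPPRESSED one, or an ARCHIVED record never reaches the ticket queue.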