AWS Security Hub

Security Hub was announced at re:Invent 2018 and aims to provide an overall view of security findings across AWS services and partner products. It also helps consolidate and prioritize large volumes of alerts. In many organizations this is a fragmented space, split between traditional security tooling, logging solutions and native AWS services. Here we take AWS Security Hub for a test drive to see how it fares as a consolidated security view.



Components of the above diagram:

  • Findings – the central component of Security Hub, an extensive JSON document format used to consistently describe security findings.
  • Providers – generate security findings. The native AWS services Macie, GuardDuty and Inspector integrate directly with Security Hub. In addition, partner security tools such as Palo Alto firewalls and Sumo Logic can create findings specific to their respective products.
  • Standards – Currently Security Hub has one standard, the CIS AWS Benchmarks. When enabled this creates a set of AWS Config rules implementing the standard's compliance checks. These rules create findings in the standard findings format.
  • Insights – Lightweight aggregation and correlation rules to group findings. Users can define custom insights in addition to the defaults provided by Security Hub, for example filter by the AMI with the most findings, or filter by source.
  • Actions – Performed against findings, Security Hub actions create CloudWatch Events which can in turn invoke Lambdas or Step Functions. These could be used to:
    • Isolate suspect resources
    • Snapshot and terminate EC2 instances
    • Send alerts
    • Automatically fix permissions issues
    • Automatically update firewall rules


Security Hub can be enabled via the console or the CLI.

$ aws securityhub enable-security-hub

Note that it is currently a regional service; to cover all regions:

$ for region in `aws ec2 describe-regions --query "Regions[].RegionName" --output text`; do aws --region $region securityhub enable-security-hub; done

This creates a service-linked role and enables the Security Hub service in each region.


In addition to the standard granular IAM permissions, two managed policies exist to control access to the Security Hub service itself.



Findings represent a security or compliance issue. All providers, AWS services, partners and standards create findings in the same format defined by Security Hub. With about 130 attributes the structure should cover a wide range of integrations going forward.

Key attributes within the findings format are used by the Security Hub console.


Some of the key attributes are:

  • RecordState: ACTIVE|ARCHIVED – by default the findings UI hides archived findings
  • Severity.Normalized: 0 to 100, with:
    • 1-39 mapping to low
    • 40-69 medium
    • 70-89 high
    • 90-100 critical
    • This field's purpose is to normalize severity across multiple providers. For example, within GuardDuty both InstanceCredentialExfiltration and PhishingDomainRequest are classified equally as High. However, within Security Hub InstanceCredentialExfiltration gets a normalized score of 75 (High) vs PhishingDomainRequest with a normalized score of 60 (Medium). This is a useful field for prioritizing different types of findings across multiple providers.
  • Types: A path representing the MITRE matrix of techniques, useful for further sorting and classifying findings.
  • Findings can be filtered by attributes with the EQUALS and CONTAINS operators and further grouped by additional attributes within the UI.
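The attributes above are what a triage script works with once findings are pulled out of the service. The following is an added example, not code from the original post: it maps Severity.Normalized to the bands the post lists, builds the Filters argument for the securityhub GetFindings API (hiding archived findings, as the console does), and orders findings from different providers by the normalized score. Assumptions not in the post: a score of 0 is labelled "informational" (the ASFF convention), and the sample findings and their Types strings are constructed.

```python
"""Triage of Security Hub findings by Severity.Normalized.

Added example, not code from the original post. Assumptions not stated in
the post: a score of 0 is labelled "informational" (the ASFF convention);
the sample findings and their Types strings below are constructed. The
Filters dictionary follows the securityhub GetFindings API shape.
"""

# Severity bands from the post, highest floor first.
BANDS = ((90, "critical"), (70, "high"), (40, "medium"), (1, "low"))


def severity_label(normalized):
    """Map Severity.Normalized (0-100) to the label Security Hub displays."""
    if not 0 <= normalized <= 100:
        raise ValueError("Severity.Normalized must be within 0..100")
    for floor, label in BANDS:
        if normalized >= floor:
            return label
    return "informational"  # assumption: 0 means informational, as in ASFF


def active_findings_filter(min_normalized=70, type_prefix=None):
    """Build the Filters argument for securityhub:GetFindings.

    Hides ARCHIVED findings (as the console does by default) and keeps only
    findings at or above min_normalized. type_prefix narrows on the Types
    path, e.g. "TTPs/" for technique-style findings.
    """
    filters = {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "SeverityNormalized": [{"Gte": min_normalized, "Lte": 100}],
    }
    if type_prefix:
        filters["Type"] = [{"Value": type_prefix, "Comparison": "PREFIX"}]
    return filters


def select_active(findings, min_normalized=70):
    """Local equivalent of active_findings_filter() for findings already fetched."""
    return [
        f for f in findings
        if f.get("RecordState") == "ACTIVE"
        and f["Severity"]["Normalized"] >= min_normalized
    ]


def prioritize(findings):
    """Order highest Severity.Normalized first; ties broken by finding Id.

    Only the normalized score is comparable across providers, which is the
    reason the field exists.
    """
    return sorted(findings, key=lambda f: (-f["Severity"]["Normalized"], f["Id"]))


def fetch_prioritized(region, min_normalized=70):
    """Page through GetFindings with the filter above (needs AWS credentials)."""
    import boto3  # deferred so the pure helpers run without boto3 installed

    client = boto3.client("securityhub", region_name=region)
    found = []
    for page in client.get_paginator("get_findings").paginate(
        Filters=active_findings_filter(min_normalized)
    ):
        found.extend(page["Findings"])
    return prioritize(found)


# Constructed sample: the two GuardDuty findings the post compares (both
# "High" in GuardDuty, 75 and 60 once normalized) plus an archived one.
SAMPLE_FINDINGS = [
    {"Id": "gd-phishing", "RecordState": "ACTIVE",
     "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/guardduty",
     "Types": ["TTPs/Example/PhishingDomainRequest"],
     "Severity": {"Product": 8, "Normalized": 60}},
    {"Id": "gd-exfil", "RecordState": "ACTIVE",
     "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/guardduty",
     "Types": ["TTPs/Example/InstanceCredentialExfiltration"],
     "Severity": {"Product": 8, "Normalized": 75}},
    {"Id": "old-critical", "RecordState": "ARCHIVED",
     "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/inspector",
     "Types": ["Software and Configuration Checks/Example"],
     "Severity": {"Product": 9, "Normalized": 95}},
]

if __name__ == "__main__":
    for f in prioritize(select_active(SAMPLE_FINDINGS, min_normalized=40)):
        score = f["Severity"]["Normalized"]
        print(f["Id"], score, severity_label(score))
```

Running the script on the constructed sample lists gd-exfil before gd-phishing and drops the archived finding entirely, even though its raw score is the highest; fetch_prioritized applies the same filter server-side against a real account.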


Native AWS Providers


GuardDuty is a threat detection service. It is not automatically enabled by Security Hub; once enabled, GuardDuty findings are automatically sent to Security Hub in the same account. There is some overlap between the multi-account configuration of GuardDuty and Security Hub, which we'll cover later. GuardDuty finding information is automatically mapped into the Security Hub finding format.


Security Hub View



Amazon Inspector checks applications for exposure and vulnerabilities. The findings of any Inspector assessment run are automatically sent to Security Hub in the local account if it is enabled.

Inspector findings are automatically mapped into the Security Hub finding format.


Security Hub View



Macie discovers, classifies, protects and alerts on sensitive data in AWS. When both services are enabled in an account the integration works as expected.


Macie alerts are sent to Security Hub as findings.


Partner Providers

In addition to the native AWS services, many AWS partners have updated their solutions to provide Security Hub findings.



Currently Security Hub contains one standard, the CIS AWS Foundations. This depends on AWS Config, and automatically enables the CIS Foundations Config rules in the current account and region.


After enabling, Security Hub creates a set of Config rules. Many of these are non-compliant in fresh AWS accounts.


Warning: these Config rules are not free. Be cautious running them across multiple accounts and regions, as the cost can quickly add up.


After about two hours Security Hub catches up and we see some findings from the CIS rulesets within Security Hub.


A fresh AWS account passes about 26 of the 43 CIS rules. A few quick areas to improve the score are:

  • Set a strong password policy. We generally recommend taking it a step further and restricting IAM users in general, instead preferring roles from an identity provider.
  • Configure CloudTrail to deliver to an audit account with a security bucket
  • Configure a set of log metric filters and alarms to alert on changes to important components such as NACLs, gateways, route tables and VPCs.


Insights are saved searches, filtering and grouping on finding attributes. Security Hub provides a number of default insights and users can create and save their own.

A default insight:



Actions can be performed against one or more findings, often grouped by insights. Security Hub provides a single default action, to archive a finding. Actions are executed by users via the console.


In addition users can create custom actions.


These actions integrate with CloudWatch Events; the link is the ARN of the custom action, e.g. arn:aws:securityhub:ap-southeast-2:123412341234:action/custom/TerminateInstance

A CloudWatch Events rule can be created with an event pattern matching that ARN:

{
  "source": [
    "aws.securityhub"
  ],
  "resources": [
    "arn:aws:securityhub:ap-southeast-2:123412341234:action/custom/TerminateInstance"
  ]
}

This rule could then invoke a lambda to perform any action required based on the finding.
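What such a Lambda looks like for the TerminateInstance action above, as an added example rather than code from the original post: it checks that the event really carries the custom action ARN from the rule, pulls the EC2 instance ids out of each finding's ASFF Resources list, de-duplicates them across findings, and only calls EC2 when DRY_RUN=false is set, so by default it just reports the plan. Assumptions not in the post: the event shape is the CloudWatch Events payload Security Hub emits for custom actions (detail.actionName plus detail.findings[] in ASFF), the EC2 resource Id is the instance ARN, and SAMPLE_EVENT is constructed.

```python
"""Lambda target for the TerminateInstance custom action.

Added example, not code from the original post. Assumptions not stated in
the post: the event is the CloudWatch Events payload Security Hub emits for
custom actions (detail.actionName plus detail.findings[] in ASFF), and the
EC2 resource Id in a finding is the instance ARN. SAMPLE_EVENT is
constructed. The handler is a dry run unless DRY_RUN=false is set, so the
planning logic can be exercised without touching AWS.
"""
import json
import os

# The custom action ARN from the post (sample region and account id).
TERMINATE_ACTION_ARN = (
    "arn:aws:securityhub:ap-southeast-2:123412341234:action/custom/TerminateInstance"
)


def instances_from_finding(finding):
    """Yield (region, instance_id) for each EC2 instance in a finding's Resources."""
    for resource in finding.get("Resources", []):
        if resource.get("Type") != "AwsEc2Instance":
            continue
        parts = resource.get("Id", "").split(":")
        # Instance ARN: arn:aws:ec2:<region>:<account>:instance/<id>
        if len(parts) == 6 and parts[5].startswith("instance/"):
            yield parts[3], parts[5].split("/", 1)[1]


def plan_from_event(event):
    """Check the event really is our custom action and collect targets.

    Returns {"action": name, "targets": {instance_id: {"region": r,
    "findings": [ids]}}}. Raises ValueError for any other event so a
    misrouted rule cannot cause a termination.
    """
    if event.get("source") != "aws.securityhub":
        raise ValueError("unexpected event source")
    if TERMINATE_ACTION_ARN not in event.get("resources", []):
        raise ValueError("event is not the TerminateInstance custom action")
    detail = event.get("detail", {})
    targets = {}
    for finding in detail.get("findings", []):
        for region, iid in instances_from_finding(finding):
            entry = targets.setdefault(iid, {"region": region, "findings": []})
            entry["findings"].append(finding.get("Id"))
    return {"action": detail.get("actionName"), "targets": targets}


def handler(event, context=None):
    """Lambda entry point: plan, then act only when DRY_RUN=false."""
    plan = plan_from_event(event)
    if os.environ.get("DRY_RUN", "true").lower() != "false":
        print("DRY_RUN: would terminate", json.dumps(plan))
        return plan
    import boto3  # deferred so planning runs without boto3 available

    for iid, target in plan["targets"].items():
        ec2 = boto3.client("ec2", region_name=target["region"])
        ec2.terminate_instances(InstanceIds=[iid])
        print("terminated", iid, "for findings", target["findings"])
    return plan


# Constructed sample event: two findings on the same instance, one of which
# also lists an access key that must not be treated as an instance.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": [TERMINATE_ACTION_ARN],
    "detail": {
        "actionName": "TerminateInstance",
        "actionDescription": "Terminate a compromised EC2 instance",
        "findings": [
            {"Id": "finding-1", "Resources": [
                {"Type": "AwsEc2Instance",
                 "Id": "arn:aws:ec2:ap-southeast-2:123412341234:instance/i-0123456789abcdef0"},
                {"Type": "AwsIamAccessKey", "Id": "AKIAEXAMPLEKEY"}]},
            {"Id": "finding-2", "Resources": [
                {"Type": "AwsEc2Instance",
                 "Id": "arn:aws:ec2:ap-southeast-2:123412341234:instance/i-0123456789abcdef0"}]},
        ],
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

The check on the action ARN matters because the same Lambda could be wired to several rules; a snapshot-then-terminate variant would add an ec2.create_snapshot step before terminate_instances, and the Lambda's execution role should be scoped to just those EC2 actions.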

Multiple Accounts

Security Hub uses the standard master and member account configuration used by other AWS services. Master accounts invite member accounts, member accounts then share findings with the master accounts.


From the perspective of finding forwarding between accounts:


Providers forward findings to the local account's Security Hub, which then shares those findings with the master account. This can be used to provide a centralized security team view across a company's set of accounts, and a per-account view visible to account owners.

The approach overlaps with the existing GuardDuty and Macie cross account configurations. Security Hub should simplify the deployment of those two tools as it centralizes the aggregation configuration in one setup. In addition Inspector findings can now also be centralized to a single account.


Security Hub only stores 90 days of findings history; companies requiring longer retention may need to automate the "aws securityhub get-findings" call and archive the results.
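One way to automate that archive, added here as an example and not code from the original post: page through GetFindings for findings updated in the last day or two, group them by the UpdatedAt date, and write each day as gzipped newline-delimited JSON to S3 under Hive-style partitions that Athena can query later. The GetFindings paginator and the UpdatedAt DateRange filter are part of the securityhub API; the bucket name, the sample findings and the fake clients that let the script run offline are constructed assumptions.

```python
"""Archive Security Hub findings to S3 beyond the 90-day retention.

Added example, not code from the original post. Assumptions not stated in
the post: findings go to an S3 bucket as gzipped newline-delimited JSON,
partitioned Hive-style by the finding's UpdatedAt date; the bucket name,
the sample findings and the fake clients used for the stand-alone run are
constructed. The GetFindings paginator and the UpdatedAt DateRange filter
are part of the securityhub API.
"""
import gzip
import json
from collections import defaultdict


def recent_findings_filter(days):
    """GetFindings filter for findings updated within the last `days` days."""
    return {"UpdatedAt": [{"DateRange": {"Value": days, "Unit": "DAYS"}}]}


def partition_key(finding, prefix="securityhub"):
    """S3 key partitioned by UpdatedAt date, e.g. .../year=2019/month=01/day=15/...

    ASFF timestamps are ISO 8601 strings such as 2019-01-15T03:04:05.678Z.
    """
    year, month, day = finding["UpdatedAt"][:10].split("-")
    return f"{prefix}/year={year}/month={month}/day={day}/findings.json.gz"


def to_ndjson_gz(findings):
    """One JSON object per line, gzip-compressed."""
    body = "".join(json.dumps(f, sort_keys=True) + "\n" for f in findings)
    return gzip.compress(body.encode("utf-8"))


def from_ndjson_gz(blob):
    """Inverse of to_ndjson_gz, for restores and for checking an archive."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line]


def fetch_findings(securityhub, days):
    """Collect every finding in the window, following pagination."""
    found = []
    pages = securityhub.get_paginator("get_findings").paginate(
        Filters=recent_findings_filter(days)
    )
    for page in pages:
        found.extend(page["Findings"])
    return found


def archive_findings(securityhub, s3, bucket, days=1):
    """Fetch, partition by day and upload. Returns {s3 key: finding count}.

    Run daily (days=1 plus a little overlap) so findings that are updated
    more than once appear in the partition of each update.
    """
    batches = defaultdict(list)
    for finding in fetch_findings(securityhub, days):
        batches[partition_key(finding)].append(finding)
    counts = {}
    for key in sorted(batches):
        s3.put_object(Bucket=bucket, Key=key, Body=to_ndjson_gz(batches[key]))
        counts[key] = len(batches[key])
    return counts


# Minimal stand-ins for the boto3 clients so the example runs offline.
class FakeSecurityHub:
    """Returns constructed GetFindings pages instead of calling AWS."""

    def __init__(self, pages):
        self._pages = pages

    def get_paginator(self, name):
        assert name == "get_findings"
        return self

    def paginate(self, **kwargs):
        return iter(self._pages)


class FakeS3:
    """Records put_object calls in a dict keyed by (bucket, key)."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body


# Constructed findings spanning two days across two result pages.
SAMPLE_PAGES = [
    {"Findings": [
        {"Id": "f-1", "UpdatedAt": "2019-01-14T23:59:00.000Z", "Severity": {"Normalized": 40}},
        {"Id": "f-2", "UpdatedAt": "2019-01-15T01:00:00.000Z", "Severity": {"Normalized": 75}},
    ]},
    {"Findings": [
        {"Id": "f-3", "UpdatedAt": "2019-01-15T02:00:00.000Z", "Severity": {"Normalized": 60}},
    ]},
]


def demo(bucket="example-securityhub-archive"):
    """Archive the constructed pages into a FakeS3 and return (counts, s3)."""
    s3 = FakeS3()
    counts = archive_findings(FakeSecurityHub(SAMPLE_PAGES), s3, bucket, days=2)
    return counts, s3


if __name__ == "__main__":
    # Against a real account: archive_findings(boto3.client("securityhub"),
    #                                          boto3.client("s3"), "<your-bucket>")
    counts, s3 = demo()
    print(json.dumps(counts, indent=2))
```

Scheduling this daily from a CloudWatch Events rule in the master account, where all member findings land, gives a single long-term store; the bucket should live in the audit account with the same access controls as the CloudTrail bucket.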

The remainder of the limits are currently all hard limits but should be sufficient for most environments.


During the public preview there are no additional costs for AWS Security Hub itself; however, any Config rules created by the service are charged at standard Config rates.


A few features that would be great to see soon to complete the product are:

  • Multi account multi region support, to avoid having to aggregate across regions to a single view outside the tool.
  • Organizations integration, to complete the account handshake seamlessly using organizational permissions and fetch account lists from organization.
  • A Security Hub generated critical finding calling out 'coverage gaps', e.g. GuardDuty missing in a region in one account.

However, for a preview release service Security Hub appears to hit the sweet spot. Minimal configuration is required to get started, and it quickly provides useful findings with great filtering. By performing the cross-account forwarding in a single tool, Security Hub saves on managing the GuardDuty and Macie master and member account lists. It also allows Inspector results to be aggregated to a central account.

We're excited to see what's next with Security Hub as it heads towards general release, and to work with customers to get the most out of it.