AWS Security Hub
Service 38

Security Posture, Managed

Security Hub is an aggregator. It does not detect threats or scan data itself — it collects findings from other services (GuardDuty, Macie, Inspector, Config, IAM Access Analyzer, Firewall Manager, and many third-party partners), normalizes them into one format, scores your account against security standards, and presents the whole picture in one console.

It solves a real problem: security teams running 5 or 10 tools, each with its own console and finding format. It is the single pane of glass for AWS-native security operations.

What It Aggregates

AWS-native sources include GuardDuty (threat detection), Macie (S3 sensitive data), Inspector (vulnerability scanning), IAM Access Analyzer, Config, Firewall Manager, and Health. Third-party tools (CrowdStrike, Splunk, Palo Alto, and dozens more) publish findings via a documented API.

All findings are normalized into the AWS Security Finding Format (ASFF), a common JSON schema that lets you query, filter, and route findings consistently regardless of source.

Security Standards

Beyond aggregation, Security Hub continuously evaluates your account against standards — sets of automated checks (mostly Config rules underneath): AWS Foundational Security Best Practices (the right baseline), the CIS AWS Foundations Benchmark, PCI DSS, and NIST 800-53. Each gives per-control pass/fail and a score.

Triaging failed controls is the core day-to-day work for teams using Security Hub.

Working with Findings

Findings can be filtered and grouped, suppressed with optional expiration, updated with workflow status, and routed to EventBridge for downstream ticketing, SIEM, or automation. For teams with a SIEM, EventBridge is the integration point; for those without, the console plus EventBridge alerts to Slack or email is a workable lightweight setup.

Multi-account and multi-Region setups use a delegated administrator and a single aggregator Region (often us-east-1).

Security Hub vs GuardDuty vs a SIEM

Security Hub — aggregating and scoring AWS-native security findings and posture in one place.

GuardDuty — one source feeding Security Hub — active threat detection, not aggregation.

A SIEM — aggregating application, network, and security logs from everywhere, including non-AWS — complementary, not replaced.

Common Mistakes
  • Treating Security Hub as a SIEM replacement — it aggregates AWS-native signals, not application and network logs from everywhere.
  • Enabling it in some accounts/Regions only instead of centralizing through a delegated administrator and an aggregator Region.
  • Letting failed controls and findings pile up unread instead of triaging weekly toward a target score.
  • Creating permanent suppressions with no owner or expiration, turning them into invisible technical debt.
  • Running it on tiny dev accounts where the baseline noise and minimum bill exceed the value.
  • Expecting it to find application-layer issues — those need SAST, DAST, and dependency scanning.

Best Practices
  • Enable Security Hub in every account and Region, centralized via a delegated administrator.
  • Start with the AWS Foundational Security Best Practices standard; add CIS or industry standards as required.
  • Triage failed controls weekly toward a target score.
  • Route findings to EventBridge and alert on Critical and High severity.
  • Tag suppressions with an owner and expiration.
  • Pick a single aggregator Region for multi-Region operations.
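As an added example (not code from the original page or from AWS), the following Python implements the routing and suppression hygiene described under Working with Findings and in the Best Practices list: an EventBridge event pattern in the documented Security Hub event shape that forwards only Critical/High findings still in the NEW workflow state, a simplified local matcher to exercise it against constructed ASFF-shaped findings, and a check for suppressions that lack an owner or are past their expiry. The `owner=... expires=...` convention inside `Note.Text` is an assumed team convention, not a Security Hub feature, and the findings are constructed samples.

```python
"""Triage helpers over ASFF-shaped Security Hub findings (added example, constructed data)."""
from datetime import date
# EventBridge pattern in the documented Security Hub event shape: forward only Critical/High
# findings whose workflow status is still NEW; suppressed or resolved ones stay out.
ALERT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]}, "Workflow": {"Status": ["NEW"]}}},
}

def matches(pattern, event):
    """Simplified EventBridge semantics: leaf lists are allowed values, dicts recurse,
    and a list in the event matches when any of its elements matches."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            candidates = got if isinstance(got, list) else [got]
            if not any(isinstance(c, dict) and matches(want, c) for c in candidates):
                return False
        elif got not in want:
            return False
    return True

def to_alert(findings):
    """IDs the ALERT_PATTERN rule would forward, wrapping each finding as Security Hub emits it."""
    events = ((f["Id"], {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
                         "detail": {"findings": [f]}}) for f in findings)
    return [fid for fid, ev in events if matches(ALERT_PATTERN, ev)]

def stale_suppressions(findings, today):
    """Suppressed findings with no owner or a passed expiry. Assumed team convention:
    Note.Text carries 'owner=<team> expires=YYYY-MM-DD' (not a Security Hub feature)."""
    stale = []
    for f in findings:
        if f.get("Workflow", {}).get("Status") != "SUPPRESSED":
            continue
        tags = dict(kv.split("=", 1) for kv in f.get("Note", {}).get("Text", "").split() if "=" in kv)
        expiry = tags.get("expires")
        if "owner" not in tags or not expiry or date.fromisoformat(expiry) < today:
            stale.append(f["Id"])
    return stale

FINDINGS = [  # constructed samples in ASFF field layout, not real findings
    {"Id": "f-1", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"}},
    {"Id": "f-2", "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "SUPPRESSED"},
     "Note": {"Text": "owner=cloudsec expires=2030-01-01"}},
    {"Id": "f-3", "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"}},
    {"Id": "f-4", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "SUPPRESSED"}, "Note": {"Text": "known issue"}},
]
```

Running `to_alert(FINDINGS)` yields only `f-1`; `stale_suppressions(FINDINGS, date(2025, 6, 1))` flags `f-4`, whose suppression carries neither owner nor expiry.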

Comparable services
  • GCP: Security Command Center
  • Azure: Microsoft Defender for Cloud

Knowledge Check

What is Security Hub's core function?

  • Normalizing findings from many security services and scoring the account against standards — it detects nothing itself
  • Detecting brand-new threats directly from raw CloudTrail, DNS, and VPC Flow Logs in very much the same way GuardDuty does
  • Scanning S3 bucket contents for sensitive data such as card numbers, exactly like Macie does
  • Issuing and auto-renewing the TLS certificates that load balancers and CloudFront rely on

What is the AWS Security Finding Format (ASFF)?

  • A common JSON schema all findings are normalized into, enabling consistent query, filter, and routing
  • A formal compliance standard, much like PCI DSS, that the whole account is continuously scored against
  • The encryption format used to protect finding records while they sit at rest
  • A premium pricing tier for Security Hub that unlocks extra finding sources

Why is Security Hub not a replacement for a SIEM?

  • It aggregates AWS-native security signals; a SIEM aggregates application, network, and security logs from everywhere
  • Security Hub has no ability whatsoever to store or retain the findings it receives for any length of time
  • A SIEM can only ever run on-premises inside your own physical data center on hardware you rack yourself, never as a managed cloud service
  • They are functionally identical products and can be swapped for one another freely

Which standard is the recommended baseline to enable first?

  • AWS Foundational Security Best Practices (FSBP)
  • The complete NIST 800-53 control set
  • PCI DSS, regardless of whether you handle any card data
  • No standard at all — simply aggregate the findings
