1. What is Security Hub?

AWS Security Hub provides a comprehensive view of your security state across AWS. It aggregates, organizes, and prioritizes security findings from multiple AWS services and third-party tools in a single dashboard.

Core Concept

Security Hub = single pane of glass for security. It collects findings from GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, and 60+ third-party tools. It also runs automated compliance checks against security standards (CIS, PCI DSS, AWS Best Practices).

2. Key Features


Finding Aggregation

  1. Collects findings from: GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, Systems Manager, third-party partners (60+)
  2. Findings use AWS Security Finding Format (ASFF) — standardized JSON format
  3. Cross-Region aggregation: designate one Region to aggregate findings from all Regions
  4. Cross-account: manage security across an AWS Organization from a delegated administrator account


Security Standards & Compliance

  1. Automated checks run continuously using AWS Config rules
  2. Security Score: 0–100% per standard showing compliance percentage
  3. Requires AWS Config to be enabled (Security Hub uses Config for checks)


Automated Response

  1. Security Hub sends findings to EventBridge for automation
  2. Custom Actions: trigger specific workflows from the Security Hub console
  3. Automated remediation: EventBridge → Lambda/SSM Automation → fix the finding
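
The EventBridge → Lambda step above, shown as an added example (not code from this page or from AWS): a handler that filters the ASFF findings in a "Security Hub Findings - Imported" event down to the ones worth acting on. The severity threshold, the sample event and its IDs are constructed assumptions; the remediation call itself is left to the caller.

```python
# Rank ASFF Severity.Label values so a threshold can be applied.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def triage(event, min_severity="HIGH"):
    """Return the findings in a Security Hub EventBridge event that need action."""
    if event.get("source") != "aws.securityhub":
        return []
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for f in event.get("detail", {}).get("findings", []):
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        if f.get("RecordState") != "ACTIVE":
            continue  # archived findings are no longer current
        if f.get("Workflow", {}).get("Status") != "NEW":
            continue  # already notified, suppressed or resolved: do not act twice
        if SEVERITY_RANK.get(label, 0) < threshold:
            continue
        selected.append({
            "Id": f["Id"],
            "ProductArn": f["ProductArn"],
            "Severity": label,
            "Title": f.get("Title", ""),
            "Resources": [r["Id"] for r in f.get("Resources", [])],
        })
    # Most severe first, so remediation handles CRITICAL before HIGH.
    return sorted(selected, key=lambda s: -SEVERITY_RANK[s["Severity"]])

def lambda_handler(event, context):
    actionable = triage(event)
    # Hand each entry to the remediation of your choice (Lambda logic or SSM Automation).
    return {"actionable": len(actionable), "findings": actionable}

def _finding(fid, severity, workflow="NEW", state="ACTIVE"):
    """Build a constructed, minimal ASFF finding for the sample event."""
    return {"Id": fid, "Title": "constructed sample " + fid,
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "Severity": {"Label": severity}, "Workflow": {"Status": workflow},
            "RecordState": state,
            "Resources": [{"Type": "AwsEc2Instance", "Id": "i-EXAMPLE-" + fid}]}

# Constructed sample event (not real data).
SAMPLE_EVENT = {"source": "aws.securityhub",
                "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [
                    _finding("finding-1", "HIGH"), _finding("finding-2", "CRITICAL"),
                    _finding("finding-3", "HIGH", workflow="SUPPRESSED"),
                    _finding("finding-4", "LOW"),
                    _finding("finding-5", "CRITICAL", state="ARCHIVED")]}}
```

Filtering on Workflow.Status keeps the automation from firing again each time an already-handled finding is re-imported with an update.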

Exam Tip

Security Hub: "Single dashboard for all security findings" = Security Hub. "Compliance check against CIS/PCI" = Security Hub. "Aggregate GuardDuty + Inspector + Macie findings" = Security Hub. Requires AWS Config. Uses ASFF format. Cross-Region + cross-account aggregation. Automate via EventBridge.