Last updated on December 7, 2025
AWS Security Hub Cheat Sheet
- AWS Security Hub provides a comprehensive view of your security posture across AWS accounts by aggregating, organizing, and prioritizing security findings from AWS services, AWS partner tools, and automated compliance checks. It helps evaluate compliance with industry standards and best practices.
Features
Centralized Security Findings
Aggregates security alerts (findings) across AWS services such as:
- Amazon GuardDuty
- Amazon Inspector
- Amazon Macie
- AWS IAM Access Analyzer
- AWS Firewall Manager
- AWS Audit Manager
- Integrated AWS Partner security solutions
Multi-Account Support via AWS Organizations
Integrates with AWS Organizations to manage security posture across all existing and future member accounts.
Automated Compliance Checks
Runs continuous configuration and compliance checks based on standards such as:
- CIS AWS Foundations Benchmark
- Other supported compliance frameworks
Compliance checks use AWS Config configuration items.
Aggregated Dashboards
Consolidates findings across accounts into a unified dashboard showing security status and compliance posture.
Event Forwarding and Automation
Findings can be forwarded to ticketing, chat, email, or automated remediation systems using Amazon CloudWatch Events custom actions.
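The forwarding step described above, as an added example that is not part of the cheat sheet: a Lambda-style handler that receives the "Security Hub Findings - Custom Action" event Security Hub publishes to CloudWatch Events (now Amazon EventBridge) when someone triggers a custom action, verifies it is the event it expects, and turns the selected findings into ticket records. The event structure follows the documented custom-action event format; the account number, ARNs, finding IDs, titles and the action name SendToTicketing are constructed placeholders, and the call to the actual ticketing API is left out.

```python
"""Route findings from a Security Hub custom action to a ticketing workflow.

Added example, not code from the cheat sheet. The event shape follows the
"Security Hub Findings - Custom Action" event Security Hub sends to
CloudWatch Events / EventBridge; the account number, ARNs, finding IDs and
the action name are constructed placeholders.
"""

# Severity labels that open a ticket; anything lower is only logged.
TICKET_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample event, as a Lambda target of the rule would receive it.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "account": "111122223333",
    "time": "2025-12-07T10:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToTicketing"],
    "detail": {
        "actionName": "SendToTicketing",
        "actionDescription": "Open a ticket for the selected findings",
        "findings": [
            {   # active, HIGH: should become a ticket
                "Id": "example-finding-1",
                "AwsAccountId": "111122223333",
                "Title": "2.1 Ensure CloudTrail is enabled in all regions",
                "Severity": {"Label": "HIGH", "Normalized": 70},
                "Compliance": {"Status": "FAILED"},
                "RecordState": "ACTIVE",
                "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
            },
            {   # active, LOW: log only
                "Id": "example-finding-2",
                "AwsAccountId": "111122223333",
                "Title": "1.4 Ensure access keys are rotated every 90 days or less",
                "Severity": {"Label": "LOW", "Normalized": 1},
                "Compliance": {"Status": "FAILED"},
                "RecordState": "ACTIVE",
                "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111122223333:user/example-user"}],
            },
            {   # archived, CRITICAL: the condition no longer exists, so skip it
                "Id": "example-finding-3",
                "AwsAccountId": "111122223333",
                "Title": "2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible",
                "Severity": {"Label": "CRITICAL", "Normalized": 90},
                "Compliance": {"Status": "PASSED"},
                "RecordState": "ARCHIVED",
                "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-trail-bucket"}],
            },
        ],
    },
}


def is_custom_action_event(event, expected_action):
    """Accept only events Security Hub emits for the custom action this handler serves."""
    return (
        event.get("source") == "aws.securityhub"
        and event.get("detail-type") == "Security Hub Findings - Custom Action"
        and event.get("detail", {}).get("actionName") == expected_action
    )


def finding_to_ticket(finding):
    """Flatten the ASFF fields a ticketing system needs into one record."""
    return {
        "finding_id": finding["Id"],
        "account": finding["AwsAccountId"],
        "severity": finding["Severity"]["Label"],
        "title": finding["Title"],
        "compliance": finding.get("Compliance", {}).get("Status", "N/A"),
        "resources": [r["Id"] for r in finding.get("Resources", [])],
    }


def route_findings(event, expected_action="SendToTicketing"):
    """Return (tickets, logged_ids): active findings at or above the ticket threshold
    become tickets, other active findings are logged, archived findings are skipped."""
    if not is_custom_action_event(event, expected_action):
        raise ValueError("not a Security Hub custom-action event for %r" % expected_action)
    tickets, logged = [], []
    for finding in event["detail"]["findings"]:
        if finding.get("RecordState") != "ACTIVE":
            continue
        if finding["Severity"]["Label"] in TICKET_SEVERITIES:
            tickets.append(finding_to_ticket(finding))
        else:
            logged.append(finding["Id"])
    return tickets, logged


def lambda_handler(event, context=None):
    """Lambda entry point; a real deployment would post the tickets to the ticketing API here."""
    tickets, logged = route_findings(event)
    return {"tickets": tickets, "logged": logged}


if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The source and detail-type check matters because the same Lambda function can be a target of several rules; rejecting anything that is not the expected custom action keeps an unrelated event from opening tickets.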
Finding Storage
Findings are stored within Security Hub for a minimum of 30 days.
(Previously documented as 90 days; current documented behavior is 30 days.)
Regional Behavior
Security Hub receives and processes findings only for the Region where it is enabled.
Core Concepts
- Finding — A security or compliance detection.
- Insight — A grouped view of related findings based on filters and aggregation.
- Control — Safeguards that represent security requirements.
- Compliance Standard — A set of controls mapped to frameworks or benchmarks.
- Custom Action — A mechanism for sending selected findings to CloudWatch Events for workflow automation.
Compliance Check Structure
- A standard contains multiple controls.
- A control may apply to multiple resources.
- A compliance check evaluates a control against a single resource.
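The three-level structure above, as an added worked example that is not from the cheat sheet: constructed ASFF-style findings, each representing one compliance check of one control against one resource, are rolled up into per-control and per-standard status the way a compliance dashboard would show them. The GeneratorId layout follows the ruleset ARN format used by Security Hub's own CIS AWS Foundations Benchmark findings; the account number and resource ARNs are placeholders, and the roll-up rule (one failed check fails the control) is a simplification assumed here, not a statement of Security Hub's exact logic.

```python
"""Roll compliance checks up into control and standard status.

Added example, not code from the cheat sheet. A standard contains controls,
a control applies to many resources, and each finding records one check of
one control against one resource. Findings are constructed; the roll-up
rule is an assumed simplification.
"""
from collections import defaultdict

# Ruleset ARN format of Security Hub's CIS AWS Foundations Benchmark findings.
STANDARD_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"


def check(control, resource_type, resource_id, status):
    """Build a minimal constructed ASFF-style finding for one compliance check."""
    return {
        "GeneratorId": f"{STANDARD_ARN}/rule/{control}",
        "Resources": [{"Type": resource_type, "Id": resource_id}],
        "Compliance": {"Status": status},
        "RecordState": "ACTIVE",
    }


# Constructed findings: control 1.4 checked against three IAM users (one fails),
# 2.1 against the account, 2.3 against one bucket (warning), plus an archived
# finding that must not count toward the current status.
FINDINGS = [
    check("1.4", "AwsIamUser", "arn:aws:iam::111122223333:user/alice", "PASSED"),
    check("1.4", "AwsIamUser", "arn:aws:iam::111122223333:user/bob", "FAILED"),
    check("1.4", "AwsIamUser", "arn:aws:iam::111122223333:user/carol", "PASSED"),
    check("2.1", "AwsAccount", "AWS::::Account:111122223333", "PASSED"),
    check("2.3", "AwsS3Bucket", "arn:aws:s3:::example-trail-bucket", "WARNING"),
    dict(check("2.1", "AwsAccount", "AWS::::Account:111122223333", "FAILED"), RecordState="ARCHIVED"),
]


def parse_generator_id(generator_id):
    """Return (standard, version, control) from .../ruleset/<standard>/v/<version>/rule/<control>."""
    parts = generator_id.split("/")
    if len(parts) != 6 or not parts[0].endswith(":ruleset") or parts[2] != "v" or parts[4] != "rule":
        raise ValueError(f"unrecognised GeneratorId: {generator_id}")
    return parts[1], parts[3], parts[5]


def control_status(counts):
    """Assumed roll-up: any FAILED check fails the control, WARNING comes next, else PASSED."""
    if counts.get("FAILED"):
        return "FAILED"
    if counts.get("WARNING"):
        return "WARNING"
    return "PASSED"


def summarize(findings):
    """Group active checks by standard and control; report counts, status and failing resources."""
    per_control = {}
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue  # archived checks describe a past state of the resource
        standard, version, control = parse_generator_id(f["GeneratorId"])
        key = (f"{standard}/{version}", control)
        entry = per_control.setdefault(
            key, {"checks": 0, "counts": defaultdict(int), "failed_resources": []}
        )
        status = f["Compliance"]["Status"]
        entry["checks"] += 1
        entry["counts"][status] += 1
        if status == "FAILED":
            entry["failed_resources"].extend(r["Id"] for r in f["Resources"])
    summary = {}
    for (standard_key, control), entry in per_control.items():
        summary.setdefault(standard_key, {})[control] = {
            "checks": entry["checks"],
            "status": control_status(entry["counts"]),
            "failed_resources": entry["failed_resources"],
        }
    return summary


def standard_score(summary, standard_key):
    """(passed controls, total controls) for one standard, the number a dashboard shows."""
    controls = summary[standard_key]
    return sum(c["status"] == "PASSED" for c in controls.values()), len(controls)


if __name__ == "__main__":
    s = summarize(FINDINGS)
    for std, controls in s.items():
        print(std, standard_score(s, std))
        for ctl, info in sorted(controls.items()):
            print(f"  {ctl}: {info['status']} ({info['checks']} checks) {info['failed_resources']}")
```

Note that control 1.4 fails even though two of its three resources pass: the per-resource check is the unit of evaluation, and the failing resources list is what an operator actually needs to act on.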
Service-Linked Role
Uses a service-linked role allowing Security Hub to aggregate findings and configure necessary AWS Config components for compliance checks.
AWS Config must be enabled to run compliance checks.
How It Works
- Security Hub receives and processes only those findings from the same Region where you enabled Security Hub in your account.
Security
- Security Hub processes only security-related metadata and findings; it does not store customer secrets.
- Access to Security Hub data is controlled through IAM policies.
- Tag-based access control can be used to restrict or grant permissions.
- VPC endpoints can be used to keep Security Hub API traffic within the AWS network.
- Findings are retained for at least 30 days; exported findings can be stored externally if longer retention is needed.
- Security Hub leverages AWS Config for compliance checks, ensuring configuration history is preserved securely.
Use Cases
- Centralizing security findings and alerts across AWS services.
- Monitoring compliance with CIS benchmarks or other supported standards.
- Managing multi-account security posture in an organization.
- Identifying misconfigurations or insecure resource states.
- Automating remediation workflows via CloudWatch Events integrations.
- Prioritizing security issues through consolidated dashboards and insights.
AWS Security Hub Pricing
- Pricing is based on two metered components:
  - Number of compliance checks performed.
  - Number of finding ingestion events.
- Pricing is billed monthly per account per Region.
Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.
AWS Security Hub Cheat Sheet References:
https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-security-hub/
https://aws.amazon.com/security-hub/
https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html
https://aws.amazon.com/security-hub/faqs/