AWS Security Hub Configuration
Security Hub aggregates security findings from multiple AWS services into a single dashboard. It provides compliance scoring against industry standards and enables centralized security management across accounts. This guide covers configuration options, standards selection, and integration patterns.
Quick Start
Enable Security Hub with default standards:
```bash
aws securityhub enable-security-hub --enable-default-standards
```

Security Hub begins aggregating findings immediately. Default standards include AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark. See the AWS Security Hub documentation for complete feature details.
Security Standards
Security Hub supports multiple compliance frameworks:
| Standard | Controls | Use Case |
|---|---|---|
| AWS Foundational Security Best Practices | ~200 | General AWS security baseline |
| CIS AWS Foundations Benchmark v1.4.0 | ~50 | Industry-recognized compliance framework |
| CIS AWS Foundations Benchmark v1.2.0 | ~43 | Legacy compliance requirements |
| PCI DSS v3.2.1 | ~160 | Payment card industry compliance |
| NIST SP 800-53 Rev. 5 | ~200+ | Federal and government compliance |
Configuration Options
Minimal Configuration
Enable Security Hub with default standards:
```hcl
resource "aws_securityhub_account" "main" {
  enable_default_standards = true
}
```

Explicit Standards Selection
Disable defaults and subscribe to specific standards:
```hcl
resource "aws_securityhub_account" "main" {
  enable_default_standards = false
}

# Standards ARNs are region-scoped, so resolve the current region
data "aws_region" "current" {}

# CIS AWS Foundations Benchmark v1.4.0
resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

# AWS Foundational Security Best Practices
resource "aws_securityhub_standards_subscription" "fsbp" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}
```

Standards Selection Considerations
Findings Management
Security Hub aggregates findings from multiple sources:
Finding Severity Levels
Immediate action required. Active vulnerabilities or misconfigurations with significant risk.
Review within 30 days. Potential security gaps requiring attention.
Best practice recommendations. Address during regular maintenance cycles.
Compliance Scoring
Security Hub calculates compliance scores for each enabled standard:
- Score calculation: Passed controls / Total applicable controls × 100
- Control status: Passed, Failed, Unknown, Not available
- Suppressed findings: Excluded from score calculation
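The scoring rule above, applied to a handful of constructed ASFF-shaped findings (an added example, not code from the original guide or from AWS). It assumes a control is Failed if any active, non-suppressed finding is FAILED, otherwise Passed if any is PASSED, otherwise Unknown for WARNING and Not available for the rest, and that "applicable" means Passed plus Failed.

```python
"""Compliance score per the rule above: Passed / applicable controls x 100."""
from collections import defaultdict

# Constructed sample findings (not real Security Hub output); only the ASFF
# fields the calculation reads are present.
SAMPLE_FINDINGS = [
    {"Compliance": {"SecurityControlId": "S3.1", "Status": "PASSED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Compliance": {"SecurityControlId": "S3.4", "Status": "PASSED"},
     "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE"},
    {"Compliance": {"SecurityControlId": "IAM.4", "Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    # One resource passes and one fails: the control as a whole is Failed.
    {"Compliance": {"SecurityControlId": "EC2.1", "Status": "PASSED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Compliance": {"SecurityControlId": "EC2.1", "Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    # Suppressed finding: excluded from the score entirely.
    {"Compliance": {"SecurityControlId": "CloudTrail.1", "Status": "FAILED"},
     "Workflow": {"Status": "SUPPRESSED"}, "RecordState": "ACTIVE"},
    # No evaluation data: reported, but not applicable to the score.
    {"Compliance": {"SecurityControlId": "Config.1", "Status": "NOT_AVAILABLE"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
]

# Precedence when a control has several findings (assumed for this example).
STATUS_PRECEDENCE = [("FAILED", "Failed"), ("PASSED", "Passed"),
                     ("WARNING", "Unknown")]


def control_statuses(findings):
    """Map each control ID to Passed, Failed, Unknown or Not available."""
    outcomes = defaultdict(list)
    for finding in findings:
        workflow = finding.get("Workflow", {}).get("Status")
        if finding.get("RecordState") != "ACTIVE" or workflow == "SUPPRESSED":
            continue  # archived or suppressed findings never count
        compliance = finding.get("Compliance", {})
        if compliance.get("SecurityControlId"):
            outcomes[compliance["SecurityControlId"]].append(compliance.get("Status"))
    return {control: next((label for raw, label in STATUS_PRECEDENCE if raw in seen),
                          "Not available")
            for control, seen in outcomes.items()}


def compliance_score(findings):
    """Percentage of Passed among applicable (Passed + Failed) controls; None if none."""
    statuses = control_statuses(findings)
    passed = sum(1 for s in statuses.values() if s == "Passed")
    failed = sum(1 for s in statuses.values() if s == "Failed")
    return None if passed + failed == 0 else passed / (passed + failed) * 100
```

With the sample set, S3.1 and S3.4 pass, IAM.4 and EC2.1 fail, CloudTrail.1 is dropped as suppressed and Config.1 sits outside the denominator, giving 50.0.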
Multi-Account Setup
For AWS Organizations, designate a security account as the delegated administrator:
```bash
# From management account
aws securityhub enable-organization-admin-account \
  --admin-account-id 123456789012
```

The delegated administrator aggregates findings from all member accounts and manages organization-wide settings.
Recommended Architecture
- Security Account: Security Hub administrator, centralized dashboard
- Member Accounts: Auto-enrolled via Organizations integration
- Aggregation Region: Designate one region for cross-region finding aggregation
EventBridge Integration
Route high-severity findings to notification systems via EventBridge:
```json
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL", "HIGH"]
      }
    }
  }
}
```

This pattern captures CRITICAL and HIGH severity findings. Common targets include SNS for email notifications or Lambda for Slack/PagerDuty integration.
Automation Actions
Security Hub supports automated response through AWS Security Hub Automated Response and Remediation (SHARR):
- Automatic remediation of common misconfigurations
- Custom Lambda functions for organization-specific responses
- Integration with Systems Manager for EC2 remediation
Cost Considerations
Security Hub pricing is based on:
| Component | Pricing | Notes |
|---|---|---|
| Security checks | $0.0010 per check | Per account/region/month |
| Finding ingestion events | $0.00003 per event | First 10,000 events free |
| Automation rules | $0.000003 per evaluation | Rule evaluation charges |
Integration Points
Security Hub serves as the central aggregation point for AWS security services:
Next Steps
- Enable GuardDuty and AWS Config for comprehensive finding sources
- Configure EventBridge rules for high-severity notifications
- Review and suppress non-applicable controls with documented justification
- Schedule weekly compliance score reviews and remediation cycles