Building a Stronger Security Posture with AWS Security Hub

Natalia Marek - Jan 12 - - Dev Community

Security Hub is the first security service that we will explore. From a monitoring and compliance point of view, it is one of the most significant services that AWS has to offer. It continuously checks and monitors your infrastructure's compliance against the security standards that you choose or are required to meet, so you do not need external tooling to monitor compliance. In addition to monitoring, you can also configure automatic remediation, which we will delve into later in this post.

Central Management and aggregation

Security Hub allows centralised management of security findings in multi-account organisations. You can now aggregate Security Hub findings into one central management account across multiple regions and organisational units (OUs).

Setting up central configuration

This aggregation ensures that security teams can access all findings from a single place, simplifying operations and reducing the risk of oversight and limiting unauthorised access. It provides an overview of security risks across the organisation, enabling quicker response times and more efficient resource allocation.

Central configuration

This central management account can be any delegated administrator account of your choice. The primary recommendation is to use the same admin account for all security tools, and not the Organisation management account (although that is possible). In our case, we have designated the SecurityOps account as the delegated administrator.

Security Standards

Security standards are predefined frameworks that outline best practices and compliance guidelines to protect your infrastructure and data. By adhering to these standards, organisations can systematically address security risks and meet regulatory or industry-specific requirements.

Security standards that are currently available in Security Hub:

  • AWS Foundational Security Best Practices v1.0.0: Covers basic security controls for IAM, logging, and encryption.
  • CIS AWS Foundations Benchmark (Center for Internet Security): Offers prescriptive controls for organisations seeking external validation, often used for audits.
  • NIST SP 800-53 Rev. 5 (National Institute of Standards and Technology): Designed for projects requiring adherence to U.S. government security standards.
  • PCI DSS (Payment Card Industry Data Security Standard): Ensures secure handling of payment card transactions, which could be critical for e-commerce platforms.
  • AWS Resource Tagging Standard: Promotes consistent tagging to improve resource management and cost visibility.

These standards simplify compliance by offering clear guidelines tailored to various industries and use cases. For example, an online retailer might use PCI DSS to ensure secure payment processing, while a government contractor could apply NIST SP 800-53 to meet federal compliance requirements. Security Hub evolves continuously; in December 2024 alone it added 84 new controls.

Next, we will talk about how we can implement those standards across our AWS organisation.

Custom policies

You can create customised configuration policies for your central configuration. The recommended policy when first setting up Security Hub is enabling AWS Foundational Security Best Practices v1.0.0, with all controls across all accounts and any new AWS account automatically enrolled.

Central Configuration

However, you can change this and create a customised configuration policy for your organisation, applying different policies to different accounts and/or Organisational Units in AWS Organizations. There are several reasons for using custom policies on different accounts; here are some examples:

  • Different compliance requirements: For example, enabling PCI DSS only for accounts that process payments, while applying less stringent standards to development and sandbox accounts.
  • Custom control parameters: Adjusting specific checks, such as flagging only public S3 buckets storing sensitive data, instead of all public buckets.

You can enable this in the Configuration settings, under the Policies section.

Custom Policies in Security Hub

When creating a new policy, you first select which standards should be used. In this example, we have chosen three, including PCI DSS.

Custom Policies creation

Next, you can either enable all controls or enable and disable specific ones. Here we have chosen to disable two controls. In addition, you can customise how specific control parameters are evaluated.

Disabling controls in Security Hub policies

Customisation reduces noise from unnecessary alerts and focuses compliance efforts on high-priority risks. Findings and insights are tailored to our use case without having to enable standards that are unnecessary across the whole Organisation, which also saves on cost.

Automated Response and Remediation

Security Hub supports automation through:

  • Automation Rules
  • Automated Response and Remediation

With Automation Rules, you can automatically update and/or suppress findings based on criteria. This is useful for updating severity levels or suppressing findings that match defined criteria. You can set up an automation rule from a template or create a custom rule.

Let’s have a closer look at one of the templates — this one relates to elevating findings in specific production accounts. This is just a template, so we can update any values to match our requirements.

Creating automation rule

In the Criteria section, you can choose which findings the rule should apply to. One of those keys is the account ID — in this case, we would like it to apply only to the production account.

Criteria Section in Create Automation

Next, we choose what automated action will take place against the findings that match our criteria. Here, the severity will be updated to "Critical" and a note will be added stating: "A resource in production accounts is at risk. Please review ASAP."

Automated action

Any of these actions can be modified. For instance, for sandbox accounts, we can update the severity to a lower level. You can also add a user-defined field; here, we could add a key of Environment with a value of Production or Sandbox. This means that any finding originating from the production account will carry that extra field with environment information.
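The rule configured above, written out as the request body that securityhub:CreateAutomationRule accepts, together with a local dry run against a constructed ASFF finding. This is an added example, not code from the original post; the account ID, rule name and UpdatedBy value are placeholders.

```python
"""Added example (not from the original post): the 'elevate production
findings' automation rule as a CreateAutomationRule request body, plus a local
dry run of it against a constructed ASFF finding. Account ID, rule name and
UpdatedBy are placeholders."""
import copy

PROD_ACCOUNT_ID = "123456789012"  # placeholder production account ID

# Request body in the shape securityhub.create_automation_rule(**ELEVATE_PROD_RULE) accepts.
ELEVATE_PROD_RULE = {
    "RuleName": "Elevate findings in production accounts",  # placeholder name
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    # Criteria keys are ANDed; the values listed under one key are ORed.
    "Criteria": {
        "AwsAccountId": [{"Value": PROD_ACCOUNT_ID, "Comparison": "EQUALS"}],
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {"Label": "CRITICAL"},
            "Note": {"Text": "A resource in production accounts is at risk. Please review ASAP.",
                     "UpdatedBy": "sechub-automation"},
            "UserDefinedFields": {"Environment": "Production"},
        },
    }],
}

def matches(rule, finding):
    """True when the finding satisfies the AwsAccountId criteria (EQUALS / NOT_EQUALS)."""
    for check in rule["Criteria"].get("AwsAccountId", []):
        hit = finding.get("AwsAccountId") == check["Value"]
        if (check["Comparison"] == "EQUALS") == hit:  # EQUALS wants a hit, NOT_EQUALS a miss
            return True
    return not rule["Criteria"]  # an empty criteria block applies to every finding

def apply_rule(rule, finding):
    """Dry run: return a copy of the finding with the rule's field updates applied."""
    if not matches(rule, finding):
        return finding  # unchanged object, so callers can see nothing happened
    updated = copy.deepcopy(finding)
    for action in rule["Actions"]:
        fields = action["FindingFieldsUpdate"]
        if "Severity" in fields:
            updated.setdefault("Severity", {}).update(fields["Severity"])
        if "Note" in fields:
            updated["Note"] = dict(fields["Note"])
        if "UserDefinedFields" in fields:
            updated.setdefault("UserDefinedFields", {}).update(fields["UserDefinedFields"])
    return updated
```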

Automated Response and Remediation involves triggering remediation actions through integrations such as AWS Lambda, EC2 Run Command, Step Functions, pushing messages to an SNS topic, or sending findings to third-party tools or chat channels. Security Hub sends findings to EventBridge automatically and in near real time, which is what triggers these actions.

For example, when a control detects a publicly accessible S3 bucket, a Lambda function can automatically restrict access. Another example is isolating compromised EC2 instances automatically.

AWS offers a set of templates for cross-account automated responses and remediation that can be deployed using CloudFormation. You can explore this solution here: Automated Security Response on AWS.
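The public S3 bucket remediation mentioned above, as an added example that is not part of the original post or of the AWS solution it links to: an EventBridge event pattern for FAILED S3 control findings and a Lambda handler that applies Block Public Access to each offending bucket. The sample event is constructed, and the S3 client is injectable so the logic can be exercised without AWS credentials.

```python
"""Added example (not from the original post): a Lambda handler for the
public-S3-bucket remediation described above. The event below is constructed,
and the S3 client is injectable so the logic runs without AWS credentials."""

# EventBridge rule pattern that would route matching findings to this function.
# Nested keys match across the findings array; the rule itself is created outside the Lambda.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Compliance": {"Status": ["FAILED"]},
                            "Resources": {"Type": ["AwsS3Bucket"]}}},
}

# Bucket-level Block Public Access settings applied as the remediation.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed sample event: one FAILED and one PASSED S3 control finding.
SAMPLE_EVENT = {"detail": {"findings": [
    {"Id": "constructed-1", "Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}]},
    {"Id": "constructed-2", "Compliance": {"Status": "PASSED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-private-bucket"}]},
]}}

def buckets_to_remediate(event):
    """Bucket names from AwsS3Bucket resources of findings whose compliance status is FAILED."""
    names = set()
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue  # PASSED / WARNING / NOT_AVAILABLE findings need no remediation
        for res in finding.get("Resources", []):
            arn = res.get("Id", "")
            if res.get("Type") == "AwsS3Bucket" and arn.startswith("arn:aws:s3:::"):
                names.add(arn[len("arn:aws:s3:::"):])
    return sorted(names)

def lambda_handler(event, context=None, s3=None):
    """Apply Block Public Access to every offending bucket; report what was changed."""
    if s3 is None:
        import boto3  # imported lazily so the handler is testable without boto3 installed
        s3 = boto3.client("s3")
    remediated = []
    for bucket in buckets_to_remediate(event):
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
        remediated.append(bucket)
    return {"remediated": remediated}
```

The Lambda's execution role needs s3:PutBucketPublicAccessBlock on the target buckets; in a multi-account setup the function would additionally assume a role in the member account before acting.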

Security Hub Dashboards, Insights and Integrations

Dashboard

The Security Hub dashboard provides a customisable summary of your security posture, highlighting key metrics such as open findings by severity, compliance scores, or resource distribution across regions and accounts. This helps security teams quickly identify trends, track remediation progress, and focus on critical issues. Over time, the dashboard reveals whether compliance and security efforts are improving or require additional attention.

Insights

Security Hub also offers insights: predefined or customisable views and filters that help organisations focus on specific security findings. For instance, you can filter findings by severity, AWS resources with the most findings, account type, S3 buckets with public write or read permissions, and so on.

Insights

You can also create your own insight or filter to quickly access findings that are a priority for your Organisation.

Integrations

Security Hub integrates with other AWS security services such as GuardDuty, Macie, Inspector and IAM Access Analyzer, feeding their findings directly into the dashboard. You can also integrate third-party services such as Splunk, PagerDuty, Sumo Logic and Palo Alto Networks. For better visibility, you can add widgets like Latest Findings from AWS Integrations to the dashboard, centralising all critical information in one place.

Additionally, Security Hub supports custom integrations, allowing you to connect security products not listed above. Using the Security Hub custom providers API, you can send findings from other security tools or workflows into Security Hub. This gives a unified and comprehensive view of security across both AWS-native and custom solutions, tailored to your requirements.

Conclusion

Security Hub has come a long way since it was first released, evolving into a powerful tool for managing and automating security in AWS environments. With regular updates such as the addition of new controls and enhanced integrations, it is clear that Security Hub is only getting better. Its ability to centralise findings, customise compliance, and automate responses keeps improving, making it an important consideration for securing your AWS infrastructure.

Useful resources and training about Security Hub:
