AWS Security Hub is a service that helps you manage your security posture across your AWS accounts. It aggregates security alerts and findings from various AWS services and third-party security tools, providing a comprehensive view of your security status.

Let’s see Security Hub in action. Imagine you have an S3 bucket that’s publicly accessible, which is a common security misconfiguration.

```json
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:us-east-1::finding/aws/S3BucketPublicReadExample",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
  "GeneratorId": "aws-foundational-security-best-practices/v/v1.0/S3_BUCKET_PUBLIC_READ_PROHIBITED",
  "AwsAccountId": "123456789012",
  "Region": "us-east-1",
  "Partition": "aws",
  "Severity": {
    "Product": 70,
    "Normalized": 70,
    "Label": "HIGH"
  },
  "Title": "S3 bucket is publicly readable",
  "Description": "The S3 bucket is publicly readable. This means that any user on the internet can read objects from this bucket.",
  "Resources": [
    {
      "Type": "AwsS3Bucket",
      "Id": "arn:aws:s3:::my-insecure-bucket",
      "Partition": "aws",
      "Region": "us-east-1",
      "Details": {
        "AwsS3Bucket": {
          "OwnerId": "example-bucket-owner-id",
          "Arn": "arn:aws:s3:::my-insecure-bucket",
          "Name": "my-insecure-bucket",
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": false,
            "IgnorePublicAcls": false,
            "BlockPublicPolicy": false,
            "RestrictPublicBuckets": false
          }
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "NIST-800-53-CM-6",
      "CIS-BENCHMARK-S3-BUCKET-LEVEL-1-4"
    ]
  },
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "CreatedAt": "2023-10-27T10:00:00Z",
  "UpdatedAt": "2023-10-27T10:00:00Z"
}
```

This JSON is a finding in the AWS Security Finding Format (ASFF), as generated by Security Hub. It tells us that the bucket my-insecure-bucket in us-east-1 is publicly readable, a HIGH severity finding. The PublicAccessBlockConfiguration section shows that all four public access block settings are disabled, and Compliance.Status FAILED records that the check did not pass. The GeneratorId shows that Security Hub produced this finding from the S3_BUCKET_PUBLIC_READ_PROHIBITED control of the AWS Foundational Security Best Practices (FSBP) standard.

Security Hub’s core purpose is to centralize and organize security findings. Instead of logging into each AWS service (like S3, EC2, IAM) or each third-party tool (like CrowdStrike, Palo Alto Networks) to check for issues, you get a single pane of glass. It also normalizes findings, meaning it translates findings from different sources into a common format, making them easier to understand and act upon. Furthermore, it allows you to automatically trigger actions based on these findings, like sending them to a ticketing system or initiating remediation workflows.

You can enable various security standards within Security Hub, such as AWS Foundational Security Best Practices (FSBP), CIS Benchmarks, and PCI DSS. When enabled, Security Hub continuously runs checks against your AWS environment to ensure compliance with these standards. For example, FSBP includes checks for common misconfigurations like publicly accessible S3 buckets, unencrypted EBS volumes, or overly permissive IAM policies.

The levers you control are primarily the standards you enable and the integrations you configure. You can enable or disable specific controls within a standard, tailor severity levels, and set up integrations with services like Amazon EventBridge to automate responses. For instance, you can configure EventBridge to trigger a Lambda function whenever a "HIGH" severity finding related to S3 buckets is generated, which could then automatically apply public access block settings to the offending bucket.
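The EventBridge-to-Lambda remediation described above, as an added example that is not code from the original page or from AWS: the rule pattern that selects HIGH/CRITICAL S3 findings from Security Hub's "findings imported" events, and a handler that re-checks each finding's PublicAccessBlockConfiguration before calling put_public_access_block. Narrowing the pattern to S3 and to HIGH/CRITICAL is our choice, the injectable `s3` client is there so the logic can be exercised without AWS credentials, and SAMPLE_EVENT is a constructed copy of the page's finding.

```python
# EventBridge rule pattern that invokes this Lambda (narrowing to S3 and HIGH/CRITICAL is our choice)
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]},
                            "Resources": {"Type": ["AwsS3Bucket"]},
                            "RecordState": ["ACTIVE"]}},
}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def buckets_to_remediate(event):
    """Buckets from ACTIVE, HIGH/CRITICAL AwsS3Bucket findings that still allow public access."""
    names = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("RecordState") != "ACTIVE":
            continue
        if finding.get("Severity", {}).get("Label") not in ("HIGH", "CRITICAL"):
            continue
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsS3Bucket":
                continue
            bucket = res.get("Details", {}).get("AwsS3Bucket", {})
            pab = bucket.get("PublicAccessBlockConfiguration", {})
            if all(pab.get(k) is True for k in BLOCK_ALL):
                continue  # already locked down, nothing to change
            name = bucket.get("Name") or res["Id"].rsplit(":::", 1)[-1]  # ARN suffix fallback
            if name not in names:
                names.append(name)
    return names

def handler(event, context=None, s3=None):
    """Lambda entry point; `s3` is injectable so the logic can be exercised offline."""
    if s3 is None:
        import boto3  # assumption: boto3 is available in the Lambda runtime
        s3 = boto3.client("s3")
    remediated = []
    for name in buckets_to_remediate(event):
        s3.put_public_access_block(Bucket=name, PublicAccessBlockConfiguration=BLOCK_ALL)
        remediated.append(name)
    return {"remediated": remediated}

# Constructed sample event: the page's finding, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"detail": {"findings": [{"Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE",
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::my-insecure-bucket",
                   "Details": {"AwsS3Bucket": {"Name": "my-insecure-bucket",
                   "PublicAccessBlockConfiguration": {"BlockPublicAcls": False,
                   "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}}}]}]}}
```

The Lambda's execution role needs s3:PutBucketPublicAccessBlock on the buckets it may touch; re-checking the configuration inside the handler keeps a replayed or stale event from issuing needless writes.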

The surprising thing about Security Hub is how it can act as a central nervous system for your cloud security operations. It doesn’t just report; it orchestrates. By integrating with EventBridge and Lambda, you can build sophisticated automated remediation playbooks that react to security events in near real-time, significantly reducing your mean time to respond (MTTR) for common security issues without manual intervention.

If you’re using Security Hub and have found that some findings aren’t appearing, the next thing you’ll want to investigate is how Security Hub’s integration with other AWS services works and what permissions are required for it to pull those findings.
