350+
Security controls checked by AWS Security Hub across CIS, FSBP, and PCI DSS standards
100%
Of AWS accounts in an Organization can be auto-enrolled via delegated administrator without per-account configuration
90 days
Default Security Hub finding retention period before automatic deletion
60+
Third-party integrations available in Security Hub including Splunk, Palo Alto, and CrowdStrike

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

AWS Security Hub is the control plane your multi-account AWS environment needs but rarely has properly configured. Most teams enable it in their primary account, glance at the dashboard once, and leave it without cross-account aggregation, standards activation, or any remediation automation. The result: a compliance theater dashboard that shows findings no one acts on. This guide covers the practitioner path from zero to an operational Security Hub deployment: Organizations-based auto-enrollment, delegated admin configuration, security standard activation, cross-region aggregation, ASFF-based EventBridge automation, and suppression workflows to cut dashboard noise.

Enable Security Hub via AWS Organizations with a Delegated Administrator

The production-ready Security Hub architecture uses a dedicated security tooling account as the delegated administrator rather than the management (root) account. This separates security visibility from billing and organization management.

Designate the security account as delegated admin

From the AWS Organizations management account, run: `aws securityhub enable-organization-admin-account --admin-account-id <security-account-id>`. This grants the security account permission to view findings and manage Security Hub configuration across all member accounts without needing access to those accounts' IAM or resources.

Auto-enroll new accounts

In the delegated admin account, enable auto-enrollment: `aws securityhub update-organization-configuration --auto-enable`. This ensures any new AWS account created in the Organization automatically gets Security Hub enabled and its findings sent to the security account within minutes of account creation.

Configure cross-region aggregation

In the delegated admin account, go to Security Hub settings > Regions and designate your primary Region as the aggregation Region. Link all other Regions where workloads run. Findings from us-west-2, eu-west-1, and ap-southeast-1 will replicate to your aggregation Region dashboard -- no need to switch Region tabs to see the full picture.

Enable member accounts in bulk

For existing accounts not yet enrolled, use the Security Hub console's Accounts page to select all unmanaged accounts and choose 'Enable Security Hub.' For large Organizations, use the aws-security-hub-multi-account-scripts project on GitHub to automate bulk enablement via boto3 across hundreds of accounts simultaneously.

Activate and Prioritize Security Standards

Security Hub's value comes from its automated compliance checks. The CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices (FSBP) standards cover the most impactful controls for AWS environments.

Enable FSBP as your baseline standard

[AWS Foundational Security Best Practices](/blog/aws-security-best-practices-guide) is the most actionable standard for AWS environments. Enable it in the delegated admin account: `aws securityhub batch-enable-standards --standards-subscription-requests StandardsArn=arn:aws:securityhub:::ruleset/aws-foundational-security-best-practices/v/1.0.0`. It activates in all member accounts automatically. Focus initial remediation on CRITICAL and HIGH severity findings in the IAM, EC2, S3, and RDS categories.

Layer CIS Benchmark v1.4 or v3.0

CIS Benchmark provides a widely recognized external compliance framework. Enable CIS v1.4 for existing environments or v3.0 for new deployments. Note: some CIS controls require AWS Config rules that generate costs -- review the Config pricing impact before enabling in all accounts. CIS v3.0 added new controls for S3 Block Public Access at account level and EC2 IMDSv2 enforcement that are particularly high value.

Disable controls that don't apply

Use Security Hub's control disable feature to suppress entire control classes that are handled by other compensating controls or don't apply to your architecture. For example, if all EC2 instances run in private subnets with no public IPs, you can disable the 'EC2 instances should not have a public IPv4 address' control after documenting the exception rather than letting it generate perpetual noise. Use AWS Config tags to scope controls to specific account types.

Track security score trends

Security Hub's Summary dashboard shows your organization-wide security score per standard. Export these metrics to CloudWatch via EventBridge: create a rule that fires when SecurityHubFindingsImported events occur and publishes the current compliance summary to a CloudWatch dashboard. This lets you track score changes over time and correlate remediation sprints to score improvements in sprint retrospectives.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Integrate GuardDuty, Inspector, and Macie Findings

Security Hub becomes most valuable when it aggregates findings from multiple detection services. GuardDuty, Inspector v2, and Macie all support native Security Hub integration that requires only enabling the integration in the delegated admin account.

Enable GuardDuty integration

In the GuardDuty delegated admin account (ideally the same security tooling account as Security Hub), enable the Security Hub integration under GuardDuty Settings > Integrations. All GuardDuty findings automatically appear in Security Hub as ASFF findings within 5 minutes of detection. GuardDuty findings flow to Security Hub at no additional cost beyond GuardDuty's own pricing.

Enable AWS Inspector v2 integration

Inspector v2 sends vulnerability findings (software CVEs on EC2, Lambda layers, and ECR images) to Security Hub via native integration. Enable under Inspector Settings > General > Security Hub. Inspector findings include CVSS scores, package paths, and remediation links, making them directly actionable from the Security Hub console without switching between services.

Enable Macie for S3 sensitive data findings

Amazon Macie discovers sensitive data (PII, financial data, credentials) in S3 buckets and sends findings to Security Hub. Enable the integration under Macie Settings > Security Hub. Macie findings appear with a `Software and Configuration Checks/AWS Security Best Practices` finding type prefix, distinguishing them from threat findings. High-severity Macie findings (unencrypted S3 bucket with credit card numbers) should trigger immediate notification workflows.

Connect third-party tools via ASFF

For non-AWS security tools (CrowdStrike Falcon, Palo Alto Prisma, Wiz -- see [CSPM vendor selection guide](/blog/guide-finding-best-cloud-security-posture-management-tools)), enable their Security Hub integrations in the Integrations marketplace. Each integration sends findings in ASFF format, meaning your EventBridge automation, SIEM export, and suppression workflows work identically for third-party findings as for native AWS findings. The Security Hub console shows which integrations are active and their finding counts.

Automate Finding Remediation with EventBridge

Security Hub findings sitting in a dashboard without action are wasted signal. EventBridge integration turns findings into automated workflows.

Create EventBridge rules for critical findings

Create an EventBridge rule matching `aws.securityhub` source with `Security Hub Findings - Imported` detail type, filtering for `detail.findings[0].Severity.Label` equal to CRITICAL. Route these to a Lambda function that posts to your security Slack channel and creates a JIRA or ServiceNow ticket with the ASFF finding detail. This ensures CRITICAL findings get human attention within minutes, not days.

Use Security Hub custom actions for analyst workflows

Custom actions let analysts trigger EventBridge events for selected findings from the Security Hub console. Create a 'Send to IR Team' custom action that routes to a Lambda function creating an incident in your IR platform. Create an 'Acknowledged' custom action that updates the WorkflowStatus to NOTIFIED. This gives analysts actionable buttons in the Security Hub UI rather than requiring them to switch to other tools.

Deploy AWS SHARR for automated remediation

AWS Security Hub Automated Response and Remediation (SHARR) is an open-source solution that provides Lambda-based remediators for common FSBP and CIS findings. For example, the S3.4 remediator automatically enables S3 server-side encryption when that finding triggers. Deploy SHARR via CloudFormation in your security account and configure which findings should trigger automatic remediation versus human-reviewed remediation.

Export Findings to Your SIEM

Security Hub should feed your SIEM for long-term retention and correlation, not replace it.

Stream findings to S3 for SIEM ingestion

Create an EventBridge rule that routes all Security Hub findings to a Kinesis Data Firehose delivery stream that writes to an S3 bucket. Configure your SIEM (Splunk, Elastic, Sentinel) to ingest from that S3 bucket using its native S3 connector. This gives you ASFF findings in your SIEM with 90+ days of retention (beyond Security Hub's own retention window) and enables cross-source correlation with non-AWS findings.

Use Security Hub Findings export for compliance evidence

Security Hub's compliance score reports can be exported as JSON via the API: `aws securityhub get-compliance-summary --output json`. Schedule this as a Lambda function that runs monthly and stores the compliance summary to S3. Auditors can retrieve these snapshots as evidence of ongoing compliance posture without needing AWS console access.

The bottom line

AWS Security Hub without multi-account aggregation and remediation automation is a compliance scorecard nobody uses. The delegated administrator model, cross-region aggregation, FSBP plus CIS standards, and EventBridge-driven remediation are what convert Security Hub from a dashboard into an operational security control. Configure it once at the Organization level and every new account benefits automatically. For the ASFF field reference and custom finding integration, see the AWS Security Hub ASFF schema guide.

Frequently asked questions

What is the difference between AWS Security Hub and GuardDuty?

GuardDuty is a threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs to identify active threats using machine learning. Security Hub is an aggregation and compliance layer: it ingests findings from GuardDuty (and 60+ other sources), runs automated compliance checks against security standards, and provides a unified dashboard. You need both: GuardDuty for runtime threat detection, Security Hub for posture management and findings consolidation.

How does Security Hub pricing work?

Security Hub pricing has two components: security checks (charged per check per account per month, with a 90-day free trial) and finding ingestion (charged per finding above 10,000/month free tier). The CIS and FSBP standards together run approximately 350 checks. For a 50-account Organization, expect roughly $150-400/month depending on check volume. Enabling the free trial in all accounts before committing is recommended.

Can Security Hub aggregate findings across AWS regions?

Yes. Security Hub supports cross-region aggregation where you designate a single aggregation Region and link other Regions to it. Linked Regions replicate their findings and compliance statuses to the aggregation Region. The delegated administrator account in the aggregation Region then sees findings from all linked Regions and all member accounts in one view. Cross-region aggregation must be configured separately from the delegated admin setup.

What is ASFF and why does it matter?

ASFF (Amazon Security Finding Format) is Security Hub's standardized JSON schema for findings. All integrated services normalize their alerts into ASFF before sending to Security Hub, which means GuardDuty findings, Inspector vulnerability reports, and Macie data alerts all use the same field structure. This lets you write EventBridge rules, Lambda automations, and SIEM mappings against a single schema rather than parsing each service's unique alert format.

How do you suppress false positive findings in Security Hub?

Use finding suppression workflows: set the finding's WorkflowStatus to SUPPRESSED via the Security Hub console, CLI, or EventBridge automation. Suppressed findings are hidden from the default dashboard view but retained for audit purposes. For organization-wide suppressions of known false positives (e.g., a control that doesn't apply to your environment), use Security Hub's automated finding suppression rules that match findings by criteria like GeneratorId, Title, or RecordState.

What security standards should you enable in Security Hub?

Start with AWS Foundational Security Best Practices (FSBP) as the baseline -- it covers the most impactful AWS-native controls without prescribing OS-level configurations. Add CIS AWS Foundations Benchmark v1.4 or v3.0 for a widely recognized compliance baseline. Enable PCI DSS v3.2.1 only if you handle cardholder data. Enabling all three simultaneously is fine -- Security Hub deduplicates overlapping controls in the consolidated score view.

How do you remediate Security Hub findings automatically?

Create EventBridge rules that match specific ASFF finding types and trigger Lambda functions or Step Functions. For example: a rule matching `aws/securityhub` source with detail.findings[0].GeneratorId containing 'iam-1' (root MFA disabled) can trigger a Lambda that sends an alert to the security team Slack channel and creates a ServiceNow ticket. AWS publishes automated remediation runbooks in the Security Hub Automated Response and Remediation (SHARR) solution on GitHub that cover the top FSBP and CIS findings.

Sources & references

  1. AWS Security Hub User Guide
  2. CIS AWS Foundations Benchmark v3.0 Controls
  3. AWS Foundational Security Best Practices Standard
  4. Security Hub Multi-Account Management

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.