
AWS Security Hub Tutorial: Centralized Security for Multi-Service AWS

How a logistics company's $8.4M security breach could have been prevented with proper Security Hub configuration across 47 AWS services

🚨 The $8.4 Million Security Alert Catastrophe

In April 2025, a logistics company discovered a sophisticated multi-stage attack that had been active for 127 days across their AWS infrastructure. The attackers leveraged compromised EC2 instances to pivot through 47 different AWS services, exfiltrating customer shipping data, financial records, and operational intelligence.

$8.4M in total damages, including regulatory fines, customer compensation, forensic investigation, and business disruption.

The critical failure? Security alerts from GuardDuty, Inspector, Config, and 12 other security services were scattered across different consoles. The SOC team missed 847 critical alerts because they had no centralized security monitoring system to correlate findings and prioritize threats.

91% of organizations lack centralized security monitoring
847 average security alerts per day in enterprise AWS
47 AWS services generating security findings
73% reduction in mean time to detection with Security Hub

🎯 Want Our Complete 20-Point AWS Security Checklist?

Security Hub is just one piece of comprehensive AWS security. Get our battle-tested checklist that covers all critical AWS security configurations, used by 500+ companies to prevent security incidents.

🎯 Why Scattered Security Alerts Create Critical Blind Spots

Modern AWS environments generate security findings from dozens of sources. Without centralized aggregation and correlation, even the most vigilant security teams face an impossible challenge: manually monitoring disparate systems while attackers move laterally through your infrastructure.

The 47 AWS Services Security Hub Monitors

Amazon GuardDuty
AWS Inspector
AWS Config
AWS Macie
AWS IAM Access Analyzer
Amazon Detective
AWS Systems Manager
AWS Firewall Manager
AWS Well-Architected Tool
AWS Trusted Advisor
AWS CloudFormation
AWS Health
AWS Control Tower
AWS Security Lake
AWS CloudTrail
AWS Shield
AWS Certificate Manager
AWS Secrets Manager
AWS KMS
AWS EC2
AWS S3
AWS RDS
AWS Lambda
AWS ECS
AWS EKS
AWS RedShift
AWS DynamoDB
AWS SQS
AWS SNS
AWS CloudWatch
+ 17 more services
⚠️ Critical Insight: According to the 2025 AWS Security Report, organizations using Security Hub detect security incidents 73% faster and reduce false positives by 89% compared to those managing alerts manually across individual service consoles.

The Three Most Dangerous Security Alert Gaps

1. Alert Fatigue and Critical Finding Suppression

Security teams receive thousands of low-priority alerts daily from Config, Inspector, and other services. Without proper correlation and prioritization, critical threats get buried in noise, leading to delayed response times that attackers exploit for lateral movement.

2. Lack of Cross-Service Attack Pattern Recognition

Modern attacks span multiple AWS services. An attacker might compromise an EC2 instance (GuardDuty alert), escalate privileges (IAM Access Analyzer finding), access S3 buckets (Macie detection), and exfiltrate data (VPC Flow Logs). Without correlation, each appears as an isolated incident.

3. Compliance Blind Spots Across Standards

Organizations must comply with multiple frameworks (SOC 2, PCI DSS, NIST, CIS). Manual compliance checking across 47+ services is error-prone and creates audit failures that result in regulatory fines and customer trust erosion.
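The second gap above is the one a detection engineer can actually code against: findings that each look minor in their own console become an incident once they are viewed together per account and per time window. The following is an added example (written for this page, not code from AWSight or AWS) of that correlation step over constructed, ASFF-shaped findings; the two-hour window, the "three distinct products" threshold, and the escalation to CRITICAL are assumptions chosen for illustration, and the field names follow the AWS Security Finding Format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, ASFF-shaped sample findings (not real alerts). Three products fire in
# account 111122223333 within 75 minutes; account 444455556666 has one isolated Config finding.
SAMPLE_FINDINGS = [
    {"Id": "f1", "AwsAccountId": "111122223333", "ProductName": "GuardDuty",
     "Title": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}],
     "CreatedAt": "2025-04-01T10:00:00Z"},
    {"Id": "f2", "AwsAccountId": "111122223333", "ProductName": "IAM Access Analyzer",
     "Title": "Role grants broader access than used", "Severity": {"Label": "MEDIUM"},
     "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::111122223333:role/app-role"}],
     "CreatedAt": "2025-04-01T10:40:00Z"},
    {"Id": "f3", "AwsAccountId": "111122223333", "ProductName": "Macie",
     "Title": "SensitiveData:S3Object/Personal", "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::customer-shipments"}],
     "CreatedAt": "2025-04-01T11:15:00Z"},
    {"Id": "f4", "AwsAccountId": "444455556666", "ProductName": "Config",
     "Title": "S3.8 S3 Block Public Access should be enabled", "Severity": {"Label": "LOW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::dev-scratch"}],
     "CreatedAt": "2025-04-01T10:05:00Z"},
]


def _ts(finding):
    # ASFF timestamps are ISO 8601 with a trailing Z
    return datetime.fromisoformat(finding["CreatedAt"].replace("Z", "+00:00"))


def correlate_by_account(findings, window=timedelta(hours=2), min_products=3):
    """Return {account_id: [finding ids]} for every account in which at least
    `min_products` distinct products produced findings inside one `window`."""
    by_account = defaultdict(list)
    for f in findings:
        by_account[f["AwsAccountId"]].append(f)

    chains = {}
    for account, fs in by_account.items():
        fs.sort(key=_ts)
        # slide a window forward from each finding; the first dense cluster wins
        for i, start in enumerate(fs):
            in_window = [f for f in fs[i:] if _ts(f) - _ts(start) <= window]
            if len({f["ProductName"] for f in in_window}) >= min_products:
                chains[account] = [f["Id"] for f in in_window]
                break
    return chains


def triage_severity(findings, chains):
    """Findings that belong to a chain are escalated to CRITICAL for triage;
    everything else keeps the severity its product assigned."""
    chained = {fid for ids in chains.values() for fid in ids}
    return {f["Id"]: "CRITICAL" if f["Id"] in chained else f["Severity"]["Label"]
            for f in findings}


if __name__ == "__main__":
    chains = correlate_by_account(SAMPLE_FINDINGS)
    print(chains)
    print(triage_severity(SAMPLE_FINDINGS, chains))
```

Run against the sample set, the three findings in account 111122223333 (GuardDuty, IAM Access Analyzer, Macie) form one chain and are raised to CRITICAL, while the lone Config finding in the other account keeps its LOW severity. In production the same logic would run over `get_findings` output and feed `batch_update_findings`; the window and threshold are the tuning knobs.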

The True Cost of Security Alert Chaos

Average Annual Cost of Poor Security Monitoring:

Security analyst time (manual alert review): $340,000
Mean time to detection (increased incident cost): $890,000
Compliance audit failures and remediation: $175,000
False positive investigation overhead: $220,000
Missed critical alerts (average breach impact): $4,200,000
Total Annual Risk: $5,825,000
1. Enable Security Hub Across Your Organization (8 minutes)

Prerequisites:

  • AWS Organizations with centralized management enabled
  • Administrative access to the management account
  • AWS Config enabled in all target regions (Security Hub requirement)
  • Permissions: SecurityHubFullAccess and OrganizationsFullAccess

Organization-Wide Setup:

1.1 Designate Security Hub Administrator

First, designate a delegated administrator account that will manage Security Hub across your organization. Security Hub expects this designation to be made through its own EnableOrganizationAdminAccount API (aws securityhub enable-organization-admin-account, run from the management account), which registers the delegated administrator with AWS Organizations on your behalf; the Organizations commands below show what that registration is and how to verify it:

# Set delegated administrator for Security Hub
aws organizations register-delegated-administrator \
    --account-id 123456789012 \
    --service-principal securityhub.amazonaws.com

# Verify the delegation
aws organizations list-delegated-administrators \
    --service-principal securityhub.amazonaws.com

1.2 Enable Security Hub with Central Configuration

From the delegated administrator account, enable Security Hub across all accounts and regions. Central configuration requires cross-Region aggregation to already be enabled in the home Region, so if the create-configuration-policy call below is rejected for that reason, complete step 1.4 first and retry:

# Enable Security Hub in the administrator account
aws securityhub enable-security-hub \
    --enable-default-standards \
    --region us-east-1

# Create central configuration policy for the organization.
# Standards are referenced by their real ARNs (the FSBP and PCI DSS ARNs are
# Region-specific, the CIS 1.2.0 ARN is global), and SecurityControlCustomParameters
# sits under SecurityControlsConfiguration in the policy schema.
aws securityhub create-configuration-policy \
    --name "AWSight-Security-Standard-Policy" \
    --description "Centralized Security Hub configuration for all accounts" \
    --configuration-policy '{
      "SecurityHub": {
        "ServiceEnabled": true,
        "EnabledStandardIdentifiers": [
          "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
          "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
          "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"
        ],
        "SecurityControlsConfiguration": {
          "DisabledSecurityControlIdentifiers": [],
          "SecurityControlCustomParameters": []
        }
      }
    }'

1.3 Apply Configuration to Organization

  • Navigate to Security Hub console in the delegated administrator account
  • Go to Settings → General → Configuration policies
  • Select "AWSight-Security-Standard-Policy"
  • Click "Associate targets"
  • Select "Root" to apply to entire organization
  • Choose all AWS regions where you have resources
  • Click "Associate"

1.4 Configure Cross-Region Aggregation

Set up finding aggregation to centralize security data from all regions:

# Set up cross-Region aggregation (run in the Region you want as the home/aggregation Region).
# With ALL_REGIONS a --regions list is not accepted; use SPECIFIED_REGIONS or
# ALL_REGIONS_EXCEPT_SPECIFIED when you need an explicit Region list.
aws securityhub create-finding-aggregator \
    --region us-east-1 \
    --region-linking-mode ALL_REGIONS

# Verify aggregation is active
aws securityhub get-finding-aggregator \
    --finding-aggregator-arn arn:aws:securityhub:us-east-1:123456789012:finding-aggregator/12345678-1234-1234-1234-123456789012
✅ Security Hub Enabled! All accounts in your organization now have Security Hub active with standardized security controls and centralized finding aggregation.
⚠️ Important: Security Hub requires AWS Config to be enabled for compliance checks. The service-linked Config rules created by Security Hub are free, but standard Config charges apply for configuration item recording.
2. Configure Compliance Standards and Controls (5 minutes)

Security Hub supports multiple compliance frameworks. Configure the standards most relevant to your industry and security requirements.

Enable Core Security Standards:

2.1 AWS Foundational Security Best Practices (FSBP)

This is AWS's core security standard with 100+ controls across all major AWS services:

# Enable AWS Foundational Security Best Practices (the standard ARN is Region-specific)
aws securityhub batch-enable-standards \
    --standards-subscription-requests '[{
      "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
    }]'

# List all available controls in FSBP
aws securityhub describe-standards-controls \
    --standards-subscription-arn arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0

2.2 CIS AWS Foundations Benchmark

Industry-standard baseline security configuration based on Center for Internet Security guidelines:

# Enable CIS AWS Foundations Benchmark v1.2.0 (this ARN has no Region component)
aws securityhub batch-enable-standards \
    --standards-subscription-requests '[{
      "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
    }]'

2.3 PCI DSS (For Payment Processing)

If you handle payment card data, enable PCI DSS compliance monitoring:

# Enable PCI DSS standard (Region-specific ARN)
aws securityhub batch-enable-standards \
    --standards-subscription-requests '[{
      "StandardsArn": "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"
    }]'

2.4 Configure Critical Control Priorities

Customize specific controls based on your risk tolerance:

# Disable non-critical controls to reduce noise (example)
aws securityhub update-standards-control \
    --standards-control-arn "arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/S3.8" \
    --control-status DISABLED \
    --disabled-reason "Not applicable to our architecture"

# Inspect per-resource results for the Config rule behind a control. This is a Config
# API (aws configservice, not aws securityhub); the rules Security Hub creates carry a
# generated suffix after the name shown here, so look up the exact name with
# describe-config-rules first.
aws configservice get-compliance-details-by-config-rule \
    --config-rule-name securityhub-s3-bucket-public-access-prohibited
✅ Standards Configured! Security Hub is now performing automated compliance checks against industry frameworks and generating findings for any misconfigurations.
3. Set Up Finding Aggregation and Filtering (7 minutes)

Configure intelligent finding aggregation to reduce alert fatigue and focus on critical security issues.

Configure Finding Filters and Insights:

3.1 Create Custom Insights for Threat Prioritization

Insights group related findings to identify attack patterns and priority areas:

# Create insight for critical internet-facing vulnerabilities
aws securityhub create-insight \
    --name "Critical Internet-Facing Resources" \
    --filters '{
      "SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}],
      "ResourceType": [
        {"Value": "AWS::EC2::Instance", "Comparison": "EQUALS"},
        {"Value": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Comparison": "EQUALS"}
      ],
      "NetworkDirection": [{"Value": "IN", "Comparison": "EQUALS"}]
    }' \
    --group-by-attribute "ResourceType"

# Create insight for privilege escalation risks
aws securityhub create-insight \
    --name "IAM Privilege Escalation Risks" \
    --filters '{
      "ProductName": [{"Value": "IAM Access Analyzer", "Comparison": "EQUALS"}],
      "SeverityLabel": [
        {"Value": "HIGH", "Comparison": "EQUALS"},
        {"Value": "CRITICAL", "Comparison": "EQUALS"}
      ]
    }' \
    --group-by-attribute "ResourceId"

3.2 Set Up Automated Finding Suppression

Use automation rules to suppress known false positives and low-priority findings:

# Create automation rule to suppress dev environment low-severity findings.
# The CLI parameter is --rule-name (not --name), --rule-order is required and
# decides evaluation order, and each action carries a Type.
aws securityhub create-automation-rule \
    --rule-name "Suppress-Dev-Low-Severity" \
    --rule-order 1 \
    --description "Auto-suppress low severity findings in development accounts" \
    --criteria '{
      "SeverityLabel": [{"Value": "LOW", "Comparison": "EQUALS"}],
      "AwsAccountId": [{"Value": "111122223333", "Comparison": "EQUALS"}]
    }' \
    --actions '[{
      "Type": "FINDING_FIELDS_UPDATE",
      "FindingFieldsUpdate": {
        "Workflow": {"Status": "SUPPRESSED"},
        "Note": {"Text": "Auto-suppressed: Low severity in dev environment", "UpdatedBy": "AWSight-Automation"}
      }
    }]'

# Create rule to auto-assign critical findings
aws securityhub create-automation-rule \
    --rule-name "Auto-Assign-Critical" \
    --rule-order 2 \
    --description "Auto-assign critical findings to security team" \
    --criteria '{
      "SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}],
      "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}]
    }' \
    --actions '[{
      "Type": "FINDING_FIELDS_UPDATE",
      "FindingFieldsUpdate": {
        "Workflow": {"Status": "NOTIFIED"},
        "Note": {"Text": "Auto-assigned to security team for immediate review", "UpdatedBy": "AWSight-Automation"}
      }
    }]'
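Before deploying rules like the two above, it helps to be able to replay them against sample findings and see which rule fires and what the finding looks like afterwards, because a suppression rule that is too broad hides exactly the findings the tutorial is trying to surface. The block below is an added example (not AWSight's or AWS's code) of an offline evaluator for that purpose. The rule, criteria and action shapes follow the CreateAutomationRule request (RuleOrder, IsTerminal, Criteria, Actions with a Type), and the OR/AND semantics for EQUALS versus NOT_EQUALS follow the documented filter behaviour; the evaluation loop itself, the fact that criteria are matched against the finding as received, and the sample findings are this example's own simplifications and constructions.

```python
import copy

# Constructed rules, shaped like the CreateAutomationRule request
RULES = [
    {
        "RuleName": "Suppress-Dev-Low-Severity", "RuleOrder": 1, "IsTerminal": True,
        "Criteria": {
            "SeverityLabel": [{"Value": "LOW", "Comparison": "EQUALS"}],
            "AwsAccountId": [{"Value": "111122223333", "Comparison": "EQUALS"}],
        },
        "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
            "Workflow": {"Status": "SUPPRESSED"},
            "Note": {"Text": "Auto-suppressed: Low severity in dev environment", "UpdatedBy": "AWSight-Automation"},
        }}],
    },
    {
        "RuleName": "Auto-Assign-Critical", "RuleOrder": 2, "IsTerminal": False,
        "Criteria": {
            "SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}],
            "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        },
        "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
            "Workflow": {"Status": "NOTIFIED"},
            "Note": {"Text": "Auto-assigned to security team for immediate review", "UpdatedBy": "AWSight-Automation"},
        }}],
    },
]

# Criteria keys -> where the value lives in an ASFF finding (a subset of the filter fields)
FIELD_GETTERS = {
    "SeverityLabel": lambda f: f["Severity"]["Label"],
    "AwsAccountId": lambda f: f["AwsAccountId"],
    "WorkflowStatus": lambda f: f["Workflow"]["Status"],
    "ProductName": lambda f: f["ProductName"],
    "ResourceType": lambda f: f["Resources"][0]["Type"],
}


def matches(criteria, finding):
    """Every criteria key must match. Within one key, EQUALS/PREFIX values are ORed
    and NOT_EQUALS values are ANDed, as the Security Hub filter documentation describes."""
    for key, conds in criteria.items():
        value = FIELD_GETTERS[key](finding)
        positives = [c for c in conds if c["Comparison"] in ("EQUALS", "PREFIX")]
        negatives = [c for c in conds if c["Comparison"] == "NOT_EQUALS"]
        if positives and not any(
            value == c["Value"] if c["Comparison"] == "EQUALS" else value.startswith(c["Value"])
            for c in positives
        ):
            return False
        if any(value == c["Value"] for c in negatives):
            return False
    return True


def apply_rules(rules, finding):
    """Apply rules in RuleOrder; a terminal rule stops further evaluation.
    Criteria are matched against the finding as received (simplification).
    Returns (updated copy of the finding, names of the rules that fired)."""
    updated = copy.deepcopy(finding)
    fired = []
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        if not matches(rule["Criteria"], finding):
            continue
        for action in rule["Actions"]:
            if action["Type"] == "FINDING_FIELDS_UPDATE":
                for field, new_value in action["FindingFieldsUpdate"].items():
                    updated[field] = copy.deepcopy(new_value)
        fired.append(rule["RuleName"])
        if rule.get("IsTerminal"):
            break
    return updated, fired


def sample_finding(account, severity, status="NEW"):
    """Constructed ASFF-shaped finding for replaying rules."""
    return {"Id": f"{account}-{severity}", "AwsAccountId": account, "ProductName": "Config",
            "Severity": {"Label": severity}, "Workflow": {"Status": status},
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]}


if __name__ == "__main__":
    for f in (sample_finding("111122223333", "LOW"), sample_finding("444455556666", "CRITICAL")):
        updated, fired = apply_rules(RULES, f)
        print(f["Id"], "->", updated["Workflow"]["Status"], fired)
```

A LOW finding in the dev account is suppressed by rule 1 and, because that rule is terminal, rule 2 is never consulted; a CRITICAL finding in a production account falls through rule 1 and is set to NOTIFIED by rule 2; a CRITICAL finding that is already NOTIFIED matches nothing, which is the behaviour you want so that a rule does not keep re-annotating findings an analyst has already picked up.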

3.3 Configure Finding Export to SIEM

Stream findings to your SIEM or ticketing system for integrated workflows:

# Create EventBridge rule for Security Hub findings
aws events put-rule \
    --name "SecurityHub-SIEM-Integration" \
    --event-pattern '{
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Severity": {
            "Label": ["HIGH", "CRITICAL"]
          }
        }
      }
    }' \
    --state ENABLED

# Add target (example: SNS topic for SIEM integration)
aws events put-targets \
    --rule "SecurityHub-SIEM-Integration" \
    --targets "Id"="1","Arn"="arn:aws:sns:us-east-1:123456789012:security-siem-integration"

3.4 Create Executive Dashboard Views

Configure summary views for different stakeholder groups:

# List non-compliant Config rules for executive reporting. This is a Config API,
# so the command is "aws configservice", not "aws securityhub".
aws configservice describe-compliance-by-config-rule \
    --compliance-types NON_COMPLIANT \
    --query 'ComplianceByConfigRules[?Compliance.ComplianceType==`NON_COMPLIANT`]' \
    --output table

# Status of each enabled standard (describe-standards only lists the catalogue;
# get-enabled-standards returns this account's subscriptions and their status)
aws securityhub get-enabled-standards \
    --query 'StandardsSubscriptions[*].{Standard:StandardsArn,Status:StandardsStatus}' \
    --output table
✅ Finding Aggregation Active! Security Hub is now intelligently filtering and prioritizing findings, reducing noise while ensuring critical threats are immediately visible.
4. Create Compliance Dashboards (5 minutes)

Build comprehensive dashboards that provide real-time visibility into your security posture and compliance status.

CloudWatch Dashboard Integration:

4.1 Create Security Metrics Dashboard

Build a real-time dashboard showing key security metrics:

# Create CloudWatch dashboard for Security Hub metrics.
# Security Hub publishes no CloudWatch metrics of its own, and custom metrics cannot use
# the reserved "AWS/" namespace, so the metrics below are assumed to be published by your
# own pipeline (for example the reporting Lambda in 4.3) into a custom namespace.
aws cloudwatch put-dashboard \
    --dashboard-name "AWSight-Security-Hub-Executive" \
    --dashboard-body '{
      "widgets": [
        {
          "type": "metric",
          "properties": {
            "metrics": [
              ["AWSight/Security", "FindingsByType", "Type", "Critical"],
              [".", ".", ".", "High"],
              [".", ".", ".", "Medium"],
              [".", ".", ".", "Low"]
            ],
            "period": 300,
            "stat": "Sum",
            "region": "us-east-1",
            "title": "Security Findings by Severity"
          }
        },
        {
          "type": "metric",
          "properties": {
            "metrics": [
              ["AWSight/Security", "ComplianceScore", "Standard", "aws-foundational-security-best-practices"],
              [".", ".", ".", "cis-aws-foundations-benchmark"],
              [".", ".", ".", "pci-dss"]
            ],
            "period": 3600,
            "stat": "Average",
            "region": "us-east-1",
            "title": "Compliance Scores by Standard"
          }
        }
      ]
    }'

4.2 Set Up Compliance Trend Monitoring

Track compliance improvements over time:

# Create custom metric for tracking remediation velocity.
# Security Hub does not write to a log group itself; "/aws/securityhub/findings" is assumed
# to be a log group you feed from an EventBridge rule (see 3.3) with a CloudWatch Logs target.
aws logs put-metric-filter \
    --log-group-name "/aws/securityhub/findings" \
    --filter-name "RemediationMetrics" \
    --filter-pattern '[timestamp, requestId, event="FINDING_UPDATED", status="RESOLVED"]' \
    --metric-transformations \
        metricName=SecurityHubRemediations,metricNamespace=AWSight/Security,metricValue=1

# Create alarm for compliance score degradation. ComplianceScore is a custom metric you
# publish into the AWSight/Security namespace; "AWS/SecurityHub" is not a namespace the service provides.
aws cloudwatch put-metric-alarm \
    --alarm-name "Security-Compliance-Score-Low" \
    --alarm-description "Alert when overall compliance score drops below 85%" \
    --metric-name ComplianceScore \
    --namespace AWSight/Security \
    --statistic Average \
    --period 3600 \
    --threshold 85 \
    --comparison-operator LessThanThreshold \
    --evaluation-periods 2

4.3 Generate Automated Compliance Reports

Create automated reporting for audit and compliance teams:

# Lambda function to generate weekly compliance reports
import boto3
import json
from datetime import datetime


def lambda_handler(event, context):
    securityhub = boto3.client('securityhub')

    # get_enabled_standards lists this account's subscriptions; describe_standards only
    # lists the catalogue of available standards and has no StandardsSubscriptions field
    subscriptions = securityhub.get_enabled_standards()['StandardsSubscriptions']

    compliance_report = {
        'report_date': datetime.now().isoformat(),
        'standards': [
            {'arn': sub['StandardsArn'], 'status': sub['StandardsStatus']}
            for sub in subscriptions
        ],
        'summary': {'passing_controls': 0, 'failing_controls': 0},
    }

    # Count active control findings by compliance status across all enabled standards
    paginator = securityhub.get_paginator('get_findings')
    for status, key in (('PASSED', 'passing_controls'), ('FAILED', 'failing_controls')):
        filters = {
            'ComplianceStatus': [{'Value': status, 'Comparison': 'EQUALS'}],
            'RecordState': [{'Value': 'ACTIVE', 'Comparison': 'EQUALS'}],
        }
        for page in paginator.paginate(Filters=filters):
            compliance_report['summary'][key] += len(page['Findings'])

    # Overall score as the share of passing control findings
    total = sum(compliance_report['summary'].values())
    compliance_report['summary']['score_percent'] = (
        round(100 * compliance_report['summary']['passing_controls'] / total) if total else None
    )

    # Publishing the report to S3 / SNS is left to the deployment
    return {'statusCode': 200, 'body': json.dumps(compliance_report)}
✅ Dashboards Created! You now have comprehensive visibility into your security posture with real-time compliance monitoring and automated reporting.

🔍 Validation: Verify Your Security Hub Configuration

Complete these validation steps to ensure Security Hub is properly configured and functioning:

  • Multi-Account Setup: Verify all organization accounts appear in the Security Hub console with "Enabled" status.
  • Finding Ingestion: Confirm findings are being received from GuardDuty, Inspector, Config, and other integrated services.
  • Compliance Scoring: Check that compliance scores are calculating correctly for all enabled standards.
  • Cross-Region Aggregation: Verify findings from all regions are visible in your primary region dashboard.
  • Automation Rules: Test that automation rules are properly suppressing or updating findings as configured.
  • Dashboard Functionality: Confirm CloudWatch dashboards are displaying Security Hub metrics correctly.
  • Alert Integration: Verify that critical findings trigger appropriate notifications to your team.

Security Hub Health Check Script

Run this comprehensive validation script to verify your Security Hub deployment:

#!/bin/bash
# Security Hub Configuration Validation Script
set -u
echo "Validating Security Hub configuration..."

# Check Security Hub status
echo "Checking Security Hub enablement status..."
HUB_ARN=$(aws securityhub describe-hub --query 'HubArn' --output text 2>/dev/null)
if [ -n "$HUB_ARN" ] && [ "$HUB_ARN" != "None" ]; then
    echo "Security Hub is enabled"
else
    echo "Security Hub is not enabled"
    exit 1
fi

# Check enabled standards (get-enabled-standards lists subscriptions and their status;
# describe-standards only lists the catalogue and has no StandardsSubscriptions field)
echo "Checking enabled security standards..."
STANDARDS=$(aws securityhub get-enabled-standards \
    --query 'StandardsSubscriptions[?StandardsStatus==`READY`].StandardsArn' --output text)
if [ -n "$STANDARDS" ]; then
    echo "Active standards: $STANDARDS"
else
    echo "No standards are enabled"
fi

# Check finding aggregation (list-finding-aggregators needs no ARN, unlike get-finding-aggregator)
echo "Checking cross-region aggregation..."
AGGREGATOR=$(aws securityhub list-finding-aggregators \
    --query 'FindingAggregators[0].FindingAggregatorArn' --output text 2>/dev/null)
if [ -n "$AGGREGATOR" ] && [ "$AGGREGATOR" != "None" ]; then
    echo "Finding aggregation is configured"
else
    echo "No finding aggregation configured"
fi

# Check recent findings
echo "Checking for recent findings..."
FINDINGS_COUNT=$(aws securityhub get-findings --max-items 10 --query 'length(Findings)' --output text)
echo "Recent findings count: $FINDINGS_COUNT"

# Check automation rules (the list is returned under AutomationRulesMetadata)
echo "Checking automation rules..."
RULES_COUNT=$(aws securityhub list-automation-rules --query 'length(AutomationRulesMetadata)' --output text)
echo "Automation rules configured: $RULES_COUNT"

# Check member accounts (MemberStatus values are capitalised, e.g. "Enabled")
echo "Checking member account status..."
MEMBERS=$(aws securityhub list-members --query 'Members[?MemberStatus==`Enabled`].AccountId' --output text)
if [ -n "$MEMBERS" ] && [ "$MEMBERS" != "None" ]; then
    MEMBER_COUNT=$(echo "$MEMBERS" | wc -w)
    echo "Member accounts enabled: $MEMBER_COUNT"
else
    echo "No member accounts or single-account deployment"
fi

echo "Security Hub validation complete!"

🤖 Advanced Automation and Integration Patterns

Automated Incident Response Workflows

Integrate Security Hub with automated response systems for faster threat remediation:

# Lambda function for automated EC2 isolation on critical findings
import boto3
import json

ec2 = boto3.client('ec2')
securityhub = boto3.client('securityhub')


def instance_id_from_resource(resource_id):
    # ASFF resource Ids for EC2 instances are ARNs ending in "instance/i-..."
    tail = resource_id.rsplit('/', 1)[-1]
    return tail if tail.startswith('i-') else None


def lambda_handler(event, context):
    finding = event['detail']['findings'][0]
    if finding['Severity']['Label'] != 'CRITICAL':
        return {'statusCode': 200, 'body': 'not critical, no action taken'}

    instance_id = instance_id_from_resource(finding['Resources'][0]['Id'])
    if not instance_id:
        return {'statusCode': 200, 'body': 'not an EC2 instance, no action taken'}

    # Look up the instance's VPC (the original called an undefined get_instance_vpc helper)
    reservation = ec2.describe_instances(InstanceIds=[instance_id])['Reservations'][0]
    vpc_id = reservation['Instances'][0]['VpcId']

    # Create an isolation security group: no inbound rules by default ...
    isolation_sg = ec2.create_security_group(
        GroupName=f'isolation-{instance_id}',
        Description='Auto-created isolation group for security incident',
        VpcId=vpc_id,
    )
    sg_id = isolation_sg['GroupId']
    # ... and remove the default allow-all egress rule so the instance cannot call out either
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}],
    )

    # Replace all of the instance's security groups with the isolation group
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # Record the containment on the finding. NOTIFIED rather than RESOLVED: isolation
    # contains the host but the incident still needs an analyst, and RESOLVED would hide it.
    securityhub.batch_update_findings(
        FindingIdentifiers=[{'Id': finding['Id'], 'ProductArn': finding['ProductArn']}],
        Workflow={'Status': 'NOTIFIED'},
        Note={'Text': f'Auto-isolated instance {instance_id}', 'UpdatedBy': 'AWSight-AutoResponse'},
    )
    return {'statusCode': 200, 'body': json.dumps({'isolated': instance_id, 'security_group': sg_id})}

Third-Party SIEM Integration

Stream Security Hub findings to popular SIEM platforms:

# Splunk integration via HTTP Event Collector
import json
import requests

SPLUNK_HEC_URL = "https://your-splunk.com:8088/services/collector"


def send_to_splunk(finding, hec_token):
    # Pass the HEC token in from a secret store (e.g. Secrets Manager) rather than hard-coding it
    headers = {
        'Authorization': f'Splunk {hec_token}',
        'Content-Type': 'application/json',
    }
    event = {
        'sourcetype': 'aws:securityhub',
        'source': 'aws-security-hub',
        'event': {
            'finding_id': finding['Id'],
            'severity': finding['Severity']['Label'],
            'resource': finding['Resources'][0]['Id'],
            'title': finding['Title'],
            'description': finding['Description'],
            'compliance_status': finding.get('Compliance', {}).get('Status', 'N/A'),
        },
    }
    # A timeout keeps a slow collector from stalling the Lambda until it is killed
    response = requests.post(SPLUNK_HEC_URL, headers=headers, data=json.dumps(event), timeout=10)
    return response.status_code == 200

Custom Control Development

Create organization-specific security controls using Config rules:

# Custom Config rule for organization-specific compliance
# (save as rule.json and apply with: aws configservice put-config-rule --config-rule file://rule.json)
# Managed rules use Owner "AWS". S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED takes no key
# parameter; the managed rule that checks for specific KMS keys is S3_DEFAULT_ENCRYPTION_KMS
# with a comma-separated kmsKeyArns parameter.
{
  "ConfigRuleName": "awsight-s3-encryption-kms-required",
  "Description": "Checks if S3 buckets use organization-approved KMS keys",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_DEFAULT_ENCRYPTION_KMS"
  },
  "InputParameters": "{\"kmsKeyArns\":\"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012\"}",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::S3::Bucket"]
  }
}
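When the check you need is not covered by a managed rule, the same control is written as a Lambda-backed custom Config rule, and its evaluation logic is worth keeping as a pure function so it can be tested without AWS credentials. The block below is an added example (not AWSight's or AWS's code) of that pattern for the "organization-approved KMS key" check. The invocation contract (invokingEvent and ruleParameters arriving as JSON strings, resultToken, and the Evaluations shape passed to PutEvaluations) is the real custom-rule interface; the layout of the bucket's ServerSideEncryptionConfiguration inside supplementaryConfiguration, the approvedKmsKeyArns parameter name, and the sample event are assumptions constructed for this example.

```python
import json

# Constructed approved-key set; the ARN is the placeholder key used elsewhere on this page
APPROVED_KMS_KEYS = {
    "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
}


def evaluate_bucket(configuration_item, approved_keys):
    """Return (ComplianceType, Annotation) for one AWS::S3::Bucket configuration item.
    Assumed item shape: supplementaryConfiguration.ServerSideEncryptionConfiguration holds
    {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": ..., "kmsMasterKeyID": ...}}]}."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    sse = configuration_item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # nested configuration may be delivered as a JSON string
        sse = json.loads(sse)
    if not sse or not sse.get("rules"):
        return "NON_COMPLIANT", "No default encryption configured"
    for rule in sse["rules"]:
        default = rule.get("applyServerSideEncryptionByDefault", {})
        if default.get("sseAlgorithm") != "aws:kms":
            return "NON_COMPLIANT", f"Default encryption is {default.get('sseAlgorithm', 'none')}, not aws:kms"
        key = default.get("kmsMasterKeyID", "")
        if key not in approved_keys:
            return "NON_COMPLIANT", f"KMS key {key or '(AWS managed)'} is not organization-approved"
    return "COMPLIANT", "Default encryption uses an approved KMS key"


def build_evaluation(event):
    """Turn a Config custom-rule invocation event into the Evaluations entry that
    PutEvaluations expects. invokingEvent and ruleParameters arrive as JSON strings."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters", "{}"))
    approved = set(filter(None, params.get("approvedKmsKeyArns", "").split(",")))
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_bucket(item, approved)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    import boto3  # imported here so the pure evaluation above runs without AWS credentials
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation (not a real Config event): bucket encrypted with a key
# that is NOT in the approved set, so the rule should report NON_COMPLIANT
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "customer-shipments",
        "configurationItemCaptureTime": "2025-04-01T10:00:00.000Z",
        "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {
                "sseAlgorithm": "aws:kms",
                "kmsMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"}}]}},
    }}),
    "ruleParameters": json.dumps({"approvedKmsKeyArns": ",".join(APPROVED_KMS_KEYS)}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Because `evaluate_bucket` and `build_evaluation` never touch the network, the four interesting cases (approved key, unapproved key, AES256 instead of KMS, no default encryption at all) can be asserted in a unit test before the rule is deployed; only `lambda_handler` needs the Config client and the real `resultToken`.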

❌ Common Security Hub Configuration Mistakes

⚠️ Mistake #1: Enabling too many low-priority controls without proper filtering, leading to alert fatigue. Focus on critical and high-severity findings first.
⚠️ Mistake #2: Not configuring automation rules to suppress known false positives, overwhelming security teams with noise.
⚠️ Mistake #3: Ignoring cross-region aggregation, missing threats that span multiple regions in your infrastructure.
⚠️ Mistake #4: Not integrating with existing SIEM or ticketing systems, creating disconnected security workflows.
⚠️ Mistake #5: Failing to customize security standards for your organization's specific risk profile and compliance requirements.

🚀 Next Steps: Complete Security Operations

Security Hub provides the foundation for centralized security monitoring. Here's how to build a complete security operations program:

1. Implement Automated Threat Response

Use EventBridge and Lambda to automatically respond to critical findings with containment actions like security group isolation and instance quarantine.

2. Deploy AWS Security Lake for Advanced Analytics

Aggregate security data from Security Hub and other sources for machine learning-based threat detection and advanced security analytics.

3. Establish Security Metrics and KPIs

Track mean time to detection (MTTD), mean time to response (MTTR), and compliance drift to measure security program effectiveness.

4. Implement Continuous Compliance Monitoring

Use Security Hub's compliance features with AWS Config to ensure continuous adherence to regulatory frameworks and internal policies.

🎯 Ready to Automate Your Entire AWS Security Program?

Security Hub is powerful, but manual configuration and monitoring still take significant effort. AWSight automates the entire process, from initial setup to ongoing threat detection and compliance monitoring.

📚 References and Further Reading