AWS Security Hub: What It Is and When to Use It

Definition

AWS Security Hub is a cloud security posture management (CSPM) service that provides a comprehensive, centralized view of your security and compliance status across your AWS environment. It solves the problem of alert fatigue and scattered security data by aggregating, organizing, and prioritizing security findings from various AWS services and third-party partner products into a single, actionable dashboard.

How It Works

AWS Security Hub acts as a central nervous system for security in your AWS accounts. Its primary function is to ingest and normalize security data, run compliance checks, and present the information in a unified format.

  1. Data Aggregation: Security Hub collects security data, called "findings," from a wide range of sources. This includes native AWS services like Amazon GuardDuty (threat detection), Amazon Inspector (vulnerability scanning), Amazon Macie (sensitive data discovery), and AWS IAM Access Analyzer (unintended external or cross-account access). It also integrates with dozens of third-party security solutions from AWS Partners.

  2. Standardized Format: All incoming findings are normalized into the AWS Security Finding Format (ASFF), a standardized JSON format. This allows for consistent processing and analysis, regardless of the data's origin. The same format is used in the other direction: your own scanners and tools can import findings through the BatchImportFindings API as long as they emit valid ASFF.

  3. Compliance Checks: A core feature of Security Hub is its ability to run continuous, automated security checks against your AWS resources. It uses controls based on well-known security and compliance standards, such as:

    • AWS Foundational Security Best Practices (FSBP)
    • CIS AWS Foundations Benchmark
    • Payment Card Industry Data Security Standard (PCI DSS)
    • NIST SP 800-53

    These checks are largely powered by AWS Config rules running in the background.

  4. Centralized Management & Visualization: Security Hub provides a single dashboard to view, filter, and investigate all findings. It calculates a security score for your accounts based on the enabled standards, helping you quickly assess your posture. Through integration with AWS Organizations, you can designate a central administrator account to manage Security Hub and view findings from all member accounts. It also supports cross-Region aggregation, allowing you to consolidate findings from multiple AWS Regions into a single aggregation Region for a truly global view.

  5. Automated Response and Remediation: While Security Hub itself doesn't directly fix issues, it is a critical component for automating remediation. It integrates natively with Amazon EventBridge: every imported or updated finding is published as an event (detail-type "Security Hub Findings - Imported"), and an EventBridge rule can match on fields of the finding and trigger an automated workflow. For example, a finding for an overly permissive S3 bucket could trigger an EventBridge rule that invokes an AWS Lambda function to correct the bucket's configuration. AWS also provides a pre-built "Automated Security Response on AWS" solution to deploy common remediation playbooks.
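The following is an added example, not code from AWS or from this article: it builds one custom finding in the ASFF shape step 2 describes, checks the attributes BatchImportFindings requires before you send it, and then pushes that finding through the EventBridge-to-Lambda remediation path of step 5 using a fake S3 client so it runs offline. The account ID, Region, bucket name and scanner name are placeholders; the `FakeS3` class stands in for `boto3.client("s3")`, which the handler uses when deployed to Lambda.

```python
from datetime import datetime, timezone

ACCOUNT = "111122223333"           # placeholder account ID (assumption)
REGION = "us-east-1"               # placeholder Region
BUCKET = "example-public-bucket"   # placeholder bucket name

# Attributes every ASFF finding must carry (the ASFF required-attribute list).
REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
            "Types", "CreatedAt", "UpdatedAt", "Severity", "Title",
            "Description", "Resources")
SEVERITY_LABELS = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def custom_finding(bucket: str) -> dict:
    """The finding a home-grown scanner would import. The 'default' product ARN
    is the one Security Hub accepts for an account's own custom findings."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{ACCOUNT}/{REGION}/s3-public/{bucket}",   # unique per resource + check
        "ProductArn": f"arn:aws:securityhub:{REGION}:{ACCOUNT}:product/{ACCOUNT}/default",
        "GeneratorId": "example-s3-public-scanner",      # hypothetical scanner name
        "AwsAccountId": ACCOUNT,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": "HIGH"},
        "Title": "S3 bucket has no public access block",
        "Description": f"Bucket {bucket} is missing a public access block configuration.",
        "Resources": [{"Type": "AwsS3Bucket", "Id": f"arn:aws:s3:::{bucket}", "Region": REGION}],
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE",
    }


def asff_problems(finding: dict) -> list:
    """Reasons BatchImportFindings would reject the finding; an empty list means it imports.
    With boto3 the import is boto3.client("securityhub").batch_import_findings(Findings=[finding])."""
    problems = [f"missing {key}" for key in REQUIRED if key not in finding]
    sev = finding.get("Severity", {})
    if "Label" not in sev and "Normalized" not in sev:
        problems.append("Severity needs Label or Normalized")
    elif "Label" in sev and sev["Label"] not in SEVERITY_LABELS:
        problems.append("Severity.Label must be one of " + ", ".join(SEVERITY_LABELS))
    if finding.get("SchemaVersion") != "2018-10-08":
        problems.append("SchemaVersion must be 2018-10-08")
    if any("Id" not in r or "Type" not in r for r in finding.get("Resources", [])):
        problems.append("every Resource needs Id and Type")
    return problems


# EventBridge rule pattern. Security Hub emits each imported or updated finding as
# "Security Hub Findings - Imported"; match only failed, active S3 findings so the
# Lambda is not invoked for unrelated GuardDuty or Inspector findings.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Compliance": {"Status": ["FAILED"]},
        "RecordState": ["ACTIVE"],
        "Resources": {"Type": ["AwsS3Bucket"]},
    }},
}


def handler(event: dict, context=None, s3=None) -> list:
    """Lambda entry point for RULE_PATTERN: put a public access block on each S3
    bucket named in the event's findings and return the buckets touched.
    `s3` is injectable so the function can be exercised without AWS access."""
    if s3 is None:
        import boto3                       # only needed when running in Lambda
        s3 = boto3.client("s3")
    touched = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue                       # re-check the rule's condition in code
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsS3Bucket":
                continue
            bucket = res["Id"].rsplit(":::", 1)[-1]     # arn:aws:s3:::name -> name
            s3.put_public_access_block(
                Bucket=bucket,
                PublicAccessBlockConfiguration={
                    "BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
            touched.append(bucket)
    return touched


class FakeS3:
    """Stand-in for the boto3 S3 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


def demo() -> tuple:
    """Validate the custom finding, wrap it in the EventBridge envelope, remediate it."""
    finding = custom_finding(BUCKET)
    event = {"source": "aws.securityhub",
             "detail-type": "Security Hub Findings - Imported",
             "detail": {"findings": [finding]}}
    return asff_problems(finding), handler(event, s3=FakeS3())
```

Two design points worth copying: the handler re-checks `Compliance.Status` and the resource type even though the rule pattern already filters on them, so a rule edited later cannot make it block access on the wrong resource, and it scopes the fix to the buckets named in the finding rather than iterating every bucket in the account.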

Key Features and Limits

  • Centralized Findings Management: Aggregates findings from multiple AWS services and over 60 partner solutions.
  • Automated Security & Compliance Checks: Continuously monitors your environment against standards like AWS FSBP, CIS, PCI DSS, and NIST.
  • Multi-Account & Multi-Region Management: Uses AWS Organizations for central administration and supports cross-Region aggregation for a unified view.
  • Security Scores: Provides a 0-100% score to quickly summarize your compliance status against enabled standards.
  • Automation Rules: Allows you to automatically update or suppress findings based on criteria you define, reducing manual effort.
  • Integration with Amazon EventBridge: Enables automated response and remediation workflows.
  • Custom Actions: Create custom actions in the console to send specific findings to EventBridge for targeted manual or automated responses.
  • Service Quotas: Your AWS account has default quotas for Security Hub resources and operations, including API request rates. The one custom integrations hit first is BatchImportFindings, which accepts at most 100 findings per call with a 240 KB limit on the request. Most quotas can be increased via the Service Quotas console.

Common Use Cases

  1. Centralized Security Monitoring (Single Pane of Glass): For organizations that want to consolidate alerts from GuardDuty, Inspector, Macie, and other tools into one place to reduce alert fatigue and improve visibility.

  2. Continuous Compliance Monitoring: To automatically assess your AWS infrastructure against regulatory or industry standards like PCI DSS or NIST, generate evidence for auditors, and get alerts on non-compliant resources.

  3. Automated Security Remediation: As the trigger for automated response workflows. When Security Hub detects a misconfiguration (e.g., a public S3 bucket), it sends an event to Amazon EventBridge, which can invoke a Lambda function or AWS Systems Manager Automation document to fix the issue automatically.

  4. Cloud Security Posture Management (CSPM): To proactively identify, prioritize, and track the remediation of security risks and misconfigurations across a multi-account, multi-Region AWS Organization.
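An added example for use cases 1 and 4 (not AWS code and not part of the original article): the query a triage script runs against the administrator account to pull active, unresolved HIGH and CRITICAL findings across all aggregated accounts and Regions, followed by the grouping that turns them into a work queue per resource. The `FakePages` class stands in for `boto3.client("securityhub")` and serves two constructed pages; the control IDs, ARNs and account numbers in that sample data are illustrative and carry no claim about real control severities.

```python
# AwsSecurityFindingFilters as GetFindings expects them: each key holds a list of
# {"Value", "Comparison"} matchers; values under one key are OR'd, keys are AND'd.
TRIAGE_FILTERS = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                       {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
    "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"},
                      {"Value": "CRITICAL", "Comparison": "EQUALS"}],
}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}


def iter_findings(client, filters):
    """Follow NextToken across every GetFindings page (the API caps a page at 100).
    `client` is anything with get_findings(**kwargs), e.g. boto3.client("securityhub")."""
    token = None
    while True:
        kwargs = {"Filters": filters, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = client.get_findings(**kwargs)
        yield from page.get("Findings", [])
        token = page.get("NextToken")
        if not token:
            return


def triage(findings):
    """Collapse findings onto the resource they concern, so one bucket that fails
    several controls is a single work item carrying the worst severity; sort worst-first."""
    items = {}
    for f in findings:
        sev = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        control = f.get("Compliance", {}).get("SecurityControlId") or f["GeneratorId"]
        for res in f.get("Resources", []):
            item = items.setdefault(res["Id"], {
                "resource": res["Id"], "account": f["AwsAccountId"],
                "region": f.get("Region"), "severity": sev, "controls": []})
            if control not in item["controls"]:
                item["controls"].append(control)
            if SEVERITY_RANK[sev] > SEVERITY_RANK[item["severity"]]:
                item["severity"] = sev
    return sorted(items.values(),
                  key=lambda i: (-SEVERITY_RANK[i["severity"]], -len(i["controls"]), i["resource"]))


def _sample(fid, account, region, control, sev, res_type, res_id):
    """Constructed ASFF fragment carrying only the fields the triage logic reads."""
    return {"Id": fid, "AwsAccountId": account, "Region": region,
            "GeneratorId": f"security-control/{control}",
            "Compliance": {"Status": "FAILED", "SecurityControlId": control},
            "Severity": {"Label": sev}, "RecordState": "ACTIVE",
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": res_type, "Id": res_id}]}


class FakePages:
    """Stand-in for the Security Hub client: two constructed pages, as the real API
    would return for findings aggregated from two member accounts in two Regions."""
    BUCKET = "arn:aws:s3:::example-data-bucket"
    SG = "arn:aws:ec2:eu-west-1:444455556666:security-group/sg-0example"
    PAGES = [
        {"Findings": [_sample("f1", "111122223333", "us-east-1", "S3.2", "HIGH", "AwsS3Bucket", BUCKET),
                      _sample("f2", "111122223333", "us-east-1", "S3.8", "HIGH", "AwsS3Bucket", BUCKET)],
         "NextToken": "page-2"},
        {"Findings": [_sample("f3", "444455556666", "eu-west-1", "EC2.18", "HIGH", "AwsEc2SecurityGroup", SG),
                      _sample("f4", "444455556666", "eu-west-1", "EC2.19", "CRITICAL", "AwsEc2SecurityGroup", SG)]},
    ]

    def __init__(self):
        self.requests = []

    def get_findings(self, **kwargs):
        self.requests.append(kwargs)
        return self.PAGES[len(self.requests) - 1]


def demo():
    """Run the triage query against the fake client; returns (work queue, API calls made)."""
    client = FakePages()
    return triage(iter_findings(client, TRIAGE_FILTERS)), client.requests
```

Filtering on `WorkflowStatus` is what keeps this queue honest: once an analyst sets a finding to SUPPRESSED or RESOLVED (by hand or through an automation rule) it drops out of the next run, so the same script doubles as a check that your suppression rules are not hiding CRITICAL findings.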

Pricing Model

As of 2026, AWS Security Hub has moved to a consolidated pricing model with a required Essentials plan. This plan simplifies billing by combining Security Hub's CSPM features and Amazon Inspector's vulnerability scanning into a single per-resource price with unlimited scans.

  • Essentials Plan (Required): Billed per "resource unit" per month. Pricing is anchored to Amazon EC2 instances (1 unit), with other resources weighted as fractions (e.g., 12 Lambda functions = 1 unit, 18 ECR images = 1 unit, 125 IAM users/roles = 1 unit). All new accounts receive a 30-day free trial.
  • Threat Analytics (Optional Add-On): This adds threat detection powered by Amazon GuardDuty. It is billed based on usage, primarily the volume of CloudTrail events and logs (VPC Flow Logs, DNS logs) analyzed. This replaces the standalone GuardDuty billing for accounts using the add-on.
  • Extended Plan (Optional Add-On): This plan allows you to procure, deploy, and integrate curated third-party partner security solutions with pay-as-you-go pricing directly through your AWS bill.

Cross-Region data aggregation does not incur an additional charge. For detailed estimates, always consult the official AWS Pricing page and the AWS Pricing Calculator.

Pros and Cons

Pros:

  • Unified Visibility: Provides a single pane of glass for security and compliance, drastically simplifying monitoring in complex environments.
  • Simplified Compliance: Automated checks against major industry standards make it easier to prepare for and pass audits.
  • Strong AWS Integration: Seamlessly integrates with AWS Organizations and other AWS security services, making it easy to enable across an entire enterprise.
  • Reduces Alert Fatigue: Aggregates and correlates findings, helping security teams prioritize the most critical issues.
  • Enables Automation: Native integration with Amazon EventBridge is powerful for building automated remediation workflows.

Cons:

  • Cost: In large-scale environments, the cost can become significant, driven by the number of resources and the volume of logs analyzed by the Threat Analytics add-on.
  • Remediation is Not Built-in: While it enables remediation, you must build the automation logic yourself using services like Lambda and Systems Manager, which adds complexity.
  • Potential for Noise: Without proper tuning of automation rules and filters, the volume of findings can still be overwhelming.
  • AWS-Centric: Primarily focused on AWS. Organizations with multi-cloud environments may need a third-party CSPM tool for a truly unified view across all cloud providers.

Comparison with Alternatives

  • AWS Security Hub vs. Amazon GuardDuty: This is a common point of confusion. GuardDuty is a threat detection service that identifies malicious activity (e.g., an EC2 instance communicating with a known malicious IP). Security Hub is a CSPM and aggregation service that ingests findings from GuardDuty and other services to provide a consolidated view and run compliance checks. They are complementary; GuardDuty finds the threats, and Security Hub manages and prioritizes those findings alongside other security data.

  • AWS Security Hub vs. AWS Config: AWS Config is a service that records and evaluates the configurations of your AWS resources. Security Hub uses AWS Config and its rules as a foundational data source for many of its compliance checks, so AWS Config recording must be enabled in every account and Region where you want the control checks to run. Config is focused on configuration history and change tracking, while Security Hub is focused on the overall security and compliance posture based on that configuration data.

Exam Relevance

AWS Security Hub is a key service in the security domain and features prominently on several AWS certification exams.

  • AWS Certified Security - Specialty (SCS-C02): Expect in-depth questions about its architecture, multi-account setup, integration with other services, and its role in automated remediation.
  • AWS Certified Solutions Architect - Professional (SAP-C02): Questions may focus on using Security Hub as part of a large-scale, enterprise-wide security and governance strategy.
  • AWS Certified Solutions Architect - Associate (SAA-C03): You should understand its core purpose as a centralized security and compliance service and how it differs from services like GuardDuty and Inspector.

For all exams, it's crucial to know that Security Hub provides a consolidated view and that it integrates with other services for detection and remediation.

Frequently Asked Questions

Q: What is the difference between AWS Security Hub and Amazon GuardDuty?

A: Amazon GuardDuty is a threat detection service that monitors for malicious or unauthorized behavior. AWS Security Hub is a broader cloud security posture management (CSPM) service that aggregates findings from GuardDuty, Amazon Inspector, Amazon Macie, and others to give you a single view of your security posture and compliance status. In short, GuardDuty detects threats, and Security Hub centralizes and prioritizes those threat findings along with other security alerts and compliance checks.

Q: Does Security Hub fix security issues automatically?

A: No, not directly. Security Hub identifies security and compliance issues (findings), but it does not have built-in remediation capabilities. However, it is designed to enable automated remediation. It integrates with Amazon EventBridge, which can trigger actions—like invoking an AWS Lambda function or an AWS Systems Manager runbook—to automatically fix the issues that Security Hub finds.

Q: How does Security Hub handle findings from multiple AWS accounts and regions?

A: Security Hub is designed for multi-account and multi-region environments. It integrates with AWS Organizations, allowing you to designate a single AWS account as the Security Hub administrator. This administrator account can then view and manage findings from all associated member accounts. Additionally, Security Hub features cross-Region aggregation, which lets you consolidate findings from multiple AWS Regions into a single aggregation Region, providing a truly centralized dashboard for your entire global AWS footprint.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/22/2026 / Updated: 5/23/2026

