AWS Security Hub

A unified cloud security operations platform that aggregates, correlates, and prioritizes findings from across your AWS environment. Recently restructured: the original Security Hub (compliance/posture checks) is now called Security Hub CSPM, and a new, enhanced Security Hub sits on top of it as the unified correlation layer — this rebrand is the single freshest, most-tested nuance in this whole service.

Control types: Detective (aggregation/correlation), Governance (compliance standards), Compliance (CIS/PCI/NIST/FSBP)

Key facts
  • 2025-06-17: Enhanced Security Hub GA
  • 30 days: free trial
  • 1 year: Trends dashboard historical window
  • OCSF: new supported finding format

How Security Hub Actually Works — The Two-Layer Model

  • Layer 1: Security Hub CSPM (the original service, renamed)
  • Layer 2: The new, enhanced Security Hub (GA June 17, 2025)
⚠️ The Recurring Exam Theme

Security Hub questions increasingly test one thing above all else: can you distinguish Security Hub CSPM (configuration/compliance checks against standards) from the new unified Security Hub (cross-service correlation producing exposure findings and attack-path visibility). Older exam material and many third-party resources still use "Security Hub" to mean only the CSPM layer — be ready for both framings.

Exam Domain Mapping

Domain: where Security Hub shows up
  • Threat Detection & Incident Response: Exposure findings, attack-path correlation, EventBridge custom actions for response
  • Security Logging & Monitoring: The centerpiece — ASFF/OCSF aggregation, Trends dashboard, multi-account/multi-region aggregation
  • Management & Security Governance: Compliance standards (CIS/PCI/NIST/FSBP), Security Coverage widget, Organizations integration
  • Infrastructure Security: CSPM configuration checks underlying many findings

Decision Tree — Mental Model

Threat: Findings scattered across GuardDuty, Inspector, Macie, and configuration checks, with no way to see which combinations represent real, prioritized risk; lack of a documented compliance posture against CIS/PCI/NIST

Security Goal: Single pane of glass for findings; automatic compliance scoring; correlated, prioritized exposure visibility instead of isolated alerts

AWS Service: AWS Security Hub (Security Hub CSPM for compliance checks; Enhanced Security Hub as the correlation layer; exposure findings; Trends/Summary dashboard)

Implementation: Enable via Organizations delegated administrator. Designate an aggregation region for cross-region visibility. Enable relevant compliance standards per regulatory need.

Monitoring: Use exposure findings and the Trends/Security Coverage dashboard to prioritize, rather than raw finding counts.

Remediation: EventBridge custom actions → Lambda/Step Functions, or the dedicated Automated Response and Remediation solution, for high-priority exposure/CSPM findings.

Final Summary

Must Memorize
  • Security Hub CSPM = compliance/config checks (the original service, renamed)
  • Enhanced Security Hub = correlation layer producing exposure findings
  • Exposure findings correlate GuardDuty + Inspector + Macie + CSPM signals on a shared resource
  • A resource can be primary in at most ONE exposure finding
  • ASFF (legacy) and OCSF (new) are both supported finding formats
Must Understand
  • Why correlation (exposure findings) beats raw finding-count triage
  • The aggregation-region concept for cross-region/cross-account visibility
  • The distinction triangle: Security Hub (aggregate/correlate) vs Detective (deep investigate) vs Config (raw per-resource compliance)
Can De-prioritize
  • Exact dollar pricing per check evaluated
  • Full list of every CIS/PCI/NIST control
  • Console UI navigation specifics

Exam appearance probability: HIGH

Security Hub CSPM vs. Exposure Findings

This is the single most important structural distinction in the entire service right now.

2.1 Security Hub CSPM — Compliance Standards Engine (exam weight: high; rebrand trap)
  • Formerly called: "AWS Security Hub" (pre-June 2025)
  • Function: Automated security checks against compliance standards
  • Standards supported: CIS AWS Foundations Benchmark, PCI DSS, NIST 800-53, AWS Foundational Security Best Practices (FSBP)

2.2 Exposure Findings — The New Correlation Layer (exam weight: high; newest capability)
  • Inputs correlated: GuardDuty (threats) + Inspector (vulnerabilities) + Macie (sensitive data exposure) + Security Hub CSPM (misconfigurations)
  • Output: A single finding representing a combination of signals on a shared resource that together indicate meaningful, prioritized risk

2.3 Summary / Trends Dashboard
  • Historical window: Up to 1 year of historical data for findings and resources
  • Comparisons: Day-over-day, week-over-week, month-over-month trend analysis
  • Widgets: Customizable (exposure summaries, threat trends, security coverage)

2.4 OCSF Support
  • What: Open Cybersecurity Schema Framework support, alongside the existing ASFF (AWS Security Finding Format)

2.5 Insights (Legacy Feature)
  • What: Saved searches grouping findings by a chosen attribute

AWS Exam Thinking

Requirement → Keywords → Expected Answer → why every distractor fails.

Requirement: Check resource compliance against CIS/PCI/NIST standards
Keywords: compliance standard, CIS benchmark, PCI DSS
Expected Answer: Security Hub CSPM
Distractors (why each is wrong):
  • AWS Config: Provides the underlying configuration evaluation engine, but doesn't package it as standardized, scored compliance frameworks the way Security Hub CSPM does
  • Audit Manager: Collects evidence for audit reporting frameworks, distinct from real-time security finding aggregation against these specific standards

Requirement: Identify a combination of vulnerability + exposure + active threat as one prioritized risk
Keywords: attack path, correlated risk, prioritize across services
Expected Answer: Security Hub exposure findings
Distractors (why each is wrong):
  • Manually cross-reference GuardDuty, Inspector, and Macie consoles: Works but doesn't scale and isn't automatic/near-real-time the way exposure findings are
  • GuardDuty Extended Threat Detection: Correlates WITHIN GuardDuty's own findings into an attack sequence; doesn't incorporate Inspector vulnerability data or Macie sensitive-data signals the way Security Hub exposure findings do

Requirement: Get a single, centralized place where GuardDuty, Inspector, and Macie findings all appear
Keywords: single pane of glass, aggregate findings
Expected Answer: AWS Security Hub
Distractors (why each is wrong):
  • Amazon Detective: Optionally ingests Security Hub-aggregated findings for investigation, but isn't itself the primary aggregation point
  • CloudWatch: Can now ingest Security Hub CSPM findings (March 2026), but it's a downstream consumer, not the aggregation/correlation engine itself

Requirement: See what percentage of the environment lacks vulnerability scanning or threat detection coverage
Keywords: coverage gap, visibility
Expected Answer: Security Hub Security Coverage widget
Distractors (why each is wrong):
  • Count total findings per service: Tells you about existing findings, not about resources with NO coverage at all, which is a fundamentally different and important gap to see

Requirement: Automatically remediate a specific high-confidence finding
Keywords: automated remediation, custom action
Expected Answer: Security Hub custom actions via EventBridge, or the Automated Response and Remediation solution
Distractors (why each is wrong):
  • Security Hub remediates findings automatically by default: It doesn't; remediation requires explicit configuration of a custom action/EventBridge rule/Lambda, or deploying the dedicated remediation solution

Security Controls Mapping & Integrations

4 — Controls Mapping

Detective (aggregation/correlation)

Core identity — ingests, correlates, and prioritizes findings from GuardDuty, Inspector, Macie, and Security Hub CSPM into exposure findings

Governance & Compliance

Security Hub CSPM's standards (CIS, PCI DSS, NIST 800-53, FSBP) enforce and continuously score organizational compliance posture

Responsive (via integration, not automatic)

EventBridge custom actions, or the Automated Response and Remediation solution, trigger Lambda/Step Functions workflows off high-priority findings

⚠️ Security Hub does not replace GuardDuty, Inspector, or Macie

It aggregates and correlates their output — it has no native detection engine of its own beyond Security Hub CSPM's configuration checks. Disabling GuardDuty/Inspector/Macie removes those signal types from exposure findings entirely.

5 — Integrations

GuardDuty, Inspector, Macie
  • What: Primary upstream finding sources feeding both raw aggregation and exposure-finding correlation

EventBridge
  • What: Custom actions and standard finding events both flow to EventBridge
  • Pattern: Finding/custom action → rule → Lambda/Step Functions for ticketing or remediation

Organizations
  • What: Delegated administrator model, with a designated aggregation region for cross-region visibility
  • Why: Centralized findings and compliance scoring across every account and region in scope

Amazon CloudWatch
  • What: (March 2026) Ingests Security Hub CSPM findings in ASFF and OCSF format via CloudWatch Pipelines
  • Why: CloudWatch Logs Insights queries, metric filters, and S3 Tables analytics directly on security findings

Detective
  • What: Detective can optionally ingest Security Hub-aggregated findings (incl. Inspector) as an additional data source

Third-Party Products
  • What: Many partner security tools integrate findings into Security Hub via ASFF/OCSF
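The EventBridge pattern above (custom action → rule → Lambda) and the Remediation step of the decision tree, as an added example that is not AWS sample code: a triage function that receives the "Security Hub Findings - Custom Action" event, separates CSPM control failures from threat/vulnerability signals using the ASFF fields, and builds the BatchUpdateFindings payload that marks each routed finding NOTIFIED. The action name "EscalateToIR", the sample event and the control ID "EXAMPLE.1" are constructed placeholders.

```python
"""Triage for the 'Security Hub Findings - Custom Action' EventBridge event (added example, not AWS code).
Assumptions: the rule pattern's action name, the sample event and control ID 'EXAMPLE.1' are constructed."""
RULE_PATTERN = {  # EventBridge rule pattern that routes the custom action to the triage function
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "detail": {"actionName": ["EscalateToIR"]},
}
ACTIONABLE = {"HIGH", "CRITICAL"}

def classify(finding):
    """Route one ASFF finding: 'cspm' (failed control), 'threat' (other signal) or 'skip'."""
    if finding.get("Workflow", {}).get("Status") != "NEW":
        return "skip"  # already NOTIFIED / SUPPRESSED / RESOLVED by a previous run
    if finding.get("Severity", {}).get("Label") not in ACTIONABLE:
        return "skip"
    comp = finding.get("Compliance", {})
    if comp.get("Status") == "FAILED" and comp.get("SecurityControlId"):
        return "cspm"  # Security Hub CSPM control failure: configuration remediation
    return "threat"  # GuardDuty / Inspector / Macie / partner signal: open an incident

def triage(event):
    """Return actions to take plus the BatchUpdateFindings payload (apply it with boto3 in the Lambda handler)."""
    actions, ids = [], []
    for f in event["detail"]["findings"]:
        kind = classify(f)
        if kind == "skip":
            continue
        resource = f["Resources"][0]["Id"]
        if kind == "cspm":
            actions.append({"type": "remediate_control", "resource": resource,
                            "control": f["Compliance"]["SecurityControlId"]})
        else:
            actions.append({"type": "open_incident", "resource": resource, "title": f["Title"]})
        ids.append({"Id": f["Id"], "ProductArn": f["ProductArn"]})
    update = {"FindingIdentifiers": ids, "Workflow": {"Status": "NOTIFIED"},
              "Note": {"Text": "Routed by triage Lambda", "UpdatedBy": "triage-lambda"}}
    return {"actions": actions, "update": update}

def _f(fid, product, label, **extra):  # constructed sample-finding builder (ASFF subset)
    return {"Id": fid, "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
            "Title": f"{product} finding", "Severity": {"Label": label}, "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}], **extra}

SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "EscalateToIR", "findings": [  # constructed: CSPM failure, threat, low-severity
        _f("f-1", "securityhub", "HIGH", Compliance={"Status": "FAILED", "SecurityControlId": "EXAMPLE.1"}),
        _f("f-2", "guardduty", "CRITICAL"),
        _f("f-3", "inspector", "LOW")]}}
```

The low-severity finding is deliberately left untouched so that only the findings a human or workflow will act on change workflow state.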

Costs, Limits & Quotas

Pricing Model

  • CSPM checks: Priced per security check evaluated, per account, per region
  • Finding ingestion: Volume-based pricing for findings ingested from other services/partners
  • Trial: 30-day free trial

Common Cost Mistakes

Cost Optimization

Limits & Quotas

  • Scope: Regional, with cross-region aggregation available via a designated aggregation region
  • Exposure finding cardinality: A resource can be the primary resource in at most ONE exposure finding
  • Trends history: Up to 1 year of historical findings/resource data
⚠️ Exam trap

If a resource has no exposure traits, or insufficient traits, Security Hub does NOT generate an exposure finding for it. The absence of an exposure finding therefore does not mean the resource is risk-free; it may simply lack correlated signal from the contributing services.

Best Practices & Common Exam Traps

8 — Best Practices

Must Know
  • Security Hub CSPM = compliance/config checks (renamed from the original "Security Hub")
  • Enhanced Security Hub = correlation layer producing exposure findings
  • Exposure findings combine GuardDuty + Inspector + Macie + CSPM signals
  • Security Hub aggregates/correlates — it has no independent detection engine of its own beyond CSPM checks
Good Practice
  • Designate a single aggregation region for cross-region/account visibility
  • Enable only the compliance standards actually required by regulation
  • Use the Security Coverage widget to find visibility gaps, not just review existing findings
  • Build EventBridge custom actions for your highest-priority exposure finding types
Advanced Practice
  • Adopt OCSF where third-party tooling benefits from the industry-standard schema over ASFF
  • Pipe CSPM findings into CloudWatch for Logs Insights queries and S3 Tables-based long-term analytics
  • Use Trends widgets (day/week/month-over-month) to demonstrate security posture improvement over time to leadership/auditors

9 — Common Exam Traps

Misconception vs. reality:
  • "Security Hub and Security Hub CSPM are two separate, unrelated services": Security Hub CSPM is the renamed original Security Hub; the new Security Hub is built on top of it as a correlation layer, not a separate, disconnected product
  • "Security Hub detects threats itself": It has no independent threat-detection engine; threat signal comes from GuardDuty, and Security Hub correlates it with other signals
  • "An exposure finding means three completely separate problems": It represents ONE correlated risk derived from multiple contributing signals on the SAME resource; the point is consolidation, not just listing three findings together
  • "Security Hub automatically fixes flagged misconfigurations": It requires explicit EventBridge custom actions or the separate Automated Response and Remediation solution; nothing is auto-remediated by default
  • "A resource can appear as the primary resource in multiple exposure findings simultaneously": A resource can be the primary resource in at most ONE exposure finding at a time

Security Hub vs. The Lookalikes

Service: what it actually answers
  • vs AWS Config: Config evaluates individual resource configuration against custom/managed rules generally. Security Hub CSPM packages this concept into standardized, scored compliance frameworks (CIS/PCI/NIST/FSBP) specifically
  • vs Amazon Detective: Security Hub aggregates and correlates findings org-wide to tell you WHAT to prioritize (exposure findings). Detective performs deep, graph-based investigation to tell you WHY/HOW once you've decided what to investigate. Used together in sequence, not interchangeably
  • vs GuardDuty Extended Threat Detection: ETD correlates findings WITHIN GuardDuty itself (behavioral signals only) into an Attack Sequence finding. Security Hub's exposure findings correlate ACROSS services (GuardDuty + Inspector + Macie + CSPM): broader scope, different services involved
  • vs AWS Audit Manager: Audit Manager collects and organizes evidence to support a specific audit/compliance framework reporting process. Security Hub CSPM continuously evaluates and scores compliance in near real-time as part of day-to-day security operations: different purposes, sometimes used together
