
Security Hub



πŸ” What is AWS Security Hub?

AWS Security Hub is a security posture management service that centralizes and automates security checks, aggregates findings from AWS services and partner tools, and helps you monitor compliance using industry standards like CIS AWS Foundations Benchmark, PCI-DSS, etc.


🧱 1. Enable AWS Security Hub

✅ Steps:

  1. Go to AWS Console > Security Hub
  2. Click Enable Security Hub
  3. (Optional) Choose the standards to enable:
     • CIS AWS Foundations Benchmark
     • PCI DSS
     • AWS Foundational Security Best Practices

πŸ“ You can enable it via CLI:

aws securityhub enable-security-hub \
  --standards-subscription-requests \
  StandardsArn="arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"

🔌 2. Integrate AWS Services

Security Hub integrates with:

  • Amazon GuardDuty (threat detection)
  • AWS Config (resource compliance)
  • Amazon Macie (sensitive data detection)
  • IAM Access Analyzer
  • Amazon Inspector (vulnerabilities)
  • AWS Firewall Manager

Enable each service in its own console or via CLI.

Example for GuardDuty (this command designates a delegated administrator account for GuardDuty across an AWS Organization; run it from the management account):

aws guardduty enable-organization-admin-account --admin-account-id <your-admin-id>

🧰 3. Integrate Third-Party Tools

Security Hub supports partner tools like:

  • Palo Alto
  • Trend Micro
  • CrowdStrike
  • Splunk
  • Check Point

Go to Security Hub > Integrations, and select third-party products to enable integration.


πŸ” 4. Viewing and Managing Findings

  1. Go to Security Hub > Findings
  2. Use filters: severity, compliance status, resource type, etc.
  3. Findings are normalized using the AWS Security Finding Format (ASFF)

βš™οΈ 5. Automate Response with AWS Lambda

Use EventBridge + Lambda to automate remediation.

Example: Stop non-compliant EC2

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": ["FAILED"]
      }
    }
  }
}

The Lambda function triggered by this rule can then tag, stop, or quarantine the EC2 instance referenced in the finding.
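As an added example (not code from the original tutorial), here is a Lambda handler for the rule above. It reads the findings carried in the `detail.findings` array of the event, keeps only FAILED findings that reference an `AwsEc2Instance` resource, and tags and stops those instances. The tag key, the `dry_run` switch and the sample event are assumptions constructed for this example; the ASFF field names (`Compliance.Status`, `Resources[].Type`, `Resources[].Id`) are the real ones.

```python
"""Lambda remediation for 'Security Hub Findings - Imported' events.

Added example, not part of the original tutorial. The tag name, the dry_run
switch and SAMPLE_EVENT below are constructed for illustration.
"""

# Tag applied to quarantined instances so they are easy to find later (assumed name).
QUARANTINE_TAG = {"Key": "SecurityHubQuarantine", "Value": "true"}


def instance_ids_from_event(event):
    """Return the EC2 instance IDs named in FAILED findings of an EventBridge event.

    The rule already filters on Compliance.Status == FAILED, but the check is
    repeated here so the handler stays safe if the rule is later broadened.
    Only AwsEc2Instance resources are acted on; all other resource types are ignored.
    """
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue
        for resource in finding.get("Resources", []):
            if resource.get("Type") != "AwsEc2Instance":
                continue
            # In ASFF the resource Id is the ARN: arn:aws:ec2:<region>:<acct>:instance/i-...
            arn = resource.get("Id", "")
            instance_id = arn.rsplit("/", 1)[-1]
            if instance_id.startswith("i-"):
                ids.append(instance_id)
    return sorted(set(ids))


def quarantine(instance_ids, ec2=None, dry_run=True):
    """Tag and stop the given instances. With dry_run=True nothing is called."""
    if not instance_ids:
        return []
    if dry_run:
        return instance_ids
    if ec2 is None:
        import boto3  # imported lazily so the parsing logic runs without boto3
        ec2 = boto3.client("ec2")
    ec2.create_tags(Resources=instance_ids, Tags=[QUARANTINE_TAG])
    ec2.stop_instances(InstanceIds=instance_ids)
    return instance_ids


def lambda_handler(event, context):
    """Entry point configured on the Lambda function (runs for real, no dry run)."""
    return {"stopped": quarantine(instance_ids_from_event(event), dry_run=False)}


# Constructed sample event in the shape EventBridge delivers for the rule above.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {
        "findings": [
            {   # failed control on an instance -> acted on
                "Compliance": {"Status": "FAILED"},
                "Resources": [{"Type": "AwsEc2Instance",
                               "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456"}],
            },
            {   # passing control -> ignored
                "Compliance": {"Status": "PASSED"},
                "Resources": [{"Type": "AwsEc2Instance",
                               "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0fff000aaa111"}],
            },
            {   # failed control on a bucket -> not an EC2 instance, ignored
                "Compliance": {"Status": "FAILED"},
                "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
            },
        ]
    },
}

if __name__ == "__main__":
    print(quarantine(instance_ids_from_event(SAMPLE_EVENT)))  # dry run, prints ['i-0abc123def456']
```

The Lambda execution role needs only `ec2:CreateTags` and `ec2:StopInstances`; scoping the stop permission with a condition on the quarantine tag is a reasonable way to keep the function from stopping anything it has not first tagged.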


📊 6. Enable Compliance Standards

Go to Security Hub > Compliance to see results of standard checks like:

  • CIS AWS Foundations
  • PCI-DSS
  • AWS Best Practices

You can disable non-relevant controls.


🧪 7. Create Custom Insights

  1. Go to Insights > Create Insight
  2. Filter by severity, resource type, account ID, etc.
  3. Save the query for dashboard monitoring.

📥 8. Export Findings

CLI:

aws securityhub get-findings > findings.json

Python (Boto3):

import boto3
client = boto3.client('securityhub')
# get_findings returns at most 100 findings per call; the paginator follows NextToken
paginator = client.get_paginator('get_findings')
findings = [f for page in paginator.paginate() for f in page['Findings']]

You can also set up a Lambda to send filtered findings to S3.
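As an added example (not code from the original tutorial), the following script shows the pieces such an export Lambda needs: an ASFF `Filters` dictionary that keeps only active, unresolved HIGH and CRITICAL findings, paginated retrieval through the `get_findings` paginator, a per-severity and per-resource-type summary, and serialisation as newline-delimited JSON ready for S3 (and from there for Athena, Splunk, or ELK). The bucket and key names, the helper function names and the sample findings are assumptions constructed for this example.

```python
"""Export filtered Security Hub findings as NDJSON, optionally to S3.

Added example, not part of the original tutorial. Function names, the S3
bucket/key and SAMPLE_FINDINGS are constructed for illustration.
"""
import json
from collections import Counter


def export_filters(labels=("HIGH", "CRITICAL")):
    """ASFF filter: active records, workflow NEW or NOTIFIED, severity in `labels`."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [
            {"Value": "NEW", "Comparison": "EQUALS"},
            {"Value": "NOTIFIED", "Comparison": "EQUALS"},
        ],
        "SeverityLabel": [{"Value": lab, "Comparison": "EQUALS"} for lab in labels],
    }


def fetch_all_findings(client, filters):
    """Page through get_findings (max 100 per call) and return every finding."""
    findings = []
    for page in client.get_paginator("get_findings").paginate(Filters=filters):
        findings.extend(page["Findings"])
    return findings


def summarize(findings):
    """Count findings per severity label and per affected resource type."""
    by_severity = Counter(f.get("Severity", {}).get("Label", "UNKNOWN") for f in findings)
    by_type = Counter(r.get("Type", "UNKNOWN")
                      for f in findings for r in f.get("Resources", []))
    return {"by_severity": dict(by_severity), "by_resource_type": dict(by_type)}


def to_ndjson(findings):
    """One compact JSON object per line, the layout Athena and most SIEMs ingest directly."""
    return "".join(json.dumps(f, separators=(",", ":"), sort_keys=True) + "\n"
                   for f in findings)


def export_to_s3(bucket, key, filters=None):
    """Full pipeline against live AWS (needs credentials and boto3); returns the summary."""
    import boto3  # imported lazily so the offline parts run without boto3
    findings = fetch_all_findings(boto3.client("securityhub"), filters or export_filters())
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=to_ndjson(findings).encode())
    return summarize(findings)


# Constructed sample findings (a subset of ASFF fields) for offline use.
SAMPLE_FINDINGS = [
    {"Id": "finding-1", "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    {"Id": "finding-2", "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456"}]},
    {"Id": "finding-3", "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::other-bucket"}]},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    print(to_ndjson(SAMPLE_FINDINGS), end="")
    # export_to_s3("my-findings-bucket", "securityhub/findings.ndjson")  # live run
```

Filtering server-side with `Filters` rather than downloading everything and filtering locally keeps the export small and avoids pulling the many PASSED control findings a standard generates. Keeping `WorkflowStatus` to NEW and NOTIFIED also drops findings that have already been marked SUPPRESSED or RESOLVED.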


🧠 9. Best Practices

  • Use AWS Organizations for centralized management
  • Enable auto-enable for new accounts
  • Integrate with SIEMs like Splunk/ELK
  • Regularly review insights and findings
  • Suppress known false positives

πŸ›‘οΈ 10. Pricing

  • Charged per security check per resource
  • Charged per finding ingestion
  • First 30 days free

Use the AWS Pricing Calculator for estimates.


🛑 11. How to Disable AWS Security Hub

✅ Via Console:

  1. Go to Security Hub > Settings
  2. Scroll to the bottom
  3. Click Disable Security Hub

✅ Via CLI:

aws securityhub disable-security-hub

⚠️ Note:

  • This removes all findings, insights, and standard subscriptions.
  • You can re-enable Security Hub later, but previous data won't be recovered.