CoursesAWS security engineeringThreat detection & findings

Security Hub & standards

Aggregate, normalize, and score against CIS/FSBP.

Advanced30 min · lesson 5 of 15

Turn on enough AWS security services and you drown in findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and Config — each in its own console, its own format. Security Hub is the aggregation layer that makes that volume actionable.

Aggregate, normalize, score

Security Hub ingests findings from AWS services and partners into one normalized schema (ASFF), deduplicates them, and gives each a severity and a single cross-account view. On top of aggregation it runs standards checks — CIS AWS Foundations, AWS Foundational Security Best Practices, PCI — continuously scoring your posture against known benchmarks and telling you which controls are failing where.

central posture, auto-enabled across the org
# Designate a delegated admin and enable Security Hub org-wide.
aws securityhub enable-organization-admin-account --admin-account-id 333333333333
aws securityhub update-organization-configuration --auto-enable
# Subscribe to the standards you must evidence:
aws securityhub batch-enable-standards --standards-subscription-requests \
'[{"StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"}]'

From dashboard to workflow

Aggregation only pays off when findings drive work. Use Security Hub’s finding aggregation region for a global view, custom insights to slice by team or resource, and EventBridge to route high-severity or specific control failures into ticketing and automated remediation. Suppress the known-benign with automation rules so responders see signal, not noise — alert quality is a first-class concern, not an afterthought.

Findings converge and drive action
1GuardDuty · Inspector · Macie · Config
sources
2Security Hub
normalize (ASFF), dedupe, score
3standards checks
CIS / FSBP / PCI posture
4EventBridge → SOAR/ticketing
prioritized response
One pane, one schema, one severity model — then automation turns the highest-signal findings into work.
Standards score is a starting line, not a finish
A high FSBP/CIS score means the automated checks pass — it does not prove your architecture is sound or your custom risks are covered. Treat the score as a floor to maintain while you invest in the threat-specific controls no benchmark checks.