AWS Security Hub
🔄 Major Service Evolution (Dec 2025 – 2026)
AWS Security Hub has been significantly reimagined. The original Security Hub is now called AWS Security Hub CSPM (Cloud Security Posture Management), while the new AWS Security Hub is a unified cloud security operations solution that correlates findings across multiple AWS security services. Both services complement each other and are recommended to be used together.
- AWS Security Hub is a unified cloud security operations solution that prioritizes critical security issues and helps respond at scale by correlating and enriching signals across multiple AWS security services.
- provides near real-time risk analytics, trends, unified enablement, streamlined pricing, and automated correlation that transforms security signals into actionable insights.
- automatically aggregates and correlates signals from Amazon GuardDuty, Amazon Inspector, AWS Security Hub CSPM, and Amazon Macie, organizing them by threats, exposures, resources, and security coverage.
- AWS Security Hub CSPM (previously known as Security Hub) performs security best practice checks, aggregates alerts, and enables automated remediation.
- collects security data from across AWS accounts, services, and supported third-party partner products and helps analyze the security trends and identify the highest priority security issues.
- is Regional and only receives and processes findings from the Region where it is enabled. However, it supports cross-Region aggregation of findings, resources, and trends from multiple AWS Regions into a single home Region.
- must be enabled in each region to view findings in that region.
- Security Hub CSPM automatically runs continuous, account-level configuration and security checks based on AWS best practices and industry standards which include
- CIS AWS Foundations Benchmark (supports versions 5.0.0, 3.0.0, 1.4.0, and 1.2.0)
- Payment Card Industry Data Security Standard (PCI DSS)
- AWS Foundational Security Best Practices
- NIST SP 800-53 Revision 5
- can consume, aggregate, organize, and prioritize findings from
- AWS services like
- Amazon GuardDuty,
- Amazon Inspector,
- Amazon Macie,
- AWS IAM Access Analyzer,
- AWS Firewall Manager
- other supported third-party partner products.
- consolidates the security findings across accounts and provider products and displays results on the Security Hub console.
- supports integration with Amazon EventBridge. Custom actions can be defined when a finding is received.
- supports integration with Jira and ServiceNow for incident management workflows, including automated ticket creation based on finding criteria.
- only detects and consolidates findings that are generated after Security Hub is enabled; findings produced before enablement are not backfilled.
- has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
- uses service-linked AWS Config rules to perform most of its security checks for controls. AWS Config must be enabled on all accounts – both the administrator account and member accounts – in each Region where Security Hub is enabled, and it must be recording the resource types the enabled controls evaluate; a control whose resource type is not recorded cannot produce a result.
- works with a service-linked role named AWSServiceRoleForSecurityHub, which includes the permissions and trust policy to do the following:
- Detect and aggregate findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie
- Configure the requisite AWS Config infrastructure to run security checks for the supported standards
- the unified Security Hub exposes its findings in the Open Cybersecurity Schema Framework (OCSF) format for partner integrations, so security tools can consume them without a custom schema; Security Hub CSPM uses the AWS Security Finding Format (ASFF) for control findings.
Security Hub Plans
- Security Hub uses a streamlined, resource-based pricing model with the following plans:
Essentials Plan (Default)
- The Essentials plan is the default level of coverage included with Security Hub.
- Consolidates Security Hub, Amazon Inspector, and Security Hub CSPM into a single per-resource price with unlimited scans.
- Provides risk analytics, vulnerability management, security posture management, and workflow automation.
- Includes:
- Risk and exposure analytics
- Resource inventory
- Workflow automation and automation rules
- Finding ingestion events
- EC2 vulnerability scanning (agent-based and agentless)
- ECR container image vulnerability scanning
- Lambda function vulnerability scanning
- EC2 CIS Benchmark assessments
- Posture management (CSPM)
- Resource unit ratios: 1 EC2 = 1 unit | 12 Lambda = 1 unit | 18 ECR images = 1 unit | 125 IAM users/roles = 1 unit
- Includes a 30-day free trial for all customers.
Threat Analytics (Add-on)
- Adds automated threat detection powered by Amazon GuardDuty across CloudTrail, VPC, DNS, S3, EKS, and Lambda.
- Usage-based pricing on events and log volume.
- Requires the Essentials plan.
- Includes EC2/EBS malware protection at no additional charge.
Extended Plan (Add-on)
- Adds curated enterprise partner solutions across 9 security categories: endpoint, identity, email, network, data, browser, cloud, AI, and security operations.
- Pay-as-you-go pricing with no upfront commitment.
- Includes 21 curated partner solutions from providers such as CrowdStrike, SentinelOne, Okta, CyberArk, Proofpoint, Splunk, Zscaler, Varonis, and others.
- Simplifies procurement with consolidated billing through AWS.
- Extends protection beyond AWS to multicloud and on-premises environments.
- Eligible for Enterprise Discount Program (EDP) credits.
Security Hub Key Features
Near Real-Time Risk Analytics and Exposure Correlation
- Security Hub calculates exposures in near real-time by correlating findings from Security Hub CSPM, Amazon Inspector, Amazon Macie, and Amazon GuardDuty.
- Automatically correlates findings to identify when multiple security issues combine to create critical risk (e.g., public EC2 instance with vulnerabilities and misconfigurations).
- Provides potential attack path visualization showing how attackers could access and control resources.
- Enriches security signals with context by analyzing resource associations, potential impact, and relationships.
- Exposure findings include contributing traits categorized as Reachability, Vulnerability, Sensitive data, Misconfiguration, and Assumability.
- Provides prioritized remediation guidance with links to documentation.
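The correlation described above, as an added example that is not AWS's implementation or data: a handful of constructed ASFF-shaped findings from Inspector, Security Hub CSPM and Macie are grouped per resource, classified into the contributing traits the page lists, and turned into a prioritized exposure only when reachability combines with at least one weakness. The mapping from ASFF `Types` prefixes to traits, the severity rule, the account ID and the ARNs are assumptions made for illustration.

```python
"""Simplified exposure correlation over Security Hub findings (illustrative)."""
from collections import defaultdict

# Map an ASFF "Types" entry to a contributing trait, most specific prefix first.
# Assumption: an illustrative mapping, not AWS's own.
TRAIT_BY_TYPE_PREFIX = (
    ("Software and Configuration Checks/AWS Security Best Practices/Network Reachability", "Reachability"),
    ("Software and Configuration Checks/Vulnerabilities", "Vulnerability"),
    ("Sensitive Data Identifications", "Sensitive data"),
    ("Software and Configuration Checks/AWS Security Best Practices/IAM", "Assumability"),
    ("Software and Configuration Checks", "Misconfiguration"),
)
WEAKNESS_TRAITS = {"Vulnerability", "Misconfiguration", "Sensitive data", "Assumability"}

ACCOUNT = "111122223333"  # placeholder account ID used in the constructed ARNs
EC2_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0example"
BUCKET_ARN = "arn:aws:s3:::example-reports"
LAMBDA_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:example-fn"

# Constructed ASFF-shaped findings; only the fields the correlation reads are present.
SAMPLE_FINDINGS = [
    {"ProductName": "Inspector", "Title": "Port 22 reachable from the internet",
     "Severity": {"Label": "MEDIUM"},
     "Types": ["Software and Configuration Checks/AWS Security Best Practices/Network Reachability"],
     "Resources": [{"Type": "AwsEc2Instance", "Id": EC2_ARN}]},
    {"ProductName": "Inspector", "Title": "Known vulnerability in an installed package",
     "Severity": {"Label": "HIGH"},
     "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
     "Resources": [{"Type": "AwsEc2Instance", "Id": EC2_ARN}]},
    {"ProductName": "Security Hub", "Title": "EC2 instances should use IMDSv2",
     "Severity": {"Label": "HIGH"},
     "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
     "Resources": [{"Type": "AwsEc2Instance", "Id": EC2_ARN}]},
    {"ProductName": "Macie", "Title": "Sensitive data found in S3 object",
     "Severity": {"Label": "HIGH"},
     "Types": ["Sensitive Data Identifications/PII/Personal"],
     "Resources": [{"Type": "AwsS3Bucket", "Id": BUCKET_ARN}]},
    {"ProductName": "Inspector", "Title": "Known vulnerability in a function dependency",
     "Severity": {"Label": "MEDIUM"},
     "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
     "Resources": [{"Type": "AwsLambdaFunction", "Id": LAMBDA_ARN}]},
]


def traits_for(finding):
    """Return the set of contributing traits implied by a finding's ASFF Types."""
    traits = set()
    for asff_type in finding.get("Types", []):
        for prefix, trait in TRAIT_BY_TYPE_PREFIX:
            if asff_type.startswith(prefix):
                traits.add(trait)
                break
    return traits


def correlate(findings):
    """Group findings by resource and emit prioritized exposures.

    Rule (assumption): an exposure exists when the resource is Reachable and
    carries at least one weakness trait. Reachability plus a Vulnerability is
    rated CRITICAL; reachability plus any other weakness is HIGH.
    """
    by_resource = defaultdict(lambda: {"type": None, "traits": set(), "findings": []})
    for finding in findings:
        for resource in finding.get("Resources", []):
            entry = by_resource[resource["Id"]]
            entry["type"] = resource.get("Type")
            entry["traits"] |= traits_for(finding)
            entry["findings"].append(finding["Title"])

    exposures = []
    for resource_id, entry in by_resource.items():
        weaknesses = entry["traits"] & WEAKNESS_TRAITS
        if "Reachability" not in entry["traits"] or not weaknesses:
            continue  # isolated findings stay ordinary findings, not exposures
        severity = "CRITICAL" if "Vulnerability" in weaknesses else "HIGH"
        exposures.append({
            "resource": resource_id,
            "resource_type": entry["type"],
            "severity": severity,
            "traits": sorted(entry["traits"]),
            "contributing_findings": entry["findings"],
        })
    # CRITICAL first, then a stable order by resource id
    exposures.sort(key=lambda e: (e["severity"] != "CRITICAL", e["resource"]))
    return exposures


if __name__ == "__main__":
    for exposure in correlate(SAMPLE_FINDINGS):
        print(exposure["severity"], exposure["resource"], exposure["traits"])
```

With the sample data only the EC2 instance becomes an exposure: it is reachable, vulnerable and misconfigured at once. The bucket holding sensitive data and the vulnerable Lambda function each carry a single trait and stay ordinary findings, which is the prioritization effect the correlation is meant to give.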
Summary Dashboard and Historical Trends
- Provides a Summary dashboard with customizable widgets showing exposures, threats, resources, and security coverage.
- Trends feature provides up to 1 year of historical data for findings and resources across the organization.
- Includes period-over-period analysis: day-over-day, week-over-week, and month-over-month comparisons.
- Security coverage widget tracks which accounts and Regions have security services enabled, identifying visibility gaps.
- Supports shared filters, finding filters, and resource filters with saved filter sets using and/or operators.
Automation Rules
- Automation rules automatically update finding fields, suppress findings, and send findings to ticketing tools in near real-time.
- Can automatically create tickets in Jira Service Management and ServiceNow based on criteria such as severity, resource type, or finding type.
- Can be created from scratch or using pre-populated rule templates.
- Supports automated response workflows through Amazon EventBridge to route findings to Lambda functions or AWS Systems Manager Automation runbooks.
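The EventBridge custom action and automation-rule behaviour described above (and in the integration bullets earlier on this page), as an added example that is not AWS's code: an EventBridge pattern routes imported findings to a Lambda handler, which evaluates an ordered, terminal-aware rule set against each ASFF finding and folds the matches into a BatchUpdateFindings request plus an optional ticket payload. The rules, tag values, account ID, product ARN and ticket fields are assumptions; the request is returned, not sent.

```python
"""Automation-rule style handling of a Security Hub finding event (illustrative)."""

# EventBridge rule pattern for the Lambda target. Assumption: only HIGH and
# CRITICAL findings are routed. Security Hub places the ASFF findings under
# "detail.findings" in the event.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

# Rules evaluate in order; a terminal rule stops further matching, as with
# Security Hub automation rules. All criteria and actions are assumed.
RULES = [
    {"order": 1, "name": "suppress-sandbox", "terminal": True,
     "criteria": {"resource_tag": ("environment", "sandbox")},
     "action": {"workflow": "SUPPRESSED", "note": "Sandbox resource; suppressed by rule"}},
    {"order": 2, "name": "ticket-ec2-vulnerabilities", "terminal": False,
     "criteria": {"resource_type": "AwsEc2Instance",
                  "type_prefix": "Software and Configuration Checks/Vulnerabilities",
                  "severity": {"HIGH", "CRITICAL"}},
     "action": {"ticket": True, "workflow": "NOTIFIED"}},
    {"order": 3, "name": "raise-prod-severity", "terminal": True,
     "criteria": {"resource_tag": ("environment", "prod"), "severity": {"HIGH"}},
     "action": {"severity": "CRITICAL", "note": "Production resource; severity raised by rule"}},
]

PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/inspector"  # sample provider ARN


def matches(rule, finding):
    """Return True when every criterion in the rule holds for the finding."""
    c = rule["criteria"]
    resources = finding.get("Resources", [])
    if "severity" in c and finding["Severity"]["Label"] not in c["severity"]:
        return False
    if "resource_type" in c and not any(r.get("Type") == c["resource_type"] for r in resources):
        return False
    if "type_prefix" in c and not any(t.startswith(c["type_prefix"]) for t in finding.get("Types", [])):
        return False
    if "resource_tag" in c:
        key, value = c["resource_tag"]
        if not any(r.get("Tags", {}).get(key) == value for r in resources):
            return False
    return True


def apply_rules(finding):
    """Fold matching rules into one BatchUpdateFindings entry plus an optional ticket."""
    update = {"FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}]}
    ticket = None
    for rule in sorted(RULES, key=lambda r: r["order"]):
        if not matches(rule, finding):
            continue
        action = rule["action"]
        if "workflow" in action:
            update["Workflow"] = {"Status": action["workflow"]}
        if "severity" in action:
            update["Severity"] = {"Label": action["severity"]}
        if "note" in action:
            update["Note"] = {"Text": action["note"], "UpdatedBy": rule["name"]}
        if action.get("ticket"):
            ticket = {"summary": finding["Title"], "severity": finding["Severity"]["Label"],
                      "resource": finding["Resources"][0]["Id"], "finding_id": finding["Id"]}
        if rule["terminal"]:
            break
    return update, ticket


def handler(event, context=None):
    """Lambda entry point: process every finding carried by the EventBridge event."""
    updates, tickets = [], []
    for finding in event["detail"]["findings"]:
        update, ticket = apply_rules(finding)
        updates.append(update)
        if ticket:
            tickets.append(ticket)
    # A real function would now call securityhub.batch_update_findings(**update)
    # for each entry (at most 100 findings per call) and post the tickets.
    return {"updates": updates, "tickets": tickets}


def _finding(fid, severity, env):
    """Build a constructed ASFF finding for an EC2 instance tagged with `env`."""
    return {"Id": fid, "ProductArn": PRODUCT_ARN,
            "Title": "Known vulnerability in an installed package",
            "Severity": {"Label": severity},
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": f"arn:aws:ec2:us-east-1:111122223333:instance/{fid}",
                           "Tags": {"environment": env}}]}


# Constructed event shaped like the one EventBridge delivers for Security Hub findings.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [_finding("i-sandbox01", "CRITICAL", "sandbox"),
                            _finding("i-prod01", "HIGH", "prod")]},
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The sandbox finding hits the terminal suppress rule first, so it is never ticketed even though it is CRITICAL. The production finding is not suppressed, gets a ticket and a NOTIFIED workflow status from the non-terminal rule, and then has its severity raised by the next rule; that chaining is why rule order and the terminal flag matter when you write real automation rules.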
Central Configuration
- Allows centralized management of Security Hub across multiple accounts from a delegated administrator account.
- Enables setting policies that specify whether Security Hub should be enabled and which standards and controls should be activated.
- Policies can be applied to specific accounts, organizational units (OUs), or the entire organization.
Cross-Region Aggregation
- Aggregates findings, finding updates, insights, control compliance statuses, security scores, and trends from multiple AWS Regions into a single home Region.
- Can automatically link future Regions as they become available.
- Supports GovCloud (US) regions.
- Delegated administrator accounts see data for both administrator and member accounts.
Consolidated Controls and Findings
- Provides a consolidated controls view showing compliance status across all enabled standards.
- Generates a single finding per security check per resource, reducing duplicate findings across standards.
- Controls are organized by unique control IDs rather than by standard.
Multicloud Security Operations (2026)
- AWS Security Hub is expanding to unify security operations across multicloud environments.
- Extended plan enables protection across AWS, Azure, GCP, OCI, and on-premises environments through curated partner solutions.
- Provides unified procurement, billing, and operations across security vendors.
Security Hub Integrations
- AWS Services: Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager, AWS Config, Amazon Detective, AWS Systems Manager, AWS Audit Manager
- Ticketing: Jira Service Management, ServiceNow
- SIEM/SOAR: Splunk, CrowdStrike, Datadog, Dynatrace, Securonix, SentinelOne, Sumo Logic
- Automation: Amazon EventBridge, AWS Lambda, AWS Systems Manager Automation, Tines
- Data/Schema: OCSF format for partner integrations; ASFF for Security Hub CSPM control findings
- Partner Ecosystem (Extended Plan): 21+ partners across endpoint, identity, email, network, data, browser, cloud, AI, and security operations categories

AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- A security engineer has been asked to continuously monitor the company’s AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks. How can the security engineer accomplish this using AWS services?
- AWS Config + AWS Security Hub
- Amazon Inspector + AWS GuardDuty
- Amazon Inspector + AWS Shield
- AWS Config + Amazon Inspector
- A company wants to unify its security operations across multiple AWS accounts and automatically correlate findings from threat detection, vulnerability management, and security posture services. Which AWS service provides this unified security operations experience?
- Amazon GuardDuty
- Amazon Inspector
- AWS Security Hub
- AWS Config
- A security team needs to identify their most critical security risks by understanding when multiple security issues (vulnerabilities, misconfigurations, and threats) combine to create exploitable exposures. Which Security Hub feature provides this capability?
- Security standards
- Automation rules
- Near real-time risk analytics and exposure correlation
- Cross-Region aggregation
- An organization wants to consolidate billing for Amazon Inspector vulnerability scanning, Security Hub CSPM posture management, and risk analytics into a single predictable pricing model. Which Security Hub plan should they use?
- Extended plan
- Threat Analytics add-on
- Essentials plan
- Standard plan
- A multinational company operates across 10 AWS Regions and wants to view all security findings from a single location without manually checking each region. Which Security Hub feature should they enable?
- Central configuration
- Automation rules
- Cross-Region aggregation
- Delegated administrator
- A company wants to extend its AWS Security Hub protection to cover endpoint security, identity management, and email security across both AWS and other cloud providers. Which Security Hub offering should they use?
- Security Hub Essentials plan
- Security Hub CSPM
- Security Hub Threat Analytics
- Security Hub Extended plan
- Which of the following accurately describes the relationship between AWS Security Hub and AWS Security Hub CSPM?
- They are the same service with different names
- Security Hub CSPM is a newer replacement for Security Hub
- Security Hub CSPM focuses on posture management and best practice checks, while Security Hub provides unified security operations with risk correlation
- Security Hub is only for threat detection while CSPM handles all other security functions