How I use AWS Security Hub

Michael Wittig – 28 Apr 2021

AWS Security Hub provides a centralized and org-wide overview of how well you are doing in terms of security. Security Hub follows two strategies to collect the needed information: First, Security Hub runs checks based on security standards. Second, Security Hub integrates with other AWS services such as GuardDuty, Inspector, and many more. In this blog post, I show you how I use Security Hub to improve the security of my AWS accounts.

How I use AWS Security Hub

To get started with Security Hub, I recommend enabling at least one security standard.

Complying with security standards

I prefer the AWS Foundational Security Best Practices security standard. It covers many areas and services. I recommend starting with a single security standard so that you are not overwhelmed with findings. Once you reach a security score of around 80%, think twice about whether you really need to enable another security standard.

Dealing with false positives

Any security tool will generate false positives. Security Hub provides two ways to deal with false positives.

You can disable a control entirely. I usually disable [IAM.6] Hardware MFA should be enabled for the root user because it doesn’t make much sense in an AWS Organizations setup. Learn more about disabling a control.


You can suppress a finding. Sometimes, you need an S3 bucket to be public. The control [S3.2] S3 buckets should prohibit public read access will flag that bucket as insecure. You can whitelist the finding by setting its workflow status to SUPPRESSED; the bucket stays public, but the finding no longer counts against you.
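The following script is an added example, not code from the original post or from cloudonaut. It works on findings in the AWS Security Finding Format (ASFF) that GetFindings returns: it counts the open failed findings per control (the backlog to work through) and then builds the BatchUpdateFindings request that suppresses [S3.2] findings only for buckets on an explicit allow-list, recording who suppressed them and why. The account ID, bucket names and finding UUIDs in the sample are constructed; the `apply_suppressions` helper is the only part that talks to AWS and is never called by the offline run.

```python
"""Triage Security Hub findings offline and prepare targeted suppressions.

Added example (not the post's code). Findings are ASFF dicts as returned by
securityhub.get_findings. Account ID 111122223333, bucket names and finding
UUIDs below are constructed sample data.
"""
from collections import Counter

# Product ARN under which Security Hub emits its own standards-control findings.
SECURITY_HUB_PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
FSBP = "aws-foundational-security-best-practices/v/1.0.0"


def _finding(control, resource_id, status="FAILED", workflow="NEW", uid="1"):
    """Build one constructed ASFF finding for the FSBP control `control`."""
    return {
        "Id": f"arn:aws:securityhub:us-east-1:111122223333:subscription/{FSBP}/{control}/finding/{uid}",
        "ProductArn": SECURITY_HUB_PRODUCT_ARN,
        "GeneratorId": f"{FSBP}/{control}",
        "Compliance": {"Status": status},
        "Workflow": {"Status": workflow},
        "Resources": [{"Id": resource_id}],
    }


# Constructed sample: two public buckets, one of them intentionally public,
# plus unrelated IAM/EC2 findings and one finding that is already suppressed.
SAMPLE_FINDINGS = [
    _finding("S3.2", "arn:aws:s3:::public-website-assets", uid="a1"),
    _finding("S3.2", "arn:aws:s3:::customer-exports", uid="a2"),
    _finding("S3.2", "arn:aws:s3:::build-logs", status="PASSED", uid="a3"),
    _finding("IAM.6", "AWS::::Account:111122223333", uid="b1"),
    _finding("EC2.6", "AWS::::Account:111122223333", uid="c1"),
    _finding("S3.2", "arn:aws:s3:::public-website-assets", workflow="SUPPRESSED", uid="a4"),
]

OPEN_STATUSES = ("NEW", "NOTIFIED")


def control_id(finding):
    """'aws-foundational-security-best-practices/v/1.0.0/S3.2' -> 'S3.2'."""
    return finding["GeneratorId"].rsplit("/", 1)[-1]


def is_open_failure(finding):
    """A failed check nobody has resolved or suppressed yet."""
    return (finding["Compliance"]["Status"] == "FAILED"
            and finding["Workflow"]["Status"] in OPEN_STATUSES)


def failed_by_control(findings):
    """Count open failed findings per control: the backlog to work through."""
    return Counter(control_id(f) for f in findings if is_open_failure(f))


def suppression_candidates(findings, control, allowed_resources):
    """Open failures of `control` whose resource is explicitly allow-listed.

    Restricting suppression to a named allow-list means a *new* public bucket
    still shows up as a NEW finding instead of being silenced wholesale.
    """
    return [f for f in findings
            if control_id(f) == control
            and is_open_failure(f)
            and f["Resources"][0]["Id"] in allowed_resources]


def suppression_requests(findings, note, updated_by):
    """Keyword-argument dicts for securityhub.batch_update_findings.

    The API accepts at most 100 finding identifiers per call, so the
    identifiers are chunked. The note is mandatory bookkeeping: it records
    who accepted the risk and why, which is what an auditor asks for later.
    """
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    return [{
        "FindingIdentifiers": identifiers[i:i + 100],
        "Workflow": {"Status": "SUPPRESSED"},
        "Note": {"Text": note, "UpdatedBy": updated_by},
    } for i in range(0, len(identifiers), 100)]


def apply_suppressions(requests):
    """Send the prepared requests to AWS. Requires boto3 and credentials."""
    import boto3  # imported here so the offline triage runs without boto3
    client = boto3.client("securityhub")
    return [client.batch_update_findings(**kwargs) for kwargs in requests]


if __name__ == "__main__":
    for control, count in failed_by_control(SAMPLE_FINDINGS).most_common():
        print(f"{control}: {count} open failed finding(s)")
    allow = {"arn:aws:s3:::public-website-assets"}
    reqs = suppression_requests(
        suppression_candidates(SAMPLE_FINDINGS, "S3.2", allow),
        note="Intentionally public: static website bucket, reviewed 2021-04",
        updated_by="security-team",
    )
    print(f"{len(reqs)} BatchUpdateFindings call(s) prepared; not sent (offline run)")
```

Run it as-is to see the per-control backlog and the prepared request; to actually suppress, pass the result of `suppression_requests` to `apply_suppressions` with credentials for the Security Hub administrator account. Findings that are already SUPPRESSED or RESOLVED are skipped so that re-running the script is idempotent.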

How I use Security Hub

In the following video, I demo how I use Security Hub. I also share two pitfalls with you:

  • Security Score in orgs
  • IAM Unknown error

Integration with other AWS services

AWS Security Hub integrates with a bunch of other AWS services. You can forward all the findings from those services to Security Hub for a centralized view.

The following services are supported:

  • Amazon Inspector
  • Amazon GuardDuty
  • IAM Access Analyzer
  • AWS Systems Manager Patch Manager
  • AWS Firewall Manager
  • Amazon Macie

I recommend enabling integrations one after another. Nothing is more frustrating than a million findings that no one resolves! Think twice before enabling one of those services: it only provides value if you have the capacity to resolve the findings it produces.


Feedback? Questions? You can reach me via Email, Twitter, or LinkedIn.