
AWS Security Hub centralizes an organization's cloud security view

AWS Security Hub consolidates an admin's sprawl of cloud assets into dashboards for better security insights. But its resource limitations may blunt its effectiveness, for now.

Public cloud computing is based on an increasingly complex mesh of complementary -- and separate -- services and resources. That complexity can create challenges for organizations, especially those with large cloud footprints.

An AWS workload will typically include a host of components, such as compute instances, storage, monitoring, networking and databases, each of which must be properly deployed and configured. When vital settings are overlooked or unevenly applied, these complex, interrelated environments can pose serious threats to security and compliance. Alerts help, but too many can bombard administrators.

AWS Security Hub was built to address the complex security problems that can arise in dynamic cloud environments. AWS Security Hub collects, aggregates, analyzes and reports any errors, omissions or trends across AWS services and accounts. The goal is to provide AWS users with a single, comprehensive and prioritized summation of their security and compliance posture.

AWS Security Hub overview

Visibility across accounts is the biggest challenge with cloud security. Organizations need a view that enables them to track how workloads are configured and deployed in order to spot potential vulnerabilities. That's difficult enough in a private data center, but the challenge becomes next to impossible with cloud services that are cobbled together and used by employees across multiple accounts.

AWS Security Hub is meant to provide a centralized view of security and compliance posture. AWS Security Hub is primarily an aggregation and analytics tool that works across AWS services, accounts and even some supported third-party tools. It collects, organizes and analyzes data on all resources and services you consume. The tool checks this data against best practice standards -- rule sets, such as the Center for Internet Security AWS Foundations standard -- to identify oversights or trends and then provides actionable results.

AWS Security Hub delivers two types of information: findings and insights. A finding is a known or identified security issue flagged by AWS security services. These findings can come from vulnerability scans from Amazon Inspector, sensitive data found by Amazon Macie or intrusion detection from Amazon GuardDuty. AWS Security Hub can aggregate findings from third-party integrations, including IBM QRadar Security Information and Event Management, McAfee MVision Cloud for AWS and Symantec Cloud Workload Protection.

An insight reveals a broad area of concern that needs more attention. It's a collection of findings that AWS Security Hub groups and filters into a targeted trend. AWS Security Hub offers several preconfigured insights, such as missing security patches for known vulnerabilities, but users can also set their own custom insights. For example, you can create custom insights to find storage buckets that don't meet preferred practices for your production environment. Administrators can access both findings and insights on the AWS Security Hub dashboard.

AWS Security Hub can operate across AWS accounts, so administrators can develop a comprehensive view of every account in an organization. You can group findings by account so you can address problematic account owners faster and more constructively.
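The custom insight described above (production storage buckets that fail checks, grouped by account), as an added example that is not part of the original article. The `Name`/`Filters`/`GroupByAttribute` structure follows the shape of Security Hub's CreateInsight request; the findings, account IDs, the `env` tag and the local `evaluate` function are constructed here as a simplified stand-in for the service's filtering and grouping, with the 100-result cap as the default.

```python
from collections import Counter

def finding(account, state, status, rtype, env):
    """Build a constructed finding using a small subset of ASFF fields."""
    return {"AwsAccountId": account, "RecordState": state,
            "Compliance": {"Status": status},
            "Resources": [{"Type": rtype, "Id": "constructed-resource",
                           "Tags": {"env": env}}]}

# Constructed sample data; the account IDs are placeholders.
FINDINGS = [
    finding("111111111111", "ACTIVE", "FAILED", "AwsS3Bucket", "production"),
    finding("111111111111", "ACTIVE", "FAILED", "AwsS3Bucket", "production"),
    finding("222222222222", "ACTIVE", "FAILED", "AwsS3Bucket", "production"),
    finding("222222222222", "ACTIVE", "PASSED", "AwsS3Bucket", "production"),
    finding("333333333333", "ACTIVE", "FAILED", "AwsEc2Instance", "production"),
    finding("111111111111", "ARCHIVED", "FAILED", "AwsS3Bucket", "production"),
    finding("333333333333", "ACTIVE", "FAILED", "AwsS3Bucket", "dev"),
]

# Insight definition in the shape of a CreateInsight request body.
INSIGHT = {
    "Name": "Production S3 buckets failing checks",
    "Filters": {
        "ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "ResourceTags": [{"Key": "env", "Value": "production", "Comparison": "EQUALS"}],
    },
    "GroupByAttribute": "AwsAccountId",
}

# Local evaluator (assumption: EQUALS comparisons only).
CHECKS = {
    "ResourceType": lambda f, c: any(r["Type"] == c["Value"] for r in f["Resources"]),
    "ComplianceStatus": lambda f, c: f.get("Compliance", {}).get("Status") == c["Value"],
    "RecordState": lambda f, c: f["RecordState"] == c["Value"],
    "ResourceTags": lambda f, c: any(r.get("Tags", {}).get(c["Key"]) == c["Value"]
                                     for r in f["Resources"]),
}

def matches(f, filters):
    # Conditions on one field are ORed; different fields are ANDed.
    return all(any(CHECKS[name](f, c) for c in conds) for name, conds in filters.items())

def evaluate(insight, findings, max_results=100):
    """Return (group value, finding count) pairs, highest count first, capped."""
    key = insight["GroupByAttribute"]
    counts = Counter(f[key] for f in findings if matches(f, insight["Filters"]))
    return counts.most_common(max_results)

if __name__ == "__main__":
    print(evaluate(INSIGHT, FINDINGS))
```
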

To enable AWS Security Hub, log in to a current AWS account, and ensure that the Identity and Access Management user, role or group has the proper permissions. Then, log in to the AWS Security Hub console, click Get Started and select Enable Security Hub.

When you set up the tool, a service-linked role is created to establish the permissions and policies needed to collect findings from other services and use AWS Config for compliance monitoring. AWS Config and AWS Security Hub must be enabled in the same account, but AWS Security Hub does not manage AWS Config automatically. Users can continue to work with AWS Config through the AWS Config console or APIs.

AWS Security Hub limits

The service can only support up to 1,000 member accounts per region, and only up to 1,000 member account invitations can be sent per Security Hub master account. This may be too restrictive for an enterprise with a massive AWS presence.

AWS Security Hub has internal limits as well. Users can save findings for only up to 90 days. They can create only up to 100 custom Security Hub insights, and the tool can return only up to 100 insight results at any time. These are all hard limits and currently cannot be increased.

In addition, AWS Security Hub does not offer any retroactive capabilities and therefore cannot offer any findings or insights based on past data. Any problems or incidents that took place prior to AWS Security Hub activation are not available for review.

Cost and availability

As of publication, AWS Security Hub is available in preview in most commercial global regions. The preview is free, but there is no current pricing data for the service once it enters general availability. However, AWS Security Hub requires AWS Config as a supporting service for compliance checks, so users who evaluate AWS Security Hub may incur additional costs due to configuration items in AWS Config -- though there is no charge for AWS Config rules related to AWS Security Hub.
