Troubleshooting AWS Security Hub


According to AWS Shared Responsibility Model[1], both cloud vendors and cloud users have the responsibility to ensure its security in many levels. To maintain the security within infrastructure AWS and third party vendors have been utilizing many services so far, but there have been many concerns around them.

1. Security compliance issues and not adhering to a specific industry standard.

2. So many security alert formats from different security product sources. There is no unique format to adhere for further processing.

3. No proper single window (dashboard) for monitoring

What is Security Hub?

As a solution, AWS launched its integrated security tool called AWS Security Hub (in 2018), which can provide a comprehensive view of your security state in your AWS environments. This would help customers to check your infrastructure compliance with the security industry standards and best practices.

It basically collects security data from three AWS security services (AWS GuardDuty, AWS Inspector, AWS Macie) and 30+ third-party partner products. This process helps you analyze your security trends and identify the highest priority security issues.

Security Hub — Benefits

1. Reduces the effort to collect and prioritize security findings across accounts

2. Automatically runs continuous, account level configuration and compliance checks based on industry standards such as CIS benchmarking [2].

3. Consolidate your security findings across accounts on to a dashboard

4. Supports integration with CloudWatch events, which lets you automate specific findings by defining custom actions and send them to a ticketing system.

The Components

Security Hub aggregates, organizes and prioritizes your security alerts or findings from multiple AWS services such as Amazon GuardDuty, Amazon Inspector, Amazon Macie and as well as 30+ partner solutions.

AWS Security Finding Format

AWS Security Hub findings from AWS Security Services and third party products are possessed by Security Hub using a standard finding format called AWS Security Finding Format (JSON Type). This basically eliminates the need of any time consuming data conversion efforts. These findings are correlated via Security Hub by some prioritizing.

Security Compliance

AWS Security Hub maintains its compliance with CIS AWS Benchmarks [2]. CIS Controls and CIS Benchmarks are the global standard and are recognized best practices for securing IT systems and data against the most pervasive attacks. Under CIS compliance guidelines, there are 43 compliance indicators, which are categorized under Identity Access Management (IAM), Monitoring and Logging features.

CIS Quick Start Deployment

In order to comply most of the non-complied features (which are listed under Security Hub dashboard), need to be corrected with the help of the Quick Start Deployment script [3] provided by AWS.

The Quick Start Deployment Script has to be executed as a CloudFormation script and it will generate multiple CloudWatch events, alarms and log filters, which are required for compliance. Once it runs, you can see a marked improvement in the compliance.

P.Note: It is required to set up CloudTrail and AWS Config in all AWS regions before executing the task.


However, the CIS Quick Start Deployment has a few issues related to its deployment. Though it runs well and completes well, there are certain CloudWatch events and filters not created as expected in the process. Hence, some tweaking was needed to complete this task in the script (cis-benchmark.template). Due to probably licensing restrictions, I am not sure whether I can share the modified template in public. But if anyone needs any guidance to rectify these issues, you can contact me on my email ( Good Luck and Thank You!


1. The Shared Responsibility Model:

2. CIS Benchmarking:

3. CIS Quick Start Compliance Git (Original):

Written by

An Enterprise Software Architect, Cloud Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store