# Review and Manage Security Hub Findings
AWS Security Hub aggregates security findings from multiple AWS services and third-party tools into a centralized dashboard. This tutorial shows you how to effectively review, investigate, and manage these findings.
## Overview
Security Hub receives findings from:
| Source | Finding Types |
|---|---|
| GuardDuty | Threat detection, malicious activity |
| Inspector | Vulnerabilities in EC2, ECR, Lambda |
| Macie | Sensitive data exposure in S3 |
| Config | Configuration compliance violations |
| Access Analyzer | External access, unused permissions |
| Firewall Manager | Firewall policy compliance |
## Prerequisites
- Security Hub deployed — Follow the Security Hub setup guide
- Product subscriptions enabled — All security services integrated
- Console access — Access to the security account
## Finding Workflow
### Reviewing Findings
#### 1. Access Security Hub Dashboard
- Log into the AWS Console in the security account
- Navigate to Security Hub
- Select Findings from the left navigation
The dashboard shows findings aggregated from all accounts and regions.
#### 2. Filter by Severity
Focus on high-priority findings first:
```
SeverityLabel = CRITICAL OR SeverityLabel = HIGH
```
Or use the severity filter dropdown to select CRITICAL and HIGH findings.
#### 3. Group by Finding Type
Organize findings by type to identify patterns:
- Click Group by dropdown
- Select Type or Product name
- Review counts for each category
#### 4. Investigate Individual Findings
For each finding, review:
- Title: Brief description of the issue
- Severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
- Account: Which AWS account has the issue
- Resource: Affected resource ARN
- Remediation: Suggested fix (when available)
Click on a finding to see full details including:
- Resource configuration
- Related findings
- Remediation steps
## Using Insights
Security Hub Insights provide pre-built and custom views of your security posture.
### Built-in Insights
Navigate to Insights to view:
| Insight | Description |
|---|---|
| Critical findings | All CRITICAL severity findings |
| Failed security checks | Compliance standard failures |
| Top accounts by findings | Accounts with most issues |
| Top resources by findings | Resources needing attention |
### Create Custom Insights
#### 1. Define Filter Criteria
```
ProductName = "GuardDuty" AND SeverityLabel = "HIGH" AND RecordState = "ACTIVE"
```
#### 2. Create the Insight
- Click Create insight
- Enter a name (e.g., "High Severity GuardDuty Findings")
- Configure the grouping (e.g., by Resource Type)
- Save the insight
## Managing Finding Workflow
### Update Finding Status
Use the AWS CLI to update finding workflow status:
```bash
# Mark finding as resolved
aws securityhub batch-update-findings \
  --finding-identifiers '[{"Id":"arn:aws:securityhub:...","ProductArn":"arn:aws:securityhub:..."}]' \
  --workflow '{"Status":"RESOLVED"}' \
  --region us-east-1

# Mark finding as suppressed (false positive)
aws securityhub batch-update-findings \
  --finding-identifiers '[{"Id":"arn:aws:securityhub:...","ProductArn":"arn:aws:securityhub:..."}]' \
  --workflow '{"Status":"SUPPRESSED"}' \
  --note '{"Text":"False positive - approved exception","UpdatedBy":"security-team"}' \
  --region us-east-1
```
### Workflow Status Values
| Status | Description |
|---|---|
| NEW | Finding has not been reviewed |
| NOTIFIED | Finding has been reviewed and assigned |
| SUPPRESSED | Finding is a false positive or accepted risk |
| RESOLVED | Finding has been remediated |
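The request body behind the `batch-update-findings` commands above, as an added example (not code from the original page or the module): it validates the workflow status against the four values in the table and, following the "document exceptions" practice, refuses a SUPPRESSED update that carries no note. The finding identifiers are constructed placeholders.

```python
"""Build and validate a Security Hub BatchUpdateFindings request.

Added example, not from the original page. Models the JSON that
`aws securityhub batch-update-findings` accepts; no AWS call is made.
"""
import json

# The four workflow statuses Security Hub accepts
WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "SUPPRESSED", "RESOLVED"}


def build_workflow_update(finding_identifiers, status, note_text=None, updated_by=None):
    """Return the BatchUpdateFindings request body as a dict.

    finding_identifiers: list of {"Id": ..., "ProductArn": ...} dicts
    status: one of WORKFLOW_STATUSES
    note_text / updated_by: optional note; both are mandatory when suppressing
    """
    if status not in WORKFLOW_STATUSES:
        raise ValueError(f"invalid workflow status: {status}")
    if not finding_identifiers:
        raise ValueError("at least one finding identifier is required")
    for ident in finding_identifiers:
        if not {"Id", "ProductArn"} <= set(ident):
            raise ValueError("finding identifier needs Id and ProductArn")
    if note_text and not updated_by:
        raise ValueError("a note needs UpdatedBy as well as Text")
    if status == "SUPPRESSED" and not note_text:
        # A suppression is an accepted risk or false positive; require an
        # audit trail so the exception can be reviewed later.
        raise ValueError("SUPPRESSED requires a note with Text and UpdatedBy")
    request = {
        "FindingIdentifiers": list(finding_identifiers),
        "Workflow": {"Status": status},
    }
    if note_text:
        request["Note"] = {"Text": note_text, "UpdatedBy": updated_by}
    return request


def to_cli_args(request):
    """Render the request as arguments for `aws securityhub batch-update-findings`."""
    args = ["--finding-identifiers", json.dumps(request["FindingIdentifiers"]),
            "--workflow", json.dumps(request["Workflow"])]
    if "Note" in request:
        args += ["--note", json.dumps(request["Note"])]
    return args


# Constructed placeholder identifiers (example account and finding id, not real)
SAMPLE_IDS = [{"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/EXAMPLE-FINDING-ID",
               "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty"}]
```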
## Automating Finding Response
### EventBridge Integration
Create automated responses to findings:
```yaml
# Example: Alert on critical GuardDuty findings
components:
  terraform:
    security-hub-automation:
      vars:
        event_pattern:
          source:
            - aws.securityhub
          detail-type:
            - Security Hub Findings - Imported
          detail:
            findings:
              ProductName:
                - GuardDuty
              Severity:
                Label:
                  - CRITICAL
```
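To check which events the pattern above would actually select before wiring up a rule, here is an added example (not code from the original page or the module) that implements the subset of EventBridge pattern semantics this pattern relies on: nested keys, a list of allowed literals at each leaf, and "any element matches" for event arrays such as `detail.findings`. The event is a constructed sample.

```python
"""Minimal EventBridge pattern matcher for Security Hub finding events.

Added example, not from the original page. Covers only the pattern
features used above (no prefix/numeric/anything-but matching).
"""


def pattern_matches(pattern, event):
    """Return True if `event` satisfies `pattern` (EventBridge subset)."""
    if isinstance(pattern, dict):
        # A pattern object against an event array matches if any element does
        if isinstance(event, list):
            return any(pattern_matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        # Every pattern key must be present and match; extra event keys are fine
        return all(key in event and pattern_matches(sub, event[key])
                   for key, sub in pattern.items())
    # Leaf: list of literals; the event scalar, or any element of an array, must be in it
    if isinstance(event, list):
        return any(item in pattern for item in event)
    return event in pattern


# The same pattern as the Terraform vars above, as a Python dict
GUARDDUTY_CRITICAL = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"ProductName": ["GuardDuty"],
                            "Severity": {"Label": ["CRITICAL"]}}},
}


def sample_event(product, label):
    """Constructed 'Security Hub Findings - Imported' event carrying one finding."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{"ProductName": product,
                                 "Severity": {"Label": label, "Normalized": 90},
                                 "RecordState": "ACTIVE"}]},
    }
```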
### SNS Notifications
Enable SNS notifications in Security Hub:
```yaml
components:
  terraform:
    aws-security-hub/delegated-administrator:
      vars:
        create_sns_topic: true
        # SNS topic receives all new findings
```
## Compliance Standards
### Review Compliance Scores
- Navigate to Security standards
- Review compliance percentage for each standard:
  - CIS AWS Foundations Benchmark
  - AWS Foundational Security Best Practices
  - PCI DSS (if enabled)
- Click on a standard to see failed controls
### Export Compliance Report
```bash
# List enabled standards and their subscription ARNs
aws securityhub get-enabled-standards --region us-east-1

# Get the status of each control in a standard
aws securityhub describe-standards-controls \
  --standards-subscription-arn "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0" \
  --region us-east-1
```
## Best Practices
- Daily review: Check CRITICAL and HIGH findings daily
- Weekly review: Review MEDIUM findings weekly
- Document exceptions: Use notes to document why findings are suppressed
- Automate responses: Use EventBridge for automated alerting and remediation
- Track metrics: Monitor finding counts over time to measure improvement
## Troubleshooting
### Findings Not Appearing
If findings aren't showing up:
- Verify product subscriptions are enabled
- Check cross-region aggregation settings
- Allow 15-30 minutes for initial data sync
- Verify IAM permissions for the security account
### Duplicate Findings
Duplicate findings may occur when:
- Multiple regions report the same global resource
- Finding aggregation is misconfigured
Enable finding aggregation to deduplicate:
```yaml
components:
  terraform:
    aws-security-hub/delegated-administrator:
      vars:
        finding_aggregator_enabled: true
        finding_aggregator_linking_mode: ALL_REGIONS
```
## See Also
- AWS Security Hub - Complete Security Hub documentation
- AWS GuardDuty - Threat detection service
- AWS Config - Configuration compliance
- Setup Guide - Complete deployment instructions